

Security in the 20-teens

By Jonathan Corbet
February 1, 2010
Recently, Google announced that its operations in China (and beyond) had been subject to sophisticated attacks, some of which were successful; a number of other companies have been attacked as well. The source of these attacks may never be proved, but it is widely assumed that they were carried out by government agencies. There are also allegations that the East Anglia email leak was a government-sponsored operation. While at LCA, your editor talked with a developer who has recently found himself at Google; according to this developer, incidents like these demonstrate that the security game has changed in significant ways, with implications that the community can ignore only at its peril.

Whenever one talks about security, one must do so in the context of a specific threat model: what are we trying to defend ourselves against? Different threat models lead to very different conclusions. For years, one of the most pressing threats has been script kiddies and others using well-known vulnerabilities to break into systems; initially these breakins were mostly for fun, but, over time, these attackers have increasingly had commercial motivations. In response, Linux distributors have created reasonably secure-by-default installations and effective mechanisms for the distribution of updates. As a result, we are, by default, quite well defended against this class of attack when carried out remotely, and moderately well defended against canned local attacks.

Attackers with more determination and focus are harder to defend against; somebody who intends to break into a specific system in pursuit of a well-defined goal has a better chance of success. Chances are, only the most hardened of systems can stand up against focused attackers with local access. When these attackers are at the far end of a network connection, we still stand a reasonable chance of keeping them out.

Often, those concerned with security simply throw up their hands when confronted with the problem of defending a system against an attacker who is working with the resources available to national governments. Most of us assume that we'll not be confronted with such an attack, and that there's little that we could do about one if we were. When governmental attackers can obtain physical access, there probably is little to be done, but remote (foreign) governmental attackers may not be able to gain that sort of access.

What the attacks on Google (and others) tell us is that we've now entered an era where we need to be concerned about attacks from national governments. Probably we have been in such an epoch for a while now, but the situation has become increasingly clear. Thinking about the implications would make some sense.

A look at updates from distributors shows that we still have a steady stream of vulnerabilities in image processing libraries, PDF viewers, Flash players, and more. Some of these problems (yet another PNG buffer overflow, say) appear to have a relatively low priority, but they shouldn't. Media-based attacks can only become more common over time; it's easy to get a victim to look at a file or go to a specific web page. Properly targeted phishing (easily done by a national government) may be the method of choice for compromising specific systems for some time to come. Browsers, file viewers, and media players will play an unfortunate role in the compromise of many systems.

What may be even more worrisome, though, is the threat of back doors, trojan horses, or (perhaps most likely) subtle vulnerabilities inserted into our software development and distribution channels. This could happen at just about any stage in the chain.

On the development side, we like to think that code review would find deliberately coded security weaknesses. But consider this: kernel code tends to be reviewed more heavily than code in many other widely-used programs, and core kernel code gets more review than driver code. But none of that was able to prevent the vmsplice() vulnerability - caused by a beginner-level programming error - from getting into the mainline kernel. Many more subtle bugs are merged in every development cycle. We can't ever catch them all; what are our chances against a deliberately-inserted, carefully-hidden hole?

Source code management has gotten more robust in recent years; the widespread use of tools like git and mercurial effectively guarantees that an attempt to corrupt a repository somewhere will be detected. But that nice assumption only holds true for as long as one assumes that the hash algorithms used to identify commits are not subject to brute-force collisions. One should be careful about such assumptions when the computing resources of a national government can be brought to bear. We might still detect an attempt to exploit a hash collision - but our chances are not as good.
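To make the "corruption will be detected" claim concrete, here is an added example (not LWN's text and not git's own code) of a toy content-addressed commit chain in the style git uses: every object is named by the SHA-1 of its contents, and every commit names its parent. The object layout, the three-commit history and the tampering step are all constructed for the illustration.

```python
# Added example (not LWN's or git's own code): a toy content-addressed commit
# chain in the style of git, showing why silently corrupting stored history
# is detectable as long as the hash function cannot be collided.
import hashlib
from typing import Optional

def object_id(kind: str, payload: bytes) -> str:
    # git-style object naming: SHA-1 over "<type> <size>\0<payload>"
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def make_commit(parent: Optional[str], tree: bytes, message: str) -> dict:
    tree_id = object_id("blob", tree)
    body = f"tree {tree_id}\nparent {parent or '-'}\n\n{message}".encode()
    return {"id": object_id("commit", body), "body": body, "tree": tree}

def build_chain() -> list:
    # Constructed sample history: three commits, each naming its predecessor
    history = [(b"int main(void) { return 0; }\n", "initial import"),
               (b"int main(void) { return 1; }\n", "change return code"),
               (b"int main(void) { return 2; }\n", "change it again")]
    commits, parent = [], None
    for tree, msg in history:
        c = make_commit(parent, tree, msg)
        commits.append(c)
        parent = c["id"]
    return commits

def tamper(commits: list, index: int, new_tree: bytes) -> list:
    # Simulate someone editing stored file contents in place without
    # (or without being able to) recompute the hashes that name them
    copied = [dict(c) for c in commits]
    copied[index]["tree"] = new_tree
    return copied

def verify_chain(commits: list) -> tuple:
    """Recompute every id from the stored bytes and walk the parent links.
    Any mismatch means the stored history differs from what was hashed."""
    expected_parent = None
    for i, c in enumerate(commits):
        if object_id("commit", c["body"]) != c["id"]:
            return False, f"commit {i}: body does not hash to its stored id"
        tree_line, parent_line = c["body"].split(b"\n")[:2]
        if tree_line != b"tree " + object_id("blob", c["tree"]).encode():
            return False, f"commit {i}: tree contents changed"
        if parent_line != b"parent " + (expected_parent or "-").encode():
            return False, f"commit {i}: parent link broken"
        expected_parent = c["id"]
    return True, "chain intact"

if __name__ == "__main__":
    chain = build_chain()
    print(verify_chain(chain))
    print(verify_chain(tamper(chain, 1, b"int main(void) { return 1; } /* extra */\n")))
```

The point of the exercise is that an attacker cannot fix up the tampered commit without changing its id, which breaks the parent link of the next commit, and so on up to the tip; anyone who recorded the tip id earlier notices. The caveat in the paragraph above is visible in the code too: if the replacement tree happened to hash to the same SHA-1 as the original, verify_chain() would report "chain intact".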

In any case, the software that ends up on our systems does not come directly from the source repositories; distributors apply changes of their own and build binary packages from that source. The building of packages is, one hopes, relatively robust; distributors have invested some significant resources into package signing and verification mechanisms. The Fedora and Red Hat intrusions show that this link in the chain is indeed subject to attack, but it is probably not one of the weakest links.

A weaker point may be the source trees found on developer laptops and the patches that those developers apply. A compromise of the right developer's system could render the entire signing mechanism moot; it will just sign code which has already been corrupted. Community distributions, which (presumably) have weaker controls, could be especially vulnerable to this attack vector. In that context, it's worth bearing in mind that distributions like Debian and Gentoo - at least - are extensively used in a number of sensitive environments. Enterprise distributions might be better defended against the injection of unwanted code, but the payback for the insertion of a hole into an enterprise distribution could be high. Users of community rebuilds of enterprise distributions (LWN being one of those) should bear in mind that they have added one more link to the chain of security that they depend on.

Then again, all of that may be unnecessary; perhaps ordinary bugs are enough to open our systems to sufficiently determined attackers. We certainly have no shortage of them. One assumes that no self-respecting, well-funded governmental operation would be without a list of undisclosed vulnerabilities close at hand. They have the resources to look for unknown bugs, to purchase the information from black-hat crackers, and to develop better static analysis tools than we have.

All told, it is a scary situation, one which requires that we rethink the security of our systems and processes from one end to the other. Otherwise we risk becoming increasingly vulnerable to well-funded attackers. We also risk misguided and destructive attempts to secure the net through heavy-handed regulation; see this ZDNet article for a somewhat confusing view of how that could come about.

The challenge is daunting, and it may be insurmountable. But, then, we as a community have overcome many other challenges that the world thought we would never get past, and the attacks seem destined to happen regardless of whether we try to improve our defenses. If we could achieve a higher level of security while preserving the openness of our community and the vitality of our development process, Linux would be even closer to World Domination than it is now. Even in the absence of other minor concerns - freedom, the preservation of fundamental civil rights, and the preservation of an open network, for example - this goal would be worth pursuing.

Comments (83 posted)

Brief items

China Internet Network Information Center accepted as a Mozilla root CA

Those who are concerned about the security of Mozilla's SSL certificate validation might want to take a look at this bugzilla entry. It seems that, at the end of October, Mozilla approved the addition of the China Internet Network Information Center (CNNIC) as a root certification authority, meaning that Firefox will accept CNNIC-signed certificates as valid and fully trusted. CNNIC is said to be controlled by the Chinese government and is alleged to be heavily involved in spying on Chinese citizens; numerous people are concerned that it will use its root CA position to facilitate man-in-the-middle attacks. Unfortunately, most of these concerns were not raised during the discussion period, making the removal of CNNIC - if warranted - harder.

Comments (41 posted)

Security reports

Two information leak vulnerabilities in Bugzilla

The Bugzilla project is reporting two information leaks that could lead to the disclosure of sensitive data. Several directories (CVS/, contrib/, docs/en/xml/, and t/) and the old-params.txt file were not restricted from being served by Bugzilla. By default, they do not contain sensitive information, but custom installations may have added files with passwords or other information. Also, certain bugs could be made public, at least briefly, when they were moved to a different product. Versions 3.0.11, 3.2.6, 3.4.5, and 3.5.3 have been released to address the leaks. Click below for the full announcement.

Full Story (comments: none)

New vulnerabilities

bltk: privilege escalation

Package(s):bltk CVE #(s):
Created:January 29, 2010 Updated:February 19, 2010
Description: From the Fedora advisory: bltk will run any command as root
Fedora FEDORA-2010-1219 bltk 2010-01-29
Fedora FEDORA-2010-1327 bltk 2010-02-18

Comments (none posted)

hybserv: denial of service

Package(s):hybserv CVE #(s):CVE-2010-0303
Created:January 29, 2010 Updated:February 3, 2010
Description: From the Debian advisory: Julien Cristau discovered that hybserv, a daemon running IRC services for IRCD-Hybrid, is prone to a denial of service attack via the commands option.
Debian DSA-1982-1 hybserv 2010-01-29

Comments (none posted)

ircd-hybrid/ircd-ratbox: multiple vulnerabilities

Package(s):ircd-hybrid/ircd-ratbox CVE #(s):CVE-2009-4016 CVE-2010-0300
Created:January 28, 2010 Updated:June 9, 2010
Description: From the Debian alert:

David Leadbeater discovered an integer underflow that could be triggered via the LINKS command and can lead to a denial of service or the execution of arbitrary code (CVE-2009-4016). This issue affects both ircd-hybrid and ircd-ratbox.

It was discovered that the ratbox IRC server is prone to a denial of service attack via the HELP command. The ircd-hybrid package is not vulnerable to this issue (CVE-2010-0300).

Fedora FEDORA-2010-9312 ircd-hybrid 2010-05-31
Fedora FEDORA-2010-9312 ircd-ratbox 2010-05-31
Debian DSA-1980-1 ircd-hybrid/ircd-ratbox 2010-01-27

Comments (none posted)

kernel: insecure devtmpfs permissions

Package(s):kernel CVE #(s):CVE-2010-0299
Created:February 1, 2010 Updated:February 8, 2010

From the Mandriva advisory:

An issue was discovered in 2.6.32.x kernels, which set insecure permissions on the devtmpfs file system by default. (CVE-2010-0299)

SuSE SUSE-SA:2010:010 kernel 2010-02-08
Mandriva MDVSA-2010:030 kernel 2009-01-01

Comments (none posted)

kernel: arbitrary code execution

Package(s):kernel CVE #(s):CVE-2009-1385
Created:February 3, 2010 Updated:February 3, 2010

From the Red Hat advisory:

A flaw was found in the Intel PRO/1000 Linux driver (e1000) in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

Red Hat RHSA-2010:0079-01 kernel 2010-02-02

Comments (none posted)

lighttpd: denial of service

Package(s):lighttpd CVE #(s):CVE-2010-0295
Created:February 2, 2010 Updated:June 3, 2010
Description: From the Debian advisory: Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.
Fedora FEDORA-2010-7643 lighttpd 2010-04-30
Fedora FEDORA-2010-7636 lighttpd 2010-04-30
Debian DSA-1987-1 lighttpd 2010-02-02
Gentoo 201006-17 lighttpd 2010-06-03
SuSE SUSE-SR:2010:003 lighttpd, net-snmp/libsnmp15/perl-SNMP, fuse, xpdf 2010-02-09
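The lighttpd entry above describes a memory-handling pattern rather than a single bug, so here is an added example (not lighttpd's code, written in Python for the illustration) of the two ways a server can accumulate a request body that dribbles in: a fresh full-size buffer kept per read, versus one growing buffer behind a hard limit. The read size, the request cap and the one-byte-per-read stream are all constructed for the example.

```python
# Added example, not lighttpd's code: reading a request body that arrives
# in many tiny reads, first in the per-read-allocation style the advisory
# describes, then with one growing buffer and a hard size limit.
import io

MAX_REQUEST_BODY = 64 * 1024      # assumed per-request cap (constructed value)
READ_SIZE = 4096                  # assumed read granularity (constructed value)

class RequestTooLarge(Exception):
    pass

class TrickleStream:
    """Constructed stand-in for a slow client: hands out one byte per read()
    no matter how much the server asks for."""
    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
    def read(self, n: int) -> bytes:
        return self._buf.read(1) if n > 0 else b""

def read_body_per_read_buffers(stream, read_size=READ_SIZE) -> list:
    # Flawed pattern: a fresh full-size buffer is kept for every read, so
    # memory grows with the number of reads rather than the bytes received.
    buffers = []
    while True:
        chunk = stream.read(read_size)
        if not chunk:
            break
        buf = bytearray(read_size)
        buf[:len(chunk)] = chunk
        buffers.append(buf)
    return buffers

def read_body_bounded(stream, read_size=READ_SIZE, limit=MAX_REQUEST_BODY) -> bytes:
    # Hardened pattern: append every read to one buffer and refuse to keep
    # going once the configured limit is reached.
    body = bytearray()
    while True:
        chunk = stream.read(read_size)
        if not chunk:
            break
        if len(body) + len(chunk) > limit:
            raise RequestTooLarge(f"request body exceeds {limit} bytes")
        body += chunk
    return bytes(body)

def bytes_held(buffers: list) -> int:
    # Total buffer memory the flawed reader keeps alive for one request
    return sum(len(b) for b in buffers)

if __name__ == "__main__":
    payload = b"x" * 1000
    print(bytes_held(read_body_per_read_buffers(TrickleStream(payload))))
    print(len(read_body_bounded(TrickleStream(payload))))
```

With a 1000-byte payload delivered one byte at a time, the first reader holds 1000 read-sized buffers, while the second holds 1000 bytes and would stop a client that exceeds the limit regardless of how slowly it sends. The limit, not the appending alone, is what bounds memory per connection.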

Comments (none posted)

maildrop: privilege escalation

Package(s):maildrop CVE #(s):CVE-2010-0301
Created:January 28, 2010 Updated:September 7, 2010
Description: From the Debian alert:

Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges.

Gentoo 201009-02 maildrop 2010-09-06
Debian DSA-1981-2 maildrop 2010-01-28
Debian DSA-1981-1 maildrop 2010-01-28
Mandriva MDVSA-2010:038 maildrop 2010-02-16
Fedora FEDORA-2010-1927 maildrop 2010-02-16
Fedora FEDORA-2010-1863 maildrop 2010-02-16

Comments (none posted)

moodle: multiple vulnerabilities

Package(s):moodle CVE #(s):CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305
Created:February 3, 2010 Updated:February 16, 2010

From the Debian advisory:

CVE-2009-4297: Multiple cross-site request forgery (CSRF) vulnerabilities have been discovered.

CVE-2009-4298: It has been discovered that the LAMS module is prone to the disclosure of user account information.

CVE-2009-4299: The Glossary module has an insufficient access control mechanism.

CVE-2009-4301: Moodle does not properly check permissions when the MNET service is enabled, which allows remote authenticated servers to execute arbitrary MNET functions.

CVE-2009-4302: The login/index_form.html page links to an HTTP page instead of using an SSL secured connection.

CVE-2009-4303: Moodle stores sensitive data in backup files, which might make it possible for attackers to obtain them.

CVE-2009-4305: It has been discovered that the SCORM module is prone to an SQL injection.

Additionally, an SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed.

SuSE SUSE-SR:2010:004 moodle, xpdf, pdns-recursor, pango, horde, gnome-screensaver, fuse, gnutls, flash-player 2010-02-16
Debian DSA-1986-1 moodle 2010-02-02

Comments (none posted)

ncpfs: privilege escalation

Package(s):ncpfs CVE #(s):CVE-2009-3297
Created:January 28, 2010 Updated:March 1, 2011

From the Red Hat bugzilla entry:

Ronald Volgers found a race condition in the samba-client's mount.cifs utility. A local, unprivileged user could use this flaw to conduct symlink attacks, leading to disclosure of sensitive information, or, possibly, to privilege escalation.

Ubuntu USN-1077-1 fuse 2011-02-28
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
Fedora FEDORA-2010-3999 samba 2010-03-10
Fedora FEDORA-2010-4050 samba 2010-03-10
Debian DSA-1989-1 fuse 2010-02-02
Fedora FEDORA-2010-1218 samba 2010-01-29
Fedora FEDORA-2010-1190 samba 2010-01-29
Ubuntu USN-892-1 fuse 2010-01-28
Ubuntu USN-893-1 samba 2010-01-28
Fedora FEDORA-2010-1145 ncpfs 2010-01-28
Fedora FEDORA-2010-1168 ncpfs 2010-01-28
Pardus 2010-27 fuse 2010-02-02
Pardus 2010-23 samba 2010-02-02
Debian DSA-2004-1 samba 2010-02-28
Mandriva MDVSA-2010:047 fuse 2010-02-23
Mandriva MDVSA-2010:046 ncpfs 2010-02-23
SuSE SUSE-SR:2010:004 moodle, xpdf, pdns-recursor, pango, horde, gnome-screensaver, fuse, gnutls, flash-player 2010-02-16
Fedora FEDORA-2010-1159 fuse 2010-01-28
Fedora FEDORA-2010-1140 fuse 2010-01-28
SuSE SUSE-SR:2010:003 lighttpd, net-snmp/libsnmp15/perl-SNMP, fuse, xpdf 2010-02-09

Comments (1 posted)

mysql: access restriction bypass

Package(s):mysql CVE #(s):CVE-2008-7247
Created:February 2, 2010 Updated:November 16, 2010
Description: From the CVE entry:

sql/ in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.

Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16
Pardus 2010-73 mysql-server 2010-06-04
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
Mandriva MDVSA-2010:044 mysql 2010-02-19
Pardus 2010-29 mysql-server 2010-02-09
Ubuntu USN-897-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-02-10
Fedora FEDORA-2010-1348 mysql 2010-02-02
Fedora FEDORA-2010-1300 mysql 2010-02-02

Comments (none posted)

postgresql: denial of service

Package(s):postgresql-server CVE #(s):CVE-2010-0442
Created:February 3, 2010 Updated:May 28, 2010

From the NVD entry:

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."

Gentoo 201110-22 postgresql-base 2011-10-25
CentOS CESA-2010:0429 postgresql 2010-05-28
Debian DSA-2051-1 postgresql-8.3 2010-05-24
CentOS CESA-2010:0428 postgresql 2010-05-22
CentOS CESA-2010:0427 postgresql 2010-05-22
Mandriva MDVSA-2010:103 postgresql 2010-05-20
Red Hat RHSA-2010:0427-01 postgresql 2010-05-19
Red Hat RHSA-2010:0429-01 postgresql 2010-05-19
Red Hat RHSA-2010:0428-01 postgresql 2010-05-19
Ubuntu USN-933-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-04-28
Pardus 2010-24 postgresql-server 2010-02-02
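The PostgreSQL entry above is about what a substring routine does with a negative length. As an added example (not PostgreSQL's code, and a simplification of SQL's substring semantics), here is a bit-string substring with 1-based positions and clamping that refuses a negative length before any index arithmetic happens; the bit strings used to exercise it are constructed.

```python
# Added example, not PostgreSQL's code: a bit-string substring with SQL's
# 1-based positions and clamping, which rejects a negative length up front
# instead of computing an end position that has moved behind the start.
from typing import Optional

def bit_substring(bits: str, start: int, length: Optional[int] = None) -> str:
    if any(ch not in "01" for ch in bits):
        raise ValueError("not a bit string")
    if length is not None and length < 0:
        # The edge case behind the advisory: a negative FOR argument must be
        # refused, never fed into the index arithmetic below.
        raise ValueError("negative substring length not allowed")
    first = start - 1                                        # SQL positions start at 1
    last = len(bits) if length is None else first + length   # exclusive end
    first, last = max(first, 0), min(last, len(bits))        # clamp to the string
    return bits[first:last] if last > first else ""

if __name__ == "__main__":
    print(bit_substring("10110", 2, 3))   # positions 2..4
    print(bit_substring("10110", 0, 2))   # position 0 does not exist; clamps to "1"
    print(bit_substring("10110", 4))      # to the end of the string
```

Clamping handles a start before position 1 or a length running past the end, which are legitimate SQL inputs; a negative length is not, and is the one case that gets an error rather than a clamped answer.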

Comments (none posted)

rootcerts: upgrade to latest certdata.txt

Package(s):rootcerts CVE #(s):
Created:January 29, 2010 Updated:February 4, 2010
Description: From the Mandriva advisory:

The rootcerts package was added in Mandriva in 2005 and was meant to be updated when necessary. The provided rootcerts packages have been upgraded using the latest certdata.txt file from the mozilla cvs repository, as of 2009/12/03.

Mandriva MDVSA-2010:029 rootcerts 2010-01-28
Mandriva MDVSA-2010:032 rootcerts 2010-02-04

Comments (none posted)

roundcubemail: information disclosure

Package(s):roundcubemail CVE #(s):CVE-2010-0464
Created:February 3, 2010 Updated:February 25, 2010

From the Red Hat bugzilla entry:

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

Mandriva MDVSA-2010:048 roundcubemail 2010-02-25
Fedora FEDORA-2010-1385 roundcubemail 2010-02-02
Fedora FEDORA-2010-1399 roundcubemail 2010-02-02

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark CVE #(s):CVE-2009-4337 CVE-2010-0304
Created:February 1, 2010 Updated:May 28, 2010

From the Debian advisory:

CVE-2009-4337: A NULL pointer dereference was found in the SMB/SMB2 dissectors.

CVE-2010-0304: Several buffer overflows were found in the LWRES dissector.

CentOS CESA-2010:0360 wireshark 2010-05-28
CentOS CESA-2010:0360 wireshark 2010-04-20
CentOS CESA-2010:0360 wireshark 2010-04-20
Red Hat RHSA-2010:0360-01 wireshark 2010-04-20
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
Fedora FEDORA-2010-3556 wireshark 2010-03-03
Debian DSA-1983-1 wireshark 2010-01-30
Pardus 2010-26 wireshark 2010-02-02

Comments (none posted)

zabbix: multiple vulnerabilities

Package(s):zabbix CVE #(s):CVE-2009-4499 CVE-2009-4501
Created:January 28, 2010 Updated:February 3, 2010
Description: From the CVE entry for CVE-2009-4499:

SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c.

From the CVE entry for CVE-2009-4501:

The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword.

Fedora FEDORA-2010-0266 zabbix 2010-01-07
Fedora FEDORA-2010-0278 zabbix 2010-01-07

Comments (none posted)

Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds