Security
Enabling Intel TXT in Fedora
Intel's Trusted Execution Technology (TXT) has always been somewhat controversial because it enables the complete lockdown of a computer system. For the DRM-loving crowd, that is seen as a feature, of course, but others, who might want to make their own choices about what code runs on their hardware, do not see it quite the same way. TXT was added to Linux in 2.6.32, without much in the way of complaints—though there were some concerns about protests—now Fedora is discussing whether to enable it for its kernels. The sticking point is not the DRM-lockdown that TXT allows, but is, instead, the fact that it requires an opaque binary "blob" in order to operate.
TXT is a means for ensuring that the code running on a system is what is intended to be run there. By looking at all of the code that the system runs, including things like BIOS, option ROMs, the bootloader, the kernel, and the initrd image, TXT can determine whether any of that code or data has been altered. The idea is to protect the integrity of the system as a whole, and to thwart rootkits or offline attacks, such as swapping in a new hard disk or BIOS for systems like voting machines, medical devices, or ATMs. As mentioned, though, it can also be used to ensure that only code signed by some authority is allowed to run on the device. For ATMs, that's probably a good thing, but if it becomes widespread, it could become a serious impediment to freedom.
As described in an article from a year ago, there are two separate components that collaborate to provide the TXT integrity checking: the tboot "trusted boot" hypervisor and an Authenticated Code Module. The latter, often referred to as the "SINIT AC", is distributed as a binary-only object, which is signed by Intel.
Because there is no source available for SINIT AC—even if there were, without Intel's keys users couldn't build and use their own—some Fedora developers are leery of enabling TXT in Fedora kernels. Stephen Smalley's request to enable TXT, which he sent to the fedora-kernel list in October 2009 shortly after TXT was added to the kernel, was quickly shot down. Eric Paris explained:
More recently, IBM has agreed to move the blob into the BIOS of its xSeries servers. That would alleviate the problem of needing to ship a binary blob to make TXT work—though it does nothing to open up the code, of course. But, that announcement led Paris to reopen the discussion on enabling TXT. In a fairly long message, he lays out the case for enabling the feature. Because xSeries users will be able to use TXT without installing the Intel blob, he sees it as a desirable feature for Fedora:
But Fedora engineering manager Tom "spot" Callaway is less enthusiastic. He notes that IBM is just taking the same binary blob and stuffing it into the BIOS. He is also concerned about supporting Fedora users:
In the non-IBM Xseries case (which is by far, the more common one for Fedora), we would be enabling this option solely to enable proprietary binary blobs during the boot process. In my opinion, given that it is not possible at all for us to troubleshoot or bug fix systems in such a scenario, we should not imply to our userbase that it is supportable by enabling this kernel option.
Smalley thinks that getting TXT into Fedora would allow more testing, but Callaway isn't convinced that's necessarily a good thing:
And then, it breaks. And we get bugs filed. Which we have absolutely 0 chance of being able to fix.
Others see the SINIT AC blob as no different than the firmware blobs that are required to
make various hardware function—and are shipped by Fedora. Callaway
counters that the firmware "is the only way to enable that
hardware to work.
" But, as Chris Wright points out, that leads to an inconsistency: "And TXT needs SINIT AC to work.
It's just inconsistent reasoning.
"
If the proposal were to distribute SINIT AC with Fedora, the situation
would be more "analogous
", Callaway said, "but Intel already tried that, and it
doesn't meet the strict guidelines we have defined in Fedora for what is
considered acceptable firmware
". Red Hat has apparently tried to
convince Intel to open up the SINIT AC code, but without success.
The core difference, at least in Callaway's mind, seems to be that users will be
depending on this code, which they cannot inspect, for the security of
their systems. Faulty firmware for other hardware may make the system
unstable or fail entirely, but that firmware isn't vouching for the
security of the whole system as the SINIT AC does. TXT "requires that we explicitly trust a third party
vendor for security. [...] This makes me extremely uncomfortable, and also makes me wonder why the
NSA seems comfortable with such a scenario in practice.
"
Callaway is referring to the US National Security
Agency (NSA), which is where Smalley works. But, as Smalley points out, adding TXT doesn't really change
anything: "And you were already dependent on Intel for correct
operation of their hardware. Nothing new to see here, move along...
"
Red Hat's James Morris, who seems a bit surprised that the TXT code made it
into the kernel without any ACKs from the security subsystem folks, is also
a bit concerned about the secrecy
surrounding the code: "I really hope the secrecy of the AC module is not part of its security
design.
" He also noted that bugs in the SINIT AC were recently used
to break TXT, but he doesn't see any technical barriers to enabling it in
the Fedora kernel. The security of TXT is not reliant on "keeping the
SINIT module closed source
", according to Smalley, but Intel
"adamantly
" refuses to open source it, Callaway said.
It's not clear why Intel is being so secretive, nor why there isn't support for other signing keys on AC modules. That, at least, would allow others to potentially create alternative AC modules. Intel may believe that "security through obscurity" will help prevent exploits, though there is good reason to believe that it won't—and hasn't.
No conclusion was reached in the thread, though one would guess that Callaway's opinions would carry a fair amount of weight. Had Intel originally placed SINIT AC in the BIOS, rather than providing it as a separate—and separately upgradable—component, it seems likely that this issue would not have reared its head. Certainly users who really want TXT support can build their own kernels, as was suggested, but then they will be on their own for support. That may not be much of an issue for Fedora users, who don't have much of a support plan beyond what the distribution provides, but it will affect RHEL users—and that may be the real target of this effort.
Depending on hardware vendors for security solutions is not without pitfalls, but we are already dependent on them for the correct functioning of our systems, which includes security. It's a question of how far one wants to follow the rabbit hole. Until there are fully free hardware solutions, there will always be hardware dependencies. Its hard to imagine that RHEL, at least, doesn't get TXT support at some point; Fedora would make a good testbed for that support.
Brief items
Microsoft: Google Chrome doesn't respect your privacy (ars technica)
Ars technica reports on a Microsoft offensive against Google's Chrome browser, which is contained in a video presentation by IE product manager Pete LePage. While some of the complaints are, perhaps unsurprisingly, disingenuous, there is a real privacy issue in the way that Chrome handles the address bar. With only one box to type in, Chrome sends all keystrokes, even when typing a URL, to the search provider, which potentially leaks information about which sites are being visited. "It's worth taking a closer look at LePage's first accusation. Even though he didn't really elaborate, the reason for the striking difference for IE8's and Chrome's behaviors is really that simple: IE8 has two boxes and Chrome has one. LePage makes an important mistake in his accusation against Google: his statement should not be 'Chrome sends a request back to Google' but it should be 'Chrome sends a request back to the search provider.'"
Unknown root certificate in Firefox
The Mozilla project has disclosed that Firefox currently contains a root certificate authority that nobody knows anything about. "I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root. Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS." It seems past time for the user community to start paying more attention to the root certificates accepted by our browsers.
Mozilla "unknown root certificate" followup
Here's a post from the Mozilla Security Blog explaining the what was going on with the mysterious root certificate accepted by Mozilla. "The confusion stems from a comment made in the newsgroup threads discussing the removal which suggested that the root didn't have a current owner. We know where the root came from, it was added at RSA's request several years ago and vetted according to our inclusion guidelines." A look at the original discussion shows that they only (re)verified the origin of that certificate on April 6; prior to that, nobody was really sure.
ClamAV 0.94.x end of life announcement
The ClamAV developers have sent out a reminder that the end is near for version 0.94.x - and they really mean the end: "This is a reminder that starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year." Time for anybody who has not yet upgraded to do it.
New vulnerabilities
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2010-0173 CVE-2010-0181 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 1, 2010 | Updated: | June 14, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mozilla advisories: [1, 2] CVE-2010-0173: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. CVE-2010-0181: phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary images. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gnome-screensaver: unauthorized access
| Package(s): | gnome-screensaver | CVE #(s): | CVE-2010-0732 | ||||||||||||
| Created: | April 7, 2010 | Updated: | May 27, 2010 | ||||||||||||
| Description: | Hitting the "return" key repeatedly can cause an X error, causing gnome-screensaver to exit. | ||||||||||||||
| Alerts: |
| ||||||||||||||
hamlib: arbitrary code execution
| Package(s): | hamlib | CVE #(s): | CVE-2009-3736 | ||||||||||||
| Created: | April 5, 2010 | Updated: | April 7, 2010 | ||||||||||||
| Description: | From the Red Hat bugzilla:
CERT reported a vulnerability in libltdl (part of libtool) where it could, in some cases, load and execute code from a library in the current directory (or the system's shared library search path) instead of the library that was requested with an absolute path. Systems which don't enforce specific naming for loadable objects, or which search for loadable objects in insecure directories (such as the current working directory), or don't require that loadable objects be signed in some way or have their execute bits set, are particularly vulnerable, and are trivial to exploit via an uploaded file. | ||||||||||||||
| Alerts: |
| ||||||||||||||
horde: cross-site scripting
| Package(s): | horde | CVE #(s): | CVE-2008-3824 | ||||||||
| Created: | April 1, 2010 | Updated: | April 7, 2010 | ||||||||
| Description: | From the Red Hat bugzilla entry: oCERT reported an XSS vulnerability discovered by Alexios Fakos affecting horde: Horde relies on code similar to Popoon's externalinput.php to filter out potential XSS attacks on user-supplied input. This filter, and the original, fail to fully sanitize user data. In particular, this filter fails to protect against '/'s acting as spaces in both Microsoft Internet Explorer and Mozilla Firefox. For example, the following snippet, supplied by the reporter, is treated as valid by the browsers but safe by the filter: <body/onload=alert(/w00w00/)> | ||||||||||
| Alerts: |
| ||||||||||
ikiwiki: cross-site scripting
| Package(s): | ikiwiki | CVE #(s): | |||||||||
| Created: | April 1, 2010 | Updated: | April 7, 2010 | ||||||||
| Description: | From the Red Hat bugzilla entry: Ivan Shmakov pointed out that the htmlscrubber allowed data:image/* urls, including data:image/svg+xml. But svg can contain javascript, so that is unsafe. This hole was discovered on 12 March 2010 and fixed the same day with the release of ikiwiki 3.20100312. A fix was also backported to Debian etch, as version 2.53.5. I recommend upgrading to one of these versions if your wiki can be edited by third parties. | ||||||||||
| Alerts: |
| ||||||||||
imlib2: arbitrary code execution
| Package(s): | imlib2 | CVE #(s): | CVE-2008-6079 | ||||||||
| Created: | April 6, 2010 | Updated: | July 2, 2010 | ||||||||
| Description: | From the Debian advisory:
It was discovered that imlib2, a library to load and process several image formats, did not properly process various image file types. Several heap and stack based buffer overflows - partly due to integer overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can lead to the execution of arbitrary code via crafted image files. | ||||||||||
| Alerts: |
| ||||||||||
java-1.6.0-sun: multiple vulnerabilities
| Package(s): | java-1.6.0-sun | CVE #(s): | CVE-2010-0082 CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0090 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 1, 2010 | Updated: | September 21, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory. The first number is a reference to the Red Hat bugzilla bug number. 575736 - CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217) 575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) 575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) 575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) 575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) 575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149) 575764 - CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265) 575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947) 575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) 575775 - CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807) 575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653) 575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299) 575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) 575854 - CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) 575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) 575871 - CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) 578430 - CVE-2010-0846 JDK unspecified vulnerability in ImageIO component 578432 - CVE-2010-0849 JDK unspecified vulnerability in Java2D component 578433 - CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component 578436 - CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities 578437 - CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component 578440 - CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
krb5: denial of service
| Package(s): | krb5 | CVE #(s): | CVE-2010-0629 | ||||||||||||||||||||||||||||||||||||||||
| Created: | April 7, 2010 | Updated: | October 18, 2010 | ||||||||||||||||||||||||||||||||||||||||
| Description: | The kadmind daemon contains a user-after-free vulnerability which can be exploited by a remote, authenticated user to cause a crash. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
libnids, dsniff: remotely triggerable null pointer dereference
| Package(s): | dsniff, libnids | CVE #(s): | |||||||||||||||||
| Created: | April 1, 2010 | Updated: | April 7, 2010 | ||||||||||||||||
| Description: | libnids 1.24 (Mar 14 2010): - fixed another remotely triggerable NULL dereference in ip_fragment.c | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
libnss-db: information disclosure and possible privilege escalation
| Package(s): | libnss-db | CVE #(s): | CVE-2010-0826 | ||||||||||||||||||||||||
| Created: | April 1, 2010 | Updated: | May 28, 2010 | ||||||||||||||||||||||||
| Description: | From the Ubuntu advisory: Stephane Chazelas discovered that libnss-db did not correctly set up a database environment. A local attacker could exploit this to read the first line of arbitrary files, leading to a loss of privacy and possibly privilege escalation. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
mahara: SQL injection
| Package(s): | mahara | CVE #(s): | CVE-2010-0400 | ||||
| Created: | April 7, 2010 | Updated: | April 7, 2010 | ||||
| Description: | The mahara electronic portfolio system does not properly escape input when generating user names, enabling an SQL injection attack and the compromise of the database. | ||||||
| Alerts: |
| ||||||
openssl: denial of service
| Package(s): | openssl | CVE #(s): | CVE-2010-0740 | ||||||||||||||||||||
| Created: | April 1, 2010 | Updated: | April 20, 2010 | ||||||||||||||||||||
| Description: | From the CVE entry: The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
pidgin-sipe: unspecified vulnerability
| Package(s): | pidgin-sipe | CVE #(s): | |||||||||
| Created: | April 5, 2010 | Updated: | April 7, 2010 | ||||||||
| Description: | See the comments to this update: The security update is "NTLMv2 and NTLMv2 Session Security support (pier11)" -- previously it only supported the insecure NTMLv1. | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>