Security
An interesting DNSSEC amplification
A recent report clearly demonstrates that computer security is not exempt from the "law of unintended consequences". As DNSSEC (Domain Name System Security Extensions) is rolled out, we will likely see various kinds of unanticipated problems in that system which is meant to secure the internet name resolution process. One of the concerns about DNSSEC has always been the amount of additional traffic it would generate, as well as the processing burden on DNS servers—both of those came into play here.
The report from Cisco reads a bit like a detective story. A particular DNS server saw a sudden 2-3x increase in its traffic, which at first glance appeared to be some kind of denial of service (DoS) attack. Further investigation showed that the query rate jumped from tens of queries per second (qps) to around 3000 qps. Because it was a DNSSEC-signed zone, each query required two responses—a key resource record (DNSKEY RR) and a signature RR (RRSIG RR)—totaling more than 1K in size. That led to response traffic of 35 megabits per second (3000+ queries/s x 1K+ bytes).
When a small amount of data can be sent that generates a much larger response, there is an "amplification" effect going on. That means that an attacker can use much less of a resource, bandwidth, say, than the victim must use to respond. So, a small bandwidth investment, spread out over a large number of attackers (in a DDoS, distributed DoS), can easily cause a victim to generate more traffic than it can handle. Because DNS typically uses UDP to eliminate the connection establishment overhead of TCP, it also makes it easier for attackers, as they don't need to use state-tracking resources on their end. These kinds of amplification attacks are well-known for the existing DNS. It is also understood that DNSSEC adds other amplification possibilities, but those known cases were not the cause of the problem that Cisco investigated.
In analyzing the data from this event, it was determined that a very small fraction of clients (1,000 out of 500,000-1,000,000 daily unique clients) were making repeated queries for the same DNSKEY RR. It could have been from some kind of bug in certain DNS clients, but because the event was so sudden, it suggested that there was some kind of "external trigger". An obvious trigger would be a change to the DNS information being served and that was in fact the case: the cryptographic keys had been changed on the day of the traffic increase.
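The analysis described above (a handful of clients repeatedly asking for the same DNSKEY, and the bandwidth those answers cost) is the kind of check an operator can script against a query log. The following is an added example, not code from the Cisco report or from this article; the log line format is an assumed approximation of BIND's query log, and every address and count in it is constructed for illustration.

```python
import re
from collections import Counter

# Assumed (approximate BIND-style) query-log line format:
#   client <ip>#<port>: query: <qname> IN <qtype> <flags>
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample log: 192.0.2.10 and 203.0.113.7 keep re-asking for the
# example.com DNSKEY, as a validator with a stale trust anchor would; the other
# two clients behave normally. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
client 192.0.2.10#53412: query: example.com IN DNSKEY +ED
client 198.51.100.5#40001: query: www.example.com IN A +E
client 192.0.2.10#53413: query: example.com IN DNSKEY +ED
client 192.0.2.11#50100: query: example.com IN DNSKEY +ED
client 203.0.113.7#60001: query: example.com IN DNSKEY +ED
client 192.0.2.10#53414: query: example.com IN DNSKEY +ED
client 203.0.113.7#60002: query: example.com IN DNSKEY +ED
client 192.0.2.11#50101: query: www.example.com IN A +E
client 192.0.2.10#53415: query: example.com IN DNSKEY +ED
client 203.0.113.7#60003: query: example.com IN DNSKEY +ED
client 198.51.100.5#40002: query: example.com IN A +E
"""

def parse_queries(log_text):
    """Return (client, qname, qtype) for every line that matches QUERY_RE."""
    hits = (QUERY_RE.search(line) for line in log_text.splitlines())
    return [(m["client"], m["qname"].lower(), m["qtype"].upper()) for m in hits if m]

def repeat_dnskey_clients(queries, threshold=3):
    """Clients that asked for the same DNSKEY at least `threshold` times,
    mapped to that repeat count (the largest one if several names qualify)."""
    per_name = Counter((c, q) for c, q, t in queries if t == "DNSKEY")
    flagged = {}
    for (client, _), n in per_name.items():
        if n >= threshold and n > flagged.get(client, 0):
            flagged[client] = n
    return flagged

def summarize(queries, threshold=3):
    """Fraction of clients flagged and the share of all DNSKEY queries they sent."""
    clients = {c for c, _, _ in queries}
    flagged = repeat_dnskey_clients(queries, threshold)
    dnskey = [c for c, _, t in queries if t == "DNSKEY"]
    return {
        "clients": len(clients),
        "flagged": sorted(flagged),
        "client_fraction": len(flagged) / max(len(clients), 1),
        "dnskey_share": sum(1 for c in dnskey if c in flagged) / max(len(dnskey), 1),
    }

def response_mbps(qps, response_bytes):
    """Outbound bandwidth needed to answer `qps` queries of `response_bytes` each."""
    return qps * response_bytes * 8 / 1e6

if __name__ == "__main__":
    print(summarize(parse_queries(SAMPLE_LOG)))
    print("%.1f Mbit/s to answer 3000 qps with 1 KiB responses" % response_mbps(3000, 1024))
```

On the sample log, half of the clients are flagged but they account for seven of the eight DNSKEY queries, which is the "tiny fraction of clients, most of the load" pattern the report describes.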
Normally, a key rollover is handled by keeping both keys around for an overlap period and signing resource records with both keys during that time. Either key can be used to verify the signature during the overlap, and eventually the old key can be deprecated and then removed. Keys are signed by a parent server's key (i.e. example.com's key is signed by the .com server's key), all the way up to the key used to sign the root keys. Today, those root keys are often stored locally by the client as a "Trust Anchor". If a client cannot verify a signature with a key that it has in its cache, it will request a new key from the parent, because it assumes the key has changed.
Before it requests a key from the parent, though, it re-requests the key from the server it is talking to, because it assumes that it is getting bogus responses from some kind of attack. If it really were an attack, that would be the right response, but if there were some misconfiguration on the part of the client, it would just make the problem worse. It turns out that some clients were distributed with a static set of Trust Anchors. Once those keys were rolled over, those clients were out of date and could no longer resolve names associated with those parts of the DNS hierarchy.
But the amplification turns out to be quite a bit larger than just a handful of retries against an affected server. When a client cannot verify a signature, it will do a depth-first search of the alternative name servers, querying each server to try to find keys that it can use. There are 14 .com name servers, and potentially several name servers for example.com. This leads to a combinatorial explosion of sorts, where a query for a single host name (test.example.com for example) in a simple configuration (two example.com name servers) leads to 844 separate queries.
Other, much worse, scenarios are described in the report. It is interesting that perfectly reasonable behavior by clients who have ended up with outdated information can lead to such a huge increase in the traffic that DNS servers, especially the root servers, may have to handle. The conclusion from the Cisco report is certainly eye-opening:
This aspect of a qualitative change of the DNS is unavoidable, and it places a strong imperative on DNS operations and the community of the 5 million current and uncountable future DNS resolvers to understand that "set and forget" is not the intended mode of operation of DNSSEC-equipped clients.
The last paragraph is particularly worrisome. One would guess that a few years down the road, most clients will be DNSSEC-equipped. And most will be in the hands of users who know nothing about key rollover, amplification, DoS, or, for that matter, DNS or DNSSEC. It will be up to the vendors and distributors to ensure that the "forget" part of "set and forget" doesn't happen. It is not hard to envision some kind of nasty apocalypse lurking for DNSSEC if that's not the case.
Brief items
Quotes of the week
Why would we want to terrorize our own population by doing exactly what we don't want anyone else to do? And a national emergency is precisely the worst time to do it.
New vulnerabilities
abrt: unnecessary setuid
Package(s): abrt
CVE #(s): (none listed)
Created: July 8, 2010   Updated: July 14, 2010
Description: From the MeeGo advisory: The file /usr/libexec/abrt-hook-python is setuid as the abrt user. As there is no explicit reason to be setuid as the abrt user, this violates best known practices for security; specifically by not using the principles of least privilege and unintentionally expanding the attackable surface area of MeeGo.
cups: multiple vulnerabilities
Package(s): cups
CVE #(s): CVE-2010-2431 CVE-2010-2432
Created: July 8, 2010   Updated: October 10, 2011
Description: From the Pardus advisory:
CVE-2010-2431: The cupsFileOpen function in CUPS before 1.4.4 allows local users, with lp group membership, to overwrite arbitrary files via a symlink attack on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache file.
CVE-2010-2432: The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.
ghostscript: multiple vulnerabilities
Package(s): ghostscript
CVE #(s): CVE-2009-4270 CVE-2009-4897 CVE-2010-1628
Created: July 14, 2010   Updated: August 19, 2010
Description: From the Ubuntu advisory:
David Srbecky discovered that Ghostscript incorrectly handled debug logging. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-4270)
It was discovered that Ghostscript incorrectly handled certain malformed files. If a user or automated system were tricked into opening a crafted Postscript or PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-4897)
Dan Rosenberg discovered that Ghostscript incorrectly handled certain recursive Postscript files. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2010-1628)
gnomine: unnecessary setgid
Package(s): gnomine
CVE #(s): (none listed)
Created: July 8, 2010   Updated: July 15, 2010
Description: From the MeeGo advisory: The /usr/bin/gnomine binary is setgid for the games group. There is no explicit reason to be setgid and this violates best known practices for security; specifically by not using the principles of least privilege and unintentionally expanding the attackable surface area of MeeGo.
gv: multiple vulnerabilities
Package(s): gv
CVE #(s): CVE-2010-2055 CVE-2010-2056
Created: July 9, 2010   Updated: February 6, 2012
Description: From the Red Hat bugzilla: A deficiency in the way gv handled temporary file creation, when used for opening Portable Document Format (PDF) files. A local attacker could use this flaw to conduct symlink attacks, potentially leading to denial of service (unauthorized overwrite of file content). (CVE-2010-2056)
From the Red Hat bugzilla: A security flaw was found in the way gs handled its initialization: 1, certain files in current working directory were honored at startup, 2, explicit use of "-P-" command line option, did not prevent ghostscript from execution of PostScript commands, contained within "gs_init.ps" file. A local attacker could use this flaw to execute arbitrary PostScript commands, if the victim was tricked into opening a PostScript file in the directory of attacker's intent. (CVE-2010-2055)
kernel: multiple vulnerabilities
Package(s): kernel kernel-pae
CVE #(s): CVE-2010-1641 CVE-2010-2071 CVE-2010-2066
Created: July 8, 2010   Updated: March 8, 2011
Description: From the Pardus advisory:
CVE-2010-1641: The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.
CVE-2010-2071: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.
CVE-2010-2066: If the donor file is an append-only file, we should not allow the operation to proceed, lest we end up overwriting the contents of an append-only file.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2010-2478 CVE-2010-2495
Created: July 9, 2010   Updated: March 28, 2011
Description: From the Red Hat bugzilla: On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service. (CVE-2010-2478)
From the Red Hat bugzilla: When transmitting L2TP frames, we derive the outgoing interface's UDP checksum hardware assist capabilities from the tunnel dst dev. This can sometimes be NULL, especially when routing protocols are used and routing changes occur. This patch just checks for NULL dst or dev pointers when checking for netdev hardware assist features. (CVE-2010-2495)
libmikmod: arbitrary code execution
Package(s): libmikmod
CVE #(s): CVE-2009-3996
Created: July 8, 2010   Updated: October 11, 2010
Description: From the MeeGo advisory: Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file.
libtiff: denial of service
Package(s): libtiff
CVE #(s): CVE-2010-2598
Created: July 8, 2010   Updated: March 15, 2011
Description: From the Red Hat advisory: An input validation flaw was discovered in libtiff. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2598)
libtiff: multiple denial of service flaws
Package(s): libtiff
CVE #(s): CVE-2010-2481 CVE-2010-2483 CVE-2010-2595 CVE-2010-2597
Created: July 8, 2010   Updated: March 15, 2011
Description: From the Red Hat advisory: Multiple input validation flaws were discovered in libtiff. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2481, CVE-2010-2483, CVE-2010-2595, CVE-2010-2597)
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): CVE-2010-0653 CVE-2010-1993
Created: July 14, 2010   Updated: August 2, 2010
Description: From the openSUSE advisory:
CVE-2010-0653: Opera permits cross-origin loading of CSS style sheets even when the style sheet download has an incorrect MIME type and the style sheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document.
CVE-2010-1993: Opera 9.52 does not properly handle an IFRAME element with a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (resource consumption) via an HTML document with many IFRAME elements.
pam: local root privilege escalation
Package(s): pam
CVE #(s): CVE-2010-0832
Created: July 8, 2010   Updated: October 26, 2010
Description: From the Ubuntu advisory: Denis Excoffier discovered that the PAM MOTD module in Ubuntu did not correctly handle path permissions when creating user file stamps. A local attacker could exploit this to gain root privileges.
python-cjson: denial of service
Package(s): python-cjson
CVE #(s): CVE-2010-1666
Created: July 12, 2010   Updated: July 21, 2010
Description: From the Debian advisory: Matt Giuca discovered a buffer overflow in python-cjson, a fast JSON encoder/decoder for Python. This allows a remote attacker to cause a denial of service (application crash) through a specially-crafted Python script.
python-mako: cross-site scripting
Package(s): python-mako
CVE #(s): CVE-2010-2480
Created: July 8, 2010   Updated: September 29, 2010
Description: From the Fedora advisory: Fix potential single-quoting XSS vulnerability.
qt: multiple vulnerabilities
Package(s): qt webkit
CVE #(s): CVE-2009-2841 CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
Created: July 13, 2010   Updated: March 2, 2011
Description: From the Red Hat bugzilla: A security flaw was found in the way WebKit used to handle media elements (audio and video tags). A remote attacker could provide a specially-crafted document, requesting loading of sub-resources (such as remote URLs), which would be normally disallowed by the callback function(s). (CVE-2009-2841)
From the Red Hat bugzilla: An off by one memory corruption issue exists in WebSocketHandshake::readServerHandshake(). This issue is addressed by improved bounds checking. (CVE-2010-1766)
From the Red Hat bugzilla: A use after free issue exists in WebKit's handling of geolocation events. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of geolocation events. (CVE-2010-1772)
From the Red Hat bugzilla: An off by one memory read out of bounds issue exists in WebKit's handling of HTML lists. Visiting a maliciously crafted website may lead to an unexpected application termination or the disclosure of the contents of memory. This issue is addressed through improved bounds checking. (CVE-2010-1773)
scsi-target-utils: denial of service
Package(s): scsi-target-utils
CVE #(s): CVE-2010-2221
Created: July 8, 2010   Updated: June 21, 2011
Description: From the Red Hat advisory: Multiple buffer overflow flaws were found in scsi-target-utils' tgtd daemon. A remote attacker could trigger these flaws by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash. (CVE-2010-2221)
w3m: man-in-the-middle attack
Package(s): w3m
CVE #(s): CVE-2010-2074
Created: July 9, 2010   Updated: October 19, 2012
Description: From the CVE entry: istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
znc: denial of service
Package(s): znc
CVE #(s): CVE-2010-2448
Created: July 12, 2010   Updated: July 14, 2010
Description: From the Debian advisory: It was discovered that znc, an IRC bouncer, is vulnerable to denial of service attacks via a NULL pointer dereference when traffic statistics are requested while there is an unauthenticated connection.
Page editor: Jake Edge