Security

An interesting DNSSEC amplification

By Jake Edge
July 14, 2010

A recent report clearly demonstrates that computer security is not exempt from the "law of unintended consequences". As DNSSEC (Domain Name System Security Extensions) is rolled out, we will likely see various kinds of unanticipated problems in that system which is meant to secure the internet name resolution process. One of the concerns about DNSSEC has always been the amount of additional traffic it would generate, as well as the processing burden on DNS servers—both of those came into play here.

The report from Cisco reads a bit like a detective story. A particular DNS server saw a sudden 2-3x increase in its traffic, which at first glance appeared to be some kind of denial of service (DoS) attack. Further investigation showed that the query rate jumped from tens of queries per second (qps) to around 3000 qps. Because it was a DNSSEC signed zone, each query required two responses—a key resource record (DNSKEY RR) and a signature RR (RRSIG RR)—totaling more than 1K in size. That led to response traffic of 35 megabits per second (3000+ queries x 1K+ bytes).

When a small amount of data can be sent that generates a much larger response, there is an "amplification" effect going on. That means that an attacker can use much less of a resource, bandwidth say, than the victim must use to respond. So, a small bandwidth investment, spread out over a large number of attackers (in a DDoS, distributed DoS), can easily cause a victim to generate more traffic than it can handle. Because DNS typically uses UDP to eliminate the connection establishment overhead of TCP, it also makes it easier for attackers, as they don't need to use state-tracking resources on their end. These kinds of amplification attacks are well-known for the existing DNS. It is also understood that DNSSEC adds other amplification possibilities, but those known cases were not the cause of the problem that Cisco investigated.

In analyzing the data from this event, it was determined that a very small fraction of clients (1,000 out of 500,000-1,000,000 daily unique clients) were making repeated queries for the same DNSKEY RR. It could have been from some kind of bug in certain DNS clients, but because the event was so sudden, it suggested that there was some kind of "external trigger". An obvious trigger would be a change to the DNS information being served and that was in fact the case: the cryptographic keys had been changed on the day of the traffic increase.
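The symptom the Cisco investigators keyed on, a small set of clients asking for the same DNSKEY RR over and over, is something a zone operator can watch for in query logs. The following Python is an added example, not code from the article or the report. It assumes a log format of one query per line ("epoch-seconds client qname qtype"), a constructed sample log, and the article's figure of roughly 1K bytes per DNSKEY+RRSIG response for the bandwidth estimate; the 60-second window and 20-query threshold are assumptions to tune.

```python
"""Flag resolvers that repeatedly re-ask a signed zone for the same DNSKEY RR.

Added example (not from the LWN article or the Cisco report). The log format
is an assumption: one query per line, "<epoch-seconds> <client-ip> <qname> <qtype>".
"""
from collections import defaultdict

# Constructed sample: two misbehaving validators re-ask for the example.com
# DNSKEY 50 times a second for six seconds, alongside ordinary A lookups from
# 200 other clients and one normal key fetch.
SAMPLE_LOG = "\n".join(
    [f"{1279065600 + i // 50} 192.0.2.10 example.com DNSKEY" for i in range(300)]
    + [f"{1279065600 + i // 50} 192.0.2.11 example.com DNSKEY" for i in range(300)]
    + [f"{1279065600 + i} 198.51.100.{i % 200 + 1} www.example.com A" for i in range(400)]
    + ["1279065601 198.51.100.7 example.com DNSKEY"]
)


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        try:
            yield int(ts), client, qname.lower().rstrip("."), qtype.upper()
        except ValueError:
            continue


def dnskey_repeaters(text, window=60, threshold=20):
    """Return {client: total DNSKEY queries} for clients that asked for the same
    DNSKEY RR more than `threshold` times inside any `window`-second span.

    A healthy validator caches a DNSKEY RRset for its TTL; tens of identical
    queries within a minute mean the client is rejecting the answer (stale
    trust anchor, clock skew, or a real attack on it) and retrying."""
    per_key = defaultdict(list)  # (client, qname) -> timestamps
    for ts, client, qname, qtype in parse_log(text):
        if qtype == "DNSKEY":
            per_key[(client, qname)].append(ts)
    flagged = {}
    for (client, _qname), times in per_key.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[client] = max(flagged.get(client, 0), len(times))
                break
    return flagged


def summarize(text, window=60, threshold=20, response_bytes=1024):
    """Fraction of clients flagged, peak DNSKEY qps, and the response bandwidth
    that peak implies at `response_bytes` per answer (the article's ~1K)."""
    clients = set()
    per_second = defaultdict(int)
    for ts, client, _qname, qtype in parse_log(text):
        clients.add(client)
        if qtype == "DNSKEY":
            per_second[ts] += 1
    flagged = dnskey_repeaters(text, window, threshold)
    peak = max(per_second.values(), default=0)
    return {
        "clients": len(clients),
        "flagged": sorted(flagged),
        "flagged_fraction": len(flagged) / max(1, len(clients)),
        "peak_dnskey_qps": peak,
        "peak_response_bps": peak * response_bytes * 8,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The check deliberately keys on (client, qname) pairs rather than raw query volume, so a busy but healthy recursive resolver that asks once per TTL is not flagged, while a validator stuck in a retry loop is.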

Normally, a key rollover is handled by keeping both keys around for an overlap period and signing resource records with both keys during that time. Either key can be used to verify the signature during the overlap, and eventually the old key can be deprecated and then removed. Keys are signed by a parent server's key (i.e. example.com's key is signed by the .com server's key), all the way up to the key used to sign the root keys. Today, those root keys are often stored locally by the client as a "Trust Anchor". If a client cannot verify a signature with a key that it has in its cache, it will request a new key from the parent, because it assumes the key has changed.

Before it requests a key from the parent, though, it re-requests the key from the server it is talking to, because it assumes that it is getting bogus responses from some kind of attack. If it really were an attack, that would be the right response, but if there were some misconfiguration on the part of the client, it would just make the problem worse. It turns out that some clients were distributed with a static set of Trust Anchors. Once those keys were rolled over, those clients were out of date and could no longer resolve names associated with those parts of the DNS hierarchy.

But, the amplification turns out to be quite a bit larger than just a handful of retries for an affected server. When a client cannot verify a signature, it will do a depth-first search of the alternative name servers, querying each server to try to find keys that it can use. There are 14 .com name servers, and potentially several name servers for example.com. This leads to a combinatorial explosion of sorts, where a query for a single host name (test.example.com for example) in a simple configuration (two example.com name servers) leads to 844 separate queries.
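To make the overlap period and the stale-anchor fan-out concrete, here is an added example in Python; it is not code from the article or from the Cisco report. The "signatures" are SHA-256 hashes over a key secret and the record data, a toy stand-in for DNSKEY/RRSIG cryptography. The two zone servers and 14 parent servers match the configuration the article describes, but the search model (one DNSKEY re-query at each zone server, and for each of those one DS query at each parent server) is a simplification of my own and does not reproduce the report's 844-query figure; the server names, key tags and secrets are constructed.

```python
"""Toy model of a DNSSEC key rollover and a validator holding a stale trust anchor.

Added example, not code from the LWN article or the Cisco report. Signatures are
SHA-256 over (key secret, data), a stand-in for DNSKEY/RRSIG cryptography; the
retry fan-out is a deliberately simplified depth-first model.
"""
import hashlib
from dataclasses import dataclass


def toy_sign(key_secret: str, data: str) -> str:
    """Toy RRSIG: a hash binding the signing key to the record data."""
    return hashlib.sha256(f"{key_secret}|{data}".encode()).hexdigest()


@dataclass
class Zone:
    name: str
    servers: list          # authoritative servers for this zone (constructed names)
    parent_servers: list   # parent zone's servers, where the DS record lives
    keys: dict             # key tag -> secret: the currently published DNSKEY RRset

    def answer(self, rrname: str, rdata: str):
        """Answer with one RRSIG per published key; during the overlap both keys sign."""
        return rdata, {tag: toy_sign(secret, rrname + rdata) for tag, secret in self.keys.items()}

    def start_rollover(self, new_tag: int, new_secret: str) -> None:
        self.keys[new_tag] = new_secret   # new key published, old key still signing

    def finish_rollover(self, old_tag: int) -> None:
        del self.keys[old_tag]            # overlap period over: old key withdrawn


@dataclass
class Validator:
    trust_anchors: dict    # key tag -> secret this client trusts

    def resolve(self, zone: Zone, rrname: str, rdata: str):
        """Return (validated, queries_sent) for one lookup."""
        queries = 1                                   # the original question
        rdata, rrsigs = zone.answer(rrname, rdata)
        for tag, sig in rrsigs.items():
            secret = self.trust_anchors.get(tag)
            if secret is not None and toy_sign(secret, rrname + rdata) == sig:
                return True, queries
        # No trusted key verifies the answer. The validator assumes it is being
        # fed bogus data and searches every server for a key it can use: a
        # DNSKEY re-query at each zone server, and for each of those a DS query
        # at each parent server (simplified model of the report's search).
        for _ in zone.servers:
            queries += 1
            queries += len(zone.parent_servers)
        return False, queries


def rollover_scenario() -> dict:
    """Walk a stale and a maintained validator through a full key rollover."""
    zone = Zone("example.com", servers=["ns1", "ns2"],
                parent_servers=[f"{c}.gtld-servers.test" for c in "abcdefghijklmn"],
                keys={100: "old-secret"})
    name, addr = "test.example.com", "192.0.2.1"    # constructed record
    stale = Validator(trust_anchors={100: "old-secret"})       # shipped statically
    maintained = Validator(trust_anchors={100: "old-secret"})  # tracks key changes
    out = {"before": stale.resolve(zone, name, addr)}
    zone.start_rollover(200, "new-secret")
    maintained.trust_anchors = dict(zone.keys)   # learns the new key during the overlap
    out["overlap_stale"] = stale.resolve(zone, name, addr)
    out["overlap_maintained"] = maintained.resolve(zone, name, addr)
    zone.finish_rollover(100)
    out["after_stale"] = stale.resolve(zone, name, addr)
    out["after_maintained"] = maintained.resolve(zone, name, addr)
    return out


if __name__ == "__main__":
    for stage, (ok, n) in rollover_scenario().items():
        print(f"{stage:20s} validated={ok!s:5s} queries={n}")
```

Both clients validate with a single query while the old key is still signing; once it is withdrawn, the client that never updated its trust anchor fails every lookup and, under this model, sends 31 queries per name instead of one. The real search described in the report is deeper, which is why its count is far higher.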

Other, much worse, scenarios are described in the report. It is interesting that perfectly reasonable behavior by clients who have ended up with outdated information can lead to such a huge increase in the traffic that DNS servers, especially the root servers, may have to handle. The conclusion from the Cisco report is certainly eye-opening:

It is an inherent quality of the DNSSEC deployment that in seeking to prevent lies, an aspect of the stability of the DNS has been weakened. When a client falls out of synchronization with the current key state of DNSSEC, it will mistake the current truth for an attempt to insert a lie. The subsequent efforts of the client to perform a rapid search for what it believes to be a truthful response could reasonably be construed as a legitimate response, if indeed this instance was an attack on that particular client. Indeed, to do otherwise would be to permit the DNS to remain an untrustable source of information. However, in this situation of slippage of synchronized key state between client and server, the effect is both local failure and the generation of excess load on external servers, and if this situation is allowed to become a common state, it has the potential to broaden the failure state to a more general DNS service failure through load saturation of critical DNS servers.

This aspect of a qualitative change of the DNS is unavoidable, and it places a strong imperative on DNS operations and the community of the 5 million current and uncountable future DNS resolvers to understand that "set and forget" is not the intended mode of operation of DNSSEC-equipped clients.

The last paragraph is particularly worrisome. One would guess that a few years down the road, most clients will be DNSSEC-equipped. And most will be in the hands of users who know nothing about key rollover, amplification, DoS, or, for that matter, DNS or DNSSEC. It will be up to the vendors and distributors to ensure that the "forget" part of "set and forget" doesn't happen. It is not hard to envision some kind of nasty apocalypse lurking for DNSSEC if that's not the case.


Brief items

Quotes of the week

Yay Brazil! They're making it illegal to use DRM to prevent "fair dealing" with copyrighted works, or access to works which are in the public domain. It's also legal to "crack" DRM if you're only doing it for the purpose of "fair dealing".
-- David Woodhouse

For years we've been bombarded with scare stories about terrorists wanting to shut the Internet down. They're mostly fairy tales, but they're scary precisely because the Internet is so critical to so many things.

Why would we want to terrorize our own population by doing exactly what we don't want anyone else to do? And a national emergency is precisely the worst time to do it.

-- Bruce Schneier on the "internet kill switch"


New vulnerabilities

abrt: unnecessary setuid

Package(s): abrt
CVE #(s): none
Created: July 8, 2010
Updated: July 14, 2010
Description:

From the MeeGo advisory:

The file /usr/libexec/abrt-hook-python is setuid as the abrt user. As there is no explicit reason to be setuid as the abrt user, this violates best known practices for security; specifically by not using the principles of least privilege and unintentionally expanding the attackable surface area of MeeGo.

Alerts:
MeeGo MeeGo-SA-10:03 abrt 2010-07-07


cups: multiple vulnerabilities

Package(s): cups
CVE #(s): CVE-2010-2431 CVE-2010-2432
Created: July 8, 2010
Updated: October 10, 2011
Description:

From the Pardus advisory:

CVE-2010-2431: The cupsFileOpen function in CUPS before 1.4.4 allows local users, with lp group membership, to overwrite arbitrary files via a symlink attack on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache file.

CVE-2010-2432: The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.

Alerts:
Gentoo 201207-10 cups 2012-07-09
Mandriva MDVSA-2011:146 cups 2011-10-11
Debian DSA-2176-1 cups 2011-03-02
Mandriva MDVSA-2010:234 cups 2010-11-15
Mandriva MDVSA-2010:232 cups 2010-11-15
CentOS CESA-2010:0811 cups 2010-11-01
Red Hat RHSA-2010:0811-01 cups 2010-10-28
Pardus 2010-95 cups 2010-07-08


ghostscript: multiple vulnerabilities

Package(s): ghostscript
CVE #(s): CVE-2009-4270 CVE-2009-4897 CVE-2010-1628
Created: July 14, 2010
Updated: August 19, 2010
Description: From the Ubuntu advisory:

David Srbecky discovered that Ghostscript incorrectly handled debug logging. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-4270)

It was discovered that Ghostscript incorrectly handled certain malformed files. If a user or automated system were tricked into opening a crafted Postscript or PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-4897)

Dan Rosenberg discovered that Ghostscript incorrectly handled certain recursive Postscript files. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2010-1628)

Alerts:
Gentoo 201412-17 ghostscript-gpl 2014-12-13
Debian DSA-2093-1 ghostscript 2010-08-19
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
Fedora FEDORA-2010-11376 ghostscript 2010-07-23
Fedora FEDORA-2010-11325 ghostscript 2010-07-23
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Pardus 2010-101 ghostscript 2010-08-02
openSUSE openSUSE-SU-2010:0425-2 ghostscript 2010-08-02
Debian DSA-2080-1 ghostscript 2010-08-01
openSUSE openSUSE-SU-2010:0425-1 ghostscript 2010-07-23
Mandriva MDVSA-2010:136 ghostscript 2010-07-15
Mandriva MDVSA-2010:135 ghostscript 2010-07-15
Mandriva MDVSA-2010:134 ghostscript 2010-07-15
Ubuntu USN-961-1 ghostscript 2010-07-13


gnomine: unnecessary setgid

Package(s): gnomine
CVE #(s): none
Created: July 8, 2010
Updated: July 15, 2010
Description:

From the MeeGo advisory:

The /usr/bin/gnomine binary is setgid for the games group. There is no explicit reason to be setgid and this violates best known practices for security; specifically by not using the principles of least privilege and unintentionally expanding the attackable surface area of MeeGo.

Alerts:
MeeGo MeeGo-SA-10:09 gnomine 2010-07-07


gv: multiple vulnerabilities

Package(s): gv
CVE #(s): CVE-2010-2055 CVE-2010-2056
Created: July 9, 2010
Updated: February 6, 2012
Description: From the Red Hat bugzilla:

A deficiency in the way gv handled temporary file creation, when used for opening Portable Document Format (PDF) files. A local attacker could use this flaw to conduct symlink attacks, potentially leading to denial of service (unauthorized overwrite of file content). (CVE-2010-2056)

From the Red Hat bugzilla:

A security flaw was found in the way gs handled its initialization: 1, certain files in current working directory were honored at startup, 2, explicit use of "-P-" command line option, did not prevent ghostscript from execution of PostScript commands, contained within "gs_init.ps" file.

A local attacker could use this flaw to execute arbitrary PostScript commands, if the victim was tricked into opening a PostScript file in the directory of attacker's intent. (CVE-2010-2055)

Alerts:
Gentoo 201412-17 ghostscript-gpl 2014-12-13
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Oracle ELSA-2012-0095 ghostscript 2012-02-03
Oracle ELSA-2012-0096 ghostscript 2012-02-03
Scientific Linux SL-ghos-20120203 ghostscript 2012-02-03
CentOS CESA-2012:0095 ghostscript 2012-02-03
Red Hat RHSA-2012:0095-01 ghostscript 2012-02-02
MeeGo MeeGo-SA-10:35 ghostscript 2010-11-03
Mandriva MDVSA-2010:159 gv 2010-08-23
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
openSUSE openSUSE-SU-2010:0425-2 ghostscript 2010-08-02
openSUSE openSUSE-SU-2010:0451-1 ghostscript 2010-08-02
Fedora FEDORA-2010-14633 ghostscript 2010-09-15
Fedora FEDORA-2010-14640 ghostscript 2010-09-15
openSUSE openSUSE-SU-2010:0425-1 ghostscript 2010-07-23
Fedora FEDORA-2010-10642 gv 2010-07-01
Fedora FEDORA-2010-10660 gv 2010-07-01


kernel: multiple vulnerabilities

Package(s): kernel kernel-pae
CVE #(s): CVE-2010-1641 CVE-2010-2071 CVE-2010-2066
Created: July 8, 2010
Updated: March 8, 2011
Description:

From the Pardus advisory:

CVE-2010-1641: The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.

CVE-2010-2071: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.

CVE-2010-2066: If the donor file is an append-only file, we should not allow the operation to proceed, lest we end up overwriting the contents of an append-only file.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
MeeGo MeeGo-SA-10:38 kernel 2010-10-09
Fedora FEDORA-2010-18983 kernel 2010-12-17
openSUSE openSUSE-SU-2010:0664-1 Linux 2010-09-23
Fedora FEDORA-2010-14235 kernel 2010-09-08
CentOS CESA-2010:0610 kernel 2010-08-11
Red Hat RHSA-2010:0610-01 kernel 2010-08-10
openSUSE openSUSE-SU-2010:0481-1 Linux Kernel 2010-08-09
Ubuntu USN-966-1 linux, linux-{source-2.6.15,ec2,mvl-dove,ti-omap} 2010-08-04
Fedora FEDORA-2010-11412 kernel 2010-07-27
SUSE SUSE-SA:2010:033 kernel 2010-08-02
Ubuntu USN-1000-1 kernel 2010-10-19
Fedora FEDORA-2010-10876 kernel 2010-07-07
Fedora FEDORA-2010-10880 kernel 2010-07-07
Pardus 2010-94 kernel kernel-pae 2010-07-08
SUSE SUSE-SA:2010:031 kernel 2010-07-20
openSUSE openSUSE-SU-2010:0397-1 Linux Kernel 2010-07-19
CentOS CESA-2010:0504 kernel 2010-07-02


kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2010-2478 CVE-2010-2495
Created: July 9, 2010
Updated: March 28, 2011
Description: From the Red Hat bugzilla:

On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service. (CVE-2010-2478)

From the Red Hat bugzilla:

When transmitting L2TP frames, we derive the outgoing interface's UDP checksum hardware assist capabilities from the tunnel dst dev. This can sometimes be NULL, especially when routing protocols are used and routing changes occur. This patch just checks for NULL dst or dev pointers when checking for netdev hardware assist features. (CVE-2010-2495)

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Fedora FEDORA-2010-18983 kernel 2010-12-17
openSUSE openSUSE-SU-2010:0664-1 Linux 2010-09-23
SUSE SUSE-SA:2010:040 kernel 2010-09-13
Fedora FEDORA-2010-14235 kernel 2010-09-08
Ubuntu USN-1000-1 kernel 2010-10-19
Pardus 2010-112 kernel kernel-pae 2010-08-12
SUSE SUSE-SA:2010:033 kernel 2010-08-02
Fedora FEDORA-2010-10880 kernel 2010-07-07
Fedora FEDORA-2010-10876 kernel 2010-07-07


libmikmod: arbitrary code execution

Package(s): libmikmod
CVE #(s): CVE-2009-3996
Created: July 8, 2010
Updated: October 11, 2010
Description:

From the MeeGo advisory:

Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file.

Alerts:
Ubuntu USN-995-1 libmikmod 2010-09-29
Red Hat RHSA-2010:0720-01 mikmod 2010-09-28
Fedora FEDORA-2010-13702 libmikmod 2010-08-30
CentOS CESA-2010:0720 mikmod 2010-10-10
CentOS CESA-2010:0720 mikmod 2010-09-29
Mandriva MDVSA-2010:151 libmikmod 2010-08-16
Debian DSA-2071-1 libmikmod 2010-07-14
MeeGo MeeGo-SA-10:04 libmikmod 2010-07-07


libtiff: denial of service

Package(s): libtiff
CVE #(s): CVE-2010-2598
Created: July 8, 2010
Updated: March 15, 2011
Description:

From the Red Hat advisory:

An input validation flaw was discovered in libtiff. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2598)

Alerts:
Ubuntu USN-1085-2 tiff 2011-03-15
Ubuntu USN-1085-1 tiff 2011-03-07
CentOS CESA-2010:0520 libtiff 2010-08-16
Red Hat RHSA-2010:0520-01 libtiff 2010-07-08


libtiff: multiple denial of service flaws

Package(s): libtiff
CVE #(s): CVE-2010-2481 CVE-2010-2483 CVE-2010-2595 CVE-2010-2597
Created: July 8, 2010
Updated: March 15, 2011
Description:

From the Red Hat advisory:

Multiple input validation flaws were discovered in libtiff. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2481, CVE-2010-2483, CVE-2010-2595, CVE-2010-2597)

Alerts:
Debian DSA-2552-1 tiff 2012-09-26
Gentoo 201209-02 tiff 2012-09-23
Ubuntu USN-1085-2 tiff 2011-03-15
Ubuntu USN-1085-1 tiff 2011-03-07
MeeGo MeeGo-SA-10:27 libtiff 2010-09-03
MeeGo MeeGo-SA-10:34 libtiff 2010-10-09
rPath rPSA-2010-0064-1 libtiff 2010-10-17
Mandriva MDVSA-2010:146 libtiff 2010-08-06
Mandriva MDVSA-2010:145 libtiff 2010-08-06
CentOS CESA-2010:0519 libtiff 2010-07-14
CentOS CESA-2010:0519 libtiff 2010-07-21
Red Hat RHSA-2010:0519-01 libtiff 2010-07-08


opera: multiple vulnerabilities

Package(s): opera
CVE #(s): CVE-2010-0653 CVE-2010-1993
Created: July 14, 2010
Updated: August 2, 2010
Description: From the openSUSE advisory:

CVE-2010-0653: Opera permits cross-origin loading of CSS style sheets even when the style sheet download has an incorrect MIME type and the style sheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document.

CVE-2010-1993: Opera 9.52 does not properly handle an IFRAME element with a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (resource consumption) via an HTML document with many IFRAME elements.

Alerts:
Gentoo 201206-03 opera 2012-06-15
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
openSUSE openSUSE-SU-2010:0422-1 opera 2010-07-22
openSUSE openSUSE-SU-2010:0370-1 opera 2010-07-14
openSUSE openSUSE-SU-2010:0368-1 opera 2010-07-14


pam: local root privilege escalation

Package(s): pam
CVE #(s): CVE-2010-0832
Created: July 8, 2010
Updated: October 26, 2010
Description:

From the Ubuntu advisory:

Denis Excoffier discovered that the PAM MOTD module in Ubuntu did not correctly handle path permissions when creating user file stamps. A local attacker could exploit this to gain root privileges.

Alerts:
Ubuntu USN-959-2 pam 2010-10-25
Ubuntu USN-959-1 pam 2010-07-07


python-cjson: denial of service

Package(s): python-cjson
CVE #(s): CVE-2010-1666
Created: July 12, 2010
Updated: July 21, 2010
Description: From the Debian advisory:

Matt Giuca discovered a buffer overflow in python-cjson, a fast JSON encoder/decoder for Python. This allows a remote attacker to cause a denial of service (application crash) through a specially-crafted Python script.

Alerts:
Fedora FEDORA-2010-10728 python-cjson 2010-07-06
Fedora FEDORA-2010-10710 python-cjson 2010-07-06
Debian DSA-2068-1 python-cjson 2010-07-11


python-mako: cross-site scripting

Package(s): python-mako
CVE #(s): CVE-2010-2480
Created: July 8, 2010
Updated: September 29, 2010
Description:

From the Fedora advisory:

Fix potential single-quoting XSS vulnerability.

Alerts:
Ubuntu USN-996-1 mako 2010-09-29
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
openSUSE openSUSE-SU-2010:0383-1 python-mako 2010-07-16
openSUSE openSUSE-SU-2010:0418-1 python-mako 2010-07-22
Fedora FEDORA-2010-10544 python-mako 2010-06-29
Fedora FEDORA-2010-10540 python-mako 2010-06-29


qt: multiple vulnerabilities

Package(s): qt webkit
CVE #(s): CVE-2009-2841 CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
Created: July 13, 2010
Updated: March 2, 2011
Description: From the Red Hat bugzilla: A security flaw was found in the way WebKit used to handle media elements (audio and video tags). A remote attacker could provide a specially-crafted document, requesting loading of sub-resources (such as remote URLs), which would be normally disallowed by the callback function(s). (CVE-2009-2841)

From the Red Hat bugzilla: An off by one memory corruption issue exists in WebSocketHandshake::readServerHandshake(). This issue is addressed by improved bounds checking. (CVE-2010-1766)

From the Red Hat bugzilla: A use after free issue exists in WebKit's handling of geolocation events. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of geolocation events. (CVE-2010-1772)

From the Red Hat bugzilla: An off by one memory read out of bounds issue exists in WebKit's handling of HTML lists. Visiting a maliciously crafted website may lead to an unexpected application termination or the disclosure of the contents of memory. This issue is addressed through improved bounds checking. (CVE-2010-1773)

Alerts:
Mandriva MDVSA-2011:039 webkit 2011-03-02
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
MeeGo MeeGo-SA-10:22 qt 2010-09-03
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
MeeGo MeeGo-SA-10:37 webkit 2010-10-09
Fedora FEDORA-2010-14419 webkitgtk 2010-09-10
Fedora FEDORA-2010-14409 webkitgtk 2010-09-10
Ubuntu USN-1006-1 webkit 2010-10-19
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
Pardus 2010-106 qt 2010-08-11
openSUSE openSUSE-SU-2010:0458-1 libwebkit 2010-08-02
Fedora FEDORA-2010-11011 qt 2010-07-13
Fedora FEDORA-2010-11020 qt 2010-07-13


scsi-target-utils: denial of service

Package(s): scsi-target-utils
CVE #(s): CVE-2010-2221
Created: July 8, 2010
Updated: June 21, 2011
Description:

From the Red Hat advisory:

Multiple buffer overflow flaws were found in scsi-target-utils' tgtd daemon. A remote attacker could trigger these flaws by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash. (CVE-2010-2221)

Alerts:
Ubuntu USN-1156-1 tgt 2011-06-21
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
openSUSE openSUSE-SU-2010:0608-1 iscsitarget/tgt 2010-09-14
openSUSE openSUSE-SU-2010:0604-1 iscsitarget/tgt 2010-09-13
CentOS CESA-2010:0518 scsi-target-utils 2010-07-14
Mandriva MDVSA-2010:131 iscsitarget 2010-07-12
Red Hat RHSA-2010:0518-01 scsi-target-utils 2010-07-08


w3m: man-in-the-middle attack

Package(s): w3m
CVE #(s): CVE-2010-2074
Created: July 9, 2010
Updated: October 19, 2012
Description: From the CVE entry:

istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
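The failure mode in this entry is a classic one: the certificate's name field is length-prefixed ASN.1, but a check written around C string functions stops at the first '\0' byte. The following Python is an added illustration, not w3m's code; it contrasts that truncating comparison with a length-aware one that rejects embedded NULs, and the certificate names it checks are constructed.

```python
"""Matching a host name against an X.509 name that may contain an embedded NUL.

Added example, not code from w3m. `naive_match` reproduces the behaviour
CVE-2010-2074 describes (a C-string view that ends at the first '\0');
`strict_match` is the length-aware check a client should use instead.
"""


def c_string_view(name: bytes) -> str:
    """What a strcmp()/strcasecmp()-based check sees: bytes before the first NUL."""
    return name.split(b"\x00", 1)[0].decode("ascii", "replace")


def naive_match(cert_name: bytes, host: str) -> bool:
    """Vulnerable pattern: compare the truncated C string to the expected host."""
    return c_string_view(cert_name).lower() == host.lower()


def strict_match(cert_name: bytes, host: str) -> bool:
    """Hardened check: honour the full ASN.1 length, reject NULs and non-ASCII,
    then compare every label (a wildcard is allowed only as the leftmost label
    and only when at least two labels follow it)."""
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if not name or not host:
        return False
    if name.startswith("*."):
        n_labels, h_labels = name.split("."), host.split(".")
        return (len(n_labels) == len(h_labels) and len(n_labels) >= 3
                and n_labels[1:] == h_labels[1:])
    return name == host


def check_certificate(names, host):
    """Evaluate every CN / SAN dNSName value; return (naive_accepts, strict_accepts)."""
    return (any(naive_match(n, host) for n in names),
            any(strict_match(n, host) for n in names))


# Constructed: a SAN whose length-prefixed value carries a NUL after the name
# of the site being impersonated, followed by the holder's own domain.
CRAFTED_SAN = b"www.example.com\x00.holder.test"
HONEST_SAN = b"www.example.com"

if __name__ == "__main__":
    for label, names in (("crafted", [CRAFTED_SAN]), ("honest", [HONEST_SAN])):
        naive, strict = check_certificate(names, "www.example.com")
        print(f"{label}: naive={naive} strict={strict}")
```

The point of `strict_match` is that it never converts the name into a C string at all: the ASN.1 length is authoritative, and any NUL inside it is treated as a malformed name rather than a terminator.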

Alerts:
Gentoo 201210-01 w3m 2012-10-18
Ubuntu USN-967-1 w3m 2010-08-09
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
CentOS CESA-2010:0565 w3m 2010-07-27
Red Hat RHSA-2010:0565-01 w3m 2010-07-27
openSUSE openSUSE-SU-2010:0393-1 w3m 2010-07-19
Fedora FEDORA-2010-10250 w3m 2010-06-22
Fedora FEDORA-2010-10369 w3m 2010-06-24


znc: denial of service

Package(s): znc
CVE #(s): CVE-2010-2448
Created: July 12, 2010
Updated: July 14, 2010
Description: From the Debian advisory:

It was discovered that znc, an IRC bouncer, is vulnerable to denial of service attacks via a NULL pointer dereference when traffic statistics are requested while there is an unauthenticated connection.

Alerts:
Debian DSA-2069-1 znc 2010-07-11


Page editor: Jake Edge


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds