Security
Kernel vulnerabilities: old or new?
A quick search of the CVE database turns up 80 CVE numbers related to kernel vulnerabilities so far this year. At one recent conference or another, while talking with a prominent kernel developer, your editor confessed that he found that number to be discouragingly high. In an era where there is clearly an increasing level of commercial, criminal, and governmental interest in exploiting security holes, it is hard to see how one could be doing too much to avoid creating new vulnerabilities. But, your editor wondered, could we be doing more than we are? The response, in essence, was that the bulk of the holes being disclosed were ancient vulnerabilities which were being discovered by new static analysis tools. In other words, we are fixing security problems faster than we are creating them.

That sort of claim requires verification; it is also amenable to being verified by a researcher with sufficient determination and pain resistance. Your editor decided to give it a try. "All" that would be required, after all, was to look at each vulnerability and figure out when it was introduced. How hard could that be?
So, the basic process followed was this: pick a CVE entry, find the patch which closed the hole, then dig through the repository history and other resources in an attempt to figure out just when the problem was first introduced into the kernel. In some cases, the answer was relatively easy to find; others were sufficiently hard that your editor eventually gave up. One especially valuable resource in the search turned out to be the Red Hat bugzilla; the developers there (and Eugene Teo in particular) go out of their way to document the particulars of vulnerabilities. Sometimes, the commit which introduced the bug was simply listed there. The "git gui blame" utility is also quite useful when doing this kind of research.
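The loop described above (find the fixing commit, then chase the removed lines back through history) can be automated for a first pass. The following is an added example, not tooling from the article or from the kernel project: it blames, in the fix's parent, every line the fix removed or replaced and prints the commits that last touched them. The repository path and fix commit are whatever you pass in; the invocation at the bottom is a placeholder. Blame's -w and -M flags skip whitespace-only changes and follow lines moved within a file, which reduces, but does not eliminate, hits on commits that merely moved the bug.

```shell
#!/bin/sh
# find_introducers REPO FIX
#   For every line that commit FIX removed or replaced, blame that line in
#   FIX's parent and print "<sha> <path>:<first>-<last>".  The printed commits
#   are the first candidates for "when was this bug introduced".
#   Caveat: blame stops at the last commit that touched the line, which may be
#   a cleanup or a move rather than the real origin; a hit on such a commit
#   still has to be chased further by hand.
find_introducers() {
    fi_repo=$1
    fi_fix=$2
    # -U0 makes each hunk's "-start,count" cover exactly the removed lines.
    git -C "$fi_repo" diff-tree -r -p -M -U0 --src-prefix=a/ --dst-prefix=b/ \
        "$fi_fix^" "$fi_fix" |
    awk '
        /^--- \/dev\/null/ { file = ""; next }            # new file: nothing to blame
        /^--- a\//         { file = substr($0, 7); next } # path as it exists in the parent
        /^@@ / && file != "" {
            n = split($2, r, ",")                         # $2 is "-start" or "-start,count"
            start = substr(r[1], 2)
            count = (n > 1) ? r[2] : 1
            if (count > 0) print start, start + count - 1, file
        }' |
    while read -r first last path; do
        # Porcelain headers are "<40-hex sha> <orig line> <final line> [<count>]";
        # content lines start with a tab, so only headers match the sed pattern.
        git -C "$fi_repo" blame --porcelain -w -M -L "$first,$last" \
            "$fi_fix^" -- "$path" |
        sed -n 's/^\([0-9a-f]\{40\}\) [0-9][0-9]* [0-9][0-9]*.*/\1/p' |
        while read -r sha; do
            printf '%s %s:%s-%s\n' "$sha" "$path" "$first" "$last"
        done
    done | sort -u
}

# Placeholder invocation against a kernel tree (path and commit are assumed):
#   find_introducers ~/src/linux <sha-of-the-fix-commit>
```

A commit reported here is a candidate, not a verdict: a hit on a refactoring or cleanup commit means repeating the blame on that commit's parent, and lines older than the repository's history come back attributed to the initial git-era commit, which is the "old bug" case the article describes.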
About 60 of the 80 vulnerabilities listed above were dealt with in this way before your editor's eyes crossed permanently. The results can be seen in the following table. Let it be said from the outset that there will inevitably be some errors in the data below; the most likely mistake will be assigning blame to a commit which actually just moved the vulnerability from somewhere else. That may lead to a bias that makes vulnerabilities look more recent than they really are. That said, a best effort has been made, and things should not be too far off.
Some other notes relevant to the table:
- No attempt was made to find the origin of vulnerabilities which were present in the initial commit which began the git era during the 2.6.12 development cycle. Anything which was already present then can certainly be said to be an old bug.
- Some parts of the code have been changed so many times that it can be truly hard to determine when a vulnerability was introduced; places where your editor gave up are marked as "unknown" in the table. One could maybe come up with a real answer by bisecting and trying exploits, but your editor's dedication to the task was not quite that strong.
- A couple of these bugs are old in a different way - CVE-2010-1188 was fixed in 2008, but was only understood to be a security issue in 2010. Anybody running a current kernel would not be vulnerable, but bugs like this can be nicely preserved in enterprise kernels for many years.
Looking at when the vulnerabilities were introduced yields a chart like this:
So, in a sense, the above-mentioned kernel hacker was correct - an awful lot of the vulnerabilities fixed over the last year predate the git era, and are thus over five years old. It seems that security bugs can lurk in the kernel for a very long time before somebody stumbles across them - or, at least, before somebody reports them.
According to the information above, we have fixed dozens of vulnerabilities since 2.6.33 without introducing any. The latter part of that claim might be charitably described as being unlikely to stand the test of time. There were (at least) 13 vulnerabilities fixed in the 2.6.35 cycle, 21 in the 2.6.36 cycle. We can hope that fewer vulnerabilities were added in that time; it seems certain, though, that (1) the number of vulnerabilities added will not be zero, and (2) it will probably take us five years or more to find many of them.
There may be some comfort in knowing that a large proportion of 2010's known security vulnerabilities are not a product of 2010's development. Indeed, assuming that a fair number of the old vulnerabilities are a bit older yet, one can also claim that they are not a product of the "new" kernel development model adopted in the early 2.6 days. That claim could be tested by extending this research back into the BitKeeper era; that is a task for a future project.
Your editor remains concerned, though, that it is too easy to put insecure code into the kernel and too hard to discover the vulnerabilities that are created. Analysis tools can help, but there really is no substitute for painstaking and meticulous code review when it comes to keeping vulnerabilities out of the kernel. At times, it is clear that the amount of review being done is not what it should be. There may well come a day when we'll wish we had found a way to be a bit more careful.
Brief items
Security quotes of the week
While it is generally understood that udev events are related to hardware, it's important to keep in mind that it also sends events on module loads, and module loads can happen on demand from unprivileged users. For example, say you want to send an X.25 packet, when you call socket(AF_X25, SOCK_STREAM), the kernel will go load net-pf-9, which modules.alias lists as the x25 module. And once loaded, udev sends a "module" event.
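The mechanism in the quote above (an unprivileged socket() call makes the kernel ask modprobe for "net-pf-<family>", which modules.alias maps to a protocol module) suggests an inventory check: which protocol-family modules on a box can be pulled in this way, and which are blocked in modprobe.d. The following is an added example, not code from the quoted author or from any project. It reads a modules.alias file and a concatenated modprobe.d configuration; a "blacklist <module>" line makes modprobe ignore the module's internal aliases, so the net-pf-N lookup fails, and an "install <module> ..." line overrides loading by name as well. The sample files in the usage note are constructed.

```shell
#!/bin/sh
# audit_netpf ALIASES CONF
#   ALIASES: a modules.alias file ("alias net-pf-9 x25" lines).
#   CONF:    the concatenated modprobe.d configuration.
#   For every protocol-family alias, print "<family> <module> loadable|blocked".
audit_netpf() {
    awk -v conf="$2" '
        BEGIN {
            # Collect modules neutralised by "blacklist" or "install" directives.
            while ((getline line < conf) > 0) {
                sub(/^[ \t]+/, "", line)
                n = split(line, f, /[ \t]+/)
                if (n >= 2 && (f[1] == "blacklist" || f[1] == "install"))
                    blocked[f[2]] = 1
            }
        }
        $1 == "alias" && $2 ~ /^net-pf-[0-9]+$/ {
            sub(/^net-pf-/, "", $2)                # keep just the family number
            printf "%s %s %s\n", $2, $3, ($3 in blocked) ? "blocked" : "loadable"
        }' "$1"
}

# Run against the live system when the files exist; otherwise do nothing.
aliases=/lib/modules/$(uname -r)/modules.alias
conf=$(mktemp)
cat /etc/modprobe.d/*.conf >"$conf" 2>/dev/null || :
if [ -r "$aliases" ]; then
    audit_netpf "$aliases" "$conf"
fi
rm -f "$conf"
```

Every "loadable" line is a protocol implementation that any local user can cause to be loaded, with its udev "module" event and its attack surface, simply by calling socket() with that family number; the usual response for families nobody on the machine needs is a "blacklist" or "install <module> /bin/true" line in modprobe.d.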
TaintDroid code released
TaintDroid is an Android firmware modification which can track and report on application activity; needless to say, the results with some applications can be surprising. The code is now available for anybody wanting to build their own TaintDroid system. For the time being, though, installing it does not appear to be a simple or straightforward task.
Two local privilege escalations
There is a local-root kernel vulnerability in the RDS protocol implementation. See this VSR advisory for more information. So far, only Ubuntu has issued an update for this problem.
Tavis Ormandy has reported a flaw in GNU libc that can be exploited by local users to gain root privileges. No distributions (other than the soon-to-be-released Fedora 14) have put out an update as yet.
New vulnerabilities
ardour: insecure library loading
Package(s): ardour
CVE #(s): CVE-2010-3349
Created: October 15, 2010
Updated: October 20, 2010
Description: From the Red Hat bugzilla:
The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.
Alerts:
gnome-subtitles: code execution
Package(s): gnome-subtitles
CVE #(s): CVE-2010-3357
Created: October 14, 2010
Updated: October 20, 2010
Description: From the Red Hat bugzilla entry:
The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.
Alerts:
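The ardour and gnome-subtitles entries above describe the same bug class: a wrapper script builds LD_LIBRARY_PATH as "DIR:$LD_LIBRARY_PATH", and when the variable is unset the result ends in a colon, which ld.so(8) reads as an empty element meaning the current directory. The following is an added example, not code from either package or its Red Hat bugzilla entry. It shows the vulnerable idiom beside the standard shell-level fix (the ${VAR:+word} expansion, which emits the separator only when VAR is non-empty), a check for empty elements in a search path, and a grep-based lint for wrapper scripts; the wrapper in the usage note and the paths in it are constructed.

```shell
#!/bin/sh
# unsafe_prepend DIR CURRENT : the idiom used by the vulnerable wrappers.
# With CURRENT empty this yields "DIR:", whose trailing empty element ld.so
# treats as the current working directory.
unsafe_prepend() {
    printf '%s:%s\n' "$1" "$2"
}

# safe_prepend DIR CURRENT : emit the separator only when CURRENT is non-empty.
# ${2:+:$2} expands to ":$2" if $2 is set and non-empty, and to nothing otherwise.
safe_prepend() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# ldpath_has_empty_element LIST : succeed (0) if a colon-separated search path
# contains an empty element, i.e. a leading colon, a trailing colon or "::".
ldpath_has_empty_element() {
    [ -n "$1" ] || return 1             # nothing set: no elements to inspect
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# lint_ld_wrapper FILE : print lines that rebuild LD_LIBRARY_PATH from itself
# without the ${LD_LIBRARY_PATH:+...} guard.  A heuristic for a first pass.
lint_ld_wrapper() {
    grep -n 'LD_LIBRARY_PATH=' "$1" |
        grep -E '\$\{?LD_LIBRARY_PATH' |
        grep -v 'LD_LIBRARY_PATH:+' || :
}

# Demonstration with the variable unset, as it is in most login sessions.
unset LD_LIBRARY_PATH
bad=$(unsafe_prepend /opt/app/lib "$LD_LIBRARY_PATH")
good=$(safe_prepend /opt/app/lib "$LD_LIBRARY_PATH")
printf 'vulnerable wrapper sets: %s\n' "$bad"
printf 'fixed wrapper sets:      %s\n' "$good"
if ldpath_has_empty_element "$bad"; then
    echo 'empty element found: ld.so would also search the current directory'
fi
```

Run lint_ld_wrapper over a package's /usr/bin wrapper scripts to find the pattern; an empty element anywhere in the list is what matters, so a leading colon from "$LD_LIBRARY_PATH:DIR" is just as bad as the trailing one shown here.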
java-1.6.0-openjdk: multiple vulnerabilities
Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557 CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3573 CVE-2010-3574 CVE-2010-3566
Created: October 14, 2010
Updated: May 3, 2011
Description: From the Red Hat advisory:
- defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times, which could allow a remote attacker to execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3569)
- Race condition in the way objects were deserialized could allow an untrusted applet or application to misuse the privileges of the user running the applet or application. (CVE-2010-3568)
- Miscalculation in the OpenType font rendering implementation caused out-of-bounds memory access, which could allow remote attackers to execute code with the privileges of the user running the java process. (CVE-2010-3567)
- JPEGImageWriter.writeImage in the imageio API improperly checked certain image metadata, which could allow a remote attacker to execute arbitrary code in the context of the user running the applet or application. (CVE-2010-3565)
- Double free in IndexColorModel could cause an untrusted applet or application to crash or, possibly, execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3562)
- The privileged accept method of the ServerSocket class in the Common Object Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561)
- Flaws in the Swing library could allow an untrusted application to modify the behavior and state of certain JDK classes. (CVE-2010-3557)
- Flaws in the CORBA implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554)
- UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted callers to create objects via ProxyLazyValue values. (CVE-2010-3553)
- HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow remote attackers to conduct HTTP response splitting attacks. (CVE-2010-3549)
- HttpURLConnection improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing untrusted code to create HTTP TRACE requests. (CVE-2010-3574)
- HttpURLConnection did not validate request headers set by applets, which could allow remote attackers to trigger actions otherwise restricted to HTTP clients. (CVE-2010-3541, CVE-2010-3573)
- The Kerberos implementation improperly checked the sanity of AP-REQ requests, which could cause a denial of service condition in the receiving Java Virtual Machine. (CVE-2010-3564)
- The NetworkInterface class improperly checked the network "connect" permissions for local network addresses, which could allow remote attackers to read local network addresses. (CVE-2010-3551)
- Information leak flaw in the Java Naming and Directory Interface (JNDI) could allow a remote attacker to access information about otherwise-protected internal network names. (CVE-2010-3548)
Alerts:
java-1.6.0-sun: multiple unspecified vulnerabilities
Package(s): java-1.6.0-sun
CVE #(s): CVE-2010-3550 CVE-2010-3552 CVE-2010-3555 CVE-2010-3556 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3563 CVE-2010-3570 CVE-2010-3571 CVE-2010-3572
Created: October 14, 2010
Updated: March 22, 2011
Description: From the Red Hat advisory:
- CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
- CVE-2010-3552 JDK unspecified vulnerability in New Java Plugin component
- CVE-2010-3555 JDK unspecified vulnerability in Deployment component
- CVE-2010-3556 JDK unspecified vulnerability in 2D component
- CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component
- CVE-2010-3559 JDK unspecified vulnerability in Sound component
- CVE-2010-3560 JDK unspecified vulnerability in Networking component
- CVE-2010-3563 JDK unspecified vulnerability in Deployment component
- CVE-2010-3570 JDK unspecified vulnerability in Deployment Toolkit
- CVE-2010-3571 JDK unspecified vulnerability in 2D component
- CVE-2010-3572 JDK unspecified vulnerability in Sound component
Alerts:
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2010-3477
Created: October 20, 2010
Updated: March 28, 2011
Description: The kernel's networking code fails to fully initialize a structure which is then passed back to user space, thus leaking a few bytes of data.
Alerts:
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2010-2963
Created: October 20, 2010
Updated: May 10, 2011
Description: A failure to properly validate parameters in the Video4Linux1 compatibility interface can enable a local user to obtain root privileges. This vulnerability apparently only affects 64-bit systems.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-3432
Created: October 20, 2010
Updated: March 28, 2011
Description: The SCTP networking code fails to properly handle the appending of packet chunks, leading to a remotely-triggerable system crash (at least).
Alerts:
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2010-3437
Created: October 20, 2010
Updated: April 21, 2011
Description: The packet-writing CD driver (pktcdvd) fails to check ioctl parameters properly, allowing a local attacker to read arbitrary kernel memory.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-3442
Created: October 20, 2010
Updated: March 28, 2011
Description: The sound subsystem fails to properly validate system call parameters, enabling local attackers to crash the system (at least). Only 32-bit systems are affected by this bug.
Alerts:
kernel: remote denial of service
Package(s): kernel
CVE #(s): CVE-2010-3705
Created: October 20, 2010
Updated: April 28, 2011
Description: The SCTP networking code does not properly handle HMAC calculations, enabling a remote attacker to crash the system (or worse) through specially-crafted traffic.
Alerts:
kernel: local privilege escalation
Package(s): kernel
CVE #(s): CVE-2010-3904
Created: October 20, 2010
Updated: May 10, 2011
Description: The RDS network protocol fails to validate user-space addresses, allowing a local attacker to write arbitrary values into kernel memory. See this advisory for more information.
Alerts:
Mozilla products: multiple vulnerabilities
Package(s): firefox seamonkey thunderbird xulrunner
CVE #(s): CVE-2010-3170 CVE-2010-3173 CVE-2010-3175 CVE-2010-3176 CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183
Created: October 20, 2010
Updated: December 24, 2010
Description: The firefox 3.6.11/3.5.14 and thunderbird 3.1.5/3.0.9 releases fix the usual set of security vulnerabilities.
Alerts:
MRG Messaging: multiple vulnerabilities
Package(s): MRG Messaging
CVE #(s): CVE-2009-5005 CVE-2009-5006
Created: October 14, 2010
Updated: October 20, 2010
Description: From the Red Hat advisory:
- A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP data. A remote user could send invalid AMQP data to the server, causing it to crash, resulting in the cluster shutting down. (CVE-2009-5005)
- A flaw was found in the way Apache Qpid handled a request to redeclare an existing exchange while adding a new alternate exchange. If a remote, authenticated user issued such a request, the server would crash, resulting in the cluster shutting down. (CVE-2009-5006)
Alerts:
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): (none listed)
Created: October 15, 2010
Updated: October 20, 2010
Description: Opera 10.63 is a recommended upgrade offering security and stability enhancements. See the Opera release notes for details.
Alerts:
php-pear-CAS: multiple vulnerabilities
Package(s): php-pear-CAS
CVE #(s): CVE-2010-3690 CVE-2010-3691 CVE-2010-3692
Created: October 19, 2010
Updated: February 23, 2011
Description: From the CVE entries:
- Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. (CVE-2010-3690)
- PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. (CVE-2010-3691)
- Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter. (CVE-2010-3692)
Alerts:
poppler: memory corruption
Package(s): poppler
CVE #(s): CVE-2010-3703
Created: October 19, 2010
Updated: December 24, 2010
Description: From the Red Hat bugzilla:
poppler git commit bf2055088a corrects a possible use of an uninitialized pointer in PostScriptFunction, which can cause crash or memory corruption.
Alerts:
typo3: multiple vulnerabilities
Package(s): typo3
CVE #(s): CVE-2010-3714 CVE-2010-3715 CVE-2010-3716 CVE-2010-3717
Created: October 20, 2010
Updated: October 20, 2010
Description: The typo3 content management system suffers from multiple vulnerabilities, including remote file disclosure (CVE-2010-3714), cross-site scripting (CVE-2010-3715), privilege escalation (CVE-2010-3716), and denial of service (CVE-2010-3717).
Alerts:
webkitgtk: multiple vulnerabilities
Package(s): webkitgtk
CVE #(s): CVE-2010-3113 CVE-2010-1814 CVE-2010-1812 CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114 CVE-2010-3116 CVE-2010-3257 CVE-2010-3259
Created: October 19, 2010
Updated: March 2, 2011
Description: From the Fedora advisory:
- Bug #628032 - CVE-2010-3113 webkit: memory corruption when handling SVG documents
- Bug #631946 - CVE-2010-1814 webkit: memory corruption flaw when handling form menus
- Bug #631939 - CVE-2010-1812 webkit: use-after-free flaw in handling of selections
- Bug #631948 - CVE-2010-1815 webkit: use-after-free flaw when handling scrollbars
- Bug #628071 - CVE-2010-3115 webkit: address bar spoofing with history bug
- Bug #627703 - CVE-2010-1807 webkit: input validation error when parsing certain NaN values
- Bug #628035 - CVE-2010-3114 webkit: bad cast with text editing
- Bug #640353 - CVE-2010-3116 webkit: memory corruption with MIME types
- Bug #640357 - CVE-2010-3257 webkit: stale pointer issue with focusing
- Bug #640360 - CVE-2010-3259 webkit: cross-origin image theft
Alerts:
Page editor: Jake Edge