
Security

A high-level view of the MeeGo security landscape

By Jake Edge
November 17, 2010

Several members of the MeeGo security team were on hand at the 2010 MeeGo conference to talk about what kinds of threats they will be trying to address—and why—as well as a security framework to enable MeeGo integrators and application developers to handle security tasks. MeeGo security architect Ryan Ware of Intel looked at the what and the why, while Elena Reshetova and Casey Schaufler of Nokia presented on the Mobile Simplified Security Framework (MSSF). As might be guessed from the presence of Schaufler, the Smack kernel security module plays a prominent role in the access control portion of MSSF. This week, we'll cover Ware's presentation and look at Reshetova and Schaufler's next week.

Ware started with a look back at 1990 by way of a justification of the need for MeeGo security solutions. In 1990, Intel had 25MHz 386 processors, the Simpsons were on TV, and there were all of 12 CERT security alerts for the year. All of those alerts "fit on one slide easily" and contain some amusing entries like "rumor of alleged attack" and "security probes from Italy". He listed, again on one slide, the conferences and other notable computer security news for the year. Things have changed just a little bit since then.

Fast-forwarding to the present, there have been 4221 CVEs so far this year, Intel has 3+GHz chips, and the Simpsons are still on TV. When looking at the growth of malware, there is an inflection point in 1996, which is probably associated with wider usage of the internet. "The internet is a petri dish" where all kinds of malware can grow and change. If you put a stock Windows XP system on the internet today without a firewall, it will be infected before you can get the updates installed; it only takes an average of four minutes before that happens, he said.

There is a huge financial incentive these days for those who write malware, which has changed the landscape significantly. You can now get "malware as a service" or rent botnets ($8-90/1000 bots "depending on quantity", he said). In the pwn2own contest at CanSecWest, someone with a working iPhone exploit was unwilling to release it for the $15,000 prize as they believed they could get more elsewhere—and did, with rumors of a six-figure sum.

There are also "spearphishing" efforts like Aurora that targeted Google and 30 other companies, including Intel, last year. It targeted specific individual employees, sending them an email that looked like it came from someone they knew. When the PDF or JPG inside was opened, it appeared to be an innocuous file of that type, but actually infected their machine with a worm that looked for source code repositories. Once found, the contents of those repositories were slowly—so that intrusion detection systems weren't alerted—sent elsewhere. The Stuxnet worm/virus is another example of this new kind of "persistent" threat.

With MeeGo, there are new usage models where desktop data is migrating to mobile phones, which are much more easily lost, for example. People are doing banking from their phones as well. When Ware asked how many in the audience had used their phone for banking, he got quite a few hands; "you're all screwed", he said. Those credentials are stored somewhere in the phone for an attacker (or thief) to find. There are also various efforts to publish your location or turn your phone into a credit card, all of which have various dangers.

Because the number of Linux devices is growing quickly, it is becoming more of a target. For reference, he said there are more than a billion Windows-installed systems—some botnets have more than a million bots—but the smartphone market is growing at a rate (35.5%/year) that will go beyond that soon. At that rate, expected smartphone sales in 2014 are 506 million. In addition, the smartphone market is getting less fragmented and he sees iOS and Linux as likely to be the only players before too long.

The focus on mobile Linux security is growing, he said. He noted the recent Coverity study of the Android kernel that found 88 high-risk defects and there were "some interesting things in there". The report will not be available for a bit as Coverity gave Google 60 days to fix the problems before the report will be released. Ware noted that the study found that the defect rate for the code written for Android was "significantly higher than for the rest of the kernel".

MSSF was originally developed for smartphones, but has been broadened to support all of the MeeGo vertical markets (netbook, connected TV, in-vehicle-infotainment (IVI), ...). At a high level, the goals for MSSF are to provide protections for users of devices, the device itself, and for new services that are envisioned for MeeGo devices.

For users, that includes protecting things like login credentials and cookies, but also to try to prevent malicious software from being able to do things like making expensive phone calls without the knowledge or consent of the device owner. Protecting the device entails protecting the SIM lock and ensuring that regulatory requirements (for things like radio frequency emissions) are strictly adhered to. New services like mobile payment also need protection, he said.

The MeeGo security team is doing things beyond just MSSF. It ensures that the external facing MeeGo infrastructure is kept secure. That includes things like source code repositories and open build service packages. The team also ensures that MeeGo images are secure by not having insecure defaults on network services, patching packages for security vulnerabilities, and issuing MeeGo advisories.

MeeGo "can't be secure without you guys", he said. The team could do static analysis and code reviews for 80 hours a week and still not find everything. He asked that folks keep an eye out and point out any flaws they find to security@meego.com. There is also a new MeeGo-security-discussion mailing list and weekly IRC meetings of the security team are planned in the near future.

In answer to some audience questions, Ware said he was concerned about security issues surrounding "cloud" applications, but hadn't looked at it specifically yet. It is "something to look at in the future". He also was not interested in talking about DRM solutions, though some in the audience clearly were. He worked on DRM five years ago and was glad to not be working on it any more. "I don't want to fix someone's broken business model", he said. Others who need those kinds of "solutions" will undoubtedly come up with them.

Comments (10 posted)

Brief items

Security quote of the week

GSM equipment manufacturers and mobile operators have shown no interest in fixing gaping holes in their security system.
-- Harald Welte

Comments (none posted)

An OpenSSL race condition

The OpenSSL project has issued an advisory of a race condition which exists in versions prior to 0.9.8p or 1.0.0b. Successfully exploiting this race can enable a remote attacker to inject code into a server using OpenSSL. It's worth noting, though, that only servers which are (1) multi-threaded, and (2) using OpenSSL's internal caching are vulnerable. So, in particular, Apache servers are not at risk.

Full Story (comments: 1)

New vulnerabilities

banshee: privilege escalation

Package(s): banshee  CVE #(s): CVE-2010-3998
Created: November 12, 2010  Updated: February 5, 2014
Description: From the CVE entry:

The (1) banshee-1 and (2) muinshee scripts in Banshee 1.8.0 and earlier place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

Alerts:
Gentoo 201402-05 banshee 2014-02-05
Mandriva MDVSA-2011:034 banshee 2011-02-21
Fedora FEDORA-2010-16907 banshee 2010-10-28
Fedora FEDORA-2010-16916 banshee 2010-10-28
Fedora FEDORA-2010-17021 banshee 2010-10-31

Comments (none posted)

bristol: privilege escalation

Package(s): bristol  CVE #(s): CVE-2010-3351
Created: November 15, 2010  Updated: November 17, 2010
Description: From the CVE entry:

startBristol in Bristol 0.60.5 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

Alerts:
Fedora FEDORA-2010-16676 bristol 2010-10-27
Fedora FEDORA-2010-16687 bristol 2010-10-27
Fedora FEDORA-2010-16714 bristol 2010-10-28

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s): bugzilla  CVE #(s): CVE-2010-3764 CVE-2010-3172
Created: November 15, 2010  Updated: January 20, 2011
Description: From the CVE entries:

The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3.6.2, 3.7.3, and 4.1 creates graph files with predictable names in graphs/, which allows remote attackers to obtain sensitive information via a modified URL. (CVE-2010-3764)

CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3.4.9, 3.6.x before 3.6.3, and 4.0.x before 4.0rc1, when Server Push is enabled in a web browser, allows remote attackers to inject arbitrary HTTP headers and content, and conduct HTTP response splitting attacks, via a crafted URL. (CVE-2010-3172)

Alerts:
Gentoo 201110-03 bugzilla 2011-10-10
openSUSE openSUSE-SU-2011:0020-1 perl-CGI-Simple 2011-01-10
openSUSE openSUSE-SU-2011:0064-1 perl 2011-01-20
Mandriva MDVSA-2010:252 perl-CGI-Simple 2010-12-14
Fedora FEDORA-2010-17235 bugzilla 2010-11-04
Fedora FEDORA-2010-17280 bugzilla 2010-11-04
Fedora FEDORA-2010-17274 bugzilla 2010-11-04

Comments (none posted)

gromacs: code execution

Package(s): gromacs  CVE #(s): CVE-2010-4001
Created: November 15, 2010  Updated: November 17, 2010
Description: From the Red Hat bugzilla:

Ludwig Nussel discovered that gromacs contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.
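The same wrapper-script mistake underlies the banshee, bristol and gromacs entries above. As an added example, not code from any of those projects or their packagers, the POSIX shell fragment below shows how the empty element arises when a script prepends its private library directory to an unset LD_LIBRARY_PATH, a prepend that cannot produce one, and an audit helper for spotting empty elements in an existing value. The function names and the /opt/app/lib directory are hypothetical.

```shell
#!/bin/sh
# Added example, not taken from gromacs, Bristol, Banshee or any distribution
# package. It shows the wrapper-script pattern behind these advisories and a
# safe replacement. /opt/app/lib is a made-up library directory.

# The common buggy pattern: unconditionally join the private library
# directory with whatever LD_LIBRARY_PATH already holds. When the variable
# is unset or empty, the result ends in ":", an empty element, and ld.so(8)
# then searches the current working directory for every shared library.
naive_prepend() {
    printf '%s:%s' "$1" "$2"
}

# Safe replacement: emit the separator only when there is an existing value
# to separate, so no empty element can be produced.
safe_prepend() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Audit helper for values found in the environment or in wrapper scripts.
# Returns 0 (true) when the colon-separated list contains an empty element
# (leading colon, trailing colon or "::"), which ld.so(8) treats as ".".
# An entirely empty value is not flagged: it adds no search directory.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Demonstration with the variable deliberately unset, as in a fresh shell.
unset LD_LIBRARY_PATH
bad=$(naive_prepend /opt/app/lib "${LD_LIBRARY_PATH:-}")
good=$(safe_prepend /opt/app/lib "${LD_LIBRARY_PATH:-}")
for candidate in "$bad" "$good"; do
    if has_empty_element "$candidate"; then
        printf 'UNSAFE: %s (empty element, cwd is searched)\n' "$candidate"
    else
        printf 'ok:     %s\n' "$candidate"
    fi
done
```

The audit helper is also usable on its own against a running process, for example `has_empty_element "$(tr '\0' '\n' < /proc/PID/environ | sed -n 's/^LD_LIBRARY_PATH=//p')"`, to confirm that a deployed wrapper no longer leaves a stray colon behind.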

Alerts:
Fedora FEDORA-2010-17256 gromacs 2010-11-04
Fedora FEDORA-2010-17248 gromacs 2010-11-04

Comments (none posted)

kernel: privilege escalation

Package(s): kernel  CVE #(s): CVE-2010-3865
Created: November 11, 2010  Updated: August 9, 2011
Description:

From the openSUSE advisory:

CVE-2010-3865: An iovec integer overflow in RDS sockets was fixed which could lead to local attackers gaining kernel privileges.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Ubuntu USN-1080-2 linux-ec2 2011-03-02
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1080-1 linux 2011-03-01
Ubuntu USN-1073-1 linux, linux-ec2 2011-02-25
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
Red Hat RHSA-2011:0007-01 kernel 2011-01-11
CentOS CESA-2011:0004 kernel 2011-01-06
Red Hat RHSA-2011:0004-01 kernel 2011-01-04
openSUSE openSUSE-SU-2011:0003-1 kernel 2011-01-03
openSUSE openSUSE-SU-2011:0004-1 kernel 2011-01-03
SUSE SUSE-SA:2010:057 kernel 2010-11-11
openSUSE openSUSE-SU-2010:0933-1 kernel 2010-11-11

Comments (none posted)

kernel: denial of service

Package(s): kernel  CVE #(s): CVE-2010-3698
Created: November 11, 2010  Updated: August 9, 2011
Description:

From the Red Hat advisory:

A flaw was found in the way KVM (Kernel-based Virtual Machine) handled the reloading of fs and gs segment registers when they had invalid selectors. A privileged host user with access to "/dev/kvm" could use this flaw to crash the host. (CVE-2010-3698, Moderate)

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Ubuntu USN-1073-1 linux, linux-ec2 2011-02-25
Ubuntu USN-1072-1 linux 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
Fedora FEDORA-2010-18983 kernel 2010-12-17
CentOS CESA-2010:0898 kvm 2010-12-14
Red Hat RHSA-2010:0898-01 kvm 2010-12-06
Red Hat RHSA-2010:0842-01 kernel 2010-11-10

Comments (none posted)

libxml2: code execution

Package(s): libxml2  CVE #(s): CVE-2010-4008
Created: November 11, 2010  Updated: December 8, 2010
Description:

From the Ubuntu advisory:

Bui Quang Minh discovered that libxml2 did not properly process XPath namespaces and attributes. If an application using libxml2 opened a specially crafted XML file, an attacker could cause a denial of service or possibly execute code as the user invoking the program.

Alerts:
Scientific Linux SL-ming-20130201 mingw32-libxml2 2013-02-01
Oracle ELSA-2013-0217 mingw32-libxml2 2013-02-01
CentOS CESA-2013:0217 mingw32-libxml2 2013-02-01
Red Hat RHSA-2013:0217-01 mingw32-libxml2 2013-01-31
Oracle ELSA-2012-0324 libxml2 2012-03-09
Oracle ELSA-2012-0017 libxml2 2012-01-12
Scientific Linux SL-libx-20120112 libxml2 2012-01-12
CentOS CESA-2012:0017 libxml2 2012-01-11
Red Hat RHSA-2012:0017-01 libxml2 2012-01-11
Scientific Linux SL-libx-20111206 libxml2 2011-12-06
Red Hat RHSA-2011:1749-03 libxml2 2011-12-06
Gentoo 201110-26 libxml2 2011-10-26
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
openSUSE openSUSE-SU-2010:1004-1 libxml2 2010-12-02
Debian DSA-2128-1 libxml2 2010-12-01
Mandriva MDVSA-2010:243 libxml2 2010-11-29
Ubuntu USN-1016-1 libxml2 2010-11-10

Comments (none posted)

mod_fcgid: buffer overflow

Package(s): mod_fcgid  CVE #(s): CVE-2010-3872
Created: November 17, 2010  Updated: August 10, 2011
Description: The mod_fcgid Apache module is subject to a stack buffer overflow with uncertain effects (but code execution seems plausible).
Alerts:
Gentoo 201207-09 mod_fcgid 2012-07-09
SUSE SUSE-SU-2011:0885-1 apache2-mod_fcgid 2011-08-10
openSUSE openSUSE-SU-2011:0884-1 apache2-mod_fcgid 2011-08-10
Debian DSA-2140-1 libapache2-mod-fcgid 2011-01-05
Fedora FEDORA-2010-17472 mod_fcgid 2010-11-08
Fedora FEDORA-2010-17434 mod_fcgid 2010-11-08
Fedora FEDORA-2010-17474 mod_fcgid 2010-11-08

Comments (none posted)

moodle: cross-site scripting

Package(s): moodle  CVE #(s): CVE-2010-4207 CVE-2010-4208 CVE-2010-4209
Created: November 12, 2010  Updated: November 17, 2010
Description: From the openSUSE advisory:

CVE-2010-4207: Cross-site scripting vulnerability in the Flash component infrastructure in YUI allows remote attackers to inject arbitrary web script or HTML via charts/assets/charts.swf.

CVE-2010-4208: Cross-site scripting vulnerability in the Flash component infrastructure in YUI allows remote attackers to inject arbitrary web script or HTML via uploader/assets/uploader.swf.

CVE-2010-4209: Cross-site scripting vulnerability in the Flash component infrastructure in YUI allows remote attackers to inject arbitrary web script or HTML via swfstore/swfstore.swf.

Alerts:
Mageia MGASA-2013-0117 bugzilla 2013-04-18
SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16
Fedora FEDORA-2010-16845 moodle 2010-10-28
Fedora FEDORA-2010-16782 moodle 2010-10-28
Fedora FEDORA-2010-16764 moodle 2010-10-28
openSUSE openSUSE-SU-2010:0937-1 moodle 2010-11-12

Comments (none posted)

mysql: denial of service

Package(s): mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1  CVE #(s): CVE-2010-3834
Created: November 11, 2010  Updated: July 19, 2011
Description:

From the Ubuntu advisory:

It was discovered that MySQL incorrectly handled materializing a derived table that required a temporary table for grouping. An authenticated user could exploit this to make MySQL crash, causing a denial of service. (CVE-2010-3834)

Alerts:
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
openSUSE openSUSE-SU-2011:1250-1 mysql 2011-11-16
openSUSE openSUSE-SU-2011:0799-1 mysql-cluster 2011-07-19
openSUSE openSUSE-SU-2011:0774-1 mysql-cluster 2011-07-19
openSUSE openSUSE-SU-2011:0743-1 MariaDB 2011-07-06
Debian DSA-2143-1 mysql-dfsg-5.0 2011-01-14
Ubuntu USN-1017-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2010-11-11

Comments (none posted)

openssl: remote code execution

Package(s): openssl  CVE #(s): CVE-2010-3864
Created: November 17, 2010  Updated: November 30, 2010
Description: The OpenSSL project has issued an advisory of a race condition which exists in versions prior to 0.9.8p or 1.0.0b. Successfully exploiting this race can enable a remote attacker to inject code into a server using OpenSSL. It's worth noting, though, that only servers which are (1) multi-threaded, and (2) using OpenSSL's internal caching are vulnerable. So, in particular, Apache servers are not at risk. See this advisory for more information.
Alerts:
Gentoo 201110-01 openssl 2011-10-09
SUSE SUSE-SR:2010:022 gdm, openssl, poppler, quagga 2010-11-30
Ubuntu USN-1018-1 openssl 2010-11-18
Debian DSA-2125-1 openssl 2010-11-22
Slackware SSA:2010-326-01 openssl 2010-11-22
openSUSE openSUSE-SU-2010:0965-2 openssl 2010-11-22
Fedora FEDORA-2010-17847 openssl 2010-11-17
Fedora FEDORA-2010-17827 openssl 2010-11-17
openSUSE openSUSE-SU-2010:0965-1 openssl 2010-11-19
Mandriva MDVSA-2010:238 openssl 2010-11-17
Red Hat RHSA-2010:0888-01 openssl 2010-11-16

Comments (none posted)

openswan: code execution

Package(s): openswan  CVE #(s): CVE-2010-3752 CVE-2010-3753
Created: November 17, 2010  Updated: November 17, 2010
Description: From the Red Hat advisory: two input sanitization flaws were found in the Openswan client-side handling of Cisco gateway banners. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client.
Alerts:
Mageia MGASA-2012-0300 openswan 2012-10-20
Red Hat RHSA-2010:0892-01 openswan 2010-11-16

Comments (none posted)

perl-CGI: multiple vulnerabilities

Package(s): perl-CGI  CVE #(s):
Created: November 16, 2010  Updated: November 17, 2010
Description: From the Mandriva advisory:

A new version of the CGI Perl module has been released to CPAN, which fixes several security bugs which directly affect Bugzilla (these two security bugs were first discovered as affecting Bugzilla, then identified as being bugs in CGI.pm itself).

Alerts:
Mandriva MDVSA-2010:237 perl-CGI 2010-11-16

Comments (none posted)

proftpd: code execution

Package(s): proftpd  CVE #(s): CVE-2010-4221
Created: November 11, 2010  Updated: December 24, 2010
Description:

From the proftpd bugzilla entry:

The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input, if a TELNET_IAC escape sequence is encountered, the process miscalculates a buffer length counter value, allowing a user-controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.

Alerts:
Gentoo 201309-15 proftpd 2013-09-24
Slackware SSA:2010-357-02 proftpd 2010-12-24
Fedora FEDORA-2010-17220 proftpd 2010-11-03
Mandriva MDVSA-2010:227 proftpd 2010-11-11
Fedora FEDORA-2010-17091 proftpd 2010-11-02
Fedora FEDORA-2010-17098 proftpd 2010-11-02

Comments (none posted)

systemtap: privilege escalation

Package(s): systemtap  CVE #(s): CVE-2010-4170
Created: November 17, 2010  Updated: November 23, 2010
Description: The staprun utility contains two vulnerabilities which can be exploited for privilege escalation by local users; see this advisory for (a little) more information.
Alerts:
Debian DSA-2348-1 systemtap 2011-11-17
CentOS CESA-2010:0895 systemtap 2010-11-17
Fedora FEDORA-2010-17868 systemtap 2010-11-18
Fedora FEDORA-2010-17873 systemtap 2010-11-18
Fedora FEDORA-2010-17865 systemtap 2010-11-18
CentOS CESA-2010:0894 systemtap 2010-11-17
Red Hat RHSA-2010:0894-01 systemtap 2010-11-17
Red Hat RHSA-2010:0895-01 systemtap 2010-11-17

Comments (none posted)

Page editor: Jake Edge


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds