Security
Pathname-based hooks for SELinux?
A patch that would add the last path component as a parameter to the Linux security module (LSM) hooks for inode creation raised a few eyebrows. It looked to be an attempt to add pathname-based hooks for SELinux—after many SELinux developers took strong stands against those kinds of hooks when they were proposed for AppArmor and, later, TOMOYO. But, this change would not add pathname-based access controls to SELinux, and would, instead, allow it to make decisions about the label it applies to a new inode based on the filename being created. Still, there are questions about whether this is just an ad hoc change to the LSM API for SELinux, and whether there are other hooks that might benefit from similar treatment.
The patches, which were proposed by Eric Paris on the linux-security-module mailing list, are fairly straightforward. The first simply adds a struct qstr pointer to the inode_init_security() hook and changes all the calls to it that are made, mostly in various filesystems. A qstr is a "quick string" object from the directory entry cache, which contains the filename and some additional information (length and hash). The other patch in the set changes SELinux so that it can use that information in its policies:
There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules.
But the inclusion of path information was enough to get a rise out of Casey Schaufler: "I
see. Pathname based controls. In SELinux.
". He went on to note that
AppArmor and TOMOYO had made similar arguments to Paris's and that there
are already pathname-based hooks that were added to support those two
solutions. But Paris is quick to point out
that he is not implementing pathname-based access controls (which is
what AppArmor and TOMOYO implement), but is only adding additional
information for decisions about labeling new filesystem objects:
Schaufler does not completely buy that
argument because of the way labels
are typically maintained in an SELinux system, i.e. using user-space
utilities like restorecond that are pathname-based: "Yes, the kernel component of SELinux relies strictly on the labels,
but the reality is that SELinux is heavily dependent on the user space
component to maintain the proper labels on files so that the specified
policy is rational.
" Stephen Smalley agreed with that to some
extent, but tries to clarify the role of pathnames in
SELinux:
Smalley also explains more about the kinds of race conditions that the patch is trying to avoid:
Furthermore, Smalley said, the pathname-based hooks that are currently
available in the LSM API are not usable to solve this problem because they
don't address the issue of assigning labels to new inodes. The existing hooks
are "about enforcing access control upon file accesses based on the
pathname used to reach the file
". The SELinux community has reached
a consensus that the proposed change is needed, Smalley said, and the only
real question in his mind was whether the changes were acceptable to the
Linux virtual filesystem (VFS) and various filesystem developers.
While Schaufler recognizes that the SELinux community is fully behind the change, he wonders if there are other hooks that could also benefit from the filename information:
He goes on to point out that the LSM API is inconsistent and arbitrary, so
it would make sense to look at the "bigger picture" before hacking in a
change specifically for SELinux. As an example, he posits a possible access control
mechanism that uses file extensions to make decisions ("only files suffixed with '.exe' can be executed and
only files suffixed with '.so' can be mmapped
"). Smalley believes that kind of access control could
be done with the existing pathname-based hooks, but Kyle Moffett came up
with another place where the filename information might be useful, even
for SELinux:
The example Moffett gives would deny a compromised web application the ability to rename or link to the .htaccess file in its directories.
So far, none of the VFS or filesystem hackers have spoken up one way or another, so it is unclear whether this change will be acceptable to them. The LSM API is something of a kernel outcast—or so it appears at times—as no one is particularly satisfied with it, yet it is an integral part of the kernel security landscape. Sometimes that means that various "hacks" get added for specific security solutions, without looking at the overall picture, which is rather unfortunate. It may well be that this change is adopted, as is, without considering other potential users or consistency in the API.
Brief items
Security quotes of the week
Back door in ProFTPD FTP server (The H)
The H has an article about a back door that was recently put into the ProFTPD server code. "The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell. [...] Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users." (Thanks to Jan-Frode Myklebust who gave us a heads-up about this issue).
Interesting kernel exploit posted
Dan Rosenberg has posted a new local kernel compromise program to the full-disclosure list. It is interesting in that it requires the simultaneous exploitation of three different vulnerabilities to work. This particular program is not useful for anybody wanting to take over a system, but: "However, the important issue, CVE-2010-4258, affects everyone, and it would be trivial to find an unpatched DoS under KERNEL_DS and write a slightly more sophisticated version of this that doesn't have the roadblocks I put in to prevent abuse by script kiddies."
New vulnerabilities
acroread: code execution
| Package(s): | acroread | CVE #(s): | CVE-2010-4091 | ||||||||||||||||||||||||||||
| Created: | December 2, 2010 | Updated: | March 7, 2011 | ||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-3654, CVE-2010-4091) | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
bareftp: privilege escalation
| Package(s): | bareftp | CVE #(s): | CVE-2010-3350 | ||||||||
| Created: | December 8, 2010 | Updated: | December 8, 2010 | ||||||||
| Description: | From the CVE entry:
bareFTP 0.3.4 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. | ||||||||||
| Alerts: |
| ||||||||||
bind: multiple vulnerabilities
| Package(s): | bind9 | CVE #(s): | CVE-2010-3613 CVE-2010-3614 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 2, 2010 | Updated: | January 27, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory: It was discovered that Bind would incorrectly allow a ncache entry and a rrsig for the same type. A remote attacker could exploit this to cause Bind to crash, resulting in a denial of service. (CVE-2010-3613) It was discovered that Bind would incorrectly mark zone data as insecure when the zone is undergoing a key algorithm rollover. (CVE-2010-3614) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2010-4260 CVE-2010-4479 CVE-2010-4261 | ||||||||||||||||||||||||||||
| Created: | December 7, 2010 | Updated: | December 24, 2010 | ||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV before 0.96.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document (CVE-2010-4260, (CVE-2010-4479). Off-by-one error in the icon_cb function in pe_icons.c in libclamav in ClamAV before 0.96.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. NOTE: some of these details are obtained from third party information (CVE-2010-4261). | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
epiphany: arbitrary https web site spoofing
| Package(s): | epiphany | CVE #(s): | CVE-2010-3312 | ||||||||||||||||
| Created: | December 7, 2010 | Updated: | January 25, 2011 | ||||||||||||||||
| Description: | From the CVE entry:
Epiphany 2.28 and 2.29, when WebKit and LibSoup are used, unconditionally displays a closed-lock icon for any URL beginning with the https: substring, without any warning to the user, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted X.509 server certificate. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
gnupg: code execution
| Package(s): | gnupg | CVE #(s): | |||||
| Created: | December 6, 2010 | Updated: | December 10, 2010 | ||||
| Description: | From the rPath advisory:
A use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG could allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by tricking a user into importing a certificate with a large number of Subject Alternate Names. | ||||||
| Alerts: |
| ||||||
imagemagick: privilege escalation
| Package(s): | imagemagick | CVE #(s): | CVE-2010-4167 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 8, 2010 | Updated: | March 22, 2012 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2010-4075 CVE-2010-4077 CVE-2010-4248 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 6, 2010 | Updated: | August 9, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4075) The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4077) Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c. (CVE-2010-4248) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mercurial: man-in-the-middle attack
| Package(s): | mercurial | CVE #(s): | CVE-2010-4237 | ||||
| Created: | December 7, 2010 | Updated: | December 8, 2010 | ||||
| Description: | From the Novell bugzilla:
a security flaw was found in the way Mercurial handled subject Common Name field of the provided certificate (the check if the commonName in the received certificate matches the requested hostname was not performed). An attacker, able to get a carefully-crafted certificate signed by a Certificate Authority could use the certificate during a man-in-the-middle attack and potentially confuse Mercurial into accepting it by mistake. | ||||||
| Alerts: |
| ||||||
openssl: unintended cipher use
| Package(s): | openssl | CVE #(s): | CVE-2010-4180 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 7, 2010 | Updated: | July 27, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
openssl: unintended cipher use
| Package(s): | openssl | CVE #(s): | CVE-2008-7270 | ||||||||||||||||||||
| Created: | December 8, 2010 | Updated: | January 27, 2011 | ||||||||||||||||||||
| Description: | From the CVE entry:
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
openssl: authentication bypass
| Package(s): | openssl | CVE #(s): | CVE-2010-4252 | ||||||||
| Created: | December 7, 2010 | Updated: | December 8, 2010 | ||||||||
| Description: | From the CVE entry:
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. | ||||||||||
| Alerts: |
| ||||||||||
python-paste: cross-site scripting
| Package(s): | paste | CVE #(s): | CVE-2010-2477 | ||||
| Created: | December 8, 2010 | Updated: | December 8, 2010 | ||||
| Description: | From the CVE entry:
Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound. | ||||||
| Alerts: |
| ||||||
tomboy: code execution
| Package(s): | tomboy | CVE #(s): | CVE-2010-4005 | ||||||||||||||||||||||||
| Created: | December 2, 2010 | Updated: | June 16, 2011 | ||||||||||||||||||||||||
| Description: | From the Novell bugzilla entry: The following files set LD_LIBRARY_PATH in a way that allows empty elements which means the current directory is included:
/usr/bin/tomboy (+: instead of :+:) | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>