Security
Postfix TLS plaintext injection
Transitioning between states, or contexts—unencrypted to encrypted for example—is one place where security flaws can sometimes hide. We have seen one example of that in the TLS renegotiation vulnerability that cropped up in late 2009. More recently, a somewhat similar problem was discovered in the Postfix mail transfer agent (MTA) (as well as other mail server software and MTAs). The problem lies in improperly handling the transition between states such that the boundaries that should exist between them are not enforced.
The problem came to light in a lengthy post on March 7 to the postfix-users mailing list by Postfix creator Wietse Venema, but he had discovered it back in January. Venema silently fixed the problem in Postfix at that time, and then worked with CERT to coordinate fixes for other affected projects and vendors. That work has been completed, so the details are now being made public.
The problem occurs when Postfix changes from unencrypted to encrypted mode via the STARTTLS SMTP command. Venema goes into some detail about how Postfix makes that switch (at least at a high level), but the basic flaw is that it doesn't flush its buffers after it switches over to the TLS encrypted mode. That allows a man-in-the-middle attacker to inject some plaintext commands into the SMTP data stream between the STARTTLS and the client's first TLS-encrypted SMTP commands.
Venema demonstrates the problem using the OpenSSL s_client command with a minor modification. Using that program, one can easily test for the problem. In the example, the STARTTLS command is followed directly by the RSET command, which just resets the state (sender and receiver addresses for instance) of any in-progress mail transaction. In an affected MTA, the TLS negotiation will take place, so that subsequent traffic is encrypted, but the server will read the buffered RSET command even though it was sent prior to the establishment of the TLS session. But, since the server believes it is in encrypted mode, it treats the RSET as being in that context.
Obviously, a RSET is not particularly harmful. There are other things an attacker could do, as Venema mentions:
The exploits would look similar to those described for the TLS renegotiation flaw. If the attacker can predict what commands a client will send (which isn't terribly difficult at least for SMTP), they can prefix their own set of commands and relay the server responses to the victim. Typically, the attacker commands will leave the server in a kind of dangling state waiting for the client to send data that will complete the commands. The classic example is for the attacker to send the SMTP DATA command after setting the from and to addresses appropriately; all of the commands the client sends are then included into the email that gets sent to the attacker.
Clients that don't check the TLS certificate are, in some sense, unaffected by this problem. They are always vulnerable to man-in-the-middle attacks that don't need to rely upon tricks like this plaintext injection. But clients that do check those certificates were at risk. Given that even security-conscious users are much more inclined to use a random open WiFi access point because they are using encrypted communications, this vulnerability could be used to capture a lot of outgoing mail—or worse.
Venema also points out that part of the problem in Postfix was that it was
written to adhere to the "robustness principle" (aka Postel's Law):
"Be conservative in what you send; be liberal in what you
accept
". The idea is that protocol implementations should strive to
only send compliant messages, but to accept non-compliant messages from
others when the intent is clear. Venema puts it this way:
Sadly in some ways, the robustness principle has been generally deprecated over the years as attackers (and other malicious entities such as spammers) have exploited the liberal acceptance of messages to further their aims. It has also allowed ill-behaved programs to continue to exist well past the time they should have been fixed. Strict protocol compliance in both directions is now the norm.
The full message from Venema is well worth reading as it provides many more details than other advisories generally do. It should also be something of a wakeup call to other developers of servers that switch between contexts (either switching from plaintext to encrypted or by encryption renegotiation). Looking closely at those transitions might just turn up a hole or two. Hopefully if bugs like that do get discovered, the developers will put out an advisory as informative as Venema's.
[ We would like to thank Brad Hards for giving us a heads-up about this issue. ]
Brief items
Security quotes of the week
Your passwords have been hashed
In a long-overdue upgrade, we have recently switched over to storing hashed passwords in our database. We have occasionally been taken to task (and deservedly so) for not doing that, and have finally gotten around to implementing a bcrypt-based hash for passwords. When the LWN site code was first implemented, passwords seemed like a pretty low-security item—there just wasn't much that an attacker could do if they got access to one—and the ability to remind users of their passwords seemed useful. Over time, though, it has become clear that password reuse can make the compromise of even "low security" passwords into a serious problem. Sites like ours clearly should not store passwords in plain text; we are now happy to say that we do not.
The only user-visible side of the change is in the username/password recovery process as we can no longer send you your password in email (at least we hope that's the only user-visible part, the rest should just be working invisibly in the background). Username and password recovery have been added to the Login page in case you ever need them. One thing to note, however, is that none of it will work unless we have an up-to-date email address for you in our database. We don't send very much email that you haven't requested (essentially just subscription reminders) and we definitely will not share your email address with anyone else, so please check your address via the My Account page, and update it if necessary.
New vulnerabilities
aaa_base: arbitrary file corruption
| Package(s): | aaa_base | CVE #(s): | CVE-2011-0461 | ||||||||||||
| Created: | March 14, 2011 | Updated: | May 17, 2011 | ||||||||||||
| Description: | From the openSUSE advisory:
The boot.localfs init script wrote a file to /dev/shm during shut-down. Since local users may create symlinks there a malicious user could cause corruption of arbitrary files. | ||||||||||||||
| Alerts: |
| ||||||||||||||
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | |||||||||
| Created: | March 10, 2011 | Updated: | March 16, 2011 | ||||||||
| Description: | From the Fedora advisory:
The release of Asterisk 1.6.2.17 resolves several issues reported by the community and would have not been possible without your participation. Thank you! | ||||||||||
| Alerts: |
| ||||||||||
build: unsafe use of cpio
| Package(s): | build | CVE #(s): | CVE-2010-4226 | ||||||||
| Created: | March 15, 2011 | Updated: | April 18, 2011 | ||||||||
| Description: | From the openSUSE advisory:
The build script uses cpio to extract untrusted rpm packages for bootstrapping virtual machines. cpio is not safe to use for this task, therefore the build script now uses bsdtar instead | ||||||||||
| Alerts: |
| ||||||||||
cgit: denial of service
| Package(s): | cgit | CVE #(s): | CVE-2011-1027 | ||||||||
| Created: | March 16, 2011 | Updated: | March 16, 2011 | ||||||||
| Description: | The cgit server can be thrown into an infinite loop by a remote attacker using a specially crafted URL. | ||||||||||
| Alerts: |
| ||||||||||
chromium-browser: multiple vulnerabilities
| Package(s): | chromium-browser | CVE #(s): | CVE-2011-1108 CVE-2011-1109 CVE-2011-1113 CVE-2011-1114 CVE-2011-1115 CVE-2011-1121 CVE-2011-1122 | ||||
| Created: | March 10, 2011 | Updated: | March 16, 2011 | ||||
| Description: | From the Debian advisory:
CVE-2011-1108: Google Chrome before 9.0.597.107 does not properly implement JavaScript dialogs, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document. CVE-2011-1109: Google Chrome before 9.0.597.107 does not properly process nodes in Cascading Style Sheets (CSS) stylesheets, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." CVE-2011-1113: Google Chrome before 9.0.597.107 on 64-bit Linux platforms does not properly perform pickle deserialization, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2011-1114: Google Chrome before 9.0.597.107 does not properly handle tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node." CVE-2011-1115: Google Chrome before 9.0.597.107 does not properly render tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." CVE-2011-1121: Integer overflow in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a TEXTAREA element. CVE-2011-1122: The WebGL implementation in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, aka Issue 71960. | ||||||
| Alerts: |
| ||||||
chromium-browser: multiple vulnerabilities
| Package(s): | chromium-browser | CVE #(s): | CVE-2011-0779 CVE-2011-1290 | ||||
| Created: | March 15, 2011 | Updated: | March 16, 2011 | ||||
| Description: | From the Debian advisory:
CVE-2011-0779: Google Chrome before 9.0.597.84 does not properly handle a missing key in an extension, which allows remote attackers to cause a denial of service (application crash) via a crafted extension. CVE-2011-1290: Integer overflow in WebKit allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. | ||||||
| Alerts: |
| ||||||
kernel-rt: multiple vulnerabilities
| Package(s): | kernel-rt | CVE #(s): | CVE-2010-4250 CVE-2010-4648 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2011 | Updated: | September 13, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Memory leak in the inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250) A logic error in orinoco_ioctl_set_auth() in the Linux kernel's ORiNOCO wireless extensions support implementation could render TKIP countermeasures ineffective when it is enabled, as it enabled the card instead of shutting it down. (CVE-2010-4648) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
krb5: denial of service
| Package(s): | krb5 | CVE #(s): | CVE-2011-0284 | ||||||||||||||||||||||||
| Created: | March 16, 2011 | Updated: | April 1, 2011 | ||||||||||||||||||||||||
| Description: | The krb5 key distribution center suffers from a double-free flaw which can be exploited by a remote attacker to cause the daemon to abort. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libvpx: denial of service
| Package(s): | libvpx | CVE #(s): | CVE-2010-4489 | ||||||||
| Created: | March 14, 2011 | Updated: | June 19, 2012 | ||||||||
| Description: | From the Ubuntu advisory:
Chris Evans discovered that libvpx did not properly perform bounds checking. If an application using libvpx opened a specially crafted WebM file, an attacker could cause a denial of service. | ||||||||||
| Alerts: |
| ||||||||||
openldap: multiple vulnerabilities
| Package(s): | openldap | CVE #(s): | CVE-2011-1024 CVE-2011-1025 CVE-2011-1081 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2011 | Updated: | September 26, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A flaw was found in the way OpenLDAP handled authentication failures being passed from an OpenLDAP slave to the master. If OpenLDAP was configured with a chain overlay and it forwarded authentication failures, OpenLDAP would bind to the directory as an anonymous user and return success, rather than return failure on the authenticated bind. This could allow a user on a system that uses LDAP for authentication to log into a directory-based account without knowing the password. (CVE-2011-1024) It was found that the OpenLDAP back-ndb back end allowed successful authentication to the root distinguished name (DN) when any string was provided as a password. A remote user could use this flaw to access an OpenLDAP directory if they knew the value of the root DN. Note: This issue only affected OpenLDAP installations using the NDB back-end, which is only available for Red Hat Enterprise Linux 6 via third-party software. (CVE-2011-1025) A flaw was found in the way OpenLDAP handled modify relative distinguished name (modrdn) requests. A remote, unauthenticated user could use this flaw to crash an OpenLDAP server via a modrdn request containing an empty old RDN value. (CVE-2011-1081) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
perl-mail-box: boundary guessing
| Package(s): | perl-Mail-Box | CVE #(s): | |||||||||||||
| Created: | March 11, 2011 | Updated: | March 16, 2011 | ||||||||||||
| Description: | From the Fedora advisory:
2.097 now randomizes boundary string to avoid (undemonstrated) security risks with boundary guessing. | ||||||||||||||
| Alerts: |
| ||||||||||||||
php-zendframework: cross-site scripting
| Package(s): | php-ZendFramework | CVE #(s): | |||||||||
| Created: | March 14, 2011 | Updated: | March 16, 2011 | ||||||||
| Description: | From the Zend Framework advisory:
The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector. | ||||||||||
| Alerts: |
| ||||||||||
pidgin: denial of service
| Package(s): | pidgin | CVE #(s): | CVE-2011-1091 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 14, 2011 | Updated: | November 10, 2011 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Multiple NULL pointer dereference flaws were found in the way Yahoo protocol plug-in of the Pidgin instant messaging client handled malformed YMSG packets (SMS messages and notification packets). A remote, authenticated user could use this flaw to cause denial of service (Pidgin crash) via specially-crafted notification message. The SMS messages handling issue is exploitable only via specially-crafted SMS message, sent from remote, malicious Yahoo server. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
vsftpd: denial of service
| Package(s): | vsftpd | CVE #(s): | CVE-2011-0762 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 10, 2011 | Updated: | October 11, 2011 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
wireshark: denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2011-1143 CVE-2011-1138 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 14, 2011 | Updated: | April 19, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file. (CVE-2011-1143) Off-by-one error in the dissect_6lowpan_iphc function in packet-6lowpan.c in Wireshark 1.4.0 through 1.4.3 on 32-bit platforms allows remote attackers to cause a denial of service (application crash) via a malformed 6LoWPAN IPv6 packet. (CVE-2011-1138) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
wordpress: multiple vulnerabilities
| Package(s): | wordpress | CVE #(s): | CVE-2011-0700 CVE-2011-0701 | ||||||||||||
| Created: | March 11, 2011 | Updated: | September 18, 2012 | ||||||||||||
| Description: | From the Debian advisory:
CVE-2011-0700: Input passed via the post title when performing a "Quick Edit" or "Bulk Edit" action and via the "post_status", "comment_status", and "ping_status" parameters is not properly sanitised before being used. Certain input passed via tags in the tags meta-box is not properly sanitised before being returned to the user. CVE-2011-0701: Wordpress incorrectly enforces user access restrictions when accessing posts via the media uploader and can be exploited to disclose the contents of e.g. private or draft posts. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>