
Security

Loading signed kernel modules

By Jake Edge
December 7, 2011

Inserting loadable modules into a running kernel is clearly a convenient feature. It allows distributions to have relatively small kernels while still supporting a wide variety of hardware and use-cases, but it can also allow unwanted modules to be loaded in a way that may not be all that easy to detect. Those modules could simply be binary-only drivers that the distribution or service provider doesn't want to support—or they could be some kind of malware. A recently posted patch set will help to avoid those problems by giving the option of building a kernel that will only allow modules that have been cryptographically signed to be loaded, or to simply detect the presence of unsigned modules.

David Howells posted the patches, which are based on code that has been running in Fedora and RHEL kernels for years. Therefore, it should have been "thoroughly tested", Howells said in the final patch in the series (which also contains the module-signing.txt kernel Documentation file). The patches allow modules to be signed using the RSA signature algorithm with any of the SHA family of hash algorithms.

The basic idea is that public keys can be built into the kernel and, if CONFIG_MODULE_SIG is enabled, used to check the validity of modules before they are loaded. If CONFIG_MODULE_SIG_FORCE is enabled at compile time (or enforcemodulesig=1 is passed on the kernel command line), only those modules that can be verified with one of the public keys built into the kernel will be loaded. If the "force" option is not used, unsigned modules will still be loaded. In either case, modules with corrupt or incorrect signatures, or those that are signed with a key that is not on the keyring, will be rejected.

In order to make that work, there needs to be a way to build signed modules. That is done by creating public and private keys in the top-level kernel directory (in kernel.pub and kernel.sec by default). The public key will be processed with the kernel's bin2c utility and written as crypto/signature/key.h. The public and secret keys will then be used with GNU Privacy Guard (GPG) to sign the modules automatically as they are built. There are several options that can be passed on the make command line to govern the location of the key files as well as options to pass to gpg.

In addition, the modules can be stripped for inclusion into initial ramdisk images, and debuginfo can be placed in a separate ELF section that is not included in the signature calculation. That means that all of the variants of a particular module can share a single signature, which is stored in the module itself (in the .module_sig ELF section). The output of /proc/modules has also been changed to add a "U" to unsigned modules so that they can be detected.
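As an added example (not part of the article or of Howells's patches), here is a small Python ELF64 reader that locates the .module_sig section, reports a module without one using the same "U" flag as /proc/modules, and computes a digest over the sections a signature is meant to cover, skipping the signature and .debug_* sections so that the debuginfo and stripped variants hash identically. The build_elf fixture, the choice of .debug_* and .shstrtab as excluded sections, and the digest layout are assumptions for illustration, not the patch set's actual signature format.

```python
import hashlib
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 file header, little-endian
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # 64-byte ELF64 section header
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3

def build_elf(sections):
    """Constructed fixture: minimal ELF64 object with the given [(name, bytes)] sections."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"", {}
    for n in names:                      # section-name string table
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    body, offsets = b"", []
    for _, data in sections:             # section contents follow the file header
        offsets.append(ELF_HDR.size + len(body))
        body += data
    str_off = ELF_HDR.size + len(body)
    shoff = str_off + len(shstrtab)      # section header table goes last
    hdr = ELF_HDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 1, 62, 1, 0, 0, shoff, 0,
                       ELF_HDR.size, 0, 0, SEC_HDR.size, len(names), len(names) - 1)
    shdrs = SEC_HDR.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
    for (n, data), off in zip(sections, offsets):
        shdrs += SEC_HDR.pack(name_off[n], SHT_PROGBITS, 0, 0, off, len(data), 0, 0, 1, 0)
    shdrs += SEC_HDR.pack(name_off[".shstrtab"], SHT_STRTAB, 0, 0, str_off,
                          len(shstrtab), 0, 0, 1, 0)
    return hdr + body + shstrtab + shdrs

def elf_sections(data):
    """Return {section name: content} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    hdrs = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    out = {}
    for sh_name, sh_type, _, _, off, size, *_ in hdrs:
        if sh_type == SHT_NULL:
            continue
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        out[name] = data[off:off + size]
    return out

def signature_status(data):
    """Raw .module_sig bytes, or "U" (the flag the patch adds to /proc/modules)
    when the module has no signature section at all."""
    sig = elf_sections(data).get(".module_sig")
    return "U" if sig is None else sig

def signed_digest(data, algo="sha256"):
    """Digest of what a signature covers: all sections except the signature itself,
    .debug_* debuginfo, and the name table (which changes when sections are stripped).
    Stripped and debuginfo variants of one module thus share one digest; the exact
    layout hashed here is an assumption, not the patch set's format."""
    h = hashlib.new(algo)
    for name, content in sorted(elf_sections(data).items()):
        if name in (".module_sig", ".shstrtab") or name.startswith(".debug_"):
            continue
        h.update(name.encode() + b"\0" + len(content).to_bytes(8, "little") + content)
    return h.hexdigest()

if __name__ == "__main__":
    text = b"\x48\x31\xc0\xc3"           # constructed stand-in for .text
    full = build_elf([(".text", text), (".debug_info", b"dbg" * 8), (".module_sig", b"SIG")])
    stripped = build_elf([(".text", text), (".module_sig", b"SIG")])
    print(signed_digest(full) == signed_digest(stripped))   # True: one signature fits both
```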

The patch also modifies the kernel's crypto subsystem to allow for the new key type and to add an RSA signature verification algorithm. That requires using the multi-precision integer (MPI) library from GPG, which was reworked from the Red Hat version for kernel inclusion by Dmitry Kasatkin. That code is already in the security tree in order to support the Extended Verification Module (EVM) digital signature extension. It also requires a minimal parser for the OpenPGP format (which is the kind of keys and signatures that GPG generates).

There is also something of a chicken-and-egg problem. Many distributions have crypto and hash algorithms built as modules, but the RSA algorithm and whichever hash is being used to generate the signatures need to be present or an enforcing kernel won't be able to load any modules at all. For that reason, the patches ensure that if module signatures are selected at compile time, the RSA and chosen hash algorithms are not built as modules themselves. Modules are then loaded in the usual way, with insmod, but the signature will be checked by suitably configured kernels.

There has been relatively little discussion of, or complaint about, the patches in the three revisions that have been posted since Howells began the process in late November. H. Peter Anvin is concerned about adding an OpenPGP parser to the kernel, and Howells was quick to point out that the parser is just the minimal amount needed to pull keys and signatures out of OpenPGP-formatted data. Both Anvin and James Morris were unconvinced about the need for supporting the (now deprecated) DSA signature algorithm, and Howells has pulled that code out in the most recent revision.

This is not the first time Howells has proposed these (or similar) changes; those efforts stretch back to (at least) 2004. He has now requested that the code be included in Morris's security tree. If that happens, and no major complaints arise, we could potentially see signed module support in Linux 3.3.

While it is a useful feature, particularly for those trying to support Linux kernels without random drivers from who-knows-where, it only places another set of hurdles in front of malware authors. Since root privileges are required to load modules in the first place, a malware author will only need to find a way to insert code into the running kernel without using the module loading facility. Once upon a time, /dev/kmem could be used for that, but many distribution kernels don't support it any more. Prior to the advent of CONFIG_STRICT_DEVMEM, /dev/mem would have provided another way, but distributions are generally enabling that option as well. Exploiting some kind of kernel bug is the most probable route for these root-privileged attackers, but is certainly a more fragile approach than simply inserting a module.

Another potential use (or abuse depending on perspective) of the feature is for device makers or distributions to lock down their kernels. That would leave users who wish to add functionality (or remove anti-features) in the same place as the malware author: looking for a kernel bug to exploit. Of course, some users may just find a way to replace the kernel entirely in that scenario.

Comments (7 posted)

Brief items

Security quotes of the week

In recent months, Comodo has been hacked repeatedly, DigiNotar was compromised, and the security of CAs as a whole has been found to be not altogether inspiring. The consensus finally seems to be shifting from the notion that CAs are merely a ripoff, to the notion that they are a ripoff, a security problem, and that we want them dead as immediately as possible. The only question that remains is how to replace them.
-- Moxie Marlinspike

Disclosing security vulnerabilities is good for security and good for society, but vendors really hate it. It results in bad press, forces them to spend money fixing vulnerabilities, and comes out of nowhere. Over the past decade or so, we've had an uneasy truce between security researchers and product vendors. That truce seems to be breaking down.
-- Bruce Schneier

The next problem we hit was that pam_securid seems to be running netstat under the covers. I recall we had this problem with the Netscape Certificate libraries. They used to execute netstat in order to generate entropy when using certificates, so I figure this is what is going on here. I also see the sshd executing ps? Probably for the same reason.

RSA guys please use /dev/urandom and /dev/random.

-- Dan Walsh debugs some problems that were causing RSA to recommend turning off SELinux

Comments (none posted)

Paper: Capability leaks in Android phones

Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang have published a paper [PDF] describing research they have done into the Android security model as implemented on actual handsets. "In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission." The Google "Nexus" phones were the happy exception, with almost no leaks. (Seen on The H).

Comments (3 posted)

C|Net Download.Com accused of bundling Nmap with malware

Nmap hacker Fyodor has discovered that the download.com site is offering a version of Nmap (for Windows) with an installer that makes a number of unwelcome changes. "The way it works is that C|Net's download page offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer." One assumes they do similar things with other free programs. The number of LWN readers obtaining software from download.com is likely to be quite small, but it is still good to be aware of what's going on. This is why some projects adopt draconian trademark policies, unfortunately. (Thanks to Mattias Mattsson).

Full Story (comments: 38)

New vulnerabilities

clearsilver: arbitrary code execution

Package(s): clearsilver   CVE #(s): CVE-2011-4357
Created: December 1, 2011   Updated: December 23, 2011
Description: From the Debian advisory:

Leo Iannacone and Colin Watson discovered a format string vulnerability in the Python bindings for the Clearsilver HTML template system, which may lead to denial of service or the execution of arbitrary code.

Alerts:
Fedora FEDORA-2011-17040 clearsilver 2011-12-12
Fedora FEDORA-2011-17042 clearsilver 2011-12-12
Debian DSA-2355-1 clearsilver 2011-11-30

Comments (none posted)

colord: SQL injection

Package(s): colord   CVE #(s): CVE-2011-4349
Created: December 5, 2011   Updated: December 8, 2011
Description: The colord daemon suffers from SQL injection vulnerabilities that could allow a local attacker to corrupt its databases or, possibly, databases belonging to other applications; see the Red Hat bugzilla entry for more information.
Alerts:
Ubuntu USN-1289-1 colord 2011-12-07
Fedora FEDORA-2011-16451 colord 2011-11-26
Fedora FEDORA-2011-16453 colord 2011-11-26

Comments (none posted)

glibc: code execution

Package(s): glibc   CVE #(s): CVE-2009-5064
Created: December 7, 2011   Updated: December 7, 2011
Description: From the Red Hat advisory: A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd.
Alerts:
Scientific Linux SL-glib-20120214 glibc 2012-02-14
Oracle ELSA-2012-0126 glibc 2012-02-14
Oracle ELSA-2012-0125 glibc 2012-02-14
CentOS CESA-2012:0126 glibc 2012-02-14
CentOS CESA-2012:0125 glibc 2012-02-14
Red Hat RHSA-2012:0125-01 glibc 2012-02-13
Red Hat RHSA-2012:0126-01 glibc 2012-02-13
Scientific Linux SL-glib-20111206 glibc 2011-12-06
Red Hat RHSA-2011:1526-03 glibc 2011-12-06

Comments (none posted)

ipa: cross-site request forgery

Package(s): ipa   CVE #(s): CVE-2011-3636
Created: December 7, 2011   Updated: January 11, 2012
Description: A CSRF vulnerability in ipa can allow an attacker to perform Red Hat identity management configuration changes with the privileges of a logged-in user.
Alerts:
Scientific Linux SL-ipa-20111206 ipa 2011-12-06
Red Hat RHSA-2011:1533-04 ipa 2011-12-06

Comments (none posted)

kernel: privilege escalation

Package(s): linux kernel   CVE #(s): CVE-2011-4330
Created: December 5, 2011   Updated: December 7, 2011
Description: A bounds-checking error in the HFS filesystem can be exploited by a local user to crash the system or gain privileges.
Alerts:
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
SUSE SUSE-SU-2012:0736-1 Linux kernel 2012-06-14
Oracle ELSA-2012-0150 kernel 2012-03-07
Red Hat RHSA-2012:0358-01 kernel 2012-03-06
Ubuntu USN-1340-1 linux-lts-backport-oneiric 2012-01-23
Ubuntu USN-1330-1 linux-ti-omap4 2012-01-13
Oracle ELSA-2012-0007 kernel 2012-01-12
Scientific Linux SL-kern-20120112 kernel 2012-01-12
CentOS CESA-2012:0007 kernel 2012-01-11
Red Hat RHSA-2012:0007-01 kernel 2012-01-10
Ubuntu USN-1322-1 linux 2012-01-09
Ubuntu USN-1312-1 linux 2011-12-19
Ubuntu USN-1311-1 linux 2011-12-19
Oracle ELSA-2011-2037 enterprise kernel 2011-12-15
SUSE SUSE-SU-2011:1319-2 Linux kernel 2011-12-14
SUSE SUSE-SU-2011:1319-1 Linux kernel 2011-12-13
Ubuntu USN-1304-1 linux-ti-omap4 2011-12-13
Ubuntu USN-1303-1 linux-mvl-dove 2011-12-13
Ubuntu USN-1302-1 linux-ti-omap4 2011-12-13
Ubuntu USN-1301-1 linux-lts-backport-natty 2011-12-13
Ubuntu USN-1300-1 linux-fsl-imx51 2011-12-13
Ubuntu USN-1299-1 linux-ec2 2011-12-13
SUSE SUSE-SA:2011:046 kernel 2011-12-13
Ubuntu USN-1293-1 linux 2011-12-08
Ubuntu USN-1292-1 linux-lts-backport-maverick 2011-12-08
Ubuntu USN-1291-1 linux 2011-12-08
Ubuntu USN-1286-1 linux 2011-12-03

Comments (none posted)

kexec-tools: information disclosure

Package(s): kexec-tools   CVE #(s): CVE-2011-3588 CVE-2011-3589 CVE-2011-3590
Created: December 7, 2011   Updated: March 8, 2012
Description: The kexec-tools package contains a number of information disclosure vulnerabilities exploitable by a local user.
Alerts:
Oracle ELSA-2012-0152 kexec-tools 2012-03-07
Scientific Linux SL-kexe-20120306 kexec-tools 2012-03-06
Red Hat RHSA-2012:0152-03 kexec-tools 2012-02-21
Scientific Linux SL-kexe-20111206 kexec-tools 2011-12-06
Red Hat RHSA-2011:1532-03 kexec-tools 2011-12-06

Comments (none posted)

krb5: denial of service

Package(s): krb5   CVE #(s): CVE-2011-1530
Created: December 7, 2011   Updated: February 1, 2012
Description: The Kerberos key distribution center can be made to dereference a null pointer by an authenticated attacker, leading to a server crash.
Alerts:
Fedora FEDORA-2011-16284 krb5 2012-01-31
Gentoo 201201-13 mit-krb5 2012-01-23
CentOS CESA-2011:1790 krb5 2011-12-22
Oracle ELSA-2011-1790 krb5 2011-12-17
Fedora FEDORA-2011-16296 krb5 2011-11-23
Mandriva MDVSA-2011:184 krb5 2011-12-12
Scientific Linux SL-krb5-20111206 krb5 2011-12-06
Ubuntu USN-1290-1 krb5 2011-12-08
Red Hat RHSA-2011:1790-01 krb5 2011-12-06

Comments (none posted)

libarchive: arbitrary code execution

Package(s): libarchive   CVE #(s): CVE-2011-1777 CVE-2011-1778
Created: December 1, 2011   Updated: February 21, 2012
Description: From the Red Hat advisory:

Two heap-based buffer overflow flaws were discovered in libarchive. If a user were tricked into expanding a specially-crafted ISO 9660 CD-ROM image or tar archive with an application using libarchive, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-1777, CVE-2011-1778)

Alerts:
Gentoo 201406-02 libarchive 2014-06-01
Debian DSA-2413-1 libarchive 2012-02-20
Ubuntu USN-1310-1 libarchive 2011-12-19
Mandriva MDVSA-2011:191 libarchive 2011-12-18
Mandriva MDVSA-2011:190 libarchive 2011-12-18
Scientific Linux SL-liba-20111201 libarchive 2011-12-01
Oracle ELSA-2011-1507 libarchive 2011-12-01
Red Hat RHSA-2011:1507-01 libarchive 2011-12-01

Comments (none posted)

libxml2: code execution

Package(s): libxml2   CVE #(s): CVE-2011-0216
Created: December 7, 2011   Updated: September 27, 2012
Description: The libxml2 library contains an off-by-one error leading to a buffer overflow vulnerability exploitable via a specially-crafted XML file.
Alerts:
Scientific Linux SL-ming-20130201 mingw32-libxml2 2013-02-01
Oracle ELSA-2013-0217 mingw32-libxml2 2013-02-01
CentOS CESA-2013:0217 mingw32-libxml2 2013-02-01
Red Hat RHSA-2013:0217-01 mingw32-libxml2 2013-01-31
Fedora FEDORA-2012-13824 libxml2 2012-09-27
Fedora FEDORA-2012-13820 libxml2 2012-09-26
Oracle ELSA-2012-0324 libxml2 2012-03-09
Debian DSA-2394-1 libxml2 2012-01-26
Ubuntu USN-1334-1 libxml2 2012-01-19
Oracle ELSA-2012-0017 libxml2 2012-01-12
Scientific Linux SL-libx-20120112 libxml2 2012-01-12
Scientific Linux SL-libx-20120111 libxml2 2012-01-11
Oracle ELSA-2012-0016 libxml2 2012-01-12
CentOS CESA-2012:0017 libxml2 2012-01-11
CentOS CESA-2012:0016 libxml2 2012-01-11
Red Hat RHSA-2012:0017-01 libxml2 2012-01-11
Red Hat RHSA-2012:0016-01 libxml2 2012-01-11
Mandriva MDVSA-2011:188 libxml2 2011-12-15
Scientific Linux SL-libx-20111206 libxml2 2011-12-06
Red Hat RHSA-2011:1749-03 libxml2 2011-12-06

Comments (none posted)

mojarra: code injection

Package(s): mojarra   CVE #(s): CVE-2011-4358
Created: December 7, 2011   Updated: December 7, 2011
Description: Mojarra (a JavaServer Faces implementation) can be made to execute untrusted values as EL expressions in some configurations.
Alerts:
Debian DSA-2359-1 mojarra 2011-12-06

Comments (none posted)

nginx: remote code execution

Package(s): nginx-1.0   CVE #(s): CVE-2011-4315
Created: December 5, 2011   Updated: February 9, 2012
Description: The DNS resolver built into nginx suffers from a buffer overflow that could enable remote code execution attacks.
Alerts:
Gentoo 201203-22 nginx 2012-03-28
openSUSE openSUSE-SU-2012:0237-1 nginx 2012-02-09
Fedora FEDORA-2011-16110 nginx 2011-11-19
Fedora FEDORA-2011-16075 nginx 2011-11-19
SUSE SUSE-SU-2011:1300-1 nginx-1.0 2011-12-05

Comments (none posted)

psi: input validation failure

Package(s): psi   CVE #(s): CVE-2011-3365 CVE-2011-3366
Created: December 6, 2011   Updated: December 7, 2011
Description: From the Red Hat bugzilla:

An input validation failure was discovered in KSSL (CVE-2011-3365) and Rekonq (CVE-2011-3366) in KDE SC 4.6.0 up to and including KDE SC 4.7.1; however, upstream indicates that earlier versions of KDE SC may also be affected.

Alerts:
Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Fedora FEDORA-2011-16476 psi 2011-11-27
Fedora FEDORA-2011-16488 psi 2011-11-27

Comments (none posted)

qemu-kvm: privilege escalation

Package(s): qemu-kvm   CVE #(s): CVE-2011-4111
Created: December 7, 2011   Updated: December 22, 2011
Description: From the Red Hat advisory: A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID (Chip/Smart Card Interface Devices) USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
Alerts:
Scientific Linux SL-qemu-20111206 qemu-kvm 2011-12-06
CentOS CESA-2011:1777 qemu-kvm 2011-12-22
CentOS CESA-2011:1801 qemu-kvm 2011-12-22
Oracle ELSA-2011-1777 qemu-kvm 2011-12-17
Red Hat RHSA-2011:1801-01 qemu-kvm 2011-12-08
Red Hat RHSA-2011:1777-01 qemu-kvm 2011-12-06

Comments (none posted)

ruby: predictable random numbers

Package(s): ruby   CVE #(s): CVE-2011-3009
Created: December 7, 2011   Updated: January 31, 2012
Description: The Ruby interpreter does not reinitialize the random number generator after creating a child process, leading to a situation where two processes may get the same number.
Alerts:
openSUSE openSUSE-SU-2012:0228-1 Ruby 2012-02-09
Scientific Linux SL-ruby-20120130 ruby 2012-01-30
Oracle ELSA-2012-0070 ruby 2012-01-31
CentOS CESA-2012:0070 ruby 2012-01-30
Red Hat RHSA-2012:0070-01 ruby 2012-01-30
Scientific Linux SL-ruby-20111206 ruby 2011-12-06
Red Hat RHSA-2011:1581-03 ruby 2011-12-06

Comments (none posted)

ruby-on-rails: multiple vulnerabilities

Package(s): rubygem-*   CVE #(s): CVE-2010-3933 CVE-2011-0448 CVE-2011-0449
Created: December 7, 2011   Updated: December 7, 2011
Description: The Ruby on Rails package suffers from vulnerabilities enabling arbitrary modification of records via crafted form parameters (CVE-2010-3933), SQL injection (CVE-2011-0448), and access restriction bypass (CVE-2011-0449).
Alerts:
Gentoo 201412-28 rails 2014-12-14
openSUSE openSUSE-SU-2011:1305-1 ruby 2011-12-07

Comments (none posted)

sos: key disclosure

Package(s): sos   CVE #(s): CVE-2011-4083
Created: December 7, 2011   Updated: January 17, 2013
Description: From the Red Hat advisory: The sosreport utility incorrectly included Certificate-based Red Hat Network private entitlement keys in the resulting archive of debugging information. An attacker able to access the archive could use the keys to access Red Hat Network content available to the host.
Alerts:
CentOS CESA-2012:0153 sos 2013-01-09
Scientific Linux SL-sos-20120321 sos 2012-03-21
Oracle ELSA-2012-0153 sos 2012-03-07
Red Hat RHSA-2012:0153-03 sos 2012-02-21
Scientific Linux SL-sos-20111206 sos 2011-12-06
Red Hat RHSA-2011:1536-03 sos 2011-12-06

Comments (none posted)

torque: user impersonation

Package(s): torque   CVE #(s):
Created: December 5, 2011   Updated: December 7, 2011
Description: A user connecting to the torque "pbs_server" is able to impersonate another user in the torque batch system.
Alerts:
Fedora FEDORA-2011-16128 torque 2011-12-04

Comments (none posted)

util-linux-ng: denial of service

Package(s): util-linux-ng   CVE #(s): CVE-2011-1675 CVE-2011-1677
Created: December 7, 2011   Updated: May 29, 2012
Description: Vulnerabilities in the util-linux-ng package allow a local user with the ability to mount and unmount filesystems to corrupt the mtab file and leave a stale lock file around, interfering with others' ability to mount filesystems.
Alerts:
Gentoo 201405-15 util-linux 2014-05-18
Mandriva MDVSA-2012:083 util-linux 2012-05-29
Scientific Linux SL-util-20120321 util-linux 2012-03-21
Oracle ELSA-2012-0307 util-linux 2012-03-07
Red Hat RHSA-2012:0307-03 util-linux 2012-02-21
Scientific Linux SL-util-20111206 util-linux-ng 2011-12-06
Red Hat RHSA-2011:1691-03 util-linux-ng 2011-12-06

Comments (none posted)

virt-v2v: privilege escalation

Package(s): virt-v2v   CVE #(s): CVE-2011-1773
Created: December 7, 2011   Updated: December 16, 2011
Description: From the Red Hat advisory: Using virt-v2v to convert a guest that has a password-protected VNC console to a KVM guest removed that password protection from the converted guest: after conversion, a password was not required to access the converted guest's VNC console.
Alerts:
Scientific Linux SL-virt-20111206 virt-v2v 2011-12-06
Red Hat RHSA-2011:1615-03 virt-v2v 2011-12-06

Comments (none posted)

Page editor: Jake Edge


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds