Security
GNUnet adds VPN, direct wireless peering, and more
The GNU project released version 0.9.0 of its GNUnet peer-to-peer (P2P) networking framework in late November. GNUnet allows users to create secure, decentralized P2P networks, akin to the technique used by Gnutella, in which every node is a peer with no central server coordinating the network. But GNUnet puts its emphasis on secure communication links and anonymity: when used for file-sharing, the files a user uploads to the network cannot be traced to their origin, and no one can monitor download activity. Version 0.9.0 breaks network compatibility with previous releases, but it also adds several architectural improvements, and is the first release to officially support an application other than file sharing.
The birds-eye view of GNUnet makes it sound like yet another Napster clone, because the most easily understood use of P2P networks is sharing files — which many assume focuses on copyright-infringing media files. But GNUnet is more general; the project is interested in providing a secure network for people combating censorship or simply wishing to secure their own network traffic against prying eyes. Although sharing files is one use of a decentralized network, it is not the end goal.
Privacy and anonymity are baked into the framework. Peers are identified solely by the SHA-512 hash of a public key; there is no mechanism to further identify anyone on the network — no usernames, or network-wide view of who is connected. Each peer keeps track of its connections to its neighbors, but the connection data is transient and regularly expires. Furthermore, when neighbors exchange messages, they use a mutually-authenticated, encrypted link (a separate link for each peer-to-peer pair). As long as a peer is being a good citizen and is helping to route traffic for the rest of the network, to any eavesdroppers the traffic that originates from the peer is hard to distinguish from traffic being routed between other hosts.
In GNUnet's file-sharing application module, files uploaded by users are encoded using an encryption scheme called Encoding for Censorship-Resistant Sharing (ECRS). ECRS is independent from the link-level encryption, and splits file contents up into blocks that are distributed between the peers. This serves two purposes: fault-tolerance, and enabling faster transfers with Bittorrent-like multi-downloads. Whenever a file is uploaded, special "keyword" blocks associate its contents with potential search terms (which GNUnet refers to as "namespaces"). A distributed hash table keeps track of the namespaces and the files associated with them, so that users can search for files. On the down side, this setup means that all searches are probabilistic — there is no guarantee that a search query will turn up every chunk of the file you search for when you search for it.
On the other hand, the GNUnet client software does not need to connect to the global network of all GNUnet users; it can also run in "Friend-to-Friend" mode to create a private network. In this mode, files uploaded are distributed and replicated in chunks only among the "friends," so the participants can speed up file transfers and enjoy a degree of fault-tolerance, all with a far better probability of finding the files they need available than they might in the global, distributed GNUnet network.
Meet 0.9.0
You can download GNUnet 0.9.0 from the GNU FTP site. There are separate source packages for the command-line GNUnet core and for the GTK+ GUI. As is generally the case with official GNU projects, the software is tested on Linux-based systems as well as FreeBSD, Mac OS X, and Windows — although one of the new features appears to work only on Linux. The configuration documentation is admirably thorough and is already up to date for 0.9.0. GNUnet depends on several other GNU projects, and this release requires recent versions of some of those dependencies, so a quick check of the list is recommended. There are generic installation instructions as well, although the Autotools-based process is nothing out of the ordinary.
The file-sharing module found in earlier releases is still provided, but version 0.9.0 is the first to provide another module: a virtual private network (VPN). The VPN module creates a virtual network interface on the client (named vpn-gnunet on Linux boxes), which the user can then use to route IP traffic over GNUnet. This traffic is encrypted between every pair of nodes and is anonymous, much like a Tor tunnel, and like Tor it requires that at least some peers act as "exit" nodes.
GNUnet 0.9.0 introduces protocol changes that make it incompatible with 0.8.0 and earlier releases; in the release notes the project admits that this is inconvenient, but said that "productive development and readable code were considered more important." The protocol changes include a simplified peer-discovery message format (known as a "HELLO") and moving several of the required services (such as identity management and peer discovery) from separate plug-ins into a "core" module.
A bigger architectural change in this release is a move to a multi-process model, with separate processes running data storage, peer messaging, and other services, along with a lightweight supervisor process (called the automatic restart manager or "ARM") overseeing all of the others. This removes the need to juggle mutexes and locks between a potentially large number of threads — which made earlier releases difficult to maintain — but it also opens the door to contributors writing GNUnet applications in languages other than C and C++. Last but by no means least, it should also make testing and debugging simpler.
The new VPN system can actually do more than route basic IP traffic through GNUnet. It includes a DNS resolver configured to route the .gnunet pseudo-TLD to GNUnet, so it is possible to run GNUnet-only services by binding them to the GNUnet VPN virtual interface. The VPN module can also translate between IPv4 and IPv6 traffic, which makes it possible to use GNUnet to access IPv6 sites or applications from IPv4-only computers, and vice-versa. The project has a page of screencasts showcasing this feature; they use wget to fetch various sites over the VPN connection using several combinations of IPv4 and IPv6 networking.
GNUnet's closest competitor in terms of features is probably Freenet, which also provides a decentralized, anonymous P2P network with encrypted traffic and storage. Like GNUnet, Freenet can function as a transport layer for applications beyond file-sharing, and already has several example applications in the wild. GNUnet points out a few differences between the frameworks on its site, the most notable of which is that GNUnet is capable of using any number of transport protocols. The list includes familiar application- and transport-layer options like TCP, UDP, HTTP, and HTTPS, but also the link-layer itself — starting with 0.9.0, GNUnet peers can talk to each other directly with 802.11 wireless LAN hardware, without going through an access point.
The direct-over-WLAN code requires Linux (at least for the moment), and a supported WiFi card. It uses packet injection to exchange messages with other GNUnet WLAN peers, which requires a helper binary running with root privileges, but the technique allows the machine to remain connected to an access point at the same time. Currently the data rate is limited to around 1Mbps.
0.9.0 also improves GNUnet's peer discovery in some interesting ways. Users can bootstrap their connection to the wider GNUnet world by loading a list of hosts, but, starting with this release, GNUnet peers can also discover each other on the LAN with IPv4 broadcast messages and IPv6 multicast. Peers can also automatically traverse NAT using a variety of methods (including using Universal Plug and Play (UPnP) and ICMP hole punching).
Finally, the project has made an effort to make this release more user-friendly to set up. As the cornucopia of protocols suggests, GNUnet is known for its flexibility, but that is not always simple to navigate. In addition to the connectivity settings, GNUnet can use MySQL, PostgreSQL, or SQLite for storage (both the long-term storage the user contributes to the distributed storage pool, and for the temporary data GNUnet keeps track of during a running session). The setup tool now automatically tests the network and database settings selected by the user and alerts if they do not work.
Applications and all that
On the surface, GNUnet's new functionality makes it more and more like Tor — namely through the availability of separate, anonymous in-network services. Practically speaking, GNUnet still lags behind both Tor and Freenet in terms of what is actually offered to end users; the other networks already support more applications. But GNUnet is making progress; in addition to the VPN code that debuted in 0.9.0, the developers have recently revived the dormant P2P chat application.
At the technical level, GNUnet's main advantage over these other networks is the flexibility it offers in transport protocols — in the past, there were even more options, including a module to route traffic over SMTP (on the grounds that SMTP is rarely blocked by firewalls). Hopefully as the number of applications increases, we will see more and more uses for this flexible transport framework. Routing around censorship is one of the most important uses of this class of project, and the less flexible options — like Tor — are already beginning to be blocked in the wild.
Brief items
Security quotes of the week
[...]
"In five years, unsolicited advertisements may feel so personalized and relevant it may seem that spam is dead. At the same time, spam filters will be so precise you'll never be bothered by unwanted sales pitches again"
Twitter releases TextSecure
Whisper Systems, just acquired by Twitter, has announced that it has released TextSecure - an encrypted messaging client for Android - under GPLv3; the source is available on Github. "We've always been interested in the ability for individuals and organizations to communicate freely and securely. In the year and a half since Whisper Systems launched TextSecure, we've received an enormous amount of thanks, feedback, and encouraging stories from users who have employed TextSecure towards those ends. We hope that as an open source project, TextSecure will be able to reach even more people, with an even larger number of contributors working to make it a great product."
New vulnerabilities
abrt: information disclosure
| Package(s): | abrt | CVE #(s): | CVE-2011-4088 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | July 10, 2012 |
| Description: | From the Red Hat bugzilla: Jan Iven reported that abrt could possibly leak certain non-public information when reporting on crashes. If an application included a user name, password, or other confidential information in the crash output, abrt would send that information along with the other information it collects about the crash, to bugzilla. While the real problem is the application including this information in the crash output, abrt should not be submitting this information or should warn the user that it may be submitting potentially sensitive information and allow the user to scrub that information before it is sent. | | |
| Alerts: | | | |
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2011-4597 CVE-2011-4598 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | December 21, 2011 |
| Description: | From the Debian advisory: CVE-2011-4597: Ben Williams discovered that it was possible to enumerate SIP user names in some configurations. CVE-2011-4598: Kristijan Vrban discovered that Asterisk can be crashed with malformed SIP packets if the "automon" feature is enabled. | | |
| Alerts: | | | |
bzip2: insecure tmp file creation
| Package(s): | bzip2 | CVE #(s): | CVE-2011-4089 |
|---|---|---|---|
| Created: | December 15, 2011 | Updated: | December 21, 2011 |
| Description: | From the Ubuntu advisory: vladz discovered that executables compressed by bzexe insecurely create temporary files when they are run. A local attacker could exploit this issue to execute arbitrary code as the user running a compressed executable. | | |
| Alerts: | | | |
dtc: multiple vulnerabilities
| Package(s): | dtc | CVE #(s): | CVE-2011-3195 CVE-2011-3196 CVE-2011-3197 CVE-2011-3198 CVE-2011-3199 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | December 21, 2011 |
| Description: | From the Debian advisory: Ansgar Burchardt, Mike O'Connor and Philipp Kern discovered multiple vulnerabilities in DTC, a web control panel for admin and accounting hosting services: CVE-2011-3195: A possible shell insertion has been found in the mailing list handling. CVE-2011-3196: Unix rights for the apache2.conf were set incorrectly (world readable). CVE-2011-3197: Incorrect input sanitising for the $_SERVER["addrlink"] parameter could lead to SQL insertion. CVE-2011-3198: DTC was using the -b option of htpasswd, possibly revealing password in clear text using ps or reading /proc. CVE-2011-3199: A possible HTML/javascript insertion vulnerability has been found in the DNS & MX section of the user panel. | | |
| Alerts: | | | |
ejabberd: denial of service
| Package(s): | ejabberd | CVE #(s): | CVE-2011-4320 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | December 21, 2011 |
| Description: | From the Red Hat bugzilla: A denial of service flaw was found in the way the PubSub extension of ejabberd, a distributed, fault-tolerant Jabber/XMPP server, performed processing of certain malformed <publish/> stanzas. A remote attacker (an authenticated Jabber user) could send a specially-crafted request to the Jabber server, leading the jabberd daemon to enter an infinite loop and consume an excessive amount of CPU while processing the stanza. | | |
| Alerts: | | | |
libxml2: denial of service
| Package(s): | libxml2 | CVE #(s): | CVE-2011-3905 |
|---|---|---|---|
| Created: | December 15, 2011 | Updated: | September 26, 2012 |
| Description: | From the Mandriva advisory: libxml2 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2011-3905). | | |
| Alerts: | | | |
lighttpd: denial of service and MITM vulnerabilities
| Package(s): | lighttpd | CVE #(s): | CVE-2011-4362 CVE-2011-3389 |
|---|---|---|---|
| Created: | December 21, 2011 | Updated: | September 10, 2012 |
| Description: | A signedness issue in the lighttpd base64 decoding routine can lead to an out-of-bounds read and a denial-of-service opportunity (CVE-2011-4362). Lighttpd can also be vulnerable to the SSL "BEAST" attack in certain configurations, enabling a possible man-in-the-middle attack (CVE-2011-3389). | | |
| Alerts: | | | |
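The signedness problem behind CVE-2011-4362, shown as an added C example that is not lighttpd's code: vulnerable_index reproduces the table index a signed-char lookup computes for a high byte, and base64_decode_safe is a hardened decoder that indexes with unsigned char and bounds-checks its output; both function names and the reverse-table layout are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reverse table: input byte -> 6-bit value, or -1 for non-base64 bytes. */
static signed char rev_table[256];
static int rev_ready;

static void rev_table_init(void) {
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (rev_ready) return;
    memset(rev_table, -1, sizeof rev_table);
    for (int i = 0; i < 64; i++)
        rev_table[(unsigned char)alphabet[i]] = (signed char)i;
    rev_ready = 1;
}

/* The bug pattern: the input byte is held in a *signed* char, so any byte
 * >= 0x80 becomes a negative table index (rev_table[-61] for 0xC3), which
 * reads memory before the table. This function only returns the index the
 * buggy code would use; it deliberately does not dereference it. */
static int vulnerable_index(unsigned char b) {
    signed char c = (signed char)b;  /* forced signed, as plain char is on x86 */
    return (int)c;                   /* negative for b >= 0x80 */
}

/* Hardened decoder: index with unsigned char so every byte stays inside the
 * 256-entry table, reject non-base64 bytes, and never overrun `out`.
 * Returns the number of decoded bytes, or -1 on malformed input. */
static int base64_decode_safe(const char *in, size_t in_len,
                              unsigned char *out, size_t out_cap) {
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    rev_table_init();
    for (size_t i = 0; i < in_len; i++) {
        unsigned char b = (unsigned char)in[i];
        if (b == '=') {                       /* padding: only '=' may follow */
            for (; i < in_len; i++) if (in[i] != '=') return -1;
            break;
        }
        int v = rev_table[b];                 /* b is 0..255: always in bounds */
        if (v < 0) return -1;                 /* not a base64 symbol */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;      /* caller's buffer is full */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Helper for checking results: 1 if `in` decodes exactly to `expected`. */
static int decodes_to(const char *in, const char *expected) {
    unsigned char out[64];
    int n = base64_decode_safe(in, strlen(in), out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void) {
    printf("\"Zm9vYmFy\" -> \"foobar\": %d\n", decodes_to("Zm9vYmFy", "foobar"));
    printf("index the buggy code would use for byte 0xC3: %d\n", vulnerable_index(0xC3));
    return 0;
}
```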
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | CVE-2011-1587 CVE-2011-4360 CVE-2011-4361 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | December 21, 2011 |
| Description: | From the Debian advisory: CVE-2011-1587: Masato Kinugawa discovered a cross-site scripting (XSS) issue, which affects Internet Explorer clients only, and only version 6 and earlier. Web server configuration changes are required to fix this issue. Upgrading MediaWiki will only be sufficient for people who use Apache with AllowOverride enabled. CVE-2011-4360: Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed by passing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. CVE-2011-4361: Tim Starling discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis. | | |
| Alerts: | | | |
namazu: cross-site scripting
| Package(s): | namazu | CVE #(s): | CVE-2011-4345 |
|---|---|---|---|
| Created: | December 15, 2011 | Updated: | December 1, 2013 |
| Description: | From the openSUSE advisory: namazu: XSS flaw by processing HTTP cookies (CVE-2011-4345) | | |
| Alerts: | | | |
perl-PAR: insecure temporary file handling
| Package(s): | perl-PAR perl-PAR-Packer | CVE #(s): | CVE-2011-4114 |
|---|---|---|---|
| Created: | December 21, 2011 | Updated: | December 21, 2011 |
| Description: | From the Red Hat bugzilla entry: It was reported that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packaged program. PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions. | | |
| Alerts: | | | |
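A defensive version of the per-user cache directory check described above, as an added C example that is not PAR::Packer's own code: it performs the two checks the entry says were missing (ownership and permissions) and additionally refuses symlinks by verifying the open descriptor rather than the path. secure_cache_dir, the demo routine and the par-demo-* names are assumptions constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a per-user cache directory such as /tmp/par-<user>.
 * The directory must be owned by the calling user and must not be group- or
 * world-accessible. It is opened with O_NOFOLLOW|O_DIRECTORY and verified
 * with fstat on the open descriptor, so a symlink planted under the
 * predictable name is refused and the path cannot be swapped between check
 * and use. Returns a directory fd (for openat()-style access to files inside
 * it) or -1. */
static int secure_cache_dir(const char *path) {
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;                               /* cannot create, not present */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                               /* symlink, file, or unreadable */
    if (fstat(fd, &st) != 0
        || st.st_uid != getuid()                 /* someone else's directory */
        || (st.st_mode & (S_IRWXG | S_IRWXO))) { /* group/others can get in */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a fresh directory is accepted (and accepted
 * again on reuse), while a pre-existing world-writable directory and a
 * symlink under the expected name are both refused. Returns 1 if every
 * case behaves as intended. Uses $TMPDIR or /tmp and cleans up afterwards. */
static int demo(void) {
    char good[256], bad[256], lnk[256];
    const char *tmp = getenv("TMPDIR");
    long pid = (long)getpid();
    int ok = 1, fd;
    if (!tmp) tmp = "/tmp";
    snprintf(good, sizeof good, "%s/par-demo-%ld", tmp, pid);
    snprintf(bad, sizeof bad, "%s/par-demo-open-%ld", tmp, pid);
    snprintf(lnk, sizeof lnk, "%s/par-demo-link-%ld", tmp, pid);

    fd = secure_cache_dir(good);                 /* fresh: accepted */
    if (fd < 0) ok = 0; else close(fd);
    fd = secure_cache_dir(good);                 /* existing, still ours: accepted */
    if (fd < 0) ok = 0; else close(fd);

    mkdir(bad, 0777);
    chmod(bad, 0777);                            /* defeat umask: world-writable */
    if (secure_cache_dir(bad) >= 0) ok = 0;      /* must be refused */

    symlink(good, lnk);                          /* symlink where a dir is expected */
    if (secure_cache_dir(lnk) >= 0) ok = 0;      /* must be refused */

    rmdir(good); rmdir(bad); unlink(lnk);
    return ok;
}

int main(void) {
    printf("all cases behaved as intended: %d\n", demo());
    return 0;
}
```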
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2011-4634 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | January 2, 2012 |
| Description: | From the Red Hat advisory: Using crafted database names, it was possible to produce XSS in the Database Synchronize and Database rename panels. Using an invalid and crafted SQL query, it was possible to produce XSS when editing a query on a table overview panel or when using the view creation dialog. Using a crafted column type, it was possible to produce XSS in the table search and create index dialogs. Only phpMyAdmin 3.4.x is affected by this vulnerability. | | |
| Alerts: | | | |
pidgin: multiple vulnerabilities
| Package(s): | pidgin | CVE #(s): | CVE-2011-4602 CVE-2011-4603 |
|---|---|---|---|
| Created: | December 15, 2011 | Updated: | January 9, 2012 |
| Description: | From the Red Hat advisory: An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters in channel messages. A remote attacker could use this flaw to crash Pidgin via a specially-crafted SILC message. (CVE-2011-4603) Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially-crafted Jingle multimedia message. (CVE-2011-4602) | | |
| Alerts: | | | |
susestudio, kiwi: multiple vulnerabilities
| Package(s): | SUSE Studio Onsite 1.2 and kiwi | CVE #(s): | CVE-2011-3180 CVE-2011-4192 CVE-2011-4193 CVE-2011-4195 |
|---|---|---|---|
| Created: | December 15, 2011 | Updated: | December 21, 2011 |
| Description: | From the SUSE advisory: | | |
| Alerts: | | | |
tor: arbitrary code execution
| Package(s): | tor | CVE #(s): | CVE-2011-2778 |
|---|---|---|---|
| Created: | December 16, 2011 | Updated: | January 11, 2012 |
| Description: | From the Debian advisory: It was discovered that Tor, an online privacy tool, incorrectly computes buffer sizes in certain cases involving SOCKS connections. Malicious parties could use this to cause a heap-based buffer overflow, potentially allowing execution of arbitrary code. In Tor's default configuration this issue can only be triggered by clients that can connect to Tor's socks port, which listens only on localhost by default. In non-default configurations where Tor's SocksPort listens not only on localhost or where Tor was configured to use another socks server for all of its outgoing connections, Tor is vulnerable to a larger set of malicious parties. | | |
| Alerts: | | | |
xorg: restriction bypass
| Package(s): | xorg | CVE #(s): | CVE-2011-4613 |
|---|---|---|---|
| Created: | December 19, 2011 | Updated: | January 26, 2012 |
| Description: | From the Debian advisory: The Debian X wrapper enforces that the X server can only be started from a console. "vladz" discovered that this wrapper could be bypassed. | | |
| Alerts: | | | |
Page editor: Jake Edge
