Security
A hole in telnetd
An unexpected FreeBSD security team "holiday message" had an underlying cause that was, perhaps, even more surprising: a long-standing remote code execution flaw in telnetd. As the message notes, FreeBSD tries hard to avoid releasing security updates at inconvenient times, and the end of the year is pretty inconvenient for most. But, attacks were being seen in the wild and, since telnetd is typically run as root, the consequences were severe.
Some, perhaps many, readers can be forgiven for wondering what all the fuss is about, as it has been well over a decade since telnet was being actively discouraged for use on Linux (and other operating systems). It is still present in many distribution repositories, however, which led to a pile of Linux updates in addition to the FreeBSD update. It turns out that telnetd is actually being used much more than one might think, especially on embedded devices.
The reason that telnet has long been deprecated—at least over unencrypted networks—is that it is a cleartext protocol. Logging into a remote system using telnet means that your username and password are sent in the clear, so that anyone in a man-in-the-middle position can sniff your credentials. But, it turns out that the telnet protocol does have an encrypted mode (though it's not considered cryptographically strong), and it is that mode that is being exploited by the recent attacks.
The bug itself is a fairly mundane buffer overflow that is triggered when an overlong encryption key is sent to the server. That key is sent before any authentication has occurred, which allows random attackers to target any vulnerable telnetd server. Even readers without much knowledge of C (or buffer overflows) will likely understand the basics of the patch that fixes the problem. There is also a fairly comprehensive exploit available for study. It can target multiple Linux and BSD installations, and contains shellcode (i.e. code that will create a root shell when executed by telnetd because of the exploit) for i386 and SPARC architectures.
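The shape of the defect described above, as an added illustration rather than code from telnetd or from the linked patch: a daemon copies a key whose length it took from the peer into a fixed-size buffer, next to the bounds-checked form that refuses the message before touching any state. The struct, the MAX_KEY_LEN constant and the store_key_* functions are invented for this example; the real buffer names and sizes are in the patch.

```c
/*
 * Added illustration, not code from telnetd or from the patch the
 * article links: the generic shape of a pre-authentication
 * "length taken from the network" overflow, next to a bounds-checked
 * version. struct key_state, MAX_KEY_LEN and the store_key_* functions
 * are invented for this example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 64          /* fixed-size key buffer (illustrative size) */

struct key_state {
    unsigned char key[MAX_KEY_LEN];
    size_t keylen;              /* lives right after key[]: the first thing an overflow corrupts */
};

/* Vulnerable pattern: the length claimed by the peer is trusted. */
void store_key_unchecked(struct key_state *ks, const unsigned char *key, size_t len)
{
    memcpy(ks->key, key, len);  /* len > MAX_KEY_LEN writes past the end of key[] */
    ks->keylen = len;
}

/* Hardened form: validate first; on failure reject the message and leave state untouched. */
int store_key_checked(struct key_state *ks, const unsigned char *key, size_t len)
{
    if (key == NULL || len == 0 || len > MAX_KEY_LEN)
        return -1;              /* caller should refuse the option (or drop the connection) */
    memcpy(ks->key, key, len);
    ks->keylen = len;
    return 0;
}

/* Probes the boundary: result of storing a zero-filled key of the given length. */
int checked_store_result(size_t len)
{
    struct key_state ks;
    unsigned char probe[MAX_KEY_LEN + 1];

    if (len > sizeof probe)
        return -2;              /* probe buffer itself is too small for that length */
    memset(&ks, 0, sizeof ks);
    memset(probe, 0, sizeof probe);
    return store_key_checked(&ks, probe, len);
}

/*
 * Feeds constructed sample messages to the checked store and returns how
 * many were rejected. The 200-byte key stands in for an over-long key
 * arriving before authentication. Returns -1 if a rejected message
 * managed to change the stored state.
 */
int count_rejected_keys(void)
{
    struct key_state ks;
    unsigned char oversized[200];   /* constructed sample input */
    int rejected = 0;

    memset(&ks, 0, sizeof ks);
    memset(oversized, 'A', sizeof oversized);

    if (store_key_checked(&ks, (const unsigned char *)"sixteen-byte-key", 16) != 0)
        rejected++;                                   /* well-formed: accepted */
    if (store_key_checked(&ks, oversized, sizeof oversized) != 0)
        rejected++;                                   /* too long: rejected */
    if (store_key_checked(&ks, oversized, 0) != 0)
        rejected++;                                   /* empty: rejected */
    if (ks.keylen != 16)
        return -1;                                    /* rejected input must not alter state */
    return rejected;
}

int main(void)
{
    printf("rejected %d of 3 constructed key messages\n", count_rejected_keys());
    printf("64-byte key: %d, 65-byte key: %d\n",
           checked_store_result(64), checked_store_result(65));
    return 0;
}
```

The point of the checked version is not only the comparison against MAX_KEY_LEN but where it sits: before the copy and before any field is updated, so a malformed pre-authentication message leaves nothing behind for later code to trip over.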
While the bug itself has been around for quite some time, it is interesting—nearly amusing—to see that sites still have telnetd servers running. The updates imply that these hosts are both accessible by untrusted users (or no update would be needed) and are regularly accessed via telnet. There are few, if any, Linux distributions that enable telnetd by default, so administrators or device makers are knowingly enabling it. While sshd most certainly has had its share of bugs, and will likely have more down the road, one would guess that security researchers pay a lot more attention to sshd than they do to telnetd. Not so for attackers, evidently.
Part of the reason that telnetd may still be hanging around is that Windows doesn't ship an SSH client, but does ship telnet. That may encourage device makers to enable telnet so that Windows users can access the device without installing any software. In addition, the comment thread on our posting of the FreeBSD message contained several reports that Cisco and Juniper routers are often accessed via telnet. Given that those devices often sit in strategic internet locations, and may well be running a telnetd descended from the vulnerable code, it could lead to some fairly serious consequences. One hopes that Cisco, Juniper, and others are paying attention.
Brief items
Security quote of the week
But this problem is peanuts compared to what has just appeared. In the debate around the American Stop Online Piracy Act, American legislators have demonstrated a clear capability and willingness to interfere with the technical operations of American products, when doing so furthers American political interests regardless of the policy situation in the customer's country. Actually, it's even worse: American legislators have demonstrated a willingness to do this just because of the different laws in the customer's country, outside of the United States.
28C3: New attacks on GSM mobiles and security measures shown (The H)
The H reports from the Chaos Communication Congress; the open-source Osmocom package appears to be serving its intended purpose and finding vulnerabilities in the cellphone network. "The researchers explained and then demonstrated how, using the above technique and easily procurable tools, attackers are able to emulate a mobile phone to make phone calls and send text messages. They noted that some users have already received bills totalling thousands of euros for calls and texts to Caribbean premium rate services. In many cases, an attacker can, by simulating a GSM mobile, also query that subscriber's mailbox providing they know the subscriber's location and the key has not been changed."
Merry Christmas from FreeBSD
The FreeBSD security team has sent out a holiday card of sorts to its users. "No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories." The motivating factor appears to be this vulnerability in telnetd; anybody who exposes a telnet port to the net on FreeBSD is currently open to a remote root exploit. The number of LWN readers doing so must be tiny (if, indeed, it's nonzero), but it seems worthwhile to get the word out there anyway.
The Linux kernel's memory allocators from an exploitation perspective
"Argp" has posted a lengthy look at the kernel's memory allocators and how they can be exploited to attack the system. "The attack vector of corrupting adjacent objects on the same slab is fully applicable to SLUB and largely works like in the case of the SLAB allocator. However, in the case of SLUB there is an added attack vector: exploiting the allocator’s metadata (the ones responsible for finding the next free object on the slab). As twiz and sgrakkyu have demonstrated in their book on kernel exploitation, the slab can be misaligned by corrupting the least significant byte of the metadata of a free object that hold the pointer to the next free object. This misalignment of the slab allows us to create an in-slab fake object and by doing so to a) satisfy safeguard checks as the one I explained in the previous paragraph when they are used, and b) to hijack the kernel’s execution flow to our own code."
New vulnerabilities
cacti: multiple vulnerabilities
| Package(s): | cacti |
| CVE #(s): | |
| Created: | December 23, 2011 |
| Updated: | January 4, 2012 |
| Description: | Cacti 0.8.7i fixes multiple security vulnerabilities. See the release notes for details. |
| Alerts: | |
ffmpeg: multiple code-execution vulnerabilities
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2011-4351 CVE-2011-4353 CVE-2011-4364 CVE-2011-4579 |
| Created: | January 4, 2012 |
| Updated: | August 30, 2012 |
| Description: | Multiple vulnerabilities have been found in the ffmpeg audio application. |
| Alerts: | |
ghostscript: code execution
| Package(s): | ghostscript |
| CVE #(s): | CVE-2009-3743 |
| Created: | January 4, 2012 |
| Updated: | February 6, 2012 |
| Description: | From the CVE entry: Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that triggers an integer overflow and a heap-based buffer overflow. |
| Alerts: | |
ghostscript: denial of service
| Package(s): | ghostscript |
| CVE #(s): | CVE-2010-4054 |
| Created: | January 4, 2012 |
| Updated: | February 6, 2012 |
| Description: | Specially crafted font data in a compressed data stream can force the ghostscript interpreter to crash; see this patch for details. |
| Alerts: | |
kernel: restriction bypass
| Package(s): | kernel |
| CVE #(s): | CVE-2011-4127 |
| Created: | December 23, 2011 |
| Updated: | March 6, 2012 |
| Description: | From the Red Hat advisory: |
| | * Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug 752375 for further details and a mitigation script for users who cannot apply this update immediately. (CVE-2011-4127, Important) |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | |
| Created: | December 26, 2011 |
| Updated: | January 4, 2012 |
| Description: | Linux kernel 3.1.6 restores the route cache garbage collector. Recent kernels could fill and exhaust their neighbor cache. |
| Alerts: | |
moodle: lots of vulnerabilities
| Package(s): | moodle |
| CVE #(s): | CVE-2011-4581 CVE-2011-4582 CVE-2011-4583 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586 CVE-2011-4587 CVE-2011-4588 CVE-2011-4589 CVE-2011-4590 CVE-2011-4591 CVE-2011-4592 CVE-2011-4593 |
| Created: | December 22, 2011 |
| Updated: | January 4, 2012 |
| Description: | The moodle 2.1.3, 2.0.6, and 1.9.15 releases fix a large number of information leak, code injection, and other vulnerabilities; see the 2.1.3 release notes for details. |
| Alerts: | |
mozilla: multiple vulnerabilities
| Package(s): | mozilla, firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2011-3658 CVE-2011-3660 CVE-2011-3661 CVE-2011-3663 CVE-2011-3665 |
| Created: | December 26, 2011 |
| Updated: | March 23, 2012 |
| Description: | From the Mandriva advisory: |
| | The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements (CVE-2011-3658). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors (CVE-2011-3660). YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript (CVE-2011-3661). Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page by using SVG animation accessKey events within that web page (CVE-2011-3663). Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling (CVE-2011-3665). |
| Alerts: | |
openstack-nova: directory traversal
| Package(s): | openstack-nova |
| CVE #(s): | CVE-2011-4596 |
| Created: | December 23, 2011 |
| Updated: | January 20, 2012 |
| Description: | From the Red Hat bugzilla: |
| | Prevent potential directory traversal with malicious EC2 image tarballs, by making sure the tarfile is safe before unpacking it. Prevent potential directory traversal with malicious file names in EC2 image manifests. |
| Alerts: | |
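The check the entry above alludes to ("making sure the tarfile is safe before unpacking it"), as an added illustration that is not OpenStack code: a member name or manifest file name is accepted only if it cannot resolve to a location outside the extraction directory. The function name, the depth-tracking approach and the sample manifest are constructed for this example.

```c
/*
 * Added illustration (not OpenStack code): a defensive check that a tar
 * member's name, or an image-manifest file name, cannot escape the
 * directory it is unpacked into. is_safe_member_path, count_unsafe_names
 * and the sample names below are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

/*
 * Returns 1 if the path stays inside the extraction directory, 0 otherwise.
 * Rejects empty and absolute paths, and tracks directory depth so that
 * "a/../../b" is caught even though it does not begin with "..".
 */
int is_safe_member_path(const char *path)
{
    int depth = 0;
    const char *p = path;

    if (path == NULL || *path == '\0' || *path == '/')
        return 0;

    for (;;) {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);

        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;               /* climbed above the extraction root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;                    /* "." and empty components ("a//b") do not count */
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Counts how many names in a list would be refused. */
int count_unsafe_names(const char *const *names, size_t n)
{
    size_t i;
    int unsafe = 0;

    for (i = 0; i < n; i++)
        if (!is_safe_member_path(names[i]))
            unsafe++;
    return unsafe;
}

/* Constructed sample manifest, not taken from any real image. */
static const char *const sample_manifest[] = {
    "image.part.0",
    "kernel/vmlinuz",
    "../../outside.txt",        /* starts by climbing out of the directory */
    "/tmp/absolute.txt",        /* absolute path */
    "a/../../b",                /* escapes after descending once */
};

/* Runs the check over the sample manifest; returns the number of refused names. */
int count_sample_unsafe(void)
{
    return count_unsafe_names(sample_manifest,
                              sizeof sample_manifest / sizeof sample_manifest[0]);
}

int main(void)
{
    size_t i, n = sizeof sample_manifest / sizeof sample_manifest[0];

    for (i = 0; i < n; i++)
        printf("%-24s %s\n", sample_manifest[i],
               is_safe_member_path(sample_manifest[i]) ? "ok" : "REFUSED");
    printf("%d of %zu names refused\n", count_sample_unsafe(), n);
    return 0;
}
```

A name check alone is not the whole job for a tar archive: symlink and hard-link members carry a second path (the link target) that needs the same treatment, and the check has to run over every member before the first byte is written, not interleaved with extraction.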
php: denial of service
| Package(s): | php |
| CVE #(s): | CVE-2011-4885 |
| Created: | December 30, 2011 |
| Updated: | April 13, 2012 |
| Description: | From the Mandriva advisory: |
| | PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
| Alerts: | |
phpmyadmin: cross-site scripting
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2011-4780 CVE-2011-4782 |
| Created: | January 2, 2012 |
| Updated: | January 4, 2012 |
| Description: | From the Red Hat bugzilla: |
| | Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections. (CVE-2011-4780) |
| | From the Red Hat bugzilla: Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter. (CVE-2011-4782) |
| Alerts: | |
t1lib: code execution
| Package(s): | t1lib |
| CVE #(s): | CVE-2011-0764 |
| Created: | December 22, 2011 |
| Updated: | January 30, 2012 |
| Description: | The t1lib package has a code execution vulnerability exploitable via a malicious font file. |
| Alerts: | |
telnetd: code execution with root privileges
| Package(s): | telnetd krb5 krb5-appl heimdal |
| CVE #(s): | CVE-2011-4862 |
| Created: | December 26, 2011 |
| Updated: | February 23, 2012 |
| Description: | From the Debian advisory: |
| | It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges. |
| Alerts: | |
unbound: denial of service
| Package(s): | unbound |
| CVE #(s): | CVE-2011-4528 CVE-2011-4869 |
| Created: | December 23, 2011 |
| Updated: | December 1, 2013 |
| Description: | From the Debian advisory: |
| | It was discovered that Unbound, a recursive DNS resolver, would crash when processing certain malformed DNS responses from authoritative DNS servers, leading to denial of service. CVE-2011-4528: Unbound attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone. CVE-2011-4869: Unbound does not properly process malformed responses which lack expected NSEC3 records. |
| Alerts: | |
Page editor: Jake Edge