Security
Security processes and the X.org flaw
A recent X.org security flaw (CVE-2012-0064) was, by many measures, handled well by everyone involved: the discloser, the X.org developers, and the various distribution security response teams. In fact, the issue was fixed in less than a day by most of the affected distributions, which helps demonstrate the progress that the open source community has made in terms of security processes and practices.
On January 19th, Gu1 (a member of the Consortium of Pwners computer security war gaming group) published details of a flaw he happened to come across in the latest X.org release. By pressing a particular combination of keys while sitting locally at any machine running X.org 1.11 or greater (and a subset of release candidates), he found that he could terminate any application currently holding a grab on the input devices, which is exactly what screen lockers and screensavers do. This meant that he, or anyone else with knowledge of that particular "code", could gain local access to machines for which they did not have appropriate credentials. Some readers may be tempted to jump to the conclusion that such a simple "code" is a sign of a maliciously placed back-door, but the actual explanation is far more mundane. This particular key combination simply happens to be a debugging feature, with known and documented security implications, that had previously been disabled by default.
Fortunately X.org 1.11 is currently so new that it hasn't yet shipped in most distributions. Of the most common GNU/Linux distributions, the only stable release affected was Fedora 16. Also affected were Debian testing and unstable as well as Arch, all of which are either rolling or experimental releases. All Ubuntu, RedHat (including CentOS, of course), and openSUSE releases were not affected. So, first of all, there isn't much for most users to worry about with respect to this particular problem. However, the events leading up to and following publication of the flaw paint an interesting picture. In one sense, this flaw was handled well by the security teams of the affected distributions, but that doesn't mean there isn't room for improvement.
Note that a comprehensive discussion on the technical details of the flaw itself will not be included here. Peter Hutterer has already written an excellent blog entry on the matter, and readers are encouraged to visit his site for more information. Succinctly, the screen grab debugging key-press combinations have now been removed from the default XKB keymap configuration files. It is still possible to re-enable them, but that requires a determined user that presumably knows what they are doing.
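As an added example (not code from the article, from X.org, or from the xkeyboard-config project), the following POSIX shell check answers the question a practitioner is left with after the fix: does the keymap my X server is actually using still bind the grab-breaking keysyms? It inspects the text that `xkbcomp -xkb "$DISPLAY" -` prints for a running server; the two keymap fragments embedded below are constructed stand-ins for that output so the check runs offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article, X.org or xkeyboard-config): check
# whether the grab-breaking debug actions are bound in a compiled XKB keymap.
#
# XF86_Ungrab and XF86_ClearGrab are the keysyms that Ctrl+Alt+KP_Divide and
# Ctrl+Alt+KP_Multiply resolve to when the grab:break_actions option is in
# effect. A keymap that binds either of them lets a local user break or kill
# the grab held by a screen locker.

# grab_break_status reads an xkbcomp keymap dump on stdin and prints
# "vulnerable" if either grab-breaking keysym is bound, "safe" otherwise.
# Live use:  xkbcomp -xkb "$DISPLAY" - 2>/dev/null | grab_break_status
grab_break_status() {
    if grep -Eq 'XF86_(Ungrab|ClearGrab)'; then
        echo vulnerable
    else
        echo safe
    fi
}

# Constructed fragments in the shape xkbcomp prints for the keypad divide
# (KPDV) and multiply (KPMU) keys. The first is what a default keymap looked
# like before the xkeyboard-config fix; the second is the shape afterwards,
# where the keys carry only their ordinary symbols.
VULN_KEYMAP='key <KPDV> {
        type= "CTRL+ALT",
        symbols[Group1]= [ KP_Divide, XF86_Ungrab ]
    };
key <KPMU> {
        type= "CTRL+ALT",
        symbols[Group1]= [ KP_Multiply, XF86_ClearGrab ]
    };'

FIXED_KEYMAP='key <KPDV> { [ KP_Divide ] };
key <KPMU> { [ KP_Multiply ] };'

# check_sample runs the check against one of the constructed fragments.
# $1 is "vuln" or "fixed"; the status word is printed on stdout.
check_sample() {
    case "$1" in
        vuln)  printf '%s\n' "$VULN_KEYMAP" | grab_break_status ;;
        fixed) printf '%s\n' "$FIXED_KEYMAP" | grab_break_status ;;
        *)     echo "usage: check_sample vuln|fixed" >&2; return 2 ;;
    esac
}
```

On a live session, `xkbcomp -xkb "$DISPLAY" - | grab_break_status` reports what the server is really using, which matters because a locally configured `setxkbmap -option grab:break_actions` deliberately re-enables the debug bindings even on a fixed xkeyboard-config (`setxkbmap -option ''` clears the options again). The check only inspects the keymap, which is what the fix changed; the server-side code that honours these actions remains in X.org 1.11 and later, which is exactly why a stray option or an old keymap is enough to reopen the hole.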
Timeline of the flaw
In the beginning (1984), X was written. At some point, developers recognized a need to be able to debug applications that grab the input devices, so they wrote some code to be able to break such grabs. A grab (in X.org speak) is a client's exclusive claim on the keyboard or pointer: while it is held, key and mouse events are delivered only to the grabbing client and never reach the windows underneath, which is how a screen locker keeps keystrokes away from the desktop beneath it. The grab breaks were assigned to the Control+Alt+KeypadMultiply and Control+Alt+KeypadDivide key-press combinations. At the time, the X developers recognized the security implications and made it a non-default option. They even documented the problem to make it very clear to users.
Many years passed...
In 2008, there was a great purge of xf86misc (a code clean-up effort that removed various unused X code that had accumulated over many years), which, along with many other things, excised those particular debugging options (Daniel Stone's commits). Recently, Daniel has been working on multi-pointer X. In that process, he encountered quite a few situations where grab debugging would be helpful. So, he dusted off that code and pushed for its re-inclusion. In June of 2011, Peter Hutterer reviewed and applied that patch.
However, lost in translation/communication (and to the passage of time) was the fact that the code did indeed have security implications. That fact was not picked up on until around January 5th, on a day when Gu1 found himself rather bored. On that day, he had decided to read some older X.org documentation, and in particular, he came across "AllowClosedownGrabs", which documented the Control-Alt-KeypadMultiply key combination. He decided to try it with the latest X.org expecting nothing, but to his surprise it worked. So, part of the problem was that the documentation that warned about the security considerations of the code was not brought back along with it. It still doesn't look like that documentation has returned yet, but an important takeaway is that both code and documentation should be brought back when a feature returns, and that the discussion in that documentation should be taken into consideration when doing so. One solution could be to remove the documentation in the same commit that removes the code. That way, if the commit is ever reverted, the documentation automatically comes back as well.
Not content with only finding the issue, Gu1 took the time to write a rather detailed blog entry, and published it two weeks later on January 19th. He even went so far as to research, bisect, and identify the commit introducing the problem. This is an example of a well-written disclosure. It made it possible for security teams to take rapid action to close the issue. In an email interview with Gu1, he stated that his motivation to do this was not out of selflessness. He was more interested in obtaining a discount to the Hackito Ergo Sum 2012 conference. The discount is provided to those attendees that have disclosed CVE issues. It may be interesting to think more about providing these kinds of simple incentives in the future to reduce the number of issues that are currently being sat on by those without motivation to disclose.
Note that one could argue that Gu1's decision to fully disclose the issue with no advance notice to those involved was less than ideal. The delayed disclosure (often framed as "responsible disclosure") camp believes that vendors need some time to be able to do appropriate analysis and testing of fixes, and thus disclosers should give those vendors some time (though how much time is often a question). This issue demonstrates a case where that preparation time didn't matter. The issue was fully disclosed and hours later security teams had the problem solved. That is because Gu1's research was comprehensive enough to be able to isolate and fix the problem right away. This kind of detailed analysis should be sought as the norm. Whether that analysis is shared with the vendor or project before being made public typically depends on which camp (full or responsible disclosure) the researcher is in.
In terms of affected releases, the patch went upstream in June 2011 and was included in X.org server 1.11. Shortly thereafter, distribution development branches started picking that release up: Debian unstable got it in August, Debian testing got it in September, and the Fedora 16 stable release got it in November. A final timeline of the issue demonstrates how impressively quickly the issue was resolved after disclosure by those distributions affected by it:
| Date/Time (UTC) | Event |
| 01/05/2012 | Gu1 discovers issue |
| 01/19/2012 00:03 | Gu1 discloses issue on blog and oss-security |
| 01/19/2012 05:49 | workaround posted |
| 01/19/2012 10:19 | X.org fixed in Debian unstable |
| 01/19/2012 22:01 | X.org fixed in Fedora 16 |
| 01/19/2012 23:48 | X.org upstream fixed (actually in XKB) |
| 01/22/2012 16:39 | X.org fixed in Debian testing (delay due to testing's 2-day minimum migration policy) |
For the set of distributions actually affected by this issue, their security teams reacted with admirable speed. The table below lists the time it took to release a fix after Gu1's disclosure. Note that the "underground potential" entry is the length of time that the underground side of the computer security community may have been able to exploit the problem. That said, there is no way of ever knowing if or when it was actually discovered before the disclosure. We do know at least that Gu1 knew about the issue two weeks prior to publishing it.
| Distribution | Vulnerability window | Underground potential |
| Debian unstable | ~10 hours | ~5 months |
| Fedora 16 | ~22 hours | ~2 months |
| X.org upstream (XKB) | ~23 hours | ~6 months |
| Debian testing | ~64 hours | ~4 months |
Conclusions
This particular case raises some questions about the prevailing wisdom that it's always best to be running the latest and greatest software releases. Note that each new release involves some kind of code modification with varying levels of risk. Interestingly, it turns out that in this case users were safer if they chose slower-moving releases. As seen above, the fast-moving Debian unstable release had a roughly 5-month potential for underground abuse, whereas Debian testing, which moves a bit slower, had a smaller 4-month potential. Fedora 16 was caught by this, whereas Ubuntu wasn't, since it played it a bit safer and stuck with X.org 1.10 for the 11.10 release. Distributions have to make their choices about which new releases to include based on their interest in delivering "bleeding edge" packages to their users. Sometimes that means that undiscovered security bugs come along for the ride.
By all measures Daniel and Peter have an extensive background working on X.org. Daniel has been working on various aspects (including DRM/KMS drivers, gstreamer, and kernel input drivers) for 9 years and Peter for 6 years as well (he is the input subsystem maintainer and has worked on libXi). Even with this extensive experience, X.org is such a complex system that there is always the potential for mistakes. We're all human after all. Daniel had this to say:
I've got a lot of time for the school of thought that argues that as complex systems are inherently less secure than simple ones, the best thing to do is to build less complex software. Understanding the flow of events between X and its myriad clients, and the effects even a simple change will have, is really not an easy thing to do. I find the setuid vs. capabilities issue that's been cropping up recently a pretty entertaining example of the law of unintended consequences.
One could argue that Wayland is the simplification needed to eliminate the complexities of X, and it's good that most distributions are now on a long-term path toward that goal. But even so, Wayland is not necessarily going to be the magic bullet that some have argued. It too will have its share of complexity, and there is always the possibility of writing flaws into the new code, which will only be discovered given time, interest, and motivation. Computer security is always a matter of vigilance.
[ The author would like to thank Daniel Stone, Peter Hutterer, and Gu1 for taking the time to answer interview questions for this article. ]
Brief items
Security quotes of the week
X.org screensaver bypass found
A debugging feature introduced into the X.org server 1.11 can be used by someone with physical access to the system to bypass the screensaver. First reported by "Gu1" on their blog and on the oss-security mailing list. The key sequence Ctrl-Alt-KeypadMultiply will bypass any screensaver. A workaround has been posted, but one would expect an update from X.org before long.
Linux Local Privilege Escalation via SUID /proc/pid/mem Write (zx2c4)
The "zx2c4" weblog has a detailed writeup of a local root vulnerability in /proc introduced in 2.6.39 and just fixed on January 17. "In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels >=2.6.39 are vulnerable, up until the fix commit for it a couple days ago. Let’s take the old kernel code step by step and learn what’s the matter with it." As of this writing, distributors do not yet appear to have begun shipping updates for this vulnerability.
New vulnerabilities
bip: code execution
| Package(s): | bip | CVE #(s): | CVE-2012-0806 |
| Created: | January 25, 2012 | Updated: | April 9, 2013 |
| Description: | The bip IRC proxy contains a buffer overflow that may be exploitable for code execution by a remote attacker. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla | CVE #(s): | CVE-2011-3657 CVE-2011-3667 CVE-2011-3668 CVE-2011-3669 |
| Created: | January 19, 2012 | Updated: | January 25, 2012 |
| Description: | From the Red Hat bugzilla entry:
CVE-2011-3657: Tabular and graphical reports, as well as new charts, have a debug mode which displays raw data as plain text. This text is not correctly escaped and a crafted URL could use this vulnerability to inject code leading to XSS.
CVE-2011-3667: The User.offer_account_by_email WebService method ignores the user_can_create_account setting of the authentication method and generates an email with a token in it which the user can use to create an account. Depending on the authentication method being active, this could allow the user to log in using this account. Installations where the createemailregexp parameter is empty are not vulnerable to this issue.
CVE-2011-3668, CVE-2011-3669: The creation of bug reports and of attachments is not protected by a token and so they can be created without the consent of a user if the relevant code is embedded in an HTML page and the user visits this page. This behavior was intentional to let third-party applications submit new bug reports and attachments easily. But as this behavior can be abused by a malicious user, it has been decided to block submissions with no valid token starting from version 4.2rc1. |
dhcp: denial of service
| Package(s): | dhcp | CVE #(s): | CVE-2011-4868 |
| Created: | January 23, 2012 | Updated: | January 25, 2012 |
| Description: | From the CVE entry: The logging functionality in dhcpd in ISC DHCP before 4.2.3-P2, when using Dynamic DNS (DDNS) and issuing IPv6 addresses, does not properly handle the DHCPv6 lease structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets related to a lease-status update. |
emacs: privilege escalation
| Package(s): | emacs | CVE #(s): | CVE-2012-0035 |
| Created: | January 24, 2012 | Updated: | January 27, 2014 |
| Description: | From the CVE entry: Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file. |
glibc: denial of service
| Package(s): | glibc | CVE #(s): | CVE-2011-4609 |
| Created: | January 25, 2012 | Updated: | January 25, 2012 |
| Description: | The glibc remote procedure call implementation allows remote attackers to open large numbers of connections, causing the target application to use excessive amounts of CPU time. |
kernel: denial of service
| Package(s): | linux | CVE #(s): | CVE-2012-0044 |
| Created: | January 24, 2012 | Updated: | February 7, 2012 |
| Description: | From the Ubuntu advisory: Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2012-0056 |
| Created: | January 23, 2012 | Updated: | January 30, 2012 |
| Description: | Jüri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem permissions. A local attacker could exploit this and gain root privileges. See the "zx2c4" weblog and this LWN article for additional details. |
krb5: denial of service
| Package(s): | mit-krb5 | CVE #(s): | CVE-2011-0283 CVE-2011-4151 |
| Created: | January 24, 2012 | Updated: | January 25, 2012 |
| Description: | From the CVE entries:
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet. (CVE-2011-0283)
The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528. (CVE-2011-4151) |
logsurfer: arbitrary code execution
| Package(s): | logsurfer | CVE #(s): | CVE-2011-3626 |
| Created: | January 23, 2012 | Updated: | January 25, 2012 |
| Description: | From the Gentoo advisory: Logsurfer log files may contain substrings used for executing external commands. The prepare_exec() function in src/exec.c contains a double-free vulnerability. A remote attacker could inject specially-crafted strings into a log file processed by Logsurfer, resulting in the execution of arbitrary code with the permissions of the Logsurfer user. |
nxserver-freeedition: privilege escalation
| Package(s): | nxserver-freeedition | CVE #(s): | CVE-2011-3977 |
| Created: | January 23, 2012 | Updated: | January 25, 2012 |
| Description: | From the Gentoo advisory: NX Server Free Edition and NX Node use nxconfigure.sh, a setuid script containing an unspecified vulnerability. A local attacker could gain escalated privileges. |
openssl: denial of service
| Package(s): | openssl | CVE #(s): | CVE-2012-0050 |
| Created: | January 23, 2012 | Updated: | February 17, 2012 |
| Description: | From the CVE entry: OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108. |
phpmyadmin: cross-site scripting
| Package(s): | phpmyadmin | CVE #(s): | CVE-2011-1940 |
| Created: | January 23, 2012 | Updated: | January 25, 2012 |
| Description: | From the Debian advisory: Cross site scripting was possible in the table tracking feature, allowing a remote attacker to inject arbitrary web script or HTML. |
qemu-kvm: code execution
| Package(s): | qemu-kvm | CVE #(s): | CVE-2012-0029 |
| Created: | January 24, 2012 | Updated: | August 20, 2012 |
| Description: | From the Ubuntu advisory: Nicolae Mogoreanu discovered that QEMU did not properly verify legacy mode packets in the e1000 network driver. A remote attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. |
rsyslog: denial of service
| Package(s): | rsyslog | CVE #(s): | CVE-2011-4623 |
| Created: | January 24, 2012 | Updated: | July 10, 2012 |
| Description: | From the Ubuntu advisory: Peter Eisentraut discovered that Rsyslog would not properly perform input validation when configured to use imfile. If an attacker were able to craft messages in a file that Rsyslog monitored, an attacker could cause a denial of service. The imfile module is disabled by default in Ubuntu. |
tomcat: denial of service via hash collision
| Package(s): | tomcat | CVE #(s): | CVE-2011-4858 |
| Created: | January 19, 2012 | Updated: | February 2, 2012 |
| Description: | From the Novell CVE entry: Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
torque: impersonation vulnerability
| Package(s): | torque | CVE #(s): | |
| Created: | January 23, 2012 | Updated: | January 25, 2012 |
| Description: | Torque allows one user to impersonate another within a batch system. Fixed in version 3.0.3. |
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2012-0041 CVE-2012-0042 CVE-2012-0043 |
| Created: | January 23, 2012 | Updated: | January 27, 2012 |
| Description: | From the Red Hat bugzilla [1], [2], [3]:
Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats. It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file. This is corrected in upstream 1.4.11 and 1.6.5.
Wireshark was improperly handling NULL pointers when displaying packet information, which could lead to a crash. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. This is corrected in upstream 1.4.11 and 1.6.5.
The RLC dissector could overflow a buffer. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. This is corrected in upstream 1.4.11 and 1.6.5. |
xkeyboard-config: screensaver lock bypass
| Package(s): | xkeyboard-config | CVE #(s): | CVE-2012-0064 |
| Created: | January 20, 2012 | Updated: | January 30, 2012 |
| Description: | From the Red Hat bugzilla: It was found that XKB actions for debugging X.org clients were enabled by default. This could cause a screen locking application such as gnome-screensaver to be killed when those key combinations were triggered. |
Page editor: Jake Edge
