Security
Exploring options for the openSUSE security policy
Partly in response to Linus Torvalds's (in)famous Google+ rant about desktop security—openSUSE in particular—Andreas Jaeger and others have started gathering use cases for the administration of Linux systems. The target is to try to find a balance between security and convenience for openSUSE users. Part of the difficulty is that Linux distributions are installed on a variety of systems with very different security needs, which makes it difficult to choose any particular default security scheme.
A single-user desktop or laptop has very different security needs from those of a shared desktop or server. Torvalds's complaint was specifically about the root password being needed to add a printer to his daughter's laptop, but he was also unhappy with needing privileges to change the time zone and wireless network. For a system where the only user is also the administrator—at least a semi-privileged administrator—it makes sense to allow those kinds of changes without the root password. But on other systems, like shared machines or servers, it almost certainly doesn't make sense for random users to have those powers.
That's where the balancing act comes in. If a distribution is meant to be installed for several different scenarios, there is no One True Way to set the privileges of users. Even for single-user systems there are differences. Torvalds undoubtedly administers his own laptop differently than he wants his daughter's handled. For the former, he may want to allow package installation using his own password, the root password, or possibly no password at all (though one would guess that's not likely). But, for his daughter's system he wants to hold the root password himself, while allowing a limited number of privileged operations to be done by her. While Torvalds is a high-profile user, his complaints are likely similar to those of others.
In order to help determine what the right security configuration is for openSUSE, Jaeger, Marcus Meissner, and Ludwig Nussel put together a list of use cases that describe tasks that users want to do along with a short security evaluation of each. Things like setting the system time, accessing the network, changing firewall settings, adding printers, package installation, and so on, are listed. Jaeger also posted a "call for action" to the opensuse-factory mailing list, asking for feedback and new use case suggestions.
Much of the resulting conversation centered around the "roles and profiles" that were also described on the web page. There is a tension between convenience for single-user machines and the higher security needs of machines in more complicated situations. But, even among those who would like to see less privilege required for some operations on single-user machines, there are differences of opinion on which operations—and what privilege to require. For example, Marguerite Su wants to be able to install software without the root password on a laptop, but others including Bryen M Yunashko are not so sure that's what they want.
There are also different classes of package installation to consider. Installing an update to a package from a "known good" repository is very different from installing a new package, downgrading a package to an earlier version, or adding a repository. The credentials required for each might be different depending on the scenario.
That part of the thread highlights one of the difficulties in finding the right default settings. The distribution will need to have some way to specify which of the profiles (e.g. single-user, administered single-user, multi-user, server, etc.) should govern, say at installation time, but will also need some way for the overall profile to change, while also allowing individual users to tweak the settings based on their needs. It is a more complex problem than it might seem at first.
Suggestions in the thread range from Carlos E. R.'s installation-time dialogs to determine the right profile to Su's idea of PolKit packages for different profiles and use cases to Hans Witvliet's more granular approach with multiple types of administrative roles that could be assigned to a user. Any or all of those could make up some part of a solution, but in a response to Witvliet, Jaeger focused on the question of defaults:
Finding workable defaults that will cover the majority of cases is clearly needed. Finding a set that will avoid rants like Torvalds's, while still giving a reasonable level of security to openSUSE users, is paramount. But there also needs to be a way for those with different needs to adjust the policies appropriately. Pulling all of that together in a way that is easy to understand, use, and tweak, will be an even harder problem. But it's a problem that needs solving and not just for openSUSE; there are opportunities for cross-distribution collaboration here as well.
Brief items
Security quotes of the week
[...]
- .UnicodeString = L"LUFA Keyboard Demo"
+ .UnicodeString = L"Keyboard (%n%n%n%n)"
In fact, it was so [successful] that after I got the code right and programmed it, Xorg immediately crashed on my development machine. :)
Go censor the file, Kyle.
Now spy on the mail, Dale.
And you're on your way
Do a bandwidth cap, Jack.
Takedowns in mass, Ash.
Steal the crypto key, Lee.
And watch the geeks flee.
Security vulnerability in sudo's netmask function patched (The H)
The H reports on a vulnerability in sudo when it is configured for IP-based restrictions on users (typically only for centrally managed sudoers files). "When the developers added IPv6 support, they inadvertently made the matching routine used for IPv4 networks call the IPv6 matching routines when no IPv4 match was found. Because the IPv6 fields would be uninitialised, it was possible for the system to think it had found a match where there wasn't one. Finding a match would, in turn, mean permission would be granted for whatever command the rule was controlling, even when the system was on a different network."
The problem with nerd politics (The Guardian)
Over at the Guardian, Cory Doctorow writes about two problems that govern the relationship between politics and technically oriented folks ("nerds" in Doctorow-speak): "nerd determinism" and "nerd fatalism". "But, while it's true that geeks can get around this sort of thing – and other bad network policies, such as network-level censorship, or vendor locks on our tablets, phones, consoles, and computers – this isn't enough to protect us, let alone the world. It doesn't matter how good your email provider is, or how secure your messages are, if 95% of the people you correspond with use a free webmail service with a lawful interception backdoor, and if none of those people can figure out how to use crypto, then nearly all your email will be within reach of spooks and control-freaks and cops on fishing expeditions."
A Tale of Two Pwnies (Part 1)
For those interested in complex exploits: the Chromium Blog describes how a sequence of six independent bugs was exploited to execute code within the Chromium browser. "Even though Chrome’s renderers execute inside a stricter sandbox than the GPU process, there is a special class of renderers that have IPC interfaces with elevated permissions. These renderers are not supposed to be navigable by web content, and are used for things like extensions and settings pages. However, Pinkie found another bug (117417) that allowed an unprivileged renderer to trigger a navigation to one of these privileged renderers, and used it to launch the extension manager. So, all he had to do was jump on the extension manager’s IPC channel before it had a chance to connect."
New vulnerabilities
android-tools: udev rules set insecure permissions
Package(s): android-tools
CVE #(s): (none listed)
Created: May 21, 2012
Updated: December 4, 2012
Description: From the Red Hat bugzilla:
The udev rules file packaged with android-tools consists of rules like this:
SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"
IOW for *any* device with the given vendor ID, its associated device nodes will be world-writable. Although it follows the upstream guidelines at http://developer.android.com/guide/developing/device.html, this is obviously insecure and contradicts the common practice of using ACL to grant access to the current console user via TAG+="uaccess".
backuppc: cross-site scripting
Package(s): backuppc
CVE #(s): CVE-2011-5081
Created: May 18, 2012
Updated: January 7, 2013
Description: From the Ubuntu advisory: It was discovered that BackupPC did not properly sanitize its input when processing RestoreFile error messages, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
chromium: multiple vulnerabilities
Package(s): chromium
CVE #(s): CVE-2011-3083 CVE-2011-3084 CVE-2011-3085 CVE-2011-3086 CVE-2011-3087 CVE-2011-3088 CVE-2011-3089 CVE-2011-3090 CVE-2011-3091 CVE-2011-3092 CVE-2011-3093 CVE-2011-3094 CVE-2011-3095 CVE-2011-3096 CVE-2011-3100 CVE-2011-3101
Created: May 21, 2012
Updated: November 7, 2012
Description: From the CVE entries:
browser/profiles/profile_impl_io_data.cc in Google Chrome before 19.0.1084.46 does not properly handle a malformed ftp URL in the SRC attribute of a VIDEO element, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted web page. (CVE-2011-3083)
Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page. (CVE-2011-3084)
The Autofill feature in Google Chrome before 19.0.1084.46 does not properly restrict field values, which allows remote attackers to cause a denial of service (UI corruption) and possibly conduct spoofing attacks via vectors involving long values. (CVE-2011-3085)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a STYLE element. (CVE-2011-3086)
Google Chrome before 19.0.1084.46 does not properly perform window navigation, which has unspecified impact and remote attack vectors. (CVE-2011-3087)
Google Chrome before 19.0.1084.46 does not properly draw hairlines, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3088)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving tables. (CVE-2011-3089)
Race condition in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker processes. (CVE-2011-3090)
Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3091)
The regex implementation in Google V8, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (invalid write operation) or possibly have unspecified other impact via unknown vectors. (CVE-2011-3092)
Google Chrome before 19.0.1084.46 does not properly handle glyphs, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3093)
Google Chrome before 19.0.1084.46 does not properly handle Tibetan text, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3094)
The OGG container in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write. (CVE-2011-3095)
Use-after-free vulnerability in Google Chrome before 19.0.1084.46 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an error in the GTK implementation of the omnibox. (CVE-2011-3096)
Google Chrome before 19.0.1084.46 does not properly draw dash paths, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3100)
Google Chrome before 19.0.1084.46 on Linux does not properly mitigate an unspecified flaw in an NVIDIA driver, which has unknown impact and attack vectors. (CVE-2011-3101)
feedparser: denial of service
Package(s): feedparser
CVE #(s): CVE-2012-2921
Created: May 23, 2012
Updated: April 10, 2013
Description: From the CVE entry:
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
ikiwiki: cross-site scripting
Package(s): ikiwiki
CVE #(s): CVE-2012-0220
Created: May 17, 2012
Updated: May 29, 2012
Description: From the Debian advisory: Raúl Benencia discovered that ikiwiki, a wiki compiler, does not properly escape the author (and its URL) of certain metadata, such as comments. This might be used to conduct cross-site scripting attacks.
libxml2: code execution
Package(s): libxml2
CVE #(s): CVE-2011-3102
Created: May 22, 2012
Updated: March 1, 2013
Description: From the Ubuntu advisory:
Juri Aedla discovered that libxml2 contained an off by one error in its XPointer functionality. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program.
openoffice.org: code execution
Package(s): openoffice.org
CVE #(s): CVE-2012-1149
Created: May 17, 2012
Updated: June 14, 2012
Description: From the Debian advisory: Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution.
perl-Config-IniFiles: insecure temporary files
Package(s): perl-Config-IniFiles
CVE #(s): CVE-2012-2451
Created: May 22, 2012
Updated: August 21, 2012
Description: From the Red Hat bugzilla:
perl-Config-IniFiles used a predictable temporary file name ($(unknown)-new) which makes it prone to a symlink attack. If a malicious user were to create a symlink pointing to another file writable by the user running an application that used perl-Config-IniFiles, they could overwrite the contents of that file.
pidgin-otr: code execution
Package(s): pidgin-otr
CVE #(s): CVE-2012-2369
Created: May 18, 2012
Updated: July 10, 2012
Description: From the Red Hat bugzilla entry: Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine.
rubygem-mail: arbitrary command execution
Package(s): rubygem-mail
CVE #(s): CVE-2012-2139 CVE-2012-2140
Created: May 21, 2012
Updated: May 23, 2012
Description: From the Red Hat bugzilla:
Two flaws were corrected in rubygem-mail version 2.4.4: a file system traversal in the file_delivery method, and arbitrary command execution when using exim or sendmail from the command line.
sympa: authorization bypass
Package(s): sympa
CVE #(s): CVE-2012-2352
Created: May 21, 2012
Updated: July 12, 2012
Description: From the Debian advisory:
Several vulnerabilities have been discovered in Sympa, a mailing list manager, that allow the scenario-based authorization mechanisms to be skipped. These vulnerabilities allow unauthorized users to display the archives management page, and to download and delete the list archives.
sudo: privilege escalation
Package(s): sudo
CVE #(s): CVE-2012-2337
Created: May 17, 2012
Updated: July 17, 2012
Description: From the Ubuntu advisory: It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access restrictions. Host and Host_List are not used in the default installation of Ubuntu.
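The netmask defect described in The H's report above and in this sudo entry is a family mix-up: an IPv4 compare that fails falls into the IPv6 compare, which then looks at union fields that were never set. As an added illustration (not sudo's own code), here is a small dual-stack Host_List matcher in C that parses "network/prefixlen" specs, zeroes the address union before use, and refuses to compare across address families, so the IPv6 path can never see an IPv4 entry; `host_matches`, `prefix_mask` and `parse_addr` are names assumed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* One parsed address, in the same union layout sudo uses for its interface
 * list. parse_addr zeroes it first so no byte is ever left uninitialised. */
typedef union { struct in_addr ip4; struct in6_addr ip6; } addr_un;

static int parse_addr(const char *text, addr_un *out) {
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, &out->ip4) == 1) return AF_INET;
    if (inet_pton(AF_INET6, text, &out->ip6) == 1) return AF_INET6;
    return AF_UNSPEC;
}

/* Fill the first `len` bytes of m with a prefix mask of `bits` one-bits. */
void prefix_mask(unsigned char *m, size_t len, int bits) {
    memset(m, 0, len);
    for (size_t i = 0; i < len && bits > 0; i++, bits -= 8)
        m[i] = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));
}

/* Does interface address `ifaddr` fall inside the sudoers host spec `spec`
 * ("network/prefixlen")? Only same-family entries are ever compared, so the
 * masked byte loop below can never run an IPv4 network against IPv6 bytes,
 * which is the fall-through The H describes. */
bool host_matches(const char *spec, const char *ifaddr) {
    char net_text[INET6_ADDRSTRLEN];
    const char *slash = strchr(spec, '/');
    if (slash == NULL || (size_t)(slash - spec) >= sizeof net_text) return false;
    memcpy(net_text, spec, (size_t)(slash - spec));
    net_text[slash - spec] = '\0';
    char *end;
    long bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0') return false;   /* bad prefix length */
    addr_un net, ifa;
    int net_family = parse_addr(net_text, &net);
    int if_family = parse_addr(ifaddr, &ifa);
    if (net_family == AF_UNSPEC || if_family == AF_UNSPEC) return false;
    if (net_family != if_family) return false;            /* the family check */
    size_t len = net_family == AF_INET ? 4 : 16;
    if (bits < 0 || bits > (long)(len * 8)) return false;
    unsigned char mask[16];
    prefix_mask(mask, len, (int)bits);
    const unsigned char *a = (const unsigned char *)&net;
    const unsigned char *b = (const unsigned char *)&ifa;
    for (size_t i = 0; i < len; i++)
        if ((a[i] & mask[i]) != (b[i] & mask[i])) return false;
    return true;
}
```

With a constructed rule of 192.168.1.0/24, an interface at 192.168.1.57 matches, 10.0.0.5 does not, and an IPv6 interface is rejected before any byte comparison takes place.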
update-manager: multiple vulnerabilities
Package(s): update-manager
CVE #(s): CVE-2012-0948 CVE-2012-0949
Created: May 18, 2012
Updated: June 4, 2012
Description: From the Ubuntu advisory: It was discovered that Update Manager created system state archive files with incorrect permissions when upgrading releases. A local user could possibly use this to read repository credentials. (CVE-2012-0948) Felix Geyer discovered that the Update Manager Apport hook incorrectly uploaded certain system state archive files to Launchpad when reporting bugs. This could possibly result in repository credentials being included in public bug reports. (CVE-2012-0949)
wireshark: denial of service
Package(s): wireshark
CVE #(s): (none listed)
Created: May 23, 2012
Updated: May 23, 2012
Description: From the Mandriva advisory:
It may be possible to make Wireshark hang for long or indefinite periods by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Wireshark version 1.6.8 fixes these issues.
Page editor: Jake Edge