Security
Responsible disclosure in open source: The crypt() vulnerability
At the end of May, five separate open source projects released patches to close the same security hole in their software. This coordinated release and vulnerability handling is a demonstration that "responsible disclosure" can work, especially in open source.
Responsible disclosure is the practice of security researchers discovering a vulnerability and contacting the software vendor to give them a reasonable time to fix it before the vulnerability is published. It contrasts with the policy of "full disclosure" in which security people publish the full details of any vulnerability immediately, in order to get information to the public as quickly as possible. Mostly, these two terms have shown up in the media as part of controversies, or even legal battles, which pit security researchers against software companies and each other.
While the inflammatory confrontations gain most of the news headlines, it doesn't have to be that way. In fact, among open source projects, it isn't that way most of the time. The recent multi-product Crypt-DES vulnerability patch shows that responsible disclosure can and does work well in the open source world.
The Crypt-DES vulnerability
Rubin Xu and Joseph Bonneau at Cambridge University had been investigating how non-ASCII passwords were handled by various systems for more than a year. Bonneau started on this research because of the massive Gawker security breach in 2010. In the course of investigating that, his team uncovered several issues with non-ASCII passwords in commonly used software. While the one at Gawker was quickly addressed — to some degree — he and Xu began a research project on the insecurities introduced by applying algorithms designed for ASCII to Unicode text.
The version of crypt() using the DES algorithm (hereafter crypt-DES) is a simple irreversible hash designed to prevent storing passwords in plain text. Introduced in old Unix days, it had the advantages of easy implementation, portability between systems and programming languages, and computational speed, and it was hard enough to crack that dictionary attacks and social engineering were generally easier ways to grab passwords. Given the age and limited computational "strength" of crypt-DES, however, this is no longer true; brute-force computation of crypt() passwords is easily done. Programmers are encouraged to use more modern hashing and encryption algorithms, such as SHA1 and Blowfish. The "extended" DES version was introduced in BSDi in the early 1990s, improving the algorithm to have a larger "salt", more rounds of encryption, and also to support passwords longer than eight characters by "folding" them down to eight 7-bit characters using a first round of DES hashing.
The last improvement is the problem which causes the crypt() vulnerability. Crypt-DES was designed for ASCII characters, and programmers who upgraded systems to support Unicode didn't really check to see how crypt-DES would work with Unicode passwords, since by that point crypt-DES was no longer mainstream. As it turns out, the folding is broken; the algorithm regards characters containing the byte 0x80 as a "stop" character and disregards any parts of the password after that byte. In many Unicode encodings, characters — such as the common character À — can contain a 0x80 byte, causing all characters after that one to be disregarded. This means if your password was Àlbanez60, then crypt-DES would match it with any password beginning with À.
This is also a good illustration of how security is a process and not an end result. Crypt-DES was an adequately secure password hashing approach well into the mid 1990's, which is why people stopped testing it. It was the introduction of popular Unicode-compliant versions of programming languages and databases which has made it less secure than anyone realized.
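The 0x80 truncation described in this section, as an added example (not code from the article or from any of the affected projects): a simplified model of the step that packs the first eight password bytes into a DES key, before and after the fix. It assumes the stop test is applied to each byte after its one-bit left shift, which is where 0x80 becomes zero; the function names are hypothetical, the sample passwords are constructed, and the folding of longer passwords in extended DES is not modelled.

```c
#include <stdio.h>
#include <string.h>

#define DES_KEY_LEN 8

/* Pre-patch behaviour (simplified model): the loop decides whether to advance
 * by looking at the byte AFTER the shift. 0x80 << 1 truncates to 0x00 in an
 * unsigned char, so 0x80 looks like the terminating NUL and the pointer
 * stalls there; every remaining key byte becomes zero. */
void key_setup_buggy(const char *pw, unsigned char out[DES_KEY_LEN])
{
    const unsigned char *key = (const unsigned char *)pw;
    for (int i = 0; i < DES_KEY_LEN; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (out[i] != 0)
            key++;
    }
}

/* Patched behaviour: test the original byte, so only a real NUL stops input. */
void key_setup_fixed(const char *pw, unsigned char out[DES_KEY_LEN])
{
    const unsigned char *key = (const unsigned char *)pw;
    for (int i = 0; i < DES_KEY_LEN; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (*key != 0)
            key++;
    }
}

/* Returns 1 if both passwords yield the same DES key under the given setup. */
int same_key(void (*setup)(const char *, unsigned char *),
             const char *a, const char *b)
{
    unsigned char ka[DES_KEY_LEN], kb[DES_KEY_LEN];
    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, DES_KEY_LEN) == 0;
}

/* Returns 1 if the key (and so the stored hash) for this password changes
 * once the fix is applied, meaning the hash has to be regenerated. */
int patch_changes_key(const char *pw)
{
    unsigned char b[DES_KEY_LEN], f[DES_KEY_LEN];
    key_setup_buggy(pw, b);
    key_setup_fixed(pw, f);
    return memcmp(b, f, DES_KEY_LEN) != 0;
}

int main(void)
{
    /* Constructed samples; "\xC3\x80" is the UTF-8 encoding of À. */
    const char *stored = "\xC3\x80" "lbanez60";
    const char *other  = "\xC3\x80" "wrong";
    printf("pre-patch:  other password yields stored key: %d\n",
           same_key(key_setup_buggy, stored, other));
    printf("post-patch: other password yields stored key: %d\n",
           same_key(key_setup_fixed, stored, other));
    printf("hash must be regenerated after patching: %d\n",
           patch_changes_key(stored));
    return 0;
}
```

A password that is pure ASCII produces the same key under both versions, which is why only hashes of passwords containing the 0x80 byte need regenerating after the update.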
Contacting projects
Having found this issue, Xu, Bonneau, and other Cambridge graduate students spent several weeks examining some common software and found that the defective version of Crypt-DES was still shipping with several open source software packages, among them PostgreSQL and FreeBSD. Having found the vulnerability, they emailed the private security mailing lists for the affected projects.
The PostgreSQL security team received this email on April 24th:
The Cambridge team had previously contacted a few other projects, including FreeBSD. The FreeBSD and PostgreSQL projects had to decide what to do about patching the vulnerability. For anyone affected by it, an updated version of crypt-DES would require that all affected passwords (ones containing the 0x80 byte) be regenerated. While neither PostgreSQL nor FreeBSD used crypt-DES for system authentication, both supply functions which are used to hash application passwords. Because of this disruption to some users' applications, it couldn't be done casually.
The FreeBSD security team contacted the OpenBSD, NetBSD and DragonflyBSD projects. Rubin Xu's research indicated that PHP's crypt() also had the faulty algorithm, and he had attempted to contact the PHP security team without success. Members of FreeBSD contacted them and brought them into the discussion. NetBSD turned out not to be vulnerable.
Coordinating a release
Among the affected projects, this vulnerability was considered moderate in severity, since it only affected a minority of users of each project. Not only did users need to build applications using crypt() with DES, despite other, more modern hashing options being available, but the password vulnerability only affects passwords with Unicode characters including the 0x80 byte. Specifically, the vulnerability was limited to:
- BSD users who used the included crypt() library with DES (the default) to support their applications.
- PostgreSQL users who installed the optional pgCrypto extension and used its crypt() function with the default DES encryption.
- PHP users who used the PHP crypt() function with DES on platforms without native encryption support, most notably Windows.
On the other hand, the vulnerability affects passwords, which means it's specifically a hole in code people have written to secure their systems. That raised this vulnerability from obscure to moderately serious. So FreeBSD filed for a Common Vulnerability and Exposure number (CVE), and the projects began trying to coordinate a release.
From the perspective of the projects, once one project announced a release and CVE-2012-2143 became public, it wouldn't take much cleverness for even a newbie black hat to figure out the vulnerability in other products. That meant coordinating a release date among five different projects. In surprisingly short order, they reached a compromise date of May 30th, which was the earliest reasonable release date. On that date:
- FreeBSD released a security update.
- OpenBSD updated its hotfixes repository.
- DragonflyBSD released a security update.
- PostgreSQL released a source code patch for pgCrypto, with a full update release to follow on June 4.
- PHP released a new Release Candidate with the fix, although it did not publicize the issue.
The entire timeline from the discovery of the vulnerability to deploying fixes for multiple projects took about three months. The majority of this time (about seven weeks) was taken up by the researchers finding and contacting affected projects. If there's room for improvement in the process of responsible discovery, it's that finding affected projects or products and contacting their security teams is slow and time-consuming. The remaining five weeks is only two weeks longer than the minimum time for most packaged projects to do a release at all, due to packaging, scheduling, testing, and coordination requirements. One could easily argue that immediate disclosure would have gotten the news about the vulnerability out much sooner, but it's not clear how that would have benefited affected users until fixes for their software were available.
In relatively short order, five major open source projects were updated to close it. Nobody was threatened, no single project's users or developers were singled out, the security researchers were thanked for their work, and nobody needed to spend more than a few hours of their time getting the fixes made and released. At least from the perspective of software maintainers and regular users, this episode looks like a success.
Why it worked this time
This whole episode had two important factors to make it a relative success: the security researchers were university staff unmotivated by fame or profit, and the open source projects are community non-profits lacking incentives to defer or deny patching security holes. This meant that everyone involved was motivated to fix the vulnerability in the fastest, most responsible way possible.
This is by no means exceptional in the open source world. On the PostgreSQL project today, as with many other open source projects, companies and academic researchers regularly practice responsible disclosure, letting the developers know about a security issue in a reasonable time to fix it. If anything, this is the rule in the non-profit open source world. So why does disclosure cause friction, user exposure, blog wars, and legal threats in the for-profit world?
Well, when you look at failures of security disclosure, the overwhelming trend is bad faith. Software companies don't want to do expensive releases and get bad press for security issues, so they put off security researchers forever, or even threaten them. Security people or their employers want fame and attention so they publicize security holes as widely as possible without verification, or giving the vendor a chance to patch issues. Or worse, researchers, companies and agencies participate in a marketplace of secret security exploits.
So, while responsible disclosure can and does work in the non-profit open source world, it's not clear how to transfer these practices to the for-profit world, or even if it's possible to do so. Maybe the answer is simply to use more open source software.
[ Note that MITRE has not updated their CVE database. As such, the CVE link for the exploit will still show as "pending". ]
Brief items
Security quotes of the week
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
Critical vulnerability derails Ruby on Rails (The H)
The H reports on a newly-discovered SQL injection vulnerability in Ruby on Rails, affecting the 3.0.x, 3.1.x, and 3.2.x versions. "The vulnerability exists in versions 3.0 and later of Active Record, Rail's database layer, and is exposed when using nested query parameters. Code that directly passes parameters to a where method, is affected. For example, using the common idiom params[:id] can be tricked into returning a crafted hash which causes the generated SQL statement to query an arbitrary table." The Rails team pushed out a fix, but shortly thereafter had to follow it up with another.
New vulnerabilities
apache-commons-compress: denial of service
Package(s): apache-commons-compress | CVE #(s): CVE-2012-2098
Created: June 4, 2012 | Updated: February 13, 2014
Description: From the CVE entry:
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. Fixed in version 1.4.1.
arpwatch: privilege escalation
Package(s): arpwatch | CVE #(s): CVE-2012-2653
Created: June 4, 2012 | Updated: July 20, 2016
Description: From the Debian advisory:
Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at least in Red Hat and Debian distributions) in order to make it drop root privileges would fail to do so and instead add the root group to the list of the daemon uses.
bind: multiple vulnerabilities
Package(s): bind9 | CVE #(s): CVE-2012-1667 CVE-2012-1033
Created: June 6, 2012 | Updated: August 7, 2012
Description: From the
Dan Luther discovered that Bind incorrectly handled zero length rdata fields. A remote attacker could use this flaw to cause Bind to crash or behave erratically, resulting in a denial of service. (CVE-2012-1667)
It was discovered that Bind incorrectly handled revoked domain names. A remote attacker could use this flaw to cause malicious domain names to be continuously resolvable even after they have been revoked. (CVE-2012-1033)
drupal7: full path disclosure
Package(s): drupal7 | CVE #(s): CVE-2012-2922
Created: June 4, 2012 | Updated: November 2, 2012
Description: From the CVE entry:
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
firefox: multiple vulnerabilities
Package(s): firefox | CVE #(s): CVE-2011-3101 CVE-2012-1937 CVE-2012-1938 CVE-2012-1939 CVE-2012-1940 CVE-2012-1941 CVE-2012-1944 CVE-2012-1945 CVE-2012-1946 CVE-2012-1947
Created: June 6, 2012 | Updated: January 8, 2013
Description: From the Red Hat advisory:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)
Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.
It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)
If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)
globus-gridftp-server: privilege escalation
Package(s): globus-gridftp-server | CVE #(s):
Created: June 4, 2012 | Updated: June 6, 2012
Description: GridFTP acts as the wrong user when user doesn't exist. See this globus advisory for details.
kernel: multiple vulnerabilities
Package(s): kernel | CVE #(s): CVE-2012-2127 CVE-2012-2319
Created: June 4, 2012 | Updated: October 3, 2012
Description: From the SUSE advisory:
CVE-2012-2127: Various leaks in namespace handling over fork were fixed, which could be exploited by e.g. vsftpd access by remote users.
CVE-2012-2319: A memory corruption when mounting a hfsplus filesystem was fixed that could be used by local attackers able to mount filesystem to crash the system.
moodle: multiple vulnerabilities
Package(s): moodle | CVE #(s): CVE-2012-2353 CVE-2012-2354 CVE-2012-2355 CVE-2012-2356 CVE-2012-2357 CVE-2012-2358 CVE-2012-2359 CVE-2012-2360 CVE-2012-2361 CVE-2012-2362 CVE-2012-2363 CVE-2012-2364 CVE-2012-2365 CVE-2012-2366 CVE-2012-2367
Created: June 1, 2012 | Updated: August 2, 2012
Description: From the Fedora advisory: Update Information:
- CVE-2012-2353 MSA-12-0024: Hidden information access issue
- CVE-2012-2354 MSA-12-0025: Personal communication access issue
- CVE-2012-2355 MSA-12-0026: Quiz capability issue
- CVE-2012-2356 MSA-12-0027: Question bank capability issues
- CVE-2012-2357 MSA-12-0028: Insecure authentication issue
- CVE-2012-2358 MSA-12-0029: Information editing access issue
- CVE-2012-2359 MSA-12-0030: Capability manipulation issue
- CVE-2012-2360 MSA-12-0031: Cross-site scripting vulnerability in Wiki
- CVE-2012-2361 MSA-12-0032: Cross-site scripting vulnerability in Web services
- CVE-2012-2362 MSA-12-0033: Cross-site scripting vulnerability in Blog
- CVE-2012-2363 MSA-12-0034: Potential SQL injection issue
- CVE-2012-2364 MSA-12-0035: Cross-site scripting vulnerability in "download all"
- CVE-2012-2365 MSA-12-0036: Cross-site scripting vulnerability in category identifier
- CVE-2012-2366 MSA-12-0037: Write access issue in Database activity module
- CVE-2012-2367 MSA-12-0038: Calendar event write permission issue
Correct CAS unbundling. Drop bundled language packs. New upstreams, multiple vulnerabilities.
nut: application crash
Package(s): nut | CVE #(s): CVE-2012-2944
Created: June 1, 2012 | Updated: September 28, 2012
Description: From the Ubuntu advisory: Nut could be made to crash if it received specially crafted network traffic.
openoffice.org: code execution
Package(s): openoffice.org | CVE #(s): CVE-2012-2334
Created: June 5, 2012 | Updated: June 14, 2012
Description: From the Red Hat advisory:
An integer overflow flaw, leading to a buffer overflow, was found in the way OpenOffice.org processed an invalid Escher graphics records length in Microsoft Office PowerPoint documents. An attacker could provide a specially-crafted Microsoft Office PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.
php: integer overflow
Package(s): php5 | CVE #(s): CVE-2012-2386
Created: June 5, 2012 | Updated: July 16, 2012
Description: From the openSUSE advisory:
Specially crafted tar archives could cause an integer overflow in the phar extension
postgresql: multiple vulnerabilities
Package(s): postgresql-8.3, postgresql-8.4, postgresql-9.1 | CVE #(s): CVE-2012-2143 CVE-2012-2655
Created: June 5, 2012 | Updated: September 28, 2012
Description: From the Ubuntu advisory:
It was discovered that PostgreSQL incorrectly handled certain bytes passed to the crypt() function when using DES encryption. An attacker could use this flaw to incorrectly handle authentication. (CVE-2012-2143)
It was discovered that PostgreSQL incorrectly handled SECURITY DEFINER and SET attributes on procedural call handlers. An attacker could use this flaw to cause PostgreSQL to crash, leading to a denial of service. (CVE-2012-2655)
python-crypto: insecure key generation
Package(s): python-crypto | CVE #(s): CVE-2012-2417
Created: June 4, 2012 | Updated: April 10, 2013
Description: From the Red Hat bugzilla:
A security flaw was found in the implementation of ElGamal algorithm of python-crypto, a cryptography library for Python language, in the way how random number 'g' was generated.
rubygem-rack-cache: information leak
Package(s): rubygem-rack-cache | CVE #(s):
Created: June 6, 2012 | Updated: June 6, 2012
Description: From the Red Hat bugzilla:
The Rack::Cache rubygem has a flaw where it will cache sensitive headers (such as Set-Cookie response headers), which could leak potentially sensitive information.
socat: buffer overflow
Package(s): socat | CVE #(s): CVE-2012-0219
Created: June 1, 2012 | Updated: May 29, 2013
Description: From the Fedora advisory: Fix for CVE-2012-0219 heap-based buffer overflow
Page editor: Nathan Willis