Security

Ubuntu details its UEFI secure boot plans

By Nathan Willis
June 27, 2012

UEFI Secure boot is expected to interfere with many users' desire to replace Windows or dual-boot it with Linux, because Microsoft is mandating that secure boot be enabled on Windows 8 machines at the time of sale. On June 5, we reported on Fedora's plans for handling the secure boot mechanism in UEFI. Ubuntu has subsequently announced its own plans, which take a different approach.

To recap, the secure boot feature constrains the hardware to boot only software that has been signed by a known cryptographic key. The point is that booting only signed, trusted binaries prevents attacks through boot-time malware that could be undetectable after the infected system is up and running. Microsoft is requiring hardware vendors to have secure boot enabled if they want to include the official logo for the upcoming Windows 8, although x86 vendors are also required to allow the machine's owner to turn off secure boot entirely or to install new keys. That option is regarded as insufficient for several reasons, notably that there may be users who are required (e.g., by office rules) to keep secure boot switched on, and that entering new keys for every alternative OS is likely to be an arduous process (even more so for the scenario where one needs to boot a temporary OS, such as from a CD or USB key).

Fedora's strategy is to enroll in Microsoft's developer program, which allows the project to purchase an approved $99 key through Verisign, a key which will be recognized by UEFI secure boot. The key will be used to sign the shim bootloader, which is a "trivial UEFI first-stage bootloader" whose only job is to boot GRUB2. Fedora will also sign the GRUB2 bootloader and the kernel, although the latter two binaries can be signed with the Fedora project's own keys.

Ubuntu's plan

Canonical posted a brief announcement about its own secure boot plan on the company blog on June 22, although the details were to be found in Steve Langasek's message to the ubuntu-devel mailing list. Canonical has generated its own signing key which will be pre-loaded on machines that ship with Ubuntu already installed. Ubuntu CDs will ship with a shim bootloader (the same shim bootloader used by Fedora) signed by one of the existing Microsoft-certified keys, much like the Fedora plan.

After that point, however, the distribution is taking a markedly different approach to the trusted bootloader chain. An Ubuntu system will boot into the efilinux bootloader, which will in turn boot an unsigned kernel image. Under Fedora's plan, the shim bootloader verifies the integrity of GRUB2 before loading it, and GRUB2 in turn verifies the integrity of the kernel. Canonical says that their reading of the specification makes it clear that their secure boot responsibilities stop at the bootloader, and do not extend to the kernel:

We believe that the intention of secure boot is to protect against malicious use or modification of pre-boot code, before the ExitBootServices UEFI service is invoked. Currently, this call is performed by the boot loader, before the kernel is executed.

Therefore, we will only be requiring authentication of boot loader binaries. Ubuntu will not require signed kernel images or kernel modules.

The decision to use efilinux has its own justification. Because GRUB2 is licensed under the GPLv3, Canonical determined that machines with Ubuntu pre-installed are subject to the "User Product" provisions of GPLv3, which require that the distributor provide the user with all authorization keys required to install the software. The company consulted with the FSF about that topic, and was warned that the authorization-key clause would probably (although not definitely) apply. Thus, if a hardware vendor shipped an Ubuntu system and did not include a way for users to install keys of their own, Canonical would be compelled to disclose its key. Revealing the signing key would undermine the point of secure boot and "at that point our certificates would of course be revoked and everyone would end up worse off."

Signatures, revocation, and other fine print

Ubuntu's decision to use its own key for pre-installed machines has spawned relatively little debate, but there is a sharp disagreement over the decision not to sign kernel images. Red Hat's Matthew Garrett (who authored the Fedora secure boot plan) argued that signing only the bootloader is insufficient:

How are you going to prevent your bootloader from being used to launch a trojaned Fedora kernel, for instance? This is the kind of decision that doesn't just affect Ubuntu, it has ramifications for the security model that other distributions use. This makes it impossible to implement any kind of signed userspace unless the user explicitly revokes the Ubuntu bootloader first or uses their own trust chain.

Jamie Strandboge replied that "the UEFI specification and the Windows 8 logo requirements is that Secure Boot is designed to protect early boot only," and that signing the kernel and large portions of userspace is unattractive for several reasons, "not least of which is that it reduces the utility of the distribution."

Strandboge also contended that signing the kernel does not offer a significant level of protection over signing the bootloader, because the existence of any exploitable bootloader undermines the trust chain for all OS vendors. The argument goes that if DistroX's signed bootloader is vulnerable, malware authors could use it to create a malicious live CD image that will boot even on a machine that normally runs DistroY's secure bootloader with its signed kernel. Thus, signing the kernel image is useful for creating a trusted environment for user space, but it does not strengthen the protection of secure boot itself.

There is also the open question of how key revocations and other updates to the secure boot world will work in practice. Both Fedora and Ubuntu plan to use a "shim" bootloader so that they can issue updates to the main bootloader without getting those updates signed by Microsoft. But the distributions will also need to issue revocations for vulnerable signed bootloader and/or kernel images, and the process by which the OS vendor pushes those updates out has yet to be determined.
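
The two trust chains described above, and the revocation step this paragraph leaves open, as an added example that is not part of the original article or of either distribution's code: a small Go model of a UEFI-style boot chain. Each stage is checked against a trust store holding allowed signer keys (the firmware db, or the distribution key built into shim or GRUB2) and revoked image hashes (dbx). The Fedora-style chain verifies shim, GRUB2 and kernel; the Ubuntu-style chain verifies shim and efilinux and loads the kernel unchecked; a third run shows the same unsigned kernel being rejected by a verifying loader; a fourth shows a validly signed loader refused once its hash is in dbx. Ed25519 stands in for the Authenticode signatures real firmware checks, and every key, image body and signer label here is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is a constructed stand-in for a UEFI binary that a stage checks before running it.
type Image struct {
	Name      string
	Body      []byte
	Signer    string // label of the key that signed Body; "" when unsigned
	Signature []byte // ed25519 signature over Body; nil when unsigned
}

// TrustStore is one verifier's view: allowed signers (the firmware "db", or the distro
// key compiled into shim/GRUB2) and revoked image hashes (the firmware "dbx").
type TrustStore struct {
	Allowed map[string]ed25519.PublicKey
	Revoked map[[sha256.Size]byte]bool
}

// Stage pairs an image with the store that checks it; nil Trust = loaded unchecked.
type Stage struct {
	Img   Image
	Trust *TrustStore
}

// Verify: a revoked hash fails regardless of signature, then signer and signature are checked.
func (t *TrustStore) Verify(img Image) error {
	switch pub, known := t.Allowed[img.Signer]; {
	case t.Revoked[sha256.Sum256(img.Body)]:
		return fmt.Errorf("%s: hash present in dbx (revoked)", img.Name)
	case img.Signature == nil:
		return fmt.Errorf("%s: unsigned", img.Name)
	case !known:
		return fmt.Errorf("%s: signer %q not in db", img.Name, img.Signer)
	case !ed25519.Verify(pub, img.Body, img.Signature):
		return fmt.Errorf("%s: signature does not verify", img.Name)
	}
	return nil
}

// BootChain walks the stages in order and stops at the first failed check.
func BootChain(stages []Stage) error {
	for _, s := range stages {
		if s.Trust != nil {
			if err := s.Trust.Verify(s.Img); err != nil {
				return err
			}
		}
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signed(name, body, signer string, priv ed25519.PrivateKey) Image {
	b := []byte(body)
	return Image{Name: name, Body: b, Signer: signer, Signature: ed25519.Sign(priv, b)}
}

// RunScenarios boots four constructed chains and returns each outcome by name.
func RunScenarios() map[string]error {
	msPub, msPriv := mustKey()         // stands in for the Microsoft-certified key
	distroPub, distroPriv := mustKey() // stands in for a distribution's own key
	firmware := &TrustStore{Allowed: map[string]ed25519.PublicKey{"microsoft": msPub}}
	distro := &TrustStore{Allowed: map[string]ed25519.PublicKey{"distro": distroPub}}
	shim := signed("shim", "shim body (constructed)", "microsoft", msPriv)
	grub := signed("grub2", "grub2 body (constructed)", "distro", distroPriv)
	efilinux := signed("efilinux", "efilinux body (constructed)", "distro", distroPriv)
	kernel := signed("vmlinuz", "kernel body (constructed)", "distro", distroPriv)
	unsignedKernel := Image{Name: "vmlinuz", Body: kernel.Body}
	// Revocation: once an update lands the loader's hash in dbx, the firmware refuses
	// it even though its signature is still valid.
	revoking := &TrustStore{Allowed: firmware.Allowed,
		Revoked: map[[sha256.Size]byte]bool{sha256.Sum256(shim.Body): true}}

	return map[string]error{
		"full chain (Fedora-style)":  BootChain([]Stage{{shim, firmware}, {grub, distro}, {kernel, distro}}),
		"loader only (Ubuntu-style)": BootChain([]Stage{{shim, firmware}, {efilinux, distro}, {unsignedKernel, nil}}),
		"unsigned kernel, checked":   BootChain([]Stage{{shim, firmware}, {grub, distro}, {unsignedKernel, distro}}),
		"revoked loader":             BootChain([]Stage{{shim, revoking}, {grub, distro}, {kernel, distro}}),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-27s -> %v\n", name, err)
	}
}
```

The model makes the disagreement in the next section concrete: the "loader only" chain boots cleanly because nothing ever looks at the kernel, while the same unsigned kernel fails as soon as the loader in front of it verifies what it loads. Revocation works on the image hash, not the signature, which is why a vendor can withdraw a specific vulnerable build without rotating its signing key.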

Although most multi-boot discussions revolve around dual-booting Windows and a single Linux distribution, that is hardly the only scenario. Canonical said that it will not offer its own signing key to sign the bootloaders of other distributions or vendors, which some feared would make it impossible to install, for example, Fedora on a machine that comes with Ubuntu pre-installed. However, the owners of machines pre-loaded with Ubuntu will still be able to install Fedora or other OSes in tandem, because the company will require its OEMs to include the Microsoft key in the secure boot key database alongside the Ubuntu key.

As Windows 8 draws near, the questions about UEFI secure boot and its impact on users continue to swirl. Clearly there are risks in handing the ultimate say in booting one's machine to a third party (particularly a rival OS vendor like Microsoft), and even though two of the largest distributions have crafted a plan for dealing with secure boot's restrictions, how much of an imposition the final product is still hinges on unknowns like the revocation and update process. But the biggest question that remains is whether it is wise to tacitly endorse secure boot by playing its games in the first place. On that, the community may never arrive at a single answer.

Brief items

Security quotes of the week

If Microsoft's "reputation" database can't tell the difference between a gambling site and an independently audited registered nonprofit public-interest charity founded almost 30 years ago, it is certainly doing you and your business more harm than good.
-- The Free Software Foundation is unimpressed at being tagged as a gambling site

Amazingly, Accenture, which sold its crap-on-a-stick high-school sophomoric completely insecure malfunctioning voter registration software to a bunch of states, so unsuccessfully that Colorado refused to pay and others, like Wisconsin and Shelby County, bought out the source code in order to try to bandaid it into a functional system, has decided to issue a DMCA protective order against Black Box Voting for exposing its flawed software.

Last time a voting system company did a DMCA takedown notice (Diebold, in 2004) it got socked with punitive charges for abusing the Digital Millennium Copyright Act, trying to use it to block distribution of material clearly published in the public interest.

-- Bev Harris gets a DMCA takedown request (the entire thread is interesting)

The firm gathers publicly available voter files from all 50 states and supplements this with records of political donations and other profiles purchased from commercial data brokers, says CEO Jeff Dittus. Then, working with about 100 high-traffic websites that register their users, they can match the offline data to the online identities of individuals.

Few Web surfers realize how widely data about them gets bought, sold, and combined. But the practice is common. In a recent investigation, ProPublica revealed that Microsoft and Yahoo each offer political campaigns the ability to target voters in similar ways.

-- Jessica Leber in Technology Review

Details on Ubuntu's UEFI secure boot plan

Steve Langasek has posted a set of details on how Ubuntu's UEFI secure boot mechanism will work. There are some real differences from the approach taken by Fedora. "Microsoft's Windows 8 logo requirements do say that there must be a way for users to disable secure boot or to install their own keys, and we strongly support this in our own firmware guidelines; but in the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn't then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off."

Android application reads credit card data over NFC (The H)

The H discusses a new demonstration application published by a German security researcher capable of reading credit card information over NFC. "Contactless credit card systems have been hacked in the past and while the problems with the technology are worrisome, access via NFC is not a viable way to harvest a great amount of credit card data for obvious reasons. The relatively easy availability of smartphone applications like paycardreader will most likely make them attractive for opportunist fraudsters, however."

New vulnerabilities

apache: privilege escalation

Package(s):apache CVE #(s):CVE-2012-0883
Created:June 25, 2012 Updated:February 12, 2013
Description: From the CVE entry:

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
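
As an added illustration (not code from the Apache project or from the advisory), the Go functions below audit a colon-separated library search path for the pattern behind this entry: a zero-length element, which the dynamic loader resolves to the current working directory, and more generally any relative element. PrependLibraryDir is the hardened form of putting a directory first; a shell idiom of the shape `VAR="/usr/lib:$VAR"` leaves a trailing colon when the variable was unset, which is exactly a zero-length element. The function names and sample values are this example's own.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Finding describes one unsafe element of a colon-separated search path.
type Finding struct {
	Index  int
	Entry  string
	Reason string
}

// AuditLibraryPath flags what made CVE-2012-0883 exploitable: a zero-length
// element, which the dynamic loader treats as the current working directory,
// and more generally any relative element. An unset or empty variable is fine:
// the loader ignores it and searches only its built-in locations.
func AuditLibraryPath(value string) []Finding {
	var out []Finding
	if value == "" {
		return out
	}
	for i, e := range strings.Split(value, ":") {
		switch {
		case e == "":
			out = append(out, Finding{i, e, "empty element means the current directory"})
		case !filepath.IsAbs(e):
			out = append(out, Finding{i, e, "relative element resolves against the current directory"})
		}
	}
	return out
}

// PrependLibraryDir is the hardened way to put dir first: the shell idiom
// VAR="dir:$VAR" leaves a trailing colon (an empty element) when VAR was unset.
func PrependLibraryDir(dir, existing string) string {
	if existing == "" {
		return dir
	}
	return dir + ":" + existing
}

func main() {
	// Constructed values: the first reproduces the shape of the flaw.
	for _, v := range []string{"/usr/lib:", "lib:/usr/lib",
		PrependLibraryDir("/usr/lib", ""), PrependLibraryDir("/usr/lib", "/opt/lib")} {
		fmt.Printf("%-22q -> %v\n", v, AuditLibraryPath(v))
	}
}
```

The same audit applies to any search-path variable a privileged wrapper script assembles (PATH, LD_LIBRARY_PATH, or the path given to a setuid helper); the empty-element case is the one that is easy to miss in review because the resulting string looks harmless.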

Alerts:
Fedora FEDORA-2013-1661 httpd 2013-02-12
openSUSE openSUSE-SU-2013:0248-1 apache2 2013-02-05
openSUSE openSUSE-SU-2013:0243-1 apache2 2013-02-05
Mageia MGASA-2012-0280 apache 2012-10-06
Mandriva MDVSA-2012:154-1 apache 2012-10-01
Mandriva MDVSA-2012:154 apache 2012-09-28
Gentoo 201206-25 apache 2012-06-24

asterisk: denial of service

Package(s):asterisk CVE #(s):CVE-2012-3553
Created:June 26, 2012 Updated:June 27, 2012
Description: From the Red Hat bugzilla:

AST-2012-008 previously dealt with a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a Null pointer.

Similar to AST-2012-008, a remote attacker with a valid SCCP ID can use this vulnerability by closing a connection to the Asterisk server when a station is in the "Off Hook" call state and crash the server.

This only affects version 10, and is fixed in 10.5.1.

Alerts:
Fedora FEDORA-2012-9537 asterisk 2012-06-26

dhcpcd: remote code execution

Package(s):dhcpcd CVE #(s):CVE-2012-2152
Created:June 25, 2012 Updated:June 27, 2012
Description: From the Debian advisory:

It was discovered that dhcpcd, a DHCP client, was vulnerable to a stack overflow. A malformed DHCP message could crash the client, causing a denial of service, and potentially remote code execution through properly designed malicious DHCP packets.

Alerts:
Debian DSA-2498-1 dhcpcd 2012-06-24

gdk-pixbuf: integer overflow

Package(s):gdk-pixbuf CVE #(s):CVE-2012-2370
Created:June 25, 2012 Updated:January 17, 2013
Description: From the Gentoo advisory:

The "read_bitmap_file_data()" function in io-xbm.c contains an integer overflow error

Alerts:
Scientific Linux SL-gtk2-20130116 gtk2 2013-01-16
Oracle ELSA-2013-0135 gtk2 2013-01-12
CentOS CESA-2013:0135 gtk2 2013-01-09
Fedora FEDORA-2012-11648 mingw32-gdk-pixbuf 2012-08-22
openSUSE openSUSE-SU-2012:0897-1 gdk-pixbuf 2012-07-23
Mageia MGASA-2012-0149 gdk-pixbuf2.0 2012-07-10
Gentoo 201206-20 gdk-pixbuf 2012-06-23

ImageMagick: integer overflow

Package(s):ImageMagick CVE #(s):CVE-2012-1620
Created:June 22, 2012 Updated:June 27, 2012
Description:

From the Red Hat Bugzilla entry:

An out-of-bounds heap-based buffer read flaw was found in the way ImageMagick, an image display and manipulation tool for the X Window System, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).

Alerts:
Gentoo 201412-10 egroupware, vte, lft, suhosin, slock, ganglia, gg-transport 2014-12-11
Fedora FEDORA-2012-9313 ImageMagick 2012-06-22

kernel: NX emulation suspected broken

Package(s):kernel CVE #(s):
Created:June 25, 2012 Updated:June 27, 2012
Description:

From the Fedora advisory:

Disabled 32bit NX emulation. Suspected of being broken and it deviates from upstream.

Alerts:
Fedora FEDORA-2012-8931 kernel 2012-06-22

kernel: denial of service and iptables bypass

Package(s):kernel CVE #(s):CVE-2012-2663
Created:June 22, 2012 Updated:November 5, 2012
Description:

From the Novell Bugzilla entry:

SYN+FIN attacks can cause a denial of service condition:

https://git.kernel.org/?p=linux/kernel/git/davem/net-next.git;a=commitdiff;h=fdf5af0daf8019cec2396cdef8fb042d80fe71fa

While this issue was initially reported as a denial of service flaw, it also allows attackers to bypass certain iptables rules:

http://www.spinics.net/lists/netfilter-devel/msg21248.html

Alerts:
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
SUSE SUSE-SU-2012:1391-1 Linux kernel 2012-10-24
openSUSE openSUSE-SU-2012:0812-1 kernel 2012-07-03
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
openSUSE openSUSE-SU-2012:0781-1 kernel 2012-06-22

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CVE-2009-5063 CVE-2011-3464
Created:June 22, 2012 Updated:October 22, 2012
Description:

From the Gentoo advisory:

Multiple vulnerabilities have been discovered in libpng:

* The "embedded_profile_len()" function in pngwutil.c does not check for negative values, resulting in a memory leak (CVE-2009-5063).

* The "png_formatted_warning()" function in pngerror.c contains an off-by-one error (CVE-2011-3464).

Alerts:
Fedora FEDORA-2012-15613 mingw-libpng 2012-10-22
Gentoo 201206-15 libpng 2012-06-22

libwpd: code execution

Package(s):libwpd CVE #(s):CVE-2012-2149
Created:June 27, 2012 Updated:July 6, 2012
Description: From the Red Hat advisory:

A buffer overflow flaw was found in the way libwpd processed certain Corel WordPerfect Office documents (.wpd files). An attacker could provide a specially-crafted .wpd file that, when opened in an application linked against libwpd, such as OpenOffice.org, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Scientific Linux SL-libw-20120705 libwpd 2012-07-05
CentOS CESA-2012:1043 libwpd 2012-06-26
Red Hat RHSA-2012:1043-01 libwpd 2012-06-26

links: multiple vulnerabilities

Package(s):links CVE #(s):
Created:June 26, 2012 Updated:July 10, 2012
Description: From the Gentoo advisory:

A SSL verification vulnerability and two unspecified vulnerabilities have been discovered in Links. Please review the Secunia Advisory referenced below for details.

An attacker might conduct man-in-the-middle attacks. The unspecified errors could allow for out-of-bounds reads and writes.

Alerts:
Mageia MGASA-2012-0150 links 2012-07-10
Gentoo 201206-32 links 2012-06-25

logrotate: symlink and hard link attacks

Package(s):logrotate CVE #(s):CVE-2011-1549
Created:June 26, 2012 Updated:June 27, 2012
Description: From the CVE entry:

The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages.

Alerts:
Gentoo 201206-36 logrotate 2012-06-25

mantis: multiple vulnerabilities

Package(s):mantis CVE #(s):CVE-2012-1118 CVE-2012-1119 CVE-2012-1120 CVE-2012-1122 CVE-2012-1123 CVE-2012-2692
Created:June 25, 2012 Updated:November 9, 2012
Description: From the Debian advisory:

CVE-2012-1118: Mantis installations in which the private_bug_view_threshold configuration option has been set to an array value do not properly enforce bug viewing restrictions.

CVE-2012-1119: Copy/clone bug report actions fail to leave an audit trail.

CVE-2012-1120: The delete_bug_threshold/bugnote_allow_user_edit_delete access check can be bypassed by users who have write access to the SOAP API.

CVE-2012-1122: Mantis performed access checks incorrectly when moving bugs between projects.

CVE-2012-1123: A SOAP client sending a null password field can authenticate as the Mantis administrator.

CVE-2012-2692: Mantis does not check the delete_attachments_threshold permission when a user attempts to delete an attachment from an issue.

Alerts:
Fedora FEDORA-2012-18294 mantis 2012-11-24
Fedora FEDORA-2012-18299 mantis 2012-11-24
Gentoo 201211-01 mantisbt 2012-11-08
Debian DSA-2500-1 mantis 2012-06-24

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2010-2789 CVE-2011-0537 CVE-2012-1578 CVE-2012-1579 CVE-2012-1580 CVE-2012-1581 CVE-2012-1582
Created:June 22, 2012 Updated:June 27, 2012
Description:

From the Gentoo advisory:

MediaWiki allows remote attackers to bypass authentication, to perform imports from any wgImportSources wiki via a crafted POST request, to conduct cross-site scripting (XSS) attacks or obtain sensitive information, to inject arbitrary web script or HTML, to conduct clickjacking attacks, to execute arbitrary PHP code, to inject arbitrary web script or HTML, to bypass intended access restrictions and to obtain sensitive information.

Alerts:
Gentoo 201206-09 mediawiki 2012-06-21

mini-httpd: code execution

Package(s):mini-httpd CVE #(s):CVE-2009-4490
Created:June 25, 2012 Updated:June 27, 2012
Description: From the Gentoo advisory:

mini_httpd does not properly check for shell escapes when parsing HTTP requests.

A remote attacker could send specially crafted HTTP requests, possibly resulting in execution of arbitrary code with the privileges of the process, or allowing for overwriting of files.

Alerts:
Gentoo 201206-27 mini-httpd 2012-06-24

mono and mono-debugger: multiple vulnerabilities

Package(s):mono and mono-debugger CVE #(s):CVE-2010-3332 CVE-2010-3369 CVE-2010-4225
Created:June 22, 2012 Updated:June 27, 2012
Description:

From the Gentoo advisory:

A remote attacker could execute arbitrary code, bypass general constraints, obtain the source code for .aspx applications, obtain other sensitive information, cause a Denial of Service, modify internal data structures, or corrupt the internal state of the security manager.

A local attacker could entice a user into running Mono debugger in a directory containing a specially crafted library file to execute arbitrary code with the privileges of the user running Mono debugger.

A context-dependent attacker could bypass the authentication mechanism provided by the XML Signature specification.

Alerts:
Gentoo 201206-13 mono, mono-debugger 2012-06-21

mosh: denial of service

Package(s):mosh CVE #(s):CVE-2012-2385
Created:June 26, 2012 Updated:April 10, 2013
Description: From the Red Hat bugzilla:

A denial of service flaw was found in the way mosh, a remote terminal application, performed processing of parameters that have been passed to the terminal in the terminal dispatcher class (previously there was no limit for the count of parameters, which were allowed to be passed to the dispatcher). A remote attacker could use this flaw to cause a denial of service (mosh server to enter a long for loop when trying to process the parameters) via a specially-crafted escape sequence string.

Alerts:
Mandriva MDVSA-2013:104 mosh 2013-04-10
Mageia MGASA-2012-0182 mosh 2012-07-29
Fedora FEDORA-2012-9422 mosh 2012-06-26
Fedora FEDORA-2012-9414 mosh 2012-06-26
Fedora FEDORA-2012-9442 mosh 2012-06-26

msmtp: X.509 NULL spoofing

Package(s):msmtp CVE #(s):CVE-2009-3942
Created:June 26, 2012 Updated:June 27, 2012
Description: From the CVE entry:

Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
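
To make the failure mode concrete, here is an added Go example (not msmtp's code, and not from the CVE entry) that contrasts a C-string-style comparison, which stops at the first NUL and therefore sees only the prefix of a name like `mail.example.com\0.attacker.example`, with a length-aware hostname check that rejects any name containing a NUL before doing case-insensitive and single-label wildcard matching. The host names are constructed for the example and the function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveMatches reproduces the behaviour that made CVE-2009-3942 possible: a
// caller treating the certificate name as a NUL-terminated C string compares
// only the bytes before the first NUL, so a certificate carrying
// "mail.example.com\x00.attacker.example" looks like one for mail.example.com.
func naiveMatches(certName, host string) bool {
	if i := strings.IndexByte(certName, 0); i >= 0 {
		certName = certName[:i]
	}
	return strings.EqualFold(certName, host)
}

// HostnameMatches is the length-aware check: any embedded NUL is rejected
// before the name is compared; matching is then case-insensitive and allows a
// single left-most wildcard label that covers exactly one host label.
func HostnameMatches(certName, host string) bool {
	if strings.IndexByte(certName, 0) >= 0 || strings.IndexByte(host, 0) >= 0 {
		return false
	}
	certName = strings.ToLower(strings.TrimSuffix(certName, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if certName == "" || host == "" {
		return false
	}
	if strings.HasPrefix(certName, "*.") {
		dot := strings.IndexByte(host, '.')
		if dot <= 0 {
			return false // a wildcard must not match the bare parent domain
		}
		return host[dot:] == certName[1:]
	}
	return certName == host
}

func main() {
	// Constructed names: the first is the shape of a misissued certificate name.
	names := []string{"mail.example.com\x00.attacker.example", "mail.example.com", "*.example.com"}
	for _, name := range names {
		fmt.Printf("%-44q naive=%-5v strict=%v\n", name,
			naiveMatches(name, "mail.example.com"), HostnameMatches(name, "mail.example.com"))
	}
}
```

The defensive point is that the certificate authority and the client must see the same bytes: a validator that works on length-delimited strings (as Go's and modern OpenSSL's do) never lets the part after a NUL disappear, so the only safe handling of such a name is outright rejection.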

Alerts:
Gentoo 201206-34 msmtp 2012-06-25

nbd: denial of service

Package(s):nbd CVE #(s):CVE-2011-1925
Created:June 26, 2012 Updated:June 27, 2012
Description: From the CVE entry:

nbd-server.c in Network Block Device (nbd-server) 2.9.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by causing a negotiation failure, as demonstrated by specifying a name for a non-existent export.

Alerts:
Gentoo 201206-35 nbd 2012-06-25

network-manager: insecure WPA AdHoc connections

Package(s):network-manager CVE #(s):CVE-2012-2736
Created:June 27, 2012 Updated:September 12, 2012
Description: From the Ubuntu advisory:

It was discovered that certain wireless drivers incorrectly handled the creation of WPA-secured AdHoc connections. This could result in AdHoc wireless connections being created without any security at all. This update removes WPA as a security choice for AdHoc connections in NetworkManager.

Alerts:
openSUSE openSUSE-SU-2012:1151-1 NetworkManager 2012-09-12
Ubuntu USN-1483-2 network-manager-applet 2012-06-27
Ubuntu USN-1483-1 network-manager 2012-06-27

nvidia-drivers: privilege escalation

Package(s):nvidia-drivers CVE #(s):CVE-2012-0946
Created:June 25, 2012 Updated:June 27, 2012
Description: From the Gentoo advisory:

A vulnerability has been found in the way NVIDIA drivers handle read/write access to GPU device nodes, allowing access to arbitrary system memory locations. A local attacker could gain escalated privileges.

Alerts:
Gentoo 201206-19 nvidia-drivers 2012-06-23

openjpeg: code execution

Package(s):openjpeg CVE #(s):CVE-2012-1499
Created:June 21, 2012 Updated:June 28, 2012
Description:

From the Gentoo advisory:

An error in jp2.c of OpenJPEG could allow an out-of-bounds write error.

A remote attacker could entice a user to open a specially crafted JPEG file, possibly resulting in execution of arbitrary code or a Denial of Service condition.

Alerts:
Fedora FEDORA-2012-9602 openjpeg 2012-06-28
Fedora FEDORA-2012-9628 openjpeg 2012-06-28
Gentoo 201206-06 openjpeg 2012-06-20

php: information disclosure/arbitrary code execution

Package(s):php CVE #(s):CVE-2010-2950
Created:June 27, 2012 Updated:July 2, 2012
Description: From the Red Hat advisory:

A format string flaw was found in the way the PHP phar extension processed certain PHAR files. A remote attacker could provide a specially-crafted PHAR file, which once processed in a PHP application using the phar extension, could lead to information disclosure and possibly arbitrary code execution via a crafted phar:// URI.

Alerts:
CentOS CESA-2012:1046 php 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-php5-20120705 php53 2012-07-05
Oracle ELSA-2012-1046 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27

python-httplib2: use of incorrect certificates

Package(s):python-httplib2 CVE #(s):
Created:June 25, 2012 Updated:April 10, 2013
Description: From the openSUSE advisory:

python-httplib2 used to ship its own copy of Mozilla NSS certificates, but should use the system-wide ones instead.

Alerts:
Mandriva MDVSA-2013:119 python-httplib2 2013-04-10
openSUSE openSUSE-SU-2012:0787-1 python-httplib2 2012-06-25

roundcubemail: cross-site scripting

Package(s):roundcubemail CVE #(s):CVE-2012-1253
Created:June 22, 2012 Updated:June 27, 2012
Description:

From the Red Hat Bugzilla entry:

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.

Alerts:
Fedora FEDORA-2012-9337 roundcubemail 2012-06-22
Fedora FEDORA-2012-9329 roundcubemail 2012-06-22

rpm: multiple vulnerabilities

Package(s):rpm CVE #(s):CVE-2010-2197 CVE-2010-2199
Created:June 25, 2012 Updated:June 27, 2012
Description: From the CVE entries:

rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag. (CVE-2010-2197).

lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059. (CVE-2010-2199).

Alerts:
Gentoo 201206-26 rpm 2012-06-24

tomcat: multiple vulnerabilities

Package(s):tomcat CVE #(s):CVE-2010-4312 CVE-2011-1088 CVE-2011-1183 CVE-2011-1419 CVE-2011-1475 CVE-2011-1582 CVE-2011-2481
Created:June 25, 2012 Updated:June 27, 2012
Description: From the CVE entries:

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. (CVE-2010-4312)

Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. (CVE-2011-1088)

Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. (CVE-2011-1183)

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. (CVE-2011-1419)

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." (CVE-2011-1475)

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419. (CVE-2011-1582)

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression. (CVE-2011-2481)

Alerts:
Gentoo 201206-24 tomcat 2012-06-24

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds