|
|
Subscribe / Log in / New account

Security

Holes discovered in SSL certificate validation

By Jake Edge
October 31, 2012

A stinging indictment of the state of SSL client applications was recently published as part of the Proceedings from the ACM Computer and Communications Security (CCS) conference. The six authors of the paper (three each from Stanford and The University of Texas) describe testing that certainly should have been done as part of the application development process, but clearly wasn't. The problem stems partly from the libraries that provide SSL certificate verification, because developers are not using them properly. By and large the low-level library cryptographic protocol implementations are fine, the authors found, but the APIs are designed so poorly that developers commonly misuse them.

The paper [PDF] is entitled "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" and lives up to that label. It is truly an eye-opening read. The researchers simulated man-in-the-middle attacks using a combination of self-signed and invalid SSL certificates along with a valid certificate for the amusing AllYourSSLAreBelongTo.us domain to observe the effects on various applications. The observations led to the overall conclusion: "SSL certificate validation is completely broken in many critical software applications and libraries".

The researchers used Windows and Ubuntu laptops, a Nexus One smartphone, and an iPad 2 as clients for their testing. A second Ubuntu system running custom Java and C proxies, as well as the Fiddler web debugging proxy, served as the man in the middle. As they noted, the kind of attack that can be launched from the proxies is precisely what SSL is meant to thwart—their testing did not go beyond what an active man in the middle could do:

This is exactly the attack that SSL is intended to protect against. It does not involve compromised or malicious certificate authorities, nor forged certificates, nor compromised private keys of legitimate servers. The only class of vulnerabilities we exploit are logic errors in client-side SSL certificate validation.

What they found was client applications that largely (or completely) accepted various kinds of invalid certificates and blindly sent private information (cookies, authentication information, credit card numbers) over an unsecured link. In many cases, the proxies could make the actual SSL connection to the remote server and funnel the data along—while surreptitiously storing the data away for (ab)use at a later time.

The paper gives plenty of examples of where the applications go wrong. Much of it can be blamed on bad library APIs, they said, in essentially all of the low-level SSL libraries (OpenSSL, GnuTLS, JSSE, CryptoAPI, etc.):

The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values.

While that is certainly a problem, the application authors do bear some of the responsibility as well. It is not difficult to test an application against a few types of bad certificates. Because of the complexity of the APIs, developers should probably have been more wary that they might have made a mistake. Given that there is some kind of security requirement for the application (why use SSL otherwise?), it would seem prudent to verify proper functioning. Using a well-tested, industry-standard library is certainly an important piece of the puzzle, but there is more to it than just that.

There is also the problem of higher-level libraries perched atop OpenSSL, et al. The researchers found that libraries like Apache HttpClient, cURL, and the PHP and Python SSL libraries all had flaws in certificate validation. In fact, Python's urllib, urllib2, and httplib documentation warns that no certificate checking is done by the libraries, which evidently doesn't stop "high security" applications from still using them. One of the examples shows how this can all go awry:

Amazon's Flexible Payments Service PHP library attempts to enable hostname verification by setting cURL's CURLOPT_SSL_VERIFYHOST parameter to true. Unfortunately, the correct, default value of this parameter is 2; setting it to true silently changes it to 1 and disables certificate validation. PayPal Payments Standard PHP library introduced the same bug when updating a previous, broken implementation.

These kinds of errors would almost be comical, if they weren't so serious. While it may sound difficult for attackers to position themselves "in the middle", the prevalence of wireless networking these days makes it easier. Taking over an access point (or just running a hostile one as "Free Airport WiFi", say) puts an attacker squarely in the middle. Users that are running the vulnerable applications over a link to a bad access point are susceptible to many kinds of attacks. Compromise of home routers is another possibility. Obviously, malware running upstream in the wired internet is equally dangerous (if harder to pull off).

The researchers conclude the article with recommendations for both application and SSL library developers. For the most part, they are pretty common-sense suggestions (do test your application, don't have multiple inconsistent error reporting mechanisms, etc.) that could certainly apply more widely than just SSL applications and libraries. Obviously, they could not test each and every non-browser SSL-using client (or even all of the SSL client libraries) out there, but the list of vulnerable components from the abstract is rather astonishing:

Vulnerable software includes Amazon's EC2 Java library and all cloud clients based on it; Amazon's and PayPal's merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; Java Web-services middleware—including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android—and all applications employing this middleware.

Perhaps the most distressing piece of this research is the appearance—at least—that developers are being pretty cavalier about checking the security baked into their supposedly "high security" applications. Beyond that, it is amazing that payment processors who are dealing with credit cards (and, importantly, credit card fraud) have seemingly not been very diligent about the code they distribute to their customers. All in all, this research shows that even "secure" applications and libraries often skimp on important verification testing—a seriously sad state of affairs.

Comments (28 posted)

Brief items

Security quotes of the week

It checks to see if the /mnt/ubi_boot/mfg_test/enable file exists, and if so, it fires up a telnet service (among other things). However, the mfg_test directory doesn't exist at all on the production system [...] But with the SSID command injection vulnerability, we can easily create it. The commands to create the file are too long to fit into the restricted 32-character SSID input field, so we'll echo them piecemeal into a shell script and then execute that script [...]

Rooted with nothing but the remote control it came with.

-- /dev/ttyS0 on jailbreaking the Netgear NTV300 "NeoTV"

The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt. It's very complicated. It's very cumbersome. There's a lot of numbers involved with it.
-- South Carolina governor Nikki Haley

If you're going to allow users to download all of their data with one command, you might want to double- and triple-check that command. Otherwise it's going to become an attack vector for identity theft and other malfeasance.
-- Bruce Schneier on "data portability" risks

I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, [etc.] But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
-- John Butler shows how to change a boarding pass for less TSA screening

This iommu encrypts addresses on the device bus to avoid [divulging] information to hackers equipped with bus analyzers. Following 3DES, addresses are encrypted multiple times. A XOR cypher is employed for efficiency.
-- Avi Kivity (thanks to Michael S. Tsirkin.)

Comments (2 posted)

New vulnerabilities

cgit: code execution

Package(s):cgit CVE #(s):CVE-2012-4465
Created:October 31, 2012 Updated:November 28, 2012
Description: From the CVE entry:

Heap-based buffer overflow in the substr function in parsing.c in cgit 0.9.0.3 and earlier allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via an empty username in the "Author" field in a commit.

Alerts:
Fedora FEDORA-2012-18464 cgit 2012-11-28
Fedora FEDORA-2012-18462 cgit 2012-11-28
openSUSE openSUSE-SU-2012:1421-1 cgit 2012-10-31
openSUSE openSUSE-SU-2012:1422-1 cgit 2012-10-31

Comments (none posted)

dokuwiki: path disclosure

Package(s):dokuwiki CVE #(s):CVE-2011-3727 CVE-2012-3354
Created:October 30, 2012 Updated:April 9, 2013
Description: From the Red Hat bugzilla [1, 2]:

A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of HTTP POST 'prefix' input value prior passing it to underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain full path location of particular requested DokuWiki page by issuing a specially-crafted HTTP POST request. (CVE-2012-3354)

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files. (CVE-2011-3727)

Alerts:
Mandriva MDVSA-2013:073 dokuwiki 2013-04-08
Gentoo 201301-07 dokuwiki 2013-01-09
Mageia MGASA-2012-0362 dokuwiki 2012-12-11
Fedora FEDORA-2012-16605 dokuwiki 2012-10-30
Fedora FEDORA-2012-16614 dokuwiki 2012-10-30

Comments (none posted)

drupal7: code execution

Package(s):drupal7 CVE #(s):
Created:October 29, 2012 Updated:October 31, 2012
Description: From the Drupal advisory:

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

Alerts:
Fedora FEDORA-2012-16421 drupal7 2012-10-28
Fedora FEDORA-2012-16442 drupal7 2012-10-28

Comments (none posted)

exim4: arbitrary code execution

Package(s):exim4 CVE #(s):CVE-2012-5671
Created:October 26, 2012 Updated:November 1, 2012
Description:

From the Debian advisory:

It was discovered that Exim, a mail transport agent, is not properly handling the decoding of DNS records for DKIM. Specifically, crafted records can yield to a heap-based buffer overflow. An attacker can exploit this flaw to execute arbitrary code.

Alerts:
openSUSE openSUSE-SU-2014:0986-1 exim 2014-08-11
openSUSE openSUSE-SU-2014:0983-1 exim 2014-08-11
Gentoo 201401-32 exim 2014-01-27
Fedora FEDORA-2012-17085 exim 2012-10-31
openSUSE openSUSE-SU-2012:1404-1 exim 2012-10-27
Ubuntu USN-1618-1 exim4 2012-10-26
Debian DSA-2566-1 exim4 2012-10-26
Fedora FEDORA-2012-17044 exim 2012-10-30

Comments (1 posted)

java: multiple unspecified vulnerabilities

Package(s):OpenJDK CVE #(s):CVE-2012-5078 CVE-2012-5080 CVE-2012-5082
Created:October 25, 2012 Updated:October 31, 2012
Description:

From the CVE entries:

CVE-2012-5078: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2012-5080: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2012-5082: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2 and earlier allows remote attackers to affect availability via unknown vectors.

Alerts:
SUSE SUSE-SU-2012:1398-1 OpenJDK 2012-10-24

Comments (none posted)

kdelibs: multiple vulnerabilities

Package(s):kdelibs CVE #(s):CVE-2012-4512 CVE-2012-4513
Created:October 31, 2012 Updated:February 28, 2013
Description: From the Red Hat advisory:

A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-4512)

A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory. (CVE-2012-4513)

Alerts:
Gentoo 201406-31 konqueror 2014-06-27
Oracle ELSA-2012-1418 kdelibs 2013-02-28
Oracle ELSA-2012-1416 kdelibs 2012-10-30
CentOS CESA-2012:1416 kdelibs 2012-10-30
CentOS CESA-2012:1418 kdelibs 2012-10-30
openSUSE openSUSE-SU-2012:1581-1 kdelibs4 2012-11-28
Scientific Linux SL-kdel-20121030 kdelibs 2012-10-30
Scientific Linux SL-kdel-20121030 kdelibs 2012-10-30
Red Hat RHSA-2012:1418-01 kdelibs 2012-10-30
Red Hat RHSA-2012:1416-01 kdelibs 2012-10-30

Comments (none posted)

kernel: information leak

Package(s):kernel CVE #(s):CVE-2012-0957
Created:October 29, 2012 Updated:November 6, 2012
Description: From the Red Hat bugzilla:

The uname() syscall since 3.0 with the UNAME26 personality leaks kernel stack memory contents.

Alerts:
openSUSE openSUSE-SU-2013:0396-1 kernel 2013-03-05
Oracle ELSA-2013-2507 kernel 2013-02-28
Ubuntu USN-1704-2 Quantal kernel 2013-02-01
Mageia MGASA-2013-0016 kernel-rt 2013-01-24
Ubuntu USN-1704-1 kernel 2013-01-22
Mageia MGASA-2013-0011 kernel-tmb 2013-01-18
Mageia MGASA-2013-0010 kernel 2013-01-18
Mageia MGASA-2013-0012 kernel-vserver 2013-01-18
Mageia MGASA-2013-0009 kernel-linus 2013-01-18
Ubuntu USN-1649-1 linux-ti-omap4 2012-11-30
Ubuntu USN-1647-1 linux-ti-omap4 2012-11-30
Ubuntu USN-1646-1 linux 2012-11-30
Ubuntu USN-1644-1 linux 2012-11-30
Ubuntu USN-1652-1 linux-lts-backport-oneiric 2012-11-30
Fedora FEDORA-2012-17479 kernel 2012-11-06
Red Hat RHSA-2012:1491-01 kernel-rt 2012-12-04
Ubuntu USN-1645-1 linux-ti-omap4 2012-11-30
Ubuntu USN-1648-1 linux 2012-11-30
Fedora FEDORA-2012-16669 kernel 2012-10-28

Comments (none posted)

libqt4: CRIME attack

Package(s):libqt4 CVE #(s):CVE-2012-4929
Created:October 31, 2012 Updated:November 12, 2014
Description: From the CVE entry:

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Alerts:
Debian-LTS DLA-400-1 pound 2016-01-24
Debian DSA-3253-1 pound 2015-05-07
Fedora FEDORA-2014-13777 Pound 2014-11-12
Fedora FEDORA-2014-13764 Pound 2014-11-07
openSUSE openSUSE-SU-2013:1630-1 openssl 2013-11-06
Gentoo 201309-12 apache 2013-09-23
Ubuntu USN-1898-1 openssl 2013-07-03
Fedora FEDORA-2013-4403 mingw-openssl 2013-04-03
CentOS CESA-2013:0587 openssl 2013-03-09
Oracle ELSA-2013-0587 openssl 2013-03-05
Oracle ELSA-2013-0587 openssl 2013-03-04
CentOS CESA-2013:0587 openssl 2013-03-05
Scientific Linux SL-open-20130304 openssl 2013-03-04
Red Hat RHSA-2013:0587-01 openssl 2013-03-04
Mageia MGASA-2013-0053 qt4 2013-02-16
Debian DSA-2627-1 nginx 2013-02-17
Debian DSA-2626-1 lighttpd 2013-02-17
openSUSE openSUSE-SU-2013:0157-1 libqt4 2013-01-23
openSUSE openSUSE-SU-2013:0143-1 libqt4 2013-01-23
Debian DSA-2579-1 apache2 2012-11-30
Ubuntu USN-1627-1 apache2 2012-11-08
Ubuntu USN-1628-1 qt4-x11 2012-11-08
openSUSE openSUSE-SU-2012:1420-1 libqt4 2012-10-31

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):firefox, thunderbird, xulrunner, seamonkey CVE #(s):CVE-2012-4194 CVE-2012-4195 CVE-2012-4196
Created:October 29, 2012 Updated:November 8, 2012
Description: From the Red Hat advisory:

Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code. (CVE-2012-4194, CVE-2012-4195, CVE-2012-4196)

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Mageia MGASA-2012-0353 iceape 2012-12-07
CentOS CESA-2012:1413 thunderbird 2012-10-30
Mageia MGASA-2012-0312 thunderbird 2012-10-29
Mandriva MDVSA-2012:170 firefox 2012-11-02
Slackware SSA:2012-304-01 thunderbird 2012-10-30
Oracle ELSA-2012-1413 thunderbird 2012-10-30
Mageia MGASA-2012-0311 firefox 2012-10-29
Oracle ELSA-2012-1407 firefox 2012-10-27
Fedora FEDORA-2012-16988 xulrunner 2012-11-08
SUSE SUSE-SU-2012:1426-1 Mozilla Firefox 2012-10-31
Slackware SSA:2012-304-02 seamonkey 2012-10-30
Scientific Linux SL-fire-20121030 firefox 2012-10-30
Fedora FEDORA-2012-16988 firefox 2012-11-08
Oracle ELSA-2012-1407 firefox 2012-10-26
Slackware SSA:2012-300-01 firefox 2012-10-26
Fedora FEDORA-2012-17307 thunderbird 2012-11-08
Scientific Linux SL-thun-20121030 thunderbird 2012-10-30
Fedora FEDORA-2012-17028 xulrunner 2012-10-30
Fedora FEDORA-2012-17028 firefox 2012-10-30
Red Hat RHSA-2012:1413-01 thunderbird 2012-10-29
CentOS CESA-2012:1407 firefox 2012-10-27
CentOS CESA-2012:1407 firefox 2012-10-27
Ubuntu USN-1620-2 thunderbird 2012-10-30
openSUSE openSUSE-SU-2012:1412-1 Mozilla 2012-10-30
CentOS CESA-2012:1413 thunderbird 2012-10-30
Ubuntu USN-1620-1 firefox 2012-10-26
Red Hat RHSA-2012:1407-01 firefox 2012-10-26

Comments (none posted)

optipng: use after free

Package(s):optipng CVE #(s):
Created:October 31, 2012 Updated:October 31, 2012
Description: From the optipng changelog:

Version 0.7.3 fixed a use-after-free vulnerability in the palette reduction code. This vulnerability was accidentally introduced in version 0.7.

Version 0.7.4 fixed the previous fix, which failed to fix the option -fix. (Thanks to Gynvael Coldwind and Mateusz Jurczyk for the report.)

Alerts:
Fedora FEDORA-2012-16680 optipng 2012-10-31

Comments (none posted)

python-django: information disclosure

Package(s):python-django CVE #(s):CVE-2012-4520
Created:October 30, 2012 Updated:March 8, 2013
Description: From the Mageia advisory:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

Alerts:
openSUSE openSUSE-SU-2013:1248-1 python-django 2013-07-24
openSUSE openSUSE-SU-2013:1203-1 python-django 2013-07-16
Ubuntu USN-1757-1 python-django 2013-03-07
Debian DSA-2634-1 python-django 2013-02-27
Mandriva MDVSA-2012:181 python-django 2012-12-19
Ubuntu USN-1632-2 python-django 2012-11-20
Ubuntu USN-1632-1 python-django 2012-11-15
Mageia MGASA-2012-0315 python-django 2012-10-29
Fedora FEDORA-2012-16440 Django 2012-10-31
Fedora FEDORA-2012-16417 Django 2012-10-30

Comments (none posted)

request-tracker: multiple vulnerabilities

Package(s):request-tracker3.8 CVE #(s):CVE-2012-4730 CVE-2012-4732 CVE-2012-4734 CVE-2012-4735 CVE-2012-4884
Created:October 29, 2012 Updated:November 8, 2012
Description: From the Debian advisory:

CVE-2012-4730: Authenticated users can add arbitrary headers or content to mail generated by RT.

CVE-2012-4732: A CSRF vulnerability may allow attackers to toggle ticket bookmarks.

CVE-2012-4734: If users follow a crafted URI and log in to RT, they may trigger actions which would ordinarily blocked by the CSRF prevention logic.

CVE-2012-4735: Several different vulnerabilities in GnuPG processing allow attackers to cause RT to improperly sign outgoing email.

CVE-2012-4884: If GnuPG support is enabled, authenticated users attackers can create arbitrary files as the web server user, which may enable arbitrary code execution.

Alerts:
Debian DSA-2567-1 request-tracker3.8 2012-10-26
Fedora FEDORA-2012-17174 rt3 2012-11-08
Fedora FEDORA-2012-17218 rt3 2012-11-08

Comments (none posted)

rtfm: privilege escalation

Package(s):rtfm CVE #(s):CVE-2012-4731
Created:October 29, 2012 Updated:October 31, 2012
Description: From the Debian advisory:

It was discovered that RTFM, the FAQ manager for Request Tracker, allows authenticated users to create articles in any class.

Alerts:
Debian DSA-2568-1 rtfm 2012-10-26

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds