A story of three kernel vulnerabilities

By Jonathan Corbet
February 19, 2013

A security-oriented firm called Trustwave recently sent out a preview of an upcoming report [PDF] that features some focused criticism of how the Linux community handles security vulnerabilities. Indeed, it says: "Software developers vary greatly in their ability to respond and patch zero-day vulnerabilities. In this study, the Linux platform had the worst response time, with almost three years on average from initial vulnerability to patch." Whether or not one is happy with how security updates work with Linux, three years sounds like a rather longer response time than most of us normally expect. Your editor decided to examine the situation by focusing on two vulnerabilities that are said to be included in the Trustwave report and one that is not.

Three years?

As of this writing, Trustwave's full report is not available, so a detailed look at its claims is not possible. But, according to this ZDNet article, the average response time was calculated from these two "zero-day" vulnerabilities:

CVE-2009-4307: a divide-by-zero crash in the ext4 filesystem code. Causing this oops requires convincing the user to mount a specially-crafted ext4 filesystem image.
CVE-2009-4020: a buffer overflow in the HFS+ filesystem exploitable, once again, by convincing a user to mount a specially-crafted filesystem image on the target system.

The ext4 problem was reported on October 1, 2009 by R.N. Sastry, who had been doing some filesystem fuzz testing. The report included the filesystem image that triggered the bug — that is the "exploit code" that Trustwave used to call this bug a zero-day vulnerability. Since the problem was limited to a kernel oops, and since it required the victim's cooperation (in the form of mounting the attacker's filesystem) to trigger, the ext4 developers did not feel the need to drop everything and fix it immediately; Ted Ts'o committed a fix toward the end of November. SUSE was the first distributor to issue an update containing the fix; that happened on January 17, 2010. Red Hat did not put out an update until the end of March — nearly five months after the problem was disclosed — and Mandriva waited until February of 2011.

One might argue that things happened slowly, even for an extremely low-priority bug, but where does "three years" come from? It turns out that the fix did not work properly on the x86 architecture; Xi Wang reported the problem's continued existence on December 26, 2011, and sent a proper fix on January 9, 2012. A new CVE number (CVE-2012-2100) was assigned for the problem and the fix was promptly committed into the mainline. Distributors were a bit slow to catch up, though; Debian issued an update in March, Ubuntu in May, and Red Hat waited until mid-November — nearly eleven months after disclosure — to ship the fix to its users. The elapsed time from the initial disclosure until Red Hat's shipping an update that fixes the problem properly is, indeed, just over three years.

The story for the HFS/HFS+ vulnerability is similar. An initial patch fixing a buffer overflow in the HFS filesystem was posted by Amerigo Wang at the beginning of December, 2009. The fix was committed by Linus on December 15, and distributor updates began with Red Hat's on January 19, 2010. Some distributors were rather slower, but it was another hard-to-exploit bug that was deemed to have a low priority.

The problem is that the kernel supports another (newer) filesystem called HFS+. It is a separate filesystem implementation, but it contains a fair amount of code that was cut-and-pasted from the original HFS implementation, much like ext4 started with a copy of the ext3 code. The danger of this type of code duplication is well known: developers will fix a bug in one copy but not realize that the same issue may be present in the other copy as well. Naturally enough, that was the case here; the HFS+ filesystem had the same buffer overflow vulnerability, but nobody thought to do anything about it until Timo Warns quietly told a few kernel developers about it at the end of April 2012. Greg Kroah-Hartman committed a fix on May 4, and the problem was publicly disclosed a few days after that. Once again, a new CVE number (CVE-2012-2319) was assigned, and, once again, distributors dawdled with the fixes; openSUSE sent an update in June, while Red Hat waited until October, five months after the problem became known. The time period from the initial disclosure of the HFS vulnerability until Red Hat's update for the HFS+ problem was just short of three years.

One could look at this situation two ways. On one hand, Trustwave has clearly chosen its vulnerabilities carefully, then applied an interpretation that yielded the longest delay possible. Neither story above describes a zero-day vulnerability knowingly left open for three years; for most of that time, it was assumed that the problems had been fixed. That is doubly true for the HFS+ filesystem, for which the vulnerability was not even disclosed until May, 2012. Given the nature of the vulnerabilities, it is highly unlikely that the black hats were jealously guarding them in the meantime; the odds are good that no system has ever been compromised by exploiting either one of them. Trustwave's claims, if they are indeed built on these two vulnerabilities, are dubious and exaggerated at best.

On the other hand, even low-priority vulnerabilities requiring the victim's cooperation should be fixed — and fixed properly — in a timely manner, and it is not at all clear that happened with these problems. The response to the ext4 problem was arguably fast enough given the nature of the problem, but the fact that the problem persisted on the obscure x86 architecture suggests that the testing applied to that fix was, at best, incomplete. In the HFS/HFS+ case, one could argue that somebody should have thought to check for copies of the bug elsewhere. The fact that the HFS and HFS+ filesystems are nearly unused and nearly unmaintained did not help in this case, but attackers do not restrict themselves to well-maintained code. And, for both bugs, distributors took their time to get the fixes out to their users. We can do better than that.

Meanwhile, in 2013

Perhaps the slowness observed above is the natural response to vulnerabilities that nobody is actually all that worried about. Had they been something more serious, it could be argued, the response would have been better. As it happens, there is an open issue at the time of this writing that can be examined to see how well we do respond; the answer is a bit discouraging.

On January 20, a discussion on the private kernel security list went public with this patch posting by Oleg Nesterov. It seems that the Linux implementation of the ptrace() system call contains a race condition: a traced process's registers can be changed in a way that causes the kernel to restore that process's stack contents to an arbitrary location. The end result is the ability to run arbitrary code in kernel mode. It is a local attack, in that the attacker needs to be able to run an exploit program on the target system. But, given the ability to run such a program, the attacker can obtain full root privileges. That is the kind of vulnerability that needs quick attention; it puts every system out there at the mercy of any untrusted users that may have accounts there — or at the mercy of any attacker that may be able to compromise a network service to run an arbitrary program.

On February 15, the vulnerability was disclosed as such, complete with handy exploit code for those who do not wish to write their own. Most victims are unlikely to apply the kernel patch included with the exploit that makes the race condition easier to hit; the exploit also needs the ability to run a process with real-time priority to win the race more reliably. But, even without the patch or real-time scheduling, a sufficiently patient attacker should be able to time things right eventually. Solar Designer reacted to the disclosure this way:

I haven't looked into this closely yet, but at first glance it looks like the worst Linux kernel vulnerability in a few years. For distro vendor kernels (rather than mainline, which was patched almost a month ago), this is a 0-day.

Arguably this should not be a zero-day vulnerability: the public discussion of the fix is nearly one month old, and the private discussion had been going on for some time before. But, as of this writing, no distributors have issued updates for this problem. That leads to some obvious questions; quoting Solar Designer again:

The mainline commits from January are by Oleg Nesterov of Red Hat. Why wasn't(?) the issue handled with due severity within Red Hat, then - such that Red Hat would at the very least have a statement on whether and which of their kernels are affected by now.

One assumes that such a statement will be forthcoming in the near future. In the meantime, users and system administrators worldwide need to be worried about whether their systems are vulnerable and who might be exploiting the problem.

Once again, we can do better than that. This bug was known to be a serious vulnerability from the outset; one of the developers who reported it (Salman Qazi, of Google) also provided the exploit code to show how severe the situation was. Distributors knew about the problem and had time to respond to it — but that response did not happen in a timely manner. The ptrace() problem will certainly be straightened out in less than three years, but that still may not be a reason for pride. Users should not be left wondering what the situation is (at least) one month after distributors know about a serious vulnerability.

Index entries for this article
Kernel	Security/Vulnerabilities
Security	Bug reporting
Security	Linux kernel

A story of three kernel vulnerabilities

Posted Feb 19, 2013 18:19 UTC (Tue) by joey (guest, #328) [Link] (13 responses)

While the ptrace hole is clearly a higher priority class of security hole than a filesystem security hole, filesystem holes barely need the "victim's cooperation" to exploit anymore.

For example, at LCA2013, the swag bag contained a small USB key with a penguin logo. I'm amoung the probably majority of attendees who plugged that key into a laptop without disabling the default automounting. That could have easily been a mass exploit vector to access development machines for many Linux and free software developers and perhaps a LWN editor too. ;)

AFAIK it was not, nor was the PDF file on the drive that some attendees also opened.. But all that is needed to do such a mass exploit is an inexpensive hardware order and a bit of social engineering... and a "low priority" kernel security hole.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 19:32 UTC (Tue) by ms-tg (subscriber, #89231) [Link] (12 responses)

Is it also possible to exploit this by mounting an image of a filesystem on loopback?

A story of three kernel vulnerabilities

Posted Feb 20, 2013 7:12 UTC (Wed) by smurf (subscriber, #17840) [Link]

Definitely.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 7:17 UTC (Wed) by error27 (subscriber, #8346) [Link] (10 responses)

$ mount -o loop foo mnt
mount: only root can do that

But otherwise yes, the fuzzer uses loop back filesystems for testing. The thing about USB sticks is that most distros automount them when you plug them in.

Probably they should not automount less used filesystems.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 9:54 UTC (Wed) by josh (subscriber, #17465) [Link] (9 responses)

I'd argue that rarely-used filesystems (90% of the "Miscellaneous Filesystems" menu in kconfig) ought to become FUSE modules running in a seccomp sandbox, having only the permissions they need to read or write the mounted device and respond to FUSE requests.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 12:48 UTC (Wed) by robert_s (subscriber, #42402) [Link] (8 responses)

Because the people who use rarely used filesystems don't want them to be fast?

In an ideal world of course, it would be possible to run all filesystem drivers as FUSE modules or in kernel.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 13:39 UTC (Wed) by robert_s (subscriber, #42402) [Link] (7 responses)

>In an ideal world of course, it would be possible to run all filesystem drivers as FUSE modules or in kernel.

Replying to myself - upon reading to the bottom of these comments it seems libguestfs can do this to some extent.

Perhaps a security-conscious distribution should consider doing auto-mounting of any "removable" block devices through such a mechanism.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 14:31 UTC (Wed) by drag (guest, #31333) [Link] (6 responses)

I don't see the benefit of using 'FUSE' from a security perspective.

FUSE still goes to through kernel file system interface, and then you have all the file system code, and the setuid fuse binaries and special permissions that the user has to have to access /dev/fuse.

It seems to me to be a attempt to throw code and complexity to obsofgate (sp?) a potential security hole. It just seems to be a better to approach just to fix the code.

Also I am pretty sure that if somebody plugs a device into a machine they have the full intention of mounting it to see what is on it. Having a 'ack' button may be useful in a case where you do not want a device mounted while you are away from the computer and the screen is locked, but besides that having a extra step the user must go through to mount it would serve little purpose. It may make people feel more comfortable or help people (like me) that tend to do odd things with flash file systems that precludes mounting them.

This is the case were potentially some sort of 'anti-virus' code may be useful to validate the device before mounting it, but that seems to open up a whole new can of worms.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 14:48 UTC (Wed) by robert_s (subscriber, #42402) [Link] (3 responses)

>I don't see the benefit of using 'FUSE' from a security perspective.

Well you'd better tell the authors of libguestfs then (largely RedHat) as security seems to be its main intention.

If you're saying that an exploit granting access to a user space program is just as dangerous as it having access to kernel space, I think most people would disagree with you.

The point is not whether or not the user wants to mount the device - let's take it for granted that they do, so confirmation is irrelevant. It's whether that USB stick that was just handed to them at a conference is able to directly exploit their kernel on insertion through a specially crafted filesystem.

"Just fix"ing "the code" in this case means "always getting all filesystem code 100% right 100% of the time".

A story of three kernel vulnerabilities

Posted Feb 20, 2013 16:01 UTC (Wed) by drag (guest, #31333) [Link] (2 responses)

> If you're saying that an exploit granting access to a user space program is just as dangerous as it having access to kernel space, I think most people would disagree with you.

No.

I am saying that taking a security problem that exists in kernel space and then trying to fix it by moving to a mixture of kernel space and userspace and throwing in a couple setuid root binaries isn't a silver bullet.

Fuse requires kernel file system features as well as setuid root binaries to operate properly. Without granting users access to /dev/fuse you can't 'mount' fuse file systems. Just granting users the ability to use fuse is a security risk in itself.

Now if you were to say that you wanted to use something like GVFS, which itself doesn't require any special privileges or fuse mounts or anything like that, then that's different. That is completely in a user account, but it's not POSIX compatible and requires programs to be GVFS aware.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 16:07 UTC (Wed) by drag (guest, #31333) [Link] (1 responses)

Oh and as far as 'userspace vs kernelspace', since all this stuff requires root privileges to do, unless you want to depend entirely on GVFS and whatnot, then any exploit that gives you root access gives you kernel access. Pretty much same different, unfortunately.

A story of three kernel vulnerabilities

Posted Feb 21, 2013 19:40 UTC (Thu) by alonz (subscriber, #815) [Link]

The only setuid binary involved with using FUSE is "fusermount", which only opens /dev/fuse and immediately drops privilege. The filesystem handler itself runs as an unprivileged user.

So I, for one, really don't get your point.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 20:33 UTC (Wed) by josh (subscriber, #17465) [Link]

Just running in userspace doesn't necessarily give you an inherent security advantage, especially if running as the primary user on the system. However, many more facilities exist to isolate and sandbox userspace binaries to protect against exploits. For instance: take a kernel filesystem driver, port it to FUSE, and run the actual process that does filesystem parsing inside of a seccomp sandbox that only has permission to read and write the mounted device and respond to FUSE requests. Then, even if that filesystem parsing got exploited, the exploit can do very little to harm the system. It could crash, slow down filesystem accesses, serve up arbitrary file content (already possible if you control the filesystem image), or burn CPU, but it can't make arbitrary system calls and can't easily escalate privileges.

they have the full intention of mounting it to see what is on it

Posted Feb 28, 2013 21:20 UTC (Thu) by Wol (subscriber, #4433) [Link]

Not at all.

Assuming the automount works even if the screen is locked (as I get the impression is often the case), this is a perfect way of breaking into someone else's machine. If the exploit opens a root shell on a secret port, that machine is now owned ...

So in that case, the user knows exactly what is on it. They want to see what's on the machine.

So a confirmatory pop-up (as I get on my gentoo system) *is* a very effective security step.

Cheers,
Wol

A story of three kernel vulnerabilities

Posted Feb 19, 2013 19:45 UTC (Tue) by spender (guest, #23067) [Link] (17 responses)

The Trustwave "analysis" obviously has a severe bias and its sample size makes it a joke. It's unfortunate, because there are many legitimate examples that could have been used instead. Just a sampling from my changelogs shows tons of vulnerabilities whose fixes haven't been backported to earlier stable kernels.

The PTRACE_SETREGS race vulnerability in various incarnations goes back to at least 2.4, so at least 12 years of vulnerability (both on x86 and x86_64 BTW). FWIW, given the characteristics of the vulnerability, the constraints on it, and the extensive cleanup required to not bring the system down with it, it's unlikely to be exploitable on a grsecurity system with KERNEXEC/UDEREF enabled. If it were possible, a large infoleak of kernel .text would be needed (which we've hopefully eradicated via USERCOPY) and an additional infoleak or reliable address with which to store a ROP payload.

BTW I released the ARM blog I had mentioned earlier, for those who are interested:
https://forums.grsecurity.net/viewtopic.php?f=7&t=3292

-Brad

A story of three kernel vulnerabilities

Posted Feb 19, 2013 21:47 UTC (Tue) by Trou.fr (subscriber, #26289) [Link] (14 responses)

I concur with spender's remark, the vulnerabilities could have been selected to underline a real problem with security and not just metrics with a DoS nobody will ever trigger (the ext4 one is a joke).

However, the handling of the ptrace vuln is very representative of the state of security in the Linux world.

Nobody cares about real security. The only progress that has been made in actual security in a _mainline_ distro was in Ubuntu with the work of Kees Cook. Distros don't care about security, Linus doesn't care either so we're stuck with a platform with very little progresss in 10 years.

The support for signed kernel module is quite representative too : it's been implemented because of UEFI, 10 years too late (in Linus' words).

Seeing the awesome work in grsecurity and PaX being ignored is depressing. The discussion about the inclusion of grsecurity in Debian is quite revealing : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090 :( It leads to fragmentation : people with security needs manage and maintain their own grsecurity kernel and just don't even try to push it upstream because of the refusals they will get...

Microsoft, which was despised for its horrible security 10 years ago has made such progress that Linux is considerably behind now. I just hope we'll be able to catch up.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 22:05 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

support for signed kernel modules has existed for a long time and wasn't created because of UEFI. It has been in the distro kernels for years before it got upstream. Specifically, RHEL kernels have been using it. It just got recently upstream however.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 22:59 UTC (Tue) by spender (guest, #23067) [Link] (1 responses)

Signed module support is still completely useless unless the /dev/cpu/*/msr vulnerability is fixed properly. Checking for CAP_SYS_RAWIO doesn't cut it.

-Brad

A story of three kernel vulnerabilities

Posted Feb 19, 2013 23:37 UTC (Tue) by mjg59 (subscriber, #23239) [Link]

If you're root you've also got access to the MMIO regions of a bunch of devices with DMA engines, so just locking down MSR access isn't going to be a huge win. The Secure Boot work covers most of this, but it's based on the assumption that unless you've got some mechanism for verifying the integrity of your bootloader and on-disk kernel, the security improvement isn't huge - modify the embedded sectors of the bootloader (so tripwire won't pick things up), and just wait for the system to be rebooted for a kernel security update.

Signed module support in RHEL was never about security, it was about supportability. If customers are willing to use MSR hacks to load unsigned modules they're also going to be willing to just modify their bug reports to remove the tainted flags, so making it foolproof was never a great concern.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 10:30 UTC (Wed) by renox (guest, #23785) [Link] (4 responses)

> I concur with spender's remark, the vulnerabilities could have been selected to underline a real problem with security and not just metrics with a DoS nobody will ever trigger (the ext4 one is a joke).

"could have been"? What about the HFS+ exploit?
As joey remarked above, it is a real issue..
By focusing on the ext4 DOS, you "forget" the other issue.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 13:52 UTC (Wed) by Trou.fr (subscriber, #26289) [Link] (3 responses)

well it's a "real" issue but it's nothing compared to others that have a wide security impact as in every script kiddie can pwn a webserver :
1) outdated CMS with remote code execution (mostly PHP)
2) easy execution of any executable
3) ready to use exploit that works reliably as unprivileged user

The HFS+ vuln is not exploitable in that case. While it can be used for "physical" attacks like the USB key, it is not usable remotely.

_Thousands_ of servers have been compromised with that scenario :
1) vulnerable webapp
2) escalation to root using kernel vulnerability (or poor sysadmin)
3) ssh backdoor to collect passwords
4) compromise other hosts, goto 3
5) use compromised servers as DDoS platforms, proxy, whatever...

A story of three kernel vulnerabilities

Posted Feb 20, 2013 16:24 UTC (Wed) by bfields (subscriber, #19510) [Link] (2 responses)

In the late eighties/early nineties I seem to recall infected floppy disks were the main (or at least a very common) vector for virus transmission.

If people don't exchange data on usb keys as much as they used to on floppies, perhaps that wouldn't be as effective these days.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 23:59 UTC (Wed) by andrel (guest, #5166) [Link] (1 responses)

Supposedly Stuxnet was transmitted using a USB key.

A story of three kernel vulnerabilities

Posted Feb 21, 2013 11:55 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]

Stuxnet used a vulnerability in the Windows shell (the so-called LNK vulnerability), not in the filesystem code.

As for floppies, viruses spread mostly by running infected executables, not using vulns.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 20:44 UTC (Wed) by corsac (subscriber, #49696) [Link] (4 responses)

And about support for signed modules: I'm sure everyone loves having an X509/ASN1 parser running in ring0.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 21:23 UTC (Wed) by raven667 (subscriber, #5198) [Link]

There is far far far more than that when it comes to complex interfaces. Aside from the arbitrariness of ioctl there is bpf and GPU command validation as well as iptables and who knows what else that is passing complex data structures into the kernel.

A story of three kernel vulnerabilities

Posted Feb 21, 2013 3:16 UTC (Thu) by draco (subscriber, #1792) [Link] (1 responses)

There's nothing about signing stuff that requires ASN.1 or X.509. Also, it's entirely possible that userspace uses ASN.1/X.509 to get at the keys to sign with, but something else to carry the signature itself.

If the kernel must parse ASN.1/X.509 to parse the signature for authentication...yikes, but that's not a requirement. (And even if they are, I hope it's a really limited implementation.)

A story of three kernel vulnerabilities

Posted Feb 21, 2013 6:16 UTC (Thu) by corsac (subscriber, #49696) [Link]

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;...

A story of three kernel vulnerabilities

Posted Feb 21, 2013 19:13 UTC (Thu) by zlynx (guest, #2285) [Link]

I'd rather have an ASN1 parser in there than yet another custom format. At least ASN1 is well defined and doesn't shift its meaning on different machine architectures.

A story of three kernel vulnerabilities

Posted Mar 1, 2013 17:56 UTC (Fri) by lopgok (guest, #43164) [Link]

I think the SELinux is real security 'progress in a _mainline_ distro'.

It is in the mainline kernel.
It is enabled by default in RHEL and fedora and perhaps elsewhere.
I heard it is even in the newest Android builds.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 9:17 UTC (Wed) by epa (subscriber, #39769) [Link]

Yes, they took a biased sample. But that's the thing about security: you cannot rely on the law of averages to help you. An attacker only needs to be lucky once. If Trustwave can cherry-pick three vulnerabilities which took a long time to fix, an attacker can do the same. So it is quite legitimate to criticize the state of security fixes based on one security hole left unpatched, even if there were a thousand others fixed promptly.

A story of three kernel vulnerabilities

Posted Feb 22, 2013 5:41 UTC (Fri) by jtc (guest, #6246) [Link]

'The Trustwave "analysis" obviously has a severe bias and its sample size makes it a joke.'

Not only is their analysis biased, but, if the zdnet summary of their report is to be believed, they've shown themselves to be incompetent:

"Zero-day flaws — software vulnerabilities for which no patch is available — in the Linux kernel that were patched last year took an average of 857 days to be closed, Trustwave found. In comparison zero-day flaws in current Windows OSes patched last year were fixed in 375 days."

The obvious implication is that this is a claim that the average of time to close for all zero-day defects in the Linux kernel is 3 years (versus 375 days for Windows). Obviously, an average cannot be calculated from 2 instances, which are very likely worst-case, out of many critical defects. Such miscalculation, of course, implies incompetence (or the zdnet summary is inaccurate). The criticism that these 2 cases took too long to fix is, perhaps, warranted, but nobody paying attention will conclude from their report that the implication of the headline ("Linux trailed Windows in patching zero-days in 2012...") is anything other than bullshit.

Interestingly, at the end of the zdnet article is:

"The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

This might be viewed as evidence that Trustwave is not biased, but, unfortunately for them in light of their main (apparent) claim, not as evidence that they are not incompetent.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 19:48 UTC (Tue) by dlang (guest, #313) [Link]

This is one of the big problems with using 'vendor' kernels

They are supposed to be more reliable because they have better testing, but that testing takes time, and no distro ships the latest upstream kernel, so every distro has the added delay that they need to

1. notice that a change needs to be backported to their private kernel (I'm sure the usual suspects will again blast the kernel developers for not labeling every patch with it's security implication so that people could only look at 'security' patches, but that's a very old debate)

2. backport the change (figuring out if the patch has other implications due to other, unrelated changes that have taken place in the meantime)

3. test the 'new' kernel

4. ship the 'new' kernel to users.

All of this takes a long time, a few months of delay is actually surprisingly good (although 11-13 months seems to be a bit on the long side)

A story of three kernel vulnerabilities

Posted Feb 19, 2013 20:28 UTC (Tue) by hibiscus (guest, #86633) [Link] (5 responses)

Just for the record, the attached "PoC" code, really was "PoC". It's very far from a "handy working exploit".

The race is hard to win in this case. And as you can see, the PoC requires a kernel patch to work reliably.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 21:00 UTC (Tue) by drag (guest, #31333) [Link] (4 responses)

'work reliably' is a relative term.

How many times can a script kiddie try the exploit in a minute? In a hour? In a day? I don't know the details on this exploit, but I expect the answers to any of those questions should range from the thousands to the tens of thousand attempts.

How many times does it have to work? The answer, of course, is 'once'. So if the exploit is as little as 0.0001% reliable I bet it can can lead to a rooted computer 100% of the time given the right circumstances.

A story of three kernel vulnerabilities

Posted Feb 19, 2013 21:30 UTC (Tue) by hibiscus (guest, #86633) [Link] (3 responses)

bruteforcing could be baked into a real exploit, but if you're not smart about it it could still take days.

A story of three kernel vulnerabilities

Posted Feb 20, 2013 4:09 UTC (Wed) by rahvin (guest, #16953) [Link] (2 responses)

The point is that even a bad exploit that takes days could be scripted to run automatically while the cracker does other things. Unless you've got some rate limiting on such things a script can be written to automate even a 0.000001% success rate into a 100% success rate given time.

A story of three kernel vulnerabilities

Posted Feb 21, 2013 15:03 UTC (Thu) by alankila (guest, #47141) [Link] (1 responses)

To inject some numbers to this claim, and unless I am badly mistaken, the failure chance is 99.999999%. Raising that number to the power of approximately 70 million yields around 50 % success probability. It is fundamentally a matter of chance, so 100% success can never be achieved, though something very close to it can be achieved, of course.

In any case this sort of probabilities require means to fire the attack several times per second or it will probably take years of continuous attempting before succeeding. Unfortunately ptrace sounds like the sort of thing you can try thousands of times per second.

A story of three kernel vulnerabilities

Posted Feb 21, 2013 16:20 UTC (Thu) by drag (guest, #31333) [Link]

I am guessing that those numbers are the worst case scenario when it comes to the viewpoint of the attacker. I would expect that there are a significant number of things that can be done to improve the odds.

Filesystem vulnerabilities

Posted Feb 20, 2013 10:42 UTC (Wed) by rwmj (subscriber, #5474) [Link] (2 responses)

Vendors seem not to consider filesystem vulnerabilities to be serious (including Red Hat who I work for). Yet they are very serious when you add virtualization into the mix.

For example OpenStack out of the box will mount untrusted guest filesystems on the host kernel, so all you need to do is upload a malicious filesystem image to a public cloud in order to attack the host and any other VMs running on the same system.

We (Red Hat) have worked to mitigate this by using libguestfs which adds several layers of protection between a malicious filesystem and the host:

http://libguestfs.org/guestfs.3.html#security-of-mounting...

But with sysadmins still using kpartx / loopback mounting, there's still a need to take fs vulnerabilities much more seriously.

Filesystem vulnerabilities

Posted Feb 21, 2013 1:06 UTC (Thu) by dgc (subscriber, #6611) [Link] (1 responses)

> Vendors seem not to consider filesystem vulnerabilities to be serious
> (including Red Hat who I work for).

Vendors take them extremely seriously, but there's lots more to the process than "OMG!!! Security Problem! World ends at 5pm if we don't have a fix by then!". As a filesystem developer (who co-incidentally works for Red Hat, too) I have fixed my fair share of fsfuzz related bug reports over the years.

So, what's the real issue here? It's that most fuzzer "filesystem vulnerabilities" are either a simple denial-of-service (non-exploitable kernel crash), or are only possible to exploit when you *already have root* or someone does something stupid from a security perspective. However, once a problem is reported to the security process it is captured, and the security process takes over everything regardless of whether subsequent domain-expert analysis shows that the bug is security problem or not.

> For example OpenStack out of the box will mount untrusted guest
> filesystems on the host kernel,

This is a prime example of "doing something stupid from a security perspective". Virtualisation is irrelevant here - the openstack application is doing the equivalent of picking up a USB stick in the car park and plugging it into a machine on a secured network.....

However, to really understand the situation from an fs developer POV you need to understand a bit of history and a bit about risk. That is, any change to filesystem format validation routines has risk of causing corruption or false detection of corruption, and hence you can seriously screw over the entire filesystem's user base with a bad fix.

Think about it for a moment - a divide by zero crash on a specifically corrupted filesystem is simply not something occurs in production environments. However, the changes to the code that detects and avoids the problem is executed repeatedly by every single ext4 installation in existence. IOWs, the number of people that may be affected by the corrupted filesystem div0 problem is *exceedingly tiny*, while the number of people that could be affected by a bad fix is, well, the entire world.

Then consider that the CVE process puts pressure on the developers to fix the problem *right now* regardless of any other factors. Hence the fixes tend to rushed, not well thought out, are only lightly tested and not particularly well reviewed. In the filesystems game, than means the risk of regressions or the fix not working entirely as intended is significant.

In the past this risk was ignored for security fixes, and that's why we have a long history of needing to add more fixes to previous security fixes. We have proven that the risk of regressions from rushed fixes is real and it cannot be ignored. Hence -in this arena- the CVE process could be considered more harmful to users than leaving the problem unfixed while we take the usual slower, more considered release process. i.e. the CVE process (and measuring vendor performance with CVE open/close metrics) simply does not take into account that fixing bugs badly can be far worse for users than taking extra time to fix the bug properly.

Vendors that do due diligence (i.e. risk assessment of such bugs outside of the security process) are more likely to correctly classify fuzz-based filesystem bugs compared to the security process. Hence we see vendors mitigating the risk of regressions by testing the filesystem fixes fully before releasing them rather than rushing out a fix just to close a CVE quickly.

IOWs, -more often than not- vendors are doing exactly the right thing by their user base with respect to filesystem vulnerabilities. The vendors should be congratulated for improving on a process that had been proven to give sub-standard results, not flamed for it...

-Dave.

Filesystem vulnerabilities

Posted Feb 21, 2013 1:55 UTC (Thu) by PaXTeam (guest, #24616) [Link]

the CVE process has nothing to do with how fast a bug is fixed. it's only concerned with cataloging bugs, disclosure/fix/etc strategy is always up to the vendor/author. so if you had a problem with rushed fixes in the past, look no further than your own managers who forced you to do it.

A story of three kernel vulnerabilities

Posted Feb 22, 2013 10:36 UTC (Fri) by ortalo (guest, #4654) [Link]

Am I mistaken or don't we have every other year a report showing that linux kernel security bugs are fixed very slowly? It started approximately since linux itself gained significant reputation in that area against proprietary operating systems (so nearly forever).
I think it's FUD. Admittedly that's an uninformed comment because I am so convinced of that, that I do not even take the time to read the reports in question anymore...
But I'd like to outline something factual: I see 2 CVE ids here from 2009.
In 2009 only, there were over 5500 CVE ids. The evolution of the number of CVE entries since 2000 is, in my opinion, a much more interesting topic [1].
Now my question for Trustwave: who funded that research?

Just my 2/5500 cents...

[1] BTW, I have a graph of that data at http://rodolphe.ortalo.free.fr/COURS_SE_2012_r3.pdf, page 15, but everyone can grab it from cve.mitre.org

Can't disable unused filesystems

Posted Feb 22, 2013 23:13 UTC (Fri) by jmorris42 (guest, #2203) [Link] (7 responses)

Of course something else that would help if if Linux still had something resembling documented, knowable/controllable behavior. In the days of old /etc/filesystems declared which filesystems could be automatically detected and mounted, all others requiring an explicit mount with the -t switch to force detection of the filesystem.

That file still exists of course, and the mount command will still honor it when issued from a command line; but it is ignored by graphical desktops. And this defect is undocumented and if filed as a bug would be instantly closed as NOTABUG.

For example the machine I'm typing on dual boots Win7 and has an NTFS filesystem for it. Despite efforts to suppress it, it shows an icon on my desktop and if I right click it the desktop environment happily offers to mount it and it will succeed. Meanwhile /etc/filesystems is still the stock one supplied by Fedora. It lists vfat, hfs and hfsplus (why) but does not mention ntfs.

In a sane world a Linux desktop would not automatically mount rare filesystems, better still it would honor /etc/filesystems so the user could control it. Just how many users need hfs support? On a removable device? Close enough to zero it should default to no. These days ext[234],vfat,ntfs,iso9660 and udf probably should default to supported with everything else off.

Can't disable unused filesystems

Posted Feb 23, 2013 12:39 UTC (Sat) by cortana (subscriber, #24596) [Link] (3 responses)

It might be possible to implement something like this today with udev rules... if you could set the UDISKS_SYSTEM_INTERNAL property on a disk based on the value of one of its partitions ID_FS_TYPE properties. However I don't know how well that would interact with more interesting disk layouts (e.g., NTFS filesystem inside a LUKS container only unlocked once the user has double-clicked on it in the GUI).

As for /etc/filesystems and /proc/filesystems, these days mount itself only seems to consult them if '-t auto' is used (or '-t' is absent entirely) and if libblkid fails to identify the correct filesystem. So I get the feeling that /etc/filesystems is really a remnant of an obsolete feature that hasn't been used since kernel module autoloading went in.

Can't disable unused filesystems

Posted Mar 2, 2013 16:59 UTC (Sat) by jmorris42 (guest, #2203) [Link] (2 responses)

Yea, /etc/filesystems is documented as only being consulted for -t auto or leaving the switch off entirely. If you explicitly specify a filesystem you expect the system to do what you told it.

But the key point remains, after several replies nobody can point to a way to actually solve a problem that exists on all graphical desktops.

udev is clearly not intended to be modified by the end user. It isn't documented, the files controlling it are written in a way to be hostile to manual editing and the entire subsystem has been churning for years.

Simply stopping the modules from loading isn't a good solution either.

You can't even reliably suppress the icons from appearing on a desktop. I once found a way to do it, it worked until the next Fedora.

Can't disable unused filesystems

Posted Mar 3, 2013 15:42 UTC (Sun) by cortana (subscriber, #24596) [Link] (1 responses)

udisks does provide properties you can use to prevent volumes from being mounted by and/or shown to the user, so this should be possible. The churn is a huge pain in the arse, however. And I see it's about to get worse, since udisks is being replaced by udisks2... :/

Can't disable unused filesystems

Posted Mar 4, 2013 15:27 UTC (Mon) by nix (subscriber, #2304) [Link]

In effect udisks has been unmaintained for ages. I've reported several bugs that could well be security holes upstream (writes through null pointers, writes through uninitalized, pointers, the code quality is really quite dire). Not one has ever got a response.

Can't disable unused filesystems

Posted Feb 24, 2013 8:49 UTC (Sun) by paulj (subscriber, #341) [Link] (1 responses)

Ah, so I'm not the only frustrated by lots of "disk" icons appearing in nautilus, that are to do with the system, and there not being any reasonably obvious way (either from UI or in /etc) to hide them?

Arg!

Sure CAN disable unused filesystems =:^)

Posted Mar 12, 2013 3:59 UTC (Tue) by Duncan (guest, #6647) [Link]

On gentoo anyway, turning off such filesystem support, and automount support in general, is easy. Appropriate USE flags and kernel ensure support for this is NOT builtin. Of course whether you consider gentoo "a reasonably obvious way" or not is up to you, but...

My gentoo/kde systems are build without udisks, policykit, etc support, the appropriate USE flags turned off, both due to the heavy dependencies (udisks-1 wanted lvm2, udisks2 wants gparted while I use gptfdisk, I need those installed like I need another hole in my head!). And the kernel is built for the specific system it's on, monolithic, module support turned off. (Tho I did have to package.provided a couple runtime deps, including kdesu, that I didn't need anyway. I could of course have edited and overlaid the ebuilds to kill the runtime deps, but that would have been a repeated edit over many updates. Package.provideing them only need be done once.)

So no automounting or GUI superuser access and for SURE no support for obscure filesystems!

Where specific privlege-required functions are to be used by the GUI user, I configure sudoers to allow the specific command, no more, no less, with or without password required, depending on the need and how locked down the command actually is. Yes, that does require that the user use the commandline for it, but IMO, if a user isn't comfortable using the commandline, they have no business running superuser/privileged commands in the first place.

Of course that's a bit drastic for many, but that's precisely the point, gentoo, being build from source by the user, allows turning off unneeded features at end-user-controlled build-time, as opposed to centralized distro decided "someone might use it so we better enable it" defaults, at /their/ buildtime. If you want automount, turn on the appropriate USE flags, else turn them off and don't even have the otherwise required components installed in the first place. Actually, it's more than that, in effect, over time gentoo STRONGLY ENCOURAGES observance of the security "only install what you actually use" rule, because otherwise you're repeatedly building updates for stuff you don't use anyway, so if you're not actually using it, it quickly becomes simpler to just turn it off and not worry about building it any more.

So yes, there's a "reasonably obvious" way to turn them off... switch to a distro (and desktop, if necessary, but I'd guess gnome on gentoo allows turning it off too, I just don't know for sure as I don't use it) that allows it, if yours doesn't. =:^)

Duncan

Can't disable unused filesystems

Posted Feb 24, 2013 15:40 UTC (Sun) by spender (guest, #23067) [Link]

Grsecurity can do this. It happily prevents udisks from auto-loading modules for whatever filesystems on behalf of unprivileged users. It's unfortunate though that Linux is moving in this direction (of security decisions being made in userland brokers) as it hinders the ability to enforce more secure mandatory security policies.

Grsecurity will also prevent mount from being able to load arbitrary kernel modules (it will be restricted to modules that register a filesystem).

This is a subset of the full GRKERNSEC_MODHARDEN feature which prevents unprivileged users from being able to auto-load kernel modules, without having to implement a posteriori blacklists.

-Brad

A story of three kernel vulnerabilities

Posted Feb 28, 2013 6:40 UTC (Thu) by geek (guest, #45074) [Link]

"...for most of that time, it was assumed that the problems had been fixed."
Isn't that, in principle, a testable assumption? I'd be interested to know if there is a testing discipline around such an assumption, I suppose it isn't the only time this has occurred.

Dave