Security
ABS: Android security underpinnings
In a two-hour session at the 2013 Android Builders Summit, Marko Gargenta described the "underpinnings" of Android security. It was a wide-ranging talk that filled in many details of the Android security model and its implementation. There are multiple layers in the Android stack, Gargenta said, showing a slide [JavaScript] of the Android architecture. He broke the stack up into four layers: kernel, native code, API, and apps. Each of those has its own security concerns, he said.
Apps
In the Android security architecture, apps cannot directly interact with each other, nor with any of the other processes on the system. Those other processes come about as the Android system is initialized. After the kernel boots, init launches a few daemons needed by the rest of the system (vold, netd, installd), then starts the servicemanager. In turn, the servicemanager launches zygote, which is the "initial app" and the root of the app tree. All of those processes run as the root user, but anything started after that (including the system_server and any apps) run under its own user ID (UID).
Each app runs in its own process, and by default is not allowed do anything to adversely affect any other app, the system, or the user. That separation is enforced by the kernel's normal user permissions. On top of that, Android adds a fine-grained permission system that allows users to grant specific privileges to apps, but the apps must declare the privileges they want ahead of time.
Apps can explicitly share resources and data with other apps via the binder inter-process communication (IPC) mechanism, ContentProviders, Intents, the filesystem, local sockets, and so on. That sharing is outside of the scope of the Android security model. All apps are treated equally by the system, with the same level of application sandboxing.
The sole enforcement mechanism for the application sandbox is the Linux kernel. The Dalvik virtual machine (VM) does not provide a security boundary (unlike the Java VM). Each app has its own Dalvik VM as well as all the Android resources (activities, services, receivers, providers, etc.) in its process space.
Apps are stored in a .apk files, which must be signed. The signature is meant to uniquely identify the owner of the app, but that doesn't necessarily translate to a real life entity. It is, instead, used to create a trust relationship between apps. The signature is also used to verify that the contents of .apk file have been correctly signed with the owner's key and have not been corrupted.
App signing uses public-key cryptography as defined by the Java JAR specification. Most developers will already have a key that was created by Eclipse and lives in .android/debug.keystore. The keytool utility should be used to create a more permanent keystore. No third party certificate authority (CA) is needed for signing the keys as they can be self-signed. Google Play store policy for apps requires a key that is valid until at least October 2033, but keys should be valid for 25 years or more, Gargenta said.
Once an app is signed, it is "zipped" into a archive file, which is essentially what an .apk is. Each file in the zip archive is individually signed, and those signatures are stored in a file in the META-INF directory. The .apk contains the classes, resources, and the manifest, along with META-INF. One can use jarsigner to sign the files, and keytool to verify keys and signatures.
The platform itself has four different keys, which are often overlooked by people creating their own ROM. There is a "platform" key used to sign the core frameworks, a "shared" key for ContentProviders, a "media" key for the media frameworks and applications (e.g. Gallery, DrmProvider), and a "testkey" for everything else. Those can be created using keytool. Shipping a ROM with the default keys is a big mistake, Gargenta said, because anyone can create an update.zip firmware update file to replace any part of the system they want.
Users
Android doesn't use Linux users (and UIDs) in the usual way. There are
"virtual users" that correspond to each app. When installed, an app gets a
UID (and
identical group ID)
assigned to it. Up until Ice Cream Sandwich (ICS, Android 4.0), the UIDs
were assigned starting at 10,001 and given names like app_N,
where N is the offset from 10,000. After ICS, the mapping took
multiple human users into account, so the names became uM_aN, where
M corresponds to the human user, and uses a different formula
(100,000 * user + appnum, so u10_a3 becomes 101,003 1,010,003).
There is no passwd file on an Android system, but the mapping from app to UID can be found in the /system/packages.list file. That file lists the app name, UID, and the location of the app's private data storage in the filesystem. When an app is first downloaded, it is put into a quarantine space and examined by installd; if the signature check passes, a UID/GID is assigned and the app is installed. It is possible to have multiple apps (all signed with the same key) running under the same UID, but they are really considered by the system to be part of the same app.
Files
Android has a few separate filesystems. The /system filesystem is "essentially the ROM", Gargenta said. It is mounted read-only and contains the Android OS, system libraries and apps, system executables, and so on. The application developer and user have no access to that filesystem (unless the device is rooted), and it contains no user data, so it doesn't need to be backed up or encrypted.
The /data partition is mounted read-write and contains all of the downloaded apps and the storage for all apps (including the system apps). The /data/data directory is the location where apps store their data. A a subdirectory named after the app is created that is owned by its UID/GID and has permissions that does not allow access from other UIDs. This is how the storage sandbox is handled. There is a lib directory in the app's storage, which holds the native libraries that the app needs. That directory is added to the LD_LIBRARY_PATH of apps before they are started.
The init process mounts the filesystems and sets the permissions for the files in those filesystems, which can be seen in the init.rc file. It ensures that /system is mounted read-only as it may have previously been mounted read-write for an over-the-air (OTA) update.
In Android 4.2 ("Jelly Bean"), support for multiple human users was added for uses like tablets that are shared by multiple family members. The number of supported users is set in a configuration file; for phones the value is 1, but tablets it is often set to 8. When there are multiple users, apps can be installed for one or more of them. In that case, the data is not shared—instead, each user gets their own copy of the app's data directory, but the code and libraries are shared (the latter using a symbolic link from the lib directory).
Permissions
Permissions are at the heart of the app security model for Android. One can see the list of all permissions in the system using the "pm list permissions" command in the adb shell. Also, the "run-as" command can be used to test permissions as granted to specific apps. That is useful for debugging and testing, Gargenta said.
Some permissions are better than others, at least in terms of being featured in the Google Play store, he said. He listed the Top Ten Bad Permissions. These are permissions that, if requested by an app, make it less likely to be featured in the store. For the most part, these are somewhat dangerous permissions that are a red flag that the application is asking for more than it needs—or more than it should need.
For example, the SEND_SMS and RECEIVE_SMS permissions (for sending and receiving text messages) were at the top of the list. Unless the app is an SMS program, it shouldn't be using those. Instead, it should start an SMS composer activity, which will activate an existing SMS app to handle the message. Similarly, using an intent for ACTION_IMAGE_CAPTURE will bring up the camera to allow the user to take a picture and return the result. That avoids requiring the CAMERA permission. He had suggestions for several other permissions as well.
Permissions in Android map to groups (i.e. GIDs). If a particular app is granted a permission, it is added to the group. For example, Android's "paranoid networking" works by checking if the user is in the "inet" group; if so, it allows network access, otherwise not. The permissions for files and devices are set by the init process
Gargenta also briefly looked at some other Android security topics, including encryption, malware, and device administration for companies that are issuing phones to their employees (or allowing those employees to use their own). Those topics were something of an aside to the deep dive into Android security. Overall, there was a lot to digest in a fairly short period of time, as Gargenta's slides would suggest. A longer time slot might have been harder to allocate for a two-day conference like ABS, but there was certainly material enough to fill it.
[ Thanks to the Linux Foundation for assisting with travel costs to San Francisco for ABS. ]
Brief items
Security quotes of the week
What's next? It wouldn't surprise me too much if nothing happens until someone demonstrates how to use a signed Linux system to attack Windows. Microsoft's response to that will probably determine whether anyone ends up caring.
Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.
And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good.
A nasty local kernel vulnerability
Over the weekend, the networking tree accepted a fix for an out-of-bounds access error that appears to be exploitable by an unprivileged local user to gain root access. Even worse, there are indications that this bug (which affects kernels from 3.3 onward) has been known about since mid-2012; exploits exist in the wild. No distributor updates exist as of this writing; presumably they will not be long in coming.[Update February 27: Distributions have started putting out updates for the vulnerability.]
New vulnerabilities
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2012-3499 CVE-2012-4558 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2013 | Updated: | May 14, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
Various XSS (cross-site scripting vulnerability) flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499). XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager interface (CVE-2012-4558). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
bind: denial of service
| Package(s): | bind | CVE #(s): | CVE-2012-5689 | ||||||||||||||||||||||||||||||||
| Created: | February 22, 2013 | Updated: | March 11, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
ISC BIND 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
django: multiple vulnerabilities
| Package(s): | python-django | CVE #(s): | CVE-2013-0305 CVE-2013-0306 | ||||||||||||||||||||||||||||||||
| Created: | February 27, 2013 | Updated: | March 22, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
CVE-2013-0305: Orange Tsai discovered that the bundled administrative interface of django could expose supposedly-hidden information via its history log. CVE-2013-0306: Mozilla discovered that an attacker can abuse django's tracking of the number of forms in a formset to cause a denial-of-service attack due to extreme memory consumption. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
dovecot: restriction bypass/directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2011-2166 CVE-2011-2167 | ||||||||||||||||
| Created: | February 21, 2013 | Updated: | February 27, 2013 | ||||||||||||||||
| Description: | From the CVE entries:
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. (CVE-2011-2166) script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. (CVE-2011-2167) | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
evolution: information disclosure
| Package(s): | evolution | CVE #(s): | CVE-2011-3201 | ||||||||||||||||
| Created: | February 21, 2013 | Updated: | March 11, 2013 | ||||||||||||||||
| Description: | From the Red Hat advisory:
The way Evolution handled mailto URLs allowed any file to be attached to the new message. This could lead to information disclosure if the user did not notice the attached file before sending the message. With this update, mailto URLs cannot be used to attach certain files, such as hidden files or files in hidden directories, files in the /etc/ directory, or files specified using a path containing "..". | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
fusionforge: multiple privilege escalation flaws
| Package(s): | fusionforge | CVE #(s): | CVE-2013-1423 | ||||
| Created: | February 27, 2013 | Updated: | February 27, 2013 | ||||
| Description: | From the Debian advisory:
Helmut Grohne discovered multiple privilege escalation flaws in FusionForge, a web-based project-management and collaboration software. Most of the vulnerabilities are related to the bad handling of privileged operations on user-controlled files or directories. | ||||||
| Alerts: |
| ||||||
hplip: insecure temp files
| Package(s): | hplip | CVE #(s): | CVE-2013-0200 | ||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | April 10, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Tim Waugh of Red Hat discovered temporary file handling flaws in HPLIP. A local attacker could use these flaws to perform a symbolic link attack, overwriting arbitrary files accessible to a process using HPLIP. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
java: unspecified vulnerability
| Package(s): | java | CVE #(s): | CVE-2013-1487 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | February 27, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2012-4542 CVE-2013-0309 CVE-2013-0310 CVE-2013-0311 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | July 12, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only. (CVE-2012-4542) A flaw was found in the way pmd_present() interacted with PROT_NONE memory ranges when transparent hugepages were in use. A local, unprivileged user could use this flaw to crash the system. (CVE-2013-0309) A flaw was found in the way CIPSO (Common IP Security Option) IP options were validated when set from user mode. A local user able to set CIPSO IP options on the socket could use this flaw to crash the system. (CVE-2013-0310) A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM guest could use this flaw to crash the host or, potentially, escalate their privileges on the host. (CVE-2013-0311) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-0228 CVE-2013-0313 CVE-2013-0871 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 22, 2013 | Updated: | June 14, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Linux kernel when returning from an iret assumes that %ds segment is safe and uses it to reference various per-cpu related fields. Unfortunately the user can modify the LDT and provide a NULL one. Whenever an iret is called we end up in xen_iret and try to use the %ds segment and cause an general protection fault. Malicious or buggy unprivileged user space can cause the guest kernel to crash, or permit a privilege escalation within the guest, or operate erroneously. (CVE-2013-0228) Linux kernel built with Extended Verification Module(EVM) and configured properly, is vulnerable to a NULL pointer de-reference flaw, caused by accessing extended attribute routines of sockfs inode object. An unprivileged user/program could use this to crash the kernel, resulting in DoS. (CVE-2013-0313) A race condition in ptrace can lead to kernel stack corruption and arbitrary kernel-mode code execution. (CVE-2013-0871) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2013-1763 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2013 | Updated: | March 22, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Mathias Krause discovered a bounds checking error for netlink messages requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit this flaw to crash the system or run programs as an administrator. This patch fixes the problem. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
keystone: multiple vulnerabilities
| Package(s): | keystone | CVE #(s): | CVE-2013-0282 CVE-2013-1664 CVE-2013-1665 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | September 4, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Nathanael Burton discovered that Keystone did not properly verify disabled users. An authenticated but disabled user would continue to have access rights that were removed. (CVE-2013-0282) Jonathan Murray discovered that Keystone would allow XML entity processing. A remote unauthenticated attacker could exploit this to cause a denial of service via resource exhaustion. Authenticated users could also use this to view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mozilla: distinguishing and plaintext-recovery attacks
| Package(s): | firefox thunderbird nss | CVE #(s): | CVE-2013-1620 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 22, 2013 | Updated: | April 5, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
openssh: code execution
| Package(s): | openssh | CVE #(s): | CVE-2012-5536 | ||||||||||||||||
| Created: | February 21, 2013 | Updated: | March 11, 2013 | ||||||||||||||||
| Description: | From the Red Hat advisory:
Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat Enterprise Linux 6, the glibc's error() function was called rather than the intended error() function in pam_ssh_agent_auth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using pam_ssh_agent_auth to crash, disclose portions of its memory or, potentially, execute arbitrary code. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
openssl: denial of service
| Package(s): | openssl | CVE #(s): | CVE-2012-2686 | ||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | February 27, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
pigz: information disclosure
| Package(s): | pigz | CVE #(s): | CVE-2013-0296 | ||||||||
| Created: | February 26, 2013 | Updated: | March 27, 2013 | ||||||||
| Description: | From the Red Hat bugzilla:
A security flaw was found in the way pigz, a parallel implementation of gzip, created temporary files to (temporary) store / represent 'to be compressed archive content' (the files were created with world readable permissions). A local attacker could use this flaw to obtain sensitive information (archive content). | ||||||||||
| Alerts: |
| ||||||||||
pixman: stack-based buffer overflow
| Package(s): | pixman | CVE #(s): | CVE-2013-1591 | ||||||||||||||||||||||||||||||||||||
| Created: | February 27, 2013 | Updated: | April 10, 2013 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Stack-based buffer overflow in libpixman, as used in Pale Moon before 15.4, has unspecified impact and attack vectors. The upstream commit to correct this flaw: http://cgit.freedesktop.org/pixman/commit... The affected code (pixman/pixman-inlines.h, fast_composite_scaled_bilinear()) is present in the version of pixmap shipped with Fedora 17 (0.24.4), but is not present in Red Hat Enterprise Linux 5 or 6 (the fast_composite_scaled_bilinear() function is in pixman/pixman-fast-path.h, but the vulnerable code is not there and I don't detect anything comparable). So it's likely that the vulnerable code was introduced after 0.22.0. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
rails: multiple vulnerabilities
| Package(s): | RubyOnRails | CVE #(s): | CVE-2013-0262 CVE-2013-0263 | ||||||||||||||||||||||||||||||||
| Created: | February 25, 2013 | Updated: | May 8, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." (CVE-2013-0262) Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time. (CVE-2013-0263) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
rdma: multiple vulnerabilities
| Package(s): | RDMA | CVE #(s): | CVE-2012-4517 CVE-2012-4518 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | March 11, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A denial of service flaw was found in the way ibacm managed reference counts for multicast connections. An attacker could send specially-crafted multicast packets that would cause the ibacm daemon to crash. (CVE-2012-4517) It was found that the ibacm daemon created some files with world-writable permissions. A local attacker could use this flaw to overwrite the contents of the ibacm.log or ibacm.port file, allowing them to mask certain actions from the log or cause ibacm to run on a non-default port. (CVE-2012-4518) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ruby: denial of service
| Package(s): | ruby1.9.1 | CVE #(s): | CVE-2013-0269 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | May 1, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5 allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability." | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
transmission: code execution
| Package(s): | transmission | CVE #(s): | CVE-2012-6129 | ||||||||||||
| Created: | February 25, 2013 | Updated: | March 20, 2013 | ||||||||||||
| Description: | From the Ubuntu advisory:
It was discovered that Transmission incorrectly handled certain micro transport protocol packets. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
util-linux-ng: information disclosure
| Package(s): | util-linux-ng | CVE #(s): | CVE-2013-0157 | ||||||||||||||||||||||||||||
| Created: | February 21, 2013 | Updated: | May 3, 2013 | ||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>