Security
SCALE: The Hockeypuck key server
At SCALE 11x in Los Angeles, Gazzang's Casey Marshall presented his work developing Hockeypuck, an alternative public PGP keyserver. Although the company developed Hockeypuck to support one of its own products, the AGPL-licensed server is capable of running a standalone key service, and is compatible with Synchronizing Key Server (SKS), the tool used by almost all public key services.
Keyservers are a critical component in the public key infrastructure (PKI), even though they rarely attract significant attention. They enable PGP-aware client applications to search for and retrieve users' public keys, which is what enables parties to encrypt messages to one another without prior agreement. In addition to sender's and recipient's keys, PGP relies on a "web of trust" built up by verifiable signatures from other PGP keys. Aside from secure private email, PGP encryption is also used in an increasing number of other tasks, such as verifying software package signatures. Marshall observed that this system is in essence a globally distributed social network; the Internet's keyservers share identities in a distributed fashion across a truly global pool. Because keyservers distribute the load and can synchronize, it is very hard for an attacker to tamper with or otherwise undermine the keys.
SKS is by far the most commonly used keyserver, Marshall said, and it offers a powerful set of features. It uses an efficient "set reconciliation" algorithm to keep the global database of keys in sync between remote peers, and it uses Berkeley DB for data storage. Although there is an older, email-based protocol for querying and retrieving keys, SKS is built around the HTTP Keyserver Protocol (HKP), which Marshall described as being RESTful before REST was popular.
Enter Hockeypuck
Marshall got into keyserver development while working on a Gazzang product called zTrustee. The product is a closed source storage service that uses OpenPGP keys to encrypt data. Because the service relies on generating and storing separate keys for separate objects, it quite naturally processes keys in heavy volume, which is not the typical workload for a keyserver. The company has been using SKS to distribute keys to clients, he said, but SKS is very write-heavy, and under sufficient load it was found to cause unacceptable delays.
Hoping to improve on the situation, Marshall started writing Hockeypuck. It is not yet ready to replace SKS in zTrustee, but interested developers can test it out. The project is hosted at Launchpad.net and mirrored on Github. Binary packages are already available for Ubuntu 13.04, and there is a publicly accessible instance of the server running at hockeypuck.gazzang.net. GPG users can query the server by supplying it as a command line switch, for example:
gpg --keyserver hockeypuck.gazzang.net --search-keys Santa
The public server's web interface presents a minimalist "Google-style" search page (which, as he pointed out, includes an "I'm Feeling Lucky" button that is not really intended for serious usage). Hockeypuck does not participate in the global set reconciliation algorithm of the SKS keyservers, but the public server was initialized with a dump file provided by an SKS server six months ago, so it contains a significant subset of the total global key pool.
Hockeypuck is written in Go, which Marshall said he selected for several reasons. Its simplicity and modularity make it fun to write in, he said, but it also offers useful features and high-performance message passing. The wide assortment of libraries available included an OpenPGP implementation, which he used, although he noted that there are not many OpenPGP implementations to choose from—most PGP development takes the form of additional services built on top a small set of OpenPGP stacks.
Lessons learned
At the moment, Hockeypuck uses MongoDB for storage; Marshall said he would be adding PostgreSQL support next, and perhaps other database connectors later. The server architecture is fairly straightforward, he said. A separate goroutine handles each HTTP request, opening a channel to a worker that queries the database. Scaling the system could be as simple as running one worker per CPU, or more sophisticated techniques could be employed depending on the database backend.
Indeed, Marshall said, the choice of MongoDB has come with its share of problems. It was easy to develop with, he said; Go even has a library for it. "You give it a struct, and you get a struct back." But not being a real relational database imposes limitations, starting with the fact that you cannot index something just because you want to. The Hockeypuck database is indexed on the uid field (which contains names and email addresses), thus it cannot also run searches on other fields (like key-ID); a truly full-text search is not possible. He also found it necessary to reverse the order of key fingerprints, placing the shorter key-ID at the beginning of the record so that it can be read and searched faster. Maintaining performance has also been tricky, he said; loading data into MongoDB is very quick, but updates must be aggregated for write efficiency. Ultimately, he concluded, MongoDB makes it very easy to write database applications, but it shifts more work onto configuration and deployment.
Maintaining the public Hockeypuck server has also imparted its share of lessons, he said. For example, an unknown user downloaded Marshall's own key, added new email addresses as uid fields, then re-uploaded the key to the server. An OpenPGP client application would not have been fooled by the deception because the grafted-on fields were not signed by the primary key, but the incident pointed out to Marshall that Hockeypuck needed to do its part as well. He quickly added code that checked the signatures on uploads, and reloaded the SKS key database just to be on the safe side. Technically, he observed, keyservers themselves are not meant to be trusted entities—the keys are designed to be verified or rejected cryptographically—but maintaining a tidy and valid database is important too.
Keys to the future
Hockeypuck's key loading is quite fast already, Marshall said; it can load about two million keys in 24 hours. Queries, in turn, are "reasonably fast," and the database appears to be the bottleneck. But apart from increasing performance, he has several other important items on his to-do list. For example, one improvement is support for OpenPGP version 3 signatures. Version 4 signatures are the standard today, but version 3 signatures can still be found in the wild.
A far bigger task (which Marshall regards as the missing "killer feature") is implementing the SKS reconciliation algorithm. This will allow Hockeypuck to interoperate with the global pool of public keys. He has started work on an implementation of the algorithm (that he named conflux), which he hopes will be general-purpose enough to serve as a synchronization library outside of the keyserver itself. Conflux is "getting there," he said; the mathematical portions are passing unit tests, but he still has work to do on the network protocol itself.
Further down the line, he speculated that Hockeypuck could serve as an SSH keyserver as well, and perhaps work with other authentication schemes like Password Authenticated Key Exchange by Juggling (J-PAKE) or convergence.io.
Trust stuff
Despite the fact that Hockeypuck "competes" with SKS, Marshall said he has found the SKS community to be very friendly, and many were excited to hear about Hockeypuck and its implementation of the set reconciliation algorithm. An independent implementation of the feature is good news for any project, but especially for infrastructure projects like SKS, because the "web of trust" that it implements is so crucial.
Marshall concluded his talk by asking attendees to examine the web of trust and how it functions. We trust different identity credentials for very different reasons, he said: we trust PGP keys because of either the signatures of other PGP users or our participation in key-signing events; we trust SSH keys because they are the same key we encountered the first time we connected; we trust SSL/TLS certificates because they contain a signature from a certificate authority that our browser trusts. Our trust will have a stronger foundation if it includes multiple factors, he said; perhaps, for example, PGP keys need to incorporate notions of identity beyond email addresses alone.
Keyservers could also play a role in advancing the conversation about identity management, he suggested. As he noted at the beginning of the session, the SKS global key pool has functioned as a decentralized social network for years—perhaps there are ways to leverage it, such as linking PGP keys to OpenID or OAuth accounts, or to make SSH user authentication as widely accepted as SSH host authentication already is.
Of course, PGP is still in use by just a fraction of global email users; its critics have long argued that public key encryption and the PKI are too complicated for mass appeal. That is a difficult claim to prove, particularly since it is hard to disentangle the ideas of PKI from its client software implementations. But even for those who understand and use PGP on a regular basis, the accidental monoculture of SKS keyservers poses its own potential risks. Hockeypuck might never overtake SKS in popularity, but by offering an additional choice and by shining new light on HKP and other factors, it may strengthen critical pieces of PKI anyway.
Brief items
Security quotes of the week
The comprehensive surveillance state, combined with measures to deal with the loyalty of the enforcer class, is the end game: it is where current trends lead. It will be justified to the public as a measure to decrease crime and protect innocents (especially children), but it will lead to a more advanced Stasi state.
We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users. Our fast turn around time on this security issue is a reflection of the priority and focus we place on security. Security is more than a side item for us, it's part of our core principles.
New vulnerabilities
389-ds-base: denial of service
| Package(s): | 389-ds-base | CVE #(s): | CVE-2013-0312 | ||||||||||||||||
| Created: | March 12, 2013 | Updated: | March 13, 2013 | ||||||||||||||||
| Description: | From the Red Hat advisory:
A flaw was found in the way LDAPv3 control data was handled by 389 Directory Server. If a malicious user were able to bind to the directory (even anonymously) and send an LDAP request containing crafted LDAPv3 control data, they could cause the server to crash, denying service to the directory. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
crypto-utils: symlink attack
| Package(s): | crypto-utils | CVE #(s): | CVE-2012-3504 | ||||||||
| Created: | March 11, 2013 | Updated: | March 13, 2013 | ||||||||
| Description: | From the CVE entry:
The nssconfigFound function in genkey.pl in crypto-utils 2.4.1-34 allows local users to overwrite arbitrary files via a symlink attack on the "list" file in the current working directory. | ||||||||||
| Alerts: |
| ||||||||||
gksu-polkit: root privilege escalation
| Package(s): | gksu-polkit | CVE #(s): | CVE-2012-5617 | ||||||||||||
| Created: | March 7, 2013 | Updated: | August 5, 2013 | ||||||||||||
| Description: | From the Red Hat Bugzilla entry: Miroslav Trmac reported that gksu-polkit ships with an extremely permissive PolicyKit policy configuration file. Because gksu-polkit allows a user to execute a program with administrative privileges, and because the default allow_active setting is "auth_self" rather than "auth_admin", any local user can use gksu-polkit to execute arbitrary programs (like a bash shell) with root privileges. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-1828 CVE-2013-1792 CVE-2013-1825 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2013 | Updated: | July 12, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla [1], [2], [3]:
A local user could use the missing size check in sctp_getsockopt_assoc_stats() function to escalate their privileges. On x86 this might be mitigated by destination object size check as the destination size is known at compile time. A race condition leading to a NULL pointer dereference is discovered in the Linux kernel. It occurs during parallel invocation of install_user_keyrings & lookup_user_key routines. Linux kernels built with crypto user APIs are vulnerable to the information disclosure flaw. It occurs when user calls the `crypto_*_report' APIs via netlink based crypto API interface. A privileged user/program (CAP_NET_ADMIN) could use this flaw to read kernel memory area. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2013-1772 | ||||||||||||||||||||||||||||
| Created: | March 7, 2013 | Updated: | July 12, 2013 | ||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way file permission checks for the "/dev/kmsg" file were performed in restricted root environments (for example, when using a capability-based security model). A local user able to write to this file could cause a denial of service. (CVE-2013-1772, Low) | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
krb5: denial of service
| Package(s): | krb5 | CVE #(s): | CVE-2013-1415 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2013 | Updated: | March 25, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libproxy: format string flaw
| Package(s): | libproxy | CVE #(s): | CVE-2012-5580 | ||||
| Created: | March 11, 2013 | Updated: | March 13, 2013 | ||||
| Description: | From the Red Hat bugzilla:
A format string flaw was reported in libproxy's proxy commandline tool (bin/proxy). This was corrected upstream and is included in the 0.4.0 release. | ||||||
| Alerts: |
| ||||||
MRG Grid: denial of service
| Package(s): | MRG Grid | CVE #(s): | CVE-2012-4462 | ||||||||
| Created: | March 7, 2013 | Updated: | March 13, 2013 | ||||||||
| Description: | From the Red Hat advisory: It was found that attempting to remove a job via "/usr/share/condor/aviary/jobcontrol.py" with CPROC in square brackets caused condor_schedd to crash. If aviary_query_server was configured to listen to public interfaces, this could allow a remote attacker to cause a denial of service condition in condor_schedd. While condor_schedd was restarted by the condor_master process after each exit, condor_master would throttle back restarts after each crash. This would slowly increment to the defined MASTER_BACKOFF_CEILING value (3600 seconds/1 hour, by default). (CVE-2012-4462) | ||||||||||
| Alerts: |
| ||||||||||
MRG Messaging: multiple vulnerabilities
| Package(s): | MRG Messaging | CVE #(s): | CVE-2012-4446 CVE-2012-4458 CVE-2012-4459 | ||||||||
| Created: | March 7, 2013 | Updated: | March 13, 2013 | ||||||||
| Description: | From the Red Hat advisory: It was found that the Apache Qpid daemon (qpidd) treated AMQP connections with the federation_tag attribute set as a broker-to-broker connection, rather than a client-to-server connection. This resulted in the source user ID of messages not being checked. A client that can establish an AMQP connection with the broker could use this flaw to bypass intended authentication. For Condor users, if condor-aviary is installed, this flaw could be used to submit jobs that would run as any user (except root, as Condor does not run jobs as root). (CVE-2012-4446) It was found that the AMQP type decoder in qpidd allowed arbitrary data types in certain messages. A remote attacker could use this flaw to send a message containing an excessively large amount of data, causing qpidd to allocate a large amount of memory. qpidd would then be killed by the Out of Memory killer (denial of service). (CVE-2012-4458) An integer overflow flaw, leading to an out-of-bounds read, was found in the Qpid qpid::framing::Buffer::checkAvailable() function. An unauthenticated, remote attacker could send a specially-crafted message to Qpid, causing it to crash. (CVE-2012-4459) | ||||||||||
| Alerts: |
| ||||||||||
openshift: multiple vulnerabilities
| Package(s): | openshift | CVE #(s): | CVE-2013-0327 CVE-2013-0328 CVE-2013-0329 CVE-2013-0330 CVE-2013-0331 | ||||
| Created: | March 13, 2013 | Updated: | March 13, 2013 | ||||
| Description: | From the Red Hat advisory:
It was found that Jenkins did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into Jenkins, into visiting a specially-crafted URL, the attacker could perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329) A cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker could use this flaw to conduct an XSS attack against users of Jenkins. (CVE-2013-0328) A flaw could allow a Jenkins user to build jobs they do not have access to. (CVE-2013-0330) A flaw could allow a Jenkins user to cause a denial of service if they are able to supply a specially-crafted payload. (CVE-2013-0331) | ||||||
| Alerts: |
| ||||||
openssh: information disclosure
| Package(s): | openssh | CVE #(s): | CVE-2012-0814 | ||||||||
| Created: | March 13, 2013 | Updated: | March 13, 2013 | ||||||||
| Description: | From the CVE entry:
The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. | ||||||||||
| Alerts: |
| ||||||||||
perl: denial of service
| Package(s): | perl | CVE #(s): | CVE-2013-1667 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 11, 2013 | Updated: | April 3, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Yves Orton discovered a flaw in the rehashing code of Perl. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Specifically an attacker could create a set of keys of a hash causing a denial of service via memory exhaustion. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
puppet: multiple vulnerabilities
| Package(s): | puppet | CVE #(s): | CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2274 CVE-2013-2275 | ||||||||||||||||||||||||||||||||
| Created: | March 13, 2013 | Updated: | August 2, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
CVE-2013-1640: An authenticated malicious client may request its catalog from the puppet master, and cause the puppet master to execute arbitrary code. The puppet master must be made to invoke the `template` or `inline_template` functions during catalog compilation. CVE-2013-1652: An authenticated malicious client may retrieve catalogs from the puppet master that it is not authorized to access. Given a valid certificate and private key, it is possible to construct an HTTP GET request that will return a catalog for an arbitrary client. CVE-2013-1653: An authenticated malicious client may execute arbitrary code on Puppet agents that accept kick connections. Puppet agents are not vulnerable in their default configuration. However, if the Puppet agent is configured to listen for incoming connections, e.g. listen = true, and the agent's auth.conf allows access to the `run` REST endpoint, then an authenticated client can construct an HTTP PUT request to execute arbitrary code on the agent. This issue is made worse by the fact that puppet agents typically run as root. CVE-2013-1654: A bug in Puppet allows SSL connections to be downgraded to SSLv2, which is known to contain design flaw weaknesses This affects SSL connections between puppet agents and master, as well as connections that puppet agents make to third party servers that accept SSLv2 connections. Note that SSLv2 is disabled since OpenSSL 1.0. CVE-2013-1655: An unauthenticated malicious client may send requests to the puppet master, and have the master load code in an unsafe manner. It only affects users whose puppet masters are running ruby 1.9.3 and above. CVE-2013-2274: An authenticated malicious client may execute arbitrary code on the puppet master in its default configuration. Given a valid certificate and private key, a client can construct an HTTP PUT request that is authorized to save the client's own report, but the request will actually cause the puppet master to execute arbitrary code. CVE-2013-2275: The default auth.conf allows an authenticated node to submit a report for any other node, which is a problem for compliance. It has been made more restrictive by default so that a node is only allowed to save its own report. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
ruby: denial of service
| Package(s): | ruby | CVE #(s): | CVE-2013-1821 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 8, 2013 | Updated: | April 4, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
vdsm: insecure node image
| Package(s): | vdsm | CVE #(s): | CVE-2012-5518 | ||||
| Created: | March 12, 2013 | Updated: | March 13, 2013 | ||||
| Description: | From the Red Hat bugzilla:
When new node image is being created, vdsm.rpm is added to the node image and self-signed key (and certificate) is created. This key/cert allows vdsm to start and serve requests from anyone who has a matching key/cert which could be anybody holding the node image.
Upstream fix: | ||||||
| Alerts: |
| ||||||
xulrunner: code execution
| Package(s): | xulrunner | CVE #(s): | CVE-2013-0787 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 8, 2013 | Updated: | June 3, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mozilla advisory: VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand() function while internal editor operations are occurring. This could allow for arbitrary code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
zfs-fuse: executable stack
| Package(s): | zfs-fuse | CVE #(s): | |||||||||
| Created: | March 13, 2013 | Updated: | March 13, 2013 | ||||||||
| Description: | From the Red Hat bugzilla:
Several programs in this package have an executable stack. This makes it susceptible to stack based exploits should another weakness be found in the affected programs:
| ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>