Security
Mayhem finds 1200 bugs
The reporting of 1200 bugs, some of which may have security implications, is sure to overwhelm any distribution's bug handling abilities. So it was rather helpful that Alexandre Rebert started out by posting to the debian-devel mailing list rather than just flooding the bug tracker. Beyond just the sheer number of bugs, though, there is a question of dealing with so many potential security issues, which are generally handled differently than regular bugs. Rebert and other security researchers at Carnegie Mellon University (CMU) found the bugs in binaries from the Debian repositories using an automated bug finder called Mayhem [PDF].
Mayhem is a closed-source research project at CMU CyLab that uses symbolic execution on binary programs to find exploitable bugs in the code. It does its job by looking for load and store instructions that can be influenced by the inputs to the program. It examines the paths through the program using a "hybrid symbolic execution" mechanism that combines normal execution of the program with symbolic execution of an intermediate language representation that is created whenever a tainted (i.e. dependent on user input) branch condition is detected. The symbolic execution looks for ways to exploit the tainted code and builds an exploit if it can. The Mayhem paper goes into a lot more detail, perhaps enough for others to reproduce the technique.
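The paragraph above describes the core idea: run the program, track which values derive from input, and flag load and store instructions whose address is input-dependent. The following toy, added here as an illustration and not Mayhem's code, does the concrete half of that on an invented register machine: it propagates taint through registers and memory and reports any LOAD or STORE whose address register is tainted, plus the out-of-bounds access that a crafted input then causes. Real symbolic execution would go on to solve for an input that drives the address somewhere specific; the toy only shows the dependency that makes such solving worthwhile. The instruction set, register names and the two sample programs are all constructed for this example.

```python
"""Toy taint tracking over a tiny register machine.

Added example in the spirit of the Mayhem description; not Mayhem's code.
The instruction set is invented. The machine executes a program concretely
while recording which registers and memory cells derive from program input.
A LOAD or STORE whose address register is tainted is the input-influenced
memory access a tool like Mayhem looks for."""

from dataclasses import dataclass, field

MEM_SIZE = 16


@dataclass
class Finding:
    pc: int        # index of the offending instruction
    op: str        # "LOAD" or "STORE"
    addr: int      # concrete address used on this run
    kind: str      # "tainted-address" or "out-of-bounds"


@dataclass
class Machine:
    regs: dict = field(default_factory=dict)                 # register -> value
    tainted: set = field(default_factory=set)                # tainted registers
    mem: list = field(default_factory=lambda: [0] * MEM_SIZE)
    mem_tainted: list = field(default_factory=lambda: [False] * MEM_SIZE)
    findings: list = field(default_factory=list)

    def _set(self, r, value, taint):
        self.regs[r] = value
        if taint:
            self.tainted.add(r)
        else:
            self.tainted.discard(r)

    def run(self, program, user_input):
        """Run `program` on `user_input` (a list of ints); return the findings."""
        inp = list(user_input)
        for pc, (op, *args) in enumerate(program):
            if op == "INPUT":                  # INPUT r        : r = next input value
                self._set(args[0], inp.pop(0) if inp else 0, True)
            elif op == "CONST":                # CONST r, imm   : r = imm
                self._set(args[0], args[1], False)
            elif op in ("ADD", "MUL"):         # ADD/MUL r, a, b: r = a op b
                r, a, b = args
                va, vb = self.regs[a], self.regs[b]
                self._set(r, va + vb if op == "ADD" else va * vb,
                          a in self.tainted or b in self.tainted)
            elif op in ("LOAD", "STORE"):      # LOAD r, a: r = mem[a]; STORE r, a: mem[a] = r
                r, a = args
                addr = self.regs[a]
                if a in self.tainted:
                    self.findings.append(Finding(pc, op, addr, "tainted-address"))
                if not 0 <= addr < MEM_SIZE:
                    self.findings.append(Finding(pc, op, addr, "out-of-bounds"))
                    return self.findings       # the real binary would crash here
                if op == "LOAD":
                    self._set(r, self.mem[addr],
                              a in self.tainted or self.mem_tainted[addr])
                else:
                    self.mem[addr] = self.regs[r]
                    self.mem_tainted[addr] = r in self.tainted
            else:
                raise ValueError(f"unknown instruction {op}")
        return self.findings


# Constructed program: one input value scaled by 4 and used as a store index
# with no bounds check, the shape of bug a fuzzer or Mayhem would report.
UNCHECKED_INDEX = [
    ("INPUT", "r0"),
    ("CONST", "r1", 4),
    ("MUL", "r2", "r0", "r1"),
    ("CONST", "r3", 42),
    ("STORE", "r3", "r2"),
]

# Constructed program whose addresses never depend on input.
CLEAN = [
    ("CONST", "r0", 3),
    ("CONST", "r1", 7),
    ("STORE", "r1", "r0"),
    ("LOAD", "r2", "r0"),
]


def analyze(program, user_input):
    """Fresh machine, one run, findings as (kind, pc, addr) tuples."""
    return [(f.kind, f.pc, f.addr) for f in Machine().run(program, user_input)]


if __name__ == "__main__":
    print(analyze(UNCHECKED_INDEX, [1]))   # tainted index, still in bounds
    print(analyze(UNCHECKED_INDEX, [5]))   # tainted index, out of bounds
    print(analyze(CLEAN, []))              # nothing to report
```

The first run on `UNCHECKED_INDEX` already reports the tainted store address even though the input 1 keeps it in bounds; that is the point of tainting rather than crash-hunting alone, since the report does not depend on having stumbled on the crashing input.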
The bugs are "exploitable" in the sense that each crash can execute arbitrary code. While code execution bugs are serious, the programs in question are typically run by regular users from the shell, so being able to get a shell (which is the usual proof of concept used by demonstration exploits as well as by Mayhem) is not a huge accomplishment. But being able to get a shell means that an exploit could do anything the user could do, including exposing or deleting files, participating in a botnet, sending spam, and so on. The exploits require specially crafted arguments and/or input files to trigger the bugs, so users would have to be tricked into running the programs that way.
Of course, any setuid programs or those accessible via the web or other internet services are a much larger concern. That's not to downplay what the Mayhem team has done in any way, but fuzzing has shown us that arbitrary inputs to programs often lead to crashes—the trick is finding a way to get users to provide crafted inputs that lead to an interesting (to the attacker) result. Regardless, the bugs do need to be fixed, and the Mayhem team has provided a wealth of information to do just that.
Each bug report comes with a tar file (an example for gcov was provided with Rebert's message) that contains a script to reproduce the problem, files containing the arguments and input that cause the crash, the core dump, and more. Reports for each of the bugs were sent to the appropriate Debian package maintainers, though some of those addresses were actually mailing lists, as Paul Wise pointed out. That allows us to see some of the reports, including one for the nfsidmap binary in the nfs-common package. Rebert's message also linked to a text file that lists all of the affected packages and their maintainers.
There are almost certainly more bugs out there for Mayhem to find as the team limited the search space of the tool, allowing just five minutes of run time per binary. They also limit the bugs reported to one per binary and five per package. There are likely to be plenty of duplicate bugs on the list as well; bugs in libraries may well appear for multiple binaries. And, of course, the bugs aren't limited to Debian, as many of the packages will be in the repositories of lots of different distributions; all or nearly all of them will not be Debian-specific at all.
Unfortunately, there is no automated way to extract addresses for the upstream developers or mailing lists from the Debian packages. The bug reports may ultimately need to make their way upstream, but the Mayhem team couldn't find a way to do that, so they started with the Debian maintainers. As Andreas Tille noted, some packages may have implemented the machine-readable debian/copyright file, which might provide an upstream contact and email address. But, for security reports, even that may not be the right place to send the message.
But, in fact, Rebert has recognized that the security tag on most of the proposed bug reports was probably not accurate. "It looks like a majority of the crashes have little security implications", he said, so that tag will be removed before the actual bug reports get submitted. It isn't clear that a security contact would be needed in the majority of cases but, since Mayhem sets out to find exploitable bugs, "responsible disclosure" might still indicate that a security list or email should be used to report the problems.
The problem is, in some ways, similar to the question of where bugs should be filed that we reported on last week. Which bug tracker (distribution or upstream) to use is contentious enough when looking at single bugs reported by users; 1200 bugs increases the scale of the problem significantly. The clear indication is that Mayhem could find lots more if it were given free rein, though the duplicates need to be eliminated or substantially reduced or the team risks overwhelming distributions and upstreams.
The "huge pile of bugs" problem is a consequence of the closed-source nature of Mayhem. If the tool were available to be used by various projects' developers as part of their testing, the bugs could be found and fixed in the normal course of development. Rebert mentioned the possibility of creating some kind of Mayhem web service, but it would be far more useful if the tool were free software (even "free as in beer" would be better than the existing situation). Since public funds were used to develop the tool, one might hope the public would get a bit more out of that spending. The Mayhem paper mentions that the US Defense Advanced Research Projects Agency (DARPA) helped fund some of the work, but, alas, that funding doesn't seem to come with a mandate to publish the source.
It's clear that running Mayhem on the 23,000 or so binaries found in the Debian "Wheezy" repository has found real bugs, some of which are "exploitable" in limited scenarios. Some are probably worse than that, however, and as the tool gets improved, it may be able to narrow in on more dangerous bugs. One might guess that CMU and the Mayhem developers plan to commercialize Mayhem. That is, of course, their prerogative, but it is unfortunate that tools like Mayhem and the Coverity static analyzer (which came out of Stanford University) are not free software tools. One suspects they would see much more use—and, possibly, improvement—if they were.
Brief items
Security quotes of the week
An interesting Android package verification vulnerability
Bluebox Security claims to have found a way to modify code contained within an Android application package without breaking the associated cryptographic signature. "All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been." The problem was evidently disclosed to Google in February; details are promised at the Black Hat USA conference starting July 27.
New vulnerabilities
ffmpeg: multiple vulnerabilities
| Package(s): | ffmpeg | CVE #(s): | CVE-2013-3671 CVE-2013-3672 CVE-2013-3673 CVE-2013-3674 |
| Created: | June 27, 2013 | Updated: | July 3, 2013 |
| Description: | From the Mageia advisory: * CVE-2013-3671: The format_line function in log.c in libavutil uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message. * CVE-2013-3672: The mm_decode_inter function in mmvideo.c in libavcodec does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data. * CVE-2013-3673: The gif_decode_frame function in gifdec.c in libavcodec does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data. * CVE-2013-3674: The cdg_decode_frame function in cdgraphics.c in libavcodec does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data. |
| Alerts: | |
Foreman: multiple vulnerabilities
| Package(s): | Foreman | CVE #(s): | CVE-2013-2113 CVE-2013-2121 |
| Created: | June 28, 2013 | Updated: | July 3, 2013 |
| Description: | From the Red Hat advisory: A flaw was found in the create method of the Foreman Bookmarks controller. A user with privileges to create a bookmark could use this flaw to execute arbitrary code with the privileges of the user running Foreman, giving them control of the system running Foreman (such as installing new packages) and all systems managed by Foreman. (CVE-2013-2121) A flaw was found in the way the Foreman UsersController controller handled user creation. A non-admin user with privileges to create non-admin accounts could use this flaw to create admin accounts, giving them control of the system running Foreman (such as installing new packages) and all systems managed by Foreman. (CVE-2013-2113) |
| Alerts: | |
openstack-keystone: authentication bypass
| Package(s): | openstack-keystone | CVE #(s): | CVE-2013-2157 |
| Created: | June 28, 2013 | Updated: | August 12, 2013 |
| Description: | From the openSUSE bug report: Jose Castro Leon from CERN reported a vulnerability in the way the Keystone LDAP backend authenticates users. When provided with an empty password, the backend would perform an anonymous LDAP bind that would result in successfully authenticating the user. An attacker could therefore easily impersonate and get valid tokens for any user. Only Keystone setups using LDAP authentication backend are affected. |
| Alerts: | |
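The Keystone LDAP entry above is a classic instance of a client mistaking a successful bind for a successful authentication. The following added example (not Keystone's code) models it: `ldap_simple_bind` is a constructed stand-in for a directory that, as RFC 4513 permits, treats a bind with a DN and an empty password as an anonymous/unauthenticated bind and returns success without checking anything. The vulnerable function trusts that result; the fixed one refuses empty passwords before ever talking to the directory. The DN and password in `DIRECTORY` are constructed sample data.

```python
"""Empty-password check in front of an LDAP simple bind.

Added example, not Keystone code. `ldap_simple_bind` stands in for a
directory server (constructed, no network). RFC 4513 allows a simple bind
with a name and an empty password to succeed as an *unauthenticated* bind,
which proves nothing about the caller; a client that equates "bind
succeeded" with "user authenticated" is therefore bypassed by an empty
password. The server can also be configured to refuse such binds, but the
client-side check below must not rely on that."""

# Constructed directory contents: DN -> password.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=org": "correct horse battery",
}


def ldap_simple_bind(dn, password):
    """Emulates a permissive directory: known DN + empty password => bind OK."""
    if dn not in DIRECTORY:
        return False
    if password == "":
        return True          # unauthenticated bind: succeeds, proves no credential
    return DIRECTORY[dn] == password


def authenticate_vulnerable(dn, password):
    """Treats any successful bind as authentication (the flaw described)."""
    return ldap_simple_bind(dn, password)


def authenticate_fixed(dn, password):
    """Rejects empty or missing passwords before binding, so an anonymous or
    unauthenticated bind can never be mistaken for a user login."""
    if not password:
        return False
    return ldap_simple_bind(dn, password)


if __name__ == "__main__":
    dn = "uid=alice,ou=users,dc=example,dc=org"
    print("vulnerable, empty password:", authenticate_vulnerable(dn, ""))
    print("fixed, empty password:     ", authenticate_fixed(dn, ""))
    print("fixed, real password:      ", authenticate_fixed(dn, "correct horse battery"))
```

The fixed version also catches `None`, which matters when the password field is simply absent from the request rather than present and empty.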
php-radius: buffer overflow
| Package(s): | php-radius | CVE #(s): | CVE-2013-2220 |
| Created: | July 3, 2013 | Updated: | July 26, 2013 |
| Description: | From the Mandriva advisory: Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size. |
| Alerts: | |
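The php-radius fix is one sentence, but the check it names is worth seeing spelled out. The following added example (not php-radius code, which is C) parses a RADIUS Vendor-Specific Attribute in the layout of RFC 2865 section 5.26 and validates both length bytes against the bytes actually present before slicing, which is the check the advisory describes. `build_vsa`, the vendor id and the attribute text are constructed for the sample packets only.

```python
"""Bounds-checked parsing of a RADIUS Vendor-Specific Attribute.

Added example, not php-radius code. Layout per RFC 2865 section 5.26:
Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value.
Both Length and Vendor-Length arrive off the wire, so each is validated
against the bytes we actually hold before being used to slice."""

import struct

VENDOR_SPECIFIC = 26
VSA_MIN_LEN = 8      # type, length, 4-byte vendor id, vendor type, vendor length


class MalformedAttribute(ValueError):
    pass


def parse_vsa(buf):
    """Parse one Vendor-Specific attribute from `buf`.

    Returns (vendor_id, vendor_type, vendor_value); raises MalformedAttribute
    when any length field disagrees with the bytes available."""
    if len(buf) < 2:
        raise MalformedAttribute("attribute header truncated")
    attr_type, attr_len = buf[0], buf[1]
    if attr_type != VENDOR_SPECIFIC:
        raise MalformedAttribute(f"type {attr_type} is not Vendor-Specific")
    # Outer length must be plausible and must not claim more bytes than we hold.
    if attr_len < VSA_MIN_LEN or attr_len > len(buf):
        raise MalformedAttribute(f"length {attr_len} vs {len(buf)} bytes available")
    vendor_id = struct.unpack("!I", buf[2:6])[0]
    vendor_type, vendor_len = buf[6], buf[7]
    # Inner length must fit inside the outer attribute; trusting it blindly is
    # what lets a crafted packet read past the end of the buffer.
    if vendor_len < 2 or 6 + vendor_len > attr_len:
        raise MalformedAttribute(f"vendor length {vendor_len} overruns attribute")
    return vendor_id, vendor_type, bytes(buf[8:6 + vendor_len])


def is_malformed(buf):
    """True if parse_vsa rejects `buf`."""
    try:
        parse_vsa(buf)
    except MalformedAttribute:
        return True
    return False


def build_vsa(vendor_id, vendor_type, value):
    """Build a well-formed VSA (used only to construct the samples below)."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + inner
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed samples; vendor id and attribute text are illustrative only.
GOOD = build_vsa(9, 1, b"shell:priv-lvl=15")
TRUNCATED = GOOD[:10]                       # cut off mid-value
OVERLONG_INNER = bytearray(GOOD)
OVERLONG_INNER[7] = 200                     # Vendor-Length claims far more than exists
OVERLONG_INNER = bytes(OVERLONG_INNER)

if __name__ == "__main__":
    print(parse_vsa(GOOD))
    print("truncated rejected:", is_malformed(TRUNCATED))
    print("overlong inner rejected:", is_malformed(OVERLONG_INNER))
```

Note the two separate comparisons: the outer Length against the buffer, and the inner Vendor-Length against the outer Length rather than against the buffer. Checking only the second against the buffer would still let an inner length run into whatever attribute follows in the same packet.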
python-keystoneclient: password disclosure
| Package(s): | python-keystoneclient | CVE #(s): | CVE-2013-2013 |
| Created: | June 28, 2013 | Updated: | September 18, 2013 |
| Description: | From the openSUSE bug report: OpenStack keystone places a username and password on the command line, which allows local users to obtain credentials by listing the process. |
| Alerts: | |
python-keystoneclient: multiple vulnerabilities
| Package(s): | python-keystoneclient | CVE #(s): | CVE-2013-2166 CVE-2013-2167 |
| Created: | June 28, 2013 | Updated: | July 3, 2013 |
| Description: | From the Red Hat advisory: A flaw was found in the way python-keystoneclient handled encrypted data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to ENCRYPT to help prevent tampering, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to bypass intended restrictions and modify data in memcached that will later be used by services utilizing python-keystoneclient (such as Nova, Cinder, Swift, Glance, and so on). (CVE-2013-2166) A flaw was found in the way python-keystoneclient verified data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to MAC to perform signature checking, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to modify data in memcached that will later pass signature checking in python-keystoneclient. (CVE-2013-2167) |
| Alerts: | |
ruby: SSL server spoofing
| Package(s): | ruby | CVE #(s): | CVE-2013-4073 |
| Created: | June 28, 2013 | Updated: | August 6, 2013 |
| Description: | From the Ruby advisory: When a CA a SSL client trusts allows to issue the server certificate that has null byte in subjectAltName, remote attackers can obtain the certificate for ‘www.ruby-lang.org\0.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and do man-in-the-middle between Ruby’s SSL client and SSL servers. |
| Alerts: | |
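The Ruby entry is the embedded-NUL certificate problem: a dNSName in subjectAltName is a length-prefixed ASN.1 string and may contain a 0x00 byte, but code that hands it to a C-string routine sees only the part before the NUL. The following added example (not Ruby's code) models both behaviours on the advisory's own example name: the vulnerable matcher truncates at the NUL the way a C-string comparison would, the fixed matcher rejects any SAN entry containing a NUL before comparing. The SAN lists are constructed; no certificate parsing is involved.

```python
"""Hostname matching against subjectAltName dNSName entries with an embedded NUL.

Added example, not Ruby's code. `match_hostname_vulnerable` models a
comparison that stops at the first NUL (C-string semantics); the fixed
version refuses names containing NUL and compares the whole string."""


def match_hostname_vulnerable(san_dns_name, host):
    """Models a C-string comparison: everything after the first NUL is ignored."""
    seen = san_dns_name.split("\0", 1)[0]
    return seen.lower() == host.lower()


def match_hostname_fixed(san_dns_name, host):
    """Rejects names with an embedded NUL, then compares the full string.

    A legitimate DNS name never contains NUL, so rejecting outright is safe
    and avoids any later truncation by C-string based code."""
    if "\0" in san_dns_name:
        return False
    return san_dns_name.lower() == host.lower()


def check_cert(san_dns_names, host, matcher):
    """True if any SAN dNSName in the certificate matches `host` under `matcher`."""
    return any(matcher(name, host) for name in san_dns_names)


# Constructed SAN lists. The first uses the advisory's example name, the
# certificate a CA might issue to whoever controls example.com.
SPOOFED_SANS = ["www.ruby-lang.org\0.example.com"]
LEGIT_SANS = ["www.ruby-lang.org", "ruby-lang.org"]

if __name__ == "__main__":
    host = "www.ruby-lang.org"
    print("vulnerable accepts spoofed cert:", check_cert(SPOOFED_SANS, host, match_hostname_vulnerable))
    print("fixed accepts spoofed cert:     ", check_cert(SPOOFED_SANS, host, match_hostname_fixed))
    print("fixed accepts legitimate cert:  ", check_cert(LEGIT_SANS, host, match_hostname_fixed))
```

The same rule belongs on any string pulled out of a DER structure and later treated as text: check the declared length against the bytes present and refuse embedded NULs, rather than trusting whatever a C API happens to see.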
wireshark: two dissector vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-4079 CVE-2013-4080 |
| Created: | June 27, 2013 | Updated: | September 30, 2013 |
| Description: | From the Mageia advisory: The GSM CBCH dissector could crash (CVE-2013-4079). The Assa Abloy R3 dissector could consume excessive memory and CPU (CVE-2013-4080). |
| Alerts: | |
wordpress: multiple vulnerabilities
| Package(s): | wordpress | CVE #(s): | CVE-2013-2173 CVE-2013-2199 CVE-2013-2200 CVE-2013-2201 CVE-2013-2202 CVE-2013-2203 CVE-2013-2204 CVE-2013-2205 |
| Created: | July 2, 2013 | Updated: | July 3, 2013 |
| Description: | From the Mageia advisory: A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of Wordpress would lead to excessive CPU consumption (CVE-2013-2173). Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199). Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors (CVE-2013-2200). Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201). The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202). If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203). Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204). Cross-domain XSS in SWFUpload (CVE-2013-2205). |
| Alerts: | |
xdm: denial of service
| Package(s): | xdm | CVE #(s): | CVE-2013-2179 |
| Created: | July 2, 2013 | Updated: | July 3, 2013 |
| Description: | From the openSUSE advisory: xdm was updated on crypt() NULL pointer crashes: |
| Alerts: | |
xen: multiple vulnerabilities
| Package(s): | xen | CVE #(s): | CVE-2013-2211 CVE-2013-1432 |
| Created: | July 2, 2013 | Updated: | July 19, 2013 |
| Description: | From the Mageia advisory: CVE-2013-2211: libxl allows guest write access to sensitive console related xenstore keys. CVE-2013-1432: Page reference counting error due to XSA-45/CVE-2013-1918 fixes. |
| Alerts: | |
xml-security-c: code execution
| Package(s): | xml-security-c | CVE #(s): | CVE-2013-2210 |
| Created: | June 28, 2013 | Updated: | July 3, 2013 |
| Description: | From the Debian advisory: Jon Erickson of iSIGHT Partners Labs discovered a heap overflow in xml-security-c, an implementation of the XML Digital Security specification. The fix to address CVE-2013-2154 introduced the possibility of a heap overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code, possibly leading to arbitrary code execution. |
| Alerts: | |
Page editor: Jake Edge