Security
Known-exploit detection for the kernel
An attacker might try a number of different kernel exploits before actually getting one that works with a specific running kernel. If the kernel were instrumented to detect the failed attempts, it could alert system administrators about an in-progress attack in addition to returning an error code to the attacker. That's the idea behind a patch set proposed by Vegard Nossum: complain loudly when someone attempts to exploit a closed security hole.
Any given kernel will have both patched and unpatched vulnerabilities; hopefully the latter are far fewer than the former. When targeting a system, attackers can either figure out which kernel version is running and what vulnerabilities it is likely to have, or they can just try to exploit a bunch of recent vulnerabilities. Many attacks seem to be of this untargeted, mass-attack style, so recognizing and flagging failed attempts may help administrators put a stop to the attacks.
Nossum suggested adding an exploit() annotation to the fixes for specific kinds of now-closed security holes. For example, in sock_alloc_send_pskb() from net/core/sock.c:
    if (npages > MAX_SKB_FRAGS) {
        exploit("CVE-2012-2136");
        goto failure;
    }
In suitably configured kernels, that would put out a rate-limited message to the system logs noting a "possible exploit attempt". But, he said, the annotations should not be for all bugs, nor should they have an unlimited lifespan:
I also propose to keep each exploit() annotation around for only ~5 years after the bug was discovered/fixed. This will allow us to catch most of the intrusion attempts while still not littering the kernel code forever.
The reaction has largely been positive, though there were some concerns and quibbles. Ted Ts'o wondered if malware writers would just start checking kernel versions more carefully to avoid setting off the alarms. But Kees Cook is not convinced that testing for kernel versions will be all that effective:
Ts'o disagreed, as he believes the landscape mostly consists of distribution kernels: "testing for various distribution kernel versions, as well as specific ChromeOS and Android kernel versions, wouldn't be that difficult for an attacker, and would probably allow them to avoid detection for 99% of the Linux systems found in the wild".
Cook noted that careful attackers aren't really the focus of this work. He believes that there are a lot more custom kernels installed than Ts'o does, but recognizes there is no real way to know. There are "sloppy attackers", though, who will probe all kinds of kernels without doing any checks first—Nossum's patches would potentially catch some of those.
Furthermore, Ts'o is skeptical that the enterprise distributions will even build with the CONFIG_EXPLOIT_DETECTION flag turned on. The support burden for explaining false positives (and actual attacks for that matter) might be rather high. While not speaking in any official capacity, Jiri Kosina said that he suspected SUSE would indeed turn off exploit detection to try to "maintain sanity of our support engineers".
Ryan Mallon is worried that attackers will just clean out the logs as soon as they hit upon a successful attack. But Ingo Molnar pointed out that many sites do not rely on log files on the local disk, but instead use the network or append-only media to protect their logs.
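As an added defender-side example, not code from Nossum's patch set: a small C scanner that consumes the exploit() messages on a central log host and flags any uid that has tripped several distinct closed holes, the "sloppy attacker" pattern discussed above. The message layout (`possible exploit attempt: <CVE> uid=<n> ...`), the threshold of three and the sample log lines are all assumptions constructed here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UIDS 32
#define MAX_CVES 16
#define CVE_LEN 24
#define PROBE_THRESHOLD 3   /* distinct closed holes one uid must hit before we alert */

/* Assumed message layout; the article does not give the patch set's exact wording. */
#define MARKER "possible exploit attempt: "

struct uid_stat {
    unsigned uid;
    unsigned attempts;              /* every exploit() hit, repeats included */
    unsigned n_cves;                /* distinct CVE tags seen for this uid */
    char cves[MAX_CVES][CVE_LEN];
};

struct report {
    unsigned n_uids;
    struct uid_stat uids[MAX_UIDS];
};

/* Constructed sample log lines: syslog prefix plus the assumed kernel message. */
static const char *const SAMPLE_LOG[] = {
    "Dec 18 10:01:02 host kernel: possible exploit attempt: CVE-2012-2136 uid=1000 pid=4242 comm=a.out",
    "Dec 18 10:01:02 host kernel: possible exploit attempt: CVE-2012-2136 uid=1000 pid=4242 comm=a.out",
    "Dec 18 10:01:03 host kernel: possible exploit attempt: CVE-2013-2929 uid=1000 pid=4243 comm=a.out",
    "Dec 18 10:01:04 host sshd[900]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2",
    "Dec 18 10:01:05 host kernel: possible exploit attempt: CVE-2013-2930 uid=1000 pid=4244 comm=a.out",
    "Dec 18 10:02:10 host kernel: possible exploit attempt: CVE-2013-4513 uid=1001 pid=5100 comm=bench",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* Pull the CVE tag and uid out of one line; returns 0 if it is not an exploit() message. */
static int parse_line(const char *line, char *cve, unsigned *uid)
{
    const char *p = strstr(line, MARKER);
    if (!p)
        return 0;
    p += strlen(MARKER);
    return sscanf(p, "%23s uid=%u", cve, uid) == 2;
}

static struct uid_stat *find_or_add_uid(struct report *r, unsigned uid)
{
    for (unsigned i = 0; i < r->n_uids; i++)
        if (r->uids[i].uid == uid)
            return &r->uids[i];
    if (r->n_uids == MAX_UIDS)
        return NULL;                /* table full: drop rather than overflow */
    struct uid_stat *s = &r->uids[r->n_uids++];
    memset(s, 0, sizeof *s);
    s->uid = uid;
    return s;
}

static void record_cve(struct uid_stat *s, const char *cve)
{
    for (unsigned i = 0; i < s->n_cves; i++)
        if (strcmp(s->cves[i], cve) == 0)
            return;                 /* same hole again: counted in attempts, not as a new CVE */
    if (s->n_cves < MAX_CVES)
        strcpy(s->cves[s->n_cves++], cve);
}

/* Fill r from the lines; return how many uids probed at least PROBE_THRESHOLD distinct CVEs. */
unsigned analyze_log(const char *const *lines, size_t n, struct report *r)
{
    char cve[CVE_LEN];
    unsigned uid, flagged = 0;

    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < n; i++) {
        if (!parse_line(lines[i], cve, &uid))
            continue;
        struct uid_stat *s = find_or_add_uid(r, uid);
        if (!s)
            continue;
        s->attempts++;
        record_cve(s, cve);
    }
    for (unsigned i = 0; i < r->n_uids; i++)
        if (r->uids[i].n_cves >= PROBE_THRESHOLD)
            flagged++;
    return flagged;
}

int main(void)
{
    struct report r;
    unsigned flagged = analyze_log(SAMPLE_LOG, SAMPLE_LOG_LEN, &r);
    for (unsigned i = 0; i < r.n_uids; i++)
        printf("uid %u: %u attempts across %u distinct CVEs\n",
               r.uids[i].uid, r.uids[i].attempts, r.uids[i].n_cves);
    printf("%u uid(s) over the threshold of %d\n", flagged, PROBE_THRESHOLD);
    return 0;
}
```

Counting distinct CVEs rather than raw hits is what separates one buggy program retrying a single call from a process walking through a list of known holes; the kernel's own rate limiting only suppresses repeats of the same message.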
The logistics of adding the annotations as well as maintaining them going forward was another area of concern. Cook volunteered to help add annotations, but wanted to make sure that he wasn't the only one doing so. Dave Jones wondered about tests to ensure the triggers are still firing correctly when code around them changes. James Morris is also concerned about the long-term maintenance of the triggers. He is not at all sure that the feature belongs in the mainline "without at least first being proven in the field".
Adding tests could also help ensure that a vulnerability doesn't get reintroduced, which is something that has happened several times in the past, as Molnar pointed out. In addition, he said, annotating earlier bugs will help alert kernel developers to "'hotspot' areas in the kernel that tend to attract more bugs than others". The annotations will also help point out dangerous patterns in the code.
Nossum has been maintaining the patch set for around six months at this point. It consists of two base patches, one that adds the exploit() call and another to hook it into the audit subsystem, and then seven patches to add annotations for CVEs from the past two years. The latter patches are largely "one-liners in the error path of a specific input validation check". He doesn't believe there is much of a maintenance burden for the triggers and plans to maintain a public git repository with the patches going forward.
Linus Torvalds was generally in favor of the idea: "I think that it's a good idea to at least have the option to complain about certain errors, and leave markers in the logs about things that look suspicious." But he doesn't want to see annotations added for random CVEs, just those that are actually being used by rootkits or other malware. Cook and Nossum both seem to be on the same page with Torvalds; that only "serious privilege escalation issues" (in Cook's words) get annotated.
While it may not catch that many attackers, catching even one is clearly better than none. Given that the patch is lightweight, and has a low maintenance burden, it wouldn't be a surprise to see it get added to the mainline before too long. As Molnar suggested, for more security-sensitive installations, exploit() could be turned into a more active deterrent that freezes all tasks being run by the suspected UID. It could certainly be a useful tool in the ever-escalating battle between administrators and attackers.
Brief items
Security quotes of the week
Tor didn't break; Kim did.
If Brazil hears only one thing from me, let it be this: when all of us band together against injustices and in defence of privacy and basic human rights, we can defend ourselves from even the most powerful systems.
EFF: Google removes vital privacy feature from Android
The Electronic Frontier Foundation has put out a release bemoaning the removal of the "AppOps" feature from the Android 4.4.2 release. "When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it." AppOps allows the tweaking of individual permissions for apps; it will be interesting to see whether CyanogenMod finds a way to retain support for this feature.
Deslauriers: Ubuntu Touch and User Privacy
On his blog, Ubuntu "For example, instead of granting permission to directly access all of the user’s contact list, an application can request access to a contact. The system address book will then display a list of contacts to the user and only the specific contact selected by the user will be sent to the application. The application only has access to the contact which was specifically authorized by the user. If a flashlight application needs access to a user contact in order for a “Recommend this app to friends!” button to work, the user will be making an informed choice, as the request will be the direct result of having pressed the button. The flashlight app can be used without fear of it accessing contact information during normal usage." AppArmor is used behind the scenes to confine the apps.
New vulnerabilities
curl: information disclosure
| Package(s): | curl | CVE #(s): | CVE-2013-6422 |
| Created: | December 18, 2013 | Updated: | December 20, 2013 |
| Description: | From the Ubuntu advisory: Marc Deslauriers discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled in the GnuTLS backend. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. |
djvulibre: code execution
| Package(s): | djvulibre | CVE #(s): | CVE-2012-6535 |
| Created: | December 17, 2013 | Updated: | February 10, 2014 |
| Description: | From the CVE entry: DjVuLibre before 3.5.25.3, as used in Evince, Sumatra PDF Reader, VuDroid, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted DjVu (aka .djv) file. |
gnupg: side channel attack
| Package(s): | gnupg | CVE #(s): | CVE-2013-4576 |
| Created: | December 18, 2013 | Updated: | June 27, 2014 |
| Description: | From the Debian advisory: Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts. |
hdapsd: unspecified vulnerability
| Package(s): | hdapsd | CVE #(s): | |
| Created: | December 16, 2013 | Updated: | December 23, 2013 |
| Description: | From the Fedora advisory: New version with minor fixes and mitigating possible security issue. |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-2929 CVE-2013-2930 CVE-2013-4513 CVE-2013-4587 CVE-2013-6376 CVE-2013-6381 CVE-2013-6383 |
| Created: | December 18, 2013 | Updated: | May 8, 2014 |
| Description: | From the Mageia advisory: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h (CVE-2013-2929) The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930) Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation. (CVE-2013-4513) Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value (CVE-2013-4587) The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. (CVE-2013-6376) Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size. (CVE-2013-6381) The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (CVE-2013-6383) |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-4512 CVE-2013-4514 CVE-2013-4515 CVE-2013-6763 |
| Created: | December 18, 2013 | Updated: | December 18, 2013 |
| Description: | From the Mandriva advisory: Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation (CVE-2013-4512). Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions (CVE-2013-4514). The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call (CVE-2013-4515). The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511 (CVE-2013-6763). |
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-6367 CVE-2013-6368 |
| Created: | December 13, 2013 | Updated: | February 14, 2014 |
| Description: | From the Red Hat advisory: A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. (CVE-2013-6367, Important) A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) |
libiodbc: code execution
| Package(s): | libiodbc | CVE #(s): | |
| Created: | December 17, 2013 | Updated: | December 18, 2013 |
| Description: | From the Slackware advisory: This update fixes an rpath pointing to a location in /tmp that was found in two test programs (iodbctest and iodbctestw). This could have allowed a local attacker with write access to /tmp to add modified libraries (and execute arbitrary code) as any user running the test programs. |
llvm: code execution
| Package(s): | llvm | CVE #(s): | |
| Created: | December 17, 2013 | Updated: | December 18, 2013 |
| Description: | From the Slackware advisory: The LLVM package included binaries with an rpath pointing to the build location in /tmp. This allows an attacker with write access to /tmp to add modified libraries (and execute arbitrary code) as any user running the LLVM binaries. This updated package rebuilds LLVM to exclude the build directories from the rpath information. |
mit-krb5: denial of service
| Package(s): | mit-krb5 | CVE #(s): | CVE-2013-6800 |
| Created: | December 17, 2013 | Updated: | December 18, 2013 |
| Description: | From the CVE entry: An unspecified third-party database module for the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request, a different vulnerability than CVE-2013-1418. |
monitorix: three vulnerabilities
| Package(s): | monitorix | CVE #(s): | CVE-2013-7070 CVE-2013-7071 CVE-2013-7072 |
| Created: | December 13, 2013 | Updated: | December 18, 2013 |
| Description: | From the Red Hat bugzilla entry: The issue is that the built-in HTTP server failed to adequately sanitize request strings of malicious JavaScript. So by leveraging this issue, an attacker may be able to inject arbitrary cookies. The same issue could also cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. Input passed via requests to the "handle_request()" function (lib/HTTPServer.pm) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. |
mozilla: information leak
| Package(s): | mozilla | CVE #(s): | CVE-2013-6629 CVE-2013-6630 |
| Created: | December 12, 2013 | Updated: | June 6, 2016 |
| Description: | From the Firefox advisory page: Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft. (CVE-2013-6629, CVE-2013-6630) |
MRG: multiple vulnerabilities
| Package(s): | MRG | CVE #(s): | CVE-2013-4404 CVE-2013-4405 CVE-2013-4414 CVE-2013-4461 |
| Created: | December 18, 2013 | Updated: | December 18, 2013 |
| Description: | From the Red Hat advisory: A flaw was found in the way cumin enforced user roles, allowing an unprivileged cumin user to access a range of resources without having the appropriate role. A remote, authenticated attacker could use this flaw to access privileged information, and perform a variety of privileged operations. (CVE-2013-4404) It was found that multiple forms in the cumin web interface did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who is logged into the cumin web interface, into visiting a specially crafted URL, the attacker could perform actions in the context of the logged in user. (CVE-2013-4405) It was found that cumin did not properly escape input from the "Max allowance" field in the "Set limit" form of the cumin web interface. A remote attacker could use this flaw to perform cross-site scripting (XSS) attacks against victims by tricking them into visiting a specially crafted URL. (CVE-2013-4414) A flaw was found in the way cumin parsed POST request data. A remote attacker could potentially use this flaw to perform SQL injection attacks on cumin's database. (CVE-2013-4461) |
nbd: incorrect access control
| Package(s): | nbd | CVE #(s): | CVE-2013-6410 |
| Created: | December 12, 2013 | Updated: | December 18, 2013 |
| Description: | From the Red Hat bug report: Due to incorrect use of strncmp() in the parser for this file, however, it would allow clients to connect so long as their IP address in ASCII representation would start with something in the ACL file; e.g., 198.51.100.12 would be allowed if 198.51.100.1 was listed. |
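The prefix-match flaw this entry describes, reconstructed as an added C example rather than nbd's own code: the ACL text, `acl_check()` and the two `acl_allows_*()` functions are constructed here to put the strncmp()-over-entry-length comparison beside the exact-match form that closes the hole.

```c
#include <stdio.h>
#include <string.h>

/* Constructed ACL file contents: one permitted client address per line. */
static const char SAMPLE_ACL[] =
    "198.51.100.1\n"
    "203.0.113.7\n";

/* Walk the ACL text line by line.  With prefix_match set, each entry is compared
 * with strncmp() over the entry's length only, which is the flawed behaviour the
 * advisory describes; otherwise the client address must match the entry in full. */
static int acl_check(const char *acl_text, const char *client_ip, int prefix_match)
{
    const char *line = acl_text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (len > 0) {
            int same_prefix = strncmp(client_ip, line, len) == 0;
            if (prefix_match ? same_prefix : (same_prefix && strlen(client_ip) == len))
                return 1;
        }
        line = end ? end + 1 : line + len;
    }
    return 0;
}

/* Vulnerable form: 198.51.100.12 is accepted because 198.51.100.1 is listed. */
int acl_allows_buggy(const char *acl_text, const char *client_ip)
{
    return acl_check(acl_text, client_ip, 1);
}

/* Fixed form: only the exact addresses in the file are accepted. */
int acl_allows_fixed(const char *acl_text, const char *client_ip)
{
    return acl_check(acl_text, client_ip, 0);
}

int main(void)
{
    const char *clients[] = { "198.51.100.1", "198.51.100.12", "203.0.113.70", "192.0.2.9" };

    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-14s buggy=%d fixed=%d\n", clients[i],
               acl_allows_buggy(SAMPLE_ACL, clients[i]),
               acl_allows_fixed(SAMPLE_ACL, clients[i]));
    return 0;
}
```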
openjpeg: information leak
| Package(s): | mingw-openjpeg | CVE #(s): | CVE-2013-6053 |
| Created: | December 16, 2013 | Updated: | January 5, 2015 |
| Description: | From the Red Hat bugzilla: Raphael Geissert discovered out-of-bounds memory read flaws in OpenJPEG. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash or lead to information leaks. |
openstack-nova: multiple vulnerabilities
| Package(s): | openstack-nova | CVE #(s): | CVE-2013-4469 CVE-2013-4463 |
| Created: | December 12, 2013 | Updated: | January 31, 2014 |
| Description: | From the Red Hat bug reports: Pádraig Brady from Red Hat additionally discovered that OSSA 2013-012 did not fully address CVE-2013-2096 in the non-default case where use_cow_images=False, and malicious qcow images are being transferred from Glance. In that specific case, an authenticated user could still consume large amounts of disk space for each instance using the malicious image, potentially also resulting in a Denial of Service attack on Nova compute nodes. (CVE-2013-2096) Bernhard M. Wiedemann from SUSE reported a vulnerability in Nova's control of the size of disk images. By using malicious compressed qcow2 disk images, an authenticated user may consume large amounts of disk space for each image, potentially resulting in a Denial of Service attack on Nova compute nodes. (CVE-2013-4463) |
owncloud: security restriction bypass
| Package(s): | owncloud | CVE #(s): | CVE-2013-6403 |
| Created: | December 13, 2013 | Updated: | November 24, 2014 |
| Description: | From the Mageia advisory: Possible security bypass on admin page under certain circumstances and MariaDB (CVE-2013-6403). |
php: multiple vulnerabilities
| Package(s): | php5 | CVE #(s): | CVE-2013-6712 |
| Created: | December 12, 2013 | Updated: | December 18, 2013 |
| Description: | From the Ubuntu advisory: Stefan Esser discovered that PHP incorrectly parsed certificates. An attacker could use a malformed certificate to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6420) It was discovered that PHP incorrectly handled DateInterval objects. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2013-6712) |
qt4: denial of service
| Package(s): | qt4-x11, qtbase-opensource-src | CVE #(s): | CVE-2013-4549 |
| Created: | December 18, 2013 | Updated: | May 2, 2014 |
| Description: | From the Ubuntu advisory: It was discovered that QXmlSimpleReader in Qt incorrectly handled XML entity expansion. An attacker could use this flaw to cause Qt applications to consume large amounts of resources, resulting in a denial of service. |
rubygem-actionpack: cross-site scripting
| Package(s): | rubygem-actionpack | CVE #(s): | CVE-2013-6415 |
| Created: | December 18, 2013 | Updated: | December 18, 2013 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. |
rubygem-actionpack: multiple vulnerabilities
| Package(s): | rubygem-actionpack | CVE #(s): | CVE-2013-4491 CVE-2013-6414 CVE-2013-6417 |
| Created: | December 18, 2013 | Updated: | December 18, 2013 |
| Description: | From the CVE entries: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. (CVE-2013-4491) actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. (CVE-2013-6414) actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155. (CVE-2013-6417) |
thttpd: world readable logfile
| Package(s): | thttpd | CVE #(s): | CVE-2013-0348 |
| Created: | December 13, 2013 | Updated: | January 6, 2014 |
| Description: | From the Novell bugzilla entry: Agostino Sarubbo reported back in February that thttpd creates a world readable log file. |
webyast: privilege escalation
| Package(s): | webyast | CVE #(s): | CVE-2013-3709 |
| Created: | December 17, 2013 | Updated: | January 6, 2014 |
| Description: | From the SUSE advisory: Local privilege escalation via secret rails tokens execution. This vulnerability was reported by joernchen of Phenoelit. |
wireshark: denial of service
| Package(s): | wireshark | CVE #(s): | CVE-2013-5717 |
| Created: | December 17, 2013 | Updated: | December 18, 2013 |
| Description: | From the CVE entry: The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c. |
xen: denial of service
| Package(s): | xen | CVE #(s): | CVE-2013-6885 |
| Created: | December 17, 2013 | Updated: | March 28, 2014 |
| Description: | From the CVE entry: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. |
xorg-server: code execution
| Package(s): | xorg-server | CVE #(s): | CVE-2013-6424 |
| Created: | December 18, 2013 | Updated: | January 22, 2014 |
| Description: | From the Debian advisory: Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code. |
xtrabackup: poor encryption
| Package(s): | xtrabackup | CVE #(s): | CVE-2013-6394 |
| Created: | December 13, 2013 | Updated: | February 18, 2014 |
| Description: | From the Novell bugzilla entry: A fixed initialization vector (constant string) was used while encrypting the data. This opened the encrypted stream/data to plaintext attacks among others. |
zabbix: remote command execution
| Package(s): | zabbix | CVE #(s): | CVE-2013-6824 |
| Created: | December 13, 2013 | Updated: | January 23, 2014 |
| Description: | From the Red Hat bugzilla entry: It is found that if a flexible user parameter is configured in the agent, including a newline in the parameters will execute newline section as a separate command even if UnsafeUserParameters are disabled. This type of attack is known to be only possible from Zabbix server or Zabbix proxy systems that are explicitly allowed in the agent configuration. Only flexible user parameters are vulnerable, static ones are not. |
Page editor: Jake Edge