Security
A new Dual EC DRBG flaw
The dual elliptic curve deterministic random bit generator (Dual EC DRBG) cryptographic algorithm has a dubious history—it is believed to have been backdoored by the US National Security Agency (NSA)—but is mandated by the FIPS 140-2 US government cryptographic standard. That means that any cryptographic library project that is interested in getting FIPS 140-2 certified needs to implement the discredited random number algorithm. But, since certified libraries cannot change a single line—even to fix major, fatal bugs—having a non-working version of Dual EC DRBG may actually be the best defense against the backdoor. Interestingly, that is exactly where the OpenSSL project finds itself.
OpenSSL project manager Steve Marquess posted the tale to the openssl-announce mailing list on December 19. It is, he said, "an unusual bug report for an unusual situation". It turns out that the Dual EC DRBG implementation in OpenSSL is fatally flawed, to the point where using it at all will either crash or stall the program. Given that the FIPS-certified code cannot be changed without invalidating the certification, and that the bug has existed since the introduction of Dual EC DRBG into OpenSSL, it is clear that no one has actually used that algorithm from OpenSSL. It did, however, pass the testing required for the certification somehow.
It is also interesting to note that the financial sponsor of the feature adding support for Dual EC DRBG, who is not named, did so after the algorithm was already known to be questionable. It was part of a request to implement all of SP 800-90A, which is a suite of four DRBGs that Marquess called "more or less mandatory" for FIPS certification. At the time, the project recognized the "dubious reputation" of Dual EC DRBG, but also considered OpenSSL to be a comprehensive library and toolkit: "As such it implements many algorithms of varying strength and utility, from worthless to robust." Dual EC DRBG was not even enabled by default, but it was put into the library.
The bug was discovered by Stephen Checkoway and Matt Green of the Johns Hopkins University Information Security Institute, Marquess said. Though there is a one-line patch to fix the problem included with the bug report, there are no plans to apply it. Instead, OpenSSL will be removing the Dual EC DRBG code from its next FIPS-targeted version. The US National Institute of Standards and Technology (NIST), which oversees FIPS and other government cryptography standards, has recently recommended not using Dual EC DRBG [PDF]. Since that recommendation, Dual EC DRBG has been disabled in OpenSSL anyway. Because there is essentially the same amount of testing required for fixing or removing the algorithm (for FIPS recertification), removal seems like the right course.
The problem stems from a requirement in FIPS that each block of output random numbers not match the previous block. It is, effectively, a crude test that the algorithm is actually producing random-looking data (and not repeating blocks of zeroes, for example). When there is no previous block to compare against, OpenSSL generates one that should be discarded after the comparison. But the Dual EC DRBG implementation botched the discard operation by not updating the state correctly.
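To make the failure mode concrete, here is an added example (not OpenSSL's code): a toy generator wrapped in the kind of continuous test described above, with a switch that either advances the state when the comparison-only first block is discarded (correct) or leaves the state untouched (a botched discard). The generator is a constructed xorshift64 step rather than Dual EC DRBG, and the function and type names are assumptions for this illustration.

```c
/*
 * Added example (not OpenSSL's code): a toy DRBG wrapped in a FIPS-style
 * "continuous test" that rejects an output block identical to the previous
 * one. The generator is a constructed xorshift64 step, not Dual EC DRBG;
 * what matters is the bookkeeping around the first, comparison-only block.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES 8

typedef struct {
    uint64_t state;                   /* toy internal state, never zero */
    uint8_t  last_block[BLOCK_BYTES]; /* previous block for the comparison */
    int      have_last;               /* 0 until a comparison block exists */
} toy_drbg;

static void toy_drbg_init(toy_drbg *d, uint64_t seed)
{
    d->state = seed ? seed : 0x9E3779B97F4A7C15ULL;
    d->have_last = 0;
    memset(d->last_block, 0, BLOCK_BYTES);
}

/* Compute the next block from the state; advance the state only if asked. */
static void next_block(toy_drbg *d, uint8_t out[BLOCK_BYTES], int advance)
{
    uint64_t x = d->state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;   /* xorshift64, full period */
    if (advance)
        d->state = x;
    memcpy(out, &x, BLOCK_BYTES);
}

/*
 * Generate one block under the continuous test. On the first call a block is
 * produced purely to seed the comparison and is discarded. 'discard_advances'
 * selects whether that discarded block advances the state (correct) or leaves
 * it untouched (a botched discard). Returns 0 on success, -1 when the new
 * block equals the previous one, i.e. the continuous test fails.
 */
static int generate(toy_drbg *d, uint8_t out[BLOCK_BYTES], int discard_advances)
{
    if (!d->have_last) {
        next_block(d, d->last_block, discard_advances);
        d->have_last = 1;
    }
    next_block(d, out, 1);
    if (memcmp(out, d->last_block, BLOCK_BYTES) == 0)
        return -1;                     /* continuous test failure */
    memcpy(d->last_block, out, BLOCK_BYTES);
    return 0;
}

/* Correct discard: the first two real blocks both pass and differ. */
static int correct_discard_works(void)
{
    toy_drbg d; uint8_t a[BLOCK_BYTES], b[BLOCK_BYTES];
    toy_drbg_init(&d, 42);
    if (generate(&d, a, 1) != 0 || generate(&d, b, 1) != 0)
        return 0;
    return memcmp(a, b, BLOCK_BYTES) != 0;
}

/* Botched discard: the very first real block repeats the discarded one, so
 * the test fails on every attempt and the generator is unusable. */
static int botched_discard_fails(void)
{
    toy_drbg d; uint8_t a[BLOCK_BYTES];
    toy_drbg_init(&d, 42);
    return generate(&d, a, 0);
}

int main(void)
{
    printf("correct discard: %s\n",
           correct_discard_works() ? "blocks differ, test passes" : "FAIL");
    printf("botched discard: %s\n",
           botched_discard_fails() == -1 ? "first block rejected, every call fails"
                                         : "passed?");
    return 0;
}
```

The botched path is the interesting one: because the discarded block was computed without moving the state forward, the first "real" block is bit-for-bit the same as the one it is compared against, and the test can never succeed. A caller that retries on failure spins; one that treats failure as fatal aborts, which matches the "crash or stall" described in the bug report.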
Dual EC DRBG was under suspicion for other reasons even before it was adopted by NIST in 2006. In 2007, Bruce Schneier raised the alarm about an NSA backdoor in the algorithm. For one thing, Dual EC DRBG is different from the other three algorithms specified in SP 800-90A in that it is three orders of magnitude slower and that it was only added at the behest of the NSA. It was found that the elliptic curve constants chosen by NIST (with unspecified provenance) could be combined with another set of numbers—not generally known, except possibly by the NSA—to predict the output of the random number generator after observing 32 bytes of its output. Those secret numbers could have been generated at the same time the EC constants were, but it is unknown if they actually were.
The NIST standards were a bit unclear about whether the EC constants were required, but Marquess noted that the testing lab required using the constants (aka "points").
So, what we have here is a likely backdoored algorithm that almost no one used (evidently unless they were paid $10 million) added to an open-source cryptography library funded by money from an unnamed third party. After "rigorous" testing, that code was certified as conforming to a US government cryptographic standard, but it never actually worked at all. According to Marquess: "Frankly the FIPS 140-2 validation testing isn't very useful for catching 'real world' problems."
It is almost comical (except to RSA's BSafe customers, anyway), but it does highlight some fundamental problems in the US (and probably other) government certification process. Not finding this bug is one thing, but not being able to fix it (or, more importantly, being unable to fix a problem in an actually useful cryptographic algorithm) without spending lots of time and money on recertification seems entirely broken. The ham-fisted way that the NSA went about putting the backdoor into the standard is also nearly amusing. If all its attempts were similarly obvious and noisy, we wouldn't have much to worry about—unfortunately that seems unlikely to be the case.
One other thing to possibly consider: did someone on the OpenSSL project "backdoor" the Dual EC DRBG implementation such that it could never work, but would pass the certification tests? Given what was known about the algorithm and how unlikely it was that it would ever be used by anyone with any cryptographic savvy, it may have seemed like a nice safeguard to effectively disable the backdoor. Perhaps that is far-fetched, but one can certainly imagine a developer being irritated by having to implement the NSA's broken random number generator—and doing something about it. Either way, we will probably never really know for sure.
Brief items
Security quotes of the week
If there are any other skeletons in the closet, it’s probably a good time to air them out before we find out there’s other things you repeatedly did not disclose. Look on the bright side: can it really be any worse than that time you had to replace every single freakin’ token in the world?
All of these serious terrorism cases argue not for the gathering of ever vaster troves of information but simply for a better understanding of the information the government has already collected and that are derived from conventional law enforcement and intelligence methods.
GNUnet 0.10.0 released
The GNUnet secure peer-to-peer networking framework has released version 0.10.0. "This release represents a major overhaul of the cryptographic primitives used by the system. GNUnet used RSA 2048 since its inception in 2001, but as of GNUnet 0.10.0, we are "powered by Curve25519". Naturally, changing cryptographic primitives like this breaks backwards compatibility entirely. We have used this opportunity to implement protocol improvements all over the system." GNUnet provides four applications: anonymous censorship-resistant file-sharing, a virtual private network (VPN) service, the GNU name system (GNS), a fully-decentralized and censorship-resistant replacement for DNS, and GNUnet Conversation, which allows voice calls to be made over GNUnet.
Huang: On Hacking MicroSD Cards
Worth a read: this posting by Andrew "bunnie" Huang on loading new firmware into a MicroSD card. "From the security perspective, our findings indicate that even though memory cards look inert, they run a body of code that can be modified to perform a class of MITM attacks that could be difficult to detect; there is no standard protocol or method to inspect and attest to the contents of the code running on the memory card’s microcontroller. Those in high-risk, high-sensitivity situations should assume that a 'secure-erase' of a card is insufficient to guarantee the complete erasure of sensitive data."
New vulnerabilities
aaa_base: incorrect /etc/shadow permissions
| Package(s): | aaa_base | CVE #(s): | CVE-2013-3713 |
| Created: | December 27, 2013 | Updated: | January 1, 2014 |
| Description: | From the openSUSE advisory: On systems installed via the Live Media, the /etc/shadow file was readable by the "users" group, which was not intended. (bnc#843230, CVE-2013-3713) The reason for this was that the user "root" was put into the "users" group. |
ack: code execution
| Package(s): | ack | CVE #(s): | CVE-2013-7069 |
| Created: | December 20, 2013 | Updated: | January 28, 2014 |
| Description: | From the Red Hat bug report: A flaw was found in the way ack, a tool similar to grep, processed .ackrc files. If a local user ran ack in an attacker-controlled directory, it would lead to arbitrary code execution with the privileges of the user running ack. This issue affects versions 2.00 to 2.10 (such as the version in Fedora 19), and should be fixed in version 2.12. It does not affect versions below 2.00 (such as those in EPEL). |
asterisk: denial of service
| Package(s): | asterisk | CVE #(s): | CVE-2013-7100 |
| Created: | December 23, 2013 | Updated: | January 8, 2014 |
| Description: | From the Mageia advisory: Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and 11.x before 11.2-cert3 allows remote attackers to cause a denial of service (daemon crash) via a 16-bit SMS message. |
boinc-client: denial of service
| Package(s): | boinc-client | CVE #(s): | CVE-2013-2298 |
| Created: | December 27, 2013 | Updated: | January 1, 2014 |
| Description: | From the Red Hat bugzilla entry: Multiple stack overflow flaws were found in the way the XML parser of boinc-client, a Berkeley Open Infrastructure for Network Computing (BOINC) client for distributed computing, performed processing of certain XML files. A rogue BOINC server could provide a specially-crafted XML file that, when processed, would lead to a boinc-client executable crash. |
denyhosts: denial of service
| Package(s): | denyhosts | CVE #(s): | CVE-2013-6890 |
| Created: | December 23, 2013 | Updated: | January 5, 2015 |
| Description: | From the Debian advisory: Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user to forge crafted login names in order to make denyhosts ban arbitrary IP addresses. |
devscripts: command execution
| Package(s): | devscripts | CVE #(s): | CVE-2013-7050 |
| Created: | December 23, 2013 | Updated: | January 1, 2014 |
| Description: | From the CVE entry: The get_main_source_dir function in scripts/uscan.pl in devscripts before 2.13.8, when using USCAN_EXCLUSION, allows remote attackers to execute arbitrary commands via shell metacharacters in a directory name. |
eucalyptus: denial of service and information disclosure
| Package(s): | eucalyptus | CVE #(s): | CVE-2012-4067 CVE-2013-2296 |
| Created: | January 1, 2014 | Updated: | January 1, 2014 |
| Description: | Eucalyptus contains two vulnerabilities in the "Walrus" object store. An XML parsing problem (CVE-2012-4067, ESA-09) can enable unspecified denial of service attacks, while a missing authentication step (CVE-2013-2296, ESA-10) could allow unauthorized access to the internal bucket logs. |
horizon: information disclosure
| Package(s): | horizon | CVE #(s): | CVE-2013-6858 |
| Created: | December 20, 2013 | Updated: | April 4, 2014 |
| Description: | From the Ubuntu advisory: Chris Chapman discovered cross-site scripting (XSS) vulnerabilities in Horizon via the Volumes and Network Topology pages. An authenticated attacker could exploit these to conduct stored cross-site scripting (XSS) attacks against users viewing these pages in order to modify the contents or steal confidential data within the same domain. |
keystone: access control bypass
| Package(s): | keystone | CVE #(s): | CVE-2013-6391 |
| Created: | December 20, 2013 | Updated: | April 7, 2014 |
| Description: | From the Ubuntu advisory: Steven Hardy discovered that Keystone did not properly enforce trusts when using the ec2tokens API. An authenticated attacker could exploit this to retrieve a token not scoped to the trust and elevate privileges to the trustor's roles. |
libgadu: missing ssl certificate validation
| Package(s): | libgadu | CVE #(s): | CVE-2013-4488 |
| Created: | December 30, 2013 | Updated: | September 24, 2014 |
| Description: | From the Red Hat bugzilla: Libgadu, an open library for communicating using the protocol e-mail, was found to be missing SSL certificate validation. The issue is that libgadu uses the OpenSSL library for creating secure connections. A program using OpenSSL can perform an SSL handshake by invoking the SSL_connect function. Some certificate validation errors are signaled through the return value of SSL_connect, while for other errors SSL_connect returns OK but sets internal "verify result" flags. The application must call the SSL_get_verify_result function to check if any such errors occurred. This check seems to be missing in libgadu, and thus a man-in-the-middle attack is possible, defeating all the SSL protection. Upstream suggested that it was a conscious decision: as libgadu is a reverse-engineered implementation of a proprietary protocol, they had no control over the certificates used for SSL connections, so they would add a note to the documentation about this. |
libreswan: denial of service
| Package(s): | libreswan | CVE #(s): | CVE-2013-4564 |
| Created: | December 23, 2013 | Updated: | January 1, 2014 |
| Description: | From the Red Hat bugzilla: As noted in bug #1031818, libreswan suffers from a problem with the new ike_pad= feature that was implemented in version 3.6: During an effort to ignore IKEv2 minor version numbers as required for RFC-5996, complete parse errors of any IKE packets with version 2.1+ were mistakenly accepted for further processing. This causes a crash later on if the IKE packet is mangled (e.g. too short). Openswan turns out not to be vulnerable because it happens to abort on the mismatched IKE length versus packet length before it inspects the rest of the IKE header. And since reading an invalid IKE major aborts further parsing of the IKE header, the length remains at 0, and so it will always mismatch. |
memcached: multiple vulnerabilities
| Package(s): | memcached | CVE #(s): | CVE-2013-7239 CVE-2013-0179 |
| Created: | January 1, 2014 | Updated: | February 3, 2014 |
| Description: | From the Debian advisory: CVE-2011-4971: Stefan Bucur reported that memcached could be caused to crash by sending a specially crafted packet. CVE-2013-7239: It was reported that SASL authentication could be bypassed due to a flaw related to the management of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials. |
openssl: multiple vulnerabilities
| Package(s): | openssl | CVE #(s): | CVE-2013-6450 CVE-2013-6449 |
| Created: | January 1, 2014 | Updated: | December 29, 2014 |
| Description: | From the Debian advisory: Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support was susceptible to denial of service and retransmission of DTLS messages was fixed. In addition, this update disables the insecure Dual_EC_DRBG algorithm (which was unused anyway, see http://marc.info/?l=openssl-announce&m=13874711982232... for further information) and no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested. |
openssl: denial of service
| Package(s): | openssl | CVE #(s): | CVE-2013-6449 |
| Created: | December 23, 2013 | Updated: | January 6, 2014 |
| Description: | From the Red Hat bugzilla: A flaw was reported for OpenSSL 1.0.1e that can cause applications using OpenSSL to crash when using TLS version 1.2. The issue was reported via the following OpenSSL upstream ticket: http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest |
perl-Proc-Daemon: writes pidfile with mode 666
| Package(s): | perl-Proc-Daemon | CVE #(s): | CVE-2013-7135 |
| Created: | December 30, 2013 | Updated: | January 27, 2014 |
| Description: | From the Red Hat bugzilla: It was reported that perl-Proc-Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with mode 666. This might be a security issue. |
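The mechanism behind that report is worth seeing directly: a process that clears its umask to 0 and then creates a file with the conventional 0666 request gets a world-writable file, whereas the same request under a normal umask does not. The following added example (not Proc::Daemon's code, and written in C rather than Perl) creates a pid file under a constructed temporary directory with a chosen umask, writes the pid, and reports the permission bits the file actually received; the function names and the /tmp path are assumptions for the demonstration.

```c
/*
 * Added example (not Proc::Daemon code): how umask turns a requested 0666
 * pid-file mode into the mode on disk, and what a daemon that clears its
 * umask to 0 ends up creating. The /tmp path is constructed for the demo.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create a pid file in a fresh temporary directory using the given umask and
 * requested creation mode, then return the permission bits the file actually
 * received (st_mode & 0777). Returns -1 on any failure. The caller's umask is
 * restored before returning.
 */
static int pidfile_mode_under_umask(mode_t umask_value, mode_t requested)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";   /* constructed template */
    char path[64];
    char buf[32];
    struct stat st;
    mode_t saved;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/daemon.pid", dir);

    saved = umask(umask_value);              /* what the daemon does */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, requested);
    umask(saved);                            /* restore for the caller */
    if (fd >= 0) {
        int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
        if (write(fd, buf, (size_t)n) == n && fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* A mode with the other-write bit set lets any local user rewrite the pid
 * that the daemon (and its init script) will later trust. */
static int world_writable(int mode)
{
    return mode >= 0 && (mode & S_IWOTH) != 0;
}

int main(void)
{
    int bug   = pidfile_mode_under_umask(0, 0666);    /* umask 0, as reported */
    int fixed = pidfile_mode_under_umask(022, 0666);  /* conventional umask */

    printf("umask 0   -> %04o (world-writable: %s)\n",
           bug, world_writable(bug) ? "yes" : "no");
    printf("umask 022 -> %04o (world-writable: %s)\n",
           fixed, world_writable(fixed) ? "yes" : "no");
    return 0;
}
```

The same check (stat the pid file after the daemon starts and look for the other-write bit) is the quickest way to confirm whether a deployed daemon is affected, independent of which library wrote the file.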
puppet: insecure temporary files
| Package(s): | puppet | CVE #(s): | CVE-2013-4969 |
| Created: | January 1, 2014 | Updated: | February 20, 2014 |
| Description: | From the Debian advisory: An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system. |
python-setuptools: code execution
| Package(s): | python-setuptools | CVE #(s): | CVE-2013-2215 |
| Created: | January 1, 2014 | Updated: | March 30, 2015 |
| Description: | From the Red Hat bugzilla: A security flaw was found in the way Python Setuptools, a collection of enhancements to the Python distutils module that makes it easier to build and distribute Python packages, performed integrity checks when loading external resources previously extracted from zipped Python Egg archives (formerly, if the timestamp and file size of a particular resource expanded from the archive matched the original values, the resource was successfully loaded). A local attacker with write permission to the Python EGG cache directory could use this flaw to provide a specially-crafted resource (in expanded form) that, when loaded in an application requiring that resource to run, would lead to arbitrary code execution with the privileges of the user running the application. |
rubygem-actionmailer: denial of service
| Package(s): | rubygem-actionmailer-3_2 | CVE #(s): | CVE-2013-4389 |
| Created: | December 23, 2013 | Updated: | March 27, 2014 |
| Description: | From the CVE entry: Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message. |
rubygem-i18n: cross-site scripting
| Package(s): | rubygem-i18n | CVE #(s): | CVE-2013-4492 |
| Created: | December 23, 2013 | Updated: | January 21, 2014 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call. |
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-7113 CVE-2013-7114 |
| Created: | December 20, 2013 | Updated: | January 6, 2014 |
| Description: | From the CVE entries: CVE-2013-7113 - epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark 1.10.x before 1.10.4 incorrectly relies on a global variable, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVE-2013-7114 - Multiple buffer overflows in the create_ntlmssp_v2_key function in epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote attackers to cause a denial of service (application crash) via a long domain name in a packet. |
xen: denial of service/privilege escalation
| Package(s): | xen | CVE #(s): | CVE-2013-6400 |
| Created: | December 23, 2013 | Updated: | January 1, 2014 |
| Description: | From the CVE entry: Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors. |
Page editor: Jake Edge