Security
"goto fail;" considered harmful
A serious flaw in the way Apple's iOS and OS X verify the keys in an HTTPS connection has been a major black eye for the company. The problem is in some of the open-source code that the company releases, so we can actually see the problem—it is eye-opening to be sure. The bug should have been fairly obvious from code inspection/review or could have been found with some intensive testing, so the fact that it went undetected—at least publicly—for so long is rather amazing.
The problem exists in Apple's Secure Transport API that provides access to SSL/TLS services for both OS X and iOS. It was first introduced in iOS 6, which was released in September 2012, and in OS X 10.9, which was released in October 2013. Updates to iOS 6 and 7, as well as to OS X 10.9, have been released, though the OS X problem went unfixed for several days after the problem was disclosed—which was deemed irresponsible by several observers.
Looking at the code in question should make it quickly apparent to those with even limited knowledge of C that something is amiss. In a function called SSLVerifySignedServerKeyExchange() is the following code:
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
The second "goto fail;" after the SSLHashSHA1.update() call for &signedParams is a bug. While it is indented to seem like it depends on the preceding if statement, that is not the case. There are no curly braces to turn it into a multi-statement if, so the second goto is unconditionally executed, which skips the rest of the signature verification.
But "fail" isn't quite accurate here. If it had been, the problem would presumably have been noticed quickly as many HTTPS servers would not have passed muster. Instead, the code at the fail label just cleans up a few things and returns err, which is likely to be zero, since the update() probably did not fail. That means that instead of verifying the signed key that the server sent over, the function will just succeed—for any key offered.
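The effect described above, as an added illustration that is not Apple's code: a toy model of the control flow in SSLVerifySignedServerKeyExchange(), where the hash and signature routines are stand-ins (assumptions) so that the duplicated goto's effect on the returned status can be observed directly, next to the same check with the stray line removed and braces on every branch.

```c
/* Added illustration (not Apple's code): a toy model of the control flow in
 * SSLVerifySignedServerKeyExchange() described above. The hash and signature
 * routines are stand-ins (assumptions), so only the effect of the duplicated
 * goto on the returned status is being demonstrated. */
#include <stddef.h>
#include <stdint.h>
typedef int OSStatus;
#define TOY_ERR_BAD_SIGNATURE (-1)          /* constructed error code */
typedef struct { uint32_t sum; } toy_hash_ctx;   /* byte sum stands in for SHA-1 */

static OSStatus toy_update(toy_hash_ctx *ctx, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx->sum += buf[i];
    return 0;                               /* like the real update(), rarely fails */
}

static OSStatus toy_final(const toy_hash_ctx *ctx, uint32_t *out)
{
    *out = ctx->sum;
    return 0;
}

/* Stand-in signature check: the signature is valid only if it equals the hash. */
static OSStatus toy_verify(uint32_t hash, uint32_t signature)
{
    return hash == signature ? 0 : TOY_ERR_BAD_SIGNATURE;
}

/* Buggy shape: the second goto is not governed by the if, so final() and the
 * signature comparison never run and err, still 0 from update(), is returned. */
OSStatus verify_buggy(const uint8_t *params, size_t len, uint32_t signature)
{
    toy_hash_ctx ctx = { 0 };
    uint32_t hashOut = 0;
    OSStatus err;
    if ((err = toy_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                          /* the bug: unconditional jump */
    if ((err = toy_final(&ctx, &hashOut)) != 0)
        goto fail;
    err = toy_verify(hashOut, signature);
fail:
    return err;
}

/* Same check with the stray goto removed and braces on every branch, so a
 * duplicated line can no longer silently escape its condition. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint32_t signature)
{
    toy_hash_ctx ctx = { 0 };
    uint32_t hashOut = 0;
    OSStatus err;
    if ((err = toy_update(&ctx, params, len)) != 0) {
        goto fail;
    }
    if ((err = toy_final(&ctx, &hashOut)) != 0) {
        goto fail;
    }
    err = toy_verify(hashOut, signature);
fail:
    return err;
}

/* Constructed "signed parameters": bytes 1, 2, 3 sum to 6, so 6 is the only
 * signature the toy check should accept; 0xdead plays the forged one. */
static const uint8_t kParams[] = { 0x01, 0x02, 0x03 };
int buggy_accepts_forged(void)  { return verify_buggy(kParams, sizeof kParams, 0xdead) == 0; }
int fixed_rejects_forged(void)  { return verify_fixed(kParams, sizeof kParams, 0xdead) != 0; }
int fixed_accepts_genuine(void) { return verify_fixed(kParams, sizeof kParams, 6) == 0; }
```

Building the buggy variant with clang's -Wunreachable-code flags the skipped toy_final() call, which is the kind of warning a test with a deliberately bad signature would have backed up.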
The key in question here is the ephemeral session key that is exchanged using the Diffie-Hellman and Elliptic-curve Diffie-Hellman ephemeral (DHE and ECDHE) key exchange protocols. DHE and ECDHE are used to provide forward secrecy. That key should be signed by the private key corresponding to the public key in the server's certificate. The signature is the proof that the server is actually in possession of that private key—without it, the link between certificate and identity (loosely defined) is broken. The bug allows any signature (thus any key) to validate. That means that a malicious server could use any certificate to spoof that site with impunity—it doesn't need to sign the ephemeral key with the private key it does not possess.
Google's Adam Langley has a nice analysis of the bug. As he noted, servers get to choose what cipher suites they support, so an attacker can force clients to use DHE or ECDHE to trigger the bug (if the client refuses to use one of those, it can't connect at all). The most recent revision of Transport Layer Security (TLS), 1.2, is not affected because the API uses a different function to verify those keys. But earlier versions of TLS and all versions of its predecessor, Secure Sockets Layer (SSL), are affected. Clients could work around the bug by requiring TLS 1.2 (or, less preferably, by disabling the DHE/ECDHE cipher suites)—that would mean they couldn't connect to some servers, perhaps, but they wouldn't run afoul of this problem either.
Evidently, code inspection/review did not turn up this bug (there is some speculation by John Gruber that it is the result of a botched merge). What is perhaps more surprising is that no testing with invalid signatures on the ephemeral keys was done. Langley, who works on the Chrome/Chromium browser, noted that the condition is kind of difficult to test for, because that exchange happens well into the TLS/SSL handshake. On the other hand, Gruber also speculated that the NSA may well have known about the flaw from its testing, given that it added Apple to the list of companies participating in the PRISM surveillance program shortly after iOS 6 was released.
It is tempting to recite "Linus's Law" ("given enough eyeballs, all bugs are shallow") and believe that this kind of thing could never happen in free software. Tempting, but wrong. The truth of the matter is that plenty of free software only gets cursory (or no) code review, so something like this could slip through. In this case, Apple's code was available and no one ever publicly complained about it.
As Langley noted, compilers don't generally complain about unreachable code, which is unfortunate, for sure, but warnings tend to have a high false-positive rate, so they are ignored—or suppressed. Code that implements security protocols clearly needs a higher level of scrutiny, though, so one would hope warnings are actually being used by Apple (and OpenSSL, OpenSSH, ...). An incident like this is clear evidence that delivering bug-free code is a never-ending battle.
Brief items
Security quotes of the week
C'mon, folks. Mt. Gox was a trading card swap mart set up by an amateur coder and implemented in PHP! And you expected NSA-levels of trusted computing security, so you trusted your money to it? (Oops. Let's make that better than NSA levels of security.)
uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
You get the idea. Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password. Of course, the site has to accept all of those non-alpha-numeric characters and an arbitrarily long password. Otherwise, it's much harder.
It's a confusing and confounding concept -- and an unwise proposal -- that would be nothing but trouble for the Internet community and should be rejected.
Peres: Wayland Compositors - Why and How to Handle Privileged Clients!
On his blog, Martin Peres has a lengthy discourse on security in Wayland, which is targeted at replacing X some day. He looks at security properties, the current state of security in Wayland, and has recommendations for Wayland compositor authors on handling privileged clients. "While I think the user-intent method has a higher security than static privilege assignation, I think both should be implemented with the latter used as a way for users to specify they are OK with potentially reducing the security of the desktop environment to let the application he/she wants to run properly. This will lower users’ dissatisfaction and should result in a better security than bypassing some security properties for all applications. I am however worried that some stupid applications may be OK with creating snapshot capabilities from the command line, without requiring the user’s input. A packager would then grant the privileges to this application by default and thus, the mere fact of having this application installed will make your desktop non-confidential anymore." (Thanks to Patrick Guignot.)
PostgreSQL releases security and bug fix update
The PostgreSQL project has released minor versions of all supported series (9.3.3, 9.2.7, 9.1.12, 9.0.16, and 8.4.20) for a number of privilege escalation flaws in the database along with some replication and data integrity fixes. The project also announced a privilege escalation that can occur while running the regression tests using "make check" (which has not been fixed yet). "This update fixes CVE-2014-0060, in which PostgreSQL did not properly enforce the WITH ADMIN OPTION permission for ROLE management. Before this fix, any member of a ROLE was able to grant others access to the same ROLE regardless if the member was given the WITH ADMIN OPTION permission. It also fixes multiple privilege escalation issues, including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, and CVE-2014-0066." More information is available on the release-specific wiki page and on the general security page. "All users are urged to update their installations at the earliest opportunity, especially those using binary replication or running a high-security application."
New vulnerabilities
drupal6-ctools: access bypass
| Package(s): | drupal6-ctools | CVE #(s): | |
| Created: | February 24, 2014 | Updated: | February 26, 2014 |
| Description: | From the Drupal advisory: This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite (ctools) framework. Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also didn't sufficiently check access before displaying content with the relationship plugin. These vulnerabilities are mitigated by the fact that you must be using entities other than node or users for the autocomplete callback, or you must be using the relationship plugin and displaying the content (e.g. in panels). |
| Alerts: | |
freeradius: buffer overflow
| Package(s): | freeradius | CVE #(s): | CVE-2014-2015 |
| Created: | February 24, 2014 | Updated: | August 4, 2015 |
| Description: | From the Mageia advisory: SSHA processing in freeradius before 2.2.3 runs into a stack-based buffer overflow in the freeradius rlm_pap module if the password source uses an unusually long hashed password. |
| Alerts: | |
icinga: cross-site request forgery
| Package(s): | icinga | CVE #(s): | CVE-2013-7107 |
| Created: | February 24, 2014 | Updated: | February 26, 2014 |
| Description: | From the CVE entry: Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106. |
| Alerts: | |
imagemagick: code execution
| Package(s): | imagemagick | CVE #(s): | CVE-2014-1958 CVE-2014-2030 |
| Created: | February 24, 2014 | Updated: | May 19, 2014 |
| Description: | From the Mageia advisory: A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running ImageMagick (CVE-2014-1958). A buffer overflow flaw was found in the way ImageMagick writes PSD images when the input data has a large number of unlabeled layers (CVE-2014-2030). |
| Alerts: | |
libssh: code execution
| Package(s): | libssh | CVE #(s): | CVE-2012-6063 |
| Created: | February 24, 2014 | Updated: | February 26, 2014 |
| Description: | From the CVE entry: Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559. |
| Alerts: | |
oath-toolkit: replays one time passwords
| Package(s): | oath-toolkit | CVE #(s): | CVE-2013-7322 |
| Created: | February 24, 2014 | Updated: | April 16, 2014 |
| Description: | From the Red Hat bugzilla: It was found that comments (lines starting with a hash) in /etc/users.oath could prevent one-time passwords (OTP) from being invalidated, leaving the OTP vulnerable to replay attacks. Further information is available in the mailing list post: http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html |
| Alerts: | |
openstack-nova: insecure directory permissions
| Package(s): | openstack-nova | CVE #(s): | CVE-2013-7048 |
| Created: | February 25, 2014 | Updated: | April 2, 2014 |
| Description: | From the CVE entry: OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots. |
| Alerts: | |
otrs2: two vulnerabilities
| Package(s): | otrs2 | CVE #(s): | CVE-2014-1471 CVE-2014-1694 |
| Created: | February 24, 2014 | Updated: | February 26, 2014 |
| Description: | From the CVE entries: SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL (CVE-2014-1471). Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets (CVE-2014-1694). |
| Alerts: | |
perl-CGI-Application: information leak
| Package(s): | perl-CGI-Application | CVE #(s): | CVE-2013-7329 |
| Created: | February 26, 2014 | Updated: | March 5, 2014 |
| Description: | From the Mageia advisory: When applications using CGI::Application overload setup(), which is normally the case, CGI::Application since version 4.19 has dump_html as a default run-mode unless the application explicitly redefines it. This unexpectedly dumps a complete set of web query data and server environment information as an error page, thus leaking information. |
| Alerts: | |
phpmyadmin: cross-site scripting
| Package(s): | phpmyadmin | CVE #(s): | CVE-2014-1879 |
| Created: | February 21, 2014 | Updated: | July 30, 2014 |
| Description: | From the Mandriva advisory: Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879). |
| Alerts: | |
pidgin-knotify: command execution
| Package(s): | pidgin-knotify | CVE #(s): | CVE-2010-3088 |
| Created: | February 26, 2014 | Updated: | February 26, 2014 |
| Description: | From the CVE entry: The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1 and earlier for Pidgin allows remote attackers to execute arbitrary commands via shell metacharacters in a message. |
| Alerts: | |
postgresql: multiple vulnerabilities
| Package(s): | postgresql-8.4 | CVE #(s): | CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067 |
| Created: | February 21, 2014 | Updated: | June 23, 2015 |
| Description: | From the Debian advisory (also, see the PostgreSQL advisory): Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch): Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund): The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund): If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch): The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas): Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich): Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian): There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane): Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) |
| Alerts: | |
python-gnupg: shell injection
| Package(s): | python-gnupg | CVE #(s): | CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929 |
| Created: | February 24, 2014 | Updated: | June 5, 2014 |
| Description: | From the Red Hat bugzilla: It was found that the fix for improved shell quoting to guard against shell injection, released in version 0.3.5 of python-gnupg, is not sufficient. This issue has been reported upstream. |
| Alerts: | |
tcptrack: code execution
| Package(s): | tcptrack | CVE #(s): | CVE-2011-2903 |
| Created: | February 24, 2014 | Updated: | February 26, 2014 |
| Description: | From the CVE entry: Heap-based buffer overflow in tcptrack before 1.4.2 might allow attackers to execute arbitrary code via a long command line argument. NOTE: this is only a vulnerability in limited scenarios in which tcptrack is "configured as a handler for other applications." |
| Alerts: | |
thunderbird: information disclosure
| Package(s): | thunderbird | CVE #(s): | CVE-2013-6674 |
| Created: | February 20, 2014 | Updated: | March 3, 2014 |
| Description: | From the Ubuntu advisory: Fabián Cuchietti and Ateeq ur Rehman Khan discovered that it was possible to bypass Javascript execution restrictions when replying to or forwarding mail messages in certain circumstances. An attacker could potentially exploit this to steal confidential information or modify message content. (CVE-2013-6674) |
| Alerts: | |
xstream: code execution
| Package(s): | xstream | CVE #(s): | CVE-2013-7285 |
| Created: | February 24, 2014 | Updated: | December 13, 2016 |
| Description: | From the Red Hat bugzilla: It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. |
| Alerts: | |
zabbix: multiple vulnerabilities
| Package(s): | zabbix | CVE #(s): | CVE-2013-5572 CVE-2014-1682 CVE-2014-1685 |
| Created: | February 26, 2014 | Updated: | May 26, 2014 |
| Description: | From the Mageia advisory: Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code (CVE-2013-5572). Zabbix before 2.0.11 allows switching users without proper credentials when using HTTP authentication (CVE-2014-1682). In Zabbix before 2.0.11, the admin user is able to update media for other users (CVE-2014-1685). |
| Alerts: | |
Page editor: Jake Edge