Security
Decentralized storage with Camlistore
Reducing reliance on proprietary web services has been a major target of free-software developers for years now. But it has taken on increased importance in the wake of Edward Snowden's disclosures about service providers cooperating with government mass-surveillance programs—not to mention the vulnerability that many providers have to surveillance techniques whether they cooperate or not. While some projects (such as Mailpile, ownCloud, or Diaspora) set out to create a full-blown service that users can be in complete control of, others, such as the Tahoe Least-Authority Filesystem, focus on more general functionality like decentralized data storage. Camlistore is a relative newcomer to the space; like Tahoe-LAFS it implements a storage system, but its creators are particularly interested in its use as a storage layer for blogs, content-management systems (CMSes), filesharing, and other web services.
Camlistore is a content-addressable storage (CAS) system with an emphasis on decentralized data storage. Specifically, the rationale for the project notes that it should be usable on a variety of storage back-ends, including Amazon's S3, local disk, Google Drive, or even mobile devices, with full replication of content between different locations.
Content addressability means that objects can be stored without assigning them explicit file names or placing them in a directory hierarchy. Instead, the "identity" of each object is a hash or digest calculated over the content of the object itself; subsequent references to the object are made by looking up the object's digest—where it is stored is irrelevant. As the rationale document notes, this property is a perfect fit for a good many objects used in web services today: photos, blog comments, bookmarks, "likes," and so on. These objects are increasingly created in large numbers, and rarely does a file name or storage location come into play. Rather, they are accessed through a search interface or a visual browsing feature.
The Camlistore project produces both an implementation of such a decentralized storage system and a schema for representing various types of content. The schema would primarily be of interest to those wishing to use Camlistore as a storage layer for other applications.
The project's most recent release is version 0.7, from February 27. The storage server (with several available back-ends) is included in the release, as are a web-based interface, a Filesystem in Userspace (FUSE) module for accessing Camlistore as a filesystem, several tools for interoperating with existing web services, and mobile clients for Android and iOS.
The architecture of a Camlistore repository includes storage nodes (referred to by the charming name "blob servers") and indexing/search nodes, which index uploaded items by their digests and provide a basic search interface. The various front-end applications (including the mobile and web interfaces) handle both connecting to a blob server for object upload and retrieval and connecting to a search server for finding objects.
There can be several blob servers that fully synchronize with one another by automatically mirroring all data; the existing implementations can use hard disk storage or any of several online storage services. At the blob-server level, the only items that are tracked are blobs: immutable byte sequences that are uploaded to the service. Each blob is indexed by its digest (also called a blobref); Camlistore supports SHA1, MD5, and SHA256 as digest functions. Blobs themselves are encrypted (currently with AES-128, although other ciphers may be added in the future).
Semantically speaking, a blob does not contain any metadata—it is just a bunch of bytes. Metadata is attached to a blob by associating the blob with a data type from the schema, then cryptographically signing the result. Subsequently, an application can alter the attributes of a blob by creating a new signed schema blob (called a "claim"). For any blob, then, all of the claims on it are saved in the data store and can be replayed or backed up at will. That way, stored objects are mutable, but the changes to them are non-destructive. The current state of an object is the application of all of the claims associated with a blob, applied in the order of their timestamps.
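The content-addressing and claim model described above, as an added example that is not part of the Camlistore project's code: blobs are keyed only by a sha1- blobref, every metadata change is a separate signed claim blob, and the current state is the replay of verified claims in timestamp order. The GPG signing the article mentions is replaced by an HMAC with a constructed key, and the claim field names and operation names are assumptions.

```python
import hashlib
import hmac
import json
# Stand-in for the GPG signing the article describes: HMAC with a constructed key.
SIGNING_KEY = b"constructed-example-key"

def blobref(data: bytes) -> str:
    """Content address of an immutable blob, in Camlistore's 'sha1-<hex>' form."""
    return "sha1-" + hashlib.sha1(data).hexdigest()

def put(store: dict, data: bytes) -> str:
    """Blob servers key by digest alone: identical bytes map to one ref."""
    ref = blobref(data)
    store[ref] = data
    return ref

def get(store: dict, ref: str) -> bytes:
    data = store[ref]
    if blobref(data) != ref:  # corruption or tampering on the storage back-end
        raise ValueError("blob does not match its blobref")
    return data

def make_claim(target, op, attr, value, ts) -> bytes:
    """A claim is itself a blob: a signed, timestamped mutation of `target`."""
    body = {"target": target, "op": op, "attr": attr, "value": value, "ts": ts}
    canon = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "sig": sig}).encode()

def verify_claim(raw: bytes) -> dict:
    obj = json.loads(raw)
    canon = json.dumps(obj["body"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["sig"]):
        raise ValueError("bad claim signature")
    return obj["body"]

def current_state(store: dict, target: str) -> dict:
    """Replay every verified claim on `target` in timestamp order."""
    claims = []
    for data in store.values():
        try:
            body = verify_claim(data)
        except (ValueError, KeyError, TypeError):
            continue  # a plain data blob, or a claim with a bad signature
        if body["target"] == target:
            claims.append(body)
    attrs = {}
    for c in sorted(claims, key=lambda c: c["ts"]):
        if c["op"] == "set-attribute":
            attrs[c["attr"]] = c["value"]
        elif c["op"] == "del-attribute":
            attrs.pop(c["attr"], None)
    return attrs

def demo() -> dict:
    """Constructed walk-through: store a photo, mutate its metadata, replay."""
    store = {}
    photo = put(store, b"constructed sample photo bytes")
    for claim in [("set-attribute", "title", "Beach", 1), ("set-attribute", "tag", "summer", 2),
                  ("set-attribute", "title", "Beach trip", 3), ("del-attribute", "tag", None, 4)]:
        put(store, make_claim(photo, *claim))
    forged = make_claim(photo, "set-attribute", "title", "forged", 5)
    put(store, forged.replace(b'"sig": "', b'"sig": "00'))  # stored, never applied
    return current_state(store, photo)
```

Because earlier claims are never overwritten, the history of a blob can be replayed or backed up exactly as the article describes, and a claim whose signature fails simply has no effect on the computed state.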
This storage architecture allows for, potentially, a wide variety of front-end clients. Index servers already exist that use SQLite, LevelDB, MySQL, PostgreSQL, MongoDB, and Google App Engine's data store to manage the indexed blobs. Since an index server is logically separate from the blob servers that it indexes, it is possible to run an index on a portable device that sports little built-in storage, and still be able to transparently access all of the content maintained in the remote storage locations. In addition, Camlistore has the concept of a "graph sync," in which only a subset of the total blob storage is synchronized to a particular device. While full synchronization is useful to preserve the data in the event that a web service like Amazon S3 unexpectedly becomes unreachable, there are certainly many scenarios in which it makes sense to keep only some of the data on hand.
As far as using the blob storage is concerned, at present Camlistore only implements two models: the basic storage/search/retrieval approach one would use to manage the entire collection, and directly sharing a particular item with another user. By default, each Camlistore server is private to a single user; users can share an object by generating a signed assertion that another user is permitted to access the object. This signed assertion is just one more type of claim for the underlying blob in the database. Several user-authentication options are supported, but for now the recipient of the share needs to have an account on the originating Camlistore system.
It may be a while before Camlistore is capable of serving as a storage layer for a blog, photo-hosting site, or other web service, but when it is ready, it will bring some interesting security properties with it. As mentioned, all claims on items in the database are signed—using GPG keys. That not only allows for verification of important operations (like altering the metadata of a blob), but it means it would be possible to perform identity checks for common operations like leaving comments. Camlistore does have some significant competition from other decentralized storage projects, Tahoe-LAFS included, but it will be an interesting project to watch.
Brief items
Security quotes of the week
The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.
OpenSSL code beyond repair, claims creator of “LibreSSL” fork (Ars Technica)
Ars Technica takes a look at the LibreSSL fork of OpenSSL created by the OpenBSD project. "The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess. "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself.""
New vulnerabilities
cacti: multiple vulnerabilities
Package(s): cacti
CVE #(s): CVE-2014-2708 CVE-2014-2709 CVE-2014-2326 CVE-2014-2328 CVE-2014-2327
Created: April 17, 2014
Updated: June 30, 2014
Description: From the Red Hat bugzilla entries [1, 2]:
CVE-2014-2708 is for the SQL injection issues in graph_xport.php. CVE-2014-2709 is for the shell escaping issues in lib/rrd.php.
A posting to bugtraq from Deutsche Telekom noted multiple flaws in Cacti 0.8.7g:
CVE-2014-2326: stored XSS. "The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding."
CVE-2014-2327: missing CSRF token. "The Cacti application does not implement any CSRF tokens. For more about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system. Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application."
CVE-2014-2328: use of exec-like function calls without safety checks allows arbitrary command execution. "Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."
java: three unspecified vulnerabilities
Package(s): java-1.7.0-oracle
CVE #(s): CVE-2014-0432 CVE-2014-0448 CVE-2014-2422
Created: April 17, 2014
Updated: May 14, 2014
Description: Yet again more unspecified Java vulnerabilities.
java: multiple unspecified vulnerabilities
Package(s): java-1.6.0-sun
CVE #(s): CVE-2014-0449 CVE-2014-2401 CVE-2014-2409 CVE-2014-2420 CVE-2014-2428
Created: April 17, 2014
Updated: June 3, 2014
Description: More in a long series of unspecified Java vulnerabilities.
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2014-2851
Created: April 18, 2014
Updated: May 6, 2014
Description: From the CVE entry:
Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2014-0155
Created: April 21, 2014
Updated: May 6, 2014
Description: From the CVE entry:
The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.
mysql: multiple unspecified vulnerabilities
Package(s): mysql-5.5
CVE #(s): CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-2440
Created: April 23, 2014
Updated: July 24, 2014
Description: From the CVE entries:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML. (CVE-2014-0384)
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. (CVE-2014-2419)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. (CVE-2014-2430)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options. (CVE-2014-2431)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated. (CVE-2014-2432)
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR. (CVE-2014-2436)
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. (CVE-2014-2438)
Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (CVE-2014-2440)
openshift-origin-broker: authentication bypass
Package(s): openshift-origin-broker
CVE #(s): CVE-2014-0188
Created: April 23, 2014
Updated: April 23, 2014
Description: From the Red Hat advisory:
A flaw was found in the way openshift-origin-broker handled authentication requests via the remote user authentication plug-in. A remote attacker able to submit a request to openshift-origin-broker could set the X-Remote-User header, and send the request to a passthrough trigger, resulting in a bypass of the authentication checks to gain access to any OpenShift user account on the system.
openssl: denial of service
Package(s): openssl
CVE #(s): CVE-2010-5298
Created: April 18, 2014
Updated: July 24, 2014
Description: From the Debian advisory:
A read buffer can be freed even when it still contains data that is used later on, leading to a use-after-free. Given a race condition in a multi-threaded application it may permit an attacker to inject data from one connection into another or cause denial of service.
otrs: cross-site scripting
Package(s): otrs
CVE #(s): CVE-2014-2553 CVE-2014-2554
Created: April 22, 2014
Updated: June 10, 2014
Description: From the SUSE bug report:
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
python-django: multiple vulnerabilities
Package(s): python-django
CVE #(s): CVE-2014-0472 CVE-2014-0473 CVE-2014-0474
Created: April 22, 2014
Updated: May 5, 2014
Description: From the Ubuntu advisory:
Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. (CVE-2014-0473)
Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. (CVE-2014-0474)
python-django-horizon: cross-site scripting
Package(s): python-django-horizon
CVE #(s): CVE-2014-0157
Created: April 23, 2014
Updated: May 30, 2014
Description: From the CVE entry:
Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.
qemu: code execution
Package(s): qemu
CVE #(s): CVE-2014-0150
Created: April 18, 2014
Updated: December 12, 2014
Description: From the Debian advisory:
Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.
qemu-kvm: multiple vulnerabilities
Package(s): qemu-kvm
CVE #(s): CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148
Created: April 23, 2014
Updated: April 23, 2014
Description: From the Red Hat advisory:
Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147)
A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142)
A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146)
It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148)
rsync: denial of service
Package(s): rsync
CVE #(s): CVE-2014-2855
Created: April 18, 2014
Updated: March 29, 2015
Description: From the Mageia advisory:
Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when attempting to authenticate using a nonexistent username. A remote attacker could use this flaw to cause a denial of service via CPU consumption.
Page editor: Jake Edge