Security

Static security analysis of Tizen apps

By Nathan Willis
June 4, 2014
TDC 2014

At the 2014 Tizen Developer Conference (TDC) in San Francisco, Dan Wallach of Rice University delivered a presentation about his ongoing work to perform security analysis of third-party apps written for Tizen mobile devices. Static analysis can never catch every violation of security rules, but a framework that automates much of the process would simplify an app store's review process and would bring side benefits to app and platform developers as well.

Wallach's research is partly funded by Samsung, he disclosed at the beginning of his talk, but his presentation in no way indicates that he speaks on the company's behalf. Wallach works at Rice's Computer Security Lab, and co-leads a team of researchers and PhD students on this project. The target is performing automated, static analysis of mobile Tizen apps submitted to the app store, in order to reduce the amount of time that each app demands of a human reviewer.

Analysis of Tizen apps

Wallach's team is only investigating one piece of the app review process, of course. Tizen offers two development frameworks: HTML5/JavaScript and native code; Wallach's team is looking at native apps while someone else is doing similar work on analysis of HTML5 apps. But Tizen apps can also be compiled with either a GCC or LLVM toolchain; Wallach's team is focusing on analysis of the LLVM-generated apps.

[Dan Wallach at TDC 2014]

The reason is that the LLVM toolchain produces cross-platform LLVM "bitcode" executables (which are intended to run on either Intel or ARM hardware, both architectures that are supported by Tizen). The LLVM bitcode is an intermediate representation of the compiled program, designed to be optimized, he said, but that also means it is ripe for other forms of analysis. It preserves the high-level semantics of the program, unlike machine code, and it can be generated from multiple languages (unlike Java bytecode). Finally, it supports multiple architectures (which is of particular interest to the Tizen project), so one analysis framework would assist a lot of developers.

The security analysis performed by the team is static, he explained, meaning that the submitted app is not executed. Instead, the framework examines the program structure, flagging potential security problems. The basic idea is taint tracking: the analysis marks "source" calls that produce sensitive data (e.g., requesting the device's GPS location) and "sink" calls through which data leaves the app (e.g., sending data to a remote server), then looks for paths along which data from a source can reach a sink. A GPS reading that can flow into a network send is a potential information leak.

Obviously, if there is no conditional branching in the program flow between the source and the sink, it is trivial to determine if the program copies the GPS location into the data structure sent to the remote server, which could be a violation of security policy. Static analysis has to cope with the conditional flows, Wallach said. Historically, static analysis has been a conservative approach: assuming all branches in the code are taken, which can lead to false positives. It must also deal with other complexities such as pointer aliasing and object-oriented method dispatching, both of which introduce a lot of unknowns to cope with. On the other hand, he said, the opposite approach—dynamic analysis—tends to produce false negatives.

Control-flow analysis is not a new problem, of course, and there are existing approaches to reducing the potentially overwhelming number of false positives. The techniques do require some knowledge of the platform: knowing what the most likely vulnerabilities are, knowing what special cases should be allowed, and so on.

The group at Rice has been working for the past year to build an LLVM information-flow analysis engine for Tizen, though the project is far from finished. As of now, the group's work can statically analyze LLVM-bitcode Tizen apps, although Wallach pointed out that it does not analyze the Tizen libraries or kernel for vulnerabilities. Samsung provided the team with 30 apps as test cases, and the analysis found only one privacy leak, but just as importantly, it produced no false positives or false negatives. Thirty apps (and thirty known apps, at that) is not a large test set, of course; an audience member asked Wallach if he would be interested in working on his company's library of 300 apps, to which Wallach replied "that would be fantastic."

The framework that the team is developing is intended to fit into the Tizen app-store submission process, so that new submissions are analyzed and a report is generated for a human analyst to look over. Security problems caught would send the app back to the developer for further work, but could also be used to help the Tizen project refine its security policies. Wallach noted that this approach differs from both Apple's app store review process and Google's; Apple's is secretive but apparently labor-intensive and slow, while Google's is known to be 100% automated and fast, but allows problematic apps to slip through.

What's next

The next stage of the ongoing research, Wallach said, is to perform similar analysis of the Tizen libraries. Everyone likes to think about their platform APIs as being discrete, orthogonal entities, he said—Bluetooth, Networking, Filesystem, etc.—each of which mediates access to some specific kernel-level feature. But in reality, they overlap quite a bit and share access to the same resources. In many cases they are interdependent, too.

That makes it difficult to construct strict security policies, as Tizen would like to do. For example, he described a well-known 1996-era Java vulnerability. The URL handler was intended to let an application retrieve a remote URL, but the URL-handling code also understood other protocol schemes like file:, which created a vulnerability. But simply blacklisting file: was not sufficient, since applications should be allowed to create and retrieve temporary files (for caching and so on).

The group's plan is to perform its static analysis on the Tizen libraries to map all of the platform APIs to kernel calls, then use that mapping to verify (and update) Tizen's Smack security policies. But the analysis will have other benefits, too. It can be adapted into the Tizen build process, so that any changes to the libraries that have security-policy implications can be flagged automatically. It will also allow higher-level APIs to be written while forbidding direct calls to lower-level dependencies.

Subsequently, the group may also annotate code with #pragma statements to denote exceptions to the security policy that a human auditor has determined are safe. The example he gave was an app doing a filesystem read of a cache file that it owns; an auditor can mark this with

    #pragma SecurityAudited(OpenFile)

and eliminate a false-positive result in the automated analysis step. The group also intends to perform an information-flow analysis of the entire Tizen library set, and to analyze Tizen's multiple inter-process communication (IPC) mechanisms. When he was first approached about working with Tizen, Wallach recalled, he asked "what's your IPC mechanism?" and was a bit surprised at the answer: "which one?" Comparable work in Android, he noted, has uncovered and fixed many security holes.
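The following Python sketch is an added illustration of the ideas in this section; it is not the Rice group's analyzer (which has not been released) and not code from the talk. It runs a conservative forward taint analysis over a toy three-address IR that stands in for LLVM bitcode: the source and sink names are a constructed vocabulary, taint arriving from different predecessors of a block is joined by set union (the conservative choice that reports flows on paths that are never both taken), an `audited` set plays the role of `#pragma SecurityAudited(...)`, and a final function derives the privileges an app actually uses from the calls it makes, the way a generated manifest would. The sample program and the privilege names in `PRIVILEGES` are assumptions made for the example.

```python
"""Conservative forward taint analysis over a toy IR (added example).

Each basic block is a list of instructions; a 'br' ends the block and
names its successors.  Instruction forms:
    ("call", dst_or_None, fn, [args])
    ("assign", dst, src)
    ("phi", dst, [srcs])          # merges values from predecessor blocks
    ("br", [successor_labels])    # the branch condition is not modelled
A value's taint is the set of source calls that may have influenced it.
"""

# Assumed vocabulary; a real analyzer would derive it from the platform API.
SOURCES = {"get_gps_location"}
SINKS = {"send_to_server", "OpenFile"}
# Assumed call-to-privilege mapping for manifest generation.
PRIVILEGES = {
    "get_gps_location": "http://tizen.org/privilege/location",
    "send_to_server": "http://tizen.org/privilege/internet",
}


def _successors(block):
    return [s for inst in block if inst[0] == "br" for s in inst[1]]


def _union(sets):
    return set().union(*sets)


def analyze(program, entry="entry", audited=frozenset()):
    """Return findings as (sink, block, index, sources) tuples.

    Worklist fixpoint: a block is (re)visited whenever the taint reaching
    it grows.  Taint from different predecessors is joined by set union,
    so a value tainted on any incoming path counts as tainted; that join
    is what makes the analysis conservative.  `audited` names sinks a
    reviewer has signed off on (the #pragma SecurityAudited role): flows
    into them are not reported.
    """
    state_in = {label: {} for label in program}   # taint at block entry
    findings, seen, worklist = set(), set(), [entry]
    while worklist:
        label = worklist.pop()
        seen.add(label)
        env = {v: set(t) for v, t in state_in[label].items()}
        for idx, inst in enumerate(program[label]):
            kind = inst[0]
            if kind == "assign":
                _, dst, src = inst
                env[dst] = set(env.get(src, ()))
            elif kind == "phi":
                _, dst, srcs = inst
                env[dst] = _union(env.get(s, set()) for s in srcs)
            elif kind == "call":
                _, dst, fn, args = inst
                arg_taint = _union(env.get(a, set()) for a in args)
                if fn in SINKS and arg_taint and fn not in audited:
                    findings.add((fn, label, idx, frozenset(arg_taint)))
                if dst is not None:
                    # A source introduces taint; any other callee is assumed
                    # to pass its arguments' taint through to its result.
                    env[dst] = {fn} if fn in SOURCES else arg_taint
        for succ in _successors(program[label]):
            target, changed = state_in[succ], False
            for var, taint in env.items():
                merged = target.get(var, set()) | taint
                if merged != target.get(var, set()):
                    target[var], changed = merged, True
            if changed or succ not in seen:
                worklist.append(succ)
    return sorted(findings, key=lambda f: (f[1], f[2]))


def privileges_used(program):
    """Privileges implied by the calls actually present, as a manifest
    generator would compute them instead of trusting a hand-written list."""
    calls = {inst[2] for block in program.values()
             for inst in block if inst[0] == "call"}
    return sorted(PRIVILEGES[fn] for fn in calls if fn in PRIVILEGES)


# Constructed sample program (not a real Tizen app): read the GPS location,
# build a location-bearing or an anonymous payload depending on a setting,
# send whichever was built, then write the location to the app's own cache.
SAMPLE = {
    "entry": [
        ("call", "loc", "get_gps_location", []),
        ("call", "opt_in", "read_setting", ["analytics"]),
        ("br", ["with_loc", "anon"]),
    ],
    "with_loc": [
        ("call", "payload", "build_payload", ["loc"]),
        ("br", ["exit"]),
    ],
    "anon": [
        ("call", "payload2", "build_payload", ["anon_const"]),
        ("br", ["exit"]),
    ],
    "exit": [
        ("phi", "p", ["payload", "payload2"]),
        ("call", None, "send_to_server", ["p"]),
        ("call", None, "OpenFile", ["cache_path", "loc"]),
        ("br", []),
    ],
}

if __name__ == "__main__":
    for sink, block, idx, sources in analyze(SAMPLE):
        print("possible leak into %s (block %s, instruction %d) from %s"
              % (sink, block, idx, sorted(sources)))
    print("after audit:", [f[0] for f in analyze(SAMPLE, audited={"OpenFile"})])
    print("privileges used:", privileges_used(SAMPLE))
```

Run as a script, it reports a possible leak into send_to_server at the merge point and one into OpenFile; passing audited={"OpenFile"} removes the second, which is exactly the kind of reviewer-confirmed false positive the pragma is meant to silence. The send_to_server report is itself conservative: only the with_loc path carries the location, but the union at the phi cannot tell the two paths apart, so the analysis flags the send rather than risk a false negative.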

Eventually, he concluded, as the Tizen app ecosystem grows, the "known bad behavior" patterns will emerge, and analysis can focus more directly on them. In the meantime, static analysis frameworks like the one his team is developing will help reduce the pressure put on Tizen's Smack policy maintainers (by consolidating and simplifying rules), and will help developers write safer apps. It may even be possible, he said, to eliminate the need to manually write app "manifest" files (which list the permissions that an app requires); if the analyzer can determine which privileges the app actually uses, that is better than a list of what it claims it needs.

There is always a risk that making the security analysis process public will have the side effect of showing app developers "what they can get away with," he admitted, but that trade-off is one that the project and app-store maintainers will have to make. Wallach's group has also not yet made its code available to the public; for the project to have a significant impact on Tizen (rather than just on Samsung's app store), such a release will, no doubt, eventually be needed by the rest of the community.

[The author would like to thank the Tizen Association for travel assistance to attend TDC 2014.]


Brief items

Security quotes of the week

The implications of this gladden my "right to be forgotten" hating heart. If you're an EU user searching for Joe Blow, and the EU has forced removal of a search result related to him on, say, google.fr, the warning notice informing you that results have been removed for that search gives you an immediate cue that you might want to head over to google.com to see what the EU censorship bureaucrats deemed unfit for your eyes. In essence, it's a built in Streisand Effect, courtesy of the EU itself! Before this, you might not even have noticed the result in question among other results for that search.
— Lauren Weinstein

I think it provides a vivid illustration of how invasive this technology is and how the courts regulate its use. It’s one thing to have a generic description of how it’s used; it’s another thing to read a first-hand account of how people are walking up to people’s doors and windows sending powerful signals to [cell phones] inside. This transcript illustrates both the fact that bystanders' phones were being tracked and that the police operating the device knew that’s what the device was doing.
— ACLU attorney Nathan Freed Wessler on cell phone tracking devices known as "stingrays"

The question that remains is this: What should we expect in the future -- are there more Heartbleeds out there?

Yes. Yes there are. The software we use contains thousands of mistakes -- many of them security vulnerabilities. Lots of people are looking for these vulnerabilities: Researchers are looking for them. Criminals and hackers are looking for them. National intelligence agencies in the United States, the United Kingdom, China, Russia, and elsewhere are looking for them. The software vendors themselves are looking for them.

— Bruce Schneier

Of course, we in the real world know that shaved apes like us never saw a system we didn't want to game. So in the event that sarcasm detectors ever get a false positive rate of less than 99% (or a false negative rate of less than 1%) I predict that everybody will start deploying sarcasm as a standard conversational gambit on the internet. Trolling the secret service will become a competitive sport, the goal being to not receive a visit from the SS [Secret Service] in response to your totally serious threat to kill the resident of 1600 Pennsylvania Avenue. Al Qaida terrrrst training camps will hold tutorials on metonymy, aggressive irony, cynical detachment, and sarcasm as a camouflage tactic for suicide bombers. Post-modernist pranks will draw down the full might of law enforcement by mistake, while actual death threats go encoded as LOLCat macros. Any attempt to algorithmically detect sarcasm will fail because sarcasm is self-referential and the awareness that a sarcasm detector may be in use will change the intent behind the message.
— Charlie Stross


Making end-to-end encryption easier to use (Google Online Security Blog)

The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser. "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)"


Critical new bug in crypto library leaves Linux, apps open to drive-by attacks (Ars Technica)

Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow. "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.


Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)

Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."


New vulnerabilities

chkrootkit: privilege escalation

Package(s): chkrootkit
CVE #(s): CVE-2014-0476
Created: June 4, 2014
Updated: June 13, 2014
Description: From the Debian advisory:

Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option.

Alerts:
Mageia MGASA-2014-0249 chkrootkit 2014-06-04
Ubuntu USN-2230-1 chkrootkit 2014-06-04
Debian DSA-2945-1 chkrootkit 2014-06-03
Fedora FEDORA-2014-7090 chkrootkit 2014-06-13
Fedora FEDORA-2014-7071 chkrootkit 2014-06-13
Mandriva MDVSA-2014:122 chkrootkit 2014-06-11


chromium-browser: multiple vulnerabilities

Package(s): chromium-browser
CVE #(s): CVE-2014-1743 CVE-2014-1744 CVE-2014-1745 CVE-2014-1746 CVE-2014-1747 CVE-2014-1748 CVE-2014-1749 CVE-2014-3152
Created: June 2, 2014
Updated: March 30, 2016
Description: From the CVE entries:

Use-after-free vulnerability in the StyleElement::removedFromDocument function in core/dom/StyleElement.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers tree mutation. (CVE-2014-1743)

Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation. (CVE-2014-1744)

Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp. (CVE-2014-1745)

The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer. (CVE-2014-1746)

Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)." (CVE-2014-1747)

The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame. (CVE-2014-1748)

Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916.114 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2014-1749)

Integer underflow in the LCodeGen::PrepareKeyedOperand function in arm/lithium-codegen-arm.cc in Google V8 before 3.25.28.16, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a negative key value. (CVE-2014-3152)

Alerts:
Fedora FEDORA-2015-6845 v8 2015-05-08
Fedora FEDORA-2015-6908 v8 2015-05-08
Mageia MGASA-2014-0413 chromium-browser-stable 2014-10-09
Gentoo 201408-16 chromium 2014-08-30
Ubuntu USN-2298-1 oxide-qt 2014-07-23
Debian DSA-2939-1 chromium-browser 2014-05-31
openSUSE openSUSE-SU-2014:0783-1 chromium 2014-06-12
Fedora FEDORA-2016-1a7f7ffb58 webkitgtk3 2016-03-21
Ubuntu USN-2937-1 webkitgtk 2016-03-21
Fedora FEDORA-2016-5d6d75dbea webkitgtk 2016-03-22
Mageia MGASA-2016-0120 webkit 2016-03-25
Fedora FEDORA-2016-9ec1850fff webkitgtk 2016-03-29
openSUSE openSUSE-SU-2016:0915-1 webkitgtk 2016-03-30
Gentoo 201612-41 webkit-gtk 2016-12-13


emacs: multiple vulnerabilities

Package(s): emacs
CVE #(s): CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424
Created: May 30, 2014
Updated: March 29, 2015
Description:

From the Red Hat bug report:

Steve Kemp discovered multiple temporary file handling issues in Emacs. A local attacker could use these flaws to perform symbolic link attacks against users running Emacs. Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

CVE-2014-3421 was assigned to the issue in lisp/gnus/gnus-fun.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html

CVE-2014-3422 was assigned to the issue in lisp/emacs-lisp/find-gc.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html

CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one does not currently have a fix) Upstream note: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

CVE-2014-3424 was assigned to the issue in lisp/net/tramp.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html

Alerts:
Mandriva MDVSA-2015:117 emacs 2015-03-29
openSUSE openSUSE-SU-2014:1460-1 emacs 2014-11-20
Mageia MGASA-2014-0250 emacs 2014-06-06
Fedora FEDORA-2014-6554 emacs 2014-05-29
Mandriva MDVSA-2014:118 emacs 2014-06-10


gnutls: code execution

Package(s): gnutls26
CVE #(s): CVE-2014-3466
Created: June 2, 2014
Updated: July 24, 2014
Description: From the Debian advisory:

Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service.

This Red Hat bug report has some more information.
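As an added example (not GnuTLS code, and not taken from the Ars Technica item above or the advisory), here is the ServerHello check in Python. The session-ID length is a single byte chosen by the server; TLS bounds the session ID at 32 bytes, and a C implementation must reject anything larger before copying into its fixed 32-byte buffer. The parser below enforces that bound, and can be told not to, which shows what the unchecked code would have copied. Both messages are constructed for the example and the cipher suite value is arbitrary.

```python
"""Check the session-ID length in a TLS ServerHello (added example)."""

MAX_SESSION_ID = 32          # SessionID is opaque<0..32> in TLS 1.0-1.2
SERVER_HELLO = 2             # HandshakeType.server_hello


class HandshakeError(ValueError):
    """Raised for a malformed or out-of-spec ServerHello."""


def parse_server_hello(msg, enforce_bound=True):
    """Parse a ServerHello handshake message into its fields.

    With enforce_bound=True the session-ID length byte is rejected when it
    exceeds 32, the check a C implementation needs before copying into a
    32-byte buffer.  With enforce_bound=False the parser trusts the length
    byte the way the vulnerable code did; in Python that merely yields an
    oversized session ID instead of corrupting memory.
    """
    if len(msg) < 4:
        raise HandshakeError("short handshake header")
    msg_type = msg[0]
    body_len = int.from_bytes(msg[1:4], "big")
    if msg_type != SERVER_HELLO:
        raise HandshakeError("handshake type %d is not ServerHello" % msg_type)
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise HandshakeError("body truncated: want %d bytes, have %d"
                             % (body_len, len(body)))
    # version(2) random(32) sid_len(1) sid(sid_len) cipher_suite(2) compression(1)
    if len(body) < 35:
        raise HandshakeError("body too short for the fixed fields")
    version = (body[0], body[1])
    server_random = body[2:34]
    sid_len = body[34]
    if enforce_bound and sid_len > MAX_SESSION_ID:
        raise HandshakeError("session ID length %d exceeds %d"
                             % (sid_len, MAX_SESSION_ID))
    off = 35
    if len(body) < off + sid_len + 3:
        raise HandshakeError("session ID length %d runs past end of body" % sid_len)
    session_id = body[off:off + sid_len]
    off += sid_len
    cipher_suite = (body[off], body[off + 1])
    compression = body[off + 2]
    return {"version": version, "random": server_random,
            "session_id": session_id, "cipher_suite": cipher_suite,
            "compression": compression, "extensions": body[off + 3:]}


def build_server_hello(session_id, version=(3, 3), cipher_suite=(0x00, 0x2F),
                       server_random=bytes(32)):
    """Encode a ServerHello; an oversized session_id produces the kind of
    message a malicious server would send."""
    if len(session_id) > 255:
        raise ValueError("session_id length must fit in one byte")
    body = (bytes(version) + server_random + bytes([len(session_id)])
            + session_id + bytes(cipher_suite) + b"\x00")
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


# Constructed messages: a benign 16-byte session ID and a hostile 255-byte one.
BENIGN = build_server_hello(b"\x11" * 16)
HOSTILE = build_server_hello(b"\x41" * 255)


def hostile_rejected():
    """True when the bounded parser refuses the hostile message."""
    try:
        parse_server_hello(HOSTILE)
    except HandshakeError:
        return True
    return False


if __name__ == "__main__":
    print("benign session id:", parse_server_hello(BENIGN)["session_id"].hex())
    print("hostile rejected:", hostile_rejected())
    unchecked = parse_server_hello(HOSTILE, enforce_bound=False)
    print("unchecked parse would copy", len(unchecked["session_id"]), "bytes")
```

The second bounds check (that the session ID does not run past the end of the body) is independent of the first: a length of 20 with only 10 bytes left is a different malformed message from a length of 255, and both must be rejected.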

Alerts:
Mandriva MDVSA-2015:072 gnutls 2015-03-27
Oracle ELSA-2014-0684 gnutls 2014-07-23
SUSE SUSE-SU-2014:0800-1 GnuTLS 2014-06-16
Fedora FEDORA-2014-6963 mingw-gnutls 2014-06-10
Fedora FEDORA-2014-6953 mingw-gnutls 2014-06-10
Fedora FEDORA-2014-6881 gnutls 2014-06-10
Slackware SSA:2014-156-01 gnutls 2014-06-05
openSUSE openSUSE-SU-2014:0767-1 gnutls 2014-06-06
openSUSE openSUSE-SU-2014:0763-1 gnutls 2014-06-06
SUSE SUSE-SU-2014:0758-1 gnutls 2014-06-05
Scientific Linux SLSA-2014:0595-1 gnutls 2014-06-03
Scientific Linux SLSA-2014:0594-1 gnutls 2014-06-03
Oracle ELSA-2014-0594 gnutls 2014-06-03
Oracle ELSA-2014-0595 gnutls 2014-06-03
Fedora FEDORA-2014-6891 gnutls 2014-06-04
CentOS CESA-2014:0594 gnutls 2014-06-04
CentOS CESA-2014:0595 gnutls 2014-06-04
Red Hat RHSA-2014:0595-01 gnutls 2014-06-03
Red Hat RHSA-2014:0594-01 gnutls 2014-06-03
Mageia MGASA-2014-0248 gnutls 2014-06-02
Ubuntu USN-2229-1 gnutls26 2014-06-02
Debian DSA-2944-1 gnutls26 2014-06-01
Mandriva MDVSA-2014:109 gnutls 2014-06-09
Mandriva MDVSA-2014:108 gnutls 2014-06-09
SUSE SUSE-SU-2014:0788-2 GnuTLS 2014-06-13
Gentoo 201406-09 gnutls 2014-06-13
SUSE SUSE-SU-2014:0758-2 GnuTLS 2014-06-13
SUSE SUSE-SU-2014:0788-1 GnuTLS 2014-06-13
Red Hat RHSA-2014:0684-01 gnutls 2014-06-10


gnutls: NULL pointer dereference flaw

Package(s): gnutls
CVE #(s): CVE-2014-3465
Created: June 3, 2014
Updated: July 24, 2014
Description: From the Mageia advisory:

A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs.

Alerts:
Mandriva MDVSA-2015:072 gnutls 2015-03-27
Oracle ELSA-2014-0684 gnutls 2014-07-23
Slackware SSA:2014-156-01 gnutls 2014-06-05
openSUSE openSUSE-SU-2014:0767-1 gnutls 2014-06-06
openSUSE openSUSE-SU-2014:0763-1 gnutls 2014-06-06
Mageia MGASA-2014-0248 gnutls 2014-06-02
Mandriva MDVSA-2014:108 gnutls 2014-06-09
Gentoo 201406-09 gnutls 2014-06-13
Red Hat RHSA-2014:0684-01 gnutls 2014-06-10


java: insecure random numbers

Package(s): IBM Java 6
CVE #(s): CVE-2014-0878
Created: May 30, 2014
Updated: June 4, 2014
Description: From the Novell bug entry:

The IBMSecureRandom component in the IBMJCE and IBMSecureRandom cryptographic providers in IBM SDK Java Technology Edition 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the random number generator's output.

Alerts:
SUSE SUSE-SU-2014:0733-2 IBM Java 7 2014-06-02
SUSE SUSE-SU-2014:0728-3 IBM Java 6 2014-06-03
SUSE SUSE-SU-2014:0733-1 IBM Java 7 2014-05-30
SUSE SUSE-SU-2014:0728-2 IBM Java 6 2014-05-30


libarchive: multiple vulnerabilities

Package(s): libarchive
CVE #(s): CVE-2010-4666 CVE-2011-1779
Created: June 2, 2014
Updated: June 4, 2014
Description: From the CVE entries:

Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data. (CVE-2010-4666)

Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image. (CVE-2011-1779)

Alerts:
Gentoo 201406-02 libarchive 2014-06-01


libtasn1: multiple vulnerabilities

Package(s): libtasn1
CVE #(s): CVE-2014-3467 CVE-2014-3468 CVE-2014-3469
Created: June 3, 2014
Updated: March 29, 2015
Description: From the Mageia advisory:

Multiple buffer boundary check issues were discovered in the libtasn1 library, causing it to read beyond the boundary of an allocated buffer. An untrusted ASN.1 input could cause an application using the library to crash (CVE-2014-3467).

It was discovered that the libtasn1 library function asn1_get_bit_der() could incorrectly report a negative bit length for the value read from ASN.1 input. This could possibly lead to an out-of-bounds access in an application using libtasn1, for example if the application tried to terminate the read value with a NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1's asn1_read_value_type() / asn1_read_value() function. If an application called the function with a NULL value for an ivalue argument to determine the amount of memory needed to store data to be read from the ASN.1 input, libtasn1 could incorrectly attempt to dereference the NULL pointer, causing an application using the library to crash (CVE-2014-3469).

Alerts:
Mandriva MDVSA-2015:116 libtasn1 2015-03-29
Debian DSA-3056-1 libtasn1-3 2014-10-26
Gentoo 201408-09 libtasn1 2014-08-29
SUSE SUSE-SU-2014:0931-1 libtasn1 2014-07-24
Oracle ELSA-2014-0687 libtasn1 2014-07-23
Ubuntu USN-2294-1 libtasn1-3, libtasn1-6 2014-07-22
SUSE SUSE-SU-2014:0800-1 GnuTLS 2014-06-16
Red Hat RHSA-2014:0687-01 libtasn1 2014-06-10
Fedora FEDORA-2014-6919 libtasn1 2014-06-10
Mandriva MDVSA-2014:107 libtasn1 2014-06-09
Slackware SSA:2014-156-02 libtasn1 2014-06-05
Slackware SSA:2014-156-01 gnutls 2014-06-05
SUSE SUSE-SU-2014:0758-1 gnutls 2014-06-05
Scientific Linux SLSA-2014:0596-1 libtasn1 2014-06-03
Scientific Linux SLSA-2014:0594-1 gnutls 2014-06-03
Oracle ELSA-2014-0596 libtasn1 2014-06-03
Oracle ELSA-2014-0594 gnutls 2014-06-03
Fedora FEDORA-2014-6895 libtasn1 2014-06-04
CentOS CESA-2014:0596 libtasn1 2014-06-04
CentOS CESA-2014:0594 gnutls 2014-06-04
Red Hat RHSA-2014:0596-01 libtasn1 2014-06-03
Red Hat RHSA-2014:0594-01 gnutls 2014-06-03
Mageia MGASA-2014-0247 libtasn1 2014-06-02
SUSE SUSE-SU-2014:0788-2 GnuTLS 2014-06-13
SUSE SUSE-SU-2014:0758-2 GnuTLS 2014-06-13
SUSE SUSE-SU-2014:0788-1 GnuTLS 2014-06-13


moodle: information leak

Package(s): moodle
CVE #(s): CVE-2014-0217
Created: May 30, 2014
Updated: June 4, 2014
Description:

From the Moodle security alert:

Description: Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users.

Issue summary: Files linked in HTML blocks on My home are available to non authenticated users

Alerts:
Fedora FEDORA-2014-10802 moodle 2014-09-25
Fedora FEDORA-2014-6585 moodle 2014-05-29
Fedora FEDORA-2014-6577 moodle 2014-05-29


openstack-foreman-installer: insecure defaults

Package(s): openstack-foreman-installer
CVE #(s): CVE-2013-6470
Created: May 30, 2014
Updated: June 4, 2014
Description:

From the Red Hat advisory:

It was discovered that the Qpid configuration created by openstack-foreman-installer did not have authentication enabled when run with default settings in standalone mode. An attacker able to establish a TCP connection to Qpid could access any OpenStack back end using Qpid (for example, nova) without any authentication.

Alerts:
Red Hat RHSA-2014:0517-01 openstack-foreman-installer 2014-05-29


openstack-heat-templates: multiple vulnerabilities

Package(s): openstack-heat-templates
CVE #(s): CVE-2014-0040 CVE-2014-0041 CVE-2014-0042
Created: May 30, 2014
Updated: June 4, 2014
Description:

From the Red Hat advisory:

It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0040)

It was found that certain heat templates disabled SSL protection for various Yum repositories (sslverify=false). An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0041)

It was discovered that certain heat templates disabled GPG signature checking of packages via Yum (gpgcheck=0). An attacker could use this flaw to conduct man-in-the-middle attacks to install arbitrary packages on the system. (CVE-2014-0042)
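The following Python checker is an added example, not part of the Red Hat templates or of yum itself. It scans a yum repository definition for the three weaknesses listed above (plain-HTTP package or key URLs, sslverify switched off, gpgcheck switched off) and is run against a constructed weak definition and its hardened counterpart; the hostnames and the key path are placeholders. Treating a missing gpgcheck as a finding is a design choice of this checker, since the effective value then depends on the [main] section rather than on the repo definition being reviewed.

```python
"""Flag insecure settings in a yum .repo definition (added example)."""
import configparser

FALSE_VALUES = {"0", "false", "no", "off"}   # yum's spellings of a false boolean
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def audit_repo_config(text):
    """Return (section, problem) pairs for every weak setting found.

    Plain-HTTP repository or key URLs let an on-path attacker substitute
    metadata, packages or keys; sslverify=false makes HTTPS no better than
    HTTP; gpgcheck=0 installs whatever the (possibly substituted) mirror
    serves.  A missing gpgcheck is also reported, because the effective
    value then comes from [main] instead of the repo definition.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section == "main":
            continue
        repo = cp[section]
        for key in URL_KEYS:
            for url in repo.get(key, "").split():
                if url.lower().startswith("http://"):
                    findings.append((section, "%s fetched over plain HTTP: %s" % (key, url)))
        if repo.get("sslverify", "1").strip().lower() in FALSE_VALUES:
            findings.append((section, "sslverify disabled: TLS server identity is not checked"))
        gpgcheck = repo.get("gpgcheck")
        if gpgcheck is None:
            findings.append((section, "gpgcheck not set; signature checking inherits from [main]"))
        elif gpgcheck.strip().lower() in FALSE_VALUES:
            findings.append((section, "gpgcheck disabled: unsigned packages will be installed"))
    return findings


# Constructed repo definitions; hostnames and key path are placeholders.
WEAK_REPO = """\
[updates]
name=Constructed weak example
baseurl=http://mirror.example.com/updates/7/x86_64/
gpgkey=http://mirror.example.com/RPM-GPG-KEY-example
gpgcheck=0
sslverify=false
enabled=1
"""

HARDENED_REPO = """\
[updates]
name=Constructed hardened example
baseurl=https://mirror.example.com/updates/7/x86_64/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
gpgcheck=1
sslverify=1
enabled=1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        problems = audit_repo_config(text)
        print("%s: %d finding(s)" % (label, len(problems)))
        for section, problem in problems:
            print("  [%s] %s" % (section, problem))
```

The hardened definition ships the signing key in the image (file://) rather than fetching it, which is the only way gpgcheck=1 protects the very first install from a repository.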

Alerts:
Red Hat RHSA-2014:0579-01 openstack-heat-templates 2014-05-29


openstack-neutron: privilege escalation

Package(s): openstack-neutron
CVE #(s): CVE-2013-6433
Created: May 30, 2014
Updated: October 1, 2014
Description:

From the Red Hat advisory:

It was discovered that the default sudo configuration provided in OpenStack Networking, which is specific to the openstack-neutron package shipped by Red Hat, did not correctly specify a configuration file for rootwrap, potentially allowing an unauthenticated user to escalate their privileges.

Alerts:
Red Hat RHSA-2014:1339-01 openstack-neutron 2014-09-30
Ubuntu USN-2255-1 neutron 2014-06-25
Red Hat RHSA-2014:0516-01 openstack-neutron 2014-05-29


openstack-nova: unintended file access

Package(s): openstack-nova
CVE #(s): CVE-2014-0134
Created: May 30, 2014
Updated: June 4, 2014
Description:

From the Red Hat advisory:

It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled ("use_cow_images = False" in nova configuration) were affected.

Alerts:
Ubuntu USN-2247-1 nova 2014-06-17
Red Hat RHSA-2014:0578-01 openstack-nova 2014-05-29


php5: denial of service

Package(s): php5
CVE #(s): CVE-2014-0237 CVE-2014-0238
Created: June 2, 2014
Updated: July 7, 2014
Description: From the CVE entries:

The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. (CVE-2014-0237)

The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. (CVE-2014-0238)

Alerts:
Oracle ELSA-2015-2155 file 2015-11-23
Red Hat RHSA-2015:2155-07 file 2015-11-19
Mandriva MDVSA-2015:080 php 2015-03-28
Debian-LTS DLA-145-1 php5 2015-01-31
Scientific Linux SLSA-2014:1606-2 file 2014-11-03
Red Hat RHSA-2014:1766-01 php55-php 2014-10-30
Red Hat RHSA-2014:1765-01 php54-php 2014-10-30
Red Hat RHSA-2014:1606-02 file 2014-10-14
Debian DSA-3021-2 file 2014-09-10
Debian DSA-3021-1 file 2014-09-09
Gentoo 201408-11 php 2014-08-29
Oracle ELSA-2014-1606 file 2014-10-16
Scientific Linux SLSA-2014:1012-1 php53 and php 2014-08-06
CentOS CESA-2014:1013 php 2014-08-06
CentOS CESA-2014:1012 php53 2014-08-06
Oracle ELSA-2014-1013 php 2014-08-06
Oracle ELSA-2014-1012 php53 2014-08-06
Red Hat RHSA-2014:1012-01 php53 2014-08-06
Fedora FEDORA-2014-7992 file 2014-07-05
SUSE SUSE-SU-2014:0869-1 php53 2014-07-04
Red Hat RHSA-2014:1013-01 php 2014-08-06
Ubuntu USN-2254-2 php5 2014-06-25
Ubuntu USN-2254-1 php5 2014-06-23
Fedora FEDORA-2014-6904 php-phpunit-PHPUnit-MockObject 2014-06-17
Fedora FEDORA-2014-6901 php-phpunit-PHPUnit-MockObject 2014-06-17
Fedora FEDORA-2014-6904 php-doctrine-orm 2014-06-17
Fedora FEDORA-2014-6901 php-doctrine-orm 2014-06-17
Fedora FEDORA-2014-6904 php 2014-06-17
Fedora FEDORA-2014-6901 php 2014-06-17
Slackware SSA:2014-160-01 php 2014-06-09
Mandriva MDVSA-2014:115 php 2014-06-10
Mageia MGASA-2014-0258 php 2014-06-06
Mageia MGASA-2014-0252 file 2014-06-06
Debian DSA-2943-1 php5 2014-06-01
Mandriva MDVSA-2014:116 file 2014-06-10
openSUSE openSUSE-SU-2014:0786-1 php5 2014-06-12
openSUSE openSUSE-SU-2014:0784-1 php5 2014-06-12
Scientific Linux SLSA-2015:2155-7 file 2015-12-21


policycoreutils: privilege escalation

Package(s): policycoreutils
CVE #(s): CVE-2014-3215
Created: May 30, 2014
Updated: March 29, 2015
Description:

From the CVE entry:

seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges.
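An added example, not seunshare code: the helper below shows the drop-and-verify pattern that the CVE text alludes to, in Python on Linux (os.setresuid, os.setresgid and os.getresuid are Linux-specific). A program that calls setuid() alone can be left with a saved set-user-ID of 0 and later climb back to root; setting all three IDs and then reading them back with getresuid() makes the drop verifiable instead of assumed. The self-check exercises the same code against the caller's own IDs so that it runs unprivileged.

```python
"""Drop privileges permanently and verify the saved IDs followed (added example)."""
import os


def drop_privileges_permanently(uid, gid):
    """Set real, effective and saved IDs to uid/gid and prove that it worked.

    Order matters: supplementary groups first (only possible while still
    root), then the group IDs, then the user IDs, since dropping uid first
    would make the group changes impossible.  The getresuid()/getresgid()
    checks afterwards catch an environment where the drop did not take
    effect as expected, which is the failure mode the CVE describes.
    """
    if os.geteuid() == 0 and uid != 0:
        os.setgroups([gid])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    uids = os.getresuid()
    if uids != (uid, uid, uid):
        raise PermissionError("uid drop incomplete: real/effective/saved = %r" % (uids,))
    gids = os.getresgid()
    if gids != (gid, gid, gid):
        raise PermissionError("gid drop incomplete: real/effective/saved = %r" % (gids,))
    return uids


def can_regain_uid(uid):
    """True if setuid(uid) succeeds, i.e. an earlier drop was not permanent."""
    try:
        os.setuid(uid)
    except PermissionError:
        return False
    return True


def self_check():
    """Run the drop against the caller's own IDs so it works unprivileged.

    Returns (drop_verified, regain_root_blocked).  The second value is None
    when the caller already is root, since "regaining" uid 0 is then
    meaningless.
    """
    uid, gid = os.getuid(), os.getgid()
    verified = drop_privileges_permanently(uid, gid) == (uid, uid, uid)
    blocked = None if uid == 0 else not can_regain_uid(0)
    return verified, blocked


if __name__ == "__main__":
    verified, blocked = self_check()
    print("drop verified:", verified)
    print("setuid(0) afterwards blocked:", blocked)
```

A program that wants to drop to an unprivileged account from root would call drop_privileges_permanently(target_uid, target_gid) after resolving the account, and should treat the PermissionError as fatal rather than continue with whatever privileges it turned out to keep.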

Alerts:
Oracle ELSA-2015-3064 kernel 3.8.13 2015-07-31
Oracle ELSA-2015-3035 kernel 2015-05-13
Oracle ELSA-2015-3036 kernel 2015-05-13
Oracle ELSA-2015-3034 Unbreakable Enterprise kernel 2015-04-23
Oracle ELSA-2015-3033 Unbreakable Enterprise kernel 2015-04-23
Oracle ELSA-2015-3032 Unbreakable Enterprise kernel 2015-04-23
Scientific Linux SLSA-2015:0864-1 kernel 2015-04-21
Oracle ELSA-2015-0864 kernel 2015-04-21
CentOS CESA-2015:0864 kernel 2015-04-22
Red Hat RHSA-2015:0864-01 kernel 2015-04-21
Mandriva MDVSA-2015:156 libcap-ng 2015-03-29
Gentoo 201412-44 policycoreutils 2014-12-26
Mageia MGASA-2014-0251 libcap-ng 2014-06-06
openSUSE openSUSE-SU-2014:0749-1 libcap-ng 2014-06-03
openSUSE openSUSE-SU-2014:0736-1 policycoreutils 2014-05-30
Mandriva MDVSA-2014:117 libcap-ng 2014-06-10


smb4k: credential cache leak

Package(s): smb4k
CVE #(s): CVE-2014-2581
Created: June 3, 2014
Updated: June 23, 2014
Description: From the Smb4K 1.1.1 release notes:

Fixed potential security issue reported by Heiner Markert. Do not allow the cruid option to be entered via the "Additional options" line edit. Also, implement a check in Smb4KMountJob::createMountAction() that removes the cruid option from the custom options returned by Smb4KSettings::customCIFSOptions().

Alerts:
Mageia MGASA-2014-0271 smb4k 2014-06-20
Fedora FEDORA-2014-6255 smb4k 2014-06-02
Fedora FEDORA-2014-6258 smb4k 2014-06-02


typo3-src: multiple vulnerabilities

Package(s): typo3-src
CVE #(s): (none listed)
Created: June 2, 2014
Updated: February 23, 2015
Description: From the Typo3 advisory:

It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing.

Failing to properly validate the HTTP host-header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment.
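An added example, not TYPO3 code: the two URL builders below show, in Python, the pattern behind the host-spoofing item. The first echoes whatever Host header the client sent into generated links, so a forged request turns a password-reset mail into a link to the attacker's server; the second either uses a configured canonical host and ignores the header entirely, or accepts the header only when it is a syntactically valid hostname on an allow list. The hostnames in ALLOWED_HOSTS are an assumed deployment setting.

```python
"""Build absolute URLs without trusting the HTTP Host header (added example)."""
import re
from urllib.parse import urlunsplit

# Assumed deployment configuration: the hostnames this site legitimately serves.
ALLOWED_HOSTS = frozenset({"cms.example.org", "www.example.org"})
# hostname, optionally followed by a port
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$")


def absolute_url_from_host_header(headers, path):
    """The vulnerable pattern: the client-controlled Host value becomes the
    authority of every generated link, password-reset links included."""
    return "https://" + headers["Host"] + path


def absolute_url(headers, path, allowed_hosts=ALLOWED_HOSTS, canonical_host=None):
    """Hardened version.

    With a configured canonical host the Host header is ignored outright.
    Otherwise the header is accepted only when it parses as a hostname
    (with optional port) whose hostname part is in the allow list; any
    other value is rejected rather than echoed, because in a name-based
    virtual-hosting setup the server may well have routed the request
    here regardless of what the header said.
    """
    if canonical_host is not None:
        return urlunsplit(("https", canonical_host, path, "", ""))
    host = headers.get("Host", "").strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError("malformed Host header: %r" % host)
    if host.rsplit(":", 1)[0] not in allowed_hosts:
        raise ValueError("Host header %r is not a configured hostname" % host)
    return urlunsplit(("https", host, path, "", ""))


def is_rejected(headers, path="/"):
    """True when the hardened builder refuses to use the given headers."""
    try:
        absolute_url(headers, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed forged request: the Host header names the attacker's server.
    forged = {"Host": "attacker.example"}
    print("vulnerable:", absolute_url_from_host_header(forged, "/reset"))
    print("hardened rejects forged Host:", is_rejected(forged))
    print("hardened, canonical:", absolute_url(forged, "/reset", canonical_host="cms.example.org"))
    print("hardened, allow-listed:", absolute_url({"Host": "www.example.org"}, "/reset"))
```

A configured canonical host is the stronger of the two options: it removes the header from the decision entirely, and the allow list is only needed where one installation genuinely answers under several names.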

Alerts:
Debian DSA-2942-1 typo3-src 2014-06-01


Page editor: Jake Edge

Copyright © 2014, Eklektix, Inc.