Security
Thwarting the "evil maid"
The "evil maid" attack against disk encryption has been known for quite a few years now. We looked at it back in 2009, shortly after Joanna Rutkowska (who first described the attack) announced a proof-of-concept "evil maid" attack on the popular TrueCrypt disk-encryption tool. In 2011, she also came up with an "Anti Evil Maid" tool; more recently, Matthew Garrett has come up with some refinements that he calls "Anti Evil Maid 2 Turbo Edition". These methods for stopping evil maids (and others with physical access to our systems) are worth a look.
The "evil maid" attack got its name from a scenario where the maid at a hotel (or someone pretending to be) would access a guest's laptop while they were out of their room. The attacker would install a kind of malware in the master boot record (MBR) of the system that would record the decryption password. Another visit is all it would take for the attacker to get the password (and perhaps to decrypt some data). More sophisticated attacks might send the password to the attacker over the network. Some way to access the disk's data, now that it can be decrypted, would need to be arranged (e.g. copy the disk at installation time, steal the laptop later, etc.).
Ensuring the code being run by the system is the same as what is expected is the only mechanism to thwart many of these kinds of attacks. Using the Trusted Platform Module (TPM) hardware that is present on many systems these days can provide a way to ensure that the system's firmware, bootloader, and other code involved in the disk encryption have not changed. Garrett described how the TPM can be used:
If any of those components has been modified, the TPM measurement by the previous component will detect it. In addition, the TPM can be used to encrypt some data that it will only decrypt if all of the PCR values match their expected values. So an encrypted key for the disk could be stored in such a way that it can only be decrypted if the system has not been modified. So far, so good.
But, either the disk decryption key is applied automatically at boot time, which leaves the system open to simply being stolen and booted, or a password can be applied to the boot process. However, that leaves another problem behind, as Garrett outlined:
This is where Rutkowska's Anti Evil Maid comes into play. Users can encrypt a secret phrase with the TPM, which can be used in one of two forms. It can be stored on a USB stick that is consulted whenever the user believes there is a reason to check the integrity of their system. If the TPM can decrypt the phrase, then all is well. That does, however, require the user to decide when to check, which is not fully reliable.
An alternative is to do it on every boot, but that has its flaws as well.
The attacker could simply boot the system, see the phrase, and modify their
malware to simply print the proper phrase. That can also be handled by
password-protecting the TPM, but that results in
the scenario where a fake password prompt is offered, the password is
stored, the malware removes itself, and the system is rebooted. As Garrett
noted, users can be trained to recognize the attack: "if the system
reboots without the user seeing the secret, the user must assume
that their
system has been compromised and that an attacker now has a copy of their
TPM password.
"
The usability of that mechanism is not all that good, though. Garrett has come up with his "Turbo Edition" that adds a dynamic element into the mix, so that both the user and the computer can independently agree on a password that changes frequently. As he pointed out, many already use a one-time password (OTP) for two-factor authentication. In that scenario, users prove to the computer that they can generate the proper OTP, while Garrett's mechanism would reverse that: the computer would prove that it can generate the proper OTP to show that it hasn't been compromised.
Garrett has created a prototype that uses the time-based OTP (TOTP) algorithm to generate the passwords. TOTP takes a secret and the time of day to generate the OTP. That secret can be encrypted by the TPM so it will only be available if the system has not been tampered with. Enrolling the secret into a TOTP smartphone app allows the user to generate the same OTP. So instead of a static secret phrase that gets decrypted and printed to the screen (which a physically present attacker could learn), the boot process calculates an OTP and prints that to the screen, which the user verifies on their smartphone. An attacker who learns an OTP will have no advantage as long as the user is diligent about verifying the OTP on every boot.
It is a clever combination of two existing security technologies that should work well, once all of the pieces are in place. As Garrett pointed out, there are caveats:
There is an alternative to all of these complicated "Anti Evil Maid" techniques, of course: maintaining physical control of laptops (or other systems) at all times. That is a tall order for most people; for the truly paranoid (or targeted), though, it is the safest course. But, for that to be effective, any loss of control, even for a short time, has to result in the system being discarded as "compromised". Obtaining a new, trusted system and retrieving the data from backups will be required, though now the system used for backups is the big target—and may be far harder to prevent physical access to.
Brief items
Security quotes of the week
The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn't like, and Hacking Team wouldn't have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently.
A new OpenSSL vulnerability
The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability.
Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.
NSA releases Linux-based open source infosec tool (ITNews)
ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.
Jones: Future development of Trinity
Here's a discouraging blog post from Dave Jones on why he will no longer be developing the Trinity fuzz tester. "It’s no coincidence that the number of bugs reported found with Trinity have dropped off sharply since the beginning of the year, and I don’t think it’s because the Linux kernel suddenly got lots better. Rather, it’s due to the lack of real ongoing development to 'try something else' when some approaches dry up. Sadly we now live in a world where it’s easier to get paid to run someone else’s fuzzer these days than it is to develop one."
Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention (Linux.com)
Linux.com has an interview with Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hactivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."
The Core Infrastructure Initiative census project
The Core Infrastructure Initiative (a Linux Foundation effort to direct resources to critical projects in need of help) has announced a census project to identify the development projects most in need of assistance. "Unlike the Fed’s stress tests, which are opaque, all of the census data and analysis is open source. We are eager for community involvement. We encourage developers to fork the project and experiment with different data sources, different parameters, and different algorithms to test out the concept of an automated risk assessment census. We are also eager for input to help sanitize and complete the data that was used in this first iteration of the census."
New vulnerabilities
java: multiple vulnerabilities
| Package(s): | java-1.7.0-openjdk | CVE #(s): | CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 15, 2015 | Updated: | January 14, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. (CVE-2015-4748) It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons. (CVE-2015-2601) Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632) A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address. (CVE-2015-2625) It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. (CVE-2015-4749) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
java: two vulnerabilities
| Package(s): | java-1.8.0-openjdk | CVE #(s): | CVE-2015-2659 CVE-2015-3149 | ||||||||||||||||||||||||||||||||
| Created: | July 15, 2015 | Updated: | July 21, 2015 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was discovered that the GCM (Galois Counter Mode) implementation in the Security component of OpenJDK failed to properly perform a null check. This could cause the Java Virtual Machine to crash when an application performed encryption using a block cipher in the GCM mode. (CVE-2015-2659) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory. (CVE-2015-3149) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
kernel: two remote denial of service vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2015-5364 CVE-2015-5366 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 13, 2015 | Updated: | June 14, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE assignment email, which was evidently prompted by a tweet from grsecurity:
It appears that you are primarily asking for a CVE ID for the issue involving the absence of a cond_resched call. Use CVE-2015-5364. However, the presence of "return -EAGAIN" may also have been a security problem in some realistic circumstances. For example, maybe there's an attacker who can't transmit a flood with invalid checksums, but can sometimes inject one packet with an invalid checksum. The goal of this attacker isn't to cause a system hang; the goal is to cause an EPOLLET epoll application to stop reading for an indefinitely long period of time. This scenario can't also be covered by CVE-2015-5364. Is it better to have no CVE ID at all, e.g., is udp_recvmsg/udpv6_recvmsg simply not intended to defend against this scenario? | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libcapsinetwork: denial of service
| Package(s): | libcapsinetwork | CVE #(s): | CVE-2015-0841 | ||||
| Created: | July 13, 2015 | Updated: | July 15, 2015 | ||||
| Description: | From the Gentoo advisory:
An off-by-one buffer overflow in libcapsinetwork network handling code is discovered. A remote attacker could send a specially crafted request to application, that is linked with libcapsinetwork, possibly resulting in a Denial of Service condition. | ||||||
| Alerts: |
| ||||||
libunwind: buffer overflow
| Package(s): | libunwind | CVE #(s): | CVE-2015-3239 | ||||||||||||||||||||||||||||||||||||||||
| Created: | July 13, 2015 | Updated: | October 5, 2015 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian LTS advisory:
Invalid dwarf opcodes can cause references beyond the end of the array. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
openssl: certificate verification botch
| Package(s): | openssl | CVE #(s): | CVE-2015-1793 | ||||||||||||||||||||||||||||||||
| Created: | July 10, 2015 | Updated: | July 15, 2015 | ||||||||||||||||||||||||||||||||
| Description: | From the OpenSSL advisory:
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
perl: denial of service
| Package(s): | perl | CVE #(s): | CVE-2013-7422 | ||||||||
| Created: | July 10, 2015 | Updated: | July 15, 2015 | ||||||||
| Description: | From the Gentoo advisory:
S_regmatch() function lacks proper checks before passing arguments to atoi() A remote attacker could send a specially crafted input, possibly resulting in a Denial of Service condition. | ||||||||||
| Alerts: |
| ||||||||||
portage: certificate verification botch
| Package(s): | portage | CVE #(s): | CVE-2013-2100 | ||||
| Created: | July 10, 2015 | Updated: | July 15, 2015 | ||||
| Description: | From the Gentoo advisory:
Portage does not verify X.509 SSL certificate properly if HTTPS is used. A remote attacker can spoof servers and modify binary package lists via specially crafted certificate. | ||||||
| Alerts: |
| ||||||
python-django: two vulnerabilities
| Package(s): | python-django | CVE #(s): | CVE-2015-5143 CVE-2015-5144 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 9, 2015 | Updated: | October 22, 2015 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
CVE-2015-5143: Eric Peterson and Lin Hua Cheng discovered that a new empty record used to be created in the session storage every time a session was accessed and an unknown session key was provided in the request cookie. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted. CVE-2015-5144: Sjoerd Job Postmus discovered that some built-in validators did not properly reject newlines in input values. This could allow remote attackers to inject headers in emails and HTTP responses. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
rubygem-moped: denial of service
| Package(s): | rubygem-moped | CVE #(s): | CVE-2015-4411 | ||||||||
| Created: | July 14, 2015 | Updated: | July 15, 2015 | ||||||||
| Description: | From the Red Hat bugzilla:
The following Denial of Service issue was discovered in Moped Ruby gem: If a crafted value will be passed to Moped::BSON::ObjecId.legal? method, this will cause Moped to think MongoDB is down, and ping it 39 more times with intervals. In other words, Moped will keep a worker busy for 5 seconds and make x40 requests to MongoDB. This covers an incomplete fix for CVE-2015-4410. | ||||||||||
| Alerts: |
| ||||||||||
virtuoso-opensource: multiple unspecified vulnerabilities
| Package(s): | virtuoso-opensource | CVE #(s): | |||||
| Created: | July 9, 2015 | Updated: | July 15, 2015 | ||||
| Description: | From a message to the oss-security list from Florian Weimer of Red Hat:
A long time ago, we looked at the low-level data marshaling code in the database server, and found quite a few memory safety issues. We also encountered server crashes and problems which looked like race conditions, affecting server stability. [...] We have not assigned CVE identifiers because the number of different crashes we saw was fairly large, and we could not completely understand how the RPC implementation is pieced together. More information can also be found in the Mageia bug. | ||||||
| Alerts: |
| ||||||
Page editor: Jake Edge
Next page:
Kernel development>>