Security
The Glibc DNS resolution vulnerability
While the recently disclosed GNU C library (Glibc) DNS bug (CVE-2015-7547) is quite serious, one of the interesting aspects is that the real scope of the problem is not yet known. The ability to exploit this bog-standard buffer overflow is dependent on a number of other factors, so there are no known vectors for widespread code execution—publicly known, anyway. There are certainly millions of vulnerable systems out there, many of which are not likely to ever be patched, but it is truly unclear if that will lead to large numbers of compromised systems.
There are a number of obstacles in the way of an attacker wishing to exploit this bug. First off, a client application must call getaddrinfo() to resolve a domain name and use the AF_UNSPEC address family. That family indicates that either an IPv4 or IPv6 address is acceptable, which is the normal way that getaddrinfo() is called these days. Glibc then does two parallel queries for the A and AAAA records for the domain. It is the buffer handling in this parallel query step where things go awry.
Many systems are not configured to query a local caching nameserver; instead Glibc will make a query to the remote nameserver that was configured (or auto-configured by DHCP or the like) for the system. That means these two queries leave the system and, crucially, replies are received. Typically, DNS replies are short, but they can be as large as 64KB. Glibc allocates 2KB on the stack for the reply, but it has provisions to increase that by allocating a heap buffer for replies that are larger. Unfortunately, if the query needs to be retried, the stack buffer gets used instead of the larger, newly allocated buffer, so roughly 62KB of attacker-controlled data can be written to the stack.
There are still more requirements to make all of this happen, though. Normally, UDP is used to do the query, which is typically limited to 512-byte replies, but a man-in-the-middle (MITM) attacker could send more data. But any server could set the "truncation bit" in the reply to cause the client to switch to TCP for its query. Causing the client to retry is evidently tricky, but can be done. The net result can be as bad as a bunch of attacker data on the stack, but even that may be difficult to turn into code execution due to address-space layout randomization (ASLR) and other defensive measures.
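As an added illustration (not code from the article, from Glibc, or from Kaminsky's analysis), here is a small Python checker written from a defender's side: it parses DNS replies as seen on the wire, flags the two conditions the text names (a UDP reply with the truncation bit set, which pushes the client to TCP, and a reply larger than the 2048-byte stack buffer), and splits the length-prefixed frames that TCP DNS uses. The sample responses for example.com are constructed for the example and are not real traffic.

```python
import struct

STACK_BUF = 2048   # size of Glibc's on-stack reply buffer, as stated in the article
UDP_LIMIT = 512    # classic UDP reply limit when EDNS is not in use

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields this checker inspects."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def assess_reply(msg, transport):
    """Return (header, findings) for one reply; transport is 'udp' or 'tcp'."""
    h = parse_header(msg)
    findings = []
    if not h["qr"]:
        findings.append("QR bit clear: not a response")
    if transport == "udp" and h["tc"]:
        findings.append("TC set: client will retry the query over TCP")
    if transport == "udp" and len(msg) > UDP_LIMIT:
        findings.append("UDP reply over 512 bytes")
    if len(msg) > STACK_BUF:
        findings.append("reply exceeds the 2048-byte stack buffer")
    return h, findings

def split_tcp_messages(stream):
    """TCP carries DNS as 2-byte big-endian length-prefixed messages."""
    out, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            raise ValueError("truncated TCP DNS frame")
        out.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return out

def build_response(ident, n_answers, tc=False):
    """Constructed sample: a response for example.com carrying n_answers A records."""
    flags = 0x8180 | (0x0200 if tc else 0)            # QR=1, RD=1, RA=1 (+TC)
    qname = b"\x07example\x03com\x00"
    msg = struct.pack("!HHHHHH", ident, flags, 1, n_answers, 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)   # name ptr, A, IN, TTL, RDLENGTH
    for i in range(n_answers):
        msg += rr + bytes([192, 0, 2, i % 256])        # TEST-NET-1 addresses
    return msg                                         # 29 + 16 * n_answers bytes
```

With 130 answer records the constructed reply is 2109 bytes, which is enough to cross the 2048-byte boundary the article describes while still being a well-formed message.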
Ostensibly it would seem that an attacker could simply set up a DNS server for their domain that would send malicious responses (while causing retries), then "force" clients into looking up this compromised domain. But there are complications; most notably any caching resolvers between the attacker and victim will reject most or all of the malicious responses because they aren't well-formed. It is unclear, however, whether cache-surviving, malicious responses can be constructed.
In a detailed advisory, Glibc developer Carlos O'Donell of Red Hat indicated that the possibility exists:
Dan Kaminsky followed up on that in his own detailed analysis:
But Kaminsky goes on to posit that "some networks are going to be vulnerable to some cache traversal attacks sometimes", under the theory that attacks only get better over time. The emphasis on the cache is important. An MITM attacker does not need the malicious responses to reside in intermediary caching resolvers (and an MITM can do plenty of other malicious things), but others who might want to exploit this flaw do need that. If a way is found to get these malicious responses into caches, CVE-2015-7547 gets a whole lot worse.
The scope of programs affected by the vulnerability is rather surprising as well. As Kaminsky and others have noted, the problem affects many different programs, from sudo and httpd to gpg and ssh—and beyond. Languages like Python, Haskell, JavaScript, and others are also affected. Some of these "memory-safe" languages protect against buffer overflows in programs written in the language, but the runtimes for those languages use Glibc, so flaws at that level can still affect them. And plenty of programs look up domain names for a variety of reasons. As Kaminsky put it:
Clearly the best "mitigation" is to update affected systems, but that may not be possible in many cases. There are an enormous number of Glibc-using devices out there (e.g. some home routers) that rarely, if ever, get updates. Even if updates are released, getting them into the hands of users and onto the devices is decidedly non-trivial. That has some looking for other types of mitigation.
One that is often mentioned is limiting the size of DNS replies. If no reply is large enough to tickle the bug, then devices running the old code won't be affected. That still doesn't solve the MITM problem, but Kaminsky also argued that length-limiting will have other hard-to-diagnose effects, so it should be avoided. There is a reason that DNS has been engineered to allow for larger responses, so it is effectively too late to put that cat back in the bag.
Using a local caching resolver, rather than requiring Glibc to query the network, will also help in environments where that is possible. If cache-traversing responses eventually surface, they can be handled at that level. Both local and remote caching servers can be changed as we learn more over time. Kaminsky described it this way:
Some devices, Android devices in particular, use different C libraries, which are presumably not vulnerable to this particular flaw. There are undoubtedly other vulnerabilities in those, with unknown effects and scope—at least publicly. The bug in Glibc has existed for almost eight years (it was introduced in Glibc 2.9 in May 2008); it is hard to guess what else lurks there—or elsewhere.
It is refreshing to see a security vulnerability disclosed without a name, logo, animated GIF, and hype-ridden web page touting it. Instead we have the disclosure announcements along with some sober analysis of what it all might mean. That used to be the norm and, while it may be a little awkward to use "CVE-2015-7547" rather than some catchy name, it is a welcome change from the hoopla surrounding Heartbleed, GHOST, and others.
Brief items
Security quotes of the week
It’s decided to seek a precedent that would allow it to force every American company to create a backdoor for the Government to snoop on anyone it so pleases.
The logic is outrageous: “People got shot. So we need a backdoor into your phone.”
Passwords were changed under FBI orders that should not have been. San Bernardino officials did not avail themselves of common device management software that could have prevented this entire problem -- software of a sort that most responsible corporations and other organizations already use with company-owned smartphones in employee hands.
Kaminsky: A Skeleton Key of Unknown Strength
Dan Kaminsky looks at the Glibc DNS bug (CVE-2015-7547). "We’ve investigated the DNS lookup path, which requires the glibc exploit to survive traversing one of the millions of DNS caches dotted across the Internet. We’ve found that it is neither trivial to squeeze the glibc flaw through common name servers, nor is it trivial to prove such a feat is impossible. The vast majority of potentially affected systems require this attack path to function, and we just don’t know yet if it can. Our belief is that we’re likely to end up with attacks that work sometimes, and we’re probably going to end up hardening DNS caches against them with intent rather than accident. We’re likely not going to apply network level DNS length limits because that breaks things in catastrophic and hard to predict ways."
New vulnerabilities
chromium: code execution
| Package(s): | chromium-browser | CVE #(s): | CVE-2016-1628 |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the CVE entry: pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions. | | |
| Alerts: | | | |
chromium: code execution
| Package(s): | chromium | CVE #(s): | CVE-2016-1629 |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the CVE entry: Google Chrome before 48.0.2564.116 allows remote attackers to bypass the Blink Same Origin Policy and a sandbox protection mechanism via unspecified vectors. | | |
| Alerts: | | | |
didiwiki: unintended access
| Package(s): | didiwiki | CVE #(s): | CVE-2013-7448 |
| Created: | February 22, 2016 | Updated: | April 12, 2016 |
| Description: | From the Debian advisory: Alexander Izmailov discovered that didiwiki, a wiki implementation, failed to correctly validate user-supplied input, thus allowing a malicious user to access any part of the filesystem. | | |
| Alerts: | | | |
ffmpeg: denial of service
| Package(s): | ffmpeg | CVE #(s): | CVE-2016-2329 |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the CVE entry: libavcodec/tiff.c in FFmpeg before 2.8.6 does not properly validate RowsPerStrip values and YCbCr chrominance subsampling factors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted TIFF file, related to the tiff_decode_tag and decode_frame functions. | | |
| Alerts: | | | |
GraphicsMagick: out-of-bounds read flaw
| Package(s): | GraphicsMagick | CVE #(s): | CVE-2015-8808 |
| Created: | February 24, 2016 | Updated: | February 24, 2016 |
| Description: | From the Red Hat bugzilla: An out-of-bounds read flaw was found in the parsing of GIF files using GraphicsMagick. | | |
| Alerts: | | | |
hamster-time-tracker: two denial of service flaws
| Package(s): | hamster-time-tracker | CVE #(s): | |
| Created: | February 18, 2016 | Updated: | February 25, 2016 |
| Description: | The Red Hat bugzilla entries: 1 and 2 have some more information about two different crashes of the server processes. | | |
| Alerts: | | | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2016-1576 CVE-2016-1575 |
| Created: | February 23, 2016 | Updated: | February 24, 2016 |
| Description: | From the Ubuntu advisory: halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1575) | | |
| Alerts: | | | |
libssh: insecure ssh sessions
| Package(s): | libssh | CVE #(s): | CVE-2016-0739 |
| Created: | February 23, 2016 | Updated: | March 24, 2016 |
| Description: | From the Debian LTS advisory: Aris Adamantiadis of the libssh team discovered that libssh, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets. This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions. | | |
| Alerts: | | | |
libssh2: insecure ssh sessions
| Package(s): | libssh2 | CVE #(s): | CVE-2016-0787 |
| Created: | February 23, 2016 | Updated: | November 23, 2016 |
| Description: | From the Debian advisory: Andreas Schneider reported that libssh2, an SSH2 client-side library, passes the number of bytes to a function that expects the number of bits during the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffie-Hellman negotiation. This weakens significantly the handshake security, potentially allowing an eavesdropper with enough resources to decrypt or intercept SSH sessions. | | |
| Alerts: | | | |
libxmp: multiple vulnerabilities
| Package(s): | libxmp | CVE #(s): | |
| Created: | February 18, 2016 | Updated: | February 24, 2016 |
| Description: | From the Mageia advisory: The libxmp package has been updated to version 4.3.11, fixing several bugs, including possible crashes when loading corrupted input data. See the upstream changelog for details. | | |
| Alerts: | | | |
mariadb: multiple vulnerabilities
| Package(s): | mariadb mysql | CVE #(s): | CVE-2015-4807 CVE-2016-0599 CVE-2016-0601 |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the CVE entries: Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier, when running on Windows, allows remote authenticated users to affect availability via unknown vectors related to Server : Query Cache. (CVE-2015-4807) Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2016-0599) Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Partition. (CVE-2016-0601) | | |
| Alerts: | | | |
ntp: three vulnerabilities
| Package(s): | ntp | CVE #(s): | CVE-2015-7973 CVE-2015-7975 CVE-2015-7976 |
| Created: | February 24, 2016 | Updated: | February 24, 2016 |
| Description: | From the Red Hat bugzilla: It was found that when NTP is configured in broadcast mode, a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients. This could cause the time on affected clients to become out of sync over a longer period of time. (CVE-2015-7973) It was found that ntpq did not implement a proper length check when calling nextvar(), which executes a memcpy(), on the name buffer. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-7975) The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Note: the ability to use the saveconfig command is controlled by the 'restrict nomodify' directive, and the recommended default configuration is to disable this capability. If the ability to execute a 'saveconfig' is required, it can easily (and should) be limited and restricted to a known small number of IP addresses. (CVE-2015-7976) | | |
| Alerts: | | | |
obs-service-download_files: code injection
| Package(s): | obs-service-download_files | CVE #(s): | |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the openSUSE advisory: Various code/parameter injection issues could have allowed a malicious service definition to execute commands or make changes to the user's file system. | | |
| Alerts: | | | |
php-horde-horde: cross-site scripting
| Package(s): | php-horde-horde | CVE #(s): | CVE-2015-8807 CVE-2016-2228 |
| Created: | February 22, 2016 | Updated: | February 29, 2016 |
| Description: | From the Red Hat bugzilla: An XSS vulnerability was found in _renderVarInput_number in Horde/Core/Ui/VarRenderer/Html.php, where input in a numeric field wasn't properly escaped. (CVE-2015-8807) A cross-site scripting vulnerability was found in the php-horde application framework. No input validation was put in place while searching via the menu bar. (CVE-2016-2228) | | |
| Alerts: | | | |
poco: SSL server spoofing
| Package(s): | poco | CVE #(s): | CVE-2014-0350 |
| Created: | February 22, 2016 | Updated: | February 24, 2016 |
| Description: | From the CVE entry: The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate. | | |
| Alerts: | | | |
websvn: cross-site scripting
| Package(s): | websvn | CVE #(s): | CVE-2016-2511 |
| Created: | February 24, 2016 | Updated: | March 21, 2016 |
| Description: | From the Debian advisory: Jakub Palaczynski discovered that websvn, a web viewer for Subversion repositories, does not correctly sanitize user-supplied input, which allows a remote user to run reflected cross-site scripting attacks. | | |
| Alerts: | | | |
Page editor: Jake Edge