Security
The LoadPin security module
The merging of security-module stacking was supposed to jump-start the creation of a whole set of small, special-purpose security modules. By making it possible for security modules to play well together, stacking enables modules that solve one little problem rather than implementing an entire security policy. Thus far, the flood of new modules has yet to begin, but the LoadPin module from Kees Cook demonstrates the sort of problem that little security modules might be written to solve.
Security-conscious developers have long worried about code that is loaded into the kernel at run time; such code could clearly, if malicious, subvert the security of the entire system. Mechanisms like the signing of kernel modules are designed to prevent the loading of such code. In the end, though, a signature on a loadable module really only guarantees one thing: where that module came from. If the provenance of kernel modules (or other files loaded into the kernel) could be ascertained by other means, it would not be necessary to sign them.
ChromeOS keeps its security-sensitive files, including kernel modules, in read-only storage; that storage is verified as a whole before the system boots. In such a setting, the loading of modules from the read-only partition is safe regardless of whether they have been signed; they are known to come from Google and cannot have been modified since. So a reasonable security policy for ChromeOS systems might well be to load modules (without signature checking) from the secure partition, while rejecting the loading of modules from anywhere else.
That is the policy that LoadPin was created to implement. It takes advantage of the relatively new kernel file-loading mechanism to intercept all attempts to load a file into the kernel; these include loading kernel modules, reading firmware, loading a security policy, or loading an image for kexec(). In each case, the filesystem containing the file to be loaded is compared against the filesystem used in the first load operation after boot; if the two don't match, the attempt is rejected. All that is required is to build the security module into the kernel; there is no other configuration needed or possible.
The resulting mechanism is, obviously, quite simple in nature. Administrators who want to enable file loading from multiple filesystems, or who want to change the allowed filesystem during the lifetime of the system, will be out of luck. But, for the simple case where the system boots from a trusted, read-only image, LoadPin does all that is needed.
In truth, the interface isn't quite that simple. If (and only if) the first load operation is satisfied by a writable filesystem, the LoadPin module will log a warning and establish a sysctl knob (kernel/load_pinning) that can be used to turn the feature on or off. This, of course, is a debugging mechanism; normally one would not want to be able to write to the filesystem containing the trusted modules. After all, the immutability of the trusted filesystem is the foundation on which the trust in its contents is being built. On a production system, the ability to disable pinning would also be undesirable.
It would not be surprising if other developers eventually showed up wanting to add more complex configuration options to this module. One could imagine wanting to apply different policies to different types of files (firmware or kexec() images), for example. The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting.
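The pinning rule described above (pin to the filesystem of the first load, expose the kernel/load_pinning knob only when that filesystem is writable, refuse everything once the pinned filesystem is gone) can be modelled in user space. This is an added example, not the LoadPin code itself; struct sb, the alive flag and the scenario functions are assumptions of the model.

```c
/* Added user-space model of LoadPin's decision logic (not the kernel's code). */
#include <stdbool.h>
#include <stddef.h>
/* A filesystem: an identity, a read-only flag and whether it still exists. */
struct sb { unsigned long id; bool read_only; bool alive; };
struct loadpin {
    const struct sb *pinned; /* NULL until the first load after boot */
    bool enforce;            /* on when built in; the knob may turn it off */
    bool knob_exposed;       /* kernel/load_pinning exists only for a writable pin */
};
enum { LOAD_OK = 0, LOAD_DENIED = -1 };

/* Called for every kernel file load: module, firmware, policy, kexec image. */
int loadpin_read_file(struct loadpin *lp, const struct sb *file_sb)
{
    if (!lp->enforce)
        return LOAD_OK;
    if (!lp->pinned) {
        lp->pinned = file_sb;          /* pin to the first load's filesystem */
        if (!file_sb->read_only)       /* writable pin: the real module logs a */
            lp->knob_exposed = true;   /* warning and creates the sysctl knob */
        return LOAD_OK;
    }
    if (!lp->pinned->alive)            /* pinned fs gone (e.g. discarded initramfs): */
        return LOAD_DENIED;            /* every further load is refused */
    return lp->pinned->id == file_sb->id ? LOAD_OK : LOAD_DENIED;
}

/* Model of writing 0 or 1 to the kernel/load_pinning sysctl. */
bool loadpin_set_enforce(struct loadpin *lp, bool on)
{
    if (!lp->knob_exposed)
        return false;                  /* read-only pin: nothing to switch off */
    lp->enforce = on;
    return true;
}

/* Boot pins to a writable filesystem; other filesystems are refused until the knob is used. */
bool scenario_writable_pin(void)
{
    struct sb rw = { 3, false, true }, other = { 4, true, true };
    struct loadpin lp = { NULL, true, false };
    return loadpin_read_file(&lp, &rw) == LOAD_OK && lp.knob_exposed
        && loadpin_read_file(&lp, &other) == LOAD_DENIED
        && loadpin_set_enforce(&lp, false)
        && loadpin_read_file(&lp, &other) == LOAD_OK;
}

/* Boot pins to an initramfs that is later discarded; all loading then stops. */
bool scenario_initramfs_discarded(void)
{
    struct sb initrd = { 1, true, true }, rootfs = { 2, true, true };
    struct loadpin lp = { NULL, true, false };
    bool ok = loadpin_read_file(&lp, &initrd) == LOAD_OK;
    initrd.alive = false;              /* initramfs freed at the end of bootstrap */
    return ok && loadpin_read_file(&lp, &rootfs) == LOAD_DENIED
        && !loadpin_set_enforce(&lp, false);   /* read-only pin has no knob */
}
```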
But that is work for later, should somebody decide that it is needed. For now, the simple security module would appear to be enough for Google's needs. Indeed, the copyright dates in the code suggest that it has been in use there since 2011.
As Casey Schaufler suggested in his talk on writing one's own security module, the stacking mechanism makes it possible to implement a wide variety of possible policies. LoadPin, perhaps, will be the start of a series of modules from developers who have extended the kernel's security mechanisms in novel ways. The potential is there for some interesting ideas to be contributed back to the kernel. Given that relatively few people seem to think that we have solved all of the security problems with what we have now, that seems like it should be a step in the right direction.
Brief items
OSVDB: FIN
The Open Sourced Vulnerability Database (OSVDB) has been shut down. "This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort. The OSVDB blog will continue to be a place for providing commentary on all things related to the vulnerability world." (Thanks to Paul Wise)
New vulnerabilities
apache-commons-collections: code execution
Package(s): apache-commons-collections
CVE #(s): CVE-2015-8103
Created: April 4, 2016
Updated: April 14, 2016
Description: From the CVE entry:
The Jenkins CLI subsystem in CloudBees Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
Chromium: denial of service
Package(s): Chromium
CVE #(s): CVE-2016-3679
Created: April 1, 2016
Updated: April 6, 2016
Description: From the CVE entry:
Multiple unspecified vulnerabilities in Google V8 before 4.9.385.33, as used in Google Chrome before 49.0.2623.108, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
file: buffer over-write
Package(s): file
CVE #(s):
Created: April 6, 2016
Updated: April 6, 2016
Description: From the Mageia advisory:
The file command was vulnerable to a buffer over-write with a malformed magic file.
kernel: timing side channel vulnerability
Package(s): kernel
CVE #(s): CVE-2016-2085
Created: April 6, 2016
Updated: April 6, 2016
Description: From the Ubuntu advisory:
Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux Extended Verification Module (EVM). An attacker could use this to affect system integrity.
kubernetes: improper admission check control
Package(s): kubernetes
CVE #(s):
Created: April 1, 2016
Updated: April 6, 2016
Description: From the Red Hat bug report:
It was found that patch will check admission control with an empty object and if it passes, then will proceed to update the object with the patch. Admission control plugins don't get a chance to see/validate what is actually going to be updated.
lhasa: code execution
Package(s): lhasa
CVE #(s): CVE-2016-2347
Created: April 4, 2016
Updated: April 15, 2016
Description: From the Debian advisory:
Marcin Noga discovered an integer underflow in Lhasa, a lzh archive decompressor, which might result in the execution of arbitrary code if a malformed archive is processed.
libebml: use-after-free vulnerability
Package(s): libebml
CVE #(s): CVE-2015-8789
Created: March 31, 2016
Updated: April 6, 2016
Description: From the Debian advisory:
Context-dependent attackers could trigger a use-after-free vulnerability by providing a maliciously crafted EBML document.
libqt4: unsafe SSL ciphers
Package(s): libqt4
CVE #(s):
Created: March 31, 2016
Updated: August 31, 2016
Description: From the openSUSE advisory:
Various unsafe SSL ciphers have been disabled in the standard SSL classes. Also the RC4 based ciphers have been disabled.
mercurial: three vulnerabilities
Package(s): mercurial
CVE #(s): CVE-2016-3630 CVE-2016-3068 CVE-2016-3069
Created: April 4, 2016
Updated: May 3, 2016
Description: From the Slackware advisory:
This update fixes security issues and bugs, including remote code execution in binary delta decoding, arbitrary code execution with Git subrepos, and arbitrary code execution when converting Git repos.
networkmanager: multiple vulnerabilities
Package(s): NetworkManager
CVE #(s):
Created: April 4, 2016
Updated: April 6, 2016
Description: From the Fedora advisory:
[ 1 ] Bug #1268617 - NetworkManager: get_ip_iface_identifier(): NetworkManager killed by SIGABRT
[ 2 ] Bug #1270247 - NetworkManager: nm_device_get_unmanaged_flag(): NetworkManager killed by SIGSEGV
[ 3 ] Bug #1241198 - NetworkManager: nm_supplicant_interface_get_scanning(): NetworkManager killed by SIGSEGV
[ 4 ] Bug #1298007 - NetworkManager: nm_supplicant_interface_get_scanning(): NetworkManager killed by SIGSEGV
oar: privilege escalation
Package(s): oar
CVE #(s): CVE-2016-1235
Created: April 6, 2016
Updated: April 6, 2016
Description: From the Debian advisory:
Emmanuel Thome discovered that missing sanitising in the oarsh command of OAR, a software used to manage jobs and resources of HPC clusters, could result in privilege escalation.
optipng: code execution
Package(s): optipng
CVE #(s): CVE-2016-2191
Created: April 5, 2016
Updated: June 27, 2016
Description: From the Arch Linux advisory:
An invalid write may occur in optipng before version 0.7.6 while processing bitmap images due to `crt_row' being (inc|dec)remented without any boundary checking when encountering delta escapes. This issue can possibly be used to execute arbitrary code.
php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2015-8865 CVE-2016-4070 CVE-2016-4071 CVE-2016-4072 CVE-2016-4073 CVE-2016-8866 CVE-2016-8867
Created: April 4, 2016
Updated: December 22, 2016
Description: PHP 5.6.20 fixes numerous bugs. See the PHP changelog for details.
squid: denial of service
Package(s): squid
CVE #(s): CVE-2016-3947
Created: April 4, 2016
Updated: April 6, 2016
Description: From the Arch Linux advisory:
Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses. This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.
squid: denial of service
Package(s): squid
CVE #(s): CVE-2016-3948
Created: April 6, 2016
Updated: November 11, 2016
Description: From the Mageia advisory:
Due to incorrect bounds checking, Squid before 3.5.16 is vulnerable to a denial of service attack when processing HTTP responses.
thunderbird: unspecified vulnerabilities
Package(s): thunderbird/thunderbird-l10n
CVE #(s):
Created: April 1, 2016
Updated: April 14, 2016
Description: According to the Mageia bug report:
Mozilla released Thunderbird 38.7.1 on March 25: https://www.mozilla.org/en-US/thunderbird/38.7.1/releasenotes/ The only change is that they disabled the Graphite2 font shaping library, presumably because of multiple security issues, deciding that disabling the library was more efficient than attempting to fix multiple, potentially unknown vulnerabilities.
vtun: denial of service
Package(s): vtun
CVE #(s):
Created: April 5, 2016
Updated: April 25, 2016
Description: From the Red Hat bugzilla:
A vulnerability was found in the vtun package. When you send a SIGHUP to a vtun client process and it cannot connect to the remote server, vtun tries to reconnect without sleep between each attempt. In result, the vtun process uses a lot of CPU, and writes to syslog without limit.
xchat-gnome: man-in-the-middle attack
Package(s): xchat-gnome
CVE #(s): CVE-2013-7449
Created: April 5, 2016
Updated: April 7, 2016
Description: From the Ubuntu advisory:
It was discovered that XChat-GNOME incorrectly verified the hostname in an SSL certificate. An attacker could trick XChat-GNOME into trusting a rogue server's certificate, which was signed by a trusted certificate authority, to perform a man-in-the-middle attack.
xen: multiple vulnerabilities
Package(s): xen
CVE #(s): CVE-2012-6030 CVE-2012-6031 CVE-2012-6032 CVE-2012-6033 CVE-2012-6034 CVE-2012-6035 CVE-2012-6036
Created: April 5, 2016
Updated: April 6, 2016
Description: From the CVE entries:
The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allows local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6030)
The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allows local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6031)
Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6032)
The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6033)
The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6034)
The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6035)
The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. (CVE-2012-6036)
Page editor: Jake Edge