Security
Typosquatting in package repositories
"Typosquatting" is normally associated with registering domain names that are variants of popular domains, such that a user trying to reach the site might mistype and land on the variant page, which might be serving up malware, ads, or some kind of phishing scam. But in early June, Nikolai Tschacher reported on some research he had done that used typos in package names for languages like Python and Ruby to show that their package repositories were vulnerable; an attacker could use that flaw to execute code on remote systems. It was a fairly eye-opening report (as is the thesis [PDF] it was based on) that bears some further scrutiny.
Package managers often require privileges, which makes packages both a security danger and a target for attackers. Distribution packages are normally signed by a distribution key, which makes it much harder—though certainly not impossible—for an attacker to subvert those packages. But language package repositories, or those for frameworks like Node.js, are not so centralized. In fact, they are meant to be places where anyone can upload their code, with little or no vetting of that code.
So it is relatively easy for an attacker to upload a package with malware to sites like the Python Package Index (PyPI), RubyGems.org, or npmjs.org, but that is only part of the puzzle. In order to get users to actually install the packages, they must be enticed to do that somehow—that's where typosquatting comes into play.
So, if there is a popular PyPI package called "requests", which, of course, there is, then a typo version of the name, "reqeusts", say, might find its way to some systems. A user who typed:
$ sudo pip install reqeusts
would be installing a potentially malicious package—and doing so as root.
The danger of installing language packages as root is well known, but it is still regularly done. The pip command for Python runs setup.py from the package as part of the installation process. That makes it easy for a malicious actor to run their code to get malware onto the system—or for a researcher to add some non-malicious test code to the system. The JavaScript npm package manager and the Ruby gem package manager also provide ways to execute code at installation time.
So Tschacher created some 200 packages that each contained a notification program and used some form of typo for its name. He uploaded them to the repositories over a few months and waited to see what notifications he would get. The notification program gathered some basic information about the system and whether the user was doing the installation with administrative rights; that information was sent back to his server. The notification program also printed a warning to the user that explained that they had probably grabbed the wrong package with a link to a page about his research.
In two phases that totaled roughly two months, Tschacher gathered information from more than 17,000 unique IP addresses. Most of those were for PyPI packages (15,221), with far lesser amounts for RubyGems.org (1631) and npmjs.com (525) files. Those differences may reflect the relative popularity of the package repositories and/or cultural differences in those language communities. In any case, a whopping 43% of the installers did so with administrative rights.
There are other statistics that he gathered and reported in the blog post and thesis. For example, the installation requests came from a broad swath of the internet, including a few from .gov and .mil domains. Interestingly, roughly 10% of the IP addresses he could resolve to a hostname were requests from Amazon's AWS cloud service.
One other piece of his research was for the notification program to check the .bash_history files on Linux and other Unix systems to report on what other incorrect package names had been tried on the system. These might be standard library package names (e.g. urllib2) that can be registered in a repository, popular names of other tools (e.g. git, docker), or just shortened names of real packages (e.g. scikit rather than scikit-learn). He used some of the names he harvested that way in the second phase of running the experiment with good success.
His post lists several ways for package repositories to avoid these kinds
of problems, starting with the
obvious: "Prevent Direct Code Execution on Installations
".
His other suggestions in the post are to generate (and blacklist) potential
typo candidate names and to analyze the repository server log files to find
potential typos as well. The thesis itself goes into much more detail on
ideas for reducing the vulnerability's footprint.
At some level, it is not terribly surprising that installing code uploaded by random folks on the internet is dangerous. Doing so as root is even more so, but there is generally plenty an attacker can do even if their code is only granted access to an unprivileged user account. Even if the typosquatting problem were reduced (by limiting the registration of typo package names, say) and the installation of the package did not directly run code provided by the attacker, there would still be concerns. Eventually, users may get the typo into their code and "import reqeusts" will obviously have to execute the code supplied by the reqeusts module—limiting typo registrations will reduce the problem, but can hardly eliminate it. Not to mention that users may simply be able to be tricked into installing any package name that an attacker chooses.
Curated package repositories, like those run by Linux distributions and others, go a long way toward eliminating these problems. But they also have to put a fair amount of bureaucracy between a code purveyor and the user in order to avoid distributing malicious code—which is just what PyPI and repositories like that are trying to avoid.
Something interesting to ponder is what might have happened to Tschacher had he done that research in the US. From his thesis it seems that he did correspond with PyPI operators and others while the research was ongoing, who asked him to make some changes (such as removing the pip typos in .bash_history piece), but were fairly tolerant overall. On the other hand, there are various US computer laws that have sometimes been (ab)used by (over)zealous prosecutors to go after security and other researchers. One hopes that legitimate research such as this would not be so affected.
Brief items
Security quotes of the week
A more accurate statement might have been: 'Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about.' The other thing Schmidt didn't say is: 'And of course, we still have complete access to it all, and can sell it to whomever we want… and you will have no recourse.'
Ubuntu forums compromised
Canonical has disclosed that the Ubuntu forum system has been compromised. "The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table. They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed."
Tor veteran Lucky Green exits, torpedos critical 'Tonga' node and relays (The Register)
The Register reports that longtime Tor contributor Lucky Green is quitting and closing down the node and bridge authority he operates. "Practically, it's a big deal. Bridge Authorities are part of the infrastructure that lets users get around some ISP-level blocks on the network (not, however, defeating deep packet inspection). They're also incorporated in the Tor code, meaning that to remove a Bridge Authority is going to need an update." The shutdown is scheduled for August 31. (Thanks to Nomen Nescio)
New vulnerabilities
atomic-openshift: information leak
| Package(s): | atomic-openshift | CVE #(s): | CVE-2016-5392 | ||||
| Created: | July 15, 2016 | Updated: | July 20, 2016 | ||||
| Description: | From the Red Hat advisory: The Kubernetes API server contains a watch cache that speeds up performance. Due to an input validation error OpenShift Enterprise may return data for other users and projects when queried by a user. An attacker with knowledge of other project names could use this vulnerability to view their information. | ||||||
| Alerts: |
| ||||||
binutils: multiple vulnerabilities
| Package(s): | binutils | CVE #(s): | CVE-2016-2226 CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490 CVE-2016-4492 CVE-2016-4493 CVE-2016-6131 | ||||
| Created: | July 18, 2016 | Updated: | July 20, 2016 | ||||
| Description: | From the Debian LTS advisory:
Some minor security issues have been identified and fixed in binutils in Debian LTS. These are: CVE-2016-2226: Exploitable buffer overflow. CVE-2016-4487: Invalid write due to a use-after-free to array btypevec. CVE-2016-4488: Invalid write due to a use-after-free to array ktypevec. CVE-2016-4489: Invalid write due to integer overflow. CVE-2016-4490: Write access violation. CVE-2016-4492: Write access violations. CVE-2016-4493: Read access violations. CVE-2016-6131: Stack buffer overflow when printing bad bytes in Intel Hex objects | ||||||
| Alerts: |
| ||||||
ecryptfs-utils: two vulnerabilities
| Package(s): | ecryptfs-utils | CVE #(s): | CVE-2016-6224 CVE-2015-8946 | ||||||||||||
| Created: | July 20, 2016 | Updated: | November 2, 2016 | ||||||||||||
| Description: | From the Red Hat bugzilla:
CVE-2015-8946: A vulnerability was found in ecryptfs-setup-swap script that is provided by the upstream ecryptfs-utils project. On systems using systemd 211 or newer and GPT partitioning, the unencrypted swap partition was being automatically activated during boot and the encrypted swap was not used. This was due to ecryptfs-setup-swap not marking the swap partition as "no-auto", as defined by the Discoverable Partitions Spec. CVE-2016-6224: A vulnerability was found in ecryptfs-setup-swap script that is provided by the upstream ecryptfs-utils project. When GPT swap partitions are located on NVMe or MMC drives, ecryptfs-setup-swap fails to mark these swap partitions as "no-auto". As a consequence, when using encrypted home directory with an NVMe or MMC drive, the swap is left unencrypted. There's also a usability issue in that users are erroneously prompted to enter a pass-phrase to unlock their swap partition at boot. This vulnerability exists due to an incomplete fix for CVE-2015-8946 | ||||||||||||||
| Alerts: |
| ||||||||||||||
firefox: code execution
| Package(s): | MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss | CVE #(s): | CVE-2016-2824 | ||||||||
| Created: | July 14, 2016 | Updated: | July 20, 2016 | ||||||||
| Description: | From the SUSE advisory:
CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651). | ||||||||||
| Alerts: |
| ||||||||||
graphicsmagick: out-of-bounds read
| Package(s): | graphicsmagick | CVE #(s): | CVE-2016-8808 | ||||
| Created: | July 15, 2016 | Updated: | July 20, 2016 | ||||
| Description: | From the Mageia advisory: A read out-of-bound in the parsing of gif files using GraphicsMagick. | ||||||
| Alerts: |
| ||||||
httpd: HTTP redirect
| Package(s): | httpd apache apache2 | CVE #(s): | CVE-2016-5387 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 19, 2016 | Updated: | August 22, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
java-1.8.0-openjdk: multiple vulnerabilities
| Package(s): | java-1.8.0-openjdk | CVE #(s): | CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550 CVE-2016-3587 CVE-2016-3598 CVE-2016-3606 CVE-2016-3610 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 20, 2016 | Updated: | September 13, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
* Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: code execution
| Package(s): | kernel | CVE #(s): | CVE-2016-4794 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2016 | Updated: | July 20, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the openSUSE advisory:
CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux kernel allowed local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (bnc#980265). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2016-5696 CVE-2016-6156 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 20, 2016 | Updated: | September 28, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
CVE-2016-5696: A flaw was found in the implementation of the Linux kernels handling of networking challenge ack where an attacker is able to determine the shared counter. This may allow an attacker to inject or take over a TCP connection between a server and client without having to be a traditional Man In the Middle (MITM) style attack. CVE-2016-6156: Double-fetch vulnerability was found in /drivers/platform/chrome/cros_ec_dev.c in the Chrome driver in the Linux kernel before 4.6.1. In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice at line 137 and line 145 respectively. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libarchive: multiple vulnerabilities
| Package(s): | libarchive | CVE #(s): | CVE-2015-8916 CVE-2015-8917 CVE-2015-8919 CVE-2015-8920 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923 CVE-2015-8924 CVE-2015-8925 CVE-2015-8926 CVE-2015-8928 CVE-2015-8930 CVE-2015-8931 CVE-2015-8932 CVE-2015-8933 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 15, 2016 | Updated: | July 20, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory: Hanno Böck discovered that libarchive contained multiple security issues when processing certain malformed archive files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
libgd2: two vulnerabilities
| Package(s): | libgd2 | CVE #(s): | CVE-2016-6132 CVE-2016-6214 | ||||||||||||||||||||||||||||
| Created: | July 18, 2016 | Updated: | July 20, 2016 | ||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Several vulnerabilities were discovered in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of these flaws to cause a denial-of-service against an application using the libgd2 library (application crash), or potentially to execute arbitrary code with the privileges of the user running the application. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
openjpeg2: multiple vulnerabilities
| Package(s): | openjpeg2 | CVE #(s): | CVE-2016-3183 CVE-2016-3181 CVE-2016-3182 CVE-2016-4796 CVE-2016-4797 | ||||||||||||||||||||||||
| Created: | July 15, 2016 | Updated: | July 20, 2016 | ||||||||||||||||||||||||
| Description: | From the Fedora advisory: CVE-2016-3182: Heap corruption in opj_free function. CVE-2016-3181: Out-of-bounds read in opj_tcd_free_tile function. CVE-2016-3183: Out-of-bounds read in sycc422_to_rgb function. CVE-2016-4797: Division-by-zero in function opj_tcd_init_tile in tcd.c. CVE-2016-4796: Heap buffer overflow in function color_cmyk_to_rgb in color.c. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
pagure: unspecified
| Package(s): | pagure | CVE #(s): | |||||
| Created: | July 19, 2016 | Updated: | July 20, 2016 | ||||
| Description: | Pagure 2.2.2 fixes undisclosed vulnerabilities. | ||||||
| Alerts: |
| ||||||
perl: code execution
| Package(s): | perl | CVE #(s): | CVE-2016-6185 | ||||||||||||||||||||||||||||||||
| Created: | July 18, 2016 | Updated: | September 16, 2016 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
An arbitrary code execution can be achieved if loading code from untrusted current working directory despite the '.' is removed from @INC. Vulnerability is in XSLoader that uses caller() information to locate .so file to load. If malicious attacker creates directory named `(eval 1)` with malicious binary file in it, it will be loaded if the package calling XSLoader is in parent directory. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
python-django: cross-site scripting
| Package(s): | python-django | CVE #(s): | CVE-2016-6186 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 19, 2016 | Updated: | August 31, 2016 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
It was discovered that Django, a high-level Python web development framework, is prone to a cross-site scripting vulnerability in the admin's add/change related popup. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
ruby-eventmachine: denial of service
| Package(s): | ruby-eventmachine | CVE #(s): | |||||||||
| Created: | July 18, 2016 | Updated: | August 8, 2016 | ||||||||
| Description: | From the Debian LTS advisory:
EventMachine, a Ruby network engine could be crashed by opening a high number of parallel connections (>= 1024) towards a server using the EventMachine engine. The crash happens due to the file descriptors overwriting the stack. | ||||||||||
| Alerts: |
| ||||||||||
sudo: race condition
| Package(s): | sudo | CVE #(s): | CVE-2015-8239 | ||||||||||||
| Created: | July 18, 2016 | Updated: | July 27, 2016 | ||||||||||||
| Description: | From the Red Hat bugzilla:
A vulnerability in functionality for adding support of SHA-2 digests along with the command was found. The sudoers plugin performs this digest verification while matching rules, and later independently calls execve() to execute the binary. This results in a race condition if the digest functionality is used as suggested (in fact, the rules are matched before the user is prompted for a password, so there is not negligible time frame to replace the binary from underneath sudo). Versions affected are since 1.8.7. | ||||||||||||||
| Alerts: |
| ||||||||||||||
util-linux: denial of service
| Package(s): | util-linux | CVE #(s): | CVE-2016-5011 | ||||||||||||||||||||||||
| Created: | July 15, 2016 | Updated: | December 15, 2016 | ||||||||||||||||||||||||
| Description: | From the Mageia advisory: The util-linux libblkid is vulnerable to a Denial of Service attack during MSDOS partition table parsing, in the extended partition boot record (EBR). If the next EBR starts at relative offset 0, parse_dos_extended() will loop until running out of memory. An attacker could install a specially crafted MSDOS partition table in a storage device and trick a user into using it. This library is used, among others, by systemd-udevd daemon. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>