Security
A different sort of "Fake Linus Torvalds"
A Linux Foundation publicity scheme once (in)famously created a "Fake Linus Torvalds" on Twitter, but a different sort of fake has more recently appeared. A message posted to the linux-kernel mailing list on August 15 announced the existence of a PGP key with the same short key ID as that of Torvalds's real key—something that could potentially lead programs and users to confuse the two keys. The problem with key ID collisions has been known for some time, but the message may have served to raise the profile of the dangers of using short PGP IDs.
PGP keys are typically used for encryption or for digitally signing data of some sort. Those signatures can be used to show that a private key corresponding to a particular public key was used, which strongly implies that the owner of the public key was the one who did it—as long as the private key remains private, of course. Signatures are often used on software distributions of various sorts, including packages, kernels, and, sometimes, commits in Git repositories.
These days, the PGP program itself is not widely used, though the standards (such as OpenPGP) it spawned have been picked up and carried forward by projects like GNU Privacy Guard (GnuPG or GPG). The public key for a PGP user is usually represented as an unwieldy blob of text, however; without some kind of "extra" knowledge, there is no way to know that a given key is really owned by the user it purports to come from. There are two somewhat-related mechanisms to address those problems: keyservers and the web of trust.
Keyservers provide a way for users to get someone else's public key, while the web of trust is a way to provide the user some level of trust that key comes from who it purports to. In order to have a key that is more trusted, users will try to get their key signed by other users' keys. When a new key is examined (normally by GPG or some other program), those signatures can be checked to see if the keys used in the signing are already trusted or if they belong to the "strong set" (a group of well-connected keys within the web of trust). Based on that examination, users can choose a trust level they place in the key.
Unfortunately, all of that is somewhat complex and hard for those who are not particularly technically savvy to understand. So tools are meant to help simplify some of that. But one of those simplifications can lead to problems such that users (both savvy and not) may be tricked into using (and trusting) keys that are not owned by the person or organization they think.
Keys have a "fingerprint" that uniquely identifies them, but fingerprints are relatively long hexadecimal strings (20 bytes, so 40 characters), which makes them unwieldy as well—at least for day-to-day use. For that reason, shorter substrings called key IDs (usually either four or eight bytes' worth of hexadecimal, taken from the end of the fingerprint) are often used to "identify" keys. Ten or fifteen years ago, even four-byte IDs were relatively safe, but these days it is rather easy to generate a key with a key ID that collides with an existing key. That's exactly what was done with Torvalds's key, as noted in the mailing-list post (a key for "Fake Greg Kroah-Hartman" was similarly outed in the message).
In fact, a project called "Evil 32" has created a collision for every 32-bit key ID in the strong set. It used its scallion program to create those collisions, each in roughly four seconds using a GPU. Key collisions might not be that big of a problem, except that GPG and other tools don't treat them as an error, so users can end up with the wrong key. GPG certainly warns that untrusted keys are being used, but that is a relatively common warning in "normal" GPG use so it goes unnoticed.
Evil 32 has an example of how the problem might manifest itself. It uses a package from Puppet Labs for the demonstration (though, now, the instructions at Puppet Labs use its full key fingerprint to avoid the problem). When asking the keyserver for the key ID provided (using the --recv-keys option), GPG would actually accept multiple keys with that key ID and add them to the keyring. Because the signature file contained only the key ID at that time, either of the keys could be used to verify the contents of the package. Thus, a version with a backdoor, say, and signed with the attacker's colliding key could be downloaded and would pass a verification step.
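As an added illustration (not code from the article, Evil 32, or GnuPG), the following Python computes an OpenPGP v4 fingerprint as RFC 4880 defines it from constructed key material, derives the 32-bit and 64-bit key IDs from it, and shows why resolving a signature's issuer by short key ID has to fail closed when the keyring holds two keys with that ID; every key value and fingerprint below is constructed, not a real key.

```python
import hashlib
import struct
from collections import defaultdict

# Constructed sample RSA key material (NOT a real key); only the framing matters here.
SAMPLE_CREATED = 1471219200                                # creation time, constructed
SAMPLE_N = int.from_bytes(b"\x9f" + b"\x3c" * 127, "big")  # fake 1024-bit modulus
SAMPLE_E = 65537

# Constructed keyring: two fingerprints that share their last 4 bytes (32-bit key ID)
# but differ in their 64-bit key ID, plus an unrelated third key.
FP_REAL = "0" * 28 + "ABCD12345678"
FP_FAKE = "F" * 28 + "000012345678"
FP_OTHER = "1" * 40

def _mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(created, n, e):
    """RFC 4880 12.2: SHA-1 over 0x99, a 2-byte body length, then the v4 public-key body
    (version 4, 4-byte creation time, algorithm 1 = RSA, MPIs n and e)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint, nbytes=4):
    """A key ID is just the trailing nbytes of the fingerprint (4 = short, 8 = long)."""
    return fingerprint[-2 * nbytes:]

def short_id_collisions(keyring):
    """Group fingerprints by 32-bit key ID; any group larger than one is ambiguous."""
    groups = defaultdict(list)
    for fp in keyring:
        groups[key_id(fp)].append(fp)
    return {kid: fps for kid, fps in groups.items() if len(fps) > 1}

def matches(keyring, issuer):
    """All keyring fingerprints an issuer (short ID, long ID or fingerprint) could name."""
    return [fp for fp in keyring if fp.endswith(issuer.upper())]

def resolve_signer(keyring, issuer):
    """Fail closed: a signature verifies against exactly one key or not at all.
    This is the check that is missing when several keys fetched by a 32-bit
    key ID all land in the keyring and any of them is accepted."""
    found = matches(keyring, issuer)
    if len(found) != 1:
        raise ValueError(f"{len(found)} keys match issuer {issuer}; use the full fingerprint")
    return found[0]
```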
At some level though, the root problem is that the web of trust isn't really being used the way it was envisioned (or, as some would say, the way it should be used). If users were only trusting keys with signatures of other trusted entities or that had other indications of trustworthiness, and GPG were configured to reject untrusted keys, the problem would largely not exist. But, for the most part, the "there is no indication that the signature belongs to the owner" warning message is expected by users—if it is even seen.
Given that GPG is used by other encryption tools, some of which also try to simplify the process for novice users, the fact that multiple keys match a particular key ID may be completely hidden by the interface. That's good for reducing complexity, perhaps, but not so good for security and package integrity. GPG has a well-earned reputation for being difficult to use correctly, though it must be said that alternatives don't seem to be overtaking it in any case.
Kroah-Hartman reacted to the revelation of his fake key with some cogent observations about the situation:
As he noted, this problem has been known for some time. There is a blog post from 2011 about it that clearly indicates it was a known problem at that point. A recent post that LWN linked to in June noted that colliding key IDs had been found in the wild. The longtime existence of "vanity" key IDs (those that spell out some word or are based on an interesting number) clearly shows the problem—if people can choose their key IDs, nothing stops them from choosing someone else's. In the end, this most recent episode just provided yet another reason for users of PGP keys to pay attention and either use full key fingerprints or the web of trust—perhaps both, though that is probably simply overkill.
Brief items
Security against Election Hacking (Freedom to Tinker)
Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.
Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE”, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem.
New vulnerabilities
cracklib2: code execution
Package(s): cracklib2
CVE #(s): CVE-2016-6318
Created: August 22, 2016
Updated: December 12, 2016
Description: From the Debian-LTS advisory:
It was discovered that there was a stack-based buffer overflow when parsing large GECOS fields in cracklib2, a pro-active password checker library.
eog: out-of-bounds write
Package(s): eog
CVE #(s): CVE-2016-6855
Created: August 24, 2016
Updated: September 6, 2016
Description: From the bug report: An out-of-bounds write vulnerability in eog was found when processing a specially crafted SVG file. Due to passing an error message containing an invalid UTF-8 character to GMarkup, an out-of-bounds access is triggered.
firewalld: authentication bypass
Package(s): firewalld
CVE #(s): CVE-2016-5410
Created: August 22, 2016
Updated: January 30, 2017
Description: From the Red Hat bugzilla entry:
FirewallD provides a dbus API for modification of configuration after the user has been authenticated via polkit. This does not apply to 5 methods, which can be called by any logged-in user using the dbus API or the firewall-cmd CLI interface. Any predefined policy can be used, server or desktop. List of concerned dbus methods in firewalld.py: addPassthrough, removePassthrough, addEntry, removeEntry, and setEntries. Any locally logged-in user could use the above firewalld commands to tamper with or change the firewall settings.
glibc: denial of service
Package(s): glibc
CVE #(s): CVE-2016-6323
Created: August 22, 2016
Updated: October 20, 2016
Description: From the glibc bugzilla entry:
Since [__startcontext] transfers to a different stack it should be marked .cantunwind, so that the EABI unwinder does not try to unwind past it. This can cause _Unwind_Backtrace (used by backtrace_full in libbacktrace) to infloop. Also from Florian Weimer on oss-security: Andreas Schwab of SuSE reported and fixed a glibc bug where the makecontext function would create an execution context which is incompatible with the unwinder, causing it to hang when the generation of a backtrace is attempted:
gnupg: flawed random number generation
Package(s): gnupg
CVE #(s): CVE-2016-6313
Created: August 18, 2016
Updated: December 2, 2016
Description: Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. A first analysis on the impact of this bug for GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information.
kernel: use-after-free
Package(s): kernel
CVE #(s): CVE-2016-6828
Created: August 23, 2016
Updated: August 24, 2016
Description: From the Red Hat bug report: A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2015-3288 CVE-2012-6701
Created: August 24, 2016
Updated: August 24, 2016
Description: From the openSUSE advisory: CVE-2015-3288 - A security flaw was found in the Linux kernel in that there was a way to arbitrarily change zero page memory. From the CVE entry: Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.
knot: denial of service
Package(s): knot
CVE #(s): CVE-2016-6171
Created: August 22, 2016
Updated: August 24, 2016
Description: From the Red Hat bugzilla entry:
It was found that knot does not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server.
mingw-lcms2: heap memory leak
Package(s): mingw-lcms2
CVE #(s): CVE-2016-10165
Created: August 24, 2016
Updated: January 31, 2017
Description: From the bug report: An out-of-bounds read in cmstypes.c in the Type_MLU_Read function was found, leading to a heap memory leak triggered by a crafted ICC profile.
pagure: cross-site scripting
Package(s): pagure
CVE #(s): CVE-2016-1000037
Created: August 23, 2016
Updated: August 24, 2016
Description: From the Red Hat bug report: It was found that Pagure served uploaded files from its attachment endpoint with content types that instructed the browser to parse HTML files, which could lead to Cross-Site Scripting attacks.
suckless-tools: screen locking bypass
Package(s): suckless-tools
CVE #(s): CVE-2016-6866
Created: August 22, 2016
Updated: November 21, 2016
Description: From the Debian-LTS advisory:
It was discovered that the slock screen locking tool would segfault when the user's account had been disabled. slock called crypt(3) and used the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno to EINVAL. This would cause slock to segfault, which leaves the machine unprotected.
xen: denial of service
Package(s): xen
CVE #(s): CVE-2016-4963
Created: August 18, 2016
Updated: August 24, 2016
Description: From the SUSE advisory:
CVE-2016-4963: The libxl device-handling allowed local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore (bsc#979670).
Page editor: Jake Edge