Security
Locking down module parameters
Support for UEFI secure boot has been available in most mainstream Linux distributions for several years now, but there are still some wrinkles to work out. Some distributors are concerned about various ways for the root user to alter the kernel in ways that would allow the secure-boot assurances to be circumvented. For years, there have been efforts to "lock down" the kernel so that the known ways of evading secure boot can be disabled by distributions and others. The latest piece of that puzzle is a proposal to annotate kernel module parameters such that some can be disallowed when a secure-boot kernel is running.
Back in November, David Howells posted the latest version of the "kernel lockdown" patches, which he has picked up and expanded from those pushed by Matthew Garrett back in 2012 and 2013. The patch set restricted a lot of different functionality that would allow user space to modify the running kernel image (which, in turn, allows user space to circumvent secure boot). The restrictions disallow things like loading unsigned kernel modules, writing to /dev/mem or /dev/kmem, using kexec_load() to run a different kernel, various ways to directly access the hardware, and so on.
Previous iterations of the patch set have run aground at least partly due to the kexec_load() restrictions, because some kernel developers did not want to see the useful kexec facility completely disabled. An alternative system call (kexec_file_load()) was added that will only allow booting signed kernels, which neatly solved things for both sides. This time, the main objection came from Alan Cox, who thought there was a fundamental piece missing:
Without that at least fixed I don't see the point in merging this. Either we don't do it (which given the level of security the current Linux kernel provides, and also all the golden key messups from elsewhere might be the honest approach), or at least try and do the job right.
Essentially, Cox is arguing that changing certain kernel module parameters before loading a (signed) module is yet another avenue for modifying the kernel image. His objection led Howells to quickly post an RFC patch of sorts that would restrict certain operations in drivers when kernel_is_locked_down() is true. While that was on the right track, Cox said, he would prefer a whitelist-based approach to the blacklist-based one that Howells proposed.
All of that led to the module parameter annotation patch set that Howells posted on December 1. The idea is that all module parameters will be annotated to describe what kind of hardware resource they control (if any). That information can be used in a subsequent patch to restrict which can be used in a locked-down kernel.
The change was made by altering the module_param*() macros, which are helpers for modules that need to take parameters at load time. An argument was added for the "hardware type" and the macros were renamed to module_param_hw*(). As can be seen in the first patch of the series, the types are I/O port, I/O memory address, interrupt number, DMA channel, DMA address, or other. The change made in the second patch demonstrates the idea:
-module_param(mmio_address, ulong, 0); +module_param_hw(mmio_address, ulong, iomem, 0);
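Review bot: the new hardware-type argument is inserted before the permissions argument rather than appended, so every converted call site changes argument positions while a call left on plain module_param() still compiles unchanged; an I/O-memory parameter missed by the conversion would then carry no annotation and escape any policy later built on these annotations, so a build-time or checkpatch warning for hardware-address parameters still using module_param() would make the series safer to maintain.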
The other 37 patches in the series annotate various module parameters throughout the tree (mostly, of course, in drivers/). But Greg Kroah-Hartman was not particularly impressed ("ick ick ick") with the idea. He suggested that the secure boot patch set (i.e. kernel lockdown) was not going anywhere, so there was no need for the annotations. Furthermore, he was skeptical that stopping root users from setting these module parameters was really going to help stop secure-boot abuses.
Garrett noted that the patch set was currently being carried by "basically every single mainstream Linux distribution", however. This costs time and effort by the distributions to rebase the patches on newer kernels. Beyond that, at least some of the module parameters can be used to route around secure boot:
Given that distributions ship the lockdown patches, and that Cox has said that some way to disable module parameters should be part of that, Garrett argued that the annotations should be merged unless there were technical objections to the implementation. Kroah-Hartman was not buying that argument, though. Distributions are not shipping the annotations and the annotations patches don't actually disable anything, they just make it possible to do so, he said. He also suggested simply marking all module parameters (or any that touch the hardware) as "bad", rather than trying to pick and choose which were usable for a locked-down kernel.
But the annotations have other uses, Cox said. Locking down raw I/O access, even for systems that are not running under the secure-boot restrictions, is valuable. Right now, certain unrelated capabilities can be used to effectively get the CAP_SYS_RAWIO capability by loading modules with crafted parameters, but the kernel could eliminate that possibility by using the annotations.
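As an added illustration (not code from Howells's series or from the kernel), the following user-space C model shows how a hardware-type annotation on every parameter lets a whitelist policy be decided later, as Cox argues: when the kernel is locked down, any parameter annotated as a hardware resource is refused and only unannotated ones are accepted, without picking individual parameters to block. The enum names, the demo driver's parameter table and the "name=value,name=value" argument syntax are assumptions made for the example.

```c
/* Added example (not kernel code): a user-space model of module_param_hw()
 * annotations and of a whitelist policy that consumes them once the kernel
 * is locked down. Enum names, the demo table and the argument syntax are
 * assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The hardware resource kinds listed in the first patch of the series. */
enum hwparam_type {
    HWPARAM_NONE = 0,   /* plain module_param(): controls no hardware resource */
    HWPARAM_IOPORT,     /* I/O port */
    HWPARAM_IOMEM,      /* I/O memory address */
    HWPARAM_IRQ,        /* interrupt number */
    HWPARAM_DMA,        /* DMA channel */
    HWPARAM_DMA_ADDR,   /* DMA address */
    HWPARAM_OTHER,      /* other hardware resource */
};

static const char *const hwparam_name[] = {
    "none", "ioport", "iomem", "irq", "dma", "dma_addr", "other",
};

struct kernel_param {
    const char *name;
    enum hwparam_type hwtype;
};

/* Stand-ins for module_param() and module_param_hw(): they only record the
 * annotation; the type and permission arguments do not matter here. */
#define MODULE_PARAM(n)        { #n, HWPARAM_NONE }
#define MODULE_PARAM_HW(n, hw) { #n, HWPARAM_##hw }

/* Whitelist policy: in a locked-down kernel only parameters carrying no
 * hardware annotation may be set; everything that touches hardware is refused. */
static bool hwparam_allowed(enum hwparam_type t, bool locked_down)
{
    return !locked_down || t == HWPARAM_NONE;
}

/* Check a "name=value,name=value" string against a module's parameter table.
 * Returns the number of rejected parameters (-1 if the string is too long for
 * the demo buffer). Unknown names are rejected as well (assumption for the
 * demo; the real kernel only warns about them). */
static int check_module_args(const struct kernel_param *params, size_t nparams,
                             const char *args, bool locked_down)
{
    char buf[256];
    int rejected = 0;

    if (strlen(args) >= sizeof(buf))
        return -1;
    strcpy(buf, args);

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        const struct kernel_param *p = NULL;
        char *eq = strchr(tok, '=');

        if (eq)
            *eq = '\0';                    /* keep only the parameter name */
        for (size_t i = 0; i < nparams; i++) {
            if (strcmp(params[i].name, tok) == 0) {
                p = &params[i];
                break;
            }
        }
        if (!p) {
            printf("  %s: unknown parameter, rejected\n", tok);
            rejected++;
        } else if (!hwparam_allowed(p->hwtype, locked_down)) {
            printf("  %s: configures %s, rejected in locked-down kernel\n",
                   tok, hwparam_name[p->hwtype]);
            rejected++;
        }
    }
    return rejected;
}

/* Parameter table of a hypothetical legacy ISA-style driver. */
static const struct kernel_param demo_params[] = {
    MODULE_PARAM(debug),
    MODULE_PARAM_HW(io, IOPORT),
    MODULE_PARAM_HW(mmio_address, IOMEM),
    MODULE_PARAM_HW(irq, IRQ),
};

/* Run the policy for the demo driver; e.g. demo_check("debug=1,io=0x300", true)
 * returns 1 because only "io" is a hardware resource. */
int demo_check(const char *args, bool locked_down)
{
    return check_module_args(demo_params,
                             sizeof demo_params / sizeof demo_params[0],
                             args, locked_down);
}
```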
Howells also wondered about the seemingly contradictory ordering requirements from Kroah-Hartman and Cox: "for Alan, I have to fix the module parameter hole first; for you, I have to do the secure boot support first". Like Cox, though, Howells thinks the annotations have value in their own right: "However, annotation [of] module parameters to indicate hardware resource configuration seems potentially useful in its own right - and lets the policy be decided later."
There does seem to be something of a rock and a hard place problem here. The kernel lockdown patches are not particularly popular with quite a few kernel developers (including Linus Torvalds, which makes things that much harder), but they are shipping. That would seem to indicate that they belong upstream or, at least, that something implementing that functionality belongs upstream.
The annotations, themselves, are relatively harmless (other than providing a bit of churn) and will allow Cox's module parameter issue to be addressed. That will lead to a more secure kernel, overall, with or without secure boot. Once the relevant maintainers have reviewed the patches (and those reviews are starting to trickle in), it would seem that the patches should be merged (though Torvalds would need to override Kroah-Hartman's NAK). The 4.10 merge window will be opening soon; it's likely too late for the annotation patches to make that cut but, with luck, they could make it for 4.11. The larger (and more invasive in the eyes of some) lockdown patch set would seem to have surmounted the known technical objections at that point; whether that paves the way for those to be merged remains to be seen.
Brief items
Security quotes of the week
BitUnmap: Attacking Android Ashmem (Project Zero blog)
Google's Project Zero blog has a detailed look at exploiting a vulnerability in Android's ashmem shared-memory facility. "The mismatch between the mmap-ed and munmap-ed length provides us with a great exploitation primitive! Specifically, we could supply a short length for the mmap operation and a longer length for the munmap operation - thus resulting in deletion of an arbitrarily large range of virtual memory following our bitmap object. Moreover, there’s no need for the deleted range to contain one continuous memory mapping, since the range supplied in munmap simply ignores unmapped pages. Once we delete a range of memory, we can then attempt to “re-capture” that memory region with controlled data, by causing another allocation in the remote process. By doing so, we can forcibly “free” a data structure and replace its contents with our own chosen data -- effectively forcing a use-after-free condition."
Google's OSS-Fuzz project
The Google security blog announces the OSS-Fuzz project, which performs continuous fuzz testing of free-software project repositories. "OSS-Fuzz has already found 150 bugs in several widely used open source projects (and churns ~4 trillion test cases a week). With your help, we can make fuzzing a standard part of open source development, and work with the broader community of developers and security testers to ensure that bugs in critical open source applications, libraries, and APIs are discovered and fixed."
Bottomley: Using Your TPM as a Secure Key Store
James Bottomley has posted a tutorial on using the trusted platform module to store cryptographic keys. "The main thing that came out of this discussion was that a lot of this stack complexity can be hidden from users and we should concentrate on making the TPM 'just work' for all cryptographic functions where we have parallels in the existing security layers (like the keystore). One of the great advantages of the TPM, instead of messing about with USB pkcs11 tokens, is that it has a file format for TPM keys (I’ll explain this later) which can be used directly in place of standard private key files."
New vulnerabilities
busybox: two vulnerabilities
Package(s): busybox
CVE #(s): CVE-2016-2147 CVE-2016-2148
Created: December 5, 2016
Updated: December 7, 2016
Description: From the Gentoo advisory:
Multiple vulnerabilities have been discovered in BusyBox. A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.
calamares: encryption bypass
Package(s): calamares
Created: December 2, 2016
Updated: December 7, 2016
Description: From the Fedora advisory:
A security update that fixes Calamares bug CAL-405: https://calamares.io/bugs/browse/CAL-405
When installing with a LUKS-encrypted `/` partition, Calamares was always creating a keyfile to decode `/` and storing it in the initramfs. It did that even with an unencrypted separate `/boot` partition. As a result, the keyfile would be stored in cleartext on the `/boot` partition, and it was possible to unlock the `/` partition without ever entering a passphrase. This completely defeated the security of LUKS.
Please note that this only affects manual partitioning. The automatic partitioning never leaves `/boot` unencrypted (and it is, in fact, recommended to also always encrypt `/boot` when doing manual partitioning).
This update fixes the `dracutlukscfg` module to not add the keyfile to `install_items` in the `dracut` configuration (so that `dracut` will not include it onto the initramfs) if `/boot` is separate and unencrypted.
chromium: multiple vulnerabilities
Package(s): chromium
CVE #(s): CVE-2016-5203 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650 CVE-2016-9651 CVE-2016-9652
Created: December 5, 2016
Updated: January 19, 2017
Description: From the Arch Linux advisory:
- CVE-2016-5203 (arbitrary code execution): A use after free flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5204 (cross-site scripting): A universal XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5205 (cross-site scripting): A universal XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5206 (same-origin policy bypass): A same-origin bypass flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5207 (cross-site scripting): A universal XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5208 (cross-site scripting): A universal XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5209 (arbitrary code execution): An out of bounds write flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5210 (arbitrary code execution): An out of bounds write flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5211 (arbitrary code execution): A use after free flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5212 (arbitrary filesystem access): A local file disclosure flaw was found in the DevTools component of the Chromium browser.
- CVE-2016-5213 (arbitrary code execution): A use after free flaw was found in the V8 component of the Chromium browser.
- CVE-2016-5214 (insufficient validation): A file download protection bypass was discovered in the Chromium browser.
- CVE-2016-5215 (arbitrary code execution): A use after free flaw was found in the Webaudio component of the Chromium browser.
- CVE-2016-5216 (arbitrary code execution): A use after free flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5217 (insufficient validation): A use of unvalidated data flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5218 (content spoofing): An address spoofing flaw was found in the Omnibox component of the Chromium browser.
- CVE-2016-5219 (arbitrary code execution): A use after free flaw was found in the V8 component of the Chromium browser.
- CVE-2016-5220 (arbitrary filesystem access): A local file access flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5221 (arbitrary code execution): An integer overflow flaw was found in the ANGLE component of the Chromium browser.
- CVE-2016-5222 (content spoofing): An address spoofing flaw was found in the Omnibox component of the Chromium browser.
- CVE-2016-5223 (arbitrary code execution): An integer overflow flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5224 (same-origin policy bypass): A same-origin bypass flaw was found in the SVG component of the Chromium browser.
- CVE-2016-5225 (access restriction bypass): A CSP bypass flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5226 (cross-site scripting): A limited XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-9650 (information disclosure): A CSP referrer disclosure vulnerability has been discovered in the Chromium browser.
- CVE-2016-9651 (access restriction bypass): A private property access flaw was found in the V8 component of the Chromium browser.
- CVE-2016-9652 (arbitrary code execution): Various fixes from internal audits, fuzzing and other initiatives.
firefox: same-origin bypass
Package(s): firefox
CVE #(s): CVE-2016-9078
Created: December 1, 2016
Updated: December 7, 2016
Description: From the Ubuntu advisory:
It was discovered that data: URLs can inherit the wrong origin after a HTTP redirect in some circumstances. An attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2016-9078)
firefox: code execution
Package(s): firefox-esr firefox thunderbird
CVE #(s): CVE-2016-9079
Created: December 1, 2016
Updated: December 15, 2016
Description: From the Debian advisory:
A use-after-free vulnerability in the SVG Animation was discovered in the Mozilla Firefox web browser, allowing a remote attacker to cause a denial of service (application crash) or execute arbitrary code, if a user is tricked into opening a specially crafted website.
GraphicsMagick: non-null null pointer
Package(s): GraphicsMagick imagemagick
CVE #(s): CVE-2016-9559
Created: December 6, 2016
Updated: December 7, 2016
Description: From the openSUSE bug report:
A fuzz on an updated version with the undefined behavior sanitizer enabled, revealed a null pointer which is declared to never be null.
gstreamer1-plugins-good: buffer overflow
Package(s): gstreamer1-plugins-good
CVE #(s): CVE-2016-9808
Created: December 6, 2016
Updated: December 7, 2016
Description: From the Red Hat bugzilla:
A heap-based buffer overflow vulnerability was found in FLIC decoder in flx_decode_delta_fli() function.
imagemagick: code execution
Package(s): imagemagick
CVE #(s): CVE-2016-9556
Created: December 1, 2016
Updated: December 7, 2016
Description: From the Debian security tracker entry:
Heap buffer overflow in heap-buffer-overflow in IsPixelGray
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2016-9644
Created: December 1, 2016
Updated: December 7, 2016
Description: From the Ubuntu advisory:
It was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2016-8650
Created: December 6, 2016
Updated: December 7, 2016
Description: From the Red Hat bugzilla:
A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key and is key-payload independent. This vulnerability can be triggered by any unprivileged user with a local shell account.
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2016-8655
Created: December 6, 2016
Updated: December 13, 2016
Description: From the Ubuntu advisory:
Philip Pettersson discovered a race condition in the af_packet implementation in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service (system crash) or run arbitrary code with administrative privileges.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2013-5634
Created: December 6, 2016
Updated: December 7, 2016
Description: From the CVE entry:
arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform, when KVM is used, allows host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call.
kernel: two vulnerabilities
Package(s): kernel
CVE #(s): CVE-2016-8632 CVE-2016-9555
Created: December 7, 2016
Updated: February 3, 2017
Description: From the CVE entries:
The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. (CVE-2016-8632)
The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. (CVE-2016-9555)
libtcnative: SSL improvements
Package(s): libtcnative-1-0
Created: December 2, 2016
Updated: December 7, 2016
Description: From the openSUSE advisory:
* Unconditionally disable export Ciphers.
libdwarf: multiple vulnerabilities
Package(s): libdwarf
CVE #(s): CVE-2016-8679 CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276 CVE-2016-9480 CVE-2016-9558
Created: December 5, 2016
Updated: December 7, 2016
Description: From the Arch Linux advisory:
- CVE-2016-8679 (information disclosure): An out of bounds heap read vulnerability was found in _dwarf_get_size_of_val triggered by invoking dwarfdump command on crafted file.
- CVE-2016-8680 (information disclosure): An out of bounds heap read vulnerability was found in _dwarf_get_abbrev_for_code triggered by invoking dwarfdump command on crafted file.
- CVE-2016-8681 (information disclosure): An out of bounds heap read vulnerability was found in _dwarf_get_abbrev_for_code triggered by invoking dwarfdump command on crafted file.
- CVE-2016-9275 (information disclosure): An out of bounds heap read was found in _dwarf_skim_forms in dwarf_macro5.c triggered by crafted input to dwarfdump utility.
- CVE-2016-9276 (information disclosure): An out of bounds heap read was found in dwarf_get_aranges_list in dwarf_arrange.c triggered by crafted input to dwarfdump utility.
- CVE-2016-9480 (information disclosure): libdwarf allows context-dependent attackers to obtain sensitive information or cause a denial of service by using the "malformed dwarf file" approach, related to a "Heap Buffer Over-read" issue affecting the dwarf_util.c component.
- CVE-2016-9558 (denial of service): A negation overflow vulnerability was found in dwarf_leb.c triggered by crafted input to dwarfdump utility.
mapserver: information leak
Package(s): mapserver
CVE #(s): CVE-2016-9839
Created: December 7, 2016
Updated: December 21, 2016
Description: From the Debian LTS advisory:
It was discovered that there was an information leakage vulnerability in mapserver, a CGI-based framework for Internet map services.
mozilla: file overwrites
Package(s): thunderbird firefox
CVE #(s): CVE-2016-5294
Created: December 6, 2016
Updated: December 7, 2016
Description: From the Mageia advisory:
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access.
openafs: information leak
Package(s): openafs
CVE #(s): CVE-2016-9772
Created: December 5, 2016
Updated: February 3, 2017
Description: From the Debian LTS advisory:
It was discovered that there was an information leak vulnerability in openafs, a distributed filesystem. Due to incomplete initialization or clearing of reused memory, OpenAFS directory objects are likely to contain 'dead' directory entry information.
patch: denial of service
Package(s): patch
Created: December 5, 2016
Updated: December 7, 2016
Description: From the Gentoo advisory:
Due to a flaw in Patch, the application can enter an infinite loop when processing a specially crafted diff file. A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition.
pecl-http: code execution
Package(s): pecl-http
CVE #(s): CVE-2016-5873
Created: December 7, 2016
Updated: December 7, 2016
Description: From the Gentoo advisory:
A buffer overflow can be triggered in the URL parsing functions of the PECL HTTP extension. This allows overflowing a buffer with data originating from an arbitrary HTTP request. A remote attacker, through a specially crafted URI, could possibly execute arbitrary code with the privileges of the process.
phpMyAdmin: multiple vulnerabilities
Package(s): phpMyAdmin
CVE #(s): CVE-2016-4412 CVE-2016-9847 CVE-2016-9848 CVE-2016-9849 CVE-2016-9850 CVE-2016-9851 CVE-2016-9852 CVE-2016-9853 CVE-2016-9854 CVE-2016-9855 CVE-2016-9856 CVE-2016-9857 CVE-2016-9858 CVE-2016-9859 CVE-2016-9860 CVE-2016-9861 CVE-2016-9864 CVE-2016-9865 CVE-2016-9866
Created: December 5, 2016
Updated: January 11, 2017
Description: From the phpMyAdmin release announcement:
The phpMyAdmin project is pleased to announce the release of phpMyAdmin versions 4.6.5 (including bug and security fixes), 4.4.15.9 (security fixes), and 4.0.10.18 (security fixes). We recommend all users update their phpMyAdmin installations.
The Red Hat bugzilla notes that these security fixes are advisories PMASA-2016-57 to PMASA-2016-71. The Mageia advisory adds lots more information, including CVE numbers:
In phpMyAdmin before 4.4.15.9, when the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created using a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies (CVE-2016-9847).
In phpMyAdmin before 4.4.15.9, phpinfo.php shows PHP information including values of sensitive HttpOnly cookies (CVE-2016-9848).
In phpMyAdmin before 4.4.15.9, it is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username (CVE-2016-9849).
In phpMyAdmin before 4.4.15.9, a vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time (CVE-2016-9850).
In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to bypass the logout timeout (CVE-2016-9851).
In phpMyAdmin before 4.4.15.9, by calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin is written to the export file (CVE-2016-9852, CVE-2016-9853, CVE-2016-9854, CVE-2016-9855).
In phpMyAdmin before 4.4.15.9, several XSS vulnerabilities have been reported, including an improper fix for PMASA-2016-10 and a weakness in a regular expression using in some JavaScript processing (CVE-2016-9856, CVE-2016-9857).
In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature (CVE-2016-9858).
In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to initiate a denial of service attack in import feature (CVE-2016-9859).
In phpMyAdmin before 4.4.15.9, an unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true; (CVE-2016-9860).
In phpMyAdmin before 4.4.15.9, due to the limitation in URL matching, it was possible to bypass the URL white-list protection (CVE-2016-9861).
In phpMyAdmin before 4.4.15.9, with a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database (CVE-2016-9864).
In phpMyAdmin before 4.4.15.9, due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function (CVE-2016-9865).
In phpMyAdmin before 4.4.15.9, when the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action (CVE-2016-9866).
virtualbox: code execution
Package(s): virtualbox
CVE #(s): CVE-2016-6309
Created: December 6, 2016
Updated: December 7, 2016
Description: From the CVE entry:
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
xen: multiple vulnerabilities
Package(s): xen
CVE #(s): CVE-2016-9385 CVE-2016-9377 CVE-2016-9378
Created: December 5, 2016
Updated: December 7, 2016
Description: From the Red Hat bugzilla:
CVE-2016-9385: Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed. A malicious guest administrator can crash the host, leading to a DoS.
CVE-2016-9377, CVE-2016-9378: There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is in the 64-bit format. Xen will then read the wrong part of the IDT and interpret it in an unintended manner. When Xen emulates instructions which generate software interrupts, and chooses to deliver the software interrupt, it may try to use the method intended for injecting exceptions. This is incorrect, and results in a guest crash. These instructions are not usually handled by the emulator. Exploiting the bug requires ability to force use of the emulator. An unprivileged guest user program may be able to crash the guest.
Page editor: Jake Edge