Security
Secrecy and the DNS flaw
By now, most folks will have seen reports of the design flaw discovered in DNS, as it has received fairly widespread coverage, even in the non-technical press. It is rare to see such a coordinated disclosure and security update among that many of the big players in the computer industry. While fixes abound, the actual problem has yet to be disclosed, which has both positives and negatives.
Responsible disclosure policies dictate that vulnerabilities be kept secret until all affected vendors can create an update. Because this flaw is in the design of DNS, most implementations were affected. This still doesn't quite explain the roughly six months between the discovery of the problem and the release of the fix. Evidently it took a meeting of the minds at the Microsoft campus in March to decide upon the right course of action. Once the fixes were done, presumably they were released on the next "patch Tuesday"—Microsoft's monthly security update day.
Normally, once fixes are available, information about the vulnerability is released. But, for a number of reasons, that has not happened in this case. One of the main reasons is that DNS is an essential internet service and it will take time for affected users to patch their systems. In addition, there have been no reports of this flaw being exploited "in the wild", reducing the pressure to divulge it.
Security researcher Dan Kaminsky discovered the flaw and he has yet another, "blatantly selfish" reason for keeping it quiet as he would like to be able to announce it at Black Hat in Las Vegas in early August:
None of these seem like horrible reasons to keep the vulnerability quiet for a time (roughly 30 days), but they do leave some DNS implementations and worried administrators without the information they need to evaluate the situation. Administrators do not know what traffic patterns or other symptoms to look for to determine whether exploits are being attempted. Smaller, less prominent DNS implementations were not included in the collaboration, so their developers don't have enough information to decide whether they are vulnerable or not.
A perfect example is Dnsmasq, a lightweight DNS server for smaller networks. Dnsmasq is often used in embedded Linux distributions targeted at home wireless routers. Simon Kelley, the Dnsmasq developer, was asked about the vulnerability; his response speaks volumes:
Kelley has since released a patched version, but it is still unknown whether it is needed or, really, if it even fixes the problem. It is difficult to know for sure that a security hole has been closed if information about the hole is not available. This points to the problems that can come from withholding vulnerability information.
Based on the patches and some information from Kaminsky and others, it is clear that this is a cache poisoning vulnerability. Since source port randomization is the change that was applied to alleviate, but not eliminate, the flaw, we can surmise that Kaminsky found a way to reduce the number of spoofed replies that need to be sent to something tractable. According to the Internet Systems Consortium, developers of the BIND DNS server, the only true solution is DNSSEC, which implies that the current fixes only make cache poisoning less likely, not impossible.
Source port randomization is a technique that has been advocated by Daniel J. Bernstein (djb) for many years; he implemented it in his djbdns name server long ago. Essentially, the name server chooses a random source UDP port for each query it makes, which increases the amount of randomness an attacker must predict before being able to poison the cache.
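As an added illustration (not code from the article, from djbdns or from any of the patched servers), the following Python model shows why the random source port matters for the cache poisoning described above: a blindly forged reply has to match every unpredictable field of the pending query, so the guess space grows from the 16-bit transaction ID alone to the transaction ID times the port range. The ephemeral port range, the fixed port of 53, the classification heuristic and the sample port lists are assumptions; the last function is the kind of check an administrator can run over the source ports seen on a resolver's outgoing queries in a packet capture to confirm that a patch actually took effect.

```python
"""Added illustration, not code from the LWN article or from any DNS server:
a model of what source-port randomization does to a blindly forged reply and
a check an administrator can run over the source ports a resolver used."""
from math import log2
import secrets

TXID_SPACE = 1 << 16                     # the DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)     # assumed: ports a resolver may draw from
PORT_SPACE = len(EPHEMERAL_PORTS)


def forged_reply_match_probability(port_randomized: bool) -> float:
    """Chance that one blind forgery matches a pending query, assuming the
    forger already knows the question, the resolver's address and, when the
    port is fixed, the port too. Only the unpredictable fields remain to guess."""
    space = TXID_SPACE * (PORT_SPACE if port_randomized else 1)
    return 1.0 / space


def unpredictable_bits(port_randomized: bool) -> float:
    """Entropy an off-path forger must match, in bits."""
    return log2(TXID_SPACE * (PORT_SPACE if port_randomized else 1))


def new_query_identity(port_randomized: bool, fixed_port: int = 53) -> tuple[int, int]:
    """What a resolver picks per outgoing query: always a random TXID, plus a
    random source port when randomization is on (the djbdns/patched behaviour).
    Without it the port is a constant (assumed here to be 53)."""
    txid = secrets.randbelow(TXID_SPACE)
    port = secrets.choice(EPHEMERAL_PORTS) if port_randomized else fixed_port
    return txid, port


def reply_matches(pending: tuple[int, int], reply: tuple[int, int]) -> bool:
    """Resolver-side acceptance: TXID and destination port must both equal
    what the query used; a mismatch is dropped, never cached."""
    return pending == reply


def classify_source_ports(ports: list[int]) -> str:
    """Heuristic check over the source ports observed on a resolver's outgoing
    queries (e.g. from a packet capture): 'fixed', 'sequential' or 'random'.
    Constructed heuristic; a real audit would look at a longer sample."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "sequential"
    return "random"


if __name__ == "__main__":
    # Constructed samples: ports seen on six consecutive queries from an
    # unpatched resolver (fixed port) and from a patched one.
    print(classify_source_ports([53, 53, 53, 53, 53, 53]))
    print(classify_source_ports([40211, 7733, 61002, 1533, 28801, 50050]))
    print(unpredictable_bits(False), unpredictable_bits(True))
```

The model deliberately ignores the question name and the resolver address, since the article's premise is that an attacker can learn or choose both; what is left is exactly the TXID and, after the patch, the port. A "sequential" result from the classifier is worth as much attention as "fixed", because a predictable increment is nearly as easy to guess as a constant.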
While the market share of Dnsmasq may be minuscule, there are certainly other DNS implementations that are also concerned. In addition, we are relying on those who are "in the know" to be on the lookout for suspicious traffic that might indicate the vulnerability being exploited. Kaminsky is certainly under no obligation to reveal anything, but one wonders if the safest course would have been for him to provide details now, even at the expense of his "thunder".
Brief items
Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning, as an article at Securosis.com details. This has led to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong; time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.
Mozilla Foundation developing a model for a security metric (heise online)
An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."
New vulnerabilities
bind9: DNS cache poisoning
| Package(s): | bind9 |
| CVE #(s): | CVE-2008-1447 |
| Created: | July 8, 2008 |
| Updated: | March 16, 2010 |
| Description: | From the Debian advisory: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. |
| Alerts: | |
glib2: buffer overflow
| Package(s): | glib2 |
| CVE #(s): | CVE-2008-2371 |
| Created: | July 3, 2008 |
| Updated: | April 9, 2010 |
| Description: | The glib2 library has a heap-based overflow that is caused by incorrect option handling in pcre. |
| Alerts: | |
jetty: multiple vulnerabilities
| Package(s): | jetty |
| CVE #(s): | CVE-2007-5615 CVE-2007-5614 CVE-2007-5613 |
| Created: | July 7, 2008 |
| Updated: | February 17, 2009 |
| Description: | From the Red Hat bugzilla: For CVE-2007-5613: "Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies." For CVE-2007-5614: "Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors." For CVE-2007-5615: "CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors." |
| Alerts: | |
linuxdcpp: denial of service
| Package(s): | linuxdcpp |
| CVE #(s): | CVE-2008-2953 CVE-2008-2954 |
| Created: | July 3, 2008 |
| Updated: | December 9, 2008 |
| Description: | From the Red Hat bug report: CVE-2008-2953: Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via "partial file list requests" that trigger a NULL pointer dereference. CVE-2008-2954: client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via an empty private message, which triggers an out-of-bounds read. |
| Alerts: | |
mercurial: unauthorized access
| Package(s): | mercurial |
| CVE #(s): | CVE-2008-2942 |
| Created: | July 3, 2008 |
| Updated: | July 18, 2008 |
| Description: | From the National Vulnerability Database: Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file. |
| Alerts: | |
openldap: denial of service
| Package(s): | openldap |
| CVE #(s): | CVE-2008-2952 |
| Created: | July 3, 2008 |
| Updated: | October 17, 2008 |
| Description: | From the National Vulnerability Database: liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams, which triggers an assertion error. |
| Alerts: | |
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2007-1649 CVE-2008-2107 CVE-2008-2108 CVE-2008-2829 |
| Created: | July 4, 2008 |
| Updated: | June 1, 2009 |
| Description: | From the CVE entries: PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. (CVE-2007-1649) The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. (CVE-2008-2107) The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. (CVE-2008-2108) php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message. (CVE-2008-2829) |
| Alerts: | |
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2008-2960 |
| Created: | July 7, 2008 |
| Updated: | February 2, 2009 |
| Description: | From the NVD entry: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. |
| Alerts: | |
pidgin: buffer overflow
| Package(s): | Pidgin |
| CVE #(s): | CVE-2008-2927 |
| Created: | July 9, 2008 |
| Updated: | December 7, 2009 |
| Description: | The MSN protocol handler in pidgin contains an integer overflow vulnerability. |
| Alerts: | |
poppler: memory management bug
| Package(s): | poppler |
| CVE #(s): | CVE-2008-2950 |
| Created: | July 9, 2008 |
| Updated: | September 12, 2008 |
| Description: | Poppler (prior to version 0.6.3-r1) contains "a memory management issue" which can be exploited (via a specially crafted PDF file) to run arbitrary code. |
| Alerts: | |
ruby: directory traversal vulnerability
| Package(s): | ruby |
| CVE #(s): | CVE-2008-1891 |
| Created: | July 3, 2008 |
| Updated: | October 10, 2008 |
| Description: | From the National Vulnerability Database: Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. |
| Alerts: | |
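Both the Mercurial entry above (".." sequences in a patch file) and this WEBrick entry (trailing characters that FAT/NTFS silently strip from a filename) come down to mapping a path the other side chose onto the filesystem without checking it first. The following Python is an added example of the checks that belong in front of that mapping; it is not code from Mercurial, from WEBrick or from this page, and the root directories, the `uri_path_to_file` and `patch_target_ok` wrappers and the sample paths are assumptions made for the illustration.

```python
"""Added example (not code from Mercurial, WEBrick or this page): lexical
checks to apply before a client- or patch-supplied path touches the filesystem.
Covers '..' components and the trailing '+', '.' and ' ' characters (and their
%2b, %2e and %20 encodings) that the two vulnerability entries describe."""
import posixpath
from urllib.parse import unquote

# Trailing characters the WEBrick entry lists; on FAT/NTFS a name ending in one
# of these can open a different file than the one an extension check looked at.
UNSAFE_TRAILERS = (".", " ", "+")


def safe_join(root: str, requested: str):
    """Return root/requested when 'requested' is a clean relative path, else None.
    Purely lexical: symlink escapes still need a realpath check at open time."""
    if not requested or "\x00" in requested:
        return None
    candidate = requested.replace("\\", "/")
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return None                          # absolute or drive-letter path
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if not parts:
        return None
    for part in parts:
        if part == ".." or part.endswith(UNSAFE_TRAILERS):
            return None                      # traversal or filesystem-stripped trailer
    normalized = posixpath.normpath("/".join(parts))
    if normalized == ".." or normalized.startswith("../"):
        return None                          # belt and braces
    return posixpath.join(root, normalized)


def uri_path_to_file(document_root: str, uri_path: str):
    """What a web server does: percent-decode once, drop the leading '/', then
    map the decoded path under the document root with the checks above."""
    return safe_join(document_root, unquote(uri_path).lstrip("/"))


def patch_target_ok(repo_root: str, target: str) -> bool:
    """Whether a target path named in a patch may be written inside repo_root."""
    return safe_join(repo_root, target) is not None


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the two entries.
    print(uri_path_to_file("/srv/www", "/cgi-bin/index.rb"))      # accepted
    print(uri_path_to_file("/srv/www", "/cgi-bin/index.rb%2e"))   # None
    print(patch_target_ok("/srv/repo", "src/main.c"))              # True
    print(patch_target_ok("/srv/repo", "../../.ssh/authorized_keys"))  # False
```

Decoding exactly once before checking is the important ordering: a check run on the still-encoded URI would pass `%2e` as harmless text and the filesystem would then see the stripped-off dot. The trailer rule is stricter than a Unix-only server needs, which is the point of the WEBrick entry: the server's idea of a valid name and the filesystem's must agree on every platform it is deployed on.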
ruby: integer overflow
| Package(s): | ruby |
| CVE #(s): | CVE-2008-2376 |
| Created: | July 3, 2008 |
| Updated: | December 17, 2008 |
| Description: | Ruby has an integer overflow vulnerability in the rb_ary_fill() function. |
| Alerts: | |
sipp: buffer overflows
| Package(s): | sipp |
| CVE #(s): | CVE-2008-2085 |
| Created: | July 9, 2008 |
| Updated: | July 9, 2008 |
| Description: | The sipp tool suffers from multiple buffer overflows which enable denial of service attacks and possible remote code execution vulnerabilities. |
| Alerts: | |
squid: denial of service
| Package(s): | squid |
| CVE #(s): | CVE-2004-0918 |
| Created: | July 3, 2008 |
| Updated: | July 9, 2008 |
| Description: | From the National Vulnerability Database: The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that causes a memory allocation error. |
| Alerts: | |
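The OpenLDAP entry above (crafted BER datagrams tripping an assertion in liblber) and this Squid entry (SNMP packets whose length field goes negative and breaks an allocation) are both failures to validate an ASN.1 BER length before acting on it. As an added example, not code from either project or from this page, the Python below decodes one BER tag and length with the checks such a parser needs, and shows how a four-octet length with the top bit set turns into a negative number when stored in a C `int`. The 32-bit cap on length encodings and the sample byte strings are constructed for the illustration.

```python
"""Added example (not code from Squid or OpenLDAP): a BER tag/length decoder
with the bounds checks a network-facing ASN.1 parser needs, plus a view of how
an oversized length reads as a negative number in a C 'int'."""

MAX_LENGTH_OCTETS = 4        # assumed cap: encoded lengths must fit in 32 bits


def parse_ber_header(buf: bytes, off: int = 0) -> tuple[int, int, int]:
    """Decode one BER tag and length at buf[off:].
    Returns (tag, length, value_start). Raises ValueError for anything the
    remaining buffer cannot back up, so the caller never allocates for or
    reads from a length the sender chose."""
    if off >= len(buf):
        raise ValueError("truncated: no tag byte")
    tag = buf[off]
    off += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    if off >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[off]
    off += 1
    if first < 0x80:                      # short form: one byte, 0..127
        length = first
    elif first == 0x80:                   # indefinite form: refuse on the wire
        raise ValueError("indefinite length not allowed")
    else:                                 # long form: low 7 bits = octet count
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS:
            raise ValueError(f"length field of {n} octets is too wide")
        if off + n > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if length > len(buf) - off:
        raise ValueError(f"length {length} exceeds {len(buf) - off} remaining bytes")
    return tag, length, off


def header_is_sane(buf: bytes) -> bool:
    """True when the leading tag/length can be trusted against the buffer."""
    try:
        parse_ber_header(buf)
        return True
    except ValueError:
        return False


def as_c_int32(value: int) -> int:
    """How a signed 32-bit C int sees an unsigned length (two's complement)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


# Constructed samples: two valid headers and one with a 0xFFFFFFFF length.
GOOD_INTEGER = bytes([0x02, 0x01, 0x05])                    # INTEGER 5
GOOD_LONG_FORM = bytes([0x04, 0x81, 0x03]) + b"abc"         # OCTET STRING "abc"
BAD_NEGATIVE = bytes([0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF]) + bytes([0x02, 0x01, 0x00])

if __name__ == "__main__":
    print(parse_ber_header(GOOD_LONG_FORM))                 # (4, 3, 3)
    print(header_is_sane(BAD_NEGATIVE))                     # False
    print(as_c_int32(int.from_bytes(BAD_NEGATIVE[2:6], "big")))  # -1
```

Checking the decoded length against the bytes actually remaining is what closes both bugs at once: a length that a C parser would have seen as negative, and one that is positive but larger than the datagram, are rejected by the same comparison before any allocation or assertion is reached.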
vsftpd: denial of service
| Package(s): | vsftpd |
| CVE #(s): | CVE-2008-2375 |
| Created: | July 9, 2008 |
| Updated: | July 30, 2008 |
| Description: | Another denial of service vulnerability based on a memory leak has been found in vsftpd; this one is exploitable by way of invalid authentication attempts. |
| Alerts: | |
webkit: memory corruption
| Package(s): | WebKit |
| CVE #(s): | CVE-2008-2307 |
| Created: | July 9, 2008 |
| Updated: | November 24, 2008 |
| Description: | WebKit suffers from a memory corruption issue in its JavaScript array handling code, leading to denial of service problems and the potential for remote code execution. |
| Alerts: | |
Page editor: Jake Edge