
Security

LinuxCon: Secure virtualization with sVirt

By Jake Edge
September 23, 2009

"I'm the rain in the cloud" is how Red Hat's Dan Walsh described himself at the beginning of his LinuxCon talk. There is much talk of "cloud computing" these days, but there has not been too much attention paid to the security aspects. Running multiple guest operating systems on the same hardware is "one of the scariest things you can do" from a security point of view, he said. sVirt was developed to combat the problem by applying SELinux mandatory access controls to restrict what guests can do—even if they break out of their containment and can access the Linux host OS.

Before virtualization, servers were separated by network connections, so a misbehaving server would have to launch a network-based attack to break into another server. There are lots of tools available to administrators that will alert or thwart network attacks, but when the servers are running on the same hardware, there is another line of attack: the hypervisor itself. Guests that can perform unauthorized actions on the host OS or hypervisor may be able to access information that is only supposed to be available to a different guest.

These are not theoretical attacks, Walsh said, as there have been successful attacks against Xen and others. Hypervisor vulnerabilities are the "number one goal" of the attacker community right now. The attack against Xen was able to subvert the SELinux policies that were in place on Red Hat Enterprise Linux (RHEL) specifically to stop that kind of attack. Those policies failed because the SELinux labeling of Xen processes and data was left up to administrators, which is the gap sVirt is meant to fix.

Walsh pointed out that all guest OSes typically run as the same user in the Linux host, so under ordinary discretionary access control an exploit that escapes one guest can reach every other guest on that host. In the cloud computing scenario, users have no idea who else is sharing their machine, so it could easily be a competitor or someone with malicious intent. Enforcing separation between processes, however, is a job that SELinux is good at.

In an SELinux-enabled system, processes and data both get labeled based on how they are allowed to be used. Since virtual machines are processes and their filesystem images are files on the host, proper application of SELinux labels—along with rules to govern the label interactions—will effectively disallow guests from unauthorized access to other guests. The host kernel enforces those rules so, as long as the kernel itself is uncompromised, rogue guests are confined.

As they learned from the Xen compromise, leaving the labeling up to administrators does not work, Walsh said, so they added dynamic labeling into libvirt. sVirt uses a largely unused field—for multi-category security (MCS)—in the SELinux label and generates a random unused value for that field. It labels the image file, then launches the virtual machine using that same label.

Using the MCS field allows the same SELinux rules to be used for all of the guests while still restricting each guest to its own process and data. When the guest exits, the image is relabeled back to its original value. Different labels are used for shared images, depending on whether they are shared read-only or read-write, which gives administrators some flexibility while still blocking access to unrelated guest images.
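To make the labeling scheme concrete, here is an added example, written for this article and not code from the talk, libvirt or sVirt, that audits a host the way a practitioner would check that sVirt is actually doing its job. It parses the labels that ps and ls print on an SELinux host, checks that each guest's MCS categories match those on its disk image, and reports any image that more than one guest's label dominates. The type names svirt_t, svirt_image_t and virt_content_t are libvirt's sVirt types and are an assumption, since the article does not name them; the two listings are constructed samples, not captures from a real host.

```python
import re

# Splits "system_u:system_r:svirt_t:s0:c57,c861" into (type, sensitivity, categories).
# Assumption: labels are in the MLS/MCS form user:role:type:sensitivity[:categories].
LABEL_RE = re.compile(
    r"^[^:\s]+:[^:\s]+:(?P<type>[^:\s]+):(?P<sens>s\d+)(?::(?P<cats>c\d+(?:,c\d+)*))?$"
)

# sVirt type names used by libvirt (an assumption; the article does not name them).
GUEST_TYPE = "svirt_t"             # the qemu process of a running guest
IMAGE_TYPE = "svirt_image_t"       # a guest's writable disk image
SHARED_RO_TYPE = "virt_content_t"  # read-only content such as install media

def parse_label(label):
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError("not an MLS/MCS label: %r" % label)
    cats = frozenset(m.group("cats").split(",")) if m.group("cats") else frozenset()
    return m.group("type"), m.group("sens"), cats

# Constructed sample of `ps -eo label,pid,args` filtered to qemu processes.
PS_SAMPLE = """\
system_u:system_r:svirt_t:s0:c57,c861 2101 /usr/bin/qemu-kvm -name web1 -drive file=/var/lib/libvirt/images/web1.img
system_u:system_r:svirt_t:s0:c12,c403 2188 /usr/bin/qemu-kvm -name db1 -drive file=/var/lib/libvirt/images/db1.img
system_u:system_r:svirt_t:s0 2250 /usr/bin/qemu-kvm -name legacy -drive file=/var/lib/libvirt/images/legacy.img
"""

# Constructed sample of `ls -Z /var/lib/libvirt/images` (mode, user, group, label, path).
LS_SAMPLE = """\
-rw------- root root system_u:object_r:svirt_image_t:s0:c57,c861 /var/lib/libvirt/images/web1.img
-rw------- root root system_u:object_r:svirt_image_t:s0:c12,c403 /var/lib/libvirt/images/db1.img
-rw------- root root system_u:object_r:svirt_image_t:s0 /var/lib/libvirt/images/legacy.img
-r--r--r-- root root system_u:object_r:virt_content_t:s0 /var/lib/libvirt/images/install.iso
"""

def parse_ps(text):
    guests = []
    for line in text.splitlines():
        label, pid, args = line.split(None, 2)
        typ, _sens, cats = parse_label(label)
        name = re.search(r"-name (\S+)", args)
        guests.append({
            "name": name.group(1) if name else pid,
            "type": typ,
            "cats": cats,
            "drives": re.findall(r"-drive file=([^\s,]+)", args),
        })
    return guests

def parse_ls(text):
    images = {}
    for line in text.splitlines():
        fields = line.split()
        typ, _sens, cats = parse_label(fields[3])
        images[fields[4]] = (typ, cats)
    return images

def check_isolation(guests, images):
    """Returns a list of findings; an empty list means every guest is confined to its own image."""
    findings = []
    for g in guests:
        if g["type"] != GUEST_TYPE:
            findings.append("%s: runs as %s, not %s" % (g["name"], g["type"], GUEST_TYPE))
        if not g["cats"]:
            findings.append("%s: no MCS categories, so MCS does not separate it from other guests"
                            % g["name"])
        for path in g["drives"]:
            typ, cats = images.get(path, (None, None))
            if typ is None:
                findings.append("%s: drive %s missing from listing" % (g["name"], path))
            elif typ == IMAGE_TYPE and cats != g["cats"]:
                findings.append("%s: drive %s has categories %s, process has %s"
                                % (g["name"], path, sorted(cats), sorted(g["cats"])))
    # MCS lets a process reach an object only if the object's categories are a subset
    # of the process's own. An svirt_image_t file reachable by more than one guest is shared.
    for path, (typ, cats) in images.items():
        if typ != IMAGE_TYPE:
            continue
        readers = [g["name"] for g in guests if g["type"] == GUEST_TYPE and cats <= g["cats"]]
        if len(readers) > 1:
            findings.append("%s: reachable by %s" % (path, ", ".join(readers)))
    return findings

def audit(ps_text, ls_text):
    return check_isolation(parse_ps(ps_text), parse_ls(ls_text))

if __name__ == "__main__":
    for finding in audit(PS_SAMPLE, LS_SAMPLE):
        print(finding)
```

On a real host, feed it the output of `ps -eo label,pid,args | grep qemu` and `ls -Z` on the image directory. In the constructed sample the "legacy" guest runs with a plain s0 level and an s0-labeled image, and the audit flags both: the image is reachable by every svirt_t guest, which is the intended behaviour for a deliberately shared read-write image and a misconfiguration for anything else.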

Starting with Fedora 11, virt-manager will, by default, handle the automatic relabeling of virtual machines and data, Walsh said. One would guess that RHEL 6 will have that capability as well.

While it is certainly not a panacea for security in a virtualized environment, sVirt does provide some useful separation between guests. There is still cause to be concerned about potential kernel vulnerabilities that would allow end runs around SELinux, but sVirt reduces the exposure surface. As part of a multi-layered defense, sVirt effectively narrows the cracks that attackers can slip through.


Brief items

Walsh: Cool things with SELinux... Introducing sandbox -X

Red Hat SELinux hacker Dan Walsh has a weblog posting about a new feature added to his SELinux sandbox. sandbox -X essentially combines the sandbox with the idea behind the "xguest" user to create a sandbox for arbitrary desktop applications. It came out of a request to be able to sandbox "acroread": "Acroread and most other desktop applications use multiple communication channels, interacting not just with stdin and stdout, but accessing configuration files, directly or using interprocess calls as with GConf, the X server and other applications, and usually have full run of the user's home directory. A bug in a desktop application can be exploited to attack other processes on the system through any of these channels. Attempting to lock down access to these things usually just causes applications to break, or at least degrades the user experience. In a nutshell, there was no good, general-purpose way to lock down Acroread, or that matter, any other desktop application."


Why open-source DNS is 'internet's dirty little secret' (ZDNet)

ZDNet is running an interview with Nominum manager Jon Shalowitz; it's an amusingly retro experience for those of us who have forgotten what 1990's-style security FUD looked like. "If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code. By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker." Needless to say, he is attempting to sell such a product.


New vulnerabilities

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2009-3094 CVE-2009-3095
Created:September 22, 2009 Updated:March 1, 2010
Description: From the Mandriva advisory: Multiple vulnerabilities were discovered and corrected in apache:

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094).

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095).

Alerts:
Slackware SSA:2010-024-01 httpd 2010-01-25
Fedora FEDORA-2009-12747 httpd 2009-12-04
Fedora FEDORA-2009-12606 httpd 2009-12-04
Fedora FEDORA-2009-12604 httpd 2009-12-04
Mandriva MDVSA-2009:323 apache 2009-12-07
Red Hat RHSA-2009:1461-01 Red Hat Application Stack 2009-09-23
Mandriva MDVSA-2009:240 apache 2009-09-22
rPath rPSA-2009-0155-1 httpd 2009-11-24
rPath rPSA-2009-0154-1 httpd 2009-11-24
Debian DSA-1934-1 apache2 2009-11-16
CentOS CESA-2009:1579 httpd 2009-11-14
Red Hat RHSA-2009:1580-02 httpd 2009-11-11
Ubuntu USN-860-1 apache2 2009-11-19
CentOS CESA-2009:1580 httpd 2009-11-12
CentOS CESA-2009:1579 httpd 2009-11-12
Red Hat RHSA-2009:1579-02 httpd 2009-11-11
SuSE SUSE-SA:2009:050 apache2,libapr1 2009-10-26


bugzilla: SQL injection

Package(s):bugzilla CVE #(s):CVE-2009-3125 CVE-2009-3165 CVE-2009-3166
Created:September 21, 2009 Updated:June 4, 2010
Description: From the Bugzilla advisory:

* Two SQL injection attacks have been discovered in Bugzilla. One only affects the 3.4 series, while the other affects the 3.0, 3.2, and 3.4 series. These are extremely serious vulnerabilities that must be patched immediately.

* When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password.

Alerts:
Gentoo 201006-19:02 bugzilla 2010-06-04
Fedora FEDORA-2009-9550 bugzilla 2009-09-15
Fedora FEDORA-2009-9554 bugzilla 2009-09-15
Debian DSA-1913-1 bugzilla 2009-10-17


changetrack: shell command execution

Package(s):changetrack CVE #(s):CVE-2009-3233
Created:September 22, 2009 Updated:September 23, 2009
Description: From the Debian advisory: Marek Grzybowski discovered that changetrack, a program to monitor changes to (configuration) files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters.
Alerts:
Debian DSA-1891-1 changetrack 2009-09-22
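The defect described above is the generic one of splicing a filename into a shell command string; the following added example (written for this entry, not changetrack's own code) shows it in Python alongside the two usual fixes, passing the name as a single argv element with no shell and, where a shell cannot be avoided, quoting it, plus the reject-metacharacters rule the advisory says changetrack adopted. The metacharacter set and the sample filename are constructed; `echo` stands in for whatever command changetrack runs on the monitored file.

```python
import re
import shlex
import subprocess

# Characters the shell gives meaning to. A filename containing any of them must not be
# spliced into a command string. Conservative by design: whitespace and quotes included.
SHELL_META = re.compile(r"""[;&|<>()$`\\"'*?\[\]{}~!#\s]""")

def has_shell_metachars(filename):
    return SHELL_META.search(filename) is not None

def _lines(completed):
    return completed.stdout.decode().splitlines()

def run_unsafe(filename):
    """Vulnerable pattern: the filename is interpolated into a string handed to /bin/sh.
    A name such as "a.conf; echo INJECTED" ends the intended command and starts another."""
    return _lines(subprocess.run("echo " + filename, shell=True,
                                 stdout=subprocess.PIPE, check=True))

def run_safe_argv(filename):
    """Hardened: no shell at all; the filename is one argv element however odd it looks."""
    return _lines(subprocess.run(["echo", filename], stdout=subprocess.PIPE, check=True))

def run_safe_quoted(filename):
    """Hardened for the case where a shell is unavoidable: quote the argument so the
    shell sees exactly one word."""
    return _lines(subprocess.run("echo " + shlex.quote(filename), shell=True,
                                 stdout=subprocess.PIPE, check=True))

def run_with_reject(filename):
    """The approach the advisory describes: refuse to handle names with metacharacters."""
    if has_shell_metachars(filename):
        raise ValueError("refusing filename with shell metacharacters: %r" % filename)
    return run_safe_argv(filename)

if __name__ == "__main__":
    hostile = "a.conf; echo INJECTED"    # constructed filename carrying a second command
    print("unsafe :", run_unsafe(hostile))        # two lines: the injected command ran
    print("argv   :", run_safe_argv(hostile))     # one line: the name was just data
    print("quoted :", run_safe_quoted(hostile))   # one line
```

Rejecting metacharacters is a pragmatic fix for a tool whose inputs are configuration file names, but it is a denylist; the argv form is the one to prefer in new code because it does not depend on enumerating the shell's syntax correctly.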


dovecot: buffer overflows

Package(s):dovecot CVE #(s):CVE-2009-3235
Created:September 23, 2009 Updated:October 5, 2010
Description: From the Mandriva alert: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632 (CVE-2009-3235).
Alerts:
Gentoo 201110-04 dovecot 2011-10-10
Mandriva MDVSA-2010:196 dovecot 2010-10-04
Ubuntu USN-838-1 dovecot 2009-09-28
Fedora FEDORA-2009-9901 cyrus-imapd 2009-09-24
Fedora FEDORA-2009-9869 cyrus-imapd 2009-09-24
Debian DSA-1893-1 cyrus-imapd-2.2 2009-09-23
Debian DSA-1892-1 dovecot 2009-09-23
Red Hat RHSA-2009:1459-04 cyrus-imapd 2009-09-23
Mandriva MDVSA-2009:242-1 dovecot 2009-09-22
Mandriva MDVSA-2009:242 dovecot 2009-09-22
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
SuSE SUSE-SR:2009:016 silc-toolkit, open-iscsi, strongswan,freeswan,openswan, mutt, openldap2, cyrus-imapd, java-1_6_0-openjdk, postgresql, IBMJava2-JRE/java-1_4_2-ibm, wireshark, freeradius, dovecot 2009-10-13
CentOS CESA-2009:1459 cyrus-imapd 2009-10-30


drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):
Created:September 21, 2009 Updated:September 23, 2009
Description: From the Drupal advisory:

Multiple vulnerabilities and weaknesses were discovered in Drupal.

OpenID association cross site request forgeries: The OpenID module in Drupal 6 allows users to create an account or log into a Drupal site using one or more OpenID identities.

OpenID impersonation: The OpenID module is not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allows a user to access the account of another user when they share the same OpenID 2.0 provider.

File upload: File uploads with certain extensions are not correctly processed by the File API. This may lead to the creation of files that are executable by Apache. The .htaccess that is saved into the files directory by Drupal should normally prevent execution. The files are only executable when the server is configured to ignore the directives in the .htaccess file.

Session fixation: Drupal doesn't regenerate the session ID when an anonymous user follows the one time login link used to confirm email addresses and reset forgotten passwords. This enables a malicious user to fix and reuse the session id of a victim under certain circumstances.

Alerts:
Fedora FEDORA-2009-9751 drupal 2009-09-18
Fedora FEDORA-2009-9721 drupal 2009-09-18
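The session fixation item above is the easiest of the four to misjudge, because the one-time link itself is secure; the weakness is only that the session the victim's browser already carries is promoted to logged-in. The following added example (written for this entry, not Drupal code) plays the attack against a minimal in-memory stand-in for the application and shows why issuing a fresh session ID at login closes it. How the attacker plants the session ID in the victim's browser is taken as given; the token format and user IDs are constructed.

```python
import secrets

class Site:
    """Minimal stand-in for the web application: a session table and pending one-time links."""
    def __init__(self):
        self.sessions = {}   # session id -> {"uid": user id, or None while anonymous}
        self.links = {}      # one-time token -> uid

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": None}
        return sid

    def issue_one_time_link(self, uid):
        token = secrets.token_urlsafe(16)   # constructed; real links are also time-limited
        self.links[token] = uid
        return token

def follow_link_vulnerable(site, sid, token):
    """Authenticates whatever session the browser presented. The id never changes,
    so anyone who knew it before the login (because they chose it) still knows it."""
    uid = site.links.pop(token)                     # one-time: consumed here
    session = site.sessions.setdefault(sid, {"uid": None})
    session["uid"] = uid
    return sid

def follow_link_fixed(site, sid, token):
    """Discards the pre-authentication session and issues a fresh id for the logged-in one."""
    uid = site.links.pop(token)
    site.sessions.pop(sid, None)
    new_sid = site.new_session()
    site.sessions[new_sid]["uid"] = uid
    return new_sid

def fixation_succeeds(follow_link, victim_uid=42):
    """Plays the attack and reports whether the attacker's session id ends up logged in."""
    site = Site()
    planted_sid = site.new_session()      # attacker obtains an anonymous session id and
                                          # plants it in the victim's browser (premise)
    token = site.issue_one_time_link(victim_uid)   # victim asks for a reset; link is mailed
    follow_link(site, planted_sid, token)          # victim follows it, sending the planted id
    attacker_view = site.sessions.get(planted_sid) # attacker replays the id they planted
    return attacker_view is not None and attacker_view["uid"] == victim_uid

if __name__ == "__main__":
    print("vulnerable handler hijacked:", fixation_succeeds(follow_link_vulnerable))
    print("fixed handler hijacked:     ", fixation_succeeds(follow_link_fixed))
```

The same rule applies to any privilege transition, not just one-time links: whenever a session changes from anonymous to authenticated, or from one user to another, the server should mint a new identifier and forget the old one.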


pidgin: multiple vulnerabilities

Package(s):pidgin CVE #(s):CVE-2009-2703 CVE-2009-3026 CVE-2009-3083 CVE-2009-3085
Created:September 21, 2009 Updated:January 18, 2010
Description: From the Red Hat advisory:

A NULL pointer dereference flaw was found in the way the Pidgin XMPP protocol plug-in processes IQ error responses when trying to fetch a custom smiley. A remote client could send a specially-crafted IQ error response that would crash Pidgin. (CVE-2009-3085)

A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially-crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703)

It was discovered that, when connecting to certain, very old Jabber servers via XMPP, Pidgin may ignore the "Require SSL/TLS" setting. In these situations, a non-encrypted connection is established rather than the connection failing, causing the user to believe they are using an encrypted connection when they are not, leading to sensitive information disclosure (session sniffing). (CVE-2009-3026)

A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially-crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083)

Alerts:
Ubuntu USN-886-1 pidgin 2010-01-18
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2009:321 pidgin 2009-12-06
CentOS CESA-2009:1453 pidgin 2009-09-22
Red Hat RHSA-2009:1453-01 pidgin 2009-09-21
CentOS CESA-2009:1535 pidgin 2009-10-29
Gentoo 200910-02 pidgin 2009-10-22
Red Hat RHSA-2009:1535-01 pidgin 2009-10-29
CentOS CESA-2009:1453 pidgin 2009-10-30


postgresql: multiple vulnerabilities

Package(s):postgresql-8.1, postgresql-8.3 CVE #(s):CVE-2009-3229 CVE-2009-3230 CVE-2009-3231
Created:September 21, 2009 Updated:March 8, 2010
Description: From the Ubuntu advisory:

It was discovered that PostgreSQL could be made to unload and reload an already loaded module by using the LOAD command. A remote authenticated attacker could exploit this to cause a denial of service. This issue did not affect Ubuntu 6.06 LTS. (CVE-2009-3229)

Due to an incomplete fix for CVE-2007-6600, RESET ROLE and RESET SESSION AUTHORIZATION operations were allowed inside security-definer functions. A remote authenticated attacker could exploit this to escalate privileges within PostgreSQL. (CVE-2009-3230)

It was discovered that PostgreSQL did not properly perform LDAP authentication under certain circumstances. When configured to use LDAP with anonymous binds, a remote attacker could bypass authentication by supplying an empty password. This issue did not affect Ubuntu 6.06 LTS. (CVE-2009-3231)

Alerts:
Gentoo 201110-22 postgresql-base 2011-10-25
rPath rPSA-2010-0012-1 postgresql 2010-03-07
Mandriva MDVSA-2009:251-1 postgresql8.2 2009-12-08
Red Hat RHSA-2009:1461-01 Red Hat Application Stack 2009-09-23
Ubuntu USN-834-1 postgresql-8.1, postgresql-8.3 2009-09-21
CentOS CESA-2009:1485 postgresql 2009-10-07
Red Hat RHSA-2009:1484-01 postgresql 2009-10-07
Red Hat RHSA-2009:1485-01 postgresql 2009-10-07
CentOS CESA-2009:1484 postgresql 2009-10-09
CentOS CESA-2009:1484 postgresql 2009-10-30
SuSE SUSE-SR:2009:017 php5, newt, rubygem-actionpack, rubygem-activesupport, java-1_4_2-ibm, postgresql, samba, phpMyAdmin, viewvc 2009-10-26
SuSE SUSE-SR:2009:016 silc-toolkit, open-iscsi, strongswan,freeswan,openswan, mutt, openldap2, cyrus-imapd, java-1_6_0-openjdk, postgresql, IBMJava2-JRE/java-1_4_2-ibm, wireshark, freeradius, dovecot 2009-10-13
Debian DSA-1900-1 postgresql-7.4 2009-10-02
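The LDAP issue (CVE-2009-3231) is a pattern worth recognising beyond PostgreSQL: an LDAP simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2) that many directories answer with success while verifying nothing, so an application that treats "bind succeeded" as "password verified" lets anyone in with a blank password. The added example below (written for this entry, not PostgreSQL code) models that server behaviour with a fake directory and shows the authenticator before and after the fix of refusing empty passwords up front. The DN layout and the user data are constructed.

```python
class FakeDirectory:
    """Stand-in for an LDAP server's simple bind. With a DN and an empty password the
    server performs an unauthenticated bind (RFC 4513 5.1.2): it answers success but has
    checked no credential. Constructed model, not a real LDAP client."""
    def __init__(self, passwords):
        self.passwords = passwords   # dn -> password, constructed test data

    def simple_bind(self, dn, password):
        if password == "":
            return True              # unauthenticated bind: "success" with no identity proven
        return self.passwords.get(dn) == password

def user_dn(username):
    # Assumed DN layout; PostgreSQL builds it from ldapprefix/ldapsuffix in pg_hba.conf.
    return "uid=%s,ou=people,dc=example,dc=com" % username

def authenticate_vulnerable(directory, username, password):
    """Trusts the bind result alone: a blank password yields a successful bind, so the
    caller is treated as logged in."""
    return directory.simple_bind(user_dn(username), password)

def authenticate_fixed(directory, username, password):
    """Refuses an empty password before any bind is attempted, so the unauthenticated-bind
    path can never be reached with the user's identity attached to it."""
    if not password:
        return False
    return directory.simple_bind(user_dn(username), password)

if __name__ == "__main__":
    directory = FakeDirectory({user_dn("alice"): "s3cret"})   # constructed
    print("vulnerable, blank password:", authenticate_vulnerable(directory, "alice", ""))
    print("fixed, blank password:     ", authenticate_fixed(directory, "alice", ""))
    print("fixed, right password:     ", authenticate_fixed(directory, "alice", "s3cret"))
```

The check belongs on the client side regardless of how the directory is configured: whether a given server accepts unauthenticated binds is a server setting the application does not control, and an administrator can change it later.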


squid: denial of service

Package(s):squid CVE #(s):CVE-2009-2855
Created:September 22, 2009 Updated:March 31, 2010
Description: From the Mandriva advisory: The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
Alerts:
Gentoo 201110-24 squid 2011-10-26
Red Hat RHSA-2010:0221-04 squid 2010-03-30
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
Ubuntu USN-901-1 squid 2010-02-16
Debian DSA-1991-1 squid/squid3 2010-02-04
Mandriva MDVSA-2009:241-1 squid 2010-01-11
Mandriva MDVSA-2009:241 squid 2009-09-22


webkit: denial of service

Package(s):webkit CVE #(s):CVE-2009-1711
Created:September 23, 2009 Updated:January 25, 2011
Description: From the Ubuntu alert: Several flaws were discovered in the WebKit browser and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program.
Alerts:
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
Debian DSA-1988-1 qt4-x11 2010-02-02
Debian DSA-1950 webkit 2009-12-12
Ubuntu USN-836-1 webkit 2009-09-23
Ubuntu USN-857-1 qt4-x11 2009-11-10


webkit: arbitrary code execution

Package(s):webkit CVE #(s):CVE-2009-1712
Created:September 23, 2009 Updated:January 25, 2011
Description: From the Ubuntu alert: It was discovered that WebKit did not prevent the loading of local Java applets. If a user were tricked into viewing a malicious website, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-1712)
Alerts:
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
Debian DSA-1988-1 qt4-x11 2010-02-02
Debian DSA-1950 webkit 2009-12-12
Ubuntu USN-836-1 webkit 2009-09-23
Ubuntu USN-857-1 qt4-x11 2009-11-10


xfig: symlink attack vulnerability

Package(s):xfig CVE #(s):CVE-2009-1962
Created:September 23, 2009 Updated:December 28, 2009
Description: From the Mandriva alert: xfig in Debian GNU/Linux, possibly 3.2.5, allows local users to read and write arbitrary files via a symlink attack on the xfig-eps[PID], xfig-pic[PID].pix, xfig-pic[PID].err, xfig-pcx[PID].pix, xfig-xfigrc[PID], xfig[PID], fig-print[PID], xfig-export[PID].err, xfig-batch[PID], xfig-exp[PID], or xfig-spell.[PID] temporary files, where [PID] is a process ID (CVE-2009-1962).
Alerts:
Mandriva MDVSA-2009:244-1 xfig 2009-12-28
Mandriva MDVSA-2009:244 xfig 2009-09-23
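Every name in the list above is predictable from the process ID, which is what makes the symlink attack work: a local attacker creates the link before the victim opens the file, and the victim's open() follows it. The added example below (written for this entry, not xfig's code) recreates the attack in a throwaway directory with the xfig-eps[PID] naming pattern and shows that creating the file with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses a pre-planted link. The PID, file names and contents are constructed; it needs a POSIX filesystem that permits symlinks.

```python
import errno
import os
import tempfile

def victim_write_vulnerable(path, data):
    """The pattern behind the advisory: open a predictably named temp file for writing.
    open() follows a symlink at that path and truncates whatever it points to."""
    with open(path, "w") as f:
        f.write(data)

def victim_write_hardened(path, data):
    """O_EXCL makes creation fail if anything already exists at the path, a symlink
    included (dangling or not); O_NOFOLLOW adds a second line of defence on platforms
    that have it. mkstemp() does the same and also picks an unpredictable name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def simulate(writer, guessed_pid=4242):
    """Plays attacker and victim in a temporary directory. Returns True if the victim's
    write ended up in the attacker's chosen target file."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "file_the_victim_can_write")   # e.g. ~/.bashrc in life
        with open(target, "w") as f:
            f.write("original\n")
        # Attacker: the temp name is predictable from the PID, so plant the link first.
        temp_name = os.path.join(tmp, "xfig-eps%d" % guessed_pid)
        os.symlink(target, temp_name)
        # Victim: runs with that PID and writes its scratch data to the "fresh" temp file.
        try:
            writer(temp_name, "exported EPS data\n")
        except OSError as e:
            if e.errno != errno.EEXIST:
                raise
        with open(target) as f:
            return f.read() != "original\n"

if __name__ == "__main__":
    print("vulnerable writer clobbered target:", simulate(victim_write_vulnerable))
    print("hardened writer clobbered target:  ", simulate(victim_write_hardened))
```

In the hardened variant the victim's open() fails with EEXIST instead of writing, which is the correct outcome: a temp file that already exists when you try to create it is, by definition, not yours. The complementary fix of using tempfile.mkstemp() removes the predictability of the name, so the attacker has nothing to aim at in the first place.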


Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds