
Security

"Evil Maid" attack against disk encryption

By Jake Edge
October 28, 2009

Physical security is important. The "Evil Maid" attack serves as a reminder that briefly allowing a laptop out of your control, even with an encrypted hard disk, means that all security bets are off—the machine should be considered potentially compromised. Obviously different users have different levels of paranoia about their data security, but the Evil Maid attack shows just how simple it can be for others to access your data.

There is nothing particularly new in the proof-of-concept (PoC) attack against the TrueCrypt disk encryption software, but the simplicity of the approach should give one pause. Joanna Rutkowska described the attack back in January, and the need for physical computer security goes back much further than that. But people are less wary of physical attacks against laptops today because of whole-disk encryption. Rutkowska's PoC, along with last year's report on "cold boot" attacks, should make it clear that encryption—at least without some kind of Trusted Platform Module (TPM) support—is not a complete solution.

The basic idea behind Evil Maid is that someone gets access to a laptop for a fairly short period of time (a few minutes), and, in that time, boots it from a USB key. One obvious vector is a hotel maid (or someone acting as one), who enters someone's room while they are out to dinner, which is what gives the attack its name. The USB key contains a payload that hooks the TrueCrypt password prompting code and stores the last password entered. The payload gets added to the Master Boot Record (MBR) of the laptop so that it becomes active on the next boot.

While it has not been implemented in the PoC, there is no reason that the malware couldn't send the password off via the network; currently it just reports it back the next time the Evil Maid USB key is booted. That would require the attacker to access the laptop twice—with its user typing in the encryption key in between—but a multi-day hotel stay would give ample opportunity for that to occur.

As Bruce Schneier points out, this attack is in no way limited to TrueCrypt, as other solutions suffer from the same vulnerabilities. Both Schneier and Rutkowska look at some potential workarounds, but, in the final analysis, physical access allows an attacker too many ways around these security measures. Even Trusted Computing, with appropriate TPM hardware, can succumb to certain kinds of attacks.

Microsoft's BitLocker drive encryption uses the TPM, which provides reasonable assurance that the right code is being booted, but even that can fall prey to Evil Maid-style attacks, as Rutkowska describes:

Namely the Evil Maid for Bitlocker would have to display a fake Bitlocker prompt (that could be identical to the real Bitlocker prompt), but after obtaining a correct password from the user Evil Maid would not be able to pass the execution to the real Bitlocker code, as the SRTM [Static Root of Trust Measurement] chain will be broken. Instead, Evil Maid would have to pretend that the password was wrong, uninstall itself, and then reboot the platform. Thus, a Bitlocker user that is confident that he or she entered the correct password, but the OS didn't boot correctly, should destroy the laptop.

Rutkowska also describes a "Poor Man's Solution" which calculates hashes of the unencrypted portions of the disk (especially the MBR). The Disk Hasher is a bootable Linux-based USB key that calculates the hashes, stores them on the USB key, and verifies that they still match before each boot. As she points out, it only protects against disk-based attacks—BIOS reflashing would subvert Disk Hasher.
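One way to implement the hash-and-verify step Rutkowska's Disk Hasher performs, as an added example that is not the article's or Rutkowska's own code: the cleartext regions, the boot-loader size, and the sample disk image are all assumptions constructed for the example.

```python
"""Boot-region integrity check in the spirit of Rutkowska's "Disk Hasher".

This is an added example, not code from the LWN article or from
Rutkowska's tool. It hashes the regions of a disk that stay unencrypted
under whole-disk encryption (the MBR, plus a boot-loader area whose size
is an assumption here), stores the digests as a manifest, and later checks
the disk against that manifest before the passphrase is typed.
"""
import hashlib
import json

SECTOR = 512

# Cleartext regions as (offset, length). The MBR is always sector 0; the
# size of the boot-loader area after it is an assumed value for this
# example, since real layouts vary between encryption products.
REGIONS = {
    "mbr": (0, SECTOR),
    "bootloader": (SECTOR, 62 * SECTOR),
}


def hash_regions(image: bytes, regions=REGIONS) -> dict:
    """Return {region name: sha256 hex digest} for each cleartext region."""
    manifest = {}
    for name, (offset, length) in regions.items():
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"region {name!r} extends past the end of the image")
        manifest[name] = hashlib.sha256(chunk).hexdigest()
    return manifest


def verify_regions(image: bytes, manifest: dict, regions=REGIONS) -> list:
    """Return the names of regions whose current digest differs from the manifest.

    An empty list means the unencrypted boot code matches what was recorded;
    anything else means the disk was modified while out of your control.
    """
    current = hash_regions(image, regions)
    return sorted(name for name in manifest if current.get(name) != manifest[name])


def hash_device(path: str, regions=REGIONS) -> dict:
    """Read only the cleartext head of a block device (e.g. /dev/sda) and hash it."""
    needed = max(offset + length for offset, length in regions.values())
    with open(path, "rb") as dev:
        head = dev.read(needed)
    return hash_regions(head, regions)


def make_sample_disk() -> bytes:
    """Constructed 64-sector disk image: a bootable MBR, a patterned loader, padding."""
    mbr = b"\xeb\x3c\x90" + b"\x00" * (510 - 3) + b"\x55\xaa"  # ends in boot signature
    loader = bytes(range(256)) * (61 * SECTOR // 256)
    padding = b"\x00" * (2 * SECTOR)
    return mbr + loader + padding


def simulate_mbr_modification(image: bytes) -> bytes:
    """Constructed tamper case: 16 bytes of sector 0 replaced, as a hooked MBR would be."""
    patched = bytearray(image)
    patched[0x10:0x20] = b"\x90" * 16
    return bytes(patched)


if __name__ == "__main__":
    disk = make_sample_disk()
    manifest = hash_regions(disk)  # done once, from the trusted USB key
    print(json.dumps(manifest, indent=2))
    print("clean disk  :", verify_regions(disk, manifest))  # []
    print("modified MBR:", verify_regions(simulate_mbr_modification(disk), manifest))  # ['mbr']
```

Run `hash_device("/dev/sda")` from the bootable key to build the manifest, and compare against it on every later boot; any non-empty result from `verify_regions` is the cue not to type the passphrase.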

Requiring a password in the BIOS before booting is another possible workaround, but one that may not provide as much security as it at first seems. BIOS reflashing is one possible attack, but an easier—though more time-consuming than the "standard" Evil Maid attack—method would be to remove the disk, attach it to another laptop, and install the necessary code there. That adds complexity to the attack, but the 5-15 minutes needed to swap out a laptop hard disk are not all that difficult to come by in the hotel scenario.

This PoC, along with other attacks against encrypted disks, is very useful to remind users that hard disk encryption is no panacea. You still must consider which kinds of threats you are trying to protect against. Disk encryption is great for preventing accidental disclosure of private information when someone steals a laptop, but is much less useful for an attack that is focused on accessing the data on a particular laptop. Much like internet security, fairly straightforward protection techniques are fine to thwart the random attacker but are probably insufficient for one who is focused on subverting your defenses in particular.

Brief items

Firefox 3.5.4 and 3.0.15 now available for download

Mozilla has announced the availability of Firefox 3.5.4 and 3.0.15. Each fixes some fairly serious-sounding security problems (3.5.4, 3.0.15), including multiple "critical" flaws. "We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu." Distribution updates will presumably be available soon as well.

New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2007-0048 CVE-2009-2979 CVE-2009-2980 CVE-2009-2981 CVE-2009-2982 CVE-2009-2983 CVE-2009-2985 CVE-2009-2986 CVE-2009-2988 CVE-2009-2990 CVE-2009-2991 CVE-2009-2993 CVE-2009-2994 CVE-2009-2996 CVE-2009-2997 CVE-2009-2998 CVE-2009-3431 CVE-2009-3458 CVE-2009-3459 CVE-2009-3462
Created: October 26, 2009
Updated: October 28, 2009
Description:

From the CVE entries:

CVE-2007-0048: Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue."

CVE-2009-2979: Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 do not properly perform XMP-XML entity expansion, which allows remote attackers to cause a denial of service via a crafted document.

CVE-2009-2980: Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.

CVE-2009-2981: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to bypass intended Trust Manager restrictions via unspecified vectors.

CVE-2009-2982: An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a "social engineering attack" via unknown vectors.

CVE-2009-2983: Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

CVE-2009-2985: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2996.

CVE-2009-2986: Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2988: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which allows attackers to cause a denial of service via unspecified vectors.

CVE-2009-2990: Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2991: Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x before 9.2, might allow remote attackers to execute arbitrary code via unknown vectors.

CVE-2009-2993: The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. NOTE: some of these details are obtained from third party information.

CVE-2009-2994: Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2996: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2985.

CVE-2009-2997: Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

CVE-2009-2998: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-3458.

CVE-2009-3431: Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3, 9.1.2, 9.1.1, and earlier 9.x versions; 8.1.6 and earlier 8.x versions; and possibly 7.1.4 and earlier 7.x versions allows remote attackers to cause a denial of service (application crash) via a PDF file with a large number of [ (open square bracket) characters in the argument to the alert method. NOTE: some of these details are obtained from third party information.

CVE-2009-3458: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2998.

CVE-2009-3459: Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.

CVE-2009-3462: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 on Unix, when Debug mode is enabled, allow attackers to execute arbitrary code via unspecified vectors, related to a "format bug."

Alerts:
Gentoo 200910-03 acroread 2009-10-25
SuSE SUSE-SA:2009:049 acroread, 2009-10-26

acroread: denial of service

Package(s): acroread, acroread_ja
CVE #(s): CVE-2009-2992
Created: October 26, 2009
Updated: October 28, 2009
Description:

From the CVE entry:

CVE-2009-2992: An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not properly validate input, which allows attackers to cause a denial of service via unknown vectors.

Alerts:
SuSE SUSE-SA:2009:049 acroread, 2009-10-26

firefox: multiple vulnerabilities

Package(s): firefox seamonkey
CVE #(s): CVE-2009-1563 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373 CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382
Created: October 28, 2009
Updated: June 14, 2010
Description: Firefox 3.5.4 and 3.0.15 have been released with fixes for the usual set of scary vulnerabilities.
Alerts:
Gentoo 201301-01 firefox 2013-01-07
Mandriva MDVSA-2010:071 mozilla-thunderbird 2010-04-23
Fedora FEDORA-2010-7100 seamonkey 2010-04-21
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
CentOS CESA-2010:0153 thunderbird 2010-03-26
Ubuntu USN-915-1 thunderbird 2010-03-18
CentOS CESA-2010:0154 thunderbird 2010-03-17
Red Hat RHSA-2010:0153-02 thunderbird 2010-03-17
Red Hat RHSA-2010:0154-02 thunderbird 2010-03-17
Mandriva MDVSA-2009:290-1 firefox 2009-12-02
Debian DSA-1931-1 nspr 2009-11-08
Slackware SSA:2009-306-01 mozilla 2009-11-03
Fedora FEDORA-2009-10878 epiphany-extensions 2009-10-29
Red Hat RHSA-2009:1530-01 firefox 2009-10-27
Mandriva MDVSA-2009:294 firefox 2009-11-05
Fedora FEDORA-2009-10878 evolution-rss 2009-10-29
Fedora FEDORA-2009-10878 galeon 2009-10-29
Fedora FEDORA-2009-10878 gnome-python2-extras 2009-10-29
Fedora FEDORA-2009-10878 gnome-web-photo 2009-10-29
Ubuntu USN-853-2 firefox 2009-11-11
SuSE SUSE-SA:2009:052 MozillaFirefox 2009-11-04
Ubuntu USN-853-1 firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1 2009-10-31
Fedora FEDORA-2009-10878 firefox 2009-10-29
Fedora FEDORA-2009-10878 ruby-gnome2 2009-10-29
Fedora FEDORA-2009-10981 yelp 2009-11-04
Fedora FEDORA-2009-10981 xulrunner 2009-11-04
Fedora FEDORA-2009-10981 ruby-gnome2 2009-11-04
Fedora FEDORA-2009-10981 pcmanx-gtk2 2009-11-04
Fedora FEDORA-2009-10981 perl-Gtk2-MozEmbed 2009-11-04
Fedora FEDORA-2009-10981 mugshot 2009-11-04
Fedora FEDORA-2009-10981 Miro 2009-11-04
Fedora FEDORA-2009-10981 mozvoikko 2009-11-04
Fedora FEDORA-2009-10981 kazehakase 2009-11-04
Fedora FEDORA-2009-10981 google-gadgets 2009-11-04
Fedora FEDORA-2009-10981 gnome-web-photo 2009-11-04
Fedora FEDORA-2009-10981 gnome-python2-extras 2009-11-04
Fedora FEDORA-2009-10981 epiphany-extensions 2009-11-04
Fedora FEDORA-2009-10981 gecko-sharp2 2009-11-04
Fedora FEDORA-2009-10981 evolution-rss 2009-11-04
Fedora FEDORA-2009-10981 firefox 2009-11-04
Fedora FEDORA-2009-10981 galeon 2009-11-04
Fedora FEDORA-2009-10981 epiphany 2009-11-04
Fedora FEDORA-2009-10981 blam 2009-11-04
Fedora FEDORA-2009-10878 chmsee 2009-10-29
Fedora FEDORA-2009-10878 google-gadgets 2009-10-29
Fedora FEDORA-2009-10878 kazehakase 2009-10-29
Fedora FEDORA-2009-10878 Miro 2009-10-29
Fedora FEDORA-2009-10878 monodevelop 2009-10-29
Fedora FEDORA-2009-10878 mozvoikko 2009-10-29
Fedora FEDORA-2009-10878 pcmanx-gtk2 2009-10-29
Fedora FEDORA-2009-10878 perl-Gtk2-MozEmbed 2009-10-29
Fedora FEDORA-2009-10878 seahorse-plugins 2009-10-29
Fedora FEDORA-2009-10878 xulrunner 2009-10-29
Fedora FEDORA-2009-10878 yelp 2009-10-29
Mandriva MDVSA-2009:290 firefox 2009-10-29
Debian DSA-1922-1 xulrunner 2009-10-28
Fedora FEDORA-2009-10878 hulahop 2009-10-29
Fedora FEDORA-2009-10878 blam 2009-10-29
Fedora FEDORA-2009-10878 eclipse 2009-10-29
CentOS CESA-2009:1531 seamonkey 2009-10-28
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Fedora FEDORA-2009-10878 epiphany 2009-10-29
CentOS CESA-2009:1530 firefox 2009-10-28
Red Hat RHSA-2009:1531-01 seamonkey 2009-10-27

kernel: missing initialization flaws

Package(s): kernel
CVE #(s): CVE-2005-4881 CVE-2009-3228
Created: October 22, 2009
Updated: October 8, 2010
Description: From the Red Hat alert:

Multiple missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2005-4881, CVE-2009-3228, Moderate)

Alerts:
Mandriva MDVSA-2010:188 kernel 2010-09-23
Mandriva MDVSA-2010:198 kernel 2010-10-07
SuSE SUSE-SA:2009:064 kernel 2009-12-22
SuSE SUSE-SA:2009:061 kernel 2009-12-14
Mandriva MDVSA-2009:329 kernel 2009-12-09
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
CentOS CESA-2009:1548 kernel 2009-11-04
Red Hat RHSA-2009:1522-01 kernel 2009-10-22
Mandriva MDVSA-2009:301 kernel 2009-11-20
Debian DSA-1929-1 linux-2.6 2009-11-05
Debian DSA-1927-1 linux-2.6 2009-11-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05
CentOS CESA-2009:1522 kernel 2009-10-26

kernel: buffer overflow

Package(s): kernel
CVE #(s): CVE-2009-2584
Created: October 22, 2009
Updated: October 28, 2009
Description: From the National Vulnerability Database entry:

"Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which triggers a stack-based buffer overflow."

Alerts:
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22

kernel: privilege escalation

Package(s): kernel
CVE #(s): CVE-2009-2695
Created: October 22, 2009
Updated: March 1, 2010
Description: From the National Vulnerability Database entry:

"The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs."

Alerts:
Debian DSA-2004-1 linux-2.6.24 2010-02-27
Red Hat RHSA-2009:1672-01 kernel 2009-12-15
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
CentOS CESA-2009:1548 kernel 2009-11-04
Debian DSA-1915-1 linux-2.6 2009-10-22
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22
Red Hat RHSA-2009:1587-01 kernel 2009-11-17

kernel: insufficient randomization

Package(s): kernel
CVE #(s): CVE-2009-3238
Created: October 22, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:

"The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time.""

Alerts:
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2009:055 kernel 2009-11-12
Debian DSA-1928-1 linux-2.6.24 2009-11-05
SuSE SUSE-SA:2009:054 kernel 2009-11-11
Debian DSA-1929-1 linux-2.6 2009-11-05
Debian DSA-1927-1 linux-2.6 2009-11-05
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22

kernel: insecure file creation

Package(s): kernel
CVE #(s): CVE-2009-3286
Created: October 22, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:

"NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails."

Alerts:
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Debian DSA-1928-1 linux-2.6.24 2009-11-05
CentOS CESA-2009:1548 kernel 2009-11-04
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22
Debian DSA-1929-1 linux-2.6 2009-11-05
Debian DSA-1915-1 linux-2.6 2009-10-22

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2009-3288
Created: October 22, 2009
Updated: May 7, 2010
Description: From the National Vulnerability Database entry:

"The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device."

Alerts:
rPath rPSA-2010-0037-1 kernel 2010-05-07
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22

kernel: denial of service

Package(s): linux-2.6
CVE #(s): CVE-2009-3613
Created: October 23, 2009
Updated: December 22, 2009
Description: From the Debian advisory: Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames.
Alerts:
SuSE SUSE-SA:2009:064 kernel 2009-12-22
CentOS CESA-2009:1671 kernel 2009-12-18
Red Hat RHSA-2009:1671-01 kernel 2009-12-15
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
CentOS CESA-2009:1548 kernel 2009-11-04
Debian DSA-1915-1 linux-2.6 2009-10-22

kernel: privilege escalation

Package(s): kernel
CVE #(s): CVE-2009-3612
Created: October 27, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:

The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.

Alerts:
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2009:064 kernel 2009-12-22
CentOS CESA-2009:1670 kernel 2009-12-17
Red Hat RHSA-2009:1670-01 kernel 2009-12-15
SuSE SUSE-SA:2009:061 kernel 2009-12-14
Mandriva MDVSA-2009:329 kernel 2009-12-09
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Mandriva MDVSA-2009:301 kernel 2009-11-20
Debian DSA-1929-1 linux-2.6 2009-11-05
Fedora FEDORA-2009-10639 kernel 2009-10-21
Debian DSA-1927-1 linux-2.6 2009-11-05
Fedora FEDORA-2009-11038 kernel 2009-11-05
Debian DSA-1928-1 linux-2.6.24 2009-11-05

mapserver: integer overflow

Package(s): mapserver
CVE #(s): CVE-2009-2281
Created: October 23, 2009
Updated: October 28, 2009
Description: From the Debian advisory: An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or a large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840.
Alerts:
Debian DSA-1914-1 mapserver 2009-10-22

nginx: denial of service

Package(s): nginx
CVE #(s):
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Debian alert:

Jasson Bell discovered that a remote attacker could cause a denial of service (segmentation fault) by sending a crafted request.

Alerts:
Debian DSA-1920-1 nginx 2009-10-26

phpmyadmin: multiple vulnerabilities

Package(s): phpMyAdmin
CVE #(s): CVE-2009-3696 CVE-2009-3697
Created: October 26, 2009
Updated: October 28, 2009
Description:

From the CVE entries:

CVE-2009-3696: Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.

CVE-2009-3697: SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.

Alerts:
SuSE SUSE-SR:2009:017 php5, newt, rubygem-actionpack, rubygem-activesupport, java-1_4_2-ibm, postgresql, samba, phpMyAdmin, viewvc 2009-10-26
Debian DSA-1918-1 phpmyadmin 2009-10-25

poppler: denial of service

Package(s): poppler
CVE #(s): CVE-2009-3605
Created: October 23, 2009
Updated: March 5, 2010
Description: From the Ubuntu advisory: It was discovered that poppler contained multiple security issues when parsing malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program.
Alerts:
Gentoo 201310-03 poppler 2013-10-06
Mandriva MDVSA-2011:175 poppler 2011-11-15
Mandriva MDVSA-2010:055 poppler 2010-03-04
Mandriva MDVSA-2009:346 kde 2009-12-29
Mandriva MDVSA-2009:334 poppler 2009-12-17
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Ubuntu USN-850-2 poppler 2009-10-22
Slackware SSA:2009-302-02 poppler 2009-10-29
Slackware SSA:2009-302-01 xpdf 2009-10-29

python-markdown2: multiple vulnerabilities

Package(s): python-markdown2
CVE #(s):
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora alert:

Update from 1.0.1.11 to 1.0.1.15, which fixes some issues, including these two security-related bugs:

- [Issue 30] Fix a possible XSS via JavaScript injection in a carefully crafted image reference (usage of double-quotes in the URL).
- [Issue 29] Fix security hole in the md5-hashing scheme for handling HTML chunks during processing.

Alerts:
Fedora FEDORA-2009-10329 python-markdown2 2009-10-09
Fedora FEDORA-2009-10377 python-markdown2 2009-10-09

rubygem-actionpack: information leak

Package(s): rubygem-actionpack
CVE #(s): CVE-2009-3086
Created: October 26, 2009
Updated: June 15, 2011
Description:

From the CVE entry:

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

Alerts:
Debian DSA-2260-1 rails 2011-06-14
Gentoo 200912-02 rails 2009-12-20
SuSE SUSE-SR:2009:017 php5, newt, rubygem-actionpack, rubygem-activesupport, java-1_4_2-ibm, postgresql, samba, phpMyAdmin, viewvc 2009-10-26

sahana: file exposure vulnerability

Package(s): sahana
CVE #(s):
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:

The first issue would allow an attacker to touch/modify any file on the system. Essentially the issue is that get, post, and requests aren't sanitized or unescaped.

Alerts:
Fedora FEDORA-2009-10718 sahana 2009-10-27
Fedora FEDORA-2009-10822 sahana 2009-10-27

slim: current directory exposure in default path

Package(s): slim
CVE #(s):
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:

The SLiM display manager includes the current directory in its default path, which opens up users to trojan attacks and other unexpected behavior. It should be removed from the default config.

Alerts:
Fedora FEDORA-2009-10475 slim 2009-10-14
Fedora FEDORA-2009-10461 slim 2009-10-14

systemtap: multiple DOS vulnerabilities

Package(s): systemtap
CVE #(s): CVE-2009-2911
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:

Multiple denial of service flaws were found in the SystemTap instrumentation system, when the --unprivileged mode was activated:

a, Kernel stack overflow allows local attackers to cause denial of service or execute arbitrary code via long number of parameters, provided to the print* call.

b, Kernel stack frame overflow allows local attackers to cause denial of service via specially-crafted user-provided DWARF information.

c, Absent check(s) for the upper bound of the size of the unwind table and for the upper bound of the size of each of the CIE/CFI records, could allow an attacker to cause a denial of service (infinite loop).

Alerts:
Fedora FEDORA-2009-10719 systemtap 2009-10-27
Fedora FEDORA-2009-10849 systemtap 2009-10-27

viewvc: multiple vulnerabilities

Package(s): viewvc
CVE #(s): CVE-2009-3618 CVE-2009-3619
Created: October 26, 2009
Updated: October 28, 2009
Description:

From the Tenable advisory:

Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619).

Alerts:
SuSE SUSE-SR:2009:017 php5, newt, rubygem-actionpack, rubygem-activesupport, java-1_4_2-ibm, postgresql, samba, phpMyAdmin, viewvc 2009-10-26

wordpress: denial of service

Package(s): wordpress
CVE #(s):
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:

A denial of service (resource exhaustion) flaw was found in the way WordPress used to handle HTTP headers contained in the "trackback" message sent to WordPress. A local, unprivileged user could send a specially-crafted trackback message to a running instance of WordPress, leading to its crash.

Alerts:
Fedora FEDORA-2009-10793 wordpress 2009-10-27
Fedora FEDORA-2009-10795 wordpress 2009-10-27

Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds