Security
SELinuxDenyPtrace and security by default
The Unix process model gives each process its own address space and isolates processes from each other; one process cannot access another's memory unless the two have explicitly agreed to share it. This boundary should enable one process to keep secrets from another, but there is an exception: the walls between processes can be breached with the ptrace() system call. With the goal of improving security, distributors have been making changes to make that wall harder to penetrate. But, as a discussion regarding security options in the upcoming Fedora 17 release shows, there is an ongoing tension between the goals of improving security and making a distribution that is useful to its users.

ptrace() exists primarily to facilitate debugging; it is used by debuggers like gdb to stop and start a process, set breakpoints, and examine and change memory contents. Other useful commands, like strace, also need ptrace() to function properly. The rules for ptrace() were designed in the era of relatively isolated, multi-user systems; their primary intent is to protect users from each other. So an unprivileged user is unable to use ptrace() on a process owned by a different user. But any user can employ ptrace() freely on his or her own processes.
As Dan Walsh has noted, the effects of this policy can be surprising for contemporary users:
In other words, anybody who can run code as a given user (through an exploit, say, or via a browser plugin) can use ptrace() to examine (and change) the behavior and memory of any other process owned by that user. The potential for the compromise of personal information is clear. How to solve that problem is, perhaps, a bit less so.
Dan's answer is a Fedora feature called SELinuxDenyPtrace. As one might expect from the name, this feature uses SELinux policy to disable access to the ptrace() command for all users. When Fedora's engineering steering committee (FESCO) approved this feature for the Fedora 17 release, most of its members were apparently under the impression that the feature would be turned off by default; indeed, the feature page still says:
Given that, a number of early testers of the upcoming Fedora 17 beta release have been surprised to discover that the feature is, instead, turned on by default. As a result, commands like gdb and strace fail to work. The KDE "DrKonqi" crash reporter is also broken by this setting. Needless to say, software development on such a system is a less enjoyable task. The resulting behavior is also simply surprising; as Mark Wielaard put it when he raised the issue:
Dan responded that "if you understand what ptrace or gdb are, you probably can figure out how to turn this feature off." Others, however, have argued that a Fedora install should be useful to developers by default and that forcing developers to figure out how to toggle an SELinux setting is a step in the wrong direction. As of this writing, it appears that this argument has prevailed and that ptrace() will be enabled by default in the Fedora 17 final release.
Should that happen, though, the question is likely to return in the Fedora 18 cycle. And Fedora is not alone in this quest; Ubuntu, too, has disabled the use of ptrace() by default, though the mechanism used in this case (the Yama security module) is different. Various other attempts to restrict the capabilities of running processes exist; these include Android's "every program gets its own user ID" model, reducing the set of available system calls with seccomp, and more. There appears to be little disagreement with the idea that we are surrounded by security threats and that our systems need to become more secure as a result. Protecting a single user's processes from each other is one way (out of many) to address those threats.
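The same-user boundary described above, and the per-process opt-in that the Yama module offers, as an added C example that is not part of the article: a forked child running as the same user tries to ptrace-attach to its parent and read one word out of the parent's memory. Under the classic rules (Yama ptrace_scope 0, or no Yama at all) the read succeeds; with Ubuntu's default scope 1 it is refused with EPERM unless the parent has named the child with PR_SET_PTRACER; under a system-wide deny such as the SELinux deny_ptrace boolean it is refused either way. The names ptrace_demo, read_secret_from, yama_ptrace_scope and the constructed DEMO_SECRET value are the example's own.

```c
/* Added example (not from the LWN article): the same-user ptrace boundary
 * and Yama's PR_SET_PTRACER opt-in.  All names here are the demo's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER            /* older headers lack the Yama prctl constant */
#define PR_SET_PTRACER 0x59616d61
#endif

#define DEMO_SECRET 0x5ec7e7L     /* constructed value the "victim" keeps in memory */
static volatile long secret = DEMO_SECRET;

enum { PT_DENIED = 0, PT_READ_OK = 1, PT_ERROR = -1 };

/* Current Yama setting; -1 when the file is absent (Yama not built in). */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL) return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Tracer side, run in the child: attach to an ancestor (the parent), read
 * `secret` from its address space, detach.  Yama scope 1 refuses a
 * non-descendant tracee unless it opted in; scope 0 allows any same-user pid. */
static int read_secret_from(pid_t tracee)
{
    if (ptrace(PTRACE_ATTACH, tracee, NULL, NULL) == -1)
        return errno == EPERM ? PT_DENIED : PT_ERROR;
    int status;                   /* a tracee is wait()able by its tracer */
    if (waitpid(tracee, &status, 0) == -1 || !WIFSTOPPED(status))
        return PT_ERROR;
    errno = 0;                    /* PEEKDATA returns the word; errors come via errno */
    long word = ptrace(PTRACE_PEEKDATA, tracee, (void *)&secret, NULL);
    int rc = (errno == 0 && word == DEMO_SECRET) ? PT_READ_OK : PT_ERROR;
    ptrace(PTRACE_DETACH, tracee, NULL, NULL);
    return rc;
}

/* Fork a same-user child that tries to read this process's memory.
 * allow_child = 1 opts in with PR_SET_PTRACER (honoured by Yama); 0 does not.
 * Returns PT_READ_OK, PT_DENIED or PT_ERROR. */
int ptrace_demo(int allow_child)
{
    int sync[2];
    if (pipe(sync) == -1) return PT_ERROR;
    pid_t child = fork();
    if (child == -1) return PT_ERROR;
    if (child == 0) {
        char go;
        close(sync[1]);
        if (read(sync[0], &go, 1) != 1) _exit(255);   /* wait for the parent's decision */
        int rc = read_secret_from(getppid());
        _exit(rc == PT_ERROR ? 255 : rc);
    }
    close(sync[0]);
    if (allow_child)              /* fails with EINVAL when Yama is absent; harmless */
        prctl(PR_SET_PTRACER, (unsigned long)child, 0, 0, 0);
    if (write(sync[1], "g", 1) != 1) kill(child, SIGKILL);
    close(sync[1]);
    int status;                   /* we are stopped briefly while the child reads us */
    if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status)) return PT_ERROR;
    int code = WEXITSTATUS(status);
    return code == 255 ? PT_ERROR : code;
}

int main(void)
{
    printf("yama ptrace_scope: %d\n", yama_ptrace_scope());
    printf("child reading parent, no opt-in      : %d\n", ptrace_demo(0));
    printf("child reading parent, PR_SET_PTRACER : %d\n", ptrace_demo(1));
    return 0;
}
```

Build with `cc -o ptrace_demo ptrace_demo.c` and run it on a system with ptrace_scope at 0 and again at 1 to see the first result flip from 1 to 0 while the opted-in second result stays 1; under a blanket deny (scope 2 or higher, or Fedora's boolean, which `getsebool deny_ptrace` reports) both rows read 0. The PR_SET_PTRACER call is the hook a crash reporter or debugger helper can use to stay functional when a distribution ships with scope 1, without reopening ptrace for every process the user runs.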
On the other hand, there is disagreement over the extent to which becoming more secure should inconvenience or disrupt the work of users. A powered-down machine is quite resilient against online attacks, but users tend to complain about how long it takes to get their work done on such a system. Security developers naturally tend to see the costs of their work as small, easily borne, and more than justified by the benefits; users, for whom the costs are much more immediate, tend to disagree. The result is a lot of tension surrounding security-related decisions.
To an extent, this tension can be a good thing; it can, in the long term, motivate the development of more useful and less intrusive security technologies. But it can frustrate users, who may feel that functionality is being taken from them for no good reason; it can also frustrate security developers who find their efforts to protect those users thwarted. Unfortunately, there is often no easy answer; security is a trade-off with both costs and benefits. So, while the default setting for deny_ptrace in Fedora 17 may have been pushed in the "convenience for users" direction, we can expect the wider discussion to be with us for some time.
Brief items
Security quote of the week
DRM is like the anti-theft sensors by the doors at the drugstore. The sensors go off all the time, but they still can’t stop a crafty teenager who knows how to remove a magnetic tag — nor can they stop criminals who break in and steal directly from the till. Similarly, DRM prevents a lot of legitimate, noncriminal usage while remaining unable to stop actual, intentional piracy, or its crafty teenage equivalent: someone with internet access and the ability to type “remove DRM” into Google.
Remote root hole in Samba
The Samba team has announced the release of versions 3.6.4, 3.5.14 and 3.4.16 containing a fix for a remote code execution vulnerability. "As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately." Distributor updates should start showing up in the near future.
Update: the Samba 4 alpha releases are vulnerable as well; 4.0alpha19 has been released with a fix.
AT&T Microcell FAIL (FailOverflow)
The FailOverflow site has an amusing look inside an AT&T microcell box which, naturally, runs Linux. "The backdoor uses simple UDP packets to transmit requests and receive responses. There are a number of operations supported, but the most useful one is called ‘BackdoorPacketCmdLine’. Yes. It’s actually called ‘Backdoor’. This command lets you execute any linux command. Execution is performed using the backticksh function." This port turns out to be globally accessible. (Thanks to Paul Wise).
Wheeler: Insecure open source software libraries?
David A. Wheeler cautions against the practice of using bundled libraries. This is probably not news to many LWN readers, but it does serve as a reminder. "An advantage of OSS is that many people can review the software, find problems (including vulnerabilities), and fix them… but this advantage is lost if the fixed versions are not used!"
Medical device hack attacks may kill, researchers warn (BBC News)
GNOME foundation executive director Karen Sandler makes an appearance in a BBC News article about the security risks of medical implants:
Unfortunately, she told the BBC, the implant's maker would not reveal its software. Its reassurances about the code's integrity did not help.
"Knowing what I know about software I'm sure it'll have bugs," she said.
Ms Sandler was also worried about the fact that increasing numbers of implants broadcast information all the time. That wireless link was a step too far for her.
LWN has covered several talks (1, 2) that Sandler has given on this topic as well.
New vulnerabilities
chromium: multiple vulnerabilities
| Package(s): | chromium |
| --- | --- |
| CVE #(s): | CVE-2011-3066 CVE-2011-3067 CVE-2011-3068 CVE-2011-3069 CVE-2011-3070 CVE-2011-3071 CVE-2011-3072 CVE-2011-3073 CVE-2011-3074 CVE-2011-3075 CVE-2011-3076 CVE-2011-3077 |
| Created: | April 11, 2012 |
| Updated: | October 26, 2012 |
| Description: | Versions of the chromium browser prior to 18.0.1025.151 suffer from multiple information disclosure, code execution, and denial of service vulnerabilities. |
| Alerts: | |
drupal7-ctools: cross-site scripting
| Package(s): | drupal7-ctools |
| --- | --- |
| CVE #(s): | |
| Created: | April 9, 2012 |
| Updated: | April 11, 2012 |
| Description: | From the Drupal advisory: This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The module doesn't appropriately filter user signatures when rendering comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments" and a site must use Chaos tool suite to render comments. Versions affected: Chaos tool suite 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. |
| Alerts: | |
inspircd: code execution
| Package(s): | inspircd |
| --- | --- |
| CVE #(s): | CVE-2012-1836 |
| Created: | April 10, 2012 |
| Updated: | July 20, 2015 |
| Description: | From the CVE entry: Heap-based buffer overflow in dns.cpp in InspIRCd 2.0.5 might allow remote attackers to execute arbitrary code via a crafted DNS query that uses compression. |
| Alerts: | |
openstack-keystone: denial of service
| Package(s): | openstack-keystone |
| --- | --- |
| CVE #(s): | CVE-2012-1572 |
| Created: | April 9, 2012 |
| Updated: | April 11, 2012 |
| Description: | From the Red Hat bugzilla: A vulnerability in how Keystone handles extremely long passwords was discovered. When Keystone is validating a password, glibc allocated space on the stack for the entire password. If the password is long enough, stack space can be exhausted which will lead to a crash. A remote attacker could use this to cause a crash in Keystone by submitting a long password when attempting to log into an existing account; an attacker must know an existing account name to attempt the login with for this attack to be successful. |
| Alerts: | |
puppet: multiple vulnerabilities
| Package(s): | puppet |
| --- | --- |
| CVE #(s): | CVE-2012-1906 CVE-2012-1986 CVE-2012-1987 CVE-2012-1988 CVE-2012-1989 |
| Created: | April 11, 2012 |
| Updated: | August 15, 2012 |
| Description: | Puppet contains a set of vulnerabilities that can enable arbitrary file overwrite via Mac OS X package files (CVE-2012-1906), enable reading of arbitrary files (CVE-2012-1986), perform denial of service attacks (CVE-2012-1987), execute arbitrary code (CVE-2012-1988), or overwrite arbitrary files via symbolic links (CVE-2012-1989). |
| Alerts: | |
python-paste-script: insecure root GID accessible files
| Package(s): | python-paste-script |
| --- | --- |
| CVE #(s): | CVE-2012-0878 |
| Created: | April 9, 2012 |
| Updated: | August 28, 2012 |
| Description: | From the Red Hat bugzilla: A security flaw was found in the way Paster, a pluggable command-line frontend, when started as root (for example to have access to privileged port) to serve a web based application, performed privileges dropping upon startup (supplementary groups were not dropped properly regardless of the UID, GID specified in the .ini configuration file or in the --user and --group CL arguments). A remote attacker could use this flaw for example to read / write root GID accessible files, if the particular web application provided remote means for local file manipulation. |
| Alerts: | |
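The privilege-dropping order that the description above says was missing, as an added C example that is not the Paste project's code: supplementary groups are cleared with setgroups() while the process is still root, then the GID and the UID are set with the setres*() calls so the saved IDs go too, and an audit function reports anything left behind (a leftover group membership is exactly what let the root-GID files stay readable). The function and constant names (drop_privileges, check_privileges_dropped, the DROP_* and WRONG_*/EXTRA_GROUPS/CAN_REGAIN values) and the uid/gid 65534 used in main() are the example's own choices.

```c
/* Added example (not Paste's code): drop root to an unprivileged uid/gid in
 * the safe order and audit the result.  The step the CVE-2012-0878 text says
 * Paster skipped is the setgroups() call. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_NOT_PRIVILEGED = 1, DROP_FAILED = -1 };
/* Bits returned by check_privileges_dropped(); 0 means nothing is wrong. */
enum { WRONG_UID = 1, WRONG_GID = 2, EXTRA_GROUPS = 4, CAN_REGAIN = 8 };

/* Audit: does the caller really run as uid/gid, with no extra group
 * memberships and no saved IDs it could switch back to? */
int check_privileges_dropped(uid_t uid, gid_t gid)
{
    int problems = 0;
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return WRONG_UID | WRONG_GID;
    if (ru != uid || eu != uid) problems |= WRONG_UID;
    if (rg != gid || eg != gid) problems |= WRONG_GID;
    if (su != uid || sg != gid) problems |= CAN_REGAIN;   /* saved IDs allow a switch back */

    /* Supplementary groups: any group other than the target gid is a leftover
     * membership (root's own groups, say) that permission checks still honour. */
    int n = getgroups(0, NULL);
    if (n > 0) {
        gid_t *groups = calloc((size_t)n, sizeof *groups);
        if (groups != NULL && getgroups(n, groups) == n)
            for (int i = 0; i < n; i++)
                if (groups[i] != gid) problems |= EXTRA_GROUPS;
        free(groups);
    }
    return problems;
}

/* Drop from root to uid/gid.  Returns DROP_OK, DROP_NOT_PRIVILEGED (caller was
 * not root, so nothing was changed) or DROP_FAILED (partial drop; do not serve). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return DROP_NOT_PRIVILEGED;
    /* 1. Supplementary groups first: only root may call setgroups(). */
    if (setgroups(1, &gid) == -1)
        return DROP_FAILED;
    /* 2. GID before UID (the GID change needs root); setres* also replaces
     *    the saved IDs so the drop cannot be undone later. */
    if (setresgid(gid, gid, gid) == -1)
        return DROP_FAILED;
    if (setresuid(uid, uid, uid) == -1)
        return DROP_FAILED;
    /* 3. Verify: regaining root must fail and the audit must be clean. */
    if (setuid(0) != -1)
        return DROP_FAILED;
    return check_privileges_dropped(uid, gid) == 0 ? DROP_OK : DROP_FAILED;
}

int main(void)
{
    const uid_t uid = 65534;   /* "nobody" on many systems; a demo choice */
    const gid_t gid = 65534;
    int rc = drop_privileges(uid, gid);
    printf("drop_privileges: %s\n",
           rc == DROP_OK ? "ok" :
           rc == DROP_NOT_PRIVILEGED ? "not root, nothing dropped" : "FAILED");
    int audit = check_privileges_dropped(uid, gid);
    printf("audit bits: %d (1=uid 2=gid 4=extra groups 8=saved ids)\n", audit);
    return rc == DROP_OK ? 0 : 1;
}
```

Run as root to see the full drop and a clean audit; run as an ordinary user and the program reports that it had nothing to drop rather than claiming success. The audit is the part worth reusing: a daemon that drops privileges can call it after startup and refuse to serve if any bit is set, which would have caught the missing setgroups() call in Paster before any request was handled.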
samba: remote code execution
| Package(s): | samba |
| --- | --- |
| CVE #(s): | CVE-2012-1182 |
| Created: | April 11, 2012 |
| Updated: | March 11, 2013 |
| Description: | All versions of samba prior to 3.6.3 or 4.0alpha19 contain a vulnerability whereby an unauthenticated attacker can execute remote code as the root user. See this advisory for more information. |
| Alerts: | |
sectool: privilege escalation
| Package(s): | sectool |
| --- | --- |
| CVE #(s): | CVE-2012-1615 |
| Created: | April 9, 2012 |
| Updated: | April 11, 2012 |
| Description: | Installing sectool will grant users new permissions. See the Red Hat bugzilla for details. |
| Alerts: | |
taglib: multiple vulnerabilities
| Package(s): | taglib |
| --- | --- |
| CVE #(s): | CVE-2012-1108 CVE-2012-1107 CVE-2012-1584 |
| Created: | April 9, 2012 |
| Updated: | June 25, 2012 |
| Description: | From the Red Hat bugzilla [1], [2], [3]: 1) It was reported that, when parsing an Ogg file, a specially crafted Ogg file with control over the "vendorLength" field could cause a string allocation with that size. Control over the "commentFields", which is the number of times that "commentLength" is read, would allocate a string of size "commandLength", which could cause an application linked to taglib to crash. This has been fixed in upstream git. (CVE-2012-1108) 2) It was reported that a specially crafted ape media file with the sampleRate set to "0" could lead to an application crash due to a division by zero error. This has been fixed in upstream git. (CVE-2012-1107) 3) It was reported that taglib suffers from an integer overflow flaw when parsing file header fields. A file with a crafted header could cause a large allocation and crash the application. This has been corrected in git. (CVE-2012-1584) |
| Alerts: | |
tiff: code execution
| Package(s): | tiff libtiff |
| --- | --- |
| CVE #(s): | CVE-2012-1173 |
| Created: | April 5, 2012 |
| Updated: | April 23, 2012 |
| Description: | An integer overflow bug in the TIFF library is possibly exploitable (via a crafted image file) for the execution of arbitrary code. |
| Alerts: | |
virtualbox: multiple unspecified vulnerabilities
| Package(s): | virtualbox |
| --- | --- |
| CVE #(s): | CVE-2010-4414 CVE-2012-0105 CVE-2012-0111 |
| Created: | April 10, 2012 |
| Updated: | October 10, 2012 |
| Description: | From the CVE entries: Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Extensions. (CVE-2010-4414) Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Windows Guest Additions. (CVE-2012-0105) Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization 4.1 allows local users to affect confidentiality and integrity via unknown vectors related to Shared Folders. (CVE-2012-0111) |
| Alerts: | |
Page editor: Jake Edge