Security
Mozilla PiCL and multi-level security
Firefox users have been able to synchronize various browser features between multiple desktops and mobile devices for several years: bookmarks, history, preferences, and even installed add-ons. But that synchronization comes with a risk; the data stored remotely on the synchronization server must be protected—some of it has privacy implications, while other data (such as saved passwords) pose much greater problems if stolen. Mozilla only stores encrypted data on the server, but it is still working to make improvements. It recently began to publicize its plans for the future of the Firefox Sync service, called "Profile in the Cloud" (PiCL). The plan calls for a number of changes to the security architecture. One is a move away from requiring full-strength cryptographic keys, while another is the ability to separate high-value and low-value data for separate classes of security.
Mozilla developer Brian Warner posted a blog entry about PiCL on July 23. The architecture document on the Mozilla wiki provides an overview of the revised system, which will evidently add to the data types currently synchronized by Firefox Sync (including WebRTC bridging providers, social API preferences, and file storage). Warner's post, however, focuses on the security model.
The biggest user-visible change is likely to be the dropping of Firefox Sync's existing credentials (a username, email address, and separate encryption key) in favor of a simpler email-address–plus–password approach. But the real magic takes place behind the scenes: PiCL will offer multiple security levels and will better protect the cryptographic key that protects user data, but users will only need to remember their chosen password.
Currently, Firefox Sync randomly generates a full-strength cryptographic key on the browser, encrypts user data with it, and uploads the encrypted file to the Sync server. The key itself is stored on the user's computer, not the server. In addition, users also set up an account on the Firefox Sync server, using an email address and a user-selected password. This email/password combination is only used to completely reset an account if the key is lost.
Building levels
The revised plan as described by Warner rearranges the pieces somewhat. Users will still set up an account using their email address and a selected password, although the account setup system will make use of Mozilla's Persona, which did not exist when the current Firefox Sync system was rolled out. But, more importantly, the email/password pair will be used to derive encryption keys. Yes, there are keys, plural: for starters, one (known as kA) corresponds to the "class A" or low-value data set and one (kB) corresponds to the "class B" or high-value data set.
An important facet of the new design is that it offers users the choice between two storage options: class A data can be recovered by Mozilla, while class B data cannot. Users can choose which synchronization data is assigned to which class; Mozilla may default to saving passwords as class B and everything else as class A, but that decision is not yet final. Users can also change their minds after the initial setup, and move data from one class to another. In addition to this feature, the plan also takes steps to make brute-force attacks against account passwords as expensive as possible, even in the event of compromised servers at Mozilla.
The higher-security kB key is created client side by the browser, which then sends a verification code—but not kB itself—to the PiCL server. The server, in turn, creates kA when it creates the user's account, which is what allows class A data to be recovered in the event that the user forgets his or her password. Warner describes the key-generation and account-setup process on the Mozilla wiki. Among the salient points is that kB, even though it is derived from a user-selected password, must be strengthened as much as possible to make it resistant to brute-force guessing. PiCL does this by salting and then stretching the email/password pair on the client side. Warner cites Password-Based Key Derivation Function 2 (PBKDF2, from RFC 2898), which is computationally expensive, and scrypt, which is memory-expensive, as the stretching techniques. There are some initial parameters for the stretching algorithms under discussion, but they do not appear to be final as of now.
Naturally, even after stretching, kB will not be as random as the cryptographically strong key currently used by Firefox Sync, but the overall PiCL system takes more effort to protect kB against discovery. For comparison, the Firefox Sync system relays the user's key to each synchronized client using the J-PAKE protocol, meaning it is stored locally on multiple devices as well as occasionally being sent across the network. It is not sent in the clear, of course, but it is sent, so there are always possible attack vectors. In contrast, kB does not leave the local machine, and is never stored on any device.
In a synchronization session, the client proves to the server that it possesses kB using the Secure Remote Password (SRP) protocol. The client prompts the user for the email/password combination, derives kB, then calculates an SRP verifier code to send to the server. The server can then send encrypted class B data back to the client to use or modify as desired.
The situation for class A data is much simpler, as the server generates and possesses kA. The current plan is to use kA and kB to derive several distinct AES HMAC encryption keys (using HKDF, the HMAC-based Key Derivation Function), one for each type of data stored (e.g., passwords or preferences). Whether kA or kB is used to create the per-datatype key depends on the class in which the user wishes to save the data. Encrypting each type (e.g., bookmarks, passwords, or history) separately permits the user to have a change of heart about whether a particular data type should be saved in class A or class B.
Architecture and trade-offs
PiCL also differs from Firefox Sync in that it uses two separate servers: a keyserver, which stores kA and the kB verification code for each account, and a storage server which retains the actual encrypted data. The benefit is that both the keyserver and the storage server must be compromised for an attacker to gain access to any data, and if that happened, only the class A data would be revealed. This, Warner notes, makes class A data no more vulnerable than any "service provider holds everything" scenario, while also offering a higher level of protection with class B. Another benefit is that an attacker compromising the storage server alone would not be able to steal any keys.
Warner also points out the known vulnerabilities of the system. A user's email provider, for instance, can intercept the account-setup and account-reset emails, and obtain access to class A data. For that matter, the email provider can fake the entire password-reset process and hide that fact from the user. As for class B data, even though kB is never sent over the network (nor are the password and salt that generates it), the keyserver does retain a copy of the kB verifier code, so an attacker could attempt to guess the password by brute force. Furthermore, an attacker that compromises the keyserver can perform this attack offline. The password-stretching process is meant to make this attack as expensive as possible, but ultimately if you choose a guessable password you will make the attacker's life easier.
PiCL is still under heavy development; Warner asked for feedback on the keyserver protocol in his blog post. But there are already several features of note. First, the ability to separate high-value and low-value data will likely garner fans, especially among those who have lost an irrecoverable Firefox Sync password previously. Interestingly enough, some earlier draft documents on the wiki discuss even more security levels, so Mozilla clearly sees this as a feature desired by its users.
Second, separating the keyservers and storage servers on Mozilla's end does offer some additional protections, although it does so at the cost of additional complexity. Mozilla can presumably afford to manage this complexity, but one of the nicest features of Firefox Sync is that it is possible to run a private synchronization server. It will be harder for self-hosting users to take advantage of the split-server model. Finally, it is an interesting question (probably open for lengthy debate) whether or not the stretched-password kB key in PiCL is more secure than the random key in Firefox Sync. One is more random and thus harder to guess, but it is also transmitted over the network and stored. Since users cannot memorize the random Firefox Sync key, it must be stored—but that makes it more vulnerable to theft. The one thing everyone will agree with is that the two systems illustrate the classic security/convenience trade-off.
The name "Profile in the Cloud" certainly suggests the ability to synchronize lots and lots more data, and "the cloud" is not exactly synonymous with secure storage of private data. Thus, it will be interesting to watch where PiCL heads next. Perhaps simply forcing users to actively think about security "classes" will, if nothing else, raise awareness of the risks of storing personal information remotely.
Brief items
Security quotes of the week
We've seen this trick before. In a case EFF handled in 2009, Boston College police used the fact that our client worked on a Linux operating system with "a black screen with white font" as part of a basis for a search warrant. Luckily the Massachusetts Supreme Court tossed out the warrant after EFF got involved, but who knows what would have happened had we not been there.
Cameron, through a series of inane and grandstanding statements and pronouncements both deeply technically clueless and shamelessly politically motivated, has been channeling Napoleon by placing the clown prince crown on his own head.
Laughing at his antics would be a terrible mistake. For his wet dream of Internet censorship poses an enormous risk not only to the UK, but to other nations around the world who might seek comfort in his idiocy for their own censorship regimes (already, calls have been made in Canada to emulate Cameron's proposed model).
Janik: Tor exit node for less than a week
On his blog, Tim Janik reports on his efforts to run a Tor exit node. Unfortunately, he was shut down quickly—because of the terms of service of his server provider. "It turned out the notice had a twist to it. It was actually my virtual server provider who sent that notice on behalf of a complaining party and argued that I was in violation of their general terms and conditions for purchasing hosting services. Checking those, the conditions read: "Use of the server to provide anonymity services is excluded." Regardless of the TMG [German telecommunications law], I was in violation of the hosting provider’s terms and conditions which allowed premature termination of the hosting contract. At that point I had no choice but stopping the Tor services on this hosting instance."
Ubuntu's forums return
Canonical has announced the return of the Ubuntu forums to normal service; there is also a detailed description of how the system was compromised. "In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings." It all started with a cross-site scripting attack.
Now That It’s in the Broadband Game, Google Flip-Flops on Network Neutrality (Wired)
Wired has a report on Google's response [PDF] to Douglas McClendon's complaint about "servers" being prohibited on Google Fiber. The response, which was ordered by the US Federal Communications Commission (FCC), states that Google Fiber can prohibit servers by noting, in part, that other providers' Terms of Service do likewise. But that flies in the face of earlier support for network neutrality as espoused by the company. "But, it turns out that Google's real net neutrality policy is that big corporate services like YouTube and Facebook shouldn't get throttled or banned by evil ISPs like Verizon, but it's perfectly fine for Google to control what devices citizens can use in their homes. We, it seems, are supposed to be good consumers of cloud services, not hosting our own Freedom Boxes, media servers, small-scale commercial services or e-mail servers."
New vulnerabilities
389-ds-base: information disclosure
| Package(s): | 389-ds-base | CVE #(s): | CVE-2013-2219 | ||||||||||||||||||||||||
| Created: | July 31, 2013 | Updated: | July 31, 2013 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was discovered that the 389 Directory Server did not honor defined attribute access controls when evaluating search filter expressions. A remote attacker (with permission to query the Directory Server) could use this flaw to determine the values of restricted attributes via a series of search queries with filter conditions that used restricted attributes. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
bind9: denial of service
| Package(s): | bind9 | CVE #(s): | CVE-2013-4854 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 29, 2013 | Updated: | August 19, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that is not properly handled during construction of a log message, as exploited in the wild in July 2013. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
fdupes: file permission overwrite
| Package(s): | fdupes | CVE #(s): | |||||||||||||
| Created: | July 31, 2013 | Updated: | July 31, 2013 | ||||||||||||
| Description: | From the Red Hat bugzilla:
A SUSE bug report noted a problem with how fdupes is used in the %fdupes RPM macro. When there are two files with identical content that differs in owner/group/permissions, the %fdupes macro overwrites one of the files with a link that effectively gives both files the same owner/group/permissions. If one of the files has tighter permissions than the other, this could result in one of the files having more relaxed permissions than appropriate. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gnupg: information leak
| Package(s): | gnupg | CVE #(s): | CVE-2013-4242 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 30, 2013 | Updated: | June 10, 2014 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Yarom and Falkner discovered that RSA secret keys could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
java-1_6_0-ibm: multiple unspecified vulnerabilities
| Package(s): | java-1_6_0-ibm | CVE #(s): | CVE-2013-3009 CVE-2013-3011 CVE-2013-3012 CVE-2013-4002 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 26, 2013 | Updated: | October 7, 2014 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the SUSE bug reports: Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3011 and CVE-2013-3012. (CVE-2013-3009) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3012. (CVE-2013-3011) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3011. (CVE-2013-3012) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors. (CVE-2013-4002) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
java-1_7_0-ibm: multiple unspecified vulnerabilities
| Package(s): | java-1_7_0-ibm | CVE #(s): | CVE-2013-3006 CVE-2013-3007 CVE-2013-3008 CVE-2013-3010 | ||||||||
| Created: | July 26, 2013 | Updated: | July 31, 2013 | ||||||||
| Description: | From the SUSE bug reports: Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3008. (CVE-2013-3006) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006. (CVE-2013-3007) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006. (CVE-2013-3008) Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3007. (CVE-2013-3010) | ||||||||||
| Alerts: |
| ||||||||||
lcms2: denial of service
| Package(s): | lcms2 | CVE #(s): | CVE-2013-4160 | ||||||||||||||||||||
| Created: | July 30, 2013 | Updated: | May 5, 2016 | ||||||||||||||||||||
| Description: | From the Ubuntu advisory:
It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
mysql: multiple vulnerabilities
| Package(s): | mysql-5.5, mysql-dfsg-5.1 | CVE #(s): | CVE-2013-2162 CVE-2013-3783 CVE-2013-3793 CVE-2013-3809 CVE-2013-3812 | ||||||||||||||||||||
| Created: | July 26, 2013 | Updated: | August 14, 2013 | ||||||||||||||||||||
| Description: | From the Debian and Ubuntu bug reports:
CVE-2013-2162: The file "/etc/mysql/debian.cnf", which contains plain text credentials for the "debian-sys-maint" mysql user, is created in an insecure manner during the package installation phase. This can lead a non-privileged local user to disclose its content and use this special account to perform administration tasks. CVE-2013-3783: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Parser. CVE-2013-3793: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. CVE-2013-3809: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Audit Log. CVE-2013-3812: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
openafs: two encryption flaws
| Package(s): | openafs | CVE #(s): | CVE-2013-4134 CVE-2013-4135 | ||||||||||||||||
| Created: | July 25, 2013 | Updated: | July 31, 2013 | ||||||||||||||||
| Description: | From the Scientific Linux advisory: OpenAFS uses Kerberos tickets to secure network traffic. For historical reasons, it has only supported the DES encryption algorithm to encrypt these tickets. The weakness of DES's 56 bit key space has long been known, however it has recently become possible to use that weakness to cheaply (around $100) and rapidly (approximately 23 hours) compromise a service's long term key. An attacker must first obtain a ticket for the cell. They may then use a brute force attack to compromise the cell's private service key. Once an attacker has gained access to the service key, they can use this to impersonate any user within the cell, including the super user, giving them access to all administrative capabilities as well as all user data. Recovering the service key from a DES encrypted ticket is an issue for any Kerberos service still using DES (and especially so for realms which still have DES keys on their ticket granting ticket). (CVE-2013-4134) The -encrypt option to the 'vos' volume management command should cause it to encrypt all data between client and server. However, in versions of OpenAFS later than 1.6.0, it has no effect, and data is transmitted with integrity protection only. In all versions of OpenAFS, vos -encrypt has no effect when combined with the -localauth option. (CVE-2013-4135) | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
phpmyadmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2013-4995 CVE-2013-4996 CVE-2013-4998 CVE-2013-5000 CVE-2013-5002 CVE-2013-5003 | ||||||||||||||||||||||||||||||||
| Created: | July 30, 2013 | Updated: | July 30, 2014 | ||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
* XSS due to unescaped HTML Output when executing a SQL query (CVE-2013-4995). * 5 XSS vulnerabilities in setup, chart display, process list, and logo link. If a crafted version.json would be presented, an XSS could be introduced (CVE-2013-4996). * Full path disclosure vulnerabilities (CVE-2013-4998, CVE-2013-5000). * Self-XSS due to unescaped HTML output in schema export (CVE-2013-5002). * SQL injection vulnerabilities, producing a privilege escalation (control user) (CVE-2013-5003). | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
rubygem-passenger: insecure temporary directory usage
| Package(s): | rubygem-passenger | CVE #(s): | CVE-2013-4136 | ||||||||||||||||||||
| Created: | July 31, 2013 | Updated: | August 23, 2013 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
It was reported [1],[2] that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances. This has been corrected in upstream version 4.0.8 via two fixes (the initial fix and a regression fix; both are required to fully fix the issue). This is an issue similar to CVE-2013-2119. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-4927 CVE-2013-4929 CVE-2013-4930 CVE-2013-4931 CVE-2013-4932 CVE-2013-4933 CVE-2013-4934 CVE-2013-4935 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 29, 2013 | Updated: | September 30, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
The Bluetooth SDP dissector could go into a large loop (CVE-2013-4927). The DIS dissector could go into a large loop (CVE-2013-4929). The DVB-CI dissector could crash (CVE-2013-4930). The GSM RR dissector (and possibly others) could go into a large loop (CVE-2013-4931). The GSM A Common dissector could crash (CVE-2013-4932). The Netmon file parser could crash (CVE-2013-4933, CVE-2013-4934). The ASN.1 PER dissector could crash (CVE-2013-4935). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>