Security
ClamAV 0.98.3 adds features and asks for statistics
The latest update to the ClamAV open-source antivirus scanner has been released, bringing with it IPv6 support, improved performance, and an option to contribute virus-detection statistics back to the project. Although virus scanning is a comparatively rare task on Linux desktops, it still remains an important issue for those on other operating systems. Thus, a quality open-source program like ClamAV provides a useful alternative to the proprietary offerings, whether it is deployed on a mail server or run on individual Windows desktop machines.
The new release is numbered 0.98.3, and arrived on May 7. Source is available for download from SourceForge, as are Windows binaries for the ClamAV engine and its official Windows front-end Immunet. There are also unofficial Linux builds available for a variety of distributions.
The release announcement highlights a few functional changes outside of the core virus-recognition task. This includes the fact that ClamAV is now fully compatible with IPv6 addressing. The various components of a ClamAV deployment (such as the clamd scanning daemon, the freshclam virus-database updater, and the clamdtop monitoring program) can run over TCP sockets, but adding support for IPv6 has been a slow and piecemeal process, starting with ClamAV 0.94 back in 2008. Its completion in 0.98.3 hopefully means that the feature will be subjected to more rigorous testing.
ClamAV relies on hash functions to test possible virus payloads against its database of known malware. The new release moves from internal implementations of the various hash functions to using the implementations supplied by the OpenSSL library. The OpenSSL implementations are said to amount to a 70% performance speed-up, which is certainly a welcome improvement, but the change also makes OpenSSL a hard dependency. The ClamAV license has also been updated to include a GPL exception permitting the binary to be linked with OpenSSL. Such exceptions are not out of the ordinary (particularly for OpenSSL), but are still noteworthy for anyone who redistributes ClamAV.
The third major change in the new release is an option for users to submit virus-detection statistics back to the project. The feature is opt-in; it must be activated by supplying the appropriate (non-default) parameter to either the clamscan program or clamd daemon. The statistics collected cover the number and names of viruses identified, plus the sizes and hashes of files scanned. Collecting this type of information should, in theory, allow ClamAV to grow as a project; rather than rely solely on external information sources, it can analyze the threats its own users encounter.
Collecting virus-detection numbers is only part of that process, however. In February, the project launched another initiative to collect the actual signatures of viruses caught by ClamAV. Signatures contributed (through a web submission form, not as email attachments, for obvious reasons) by the community will be included in subsequent updates to ClamAV's virus database.
There are also several new features in ClamAV 0.98.3's virus-detection capabilities. The first of these is support for scanning additional raw disk image formats; new is support for master boot record (MBR), GUID Partition Table (GPT), and Apple Partition Map (APM) disks, though only those with 512-byte sectors. There is also improved detection of malware scripts embedded within image files, and the closing of a nasty bug through which a specially-crafted icon in a Windows Portable Executable (PE) file could be used to crash clamscan or clamd.
Finally, ClamAV has added initial support for working with OpenIOC files. OpenIOC is an XML-based format for storing and reporting security threat information (the acronym in the name stands for "Indicators of Compromise"). The OpenIOC format can be used to record a variety of different security issues; ClamAV's support at this time is limited to extracting file hashes from any virus-detection incidents. The extracted information is then added to ClamAV's own signature database. OpenIOC support is marked as experimental; it is not clear whether the ClamAV project has any interest in doing more than reading OpenIOC files.
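The two mechanisms described above, hash-based lookup of scanned files and extraction of file hashes from OpenIOC documents, are easier to see in a small worked example. The following is an added illustration, not ClamAV's code: it pulls the FileItem hash indicators out of a constructed OpenIOC 1.0 document, renders them in the hash:size:name shape that ClamAV's hash signature databases use (MD5 in .hdb, SHA-1/SHA-256 in .hsb, with `*` as the wildcard size), and matches a byte string against them. The namespace is the OpenIOC 1.0 schema namespace; the sample document, the signature name and the digests (both of the input `b"abc"`) are constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# OpenIOC 1.0 schema namespace (used by the constructed sample below).
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample document: one MD5 and one SHA-256 file-hash indicator.
# Both digests are those of the three-byte input b"abc".
SAMPLE_OPENIOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Example.Dropper.Constructed</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">900150983cd24fb0d6963f7d28e17f72</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# OpenIOC search terms that carry a file hash, and the hashlib algorithm for each.
HASH_SEARCHES = {"FileItem/Md5sum": "md5", "FileItem/Sha256sum": "sha256"}


def extract_hash_indicators(xml_text):
    """Return a list of (algorithm, hex digest, signature name) for every
    FileItem hash indicator with an exact-match ("is") condition."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    desc = root.find("ioc:short_description", NS)
    name = desc.text.strip() if desc is not None and desc.text else root.get("id", "unknown")
    found = []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        if ctx is None or content is None or not content.text:
            continue
        algo = HASH_SEARCHES.get(ctx.get("search", ""))
        if algo is None or item.get("condition") != "is":
            continue
        digest = content.text.strip().lower()
        # Accept only well-formed hex of the algorithm's digest length; a
        # malformed indicator must not become a signature that never fires.
        expected_len = hashlib.new(algo).digest_size * 2
        if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
            continue
        found.append((algo, digest, name))
    return found


def to_hash_signatures(indicators):
    """Render indicators as 'hash:size:name' lines; '*' stands in for the
    size because OpenIOC hash indicators do not carry one."""
    return ["%s:*:%s" % (digest, name) for _algo, digest, name in indicators]


def scan_bytes(data, indicators):
    """Hash the data once per algorithm and look each digest up in the
    indicator list; return the matching signature name or None."""
    computed = {}
    for algo, digest, name in indicators:
        if algo not in computed:
            computed[algo] = hashlib.new(algo, data).hexdigest()
        if computed[algo] == digest:
            return name
    return None


if __name__ == "__main__":
    inds = extract_hash_indicators(SAMPLE_OPENIOC)
    for line in to_hash_signatures(inds):
        print(line)
    print("b'abc'  ->", scan_bytes(b"abc", inds))
    print("b'abcd' ->", scan_bytes(b"abcd", inds))
```

The validation step matters in practice: an indicator file is untrusted input to the signature pipeline, and a digest of the wrong length or with stray characters would otherwise silently become a signature that can never match.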
On the whole, version 0.98.3 is another small but stable update from ClamAV. It is good to see the project take steps toward assembling its own virus database information; if done correctly that is certainly a valuable contribution that the ClamAV community can add. ClamAV's parent company Sourcefire was acquired by Cisco in July 2013; at the time the project made an announcement to reassure users that the acquisition would not weaken the project's commitment to the open-source community. So far, it seems to be a positive move for the project, as stable releases of both the software and virus database continue.
Those of us who live and work entirely within the sphere of Linux and free software can, at times, forget how important virus-scanning programs are to others, merely because of how much more prevalent viruses are on Windows machines. But, as Linux is often the operating system that dominates the server room, projects like ClamAV are critical even if most of the viruses they stop are targeting someone else.
Brief items
Security quotes of the week
The court recognized what some European legislators call "the right to be forgotten"—the idea of giving ordinary citizens more control over their personal data, including its deletion.
Worse. Even though the pursuit of this obsession with surveillance in the name of security is rendering our critical infrastructure insecure by design, making massive denial of service attacks and infrastructure attacks possible, any such attacks will be interpreted as a rationale to double-down on the very surveillance-friendly policies that make them possible. It's a self-reinforcing failure mode, and the more it fails the worse it will get. Sort of like the war on drugs, if the war on drugs had the capability to overflow and reprogram your next car's autopilot and drive you into a bridge support, or to fry your insulin pump, or empty your bank account, or cause grid blackouts and air traffic control outages. Because that's what the internet of things means: the secret police have installed locks in everything and the criminals are now selling each other skeleton keys.
In admitting that the NSA has no way of knowing what Snowden did, [former NSA head Keith] Alexander is admitting that all this talk of the infallible audit system is all smoke and mirrors. And, because of that, the claims that we can trust the NSA not to abuse its systems are equally untrustworthy.
Defeating memory comparison timing oracles (Red Hat Security Blog)
Over at the Red Hat Security Blog, Florian Weimer looks at timing oracles in memory comparison functions and how to stop them. Timing oracles can allow attackers to extract keys or other secret data by timing code that compares input data to the secret. "Of course, there are other architectures (and x86 implementations), so we will have to perform further research to see if we can remove the timing oracle from their implementations at acceptable (read: zero) cost. For architectures where super-scalar, pipelined implementations are common, this is likely the case. But the GNU C library will probably not be in a position to commit to an oracle-free memcmp by default (after all, future architectures might have different requirements). But I hope that we can promise that in -D_FORTIFY_SOURCE=2 mode, memcmp is oracle-free."
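The oracle comes from the early exit: a memcmp-style loop stops at the first differing byte, so its running time grows with the length of the correct prefix. The following added example (not code from the Red Hat post) places that loop beside a comparison whose work is independent of where the inputs differ. Rather than measuring wall-clock time, which is noisy in an interpreted language, each function also reports how many bytes it examined, which is the quantity a timing measurement approximates. The secret and guesses are constructed.

```python
import hmac


def early_exit_compare(secret, guess):
    """memcmp-style comparison: returns at the first differing byte.
    Returns (equal, steps) where steps counts the bytes examined."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_work_compare(secret, guess):
    """Accumulate every byte difference with OR and decide only at the end,
    so the number of bytes examined never depends on where the inputs
    differ.  A length mismatch is forced to fail but still walks the whole
    secret instead of returning immediately."""
    diff = 0
    if len(secret) != len(guess):
        guess = secret  # compare the secret with itself; result is already forced false
        diff = 1
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def verify_mac(expected, received):
    """What production code should call: the interpreter's own
    constant-time comparison, implemented in C."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"s3cr3t"  # constructed
    for guess in (b"xxxxxx", b"s3xxxx", b"s3cr3x", b"s3cr3t", b"s3"):
        print(guess, early_exit_compare(secret, guess), constant_work_compare(secret, guess))
```

The step counts make the point without a stopwatch: the early-exit version examines 1, 3, 6 and 6 bytes for the four guesses, the constant-work version always examines 6. A Python loop gives no real timing guarantee (the interpreter itself is not constant-time), which is why the last function defers to `hmac.compare_digest`; the loop is there to show the shape of an oracle-free comparison, the same accumulate-then-decide structure a C implementation uses.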
Linux gets fix for code-execution flaw (Ars Technica)
Ars Technica takes a look at a serious bug in the Linux kernel that was introduced in 2009. "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device." This flaw has been identified as CVE-2014-0196. The LWN vulnerability report is here.
RFC 7258
The Internet Engineering Task Force has adopted RFC 7258, titled "Pervasive monitoring is an attack." It commits the IETF to work against pervasive monitoring (PM) in the design of its protocols going forward. "In particular, architectural decisions, including which existing technology is reused, may significantly impact the vulnerability of a protocol to PM. Those developing IETF specifications therefore need to consider mitigating PM when making architectural decisions. Getting adequate, early review of architectural decisions including whether appropriate mitigation of PM can be made is important. Revisiting these architectural decisions late in the process is very costly."
New vulnerabilities
abrt: could not be used by server systems
| Package(s): | abrt | CVE #(s): | |
| Created: | May 14, 2014 | Updated: | May 14, 2014 |
| Description: | From the Red Hat bugzilla: The ABRT polkit policy is completely desktop-centric and expects that the admin user is logged in to an active local session (i.e., a seat in logind parlance, with a monitor and keyboard). This prevents use of ABRT when logged in via ssh (and using pkttyagent as your polkit agent) or via Cockpit. The <allow_any> tag in polkit policy applies to non-local sessions. It should be set to something other than 'no' unless the action directly affects hardware of the login seat. |
| Alerts: | |
android-tools: code execution
| Package(s): | android-tools | CVE #(s): | CVE-2014-1909 |
| Created: | May 13, 2014 | Updated: | February 16, 2015 |
| Description: | From the Red Hat bugzilla: Joshua J. Drake of droidsec.org discovered a stack-based buffer overflow flaw in the ADB client code: http://www.droidsec.org/advisories/2014/02/04/two-s... Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link. |
| Alerts: | |
fish: insecure tmpfile use
| Package(s): | fish | CVE #(s): | CVE-2014-3219 |
| Created: | May 8, 2014 | Updated: | October 9, 2014 |
| Description: | From the Red Hat bugzilla entry: Another symlink-based vulnerability. More information can be found in this oss-sec post. |
| Alerts: | |
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2014-0181 CVE-2014-3122 |
| Created: | May 12, 2014 | Updated: | December 8, 2014 |
| Description: | From the CVE entry: The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. (CVE-2014-0181) From the Red Hat bugzilla: The Linux kernel's Memory Management Unit (MMU) is vulnerable to a crash caused by unlocked memory pages. It could occur during the memory page migration or while cleaning the swap cache pages. An unprivileged user/program could use this flaw to crash the system kernel, resulting in DoS. (CVE-2014-3122) |
| Alerts: | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2014-1737 CVE-2014-1738 |
| Created: | May 13, 2014 | Updated: | May 22, 2014 |
| Description: | From the Debian advisory: Matthew Daley discovered that missing input sanitizing in the FDRAWCMD ioctl and an information leak could result in privilege escalation. |
| Alerts: | |
ldns: information disclosure
| Package(s): | ldns | CVE #(s): | CVE-2014-3209 |
| Created: | May 12, 2014 | Updated: | May 14, 2014 |
| Description: | From the Mageia advisory: ldns-keygen creates a private key with the default permissions according to the user's umask, which in most cases will cause the private key to be world-readable. |
| Alerts: | |
libxfont: multiple vulnerabilities
| Package(s): | libxfont | CVE #(s): | CVE-2014-0209 CVE-2014-0210 CVE-2014-0211 |
| Created: | May 14, 2014 | Updated: | November 25, 2014 |
| Description: | From the X.Org Security Advisory: (1) CVE-2014-0209: integer overflow of allocations in font metadata file parsing. When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 GB) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias(). (2) CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies. When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info(). (3) CVE-2014-0211: integer overflows calculating memory needs for xfs replies. These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info(). |
| Alerts: | |
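The libXfont advisory names two missing checks that recur in every binary protocol parser: a length or count from the peer must be checked against the bytes actually received, and the multiplication that sizes the buffer must be checked for overflow before the result reaches the allocator. The following added example (not libXfont code) applies both checks to a reply format invented for this illustration: a 32-bit little-endian entry count, a 32-bit entry length, then that many entries. Sizes are modelled as 32-bit unsigned values, as they would be in a C implementation, so the unchecked product can be shown wrapping.

```python
import struct

UINT32_MAX = 0xFFFFFFFF
# Constructed reply layout: u32 entry count, u32 entry length, then the entries.
HEADER = struct.Struct("<II")


def unchecked_alloc_size(count, entry_len):
    """The size a C implementation would pass to malloc() if it multiplied
    without checking: the product truncated to 32 bits."""
    return (count * entry_len) & UINT32_MAX


def checked_alloc_size(count, entry_len):
    """Return count * entry_len, or None if the product does not fit in 32 bits."""
    if entry_len == 0:
        return 0
    if count > UINT32_MAX // entry_len:
        return None
    return count * entry_len


def parse_reply(buf):
    """Parse the constructed reply; every length is checked against the
    bytes actually received before any entry is copied out."""
    if len(buf) < HEADER.size:
        raise ValueError("reply shorter than its header")
    count, entry_len = HEADER.unpack_from(buf, 0)
    if entry_len == 0 and count != 0:
        # Zero-length entries would make 'total' trivially fit while the
        # count itself is unbounded; refuse rather than loop on it.
        raise ValueError("non-zero count of zero-length entries")
    total = checked_alloc_size(count, entry_len)
    if total is None:
        raise ValueError("entry count * entry length overflows 32 bits")
    if total > len(buf) - HEADER.size:
        raise ValueError("declared entries extend past the end of the reply")
    base = HEADER.size
    return [buf[base + i * entry_len: base + (i + 1) * entry_len] for i in range(count)]


def reply_is_accepted(buf):
    """True if parse_reply accepts the buffer, False if it rejects it."""
    try:
        parse_reply(buf)
        return True
    except ValueError:
        return False


def build_reply(entries):
    """Encode a well-formed reply from equal-length entries."""
    entry_len = len(entries[0]) if entries else 0
    assert all(len(e) == entry_len for e in entries)
    return HEADER.pack(len(entries), entry_len) + b"".join(entries)


if __name__ == "__main__":
    print(parse_reply(build_reply([b"ab", b"cd"])))
    # count 0x40000001 * entry_len 4 = 0x100000004, which truncates to 4 bytes
    print(hex(unchecked_alloc_size(0x40000001, 4)), checked_alloc_size(0x40000001, 4))
    print(reply_is_accepted(HEADER.pack(0x40000001, 4) + b"xxxx"))
    print(reply_is_accepted(HEADER.pack(3, 4) + b"x" * 8))
```

The second rejected case is the CVE-2014-0210 pattern (the product fits, but the reply is shorter than it claims); the first is the CVE-2014-0211 pattern (the product wraps to a small value that would satisfy the bounds check). Both checks run before any copy, which is the property the advisory says the affected functions lacked.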
libxml2: denial of service
| Package(s): | libxml2 | CVE #(s): | CVE-2014-0191 |
| Created: | May 12, 2014 | Updated: | April 1, 2015 |
| Description: | From the Mageia advisory: It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors. |
| Alerts: | |
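The libxml2 entry is a reminder that "entity substitution disabled" is a parser option that can fail; the more robust stance for an application that never needs a DTD is to refuse any document that carries one, since the DOCTYPE is the only place entity declarations can appear. The following added example (not libxml2 code) does that with Python's expat binding: a first pass aborts at the DOCTYPE declaration before anything can be declared or expanded, and only documents that survive it are parsed. Both documents are constructed; the second declares two entities that reference each other, the shape of an entity-expansion denial of service, kept to a hundred bytes of expansion here.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed documents.
BENIGN_XML = b'<?xml version="1.0"?><config><item>ok</item></config>'
ENTITY_XML = b'''<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<config><item>&b;</item></config>'''


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE, the only place entity
    declarations (internal or external) can live."""


def parse_without_dtd(xml_bytes):
    """Run expat over the bytes with a handler that aborts at the DOCTYPE
    declaration, before any entity is declared or expanded.  Only a
    document that survives that pass is handed to ElementTree."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise DoctypeRejected("DOCTYPE %r not allowed" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes):
    """True if the document has no DOCTYPE and parses, False if it was refused."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print("benign:", is_accepted(BENIGN_XML), parse_without_dtd(BENIGN_XML).find("item").text)
    print("with entities:", is_accepted(ENTITY_XML))
```

Rejecting at the DOCTYPE rather than at entity expansion is the key design choice: it does not depend on any expansion limit or substitution flag in the underlying parser being honoured, which is exactly the assumption CVE-2014-0191 broke.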
miniupnpc: denial of service
| Package(s): | miniupnpc | CVE #(s): | CVE-2014-3985 |
| Created: | May 13, 2014 | Updated: | January 17, 2017 |
| Description: | From the Red Hat bugzilla: Appears to be a DoS crash vector that can be triggered by something on the network. |
| Alerts: | |
openssh: two vulnerabilities
| Package(s): | openssh | CVE #(s): | CVE-2010-4478 CVE-2010-4755 |
| Created: | May 12, 2014 | Updated: | May 14, 2014 |
| Description: | From the CVE entries: OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. (CVE-2010-4478) The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) |
| Alerts: | |
owncloud: remote users can mount the local file system
| Package(s): | owncloud | CVE #(s): | CVE-2014-2585 |
| Created: | May 14, 2014 | Updated: | May 14, 2014 |
| Description: | From the CVE entry: ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration. |
| Alerts: | |
python-eyeD3: insecure tmpfile use
| Package(s): | python-eyeD3 | CVE #(s): | CVE-2014-1934 |
| Created: | May 8, 2014 | Updated: | December 2, 2014 |
| Description: | From the Novell bugzilla entry: Jakub Wilk reported a problem with python-eyeD3 on the Debian Bug Tracking system. eyeD3/tag.py creates temporary files in an insecure way. |
| Alerts: | |
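Three entries on this page (fish, ldns and python-eyeD3) are the same class of bug from two directions: a private file created with whatever permissions the umask happens to leave, and a temporary file created at a name another user can predict and pre-empt with a symlink. The following added example (not code from any of those projects) puts the umask-dependent create beside the explicit 0600 create with O_EXCL, shows the O_EXCL create refusing a planted symlink, and uses mkstemp() for temporary files. All paths live in a throwaway directory and the key material is a constructed placeholder; the umask is pinned to 022 during the demo so the result is deterministic.

```python
import os
import stat
import tempfile


def write_key_default_perms(path, key_bytes):
    """Relies on the process umask, the ldns-keygen pattern: with the common
    022 umask the file ends up 0644, readable by every user.  Returns the mode."""
    with open(path, "wb") as f:
        f.write(key_bytes)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_private(path, key_bytes):
    """Create the file with an explicit 0600 mode and O_EXCL, so a file or
    symlink already at that path makes the call fail instead of being
    followed; O_NOFOLLOW is added where the platform offers it.  Returns the mode."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, key_bytes)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def private_tmpfile(prefix, directory=None):
    """mkstemp() picks an unpredictable name and creates it atomically with
    O_EXCL and mode 0600, so there is no window between choosing the name
    and owning the file in which another user could plant a symlink."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    os.close(fd)
    return path


def run_demo():
    """Exercise the cases in a private directory and report what each produced."""
    old_umask = os.umask(0o022)
    results = {}
    try:
        with tempfile.TemporaryDirectory() as d:
            key = b"-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----\n"
            results["default_mode"] = write_key_default_perms(os.path.join(d, "k1.private"), key)
            results["private_mode"] = write_key_private(os.path.join(d, "k2.private"), key)

            # A symlink planted at the target path: the O_EXCL create must refuse
            # it, and the file it points at must stay untouched.
            victim = os.path.join(d, "victim")
            open(victim, "wb").close()
            planted = os.path.join(d, "k3.private")
            os.symlink(victim, planted)
            try:
                write_key_private(planted, key)
                results["symlink_refused"] = False
            except FileExistsError:
                results["symlink_refused"] = True
            results["victim_untouched"] = os.path.getsize(victim) == 0

            t1 = private_tmpfile("demo-", d)
            t2 = private_tmpfile("demo-", d)
            results["tmp_mode"] = stat.S_IMODE(os.stat(t1).st_mode)
            results["tmp_names_differ"] = t1 != t2
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

The mode argument to os.open is only ever masked downwards by the umask, so 0600 stays 0600 whatever the caller's environment; that is the fix the ldns entry implies. O_EXCL (and, for temporary files, mkstemp's random name plus O_EXCL) closes the check-then-create window behind the symlink entries.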
xen: code execution
| Package(s): | xen | CVE #(s): | CVE-2014-3124 |
| Created: | May 12, 2014 | Updated: | May 14, 2014 |
| Description: | From the CVE entry: The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types. |
| Alerts: | |
Page editor: Jake Edge