Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture
Technically, it’s a cuttlefish and not a squid. But it’s still nice art. I posted a photo of a real striped pyjama squid way back in 2006.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
The original article/video can be found at Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture
Applied Cryptography on Elementary

In the episode that aired on May 9th, about eight or nine minutes in, there’s a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn’t the first time that my books have appeared on that TV show.

The original article/video can be found at Applied Cryptography on Elementary
SSL: Another reason not to ignore IPv6, (Fri, May 17th)
Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the “quick fix”, as it requires minimum changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4.
The most obvious issue here is logging, in that the application only “sees” the proxy's IP address, unless it inspects headers added by the proxy, which will now point to (unreadable?) IPv6 addresses.
But there is another issue: SSL certificates. If only IPv6 connections are passed via the proxy, you will end up with two different certificates: one for the proxy, and one for the web application (or the IPv4 proxy). It may also happen that the IPv6 and IPv4 sites are considered two different hosts on the web server, requiring distinct configurations.
For example, at this point, “www.socialsecurity.gov” uses two different certificates, one for IPv6 and one for IPv4. The IPv6 certificate is expired, while the IPv4 certificate is valid. This is particularly painful as some simple command line tools, like “openssl s_client”, are still not able to work over IPv6. For my test, I used gnutls-cli, which works similarly to openssl s_client but supports IPv6.
Excerpt from the result:
gnutls-cli -p 443 --x509cafile /opt/local/share/ncat/ca-bundle.crt www.socialsecurity.gov
Processed 291 CA certificate(s).
Resolving 'www.socialsecurity.gov'...
Connecting to '2001:1930:c01::aaaa:443'...
[...]
- subject `C=US,ST=maryland,L=baltimore,O=social security administration,OU=diias,OU=Terms of use at www.verisign.com/rpa (c)05,CN=www.socialsecurity.gov', issuer `C=US,O=VeriSign, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-04-05 00:00:00 UTC', expires `2013-04-29 23:59:59 UTC', SHA-1 fingerprint `3286afd908f256947b396dbae88d37b111c9aaaf'
[...]
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Next, let's try IPv4. A disadvantage of gnutls-cli is that you are not able to force an IPv4 connection, so I will just fall back to openssl here:
$ openssl s_client -connect www.socialsecurity.gov:443 -CAfile /opt/local/share/ncat/ca-bundle.crt
[....]
subject=/C=US/ST=maryland/L=baltimore/O=social security administration/OU=diias/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.socialsecurity.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
[...]
$ openssl x509 -in /tmp/ssa.gov -text
[...]
Validity
Not Before: Apr 22 00:00:00 2013 GMT
Not After : Apr 30 23:59:59 2017 GMT
Subject: C=US, ST=maryland, L=baltimore, O=social security administration, OU=diias, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.socialsecurity.gov
—— Johannes B. Ullrich, Ph.D., SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The original article/video can be found at SSL: Another reason not to ignore IPv6, (Fri, May 17th)
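The manual gnutls-cli/openssl comparison in the SSL and IPv6 post above can be automated so that every address behind a name is checked, not only the one the client happens to pick. The following is an added example, not code from the original post; the function names, the IPv4 address and the fingerprints in the sample are constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys

def addresses(host, port=443):
    """Every IPv4 and IPv6 address the name resolves to, as (family, address)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(fam.name, sa[0]) for fam, _, _, _, sa in infos})

def probe(host, family, addr, port=443, timeout=5):
    """Handshake with one address, sending `host` as SNI, and record the outcome."""
    result = {"family": family, "addr": addr, "sha256": None, "error": None}
    # Pass 1: verification off, so an expired certificate can still be fingerprinted.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with lax.wrap_socket(raw, server_hostname=host) as tls:
                result["sha256"] = hashlib.sha256(tls.getpeercert(True)).hexdigest()
        # Pass 2: default verification (chain, validity dates, hostname).
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result

def findings(results):
    """Report per-address failures and certificates that differ between addresses."""
    out = [f"{r['family']} {r['addr']}: {r['error']}" for r in results if r["error"]]
    prints = {r["sha256"] for r in results if r["sha256"]}
    if len(prints) > 1:
        out.append(f"{len(prints)} different certificates served for the same name")
    return out

# Constructed sample shaped like the case in the post (fingerprints are placeholders).
SAMPLE = [
    {"family": "AF_INET6", "addr": "2001:1930:c01::aaaa", "sha256": "aa" * 32,
     "error": "certificate has expired"},
    {"family": "AF_INET", "addr": "192.0.2.10", "sha256": "bb" * 32, "error": None},
]

if __name__ == "__main__":
    live = len(sys.argv) > 1  # with a hostname argument, probe it; otherwise use SAMPLE
    results = [probe(sys.argv[1], f, a) for f, a in addresses(sys.argv[1])] if live else SAMPLE
    print("\n".join(findings(results)) or "no findings")
```

Run from a dual-stacked monitoring host; a host without IPv6 connectivity reports the AAAA addresses as connection failures rather than silently skipping them.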
VU#774103: Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability
Vulnerability Note VU#774103
Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability
Original Release date: 17 May 2013 | Last revised: 17 May 2013
Overview
The Linux kernel’s Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges.
Description
The Linux kernel’s Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges. Additional analysis of the vulnerability may be found in the Red Hat bug report. A public exploit is available that has been reported to work against some Linux distributions.
Impact
A local authenticated user may be able to exploit this vulnerability to escalate privileges.
Solution
Apply an Update
Red Hat, Debian, CentOS, and Ubuntu have all released patches. Users should receive the patches through their Linux distributions’ normal update process.
Affected Distributions
Other distributions may be affected but were not confirmed at the time of publication.
If you are unable to upgrade, please consider the following workaround. Red Hat has provided mitigation advice in Red Hat Knowledge Solution 373743.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CentOS | Affected | - | 17 May 2013 |
| Debian GNU/Linux | Affected | - | 17 May 2013 |
| Red Hat, Inc. | Affected | - | 17 May 2013 |
| Ubuntu | Affected | - | 17 May 2013 |
| Fedora Project | Unknown | - | 17 May 2013 |
| Slackware Linux Inc. | Unknown | - | 17 May 2013 |
| SUSE Linux | Unknown | - | 17 May 2013 |
If you are a vendor and your product is affected, let us know.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
| Temporal | 5.9 | E:ND/RL:OF/RC:C |
| Environmental | 4.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- https://rhn.redhat.com/errata/RHSA-2013-0830.html
- http://www.debian.org/security/2013/dsa-2669
- http://www.ubuntu.com/usn/usn-1825-1/
- http://www.ubuntu.com/usn/usn-1826-1/
- http://www.ubuntu.com/usn/usn-1827-1/
- http://www.ubuntu.com/usn/usn-1828-1/
- http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html
- http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html
- https://bugzilla.redhat.com/show_bug.cgi?id=962792
- https://bugzilla.redhat.com/show_bug.cgi?id=962792#c16
- https://bugzilla.redhat.com/show_bug.cgi?id=962799
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b0a873ebbf87bf38bf70b5e39a7cadc96099fa13
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/events/core.c?id=8176cced706b5e5d15887584150764894e94e02f
- http://packetstormsecurity.com/files/121616/semtex.c
- http://lkml.indiana.edu/hypermail/linux/kernel/1304.1/03652.html
- http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck
Credit
Tommi Rantala discovered this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2013-2094
- Date Public: 14 May 2013
- Date First Published: 17 May 2013
- Date Last Updated: 17 May 2013
- Document Revision: 26
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The original article/video can be found at VU#774103: Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability













