December 7, 2016

Apple updates OS X’s NTP server to address recently disclosed NTP vulnerabilities

(LiveHacking.Com) – Apple has released a patch for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1 to update the included NTP server to fix the recently disclosed vulnerabilities. The standard, open source Network Time Protocol (NTP) daemon (ntpd) contains multiple vulnerabilities which were publicly disclosed a few days ago. The vulnerabilities not only affect OS X, but also other Unix-type operating systems like Linux and FreeBSD.

ntpd versions 4.2.7 and earlier have several buffer overflow issues. If exploited, they could allow malicious code to be executed. Also, ntp-keygen prior to version 4.2.7p230 has been found to use a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities affect ntpd acting as a server or client.

The full list of vulnerabilities is as follows:

  • CWE-332 – If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.
  • CWE-338 – ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.
  • CWE-121 – A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.
  • CWE-389 – A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.
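The list above ties each flaw to a configuration surface: crypto_recv() is only reached when autokey is enabled, ctl_putdata() and configure() serve remote control and configuration requests, and the weak default key (CWE-332) appears only when no keys file is configured. The following audit script is an added example, not code from the article, Apple or the NTP project. It assumes the standard ntpd ntp.conf syntax and flags settings that leave those paths reachable; the two sample configurations it checks are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the NTP project): audit an ntp.conf for
# settings that keep the vulnerable ntpd code paths reachable from the network.
# Assumes standard ntpd ntp.conf syntax; sample configs are constructed below.

ntp_conf_findings() {
  # $1 = path to an ntp.conf; prints one "FINDING:" line per weak setting.
  conf=$1

  # Autokey is turned on by the 'crypto' directive; without it a remote packet
  # never enters crypto_recv().
  if grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' "$conf"; then
    echo "FINDING: autokey enabled ('crypto' directive) - crypto_recv() reachable"
  fi

  # Control and remote-configuration requests reach ctl_putdata()/configure();
  # every 'restrict default' line should carry both noquery and nomodify.
  defaults=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf" || true)
  n_default=$(printf '%s\n' "$defaults" | grep -c 'restrict' || true)
  for flag in noquery nomodify; do
    n_flag=$(printf '%s\n' "$defaults" | grep -Ec "(^|[[:space:]])$flag([[:space:]]|$)" || true)
    if [ "$n_default" -eq 0 ] || [ "$n_flag" -ne "$n_default" ]; then
      echo "FINDING: 'restrict default' without $flag - remote control/config requests accepted"
    fi
  done

  # With no 'keys' file configured, ntpd falls back to the weak default key (CWE-332).
  if ! grep -Eq '^[[:space:]]*keys[[:space:]]+' "$conf"; then
    echo "FINDING: no 'keys' directive - ntpd would generate a weak default key (CWE-332)"
  fi
}

ntp_conf_finding_count() {
  # Prints the number of findings for the ntp.conf at $1.
  ntp_conf_findings "$1" | grep -c '^FINDING' || true
}

write_sample_conf() {
  # Writes a constructed sample ("weak" or "hardened") to a temp file; prints its path.
  f=$(mktemp)
  if [ "$1" = weak ]; then
    printf '%s\n' \
      'driftfile /var/lib/ntp/ntp.drift' \
      'server 0.pool.ntp.org iburst' \
      'crypto pw example-autokey-password' \
      'restrict default kod' \
      'restrict 127.0.0.1' >"$f"
  else
    printf '%s\n' \
      'driftfile /var/lib/ntp/ntp.drift' \
      'server 0.pool.ntp.org iburst' \
      'keys /etc/ntp/ntp.keys' \
      'trustedkey 1' \
      'restrict -4 default kod nomodify notrap nopeer noquery' \
      'restrict -6 default kod nomodify notrap nopeer noquery' \
      'restrict 127.0.0.1' \
      'restrict ::1' >"$f"
  fi
  echo "$f"
}

# Usage: run against the two constructed samples (for a live host: ntp_conf_findings /etc/ntp.conf).
for kind in weak hardened; do
  f=$(write_sample_conf "$kind")
  echo "== $kind sample: $(ntp_conf_finding_count "$f") finding(s)"
  ntp_conf_findings "$f"
  rm -f "$f"
done
```

The weak sample produces four findings (autokey on, `restrict default` missing both `noquery` and `nomodify`, no `keys` file); the hardened sample produces none. Passing the audit does not replace the patch: the buffer overflows are fixed only by updating ntpd, and the audit just narrows who can reach the affected code in the meantime.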

Apple’s release notes state that “a remote attacker may be able to execute arbitrary code” due to the vulnerabilities. The security bulletin goes on to say that “Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.”

You can read more about APPLE-SA-2014-12-22-1 here and you can read CERT’s note on the issue here. You can download the latest (patched) version of NTP from here.

Shellshock: Code injection vulnerability found in Bash

(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem revolves around the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value, to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tacked onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However, it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.
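The same probe can be scripted, and it is instructive to look at what a fixed bash does differently. The script below is an added example, not from the article or the bash project: it wraps the article's test in a function and then exports a function from a patched bash to show the environment entry it creates. It assumes a bash binary is on PATH, and the exact suffix of the exported-function variable name varies between fixed bash versions (an assumption noted in the code).

```shell
#!/bin/sh
# Added example (not from the article or the bash project): script the Shellshock
# probe and show how a fixed bash exports functions.
# Assumes bash is on PATH; the "BASH_FUNC_" naming is what fixed releases use,
# and the exact suffix after the function name varies by version (assumption).

shellshock_status() {
  # Prints "vulnerable", "patched" or "no-bash".
  if ! command -v bash >/dev/null 2>&1; then
    echo no-bash
    return 0
  fi
  # Same probe as the article: a variable whose value starts with "() {" followed
  # by a trailing command. An unpatched bash executes the trailing command while
  # importing the function; a patched bash treats X as an ordinary variable.
  out=$(env X="() { :;} ; echo vulnerable" bash -c "echo completed" 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

exported_function_var() {
  # Prints the environment entry a fixed bash creates when a function is exported.
  # Fixed releases only import functions from variables named BASH_FUNC_<name>...,
  # which is why a plain variable named X is no longer parsed as a function.
  if ! command -v bash >/dev/null 2>&1; then
    echo no-bash
    return 0
  fi
  bash -c 'f() { :; }; export -f f; env' | grep '^BASH_FUNC_f' | head -n 1
}

echo "bash status: $(shellshock_status)"
echo "exported function entry: $(exported_function_var)"
```

On a fixed bash the first line reports `patched` and the second shows an entry whose name begins with `BASH_FUNC_f`; the function body is the value, and nothing after its closing brace is parsed as a command.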

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.


NVIDIA fixes root privilege escalation in its Linux drivers

(LiveHacking.com) — Over a month ago an anonymous coder sent a small C program to Dave Airlie, who maintains the Direct Rendering Manager (DRM) subsystem in the Linux kernel, that allows an attacker to gain root access to a Linux machine by exploiting a vulnerability in NVIDIA’s Linux drivers.

The exploit works by using a vulnerability in the /dev/nvidia0 device which allows the VGA window to be moved around until it can read and write to somewhere useful in physical RAM. Then the exploit performs a root privilege escalation by writing directly to kernel memory.

More than a month has passed since information about the vulnerability was submitted to NVIDIA, and the graphics company had not responded. As a result Airlie has made the exploit public.

“I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I’d post it for them,” wrote Dave Airlie in a post to a security mailing list.

NVIDIA has now released version 304.32 of its drivers for Linux, FreeBSD and Solaris. The updated driver contains a hotfix to block access to the registers involved in this attack. At the same time NVIDIA has also blocked access to some other registers which it identified as being susceptible to a similar type of attack.

The 295.71 driver is available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/295.71/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/295.71/

Solaris: ftp://download.nvidia.com/solaris/295.71/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/295.71/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/295.71/

The 304.32 driver is also available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/304.32/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/304.32/

Solaris: ftp://download.nvidia.com/solaris/304.32/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/304.32/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/304.32/

Details about the updated driver and the patches are available at: http://nvidia.custhelp.com/app/answers/detail/a_id/3140

System privilege escalation vulnerability found in XEN on 64-bit Intel hardware

(LiveHacking.Com) – Rafal Wojtczuk of Bromium, Inc. has found a new vulnerability that could possibly be exploited for local privilege escalation. The bug, present in several different operating systems and hypervisors, such as the XEN virtualization software, affects systems using 64-bit Intel CPU hardware. To exploit the vulnerability an attacker needs to create a special stack frame which will be executed by the kernel of the host operating system after a general protection fault. The problem is that the general protection fault will be handled before the stack switch, which means the exception handler will be run in the kernel of the host operating system using the specially created stack frame, in short – a privilege escalation.

The error only exhibits itself on Intel 64-bit CPUs. AMD CPUs are not affected. Also the vulnerability seems to exist only in the XEN hypervisor (or its variants). VMware is not vulnerable. According to Xen Security Advisory 7, the result of a successful exploitation is that administrators of guest OSes can gain control of the host OS.

Modern operating systems implement a rings model of security, where privileged operations are performed in RING 0 (the kernel). Most applications run in RING 3 and request access to RING 0 by making system calls. The calls put the CPU into the required privilege level and pass control to the kernel. By using the combination of a special stack frame and a general protection fault, the attackers force the system to run their code in RING 0 rather than RING 3.

Microsoft released a patch for Windows a few days ago as part of June’s Patch Tuesday. According to Microsoft the fix changes the way that the Windows User Mode Scheduler handles a particular system request and the way that Windows manages BIOS ROM.

Vendor-specific information on this vulnerability has been published by Xen, FreeBSD and Microsoft. Linux vendor Red Hat has also published two security advisories: RHSA-2012:0720-1 and RHSA-2012:0721-1.

On some operating systems, like FreeBSD, running the 32-bit variant of the OS on a 64-bit capable CPU means the operating system is not vulnerable.

Linux 2.6.39 Memory Handling Vulnerability

(LiveHacking.Com) – Exploits have started appearing that make it possible to gain root privileges on some versions of the Linux kernel due to a flaw in the /proc/<pid>/mem handling. The vulnerability first came to light when Linus Torvalds released a Linux kernel update last week to fix the flaw and the subsequent analysis of the bug at Nerdling Sapple.

The bug, which was discovered by Jüri Aedla, allows a local, unprivileged user to escalate their privileges. The problem is that write support to /proc/<pid>/mem was re-enabled in the kernel but with insufficient permissions checking. This means that all Linux kernels >=2.6.39 are vulnerable, up until the fix noted above.

Red Hat have released a small C program which will test a kernel to see if it is vulnerable. If you are not sure if you are running an affected kernel version compile and run the test from https://bugzilla.redhat.com/attachment.cgi?id=556461:

$ gcc -o test test.c
$ ./test
vulnerable

You can read Red Hat’s full security advisory here. Canonical, the makers of Ubuntu Linux, have also announced the release an update for Ubuntu 11.10. The fix can be applied using a standard system update followed by a reboot.
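Red Hat's test program is the authoritative check, since distributions backport fixes without changing the base version number. As a first-pass triage across many hosts, the version check below is an added example, not from the article or Red Hat: it parses a `uname -r` style string and reports whether it falls in the >=2.6.39 range the article gives. A hit means "run the real test", not "confirmed vulnerable". It assumes Linux version strings such as `2.6.32-35-generic` or `3.2.0-4-amd64`.

```shell
#!/bin/sh
# Added example (not from the article or Red Hat): flag kernels whose version
# falls in the affected range (>= 2.6.39). Version alone cannot tell whether a
# distribution backported the fix, so treat "in-range" as a prompt to run the
# Red Hat test program. Assumes uname -r style version strings on Linux.

kernel_in_affected_range() {
  # Returns 0 when $1 is >= 2.6.39, 1 otherwise.
  ver=${1%%-*}                                  # drop "-35-generic" style suffixes
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs  # split on dots into $1 $2 $3
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}    # "39rc1" -> "39", "" -> "0"
  [ "$major" -gt 2 ] && return 0
  [ "$major" -lt 2 ] && return 1
  [ "$minor" -gt 6 ] && return 0
  [ "$minor" -lt 6 ] && return 1
  [ "$patch" -ge 39 ]
}

kernel_range_report() {
  # Prints "in-range" or "out-of-range" for the version string $1.
  if kernel_in_affected_range "$1"; then
    echo in-range
  else
    echo out-of-range
  fi
}

# Usage: check the running kernel (only meaningful on Linux).
echo "kernel $(uname -r): $(kernel_range_report "$(uname -r)")"
```

For example, the Ubuntu 10.04 kernel 2.6.32-35 discussed later on this page reports `out-of-range`, while 2.6.39 and any 3.x kernel report `in-range`.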

NSA Makes an Initial Public Release of Security Enhanced Android

(LiveHacking.Com) – The National Security Agency, part of the United States Department of Defense which is responsible for the interception and decryption of foreign communications, has made an initial public release of Security Enhanced (SE) Android, a special version of the Linux based mobile device operating system created to identify and address critical gaps in its security.

The initial aim of SE Android is to implement the SELinux access control policies, including the Mandatory Access Control (MAC) system. MAC defines and enforces a system-wide security policy which controls all processes, objects, and operations. This means that MAC can confine flawed and malicious applications, even ones that run as “root”, and can prevent privilege escalation.

As well as SELinux for Android, SE Android offers the following unique features:

  • Per-file security labeling support for yaffs2
  • Filesystem images (yaffs2 and ext4) labeled at build time
  • Kernel permission checks controlling Binder IPC
  • Labeling of service sockets and socket files created by init
  • Labeling of device nodes created by ueventd
  • Flexible, configurable labeling of apps and app data directories
  • Userspace permission checks controlling use of the Zygote socket commands
  • Minimal port of SELinux userspace
  • Small TE policy written from scratch for Android
  • Confined domains for system services and apps
  • Use of MLS categories to isolate apps

As part of a presentation (PDF) given at the 2011 Linux Security Summit, Stephen Smalley of the NSA explained how, with SELinux incorporated into Android, the “Gingerbreak” exploit, which abused a problem in the Android volume daemon ‘vold’, would have been stopped in six different ways, making the underlying vulnerability completely unreachable.

More details about SE Android including build instructions can be found on the project’s wiki.

PacketFence 3.1.0 Adds New Features and Support for CentOS 6.2

(LiveHacking.Com) – Version 3.1.0 of PacketFence, the open source network access control (NAC) solution, has been released with new features, new hardware support, enhancements, bug fixes and updated translations. PacketFence allows network administrators to control access to the network based on defined policies. PacketFence includes a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner.

New features include the detection of rogue DHCP servers, wireless profile provisioning for iPhone, iPod and iPad devices, and new graphs in the web admin UI. Enhancements include startup performance improvements, performance improvements to pfdhcplistener, CentOS 6.2 support and better support of WISPr (captive portal detection).

For more information read the release announcement. PacketFence 3.1.0 can be downloaded as source or packages for RHEL/CentOS 5 and 6 from here.

New Kernels for Ubuntu 10.04 LTS Fix Security Vulnerabilities

(LiveHacking.Com) – Unlike many Linux distributions, which are superseded almost daily, stable distributions from RedHat, CentOS and the Ubuntu LTS (Long Term Support) variants offer stability and a longer supported lifetime.

Ubuntu has just issued two new kernels for Ubuntu 10.04 LTS. The 10.04 release, which is available for both the server and the desktop, was released in April 2010 and will be supported until April 2013 (for the desktop) and until April 2015 for the server version.

The first new kernel is 2.6.32-35, an update of the default 2.6.32 kernel that shipped when Ubuntu 10.04 LTS was first released. The kernel has a number of security related fixes including:

  • The kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576)
  • Ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)
  • Taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)
  • /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495)
  • The Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497)
  • The EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695)
  • The IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699)
  • The perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905)
  • Long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928)
  • The kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188)
  • The CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191)

The other new kernel, 2.6.38-12, is a backport of kernel 2.6.38 from Ubuntu 11.04 to the standard repository. This kernel also contains a number of security updates.

PacketFence 3 Adds New Hardware Support Plus New Features

(LiveHacking.Com) – A new major, production ready, version of PacketFence has been released. The new release brings new hardware support, several new features, various enhancements, and many important bug fixes.

PacketFence 3.0 is a free and open source network access control (NAC) solution, that allows network administrators to control access to the network based on defined policies. PacketFence includes a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner.

In version 3.0, the captive portal has been redesigned and complete guest management, including self-registration of devices by email activation or SMS and pre-registered guest creation by administrators, has been added. Support for Red Hat Enterprise Linux 6 / CentOS 6 and Snort 2.9.x has also been added.

The new hardware supported includes:

  • Avaya/Nortel switches now support the floating network device feature
  • Avaya Wireless Controller support
  • Dlink DWL Access-Point support
  • LG-Ericsson iPecs 4500 support for port-security and MAC Authentication / 802.1X
  • Netgear FGS Series support for port-security

More details about the release can be found in the release announcement and in the change log. It can be downloaded as source and as RPMs for RHEL6 or CentOS 6.

Linux Foundation Security Breach

(LiveHacking.Com) – The Linux Foundation has suffered a security breach on its Linux.com and LinuxFoundation.org websites. On September 8, 2011, it discovered a security breach that may have compromised the username, password, email address and other information of Linux.com users. The Linux Foundation thinks this latest breach is connected to the recent intrusion on kernel.org.

The Linux Foundation has sent emails to its users where it says:

You should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately.

The Linux Foundation, a non-profit organization set up to promote the growth of Linux, is currently auditing all its systems and has taken all its servers offline to do complete re-installs. The various Linux Foundation services will be put back up as they become available.

The Linux Foundation takes the security of its infrastructure and that of its members extremely seriously and are pursuing all avenues to investigate this attack and prevent future ones.