October 24, 2014

In brief: Red Hat gets EAL4+ Certification for Enterprise Linux 6

(LiveHacking.Com) – Red Hat Enterprise Linux 6 has been awarded the Common Criteria Certification at Evaluation Assurance Level 4+ (EAL4+) for the Operating System Protection Profile (OSPP) including extended modules for Advanced Management, Advanced Audit, Labeled Security, and Virtualization. EAL4+ is the highest level of assurance for an unmodified commercial operating system.

Used by the federal government and other organizations, the Common Criteria is an internationally recognized set of standards used to assess the security and assurance of technology products. The newly awarded certification proves to government agencies, financial institutions, and other security-sensitive markets that Red Hat Enterprise Linux 6 meets government security standards.

Part of the certification provides assurance that using RHEL 6 with the KVM hypervisor allows providers to host many guest operating systems on the same machine while keeping them separated from each other using Mandatory Access Control technology developed by the NSA.

“This is marks our 15th completed Common Criteria certification for Red Hat Enterprise Linux, earning Red Hat a place at the top of the list of the industry’s most certified operating systems. We’ve been deeply committed to security certifications so that customers can confidently turn to Red Hat for the expertise to deploy open source solutions at maximum security levels, and our work with Dell, HP, IBM and SGI on this certification reinforces that government customers can run Red Hat Enterprise Linux with confidence on a wide variety of hardware from many of the industry’s top providers,” said Paul Smith, vice president and general manager, Public Sector operations, Red Hat.

In brief: New version of popular Exim mail server plugs remote code execution flaw

(LiveHacking.Com) – A new version of the popular Exim mail server has been released to plug a critical  remote code execution flaw exposed when built with DKIM support, which is the default. Exim 4.80.2 is identical to 4.80 except for the fixes required to plug the security hole.

According to a posting made on the exim-announce mailing list, the issue (CVE-2012-5671) was found during an internal code review of an area of the Exim codebase relevant to another issue, namely DKIM signing and verification, which has been the subject of US-CERT VU#268267 and Common Weakness identifiers CWE-347 and CWE-326.

The security vulnerability can be exploited by anyone who can send email from a domain for which they control the DNS. The class of attack is known as a “heap-based buffer overflow”.

Builds of Exim which used the DISABLE_DKIM option are not vulnerable. The Exim team are confident that the next release of Exim will, eventually, be 4.82, and should include the various improvements made since 4.80. However that release will use the normal release candidate baking process.

The release is now available from the primary ftp sites:

Coverity releases open source library to help developers fix XSS issues in Java web applications

(LiveHacking.Com) – A new, open source library has been released to help developers easily fix cross-site scripting (XSS) security defects in Java web applications. The library, which gives developers a range of  free escaping and encoding functions, has been released by Coverity, a development testing company who invented a new way to test source code to reveal critical software defects.

The idea is that the new library will enable developers with limited security expertise to quickly fix XSS security defects in Java web applications. It does this by providing a set of functions for data escaping and encoding.

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder, CTO and head of the Security Research Laboratory. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down. With the Coverity Security Library, developers now have a powerful and easy-to-use library to help them plug some of the most common security holes early in the development process when they are easiest to fix.”

The company has released the Coverity Security Library to the open source community on  GitHub and Maven as a standalone repository. The important question is why do developers need another security library?  Coverity’s answer is that many existing libraries are incomplete and the one that are complete are too  complex and inefficient. The end result was that Coverity couldn’t find a freely available library that it felt comfortable recommending to users.

Coverity is also looking for contributions from the community as it expands the library in the future. It hopes to earn the trust of users and believes that making the library available under a liberal BSD-like open source license will help increase the transparency.

Although the library is open source, the advantage for Coverity is that the library can also be used in conjunction with the Coverity® Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in finding fixes.

NVIDIA fixes root privilege escalation in its Linux drivers

(LiveHacking.com) — Over a month ago an anonymous coder sent a small C program to Dave Airlie, who maintains the Direct Rendering Manager (DRM) subsystem in the Linux kernel, that allows an attacker to gain root access to a Linux machine by exploiting a vulnerability in NVIDIA’s Linux drivers.

The exploit works by using a vulnerability in the /dev/nvidiao device which allows the VGA window to be moved around until it can read and write to somewhere useful in physical RAM. Then the exploit performs a root privilege escalation by writing directly to kernel memory.

Over a month passed since information about the vulnerability was submitted to NVIDIA and the graphics company has not responded. As a result Airlie has made the exploit public.

“I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I’d post it for them,” wrote Dave Airlie in a post to a security mailing list.

NVIDIA has now released version 304.32 of its drivers for Linux, FreeBSD and Solaris. The updated driver contains a hotfix to block access to the registers involved in this attack. At the same time NVIDIA has also blocked access to some other registers which it identified as being susceptible to a similar type of attack.

The 295.71 driver is available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/295.71/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/295.71/

Solaris: ftp://download.nvidia.com/solaris/295.71/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/295.71/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/295.71/

The 304.32 driver is also available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/304.32/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/304.32/

Solaris: ftp://download.nvidia.com/solaris/304.32/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/304.32/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/304.32/

Details about the updated driver and the patches are available at: http://nvidia.custhelp.com/app/answers/detail/a_id/3140

VLC fixes a couple of security vulnerabilities and adds support for Retina display on the new MacBook Pro

VLC 2.0.2 “Twoflower”, which is being called “an important update”, has been released by the VLC project team to fix a series of regressions to the 2.0.x branch of VLC, to fix a couple of security vulnerabilities and to add support for Apple’s Retina Display (HiDPI) on the new MacBook Pros.

According to the release page, 2.0.2 fixes a couple of hundreds of bugs, and adds more than 500 commits on top of 2.0.1. These fixes include:

  • Fix video output for old graphic cards on Windows XP, which are using DirectX
  • Fix video output on old Macs, notably PowerPC and GMA950 intel Macs.
  • Fixes for splitted RAR, MKV segmented, mp4 and Real media files playback.
  • Fixes for subtitles auto-detection
  • Fixes on Qt, skins2 and web interfaces
  • Fixed crash when trying to open an Audio CD by drag & drop
  • Fixed a crash when attaching hard drives with multiple partitions while VLC is running

According to a blog post by VLC developer Felix Kühne, VLC 2.0.2 also includes the following security content:

  • Fixed Ogg Heap buffer overflow
  • Updated taglib (CVE-2012-2396)

CVE-2012-2396 describes how VLC 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a specially crafted MP4 file. More details on this can be found here where an exploit and POC are given.

More details about VLC 2.02 can be found in the release notes and it can be downloaded for Windows, Mac OS X and Linux here.

Maintenance and Security Update for WordPress

(LiveHacking.com) – The WordPress team has released WordPress 3.4.1 to fix an important information disclosure vulnerability, in addition to Cross-Site Scripting (XSS) and privilege escalation vulnerabilities.

According to the WordPress blog, this release also addresses 18 bugs with version 3.4, including:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

WordPress 3.4.1 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

System privilege escalation vulnerability found in XEN on 64-bit Intel hardware

(LiveHacking.Com) – Rafal Wojtczuk of Bromium, Inc. has found a new vulnerability that could possibility be exploited for local privilege escalation. The bug in several different operating systems and Hypevisors, like the XEN virtualization software, affects systems using 64-bit Intel CPU hardware. To exploit the vulnerability an attacker needs to create a special stack frame which will be executed by the kernel of the host operating system after a general protection fault. The problem is that the general protection fault will be handled before the stack switch, which means the exception handler will be run in the kernel of the host operating system using the specially created stack frame, in short – a privilege escalation.

The error only exhibts itself on Intel 64-bit CPUs. AMD CPUs are not affected. Also the vulnerability seems to exist only in the XEN hypervisor (or its variants). VMware is not vulnerable. According to Xen Security Advisory 7, the result of a successful exploitation is that administrators of guest OSes can gain control of the host OS.

Modern operating systems implement a rings model of security, where privileged operations are performed in RING 0 (the kernel). Most applications run in RING 3 and request access to RING 0 by making system calls. The calls put the CPU into the required privilege level and passes control to the kernel. By using the combination of a special stack frame and a general protection fault the attackers force the system to run their code in RING 0 rather than RING 3.

Microsoft released a patch for Windows a few days ago as part of June’s Patch Tuesday. According to Microsoft the fix changes the way that the Windows User Mode Scheduler handles a particular system request and the way that Windows manages BIOS ROM.

Vendor specific information on this vulnerability have been published by XenFreeBSD and Microsoft. Linux vendor Red Hat has also published two security advisories: RHSA-2012:0720-1 and RHSA-2012:0721-1.

On some operating systems, like FreeBSD, running the 32-bit variant of the OS on a 64 bit capable CPUs means the operating systems is not vulnerable.

Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, the use of the SPDY by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities including two issues with the Mozilla updater and the Mozilla updater service which were introduced in Firefox 12 the Windows versions of the browser.

According to Mozilla Foundation Security Advisory 2012-35 Security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. For a hacker to exploit these vulnerabilities they would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 – Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 – Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 – Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presume that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. The SPDY, which is designed as a successor to HTTP, tried to reduces the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix 6 security vulnerabilities including two cross-site scripting vulnerabilities and a privilege escalation. The fixed vulnerabilities come in two distinct parts. First, three external libraries included in WordPress received security updates and second, the WordPress core security team have fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to  version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, fixed a the way the Flash part of the library worked to avoid CSRF issues.

Two other Flash related libraries were also updated, SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins and SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

PHP 5.3.10 Fixes Critical Security Vulnerability

(LiveHacking.Com) – The PHP development team have released PHP 5.3.10 to fix a recently discovered remote code execution vulnerability. The vulnerability is a result of the hash table collisions CPU usage denial-of-service fix which was added to 5.3.9. For that fix the maximum possible number of input parameters was limited to 1000, but because of a bug in the implementation a remote attacker could send a large number of specially crafted POST requests, which could crash PHP or allow arbitrary code execution.

PHP 5.3.9 was released just over two weeks ago with over 90 bug fixes, some of which were security related. Among them was a fix for the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python). At the end of last year, Alexander Klink and Julian Wälde revealed that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request. So it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition. PHP 5.3.10 fixes the fix for the fix!

The new version of PHP can be downloaded  here and it is recommended that all users to upgrade to the new version. The different Linux distributions have started to update their repositories: