Daily Archives: March 6, 2016

glibc Security Vulnerability Patched

In late February security researchers announced the discovery of a critical security vulnerability in the GNU C library (glibc). This is the same library in which the Ghost vulnerability was found last year.

Why Should This Issue Be Considered Important?
This issue is a stack-based buffer overflow (defined) of critical severity that affects a large number of Linux systems, e.g.:

  • RedHat Enterprise Linux 6 (glibc version 2.12)
  • RedHat Enterprise Linux 7 (glibc version 2.17)
  • Debian squeeze (glibc version 2.11)
  • Debian wheezy (glibc version 2.13)
  • Debian Jessie (glibc version 2.19)

A complete list is available from this US-CERT vulnerability note.

Like Ghost, this vulnerability lies in glibc’s name-resolution code, this time in the getaddrinfo() function (defined) (Ghost was in gethostbyname()). It could allow an attacker to gain control over a vulnerable system when that system sends a DNS query that is answered by a DNS server under the attacker’s control.

Google researchers, in their responsible disclosure (defined) of this vulnerability, state that this flaw can be exploited through sudo, curl and ssh (among others), since any program that resolves host names through glibc is a potential vector. Man-in-the-middle attacks (defined) and attacker-controlled domain names are also mentioned as means of exploiting this vulnerability within Google’s security advisory.

The resolver keeps a 2048-byte buffer on the stack for DNS responses. A response larger than 2048 bytes (delivered over UDP (defined) or TCP (defined)) makes glibc switch to a larger heap buffer, but because of the bug the original stack buffer can still be used for the response that immediately follows, which then overflows the stack.

An attacker could trigger the above overflow (for instance) by having the target system perform a DNS (defined) lookup for a domain under the attacker’s control. Further technical details on exploiting this flaw are available from this message on the glibc project mailing list.

Mitigating factors for this vulnerability include ASLR (defined), which makes reliable exploitation harder but does not prevent it. Until you can apply the security patch, one option is to limit the response sizes accepted by the local DNS resolver to 1024 bytes (for both UDP and TCP), which blocks the oversized response needed to trigger the stack-based buffer overflow, at the cost of discarding legitimately large responses (for example DNSSEC-signed answers). Further mitigations are mentioned by Google (see the heading: Issue Summary) in their security advisory and by the glibc developers in their patch announcement for this vulnerability. A further defence-in-depth (defined)(PDF) mitigation is provided by SANS Institute’s Johannes B. Ullrich in this forum thread.

How Can I Protect Myself from This Issue?

If your Linux system is vulnerable, install the glibc update from your distribution as soon as it is available; if one has not yet been released, keep checking. You can check for updates by using the package manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu), which should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux is provided below:

RedHat also highlights the need to patch/update containers (defined, e.g. Docker containers) as well as verifying the fixes are installed across the containers running within large organizations. This is because each container image bundles its own copy of glibc, so updating the host does not fix the containers running on it.

Once the update is installed, you will need to restart/reboot the Linux device to have the update take effect: processes that were already running (including long-lived services such as sshd) keep the old copy of glibc mapped in memory until they are restarted, and a reboot is the simplest way to make sure none remain.
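As an added example (not from the original post, and not a distribution tool), the following POSIX shell script shows the two checks behind the advice above: it prints the installed glibc version and lists processes that still have the old, now-deleted libc mapped, which need restarting (or a reboot). The helper that inspects maps output is also exercised on a constructed /proc/<pid>/maps sample so that the script runs anywhere; the file-name pattern it looks for is an assumption about typical glibc naming.

```shell
#!/bin/sh
# Added example, not part of the original post: post-update checks for glibc.
# Works on any Linux with /proc; on other systems the /proc scan finds nothing.

# Report the glibc version the running system provides ("unknown" if not glibc).
glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null || echo "unknown"
}

# Read /proc/<pid>/maps-style lines on stdin and pass through those that map a
# libc object the kernel marks "(deleted)", i.e. a library file replaced on disk
# by the update while the process kept running against the old copy.
# The name pattern (libc-2.19.so, libc.so.6, ...) is an assumption about common
# glibc file names.
deleted_libc_maps() {
    grep -E '/libc[-.][^ ]* \(deleted\)$'
}

# Count such mappings in the maps text on stdin (prints 0 when there are none).
count_deleted_libc() {
    deleted_libc_maps | wc -l | tr -d ' '
}

# Walk every process and print "<pid> <command line>" for those still running
# on the old libc. Maps files you cannot read (other users' processes when not
# root) are silently skipped, so run as root for a complete picture.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        n=$(cat "$maps" 2>/dev/null | count_deleted_libc)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    return 0
}

# Constructed sample of a maps file for a daemon started before the update:
# two segments of the old libc plus the dynamic loader (which is fine).
SAMPLE_MAPS='7f2a1c000000-7f2a1c1c0000 r-xp 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2a1c3c0000-7f2a1c3c4000 r--p 001c0000 fd:01 1234 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2a1c5e0000-7f2a1c600000 r-xp 00000000 fd:01 5678 /lib/x86_64-linux-gnu/ld-2.19.so'

echo "glibc version: $(glibc_version)"
echo "stale libc mappings in constructed sample: $(printf '%s\n' "$SAMPLE_MAPS" | count_deleted_libc)"   # 2
echo "processes on this host still using a deleted libc (restart them, or reboot):"
stale_libc_pids
```

On RHEL/CentOS the needs-restarting tool (from yum-utils), and on Debian/Ubuntu checkrestart (debian-goodies) or needrestart, perform the same check more thoroughly; the script above only shows what they look for.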

Update: 20th March 2016:
The glibc vulnerability affected VMware’s ESXi version 5.5 and 6.0 products (among the other products listed in this post). In order to address these issues, please refer to VMware’s security advisory to download the necessary updates.

Thank you.

=======================
Aside:
What is a library (when used in the context of computing)?
The general concept of a code library is defined here. DLLs (defined) are the Windows form of a shared library and so are not relevant to this discussion of Linux systems, where glibc is loaded as a shared object (.so file).
=======================

Blog Post Shout Out March 2016

With the growing prevalence of ransomware, it’s prudent to take steps to avoid becoming infected with this malware and losing your data, and to be able to recover quickly without paying the ransom.

For these reasons I wanted to provide a respectful shout-out to the following blog posts that provide practical advice to businesses and consumers/personal users on how to protect yourself from ransomware and the “Locky” variant of ransomware:

The Simple Way to Stop your Business from Being Extorted by Ransomware by Graham Cluley (writing for Bitdefender)

“Locky” ransomware – what you need to know by Paul Ducklin (Sophos Security)

Update: 12th March 2016:
Got ransomware? What are your options? by Paul Ducklin (Sophos Security)

Massive Volume of Ransomware by Rodel Mendrez (SpiderLabs) : Details how to defend against the Locky ransomware being spread using JavaScript within spam messages.

Further information/discussion on ransomware is provided in a previous blog post. I hope that you find the above posts useful. Thank you.

OpenSSH Releases v7.2 Security Update

On the 29th of February OpenSSH released version 7.2, which further hardened it against the Logjam attack (by increasing the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits) as well as incorporating the changes initially made available in mid-January with version 7.1p2.

Why Should These Issues Be Considered Important?
Further hardening OpenSSH against Logjam is important for the reasons detailed in my previous blog post on that attack.

With version 7.1p2, experimental client-side roaming support (where a client is the computer/device a person uses to access a server) was disabled to resolve a high-severity information disclosure issue. Roaming is the name given to the ability to resume an SSH (Secure Shell, defined) connection from where it left off should the client suddenly become disconnected.

While this issue is not easy to exploit (further details are provided below under the heading “How Can I Protect Myself from These Issues”), it had the potential to allow an attacker who had compromised a legitimate SSH server (or who ran a malicious server the client was willing to connect to) to read the contents of the connecting client’s memory, which could include credentials and, in particular, any SSH private keys the client had loaded. With those keys the attacker could have compromised further SSH accounts.

3 other low-risk security vulnerabilities detailed in the release notes were also resolved in version 7.1p2. In version 7.2, the roaming code mentioned above was removed entirely and 2 further security issues detailed in the release notes were resolved.

How Can I Protect Myself from These Issues?
Because the SSH client authenticates the server by its host key, the information disclosure issue mentioned above (fixed in version 7.1p2) cannot be exploited by a man-in-the-middle attack (defined); the attacker must control a server the client already trusts. While you are working to deploy the patch for this issue, for versions 5.4 of OpenSSH and higher the roaming code can be disabled as follows (source):

  • adding ‘UseRoaming no’ to the global ssh_config(5) file
  • or adding it to the user configuration in ~/.ssh/config
  • or passing -oUseRoaming=no on the command line
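As an added example (not code from the OpenSSH project), the following POSIX shell script automates the two pieces of hardening this post touches on: on the server side it drops Diffie-Hellman group-exchange moduli smaller than 2048 bits from a moduli file (the Logjam hardening that 7.2 now enforces), and on the client side it ensures an ssh_config file disables roaming, placing the directive at the top of the file because ssh_config(5) uses the first value it finds for each option, so a line buried after a Host block would only apply to that host. The moduli lines and client configuration it operates on are constructed samples written to a temporary directory; the paths are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSH project code: Logjam moduli filtering and the
# UseRoaming workaround, exercised on constructed sample files.

# Keep comment lines and only those /etc/ssh/moduli entries whose size field
# (column 5, the bit length minus one, so 2047 means a 2048-bit group) is at
# least 2047. Feed the existing file on stdin, write to a new file, then move
# it into place rather than rewriting /etc/ssh/moduli while sshd may read it.
filter_moduli() {
    awk '/^#/ { print; next } $5 >= 2047 { print }'
}

# Count the moduli entries (non-comment lines) on stdin; prints 0 if none.
count_moduli() {
    grep -vc '^#' || true
}

# Exit 0 if the client config's global section (the lines before the first
# Host/Match block, which is what applies to every connection) contains
# "UseRoaming no", 1 otherwise. Assumes "keyword value" syntax, not "keyword=value".
roaming_disabled() {
    awk '
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == "useroaming" && tolower($2) == "no" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prepend "UseRoaming no" to the given ssh_config file if its global section
# lacks it. Prints "present" or "added".
ensure_no_roaming() {
    cfg=$1
    if roaming_disabled "$cfg"; then
        echo present
        return 0
    fi
    { printf 'UseRoaming no\n'; cat "$cfg"; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    echo added
}

# Constructed moduli sample: a 1024-bit group (the size Logjam targets), a
# 2048-bit group and a 4096-bit group; the modulus column is a placeholder.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20160229000000 2 6 100 1023 2 F0F0F0F0
20160229000000 2 6 100 2047 2 A5A5A5A5
20160229000000 2 6 100 4095 5 C3C3C3C3'

# Constructed client config with a Host block but no global UseRoaming line.
SAMPLE_CONFIG='Host bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519'

work=$(mktemp -d)
printf '%s\n' "$SAMPLE_MODULI" > "$work/moduli"
printf '%s\n' "$SAMPLE_CONFIG" > "$work/ssh_config"

echo "moduli entries before: $(count_moduli < "$work/moduli"), after: $(filter_moduli < "$work/moduli" | count_moduli)"   # 3, 2
filter_moduli < "$work/moduli" > "$work/moduli.safe"   # on a real host: mv moduli.safe /etc/ssh/moduli
echo "roaming: $(ensure_no_roaming "$work/ssh_config")"  # added
echo "roaming: $(ensure_no_roaming "$work/ssh_config")"  # present
head -n 1 "$work/ssh_config"                             # UseRoaming no
rm -rf "$work"
```

On OpenSSH 6.8 and later, `ssh -G hostname` prints the client’s effective configuration, which is a quick way to confirm that a directive in the global section really applies to the host you are about to connect to.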

Please upgrade to OpenSSH version 7.2 (the most recent at the time of writing) to resolve all of the security issues mentioned within this post.

Thank you.

Putty 0.67 Security Update Released

Yesterday an update to the open-source Putty SSH client (Secure Shell, defined) for Windows was released (bringing it to version 0.67), resolving a high-priority security issue and, to “defend against malicious other processes reading sensitive data out of its memory”, setting its process ACL (defined) more restrictively.

This update also fixes other software bugs, and its executable files and installer are now digitally signed (defined) using Authenticode, so you can confirm that a downloaded copy is genuine by checking the signature (for example on the Digital Signatures tab of the file’s Properties dialog in Windows Explorer) before running it. Full details of the changes in version 0.67 are available in the changelog.

The updated version is available for download from this page. Please only download Putty from the previously provided link, since tampered versions have previously been made available in an effort to spread malware.

If you use Putty, please update as soon as possible to benefit from the security fixes that version 0.67 includes, as well as the fixes for the general software bugs that were also addressed.

Thank you.

Drupal Releases Security Updates (Feb 2016)

Drupal, the widely used website Content Management System (CMS) (defined), in late February released security updates for versions 6, 7 and 8.

10 security issues were addressed by the released security updates, of the severities listed below:

  • 1x critical
  • 6x moderately critical
  • 3x less critical

Drupal users should upgrade to versions 6.38, 7.43 or 8.0.4 as appropriate. Further information and steps to install the updates are available in Drupal’s Security Advisory.

As noted by Drupal, version 6 has reached its end of life (EOL) and will no longer receive security updates going forward (6.38 is its final release). Further information is provided in this dedicated page.

Moreover, in early January IOActive senior security consultant Fernando Arnaboldi disclosed 3 security issues in a blog post. While these issues were responsibly disclosed to Drupal, at the time of writing they had not been addressed. As advised within that blog post, those who administer Drupal installations may wish to manually download updates for Drupal and its add-ons in order to work around these issues until they are addressed.

Thank you.