|
Security
ByNathan Willis
April 24, 2013
Ubuntu has started outlining its plans for supporting third-party
applications on mobile devices. The larger plan involves enabling
independent developers to deliver their apps to phone and tablet
users, but without going through the lengthy process currently used
for maintaining packages in the desktop and server repositories.
Consequently, new measures are planned to protect system security from
potentially malicious applications. The blueprint is based on
AppArmor, but it attempts to address several distinctions in the
mobile device platform that AppArmor on desktops usually ignores.
The primary motivator for the new security work is that on desktop systems,
the user session has historically been treated as "trusted"; Unix-like
systems sport mechanisms that programs could use to attack other
programs, but in practice programs have generally been trusted not to
do so. Perhaps this is because the vast majority of desktop software
on Linux systems is delivered through distribution (or
project-specific) software repositories, which by and large have
established review processes in place—or else the software in
question is compiled locally, which places more of the burden for
watching out for security issues on the user or administrator.
But mobile Linux systems are different. Casual phone users are
less likely to be security-conscious developers or longstanding
participants in the (at times) wild open source community. A far
higher percentage of mobile phones apps are deployed as third-party apps
on Linux desktop applications. Android copes
with this distinct risk profile by several means, including
restricting apps to its application sandbox and running each app as a
separate user, but also by developing its own services for
inter-process communication (IPC) and similar features.
The Ubuntu mobile platform, however, is intended to stay as close
as possible to the system stack used on desktops and servers.
Creating a separate IPC mechanism, permission system, and storage
system solely for mobile devices is out of the question. The Ubuntu
Security Team has published a specification
outlining both the security risks found in the desktop environment,
and how it plans to compensate for those risks on mobile devices.
The risks and requirements
The basic requirements needed from the "application confinement"
framework (as it is called) include the ability to pre-define filesystem
locations that the app can access, the ability to restrict Internet
access, and the ability to log events for debugging and auditing
purposes. AppArmor already meets
those requirements, and it offers several additional options, such as
the ability to restrict things like library loading, capabilities, and certain
privileged operations.
But AppArmor does not currently address some other important system
components, such as D-Bus, the GConf or GSettings configuration
storage frameworks, or the display server. D-Bus runs several IPC
"buses," including the privileged system bus and the user session bus.
But on desktop systems it does not enforce any restrictions on
using the session bus, so malicious apps could potentially send harmful
messages to other programs. GConf generally uses a single settings
database for all applications associated with a user account, and
GSettings has a similar per-user settings database. The X display
server features several mechanisms that a malicious app could use to
sniff data from other applications, such as the clipboard,
screenshots, input events, drag-and-drop, and the XSETTINGS
configuration framework.
Many desktop systems also take a lax approach to environment
variables, such as allowing applications to load arbitrary modules by
setting a special environment variable. Applications can also
send signals to other processes (such as SIGTERM), and potentially
discover information about other processes through /proc.
The specification also notes that the GNOME Keyring and Ubuntu Online
Accounts programs are both potential security risks, since they store
user credentials of various types, but both respond to queries from
other applications over D-Bus.
And they have a plan
The risks posed by X constitute a challenge on
their own. Obviously, the display server issues fall under
Ubuntu's plans to develop its own Mir
display server and Unity-Next graphical shell. The application
confinement specification notes in brief that Mir should prevent
arbitrary applications from taking screenshots and from sniffing input
events belonging to other applications, and that Mir will not support
XSETTINGS. Mir will also utilize AppArmor policy rules to limit access to the
clipboard and to drag-and-drop events.
Many of the other challenges will be addressed through AppArmor
profiles, though some necessitate changes to AppArmor or to the system
frameworks involved. Each app will be shipped with its own AppArmor
profile, which will enumerate its permissions. The app
launcher will handle loading the AppArmor profile, configuring the
environment, and launching the app (as well as cleaning up after the
app shuts down). This process also requires some changes to
AppArmor, since the way it currently works, all profiles are loaded at
system start-up. The launcher process will also remain alive to
monitor running apps, shutting them down if they violate CPU or memory
limits, or cause an AppArmor failure event. The specification notes
that cgroups were considered for this resource-monitoring task, but
that they were not deemed a good fit for the mobile use-case.
The Ubuntu SDK is intended to help developers create
these per-app AppArmor profiles; there will be some
sort of review
process involved which will hopefully catch security violations,
but it is still in development. Ultimately, though, the purpose of
the confinement scheme is to make the app review process short, but
still provide end users with improved security.
To that end, Ubuntu is working on adding
D-Bus monitoring to AppArmor policies. Apps will not be allowed to
access D-Bus services that belong to the system; there is a blacklist
including com.canonical.*, net.launchpad.*,
org.gnome.*, org.gtk.*, and other reserved
namespaces. Access to GConf and GSettings will be blocked by
default. Since GConf has been deprecated in favor of GSettings, it
will not receive any further work, but the plan is to develop a
fine-grained access mechanism for GSettings. Each app will be allowed
to access only specific, whitelisted GSettings paths.
The current plan for environment variable handling is for each
AppArmor profile to specify which environment variables the app is
authorized to change, and to either deny the app from launching if it
attempts to set other environment variables, or to "scrub" those
variables before launch. Similarly, AppArmor profiles will whitelist
which signals an app is allowed to send. AppArmor will also get
support for using the PID variable in profile rules, so
profiles will restrict apps to reading only the information in their
own /proc/PID directory.
The plan is for Ubuntu Online Accounts to gain AppArmor
integration; initially this will be boolean support—an app will
either be allowed to access online accounts, or it will not—but
support for finer-grained access in later releases is planned,
which will enable restricting access on the basis of each configured
account. The plan for GNOME Keyring is less clear. Initially, it, too, will be subject
to coarse, boolean access restrictions (which will default to "no
access"). Apps will also be restricted so that those with GNOME
Keyring access will only be permitted to read credentials that the app
itself has stored. But the specification says that it is possible that
fine-grain access may be added later, perhaps prompting the user when
an app requests access to a credential stored by a different
application.
The specification also lays out a plan for confining an app's
access to the filesystem. Each app will have its own private
directory for storing data and settings, in
~/.confined/foo. For access to other data in the
filesystem, apps will first need permission for the specific data type
in their AppArmor profile (e.g., "Photos", "Contacts", "Music", and so
on). When the app requests a file, a separate file-chooser process
will launch, allowing the user to select the file; this selection
will then be returned to the app over D-Bus. The point of this setup
is to force file-selection to be run past the user, so that
unauthorized access will not go unnoticed. But the specification
points out that exactly how the selected file gets returned may depend
on the file type; the details have yet to be fleshed out.
All in all, the Ubuntu application confinement scheme is designed
to be "lightweight"; a decision that the wiki says rules out several
other possible sandboxing mechanisms, such as LXC containers and
virtualization. It is also interesting to note how the decision to
run all programs as the same user drives many of the engineering
decisions which follow. Android, by comparison, creates a separate
user for each app. The Ubuntu application confinement scheme does
not use separate user IDs, which in turn is what necessitates setting
up security mechanisms to restrict signals, environment variables,
D-Bus, and the GConf and GSettings configuration systems.
An interesting thought experiment is to consider that all of the
risks that these well-known frameworks present on mobile devices also
exist on desktops and servers. But users and administrators are
accustomed to them, perhaps in large part because third-party binary
applications are relatively scarce on desktops and servers. Although
if Linux were to ever "hit it big" in the traditional,
world-marketshare-domination sense, that could change. That might
make much of the AppArmor work in Ubuntu's application confinement
plan considerably more widely applicable.
Comments (10 posted)
Brief items
We should consider that if the architecture of a system, even a mostly
*technically* secure system, is optimized for surveillance to the
company's benefit - it *will* almost certainly be forced to hand your
data over when ordered. Simply because it *is able to do so* at all,
we've learned that the law in the US is interpreted to suggest that such
companies must and they must do so silently. And it seems to be the case
that when the US has no legal recourse, it may use other methods for
jurisdictions beyond their direct legal reach. It might happen through
legal means, it might happen through general blackhattery, it might
happen through kidnapping a family member - compliance is possible and
there exists a case where compliance *will* happen.
— Jacob Appelbaum
I think you can safely say I’m incandescent with rage. BRING ME THE SEVERED
HEAD OF RUPERT MURDOCH!
— Cory
Doctorow gets a DMCA takedown notice from Fox
W3C is not developing a new DRM system, nor are we embracing DRM as an
organization. We do acknowledge that some in industry demand content
protection and that DRM use is currently widespread. We also know that
others find DRM anathema to the Open Web. In building the Open Web, we do
not equate "open" content with material that must be available free of
charge.
— W3C
on the Encrypted
Media Extensions
Comments (8 posted)
New vulnerabilities
icedtea-web: multiple vulnerabilities
| Package(s): | icedtea-web |
CVE #(s): | CVE-2013-1926
CVE-2013-1927
|
| Created: | April 18, 2013 |
Updated: | May 2, 2013 |
| Description: |
From the Red Hat advisory:
It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser.
(CVE-2013-1926)
The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack. (CVE-2013-1927) |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java-1.7.0-openjdk |
CVE #(s): | CVE-2013-0401
CVE-2013-1488
CVE-2013-1518
CVE-2013-1537
CVE-2013-1557
CVE-2013-1558
CVE-2013-1569
CVE-2013-2383
CVE-2013-2384
CVE-2013-2415
CVE-2013-2417
CVE-2013-2419
CVE-2013-2420
CVE-2013-2421
CVE-2013-2422
CVE-2013-2423
CVE-2013-2424
CVE-2013-2426
CVE-2013-2429
CVE-2013-2430
CVE-2013-2431
CVE-2013-2436
|
| Created: | April 18, 2013 |
Updated: | May 6, 2013 |
| Description: |
From the Red Hat advisory:
Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly use these
flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569,
CVE-2013-2383, CVE-2013-2384)
Multiple improper permission check issues were discovered in the Beans,
Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436, CVE-2013-1518,
CVE-2013-1557)
The previous default value of the java.rmi.server.useCodebaseOnly property
permitted the RMI implementation to automatically load classes from
remotely specified locations. An attacker able to connect to an application
using RMI could use this flaw to make the application execute arbitrary
code. (CVE-2013-1537)
Note: The fix for CVE-2013-1537 changes the default value of the property
to true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.
The 2D component did not properly process certain images. An untrusted Java
application or applet could possibly use this flaw to trigger Java Virtual
Machine memory corruption. (CVE-2013-2420)
It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform access checks and
MethodHandle lookups. An untrusted Java application or applet could
use these flaws to bypass Java sandbox restrictions. (CVE-2013-2431,
CVE-2013-2421, CVE-2013-2423)
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO
component did not protect against modification of their state while
performing certain native code operations. An untrusted Java application or
applet could possibly use these flaws to trigger Java Virtual Machine
memory corruption. (CVE-2013-2429, CVE-2013-2430)
The JDBC driver manager could incorrectly call the toString() method in
JDBC drivers, and the ConcurrentHashMap class could incorrectly call the
defaultReadObject() method. An untrusted Java application or applet could
possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1488, CVE-2013-2426)
The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly
invoke the system class loader. An untrusted Java application or applet
could possibly use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-0401)
Flaws were discovered in the Network component's InetAddress serialization,
and the 2D component's font handling. An untrusted Java application or
applet could possibly use these flaws to crash the Java Virtual Machine.
(CVE-2013-2417, CVE-2013-2419)
The MBeanInstantiator class implementation in the OpenJDK JMX component did
not properly check class access before creating new instances. An untrusted
Java application or applet could use this flaw to create instances of
non-public classes. (CVE-2013-2424)
It was discovered that JAX-WS could possibly create temporary files with
insecure permissions. A local attacker could use this flaw to access
temporary files created by an application using JAX-WS. (CVE-2013-2415)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website. |
| Alerts: |
|
Comments (none posted)
java: multiple unspecified vulnerabilities
| Package(s): | java-1.6.0-sun |
CVE #(s): | CVE-2013-1491
CVE-2013-1540
CVE-2013-1563
CVE-2013-2394
CVE-2013-2418
CVE-2013-2432
CVE-2013-2433
CVE-2013-2435
CVE-2013-2439
CVE-2013-2440
|
| Created: | April 19, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the Red Hat advisory:
-
CVE-2013-1491: Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
-
CVE-2013-1540: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
-
CVE-2013-1563: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
-
CVE-2013-2394: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
-
CVE-2013-2418: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
-
CVE-2013-2432: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
-
CVE-2013-2433: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
-
CVE-2013-2435: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
-
CVE-2013-2439: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
-
CVE-2013-2440: Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
|
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | linux |
CVE #(s): | CVE-2012-6544
CVE-2012-6545
CVE-2012-6548
|
| Created: | April 19, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the Ubuntu advisory:
-
Mathias Krause discovered information leaks in the Linux kernel's Bluetooth
Logical Link Control and Adaptation Protocol (L2CAP) implementation. A
local user could exploit these flaws to examine some of the kernel's stack
memory. (CVE-2012-6544)
-
Mathias Krause discovered information leaks in the Linux kernel's Bluetooth
RFCOMM protocol implementation. A local user could exploit these flaws to
examine parts of kernel memory. (CVE-2012-6545)
-
Mathias Krause discovered an information leak in the Linux kernel's UDF
file system implementation. A local user could exploit this flaw to examine
some of the kernel's heap memory. (CVE-2012-6548)
|
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
CVE #(s): | CVE-2013-1827
|
| Created: | April 24, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the CVE entry:
net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.
|
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | |
| Created: | April 24, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the Red Hat Bugzilla entry:
Linux kernel built with Function Tracers(CONFIG_FUNCTION_TRACER) &
Stack Tracers(CONFIG_STACK_TRACER) support is vulnerable to a NULL pointer
deference flaw. It occurs while writing to `set_ftrace_pid' or
`set_graph_function' files used by kernel tracers.
A privileged(CAP_SYS_ADMIN) user could use this flaw to crash the system
resulting in DoS. |
| Alerts: |
|
Comments (none posted)
mysql: multiple unspecified vulnerabilities
Comments (none posted)
owncloud: multiple vulnerabilities
| Package(s): | owncloud |
CVE #(s): | |
| Created: | April 24, 2013 |
Updated: | April 25, 2013 |
| Description: |
From the OwnCloud release notes:
-
XSS vulnerability in jPlayer (oC-SA-2013-014)
-
PovstgreSQL: Insecure database password generator (oC-SA-2013-015)
|
| Alerts: |
|
Comments (none posted)
tinc: code execution
| Package(s): | tinc |
CVE #(s): | CVE-2013-1428
|
| Created: | April 23, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the Debian advisory:
Martin Schobert discovered a stack-based vulnerability in tinc, a virtual
private network daemon.
When packets are forwarded via TCP, packet length is not checked against
the stack buffer length. Authenticated peers could use this to crash the
tinc daemon and maybe execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
xen: denial of service
| Package(s): | xen |
CVE #(s): | CVE-2013-1917
CVE-2013-1919
|
| Created: | April 18, 2013 |
Updated: | May 6, 2013 |
| Description: |
From the Debian advisory:
CVE-2013-1917:
The SYSENTER instruction can be used by PV guests to accelerate
system call processing. This instruction, however, leaves the EFLAGS
register mostly unmodified. This can be used by malicious or buggy
user space to cause the entire host to crash.
CVE-2013-1919:
Various IRQ related access control operations may not have the
intended effect, potentially permitting a stub domain to grant its
client domain access to an IRQ it doesn't have access to itself.
This can be used by malicious or buggy stub domains kernels to mount
a denial of service attack possibly affecting the whole system. |
| Alerts: |
|
Comments (none posted)
xorg-server: information disclosure
| Package(s): | xorg-server |
CVE #(s): | CVE-2013-1940
|
| Created: | April 18, 2013 |
Updated: | April 24, 2013 |
| Description: |
From the Debian advisory:
David Airlie and Peter Hutterer of Red Hat discovered that xorg-server,
the Xorg X server was vulnerable to an information disclosure flaw
related to input handling and devices hotplug.
When an X server is running but not on front (for example because of a VT
switch), a newly plugged input device would still be recognized and
handled by the X server, which would actually transmit input events to
its clients on the background.
This could allow an attacker to recover some input events not intended
for the X clients, including sensitive information. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
|
|
