Avian influenza. Review of *nix vulnerabilities in 2015

According to cvedetails.com, more than 1,305 vulnerabilities have been found in the Linux kernel since 1999, 68 of them in 2015. Most of them cause few problems (they are rated Local and Low), and some matter only in combination with particular applications or OS settings. These numbers are not that large in themselves, but the kernel is not the whole OS: vulnerabilities are also found in GNU Coreutils, Binutils, glibc and, of course, in user applications. Let's take a look at the most interesting of the bunch.

Vulnerabilities in the Linux kernel

OS: Linux
Level: Medium, Low
Vector: Remote
CVE: CVE-2015-3331, CVE-2015-4001, CVE-2015-4002, CVE-2015-4003
Exploit: proof of concept, https://lkml.org/lkml/2015/5/13/740, https://lkml.org/lkml/2015/5/13/744

The vulnerability found in June in the "__driver_rfc4106_decrypt" function of the "arch/x86/crypto/aesni-intel_glue." file in the Linux kernel stems from the fact that the RFC 4106 implementation for x86 processors supporting the AES-NI instruction set extension (proposed by Intel; Intel Advanced Encryption Standard Instructions) calculates buffer addresses incorrectly in certain cases. If an IPsec tunnel is configured to use this mode (the AES – CONFIG_CRYPTO_AES_NI_INTEL algorithm), the vulnerability may lead to memory corruption, kernel crashes and, potentially, remote code execution in the CryptoAPI. The most notable point is that the problem can be triggered by perfectly legitimate traffic, without any external intrusion. At the time of publication the problem had already been fixed.

Five vulnerabilities have been identified in the "ozwpan" driver in Linux 4.0.5, which has experimental status. Four of them allow a DoS attack that crashes the kernel by sending specially crafted packets. The problem is a buffer overflow caused by incorrect handling of signed integers: the calculation between "required_size" and "offset" used as the length for "memcpy" returned a negative value, and as a result data was written past the buffer on the heap. It is found in the "oz_hcd_get_desc_cnf" function in "drivers/staging/ozwpan/ozhcd.c" and in the "oz_usb_rx" and "oz_usb_handle_ep_data" functions of the "drivers/staging/ozwpan/ozusbsvc1.c" file. The remaining vulnerabilities involve possible divisions by zero, infinite loops and reads beyond the end of the allocated buffer.

The ozwpan driver, one of the newer additions to Linux, can be linked to wireless devices compatible with the Ozmo Devices (Wi-Fi Direct) technology. It implements a USB host controller, with the twist that instead of a physical connection the peripherals communicate over Wi-Fi. The driver accepts network packets with ethertype "0x892e", parses them and passes them on to different parts of the USB stack. It is still rarely used, so it can simply be disabled by unloading the "ozwpan.ko" module.
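The signed-arithmetic hazard described above, shown as an added illustration rather than the driver's real code: the struct and its field names are a constructed model based on the article's description, and safe_copy_fragment is a hypothetical hardened version that validates both values before memcpy is reached.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Constructed model of a descriptor-fragment copy like the one the article
 * describes: "required_size" and "offset" come from the network packet, so
 * both are attacker-controlled. Not the ozwpan driver's actual code. */
struct frag_hdr {
    int required_size;   /* total size the sender claims the descriptor has */
    int offset;          /* where this fragment goes inside the descriptor  */
};

/* The arithmetic the buggy pattern relied on: a signed subtraction whose
 * negative result is silently converted to a huge size_t for memcpy().
 * This function only computes the length; it never copies anything. */
size_t buggy_copy_len(const struct frag_hdr *h)
{
    int len = h->required_size - h->offset;   /* may go negative */
    return (size_t)len;                       /* -8 becomes SIZE_MAX - 7 */
}

/* Hardened variant: validate every length against the real buffer
 * capacity before memcpy(). Returns bytes copied, or -EINVAL on bad input. */
int safe_copy_fragment(unsigned char *dst, size_t dst_cap,
                       const unsigned char *src, size_t src_len,
                       const struct frag_hdr *h)
{
    if (h->required_size < 0 || h->offset < 0)
        return -EINVAL;                 /* reject negative values outright */
    if ((size_t)h->required_size > dst_cap)
        return -EINVAL;                 /* claimed size exceeds our buffer */
    if (h->offset > h->required_size)
        return -EINVAL;                 /* the exact case that went negative */
    size_t len = (size_t)(h->required_size - h->offset);
    if (len > src_len)
        len = src_len;                  /* never read past the packet payload */
    memcpy(dst + h->offset, src, len);  /* offset + len <= required_size <= dst_cap */
    return (int)len;
}
```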

Linux vulnerability statistics

Linux Ubuntu

OS: Linux Ubuntu 12.04-15.04 (kernels before June 15, 2015)
Level: Critical
Vector: Local
CVE: CVE-2015-1328
Exploit: https://www.exploit-db.com/exploits/37292/

A critical vulnerability in the OverlayFS file system lets users obtain root privileges on Ubuntu systems where unprivileged users are allowed to mount OverlayFS. The default settings required for exploitation are present in all Ubuntu releases from 12.04 to 15.04. OverlayFS itself appeared in the Linux kernel fairly recently, starting with "3.18-rc2" (2014); it is a SUSE development intended to replace UnionFS and AUFS. OverlayFS allows the creation of a virtual multi-layer file system that joins several parts of other file systems. The FS is built from a lower and an upper layer, each bound to a different directory. The lower layer is read-only and can be any Linux-supported FS, including network ones. The upper layer is usually writable, and its data overlays the lower layer's where files are duplicated.

It is used in live distributions, container virtualization systems and to organise containerised operation of several desktop applications. User namespaces allow container-specific sets of user and group IDs to be created inside containers. The vulnerability is caused by incorrect permission checks when creating new files in the lower FS directory. If the kernel is built with the "CONFIG_USER_NS=y" option (user namespaces enabled) and the "FS_USERNS_MOUNT" flag is set for the mount, OverlayFS can be mounted by a regular user in a separate namespace, including one in which operations with root rights are permitted. In that case file operations performed with root rights in such a namespace get the same privileges when acting on the underlying FS. It is therefore possible to mount any FS partition and view or modify any file or directory.

Since publication, Ubuntu has made available a kernel update with a fixed OverlayFS module, so an updated system should have no problems. Where updating is impossible, a temporary measure is to stop using OverlayFS by removing the "overlayfs.ko" module.

Vulnerabilities in main applications

OS: Linux
Level: Critical
Vector: Local, Remote
CVE: CVE-2015-0235
Exploit: https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb

A dangerous vulnerability in the standard GNU glibc library, a core component of any Linux OS, and in certain versions of Oracle Communications Applications and Oracle Pillar Axiom, was identified during a code audit by researchers from Qualys. It has since received the code name GHOST. The vulnerability is a buffer overflow inside the "__nss_hostname_digits_dots()" function, which is used to resolve host names by "glibc" functions such as "gethostbyname()" and "gethostbyname2()" (hence the name GetHOST). To exploit it, one needs to trigger the overflow with an invalid host name argument in an application that performs name resolution via DNS. In theory the vulnerability can be exploited in any application that uses the network to some extent. It can be triggered locally or remotely and allows arbitrary code execution.
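A self-check in the spirit of the published GHOST test, added here as an example and not the page's or Qualys's own code: it hands gethostbyname_r() a buffer that an unfixed glibc believes is just large enough, and watches a canary placed directly after it. It assumes a glibc-based system; on another libc the outcome is reported as inconclusive rather than guessed.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the self-check. */
enum ghost_result { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* A canary placed directly after the buffer handed to gethostbyname_r():
 * if the library writes past the buffer, the canary changes. */
#define CANARY "in_the_coal_mine"
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum ghost_result ghost_check(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    /* The unfixed size check omits one char* (the alias pointer). Pick a
     * name length so that an unfixed glibc thinks the buffer is exactly
     * big enough, while a fixed one reports ERANGE instead of writing. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);          /* all-digit names take the affected path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;     /* the canary was overwritten */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE; /* fixed glibc refused the short buffer */
    return GHOST_INCONCLUSIVE;       /* other libc or code path: cannot tell */
}

int main(void)
{
    static const char *msg[] = { "not vulnerable", "vulnerable", "inconclusive" };
    printf("GHOST self-check: %s\n", msg[ghost_check()]);
    return 0;
}
```

Because distributions backport fixes, this behavioural check is more reliable than comparing the reported glibc version number.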

The most interesting thing is that the bug was fixed back in May 2013 and the patch landed between "glibc" releases 2.17 and 2.18, but the problem was not classified as a security fix, so nobody paid attention to it. As a result, many distributions remained vulnerable. Initially it was reported that the first vulnerable version was 2.2 (November 10, 2000), but the bug may actually go back to version 2.0. RHEL/CentOS 5.x-7.x, Debian 7 and Ubuntu 12.04 LTS were among those exposed. Fixes are now available for these. The researchers also released a utility that demonstrates the nature of the vulnerability and lets users check their systems. Everything is fine on Ubuntu 12.04.4 LTS:
