I found multiple vulnerabilities in software from Schneider Electric, used to monitor industrial monitoring devices. It reveals a very poor security design.
The editor was informed and I am waiting for its acknowledgement. I will disclose more details once the issues are patched.
A big change on Security Focus is going to happen. Except the vulnerability database, most of its content and resources are going to move to Symantec. RIP.
Nessus 4.2 is out.
I tried it out and I must say that the new UI is great. I am not a big fan of Flash and I regret this choice. However, the design is excellent, all options are accessible in a logical way. Instead of spreading over the options like it used to be, they come to you in the right order.
I also appreciate that the server and the client set-up are now unified thanks to the web interface (you can access it from localhost or from the network indifferently).
The report section has also been greatly improved.
So, if you were already an Nessus user, it is worth upgrading.
Talking about the set-up, there is an up-to-date package for openSUSE (of course, there are a lot less dependencies than before).
A security advisory on OpenSSL has recently been published. Details are there and there.
It is vulnerable to a MiTM attack where the attacker can intercept and retrieve the credential to a trusted HTTPS website, by intercepting the session cookie sent back to the client.
A proof of concept of an attack against Twitter was made.
Fine. But so far, the answer was to just disable any renegociation.
This actually causes some issues with SSL session timeout and totally broke client authentication.
I got into problems because of the latter. I am using client authentication for some location of my web server, and I recently could not connect anymore to these with the following log in apache :
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:Exit: error in SSLv3 read client hello A [Tue Nov 24 16:56:15 2009] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
I first was not aware of the openssl patch and tried almost anything possible. My focus was, of course, on the certificate and the client.
But, a nice guy on IRC #suse, Stittel, had a good hunch and suggested me to look at the CVE-2009-3555 fix.
After more tests, it was quickly confirmed to work well with older versions of OpenSSL (as shipped in Debian Lenny).
Finally, I downgraded the OpenSSL version on my openSUSE box to a version prior to the CVE-2009-3555 fix and it just worked fine.
Then, I dig into it and found a lot of interesting reports there and there. So far it is a real mess.
In short, the breakage will stay as long as browsers don’t also include a patch to avoid renegotiation.
So far, I could not find a browser that does include a patch.
If anyone reading it knows a version that does it, please let me know.
Meanwhile, you have actually the choice between :
As my server is not very exposed, I chose the latter, but that’s not satisfying. It is not recommended, but if like me you need to use client authentication with mod_ssl on openSUSE 11.2, do :
% zypper install --from repo-oss openssl openssl-certs libopenssl0_9_8 libopenssl0_9_8-32bit
where repo-oss is the alias to the 11.2 release (without updates) on your system.
What a brutal way to fix an issues without much notification and consideration to the users ! Even the log message is wrong and just confusing the administrator…
PS 1 : thanks again to Stittel for the good hint (I hope you will come by here) and to the always nice and helpful #suse channel in general ;)
PS 2 : bug reported on openSUSE bugzilla
I am using the 2.6.30 kernel sources from Kernel:linux-next and noticed that it has not yet been patched against the ’sock_sendpage()’ NULL Pointer Dereference vulnerability.
The threat is serious as it could allow a local user to gain root privileges.
Those who compile their own 2.6.x kernel should apply this patch (from Linus, check there for more info) .
Within your kernel source folder :
$ patch -u -p0 < sock_sendpage.patch
I hope an official patch will be released soon for all kernels. I did not check if the 11.1 kernel has already been patched or not.
I will post later a few examples of network attacks. But, before that, I want to clarify what I call a network attack.
I see many people making a confusion about the use of this term, even among professional or specialized journalists. Whenever there is a hack originated from the Internet, they call it a network attack.
This is a true misunderstanding of the reality. We will see why when a website is hacked, or a domain name spoofed, we can’t call it a network attack.
First of all, we need to have a good picture of the way the protocols of the Internet are organized.
We can visualize it with the OSI concept, whose scheme is below :
This model offers 7 layers to contain all protocols involved in the data transportation, from the system or the program of a local computer to its peer on the other side of the network.