
State-of-the-art study of Linux-related vulnerabilities, malware and cyber-attacks

Prepared By:
Mike Sues
Michael J. Enos
Director of Business Development
Solana Networks
(613)720‐6382
www.solananetworks.com

Prepared For:
DRDC Valcartier
2459 Boulevard Pie-XI Nord, Val-Belair QC G3J 1X5

Contract Scientific Authority: Mario Couture, DRDC – Valcartier Research Centre
Contract Number: W7701-4501243894
DRDC-RDDC-2015-C254

The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015

Abstract

The objective of this work is to conduct a preliminary study of the Linux operating system’s Vulnerabilities, Malware and Cyber-Attacks (VMA). The study should yield reports providing a comprehensive list of VMAs for selected Linux distributions and software applications, a complete analysis of listed VMAs, and a repository containing all VMAs that can be found on the Internet.

Table of contents

Abstract
Table of contents
List of tables

1 Introduction

2 Red Hat Linux Vulnerabilities
2.1 Tmpwatch Arbitrary Command Execution Vulnerability
2.2 Multiple Vendor Mail Reply-To Field Vulnerability
2.3 Roaring Penguin PPPoE Denial of Service Vulnerability
2.4 Shadow-utils /etc/default Temp File Race Condition Vulnerability
2.5 Rdist /tmp File Race Condition Vulnerability
2.6 Getty_ps /tmp File Race Condition Vulnerability
2.7 Sdiff /tmp File Race Condition Vulnerability
2.8 Inn /tmp File Race Condition Vulnerability
2.9 Wu-ftpd /tmp File Race Condition Vulnerability
2.10 Gpm /tmp File Race Condition Vulnerability
2.11 Mgetty /tmp File Race Condition Vulnerability
2.12 Linuxconf /tmp File Race Condition Vulnerability
2.13 Squid /tmp File Race Condition Vulnerability
2.14 Arpwatch /tmp File Race Condition Vulnerability
2.15 Man -S Heap Overflow Vulnerability
2.16 Linux Man Malicious Cache File Creation Vulnerability
2.17 Linux Man Page Source Buffer Overflow Vulnerability
2.18 Multiple Linux Vendor Expect Insecure Library Loading Vulnerability
2.19 Multiple Linux Vendor TCLTK Unsafe Library Searching Vulnerability
2.20 Lpd Remote Command Execution via DVI Printfilter Configuration Error
2.21 PAM Authentication Execution Path Timing Information Leakage Weakness
2.22 Util-linux File Locking Race Condition Vulnerability
2.23 Unix and Unix-based select() System Call Overflow Vulnerability
2.24 ncurses TERMCAP Buffer Overflow Vulnerability
2.25 Multiple Vendor lpr Format String Vulnerability
2.26 dvips Arbitrary Command Execution Vulnerability
2.27 YPServ Remote Network Information Leakage Vulnerability
2.28 ISC BIND 9 Large RRSIG RRsets Remote Denial of Service Vulnerability
2.29 ISC BIND CVE-2014-8500 Remote Denial of Service Vulnerability
2.30 X.Org X Server CVE-2014-8101 Out of Bounds Read Multiple Remote Denial of Service Vulnerabilities
2.31 RPM CVE-2013-6435 Remote Code Execution Vulnerability
2.32 libxml2 Invalid XPath Multiple Memory Corruption Vulnerabilities
2.33 libpng Memory Corruption and Memory Leak Vulnerabilities
2.34 XML Security Library 'xslt.c' Arbitrary File Access Vulnerability
2.35 Libpng 1-bit Interlaced Images Information Disclosure Vulnerability
2.36 GNU gzip LZW Compression Remote Integer Overflow Vulnerability
2.37 Libpng Library Uninitialized Pointer Arrays Memory Corruption Vulnerabilities
2.38 Linux Kernel CVE-2014-5045 Local Privilege Escalation Vulnerability
2.39 OpenSSL CVE-2014-3470 Denial of Service Vulnerability
2.40 HawtJNI CVE-2013-2035 Local Privilege Escalation Vulnerability
2.41 Squid CVE-2014-3609 Remote Denial of Service Vulnerability
2.42 GNU glibc Multiple Integer Overflow Vulnerabilities
2.43 GNU glibc CVE-2015-0235 Remote Heap Buffer Overflow Vulnerability
2.44 OpenSSL CVE-2014-3566 Man In The Middle Information Disclosure Vulnerability
2.45 GNU Bash CVE-2014-6277 Incomplete Fix Remote Code Execution Vulnerability
2.46 Samba 'AndX' Request CVE-2012-0870 Heap Based Buffer Overflow Vulnerability
2.47 Linux Kernel ‘clock_gettime()’ Local Denial of Service Vulnerability
2.48 Red Hat Network Configuration Client Insecure File Permissions Vulnerability
2.49 GNU Bash CVE-2014-7169 Incomplete Fix Remote Code Execution Vulnerability
2.50 OpenSSL CVE-2014-0224 Man in the Middle Security Bypass Vulnerability
2.51 GNU Libtasn1 CVE-2014-3468 Remote Code Execution Vulnerability
2.52 GNU Libtasn1 'asn1_read_value_type()' Function Denial of Service Vulnerability
2.53 GNU Libtasn1 CVE-2014-3467 Multiple Denial of Service Vulnerabilities
2.54 GNU glibc Dynamic Linker '$ORIGIN' Local Privilege Escalation Vulnerability
2.55 Linux Kernel SSID Buffer Overflow Vulnerability
2.56 Xen Instruction Emulation During VM Exits Denial of Service Vulnerabilities
2.57 Linux Kernel NFS File Locking Local Denial of Service Vulnerability
2.58 Xen 'x86_64 __addr_ok()' Local Denial Of Service Vulnerability
2.59 Linux Kernel SCTP Remote Denial of Service Vulnerability
2.60 Linux Kernel '/proc/PID/io' Local Information Disclosure Vulnerability
2.61 Red Hat Enterprise Linux NFSv4 Mount Local Denial of Service Vulnerability
2.62 PCSC-Lite 'PCSCD' Daemon Unspecified Local Buffer Overflow Vulnerability
2.63 Xen 'get_free_port()' Denial of Service Vulnerability

3 Linux Firefox Vulnerabilities
3.1 Miscellaneous memory safety hazards
3.2 Miscellaneous memory safety hazards
3.3 Use after free mutating DOM during SetBody
3.4 Buffer underflow when generating CRMF requests
3.5 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
3.6 Crash during WAV audio file decoding