Fedora and "strong" passwords
February 4, 2015
Passwords are an ever-present annoyance when dealing with computers. Because they may need to be typed frequently, there is a tendency toward making them simple, but that has a large impact on the security provided by the password. Forcing users to provide "strong" passwords at install time, both for root and normal users, makes sense to some from a security perspective. To others, however, it is paternalistic and doesn't take into account users' knowledge of the risks the system will be exposed to. That debate is currently playing out in the Fedora community.
The debate flared up most recently on the fedora-test mailing list, but its roots go back further than that. The underlying problem is that the SSH daemon (sshd) is enabled after the Anaconda installer runs. It is configured such that root logins are permitted using a password, so any internet-accessible system could have its root password guessed in a brute-force attack. One way to reduce the chances of that is to enforce setting a stronger root password.
Currently, Anaconda complains if a "weak" password is entered, but the installing user can click twice to confirm and use such a password. However, Anaconda developer Brian C. Lane notified testers on January 28 that Anaconda would no longer accept weak passwords and those less than eight characters long.
And on the bright side, you don't have to click done twice anymore :)
That change was driven by a suggestion to turn off root login over SSH by Prasad J. Pandit (aka P J P) back in November on the fedora-devel mailing list. In that discussion, the idea was largely met with approval, though some were not convinced that doing so really provided much in the way of added security. There was also talk of ways to get a user's SSH key added to the install, so that instead of blocking all root logins, it would only block password-based logins.
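As an added illustration (not code from Fedora, Anaconda or OpenSSH), the following Python rewrites the `PermitRootLogin` directive in an sshd_config text so that root can still log in with a key but not with a password, which is the middle ground described above. The sample configuration is constructed for the example, the function names are this example's own, and it assumes a plain configuration without `Match` blocks and with whitespace-separated keywords.

```python
"""Switch sshd's PermitRootLogin to key-only root logins in an sshd_config text.

Added example for this page; it is not Fedora's, Anaconda's or OpenSSH's code.
"""
import re

# Constructed sshd_config fragment resembling a fresh install, where the
# directive appears only as a commented-out statement of the default.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Keywords in sshd_config are case-insensitive; arguments are not.
# This matches both an active directive and a commented-out one.
_DIRECTIVE = re.compile(r"^\s*#?\s*PermitRootLogin\b", re.IGNORECASE)

# Values OpenSSH accepts for the keyword. 'without-password' refuses password
# logins for root while still allowing keys; 'prohibit-password' is the
# synonym added in later OpenSSH releases.
ALLOWED_VALUES = {"yes", "no", "without-password", "prohibit-password",
                  "forced-commands-only"}


def set_permit_root_login(config_text: str, value: str) -> str:
    """Return config_text with exactly one active 'PermitRootLogin <value>'.

    The first existing occurrence (active or commented) is replaced in place,
    later duplicates are dropped, and the directive is appended if absent.
    """
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unsupported PermitRootLogin value: {value!r}")
    lines = config_text.splitlines()
    if any(line.strip().lower().startswith("match") for line in lines):
        # Directives inside a Match block apply conditionally; rewriting them
        # blindly could change more than intended, so refuse rather than guess.
        raise ValueError("config contains Match blocks; edit it by hand")
    new_line = f"PermitRootLogin {value}"
    out, done = [], False
    for line in lines:
        if _DIRECTIVE.match(line):
            if not done:
                out.append(new_line)
                done = True
            # sshd honours only the first active occurrence of a keyword, so a
            # later duplicate would be silently ignored anyway; drop it.
            continue
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def effective_permit_root_login(config_text: str) -> str:
    """Value sshd would use: the first active directive, otherwise the
    compiled-in default, which was 'yes' in the OpenSSH releases of the time."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip()
    return "yes"


if __name__ == "__main__":
    hardened = set_permit_root_login(SAMPLE_CONFIG, "without-password")
    print(hardened)
    print("before:", effective_permit_root_login(SAMPLE_CONFIG))
    print("after: ", effective_permit_root_login(hardened))
```

Note that `PasswordAuthentication` is left untouched: the change only affects root, which is exactly the scope of the proposal, and ordinary accounts with weak passwords remain reachable, which is the complaint raised in the next paragraph.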
But there were also complaints that root is not the only user affected by brute force password-guessing attacks. Other accounts may not be as obvious, but if they have weak passwords, they can easily fall prey as well. Forcing installing users to create a user account that could be used for SSH purposes if root access were disabled was also seen as suboptimal. There are plenty of use cases where local user accounts are not needed or wanted.
Pandit created a Fedora feature page for the change, which was originally targeted for Fedora 22. When Fedora program manager Jaroslav Reznik brought up the change on fedora-devel in early January, though, there was considerably more dissension. As Stephen Gallagher pointed out, disabling root login over ssh may make sense for workstations, but doesn't for (typically headless) servers. Others, of course, disagreed.
A summary of the arguments for and against was posted by Pandit, but seemingly didn't change any minds. Part of the problem is that the proposal has a larger scope than simply changing the default value for the "PermitRootLogin" sshd configuration parameter. In fact, it looks at two different ways to solve the problem and makes assumptions about changes that will be made in Anaconda to support the feature, but doesn't really make them explicit. That is not really the right way to get changes into Fedora, as Adam Williamson explained:
In a project like Fedora, it doesn't always work out well to do things the way this Change seems to be going: think of one change you want to do, write up a Change for it, realize that lots of other things would have to be done to make the change viable, and just write those things into the Change as bullet points, and assume that somehow they'll be made to happen if the change is approved.
So, Pandit took the issue to the Anaconda mailing list. The discussion there quickly turned to the password-strength requirement in the installer. The idea of turning off password-based SSH logins is popular, but there is no mechanism to provide a key to Anaconda as part of the installation process. So Lane suggested the change to require longer and stronger (as measured by libpwquality) passwords.
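To make the policy concrete, here is an added Python example (not Anaconda's or libpwquality's code) of an install-time check that enforces the eight-character minimum and refuses a few obviously weak patterns, together with a generator for throwaway test passwords along the lines of what pwgen produces. The weak-password heuristics and the small common-password list are this example's own constructions; they only approximate libpwquality's dictionary lookup and scoring.

```python
"""Install-time password policy check, approximating the one the article describes.

Added example for this page; it is not Anaconda's or libpwquality's code.
"""
import math
import secrets
import string

MIN_LENGTH = 8   # the new minimum length the article reports for Anaconda

# Constructed stand-in for the cracklib dictionary libpwquality consults;
# the real dictionary is vastly larger.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "12345678", "qwerty", "letmein",
    "fedora", "redhat", "iloveyou", "admin123",
}

# Alphabet size contributed by each character class, for a crude bit estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def present_classes(pw: str) -> set:
    """Return the set of character classes used in pw."""
    present = set()
    for c in pw:
        if c in string.ascii_lowercase:
            present.add("lower")
        elif c in string.ascii_uppercase:
            present.add("upper")
        elif c in string.digits:
            present.add("digit")
        else:
            present.add("other")
    return present


def is_sequence(pw: str) -> bool:
    """True when every step is +1 or every step is -1 in code-point order
    (e.g. 'abcdefgh' or '87654321')."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def longest_repeat(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def estimate_bits(pw: str) -> float:
    """Crude strength estimate: length times log2 of the alphabet implied
    by the classes in use. It ignores structure, so it is an upper bound."""
    alphabet = sum(CLASS_SIZES[k] for k in present_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str):
    """Return (accepted, reason). The ordering matters: cheap, decisive
    rejections come first, the class check last."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "matches a common password"
    if is_sequence(pw):
        return False, "simple character sequence"
    if longest_repeat(pw) >= 4:
        return False, "four or more repeated characters in a row"
    if len(present_classes(pw)) < 2:
        return False, "uses only one character class"
    return True, f"accepted ({estimate_bits(pw):.0f} bits estimated)"


def generate_password(length: int = 12) -> str:
    """Generate a throwaway password that passes check_password, using the
    secrets module (CSPRNG). One char from each pool guarantees three classes."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    if length < max(MIN_LENGTH, len(pools)):
        raise ValueError("length too short for the policy")
    alphabet = "".join(pools)
    rng = secrets.SystemRandom()
    for _ in range(100):
        chars = [secrets.choice(p) for p in pools]
        chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if check_password(candidate)[0]:
            return candidate
    raise RuntimeError("could not generate an acceptable password")


if __name__ == "__main__":
    for sample in ("12345", "abcdefgh", "fedoraqa", "Tr0ub4dor&3", generate_password()):
        print(f"{sample!r:16} -> {check_password(sample)}")
```

The bit estimate is deliberately labelled crude: it treats every character as independent, so a dictionary word with a digit appended scores far higher than its real resistance to a guessing attack, which is why the dictionary and pattern checks run before it rather than being folded into a single score.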
Some were willing to live with the change, even though they may do many installs for testing purposes, but others were not so sure. Williamson, who is part of Fedora Quality Assurance (QA), complained that it would make his job harder:
Chris Murphy piled on: "I dislike this feature so much I'd rather read of some small corner of the Internet [burning] because one of our users had too much gin one night while configuring Fedora, used 12345 as their root password, and the computer was made part of a giant botnet overnight." Murphy suggested that "baby sitting" users who choose not to set a strong password is not appropriate.
In what seems like a unilateral decision, though, Lane described the change, shortly before notifying the testers that Anaconda would be changing. He also had a suggestion for those who would be affected:
Instead I propose that we increase our minimum password length to 8 characters, and disallow weak passwords. The initial pain of creating a throw-away password for your vm can be mitigated by running pwgen and writing down a nice looking one on a sticky note :)
Lane's suggestion, which runs counter to password best practices, only solves part of the problem, though. Even if someone generates a throwaway password to put on their sticky note, they may have to type it in many, many times. As Williamson put it:
So far at least, though, the Anaconda change seems to be here to stay. The notification mail set off some howls of discontent (which Williamson worked hard to tamp down) in the fedora-test mailing list. It seems possible that the whole issue will end up on Fedora Engineering Steering Committee's (FESCo's) plate at some point in the near future.
Pandit has pushed the SSH configuration change back to Fedora 23 because the user interface (UI) changes in Anaconda can't be done in the time frame needed for Fedora 22. There has been discussion of providing a way for installing users to enable root SSH logins from the Anaconda UI, but that is still a ways off. The feature also still needs to pass FESCo muster.
Providing better default security for new and/or non-savvy users is certainly a good thing. But not allowing more technical users to knowingly bypass those measures is sure to irritate them. Erecting barriers (or speed bumps) in the way of more testing seems a bit short-sighted as well. While stronger passwords do provide a measurable increase in the security of the system, it would seem that some accommodation for those who want to avoid those requirements could be made.
Brief items
Security quotes of the week
In contrast in crypto it's "Use ECC!" / "No, use RSA with an 8K key!" / "No, use AES-GCM!" / "No, use Poly1305-AES" / "No, use ECC but only with My Pet Curve!" / "No, use Ed25519" / "Camellia! Gost! Twofish! SEED! LIONs and Tigers and BEARs, oh my!", ignoring the fact that an attacker won't care what you do since they're exploiting a buffer overflow in some ancillary support library that you don't even know exists.
New vulnerabilities
bugzilla: command injection
| Package(s): | bugzilla | CVE #(s): | CVE-2014-8630 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | February 16, 2015 |
| Description: | From the Mageia advisory: Some code in Bugzilla does not properly utilize the 3-argument form of open() and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes. | | |
clamav: heap overflow
| Package(s): | clamav | CVE #(s): | CVE-2014-9328 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | February 13, 2015 |
| Description: | From the ClamAV 0.98.6 release announcement: Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. | | |
drupal7-context: open redirect
| Package(s): | drupal7-context | CVE #(s): | CVE-2015-1051 |
|---|---|---|---|
| Created: | January 29, 2015 | Updated: | February 4, 2015 |
| Description: | From the Red Hat bugzilla entry: It was reported that Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby leading to an Open Redirect vulnerability. This vulnerability is mitigated by the fact that the victim must have the permission "administer contexts" and that Context UI module must be enabled. | | |
hivex: privilege escalation
| Package(s): | hivex | CVE #(s): | CVE-2014-9273 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | August 4, 2015 |
| Description: | From the CVE entry: lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via small hive files, which trigger an out-of-bounds read or write. | | |
java: unspecified vulnerability
| Package(s): | java-1_7_0-openjdk | CVE #(s): | CVE-2015-0400 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | February 4, 2015 |
| Description: | From the CVE entry: Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. | | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2014-7822 |
|---|---|---|---|
| Created: | January 29, 2015 | Updated: | February 11, 2015 |
| Description: | From the Red Hat advisory: A flaw was found in the way the Linux kernel's splice() system call validated its parameters. On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system. (CVE-2014-7822, Moderate) | | |
krb5: multiple vulnerabilities
| Package(s): | krb5 | CVE #(s): | CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423 |
|---|---|---|---|
| Created: | February 4, 2015 | Updated: | March 9, 2015 |
| Description: | From the Debian advisory: Multiple vulnerabilities have been found in krb5, the MIT implementation of Kerberos. CVE-2014-5352: Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code. CVE-2014-9421: Incorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code. CVE-2014-9422: Incorrect processing of two-component server principals might result in impersonation attacks. CVE-2014-9423: An information leak in the libgssrpc library. | | |
libmspack: denial of service
| Package(s): | libmspack | CVE #(s): | CVE-2014-9556 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | March 16, 2015 |
| Description: | From the SUSE bugzilla: Jakub Wilk originally reported to the Debian BTS a problem with cabextract on a specially crafted cab file, causing cabextract to hang forever. The problem is actually in the embedded copy of libmspack, see [1]. Libmspack, a library to provide compression and decompression of some file formats used by Microsoft, is used in many projects (or embedded there, as in ClamAV). This issue can cause a remotely exploitable denial-of-service condition due to a clamav thread hanging forever while scanning the file. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773041 | | |
libvirt: information leak
| Package(s): | libvirt | CVE #(s): | CVE-2015-0236 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | February 17, 2015 |
| Description: | From the CVE entry: libvirt before 1.2.12 allows remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface. | | |
mariadb: unspecified vulnerability
| Package(s): | mariadb mysql | CVE #(s): | CVE-2015-0391 |
|---|---|---|---|
| Created: | February 4, 2015 | Updated: | August 20, 2015 |
| Description: | From the CVE entry: Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. | | |
patch: multiple vulnerabilities
| Package(s): | patch | CVE #(s): | CVE-2014-9637 CVE-2015-1196 CVE-2015-1395 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | April 6, 2015 |
| Description: | From the Red Hat bugzilla: CVE-2014-9637: It was reported that a crafted diff file (attached) can make patch eat memory and later segfault. CVE-2015-1395: It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. CVE-2015-1196: From the CVE entry: GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. | | |
rubygem-passenger: insecure use of temporary files
| Package(s): | rubygem-passenger | CVE #(s): | CVE-2014-1831 CVE-2014-1832 |
|---|---|---|---|
| Created: | February 3, 2015 | Updated: | February 4, 2015 |
| Description: | From the Red Hat bugzilla: An upstream commit to the Passenger rubygem indicated that versions 4.0.5 and later are affected by a temporary file flaw described as follows: "Phusion Passenger creates a "server instance directory" in /tmp during startup, which is a temporary directory that Phusion Passenger uses to store working files. This directory is deleted after Phusion Passenger exits. For various technical reasons, this directory must have a semi-predictable filename. If a local attacker can predict this filename, and precreates a symlink with the same filename that points to an arbitrary directory with mode 755, owner root and group root, then the attacker will succeed in making Phusion Passenger write files and create subdirectories inside that target directory. The following files/subdirectories are created: `control_process.pid`. If you happen to have a file inside the target directory called `control_process.pid`, then that file's contents are overwritten. These files and directories are deleted during Phusion Passenger exit. The target directory itself is not deleted, nor are any other contents inside the target directory, although the symlink is." It is fixed in upstream version 4.0.33. | | |
thunderbird: code execution
| Package(s): | thunderbird | CVE #(s): | CVE-2014-8635 |
|---|---|---|---|
| Created: | January 30, 2015 | Updated: | February 4, 2015 |
| Description: | From the CVE entry: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | | |
unzip: unspecified impact
| Package(s): | unzip | CVE #(s): | CVE-2014-9636 |
|---|---|---|---|
| Created: | January 29, 2015 | Updated: | March 29, 2015 |
| Description: | From the Red Hat bugzilla entry: It was reported that OOB access (both read and write) issues exist in test_compr_eb (extract.c) that can result in application crash or other unspecified impact. This vulnerability can be triggered via crafted zip archives with extra fields that advertise STORED method compression (i.e. no compression) and have uncompressed field sizes smaller than the corresponding compressed field sizes. | | |
virtualbox: two largely unspecified denial of service flaws
| Package(s): | virtualbox | CVE #(s): | CVE-2015-0377 CVE-2015-0418 |
|---|---|---|---|
| Created: | January 29, 2015 | Updated: | February 4, 2015 |
| Description: | From the Debian advisory: Two vulnerabilities have been discovered in VirtualBox, an x86 virtualisation solution, which might result in denial of service. | | |
vlc: multiple vulnerabilities
| Package(s): | vlc | CVE #(s): | CVE-2014-9625 CVE-2014-9626 CVE-2014-9627 CVE-2014-9628 CVE-2014-9629 CVE-2014-9630 |
|---|---|---|---|
| Created: | February 2, 2015 | Updated: | February 4, 2015 |
| Description: | From the Debian and SUSE advisories: CVE-2014-9625: On 32 bit builds, parsing of update status files with a size of 4294967295 or more leads to an integer truncation in a call to malloc and a subsequent buffer overflow. CVE-2014-9626: The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible integer underflow when using this length value in a call to memcpy(). This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files. CVE-2014-9627: The MP4 demuxer, when parsing string boxes, did not properly check that the conversion of the box length from 64bit integer to 32bit integer on 32bit platforms did not cause a truncation, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files. CVE-2014-9628: The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files. CVE-2014-9629: The Dirac and Schroedinger encoders did not properly check for an integer overflow on 32bit platforms, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution. | | |
vorbis-tools: denial of service
| Package(s): | vorbis-tools | CVE #(s): | CVE-2014-9640 |
|---|---|---|---|
| Created: | January 30, 2015 | Updated: | February 9, 2015 |
| Description: | From the CVE entry: oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file. | | |
Page editor: Jake Edge