[+] Wayc0de's Blog[+]


13/10/11

WineHQ database hacked, passwords stolen

Summary: Malicious hackers exploit vulnerabilities in phpmyadmin to gain access to WineHQ’s database. Usernames and passwords were stolen.

Add WineHQ to the list of open-source projects struggling to contain a serious security breach.

WineHQ, which manages software that’s used to run Windows applications on Linux, BSD, Solaris and Mac OS X, confirmed the breach and warned that the intruders were able to hijack usernames and passwords.

“What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin,” according to Jeremy White of Codeweavers, a company that sells a supported version of Wine.

White said the company had “reluctantly provided access to phpmyadmin to the appdb developers” which offered a prime target for hackers.

[ Related: 'Kill tool' released for unpatched Apache server vulnerability ]

More from White’s statement:

We do not believe the attackers obtained any other form of access to the system.

On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database).

Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.

This, I’m afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.

We are going to be resetting every password and sending a private email to every affected user.

In recent months, hackers have broken into the Linux Foundation websites and the kernel.org Linux archive site.

18/09/11

Oracle issues rare out-of-band update for Apache DDoS vulnerability

Oracle, the giant enterprise database company - and, of course, owner of the erstwhile Sun Microsystems - has just published an out-of-band security update.

This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005.

The update introduces an updated version of the Apache web server, httpd, to Oracle's Fusion Middleware and Application Server products. The former product includes Apache httpd 2.2; the latter includes Apache httpd 2.0.
 
Apache httpd was recently discovered to be vulnerable to an easily-exploited denial of service attack. The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data. The flaw was exploited by sending a request for multiple parts of the same file at the same time.

(The Range feature of the HTTP protocol was intended to make it easy for web clients to restart interrupted downloads where they left off, or to permit large files to be fetched piecemeal and stitched together later. Apache httpd made it easy to misuse this feature by tolerating redundant Range requests which asked for many large and overlapping parts of a single file.)

Oracle doesn't say on its public-facing web pages exactly how it patched the flawed Apache versions in its products.

The Apache Software Foundation has actually issued two official patches for httpd 2.2 relevant to the so-called byte-range flaw. Version 2.2.20 came out at the end of August, but that patch was recently superseded by 2.2.21, which is in effect a patch for the 2.2.20 patch. Apache describes 2.2.21 as "[including] fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive."

It's not clear whether Oracle's out-of-band fix includes the patch-to-the-patch, which appeared only three days ago.

And the previous official Apache httpd version, 2.0, hasn't been patched since May, when 2.0.64 came out. Oracle, one assumes, has done its own back-port of the fix it applied to 2.2.

The fact that a patch-to-the-patch was necessary will no doubt cause more conservative IT administrators to say, "See. I told you that patches should never be rushed."

In this case, however, I consider the glass half-full, not half-empty. I'd argue that the first patch greatly improved the situation, despite being imperfect. The second patch simply improved the improvement further.

However conservative you might be, if you're an Oracle user, this patch is definitely recommended in a hurry. The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, "Importance."

As Oracle itself points out, in bold characters:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible."

Sysadmins, there you have it. A little something for the weekend!

nb : nakedsecurity.sophos

15/09/11

Apache Releases Version 2.2.21 With New Fix For Range Header Flaw

Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw.

Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability.

The new version of Apache includes "further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive," the Apache statement says.

The severity and validity of the bug was under debate for a while on Full Disclosure and other security lists, with many people pointing out that Michal Zalewski had surfaced the same issue several years earlier. However, Apache didn't fix the issue then, but did so last month after Kingcope published his research on a similar variant of the problem.

"This vulnerability concerns a 'Denial of Service' attack. This means that a remote attacker, under the right circumstances, is able to slow your service or server down to a crawl or exhausting memory available to serve requests, leaving it unable to serve legitimate clients in a timely manner. There are no indications that this leads to a remote exploit; where a third party can compromise your security and gain foothold of the server itself. The result of this vulnerability is purely one of denying service by grinding your server down to a halt and refusing additional connections to the server," Apache's latest advisory says.

Apache 2.2.21 also includes a fix for a second vulnerability, CVE-2011-3348, which is a separate denial-of-service flaw.

nb : threatpost

07/09/11

Solutions Now Available for Apache Killer

If you are a frequent reader of this blog, you are more or less already familiar with denial-of-service (DoS) attacks. Such an attack typically targets a specific system or server and “floods” it with traffic in order to prevent legitimate users from accessing the information or service.

This time around, we have observed a DoS attack that exploits a specific vulnerability, which differs from the usual DoS methods. Denial-of-service attacks are typically carried out by flooding the target site with traffic (SYN flood, UDP flood, ICMP flood). What makes this attack noteworthy is that it does not require a great amount of traffic: all the attacker has to do is send a specially crafted HTTP request and the site is rendered inaccessible.

We recently did a deeper analysis of the vulnerability (CVE-2011-3192) found in certain versions of Apache HTTP Server, which allows a remote attacker to conduct a denial-of-service attack by sending a small HTTP request.

The vulnerability exists in the byterange filter in Apache HTTP Server 1.3.x, 2.0.x through 2.0.64 and 2.2.x through 2.2.19. It can be exploited with a Range header that expresses multiple overlapping ranges. A proof-of-concept exploit abusing this vulnerability was published in August. A tool that conducts DoS attacks by exploiting this vulnerability was later created and dubbed “Apache Killer”. Apache patched this security hole last week.

A typical attack scenario exploiting this vulnerability involves the attacker sending the Apache server an HTTP request whose Range header lists a large number of byte ranges.


Once the server receives such a request, it creates a bucket for each range in the crafted Range header and inserts it into the bucket brigade. With many ranges this drives memory consumption up and, eventually, results in denial of service.
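The three articles above describe the same abuse pattern from different angles: a Range header asking for many large, overlapping parts of one file, which Apache httpd 2.2.21 later limited through its MaxRanges directive. The following is an added example, not code from the original posts, from Apache httpd, or from any vendor quoted here. It parses a Range header the way a front-end filter or log-analysis job might, counts the ranges, and flags overlapping ones so that such a request can be served without honouring the header. The limit MAX_RANGES, the verdict names and the sample headers are all assumptions constructed for this example.

```python
"""
Added example: a defensive check for the Range header pattern behind
CVE-2011-3192. Not code from Apache httpd or from the articles' authors.
"""
import re
from dataclasses import dataclass

MAX_RANGES = 5  # assumed policy limit for this example, in the spirit of MaxRanges

# One byte-range-spec: "first-last", "first-" or "-suffix"
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


@dataclass(frozen=True)
class RangeVerdict:
    action: str        # "serve", "reject" (malformed/unsatisfiable, i.e. a 416) or "block"
    reason: str
    count: int = 0
    overlapping: int = 0


def parse_ranges(header, content_length):
    """Turn a Range header into inclusive (start, end) pairs for a resource of
    content_length bytes. Raises ValueError on malformed or unsatisfiable specs."""
    if not header.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            raise ValueError(f"malformed range spec {spec!r}")
        first, last = m.groups()
        if first == "" and last == "":
            raise ValueError("empty range spec")
        if first == "":                          # "-suffix": the last N bytes
            suffix = int(last)
            if suffix == 0:
                raise ValueError("zero-length suffix range")
            start, end = max(content_length - suffix, 0), content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            if start >= content_length:
                raise ValueError(f"range {spec!r} starts past end of resource")
            if end < start:
                raise ValueError(f"range {spec!r} ends before it starts")
            end = min(end, content_length - 1)
        ranges.append((start, end))
    return ranges


def count_overlaps(ranges):
    """Count adjacent pairs (after sorting by start) that overlap. This is a
    lower bound on the number of overlapping ranges, but it is zero exactly
    when no two ranges overlap, which is all the verdict needs."""
    ordered = sorted(ranges)
    return sum(1 for (_, a_end), (b_start, _) in zip(ordered, ordered[1:])
               if b_start <= a_end)


def assess_range_header(header, content_length, max_ranges=MAX_RANGES):
    """Decide whether to honour a Range header. A resumable-download client
    sends one range or a few disjoint ones; many ranges, or any overlap, is
    the abuse pattern and the header should be dropped (serve the whole file)."""
    try:
        ranges = parse_ranges(header, content_length)
    except ValueError as exc:
        return RangeVerdict("reject", str(exc))
    count = len(ranges)
    if count > max_ranges:
        return RangeVerdict("block", f"{count} ranges exceeds limit {max_ranges}", count)
    overlaps = count_overlaps(ranges)
    if overlaps:
        return RangeVerdict("block", f"{overlaps} overlapping range pairs", count, overlaps)
    return RangeVerdict("serve", "ok", count)


# Constructed sample headers: two legitimate ones and one modelled on the
# "many overlapping parts of one file" pattern the articles describe.
BENIGN_RESUME = "bytes=4096-"
BENIGN_MULTI = "bytes=0-499,1000-1499"
ABUSIVE_OVERLAP = "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 25))

if __name__ == "__main__":
    for h in (BENIGN_RESUME, BENIGN_MULTI, ABUSIVE_OVERLAP):
        print(assess_range_header(h, content_length=10_000))
```

A "reject" verdict is the ordinary HTTP 416 case (a client resuming a file that has since shrunk, for instance) and is not evidence of abuse; only "block" is. Dropping the Range header and serving the full body is the safe fallback, because a client that genuinely needed partial content still gets a correct response.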


Web administrators using Apache HTTP Server are advised to apply the patch as soon as possible. And while patch management for vulnerability remediation can be a painful exercise for IT departments, Trend Micro Deep Security shields systems from threats that may leverage vulnerabilities in systems until a patch is available and deployed. Trend Micro provides protection against threats leveraging this vulnerability through Deep Security, specifically rule VSU11-026 (1004782 – Apache httpd Range Header Remote Denial Of Service).

nb : trendmicro

NSA extends label-based security to big data stores

The U.S. National Security Agency is submitting a database it has developed for Apache open source development

The National Security Agency has submitted new label-based data store software, called Accumulo, to the Apache Software Foundation, in hopes that other parties will further develop the technology for use in secure systems.

"There is a need for a flexible, high performance distributed key/value store that provides expressive, fine-grained access labels," the developers stated on the proposal page submitted to Apache. "We have made much progress in developing this project over the past [three] years and believe both the project and the interested communities would benefit from this work being openly available and having open development."


Based on Google's BigTable design, Accumulo is a simple key/value data store: providing the system with a key returns the data associated with that key. Because of its distributed design, Accumulo can run across multiple servers, making it a candidate for use in big data systems.

Plenty of NoSQL-based key/value data stores already exist, such as Cassandra and HBase. What sets Accumulo apart is the ability to tag each data cell with a label. Each key has a section called column visibility, which can store labels. The labels could be used to allow fine-grained access to the data, where an external server may access some cells of the data store, but not others, based on policy rules set in place and defined by a set of labels.

"The access labels in Accumulo do not in themselves provide a complete security solution, but are a mechanism for labeling each piece of data with the authorizations that are necessary to see it," the proposal stated.
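To make the label mechanism concrete, here is an added example of how a column-visibility string is evaluated against the authorizations a scanner holds. It is not code from Accumulo or from the NSA proposal; the grammar (labels joined by & and |, grouped with parentheses, with mixed operators requiring parentheses) follows Accumulo's documented visibility syntax, while the parser, the scan helper and the sample cells and labels are constructed for this example.

```python
"""
Added example: evaluating cell-level visibility labels against a set of
authorizations. Not Accumulo's own code; the expression grammar is modelled
on its documented syntax, everything else is an illustration.
"""
import re

TOKEN = re.compile(r"\s*(?:([A-Za-z0-9_\-:./]+)|([&|()]))")
OPERATORS = ("&", "|")


class VisibilityError(ValueError):
    """A visibility string that does not parse; such a cell must stay hidden."""


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise VisibilityError(f"bad character near {expr[pos:pos + 5]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def _parse_group(tokens, i):
    """Parse one group (until ')' or end of input). Mixing & and | inside a
    group without parentheses is rejected, so precedence is never ambiguous."""
    operands, op = [], None
    while True:
        if i >= len(tokens):
            raise VisibilityError("unexpected end of expression")
        tok = tokens[i]
        if tok == "(":
            node, i = _parse_group(tokens, i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise VisibilityError("missing ')'")
            i += 1
        elif tok in OPERATORS or tok == ")":
            raise VisibilityError(f"unexpected {tok!r}")
        else:
            node, i = ("label", tok), i + 1
        operands.append(node)
        if i < len(tokens) and tokens[i] in OPERATORS:
            if op is not None and tokens[i] != op:
                raise VisibilityError("mixing & and | requires parentheses")
            op, i = tokens[i], i + 1
            continue
        return (operands[0] if op is None else (op, tuple(operands))), i


def parse_visibility(expr):
    expr = expr.strip()
    if not expr:
        return None               # empty visibility: the cell is visible to every scanner
    tokens = tokenize(expr)
    node, i = _parse_group(tokens, 0)
    if i != len(tokens):
        raise VisibilityError("unbalanced ')'")
    return node


def is_visible(expr, authorizations):
    """True if a cell labelled `expr` may be returned to a scanner that holds
    `authorizations` (a set of label strings granted to that user)."""
    auths = frozenset(authorizations)

    def ev(node):
        if node is None:
            return True
        kind, body = node
        if kind == "label":
            return body in auths
        return (all if kind == "&" else any)(ev(n) for n in body)

    return ev(parse_visibility(expr))


def scan(cells, authorizations):
    """Filter constructed (key, visibility, value) cells the way a scan would:
    cells whose visibility does not evaluate to true are never returned."""
    return [(key, value) for key, vis, value in cells if is_visible(vis, authorizations)]


# Constructed sample cells; keys, labels and values are invented for this example.
SAMPLE_CELLS = [
    ("patient:1001/name",      "",                       "J. Example"),
    ("patient:1001/diagnosis", "medical&(doctor|nurse)", "[redacted]"),
    ("patient:1001/billing",   "billing|admin",          "EUR 120"),
    ("patient:1001/notes",     "(medical&doctor)|admin", "[redacted]"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_CELLS, {"medical", "nurse"}))
```

The labels do what the proposal says and no more: they decide which cells a scan returns, given a set of authorizations. The authorizations themselves have to come from the server's own record of what that user was granted, never from a value the client asserts, and an unparseable label must fail closed, which is why the evaluator raises rather than returning a default.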

Such label-based data storage could be the basis of secure data store-based systems, ones that could be used by health care, government agencies, and other parties with stringent security and privacy requirements, the developers state.

NSA's label-based approach to security resembles another open source project NSA developed and released in 2000, called SE Linux (Security Enhanced Linux). With SE Linux, administrators can create policies that dictate, in fine-grained detail, what actions each program on a computer can execute. Red Hat has integrated SE Linux into its Red Hat Enterprise Linux distribution.

The software has already attracted "hundreds of developers" using the database, primarily within the NSA, according to the agency. The software itself has about 200,000 lines of code, mostly Java. In addition to the code, NSA pledges to post examples, documentation, and training materials on the Apache site.

The agency wants to build a wider base of both contributors and users.

The Apache Incubator is the entry point for new projects that developers hope to have Apache manage. Accumulo runs on top of a number of other Apache programs, namely the Hadoop distributed data platform, the Zookeeper distributed application configuration manager, and the Thrift services development tool.

nb : infoworld