linux-insecurity
Differences
This shows you the differences between two versions of the page.
Previous revision | |||
— | linux-insecurity [2021-01-15 21:17:45] (current) – [Screen locking] jenda | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Linux insecurity ====== | ||
+ | |||
+ | People are often surprised when they discover that I regard Linux as an insecure operating system. Let's see why. | ||
+ | |||
+ | <note warning> | ||
+ | * exploitable applications running without sandbox | ||
+ | * fail-deadly design | ||
+ | * no privacy policy and data management | ||
+ | </ | ||
+ | |||
+ | ===== Links ===== | ||
+ | |||
+ | * https:// | ||
+ | * http:// | ||
+ | * http:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Remote code execution ===== | ||
+ | |||
+ | RCE is the worst bug that can happen to an operating system. Let's see some of the bugs that allowed attacker to execute arbitrary code on your machine. The list is not comprehensive, | ||
+ | |||
+ | I will probably stop updating this, as it is getting long, and it seems to fulfill the intended illustration purposes and it is now just copy-pasting debian-security mailing list, so subscribe that if you want further updates. | ||
+ | |||
+ | ==== Shellshock (CVE-2014-6271) ==== | ||
+ | |||
+ | Who: Anyone who can send you a DHCP offer (e.g. ISP, attacker on shared WiFi etc.) | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ==== Debian OpenSSL RNG (CVE-2008-0166) ==== | ||
+ | |||
+ | Who: anyone who can get access to your SSH public key or anyone who can try 2^14 SSH handshakes with your server. | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ==== libpng buffer overflow (CVE-2011-2690, | ||
+ | |||
+ | Who: anyone who can make you open a PNG image (webpage, e-mail, instant message avatar, file browser previews...) | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ==== p7zip buffer overflow (CVE-2015-1038) ==== | ||
+ | |||
+ | Who: anyone who can make you open a compressed file (webpage, e-mail...) | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ==== glibc getaddrinfo buffer overflow (CVE-2015-7547) ==== | ||
+ | |||
+ | Who: [[https:// | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ==== | ||
+ | |||
+ | **Other fun bugs:** | ||
+ | |||
+ | ==== FFmpeg file leak (CVE-2016-1898) ==== | ||
+ | |||
+ | Who: [[https:// | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | Remarks: This and the " | ||
+ | |||
+ | ==== OpenSSH private key leak (CVE-2016-0777) ==== | ||
+ | |||
+ | Who: [[http:// | ||
+ | |||
+ | Discoverability: | ||
+ | |||
+ | Availability: | ||
+ | |||
+ | ---- | ||
+ | |||
+ | As you can see, Linux system with a standard set of most popular applications was exploitable all the time. And as nothing has changed, I believe it is exploitable right now. Many security researchers are right now hunting for security bugs not to report them, but to sell them to blackhats, governments and companies like HackingTeam. And they are successful. | ||
+ | |||
+ | Workaround: run exploitable (read: all) applications in sandboxes. Unfortunately sandboxes are not implemented in Linux either (you can use SELinux or separate user, but you still face local privilege escalation exploits like CVE-2008-0600 and no isolation in X11 server). You can use user-friendly virtualization like QubesOS and hope there are not too many bugs like CVE-2015-3456, | ||
+ | |||
+ | ===== Bad design ===== | ||
+ | |||
+ | Several other bugs show that Linux was not designed with security in mind. What does that mean? For example in railway security, if something fails, the failure must lead into a "more secure" | ||
+ | |||
+ | Note that these bugs are given only as an example - fixing them is not a solution. They demonstrate that the entire design/ | ||
+ | |||
+ | ==== Screen locking ==== | ||
+ | |||
+ | One would expect that crash of a screen locker will lead to an ununlockable session. Nope, it leads to fully unlocked session without any password entered. | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | < | ||
+ | |||
+ | [[https:// | ||
+ | ==== Tor ==== | ||
+ | |||
+ | Another example of fail-deadly (instead of fail-safe) is configuration of Tor. This is usually done in a way that we set proxy to use it and optionally create an user/ | ||
+ | |||
+ | ==== Leaking clipboard ==== | ||
+ | |||
+ | There is absolutely no protection of the clipboard. Accidental pastes of confidential information into webpages or IRC client happen without warning. Right design would be to flag applications with various security levels and require authorization to transfer clipboard from the more secure to the less secure. | ||
+ | |||
+ | I have configured my system to automatically discard clipboard contents after two minutes. It does not completely prevent such leaks, but is sufficient in most cases. | ||
+ | |||
+ | ==== GUI disaster ==== | ||
+ | |||
+ | Okay, so let's implement a warning window. But please don't do it as a pop-up that has some default action button selected! I'm typing on the keyboard and right before I'm about to hit specebar, the popup shows. And I activate the button with spacebar without noticing what was the message! | ||
+ | |||
+ | Security timeouts like in Firefox should be present. | ||
+ | |||
+ | ==== Example: Terminator shortcuts ==== | ||
+ | |||
+ | By default, the Terminator terminal emulator has " | ||
+ | |||
+ | ==== Surprise execution of internet-downloaded scripts ==== | ||
+ | |||
+ | Another example of opaque design where user can be tricked into accidentally executing malicious code is a bug that existed in older Debian versions. Its manifestation follows: | ||
+ | |||
+ | * Download untrusted .zip file from the internet | ||
+ | * Open it in Squeeze (default archive manager) | ||
+ | * It contains several files, including python scripts. Click on one. A pop-up window appears with options [Extract] [Open] [Cancel]. | ||
+ | * Click [Open] expecting a text editor showing the source. | ||
+ | * Instead, the Python interpreter is launched and the script gets executed! Surprise!! | ||
+ | |||
+ | Another similar bug was seen being exploited in the wild: the target user was known to use Midnight Commander (mc). When file.pdf was selected and Enter pressed, the PDF viewer was launched (similar with JPG, ODT etc.). However, if the file had eXecutable bit set, pressing Enter would execute it using the system default interpreter (which would of course fail in case of a standard PDF file). So an ext2-formatted flash drive (to allow us to set permissions, | ||
+ | |||
+ | Both users affected by these bugs were long-term professional Linux users, so it's not the case of some socially-engineered BFU. | ||
+ | |||
+ | Files from untrusted sources should have a flag set. They should not be run without a warning. | ||
+ | |||
+ | ===== Privacy leakage ===== | ||
+ | |||
+ | Privacy policy and information management enforced on applications are simply missing. One would say that spying is domain of proprietary applications working for their vendor, but in Linux we see open source applications can be high-quality spies too. This can be attributed to programmers that simply don't care or in more paranoid version to intentional malice. | ||
+ | |||
+ | ==== Leaking files ==== | ||
+ | |||
+ | Let's put confidential things like RAM contents and terminal printouts to the storage! [[https:// | ||
+ | |||
+ | ==== Leaking network ==== | ||
+ | |||
+ | An application should never! send anything to the network without an explicit user consent. [[:et|This simply does not apply in Linux.]] Many, many, many popular applications are listening to the world, checking updates, sending your traffic etc. by default and sometimes even without any settings to stop! | ||
+ | |||
+ | There is no application firewall available for Linux and iptables probably don't allow you to match by executable name. | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | Workaround: run it under another user or virtual machine and firewall it. | ||
+ | |||