uncompiled.com

The Defense Information Systems Agency, an agency that’s already among the government leaders in cloud computing, is considering offering platform-as-a-service to other military agencies to complement the infrastructure-as-a-service that it already offers via its Rapid Access Computing Environment (RACE) private cloud.

Today, the PaaS offering is an early-stage pilot designed to meet a request from the Air Force, but a broader pilot is forthcoming. “The Air Force came to us and said, we not only want you to manage the infrastructure, but also the middleware,” Alfred Rivera, DISA’s director of computing services, said in a speech Wednesday at DISA’s Customer and Industry Forum in Washington, D.C.

As part of the PaaS offering, DISA would not just provide the servers themselves, but also the operating system stack and all support services below the application layer, including patching and managing the IT infrastructure.

More broadly, this new PaaS pilot is only one of several cloud computing and shared service projects DISA has in the works. There’s also a planned Microsoft SharePoint 2010 deployment, virtualized web-based versions of Microsoft Office apps hosted in DISA’s cloud, and a number of other services on the way. For example, Rivera said that DISA is also considering ways that it could potentially manage applications that don’t even necessarily reside in DISA data centers — IT service management as a service, he called it.

DISA’s VOffice pilot, disclosed earlier this summer, is now up to 1,000 users who have access to web-based versions of Microsoft Word, PowerPoint, Excel, and OneNote hosted in DISA’s cloud. It’s an effort that’s drawn the interest of the office of the Secretary of Defense, and will go into production in January, Rivera said.

The agency also plans to offer SharePoint as a service to other military agencies, with deployment of SharePoint 2010 slated to begin in January 2011.

RACE is also due for some upgrades and improvements, Rivera said. Deployment on the Department of Defense’s classified SIPRNet — which has seen a lot of demand, according to Rivera — is slated to begin by the end of September. Also coming are refinements to the RACE portal, integration with DISA’s configuration management system, and some automated security accreditation processes.

Eventually, DISA could even begin offering its services outside the Department of Defense. According to Rivera, DISA has had related discussions with the inter-agency Cloud Computing Advisory Council and agencies like the Department of State to discuss the possibilities, but for now, RACE’s access-control mechanism, which requires a military smartcard, remains a barrier.

DISA’s cloud push isn’t over, by a long shot. “We’re in the beginning stages, but this certainly allows you to move toward leveraging technology and processing speed without having to build the network and the infrastructure yourself,” DISA director Lt. Gen. Carroll Pollett said in an interview.

Source

Cyber terrorists have a number of ways to mount a major cyber attack on U.S. Internet infrastructure due to the general instability of its base, the director of the agency in charge of protecting the federal government’s IT network said Wednesday.

“With decades of IT infrastructure built to support changing technologies, there is little ability to baseline the entire infrastructure within the United States,” said Randy Vickers, director of the United States Computer Emergency Readiness Team (US-CERT), in an interview Wednesday. “This variety of platforms and applications provides many possible vectors by which to attack infrastructure.”

Vickers is scheduled to join other IT leaders from government agencies for a panel to discuss the threat of cyber war and how to deter it at the Black Hat security conference in Las Vegas on Thursday.

US-CERT is a division of the Department of Homeland Security (DHS) responsible for responding to and defending against cyber attacks for the federal government’s IT infrastructure. It also is in charge of sharing information and collaborating with state and local governments as well as the private sector to protect critical infrastructure in the U.S.

Vickers said that critical infrastructure is not likely to become less prone to attacks anytime soon. He cited ongoing changes in the IT landscape — such as cloud computing and an increasingly mobile workforce — as conditions that only open up infrastructure to more threats.

“The environment is only going to increase in complexity, and as more threat capabilities are developed the risk to our information infrastructure that we are so heavily dependent upon also increases,” he said.

To achieve its goal to keep an eye on federal networks, the DHS is currently deploying an intrusion-detection and security system called EINSTEIN 2, Vickers said. The system is currently operational at 12 of 19 federal agencies, providing US-CERT with, on average, visibility into more than 278,000 indicators of potentially malicious activity per month, he said.

EINSTEIN 2 should be fully deployed at the federal government by the end of the year, after which the DHS will take security to the next level with EINSTEIN 3, Vickers said.

EINSTEIN 3, developed by the National Security Agency, is the third phase of the Comprehensive National Cybersecurity Initiative (CNCI), and will provide intrusion prevention on top of EINSTEIN 2′s intrusion-detection capability, he said. The first phase of the system — EINSTEIN 1 — is currently in deployment as system that gathers information about network traffic.

US-CERT first revealed details about EINSTEIN 3 in March. At the time, the DHS said the system will do real-time, deep packet inspection and make decisions based on threats by examining network traffic at the edge of federal agency networks.

This activity will redirect agency Internet traffic to DHS cybersecurity systems, which will determine which traffic might be associated with cyber threats and how to respond, they said. The DHS worked with a commercial Internet service provider to do a test deployment of EINSTEIN 3 earlier this year. Vickers said these types of private-public partnerships will continue as the federal government continues to work to secure its network infrastructure against cyber attacks.

“At the end of the day, the architecture for the dot-gov’s cyber perimeter defense will be hybrid of government and private technologies,” he said.

Source

LAS VEGAS–A security researcher has found a slew of fundamental problems with the way that modern browsers are designed and built, leading to serious questions about the security of these applications and the way that they handle SSL sessions.

The research, done by Robert Hansen of SecTheory, shows that browsers such as Firefox, Internet Explorer and Chrome have a number of architectural problems that can essentially negate the security that SSL is meant to provide for sensitive Web transactions. The techniques that Hansen has developed, which he demonstrated at the Black Hat conference here Thursday, give an attacker the ability to do any number of nasty things to a target machine, including forcing the download of an executable file, overwriting the URL field in the browser and overwrite secure HTTPS cookies with non-secure cookies.

In all, Hansen found 24 problems before he decided to stop looking. “I had basically had to stop the research because there were just too many issues. I didn’t have time to deal with anymore,” Hansen said.

A big part of the problem, Hansen said in an interview, is that browsers don’t enforce policies that would isolate the tabs in an open browser from one another. This allows an attacker who can control one of the tabs, say a normal non-SSL session, to also affect content in the other tabs, even if they’re using SSL. Hansen identified several techniques that enable him to watch an SSL-protected session and glean a lot of information about what the user is doing, based on timing certain parts of the Web session and knowing how long it takes for part of a site to load. He also can tell whether a user is logged in on a given site and use a specific technique to log the user out so he can then watch the login operation and steal the credentials.

“When you look at it, what does SSL really offer? What this means is that for the average user, against a determined adversary, there really is no protection,” said Hansen, who presented his findings at the Black Hat conference here Thursday. “People give SSL and TLS a lot of credit, when it shouldn’t have any at all.”

SSL is the main transport security used by millions of Web sites to protect data being sent from browsers to Web servers. It’s been shown to be vulnerable to a number of different attacks, including several man-in-the-middle attacks, which could be used in conjunction with some of Hansen’s techniques to completely compromise a supposedly secure Web session.

“The most important thing is that if an attacker can map out the domain ahead of time, he can get a really good feel for how the site is built,” Hansen said. “If there’s a side channel, I can force them to precache some of the content on the page so that I don’t see that again when they reload the page. Then, the only thing you’re seeing are the things that are interesting to the attacker. You can map out the user’s flow around the site and the attacker can force the user to make an SSL connection to them so they can tell which SSL and HTTP headers are being sent in which direction. It’s about narrowing down the number of bytes that are interesting.”

As troubling as the problems that Hansen found are, he emphasized that they don’t mean that the sky is falling.

“You still need to be a man in the middle first and there are probably easier ways to attack people once you are, but there are a lot of issues here,” he said. “If there was better jitter and padding in SSL, a lof of this wouldn’t even be possible.”

Source

The U.S. Department of Homeland Security sent its highest-ranking official ever to speak at the Black Hat conference this week, and its Deputy Secretary Jane Holl Lute ended up fielding a few tough questions from skeptical computer security professionals in attendance.

During a question-and-answer session at the end of her Wednesday keynote address, one attendee asked if we should expect the DHS to give cybersecurity the same kind of treatment it’s given air travel with the Transportation Security Administration. “Why should we believe that DHS, going forward, is going to protect cyber in something other than the same way?” he asked, scoring the loudest applause of the session with the question. “Now as the TSA slows down the air travel, DHS will slow down the commerce.”

The undersecretary disagreed with this characterization of the TSA, but conceded that there is a “tension” in the DHS’ mission. “We want to keep out people who might be dangerous, but we want to expedite legitimate trade and travel.”

“We happen to believe that we can achieve our security, we can protect our rights, we can protect commerce and lawful interchange,” she said. “We can have all of these things, but we need to engage in a debate about how we will prioritize and how we will strike the balance.”

Security experts such as Bruce Schneier have long slammed the TSA’s procedures, saying that they are ineffective and poorly thought out. Schneier calls U.S. airport screenings “security theater.”

Some have also criticized the DHS as slow in its response to cyber-incidents. As industrial systems were being targeted with the Stuxnet worm two weeks ago, it took DHS’ Industrial Control Systems Computer Emergency Response Team five days to push out a public alert. Critics say that was too long.

Hitting on a theme of her keynote, Lute called for real dialogue between government and industry and said she hoped that her department could be a “portal for that debate.”

“You know, societies used to have conversations with themselves through their governments. In that respect, we’re not talking to each other any more,” she said. “In many respects we’re throwing assertions back and forth at each other and seeing who has the more clever report, who has thought of the newer idea.”

Hitting on another theme that the government’s response to cyberthreats has been more rhetorical than practical, another attendee asked if Lute thought the U.S. would be able to secure computer systems without first experiencing a cyberdisaster, equivalent to the Sept. 11 terrorist attacks. “In Homeland Security, at the water cooler, do your peers say, ‘It’s just a matter of time before something horrible happens and that’s when we’re going to need to do what we actually need to do, instead of just talking about what needs to be done?”

“I’m a person who believes that this country can protect itself,” Lute said. “I don’t know what’s inevitable, and I think that anybody who lived through the events of 1989 [when the Berlin Wall fell] or who lived through the events of 2001 has lost the right to say that anything is impossible.”

Source

Police have expanded their use of powers to force suspects to decrypt files by 50 per cent in the last year, figures released today reveal.

In the 12 months to March 31 this year, government officials approved 38 notices under Part III of the Regulation of Investigatory Powers Act, compared to 26 in the previous year.

The powers, known as section 49 notices, require suspects to hand over passwords or make files intelligible to investigators on threat of a two-year jail sentence, or five years where national security is concerned.

As well as obtaining more section 49 notices, police also expanded the range of crimes they were used to investigate.

In 2008/09 they were served in relation to counter-terrorism, possiession of indecent images of children and “domestic extremism” (a case involving activist attacks on animal testing labs). In the last 12 months, however, RIPA Part III was used to demand decryption in cases of insider dealing, illegal broadcasting, theft, excise duty evasion and aggravated burglary, the Chief Surveillance Commissioner Sir Christopher Rose said in his annual report.

Investigations into indecent images of children remained the “main reason” section 49 notices were served, he added.

Of the 17 notices obtained this year that have so far been served, six suspects complied and seven did not. The remainder are still being processed. One person suspected of possessing indecent images of children has been convicted for failing to hand over passwords.

The compliance rate was up on last year, the first full year since the powers were activated, when 11 out of 15 suspects served with a section 49 notice did not make their files intelligible to investigators.

Sir Christopher noted the discrepancy between 38 approvals granted by the National Technical Assistance Centre (NTAC) and the number of notices actually served. NTAC is a unit at GCHQ, the Cheltenham code-breaking agency.

“Notices, once approved, should be served without delay,” Sir Christopher said. “If delays continue, I will require an explanation.”

Last year The Register reported the case of the first man known to have been jailed for failing to hand over encryption keys to the police. “JFL” was a schizophrenic software developer initially charged with explosives offences that were later dropped. He was sectioned under the Mental Health Act during his prison sentence.

Source

The Homeland Security Department recently announced an initiative aimed at creating a more secure system of online identification. According to its Web site, the National Strategy for Trusted Identities in Cyberspace seeks to “improve cyberspace for everyone — individuals, private sector and governments — who conducts business online.”

That’s certainly a noble goal. But the very existence of NSTIC begs two very important questions: Does protecting me and my fellow citizens while we transact business online fall within the department’s areas of responsibility? And does DHS truly believe it can do what the private sector, driven by a clear and compelling profit motive, has yet to successfully accomplish?

The answer to both questions is a resounding no. DHS should focus on doing what its name implies — protecting the homeland — and resist the urge to demote itself into the role of national cyber mall cop.

I say this not to demean the department, which shoulders a weighty load in addressing the manifold threats to our shores in this age of terrorism, but because any effort by DHS to create a voluntary trusted identity program is doomed to fail.

The recent experience and backlash associated with Real ID — rebuffed by the general public and legislatively rejected by 11 states before being scrapped — and high-tech passports — subject to ongoing criticism for their security vulnerabilities — demonstrate that the public is uneasy at best and at worst dead set against any attempts by the federal government to centralize identification in any form. Another national identification storm cloud is gathering on the horizon in the form of the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment provision of pending immigration reform. With every attempt at using technology to track citizens, George Orwell’s shadow grows longer.

Conspiracy theories aside, lessons learned from the evolution of Social Security numbers into a de facto national financial credential — in spite of being prohibited by the law that created them for any use other than the management of Social Security benefits — should be enough to remind us of what can happen with a national identification program even when it is conceived with the best of intentions.

Of course, DHS would not be the first organization to fail at creating a broadly successful universal digital identifier. Devices such as smart cards and tokens have been in use for years and are effective for managing identity-based access to secure enterprise systems. But such technology works best in a single organization because cost and management issues temper their advantages in broader applications.

At the consumer level, where individuals might be using multiple identities for a broad range of applications, any secure identity system would need to take into account the highly complex vagaries of human behavior. Doing so successfully in the private sector would be a feat with a multibillion-dollar payday — and there’s plenty of money and brainpower being spent on that effort already.

Consider, too, the challenges DHS faces in successfully launching a trusted identity program when the agency lacks the trust of the general public. In the Ponemon Institute’s annual Privacy Trust Study of the United States Government, DHS ranked 70th among the 75 federal agencies studied. The Citizenship and Immigration Services agency and Customs and Border Protection agency, both of which are part of DHS, ranked 74th and 75th, respectively.

If DHS believes that a more secure online experience will enhance homeland defense, that goal would be better served by the creation of an educational program that makes people more aware of how to safely conduct online activities. When you get beyond the Beltway, you find that too many people are making unsafe decisions online not because the technologies and techniques are lacking but because they simply don’t know any better. If left to persist, public ignorance will be the downfall of any trusted identity strategy.

Source

“I believe if you set it up correctly, the cloud can be as secure as anything else,” says the CTO of a financial services startup. “But we don’t want to have to waste time communicating to potential customers that the public cloud is secure. It’s a conversation you don’t want to have.”

As a result, this CTO’s company, which had deployed its applications on top of Amazon’s Web service offering, is bugging out of the public cloud and into a private co-location facility. While he believes his team can configure the Amazon service to be just as secure as the on-site option, and the cloud’s low startup costs and rapid deployment benefits are attractive, he had to ask: Could the model cost us business?
No matter how many times public cloud providers assert–often correctly–that data is well-protected on their servers, they just can’t shake the insecurity rap. And that means CIOs need to ask not just whether the cloud makes business sense, but whether their customers will see it that way. They may not: Security tops the list of cloud worries in every InformationWeek Analytics cloud survey we’ve deployed. In our 2010 Cloud GRC Survey of 518 business technology professionals, for example, respondents who use or plan to use these services are more worried about the cloud leaking information than they are about performance, maturity, vendor lock-in, provider viability, or any other concern.

That doesn’t mean businesses are shunning the cloud. Of those respondents who do use or plan to use these providers, within the next two years, 20% say up to half of their IT services will come from the cloud; an additional 45% say a quarter of their IT services could be delivered that way. The benefits, such as lower deployment costs and faster time to market, are just too attractive, particularly in today’s business climate of stagnant budgets and staffing uncertainty. Still, your customers have legitimate questions about running applications in the cloud, whether on infrastructure-as-a service (IaaS) or platform-as-a-service (PaaS) environments. IT must help the business be prepared with good answers to the two main questions we raise, and others specific to the product. It may make the difference between winning business and losing confidence.

First, customers will look for assurance that an application that runs on PaaS is as secure as an application that runs behind an on-premises firewall. The answer will normally be “No–unless it is.” It’s an irritating response, but that’s because cloud security is frustrating. Here’s the breakdown.

A Web application you develop and deploy in a PaaS environment is no more–and no less–secure than a Web app you develop and deploy yourself. The basic principles of secure application development don’t change because of the cloud. “Cross-site scripting is still cross-site scripting. There’s not much difference whether it’s in-house or PaaS,” says Brian Chess, chief scientist and co-founder of Fortify Software, an application security testing company. The upshot? Developers must be trained to write secure software, regardless of where that software runs. Applications must be tested regularly to ensure that the inevitable vulnerabilities are found and remediated. Building and running an application on top of Windows Azure, Google App Engine, or Engine Yard doesn’t excuse an organization from following these principles.

Source

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn’t sure why Iran and the other countries are reporting so many infections. “The most we can say is whoever developed these particular threats was targeting companies in those geographic areas,” Levy said.

The U.S. has a long-running trade embargo against Iran. “Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don’t have much AV right now,” Levy said.

Siemens wouldn’t say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Earlier this year, Siemens said it planned to wind down its Iranian business — a 290-employee unit that netted €438 million (US$562.9 million) in 2008, according to the Wall Street Journal. Critics say the company’s trade there has helped feed Iran’s nuclear development effort.

Symantec compiled its data by working with the industry and redirecting traffic aimed at the worm’s command and control servers to its own computers. Over a three-day period this week, computers located at 14,000 IP addresses tried to connect with the command and control servers, indicating that a very small number of PCs worldwide have been hit by the worm. The actual number of infected machines is probably in the 15,000 to 20,000 range, because many companies place several systems behind one IP address, according to Symantec’s Levy.

Because Symantec can see the IP address used by machines that try to connect with the command and control servers, it can tell which companies have been infected. “Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers,” the company said in its blog post Thursday.

Stuxnet spreads via USB devices. When an infected USB stick is viewed on a Windows machine, the code looks for a Siemens system and copies itself to any other USB devices it can find.

A temporary workaround for the Windows bug that allows Stuxnet to spread can be found here.

Source

There’s a new kid in town when it comes to open source code in the cloud. It’s Rackspace’s OpenStack, based on both Rackspace’s and NASA Nebula’s existing cloud engines. Wasn’t there already sufficient open source code in play? Why do we need this initiative on top of those already afoot? Actually, we need 3-4 such initiatives.

Rackspace convened a group of interested companies the week of July 12 and asked them if they would help build a stack of open source software that would power a more uniform, future cloud environment. This move had one target, Amazon Web Services EC2, which has run away with the cloud infrastructure market.

Isn’t there already open source code opening up EC2? There is, from Eucalyptus Systems, which did a sterling job of duplicating basic Amazon functionality in its set of compatible interfaces. The Eucalyptus interfaces duplicate basic Amazon functionality, such as ‘load this workload onto a virtual server,’ and then builds them out into cloud infrastructure — for the enterprise private cloud. Eucalyptus Enterprise Edition is a commercial product meant to capitalize on what Eucalyptus open source code created.

The Rackspace initiative is different, and Eucalyptus Systems CEO Marten Mickos said as much when he responded to an InformationWeek query. It “aims at a cloud with a million nodes. It is an entirely non-commercial initiative,” he said. By “aimed at a million nodes,” he means OpenStack, unlike Eucalyptus, is a code project aimed at major cloud suppliers of the future (which, of course, will be commercial initiatives). The project itself isn’t aimed at producing code to be sold as a commercial product so much as providing a cloud infrastructure to be shared across many cloud suppliers.

I found Thorsten von Eicken, CTO of RightScale, which front ends both Rackspace and EC2, the most zeroed in on this new development. In a July 18 blog, he said: “RackSpace has committed itself to a true open source project, meaning that it’s not just source code thrown over the wall into the open, but also an open design process, an open development process and an open community.”

The Rackspace-sponsored meeting lead to a session on OpenStack requirements, with Rick Clark, senior manager of software product development at Rackspace, “managing the requirements gathering very openly,” wrote von Eicken. “I expect we will see a good number of companies contributing code to this project.”

The companies participating at what Rackspace termed its Design Summit were: AMD, Intel, Dell, Citrix Systems, NTT Data, RightScale, Zenoss, Autonomic Resources, SoftLayer, Opscode, CloudSwitch, Cloudscaling, Cloud.com, Cloudkick, enStratus, FathomDB, iomart Group, Limelight, Nicira, Peer 1, Puppet Labs, Riptano, Scalr, Sonian, Spiceworks and Zuora.

The strength of this group is that it has the expertise to cover many bases. The weakness is that it may or may not have the ability to keep a strict focus, keep members engaged, keep code coming over a long period of time. Even if it meets those goals, it may not appeal to all cloud suppliers, who for reasons of their own may adopt a more Amazon-like approach or simply their own approach.

This is open source by and for the benefit of a group of vendors, who wish to supply components to the future cloud and know they will not be able to do so if Amazon’s EC2 is the only player. That’s a little different from the wide open Linux project, which attracted skilled developers whose efforts were then adopted by thousands of other skilled developers on an independent basis. Whatever OpenStack produces, there’s no guarantee that a majority of open source developers, nevermind a majority of cloud suppliers, will adopt it.

But we need the OpenStack project. The open source projects keep Amazon honest, keep it innovating and pushing the cloud frontier forward rather than letting others get there first. We need an alternative to Amazon as well, lest the dominant supplier become so dominant that it can dictate the market. We need more than one alternative.

We now have Eucalyptus and OpenStack injecting code directly to the future cloud market, with different target users in mind. One way to insure we don’t end up in a cloud era that resembles the age of IBM mainframe domination or Microsoft desktop domination is to create and sustain these alternatives.

“Having many fragmented cloud efforts doesn’t really help build a compelling alternative to Amazon,” warns von Eicken.

That’s right, but in the long run, the cloud isn’t just one thing. There will be many variations to the sets of services that it offers and business models that it employs. These services will be built out more rapidly if providers can share infrastructure components and customers can move with ease from one cloud to another.

By putting its weight behind this stack, Rackspace at a stroke has generated a possible basis for competition with EC2 — a future environment shared across a wide range of providers. Whether that eventuality ever materializes remains to be seen, but I see no technical barrier standing in the way.

“The bottom line is, we believe this to be a potentially game changing event,” wrote von Eicken. If the desire to produce code by this set of vendors is matched by a desire to use the code by an even broader one, then, yes, we will have just witnessed a game changing event.

For more thoughts on open source in cloud computing, see Zenoss engineer Mark Hinkle’s presentation on Linux, Open Source and Socialized Software at the O’Reilly Open Source Conference in Portland, Ore.

Source

===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================

==Description==

“Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers.” [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
“mount_webdav” utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

“args” is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
“pa_socket_namelen” field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple’s management of security issues.
Local denial-of-service issues are by nature low impact – many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple’s security team was
contacted prior to disclosure, and I’m sure they’ll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

— webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
}

/* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+ error = EINVAL;
+ goto bad;
+ }
+
MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg () gmail com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/

Source