Archive for Research

Security Advisories MU-201202-01 and MU-201202-02 for GnuTLS and Libtasn1

TLS record handling vulnerability in GnuTLS [MU-201202-01] [CVE-2012-1573]
ASN.1 length decoding vulnerability in Libtasn1 [MU-201202-02] [CVE-2012-1569]

Download The PGP Signed Text Version Of This Advisory

Note: Thanks to Red Hat Security Team for requesting the CVE IDs above.


Mu App Quadrant #1 – Not all video streaming apps are created equal…

There’s been a lot of debate recently about the impact of video apps on the network. According to Nielsen, Netflix alone now accounts for 20% of downstream traffic during peak times in the United States. In a previous blog post, Kowsik explained the behind-the-scenes interactions that happen, unbeknownst to you, when you watch a Netflix movie. So that got us thinking – are all the popular video apps as network-intensive as Netflix? Are some video apps more user-friendly in their bandwidth consumption than others? Are some video apps more operator-friendly in their consumption of network resources?


Charlie and the Fuzzing Factory

It’s cool that Charlie Miller fuzzed the iPhone and broke it, but the catch phrase for me was (paraphrased) “When I start the fuzzer, I want to get some sleep and when I wake up find tons of 0-days”. I remember watching the movie with my kids, and it wasn’t that the factory made awesome chocolates, but that the whole thing was automated with elves and such.


IPv6 Fuzzing and Testing

At Mu, we take testing IPv6 pretty seriously, especially since the IPv4 address space is vanishing faster than you can say all eight groups of an IPv6 address. We released our first version of the IPv6 test suite for fuzzing 3 years ago; it included coverage for fragmentation, the various extension headers and their options. Most of the fun in fuzzing IPv6 happens with the extension headers, which are much like IPv4 options except that they form a chain: each header’s Next Header field points at the next one, much like IKE payloads, so a parser has to walk the list and trust a length field at every hop. In one of the IPv6 test suites, we have more than 100,000 test cases that exercise various parts of the IPv6 capabilities!
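
The header chain described above, as an added example that is not part of the original post or of Mu’s test suite: a minimal walker over the Hop-by-Hop, Routing, Fragment and Destination Options headers that checks every declared length against the remaining payload before following the Next Header pointer, plus a small builder used to construct one valid packet and one whose Hdr Ext Len has been fuzzed to 0xFF. The sample packets, the `MAX_CHAIN` cap and the helper names are assumptions made for this example.

```python
import struct

# IANA protocol numbers for the headers handled here
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP = 6
# Hop-by-Hop, Routing and Destination Options carry Hdr Ext Len: length in 8-octet units, not counting the first 8
LENGTH_PREFIXED = {HOP_BY_HOP, ROUTING, DEST_OPTS}
MAX_CHAIN = 16  # assumed cap on chain length for this example; a real stack picks its own policy


def walk_extension_headers(packet: bytes):
    """Follow the Next Header chain.
    Returns ([(type, offset, length), ...], upper_layer_protocol, upper_layer_offset).
    Raises ValueError instead of reading past the buffer when a declared length lies."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack_from("!HB", packet, 4)
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError(f"payload length {payload_len} exceeds buffer")
    chain, offset = [], 40
    while next_hdr in LENGTH_PREFIXED or next_hdr == FRAGMENT:
        if len(chain) >= MAX_CHAIN:
            raise ValueError("extension header chain too long")
        if offset + 8 > end:
            raise ValueError(f"header {next_hdr} at offset {offset} is truncated")
        # Fragment header is a fixed 8 octets; the others declare their own size
        hdr_len = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            raise ValueError(f"header {next_hdr} at offset {offset} declares {hdr_len} bytes, {end - offset} remain")
        chain.append((next_hdr, offset, hdr_len))
        next_hdr, offset = packet[offset], offset + hdr_len
    return chain, next_hdr, offset


def is_well_formed(packet: bytes) -> bool:
    try:
        walk_extension_headers(packet)
        return True
    except ValueError:
        return False


def ext_header(next_hdr: int, options: bytes, declared_len=None) -> bytes:
    """Build a length-prefixed extension header; options are zero-padded (Pad1) to an 8-octet multiple.
    declared_len overrides Hdr Ext Len to reproduce a fuzzed length field."""
    total = 2 + len(options)
    total += (-total) % 8
    hdr_ext_len = total // 8 - 1 if declared_len is None else declared_len
    return bytes([next_hdr, hdr_ext_len]) + options.ljust(total - 2, b"\x00")


def ipv6_packet(next_hdr: int, body: bytes) -> bytes:
    """Constructed IPv6 packet: version 6, zero traffic class/flow label, unspecified addresses, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(body), next_hdr, 64) + bytes(32) + body


# Constructed samples: a valid HBH -> DstOpts -> TCP chain, and the same chain with a fuzzed Hdr Ext Len
PADN4 = b"\x01\x04\x00\x00\x00\x00"  # one PadN option filling the six option octets
GOOD = ipv6_packet(HOP_BY_HOP, ext_header(DEST_OPTS, PADN4) + ext_header(TCP, b"") + b"tcp-segment")
FUZZED = ipv6_packet(HOP_BY_HOP, ext_header(DEST_OPTS, PADN4, declared_len=0xFF) + ext_header(TCP, b"") + b"tcp-segment")

if __name__ == "__main__":
    print(walk_extension_headers(GOOD))   # ([(0, 40, 8), (60, 48, 8)], 6, 56)
    print(is_well_formed(FUZZED))         # False: second header claims 2048 bytes
```

The check that matters is the one against `end` (the parent’s boundary from the fixed header’s Payload Length), not against `len(packet)`: a capture buffer is usually larger than the packet, so a walker that only compares against the buffer length will happily follow a fuzzed length into whatever lies after the packet.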


Fieldomatic Complexity

If you’ve gone through my CanSecWest slides, I talk a lot about Fields and how they are the fundamental units of protocols (network protocols or file formats). The linkage information between the Fields and across messages is a pretty powerful way to infer the cyclomatic complexity of the code that parses these messages. When generating test cases (fuzzing being one kind), we can leverage these structural and semantic linkages to generate systematic constraint violations that ultimately exercise the various branches taken in the parser.


Widespread DH Implementation Weakness: Conspiracy or Ignorance?

While developing an implementation of IKE for our platform, I noticed an astonishing behavior in the servers I was testing against: not a single IKE implementation, which included products from the biggest names in network infrastructure, was validating the Diffie-Hellman public keys that I sent. A consequence of this is that any deployment of these servers will allow the disclosure of secret information when a peer is in collusion with a passive attacker.
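
The missing check, as an added example that is not part of the original post or of Mu’s IKE implementation: a responder that accepts any peer public value, the RFC 2785-style validation it should have done (reject values outside [2, p-2], then confirm the value lies in the intended prime-order subgroup), and a small demonstration of the collusion the post refers to, in which the peer sends y = p-1 so that the responder’s shared secret is (-1)^x and a passive observer of the exchange needs only two guesses. The group parameters are a constructed toy safe-prime group (p = 2q+1 with g generating the order-q subgroup); the real IKE MODP groups of RFC 2409 and RFC 3526 use g = 2 and q = (p-1)/2, and the checks are identical, only the numbers grow.

```python
import secrets

# Constructed toy group for illustration (assumption): safe prime p = 2q + 1,
# g generates the prime-order-q subgroup. Not a real IKE group.
P, Q, G = 23, 11, 2


def validate_dh_public_value(y: int, p: int, q: int) -> bool:
    """Check a peer's DH public value before using it (the RFC 2785 recipe)."""
    if not 2 <= y <= p - 2:          # rejects 0, 1 and p-1, the degenerate values
        return False
    return pow(y, q, p) == 1         # y must lie in the intended subgroup of order q


def shared_secret(peer_public: int, my_private: int, p: int) -> int:
    return pow(peer_public, my_private, p)


def naive_responder(peer_public: int, my_private: int, p: int, q: int) -> int:
    """What the tested servers did: use whatever public value the peer sent."""
    return shared_secret(peer_public, my_private, p)


def hardened_responder(peer_public: int, my_private: int, p: int, q: int) -> int:
    """Same computation, but only after the peer's value passes validation."""
    if not validate_dh_public_value(peer_public, p, q):
        raise ValueError(f"rejecting DH public value {peer_public}")
    return shared_secret(peer_public, my_private, p)


def passive_attacker_candidates(p: int) -> set:
    """With y = p-1 on the wire, the responder's secret is (-1)^x: the observer
    who only saw the traffic has two candidates for the shared secret."""
    return {1, p - 1}


def collusion_demo(p: int, q: int, responder_private: int) -> bool:
    """Colluding peer sends y = p-1; True if the passive observer's guess set contains the real secret."""
    secret = naive_responder(p - 1, responder_private, p, q)
    return secret in passive_attacker_candidates(p)


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1          # responder's private exponent
    print("colluding peer + passive observer recover the secret:", collusion_demo(P, Q, x))
    try:
        hardened_responder(P - 1, x, P, Q)
    except ValueError as exc:
        print("hardened responder:", exc)
    honest_y = pow(G, secrets.randbelow(Q - 1) + 1, P)
    print("honest exchange still works:", hardened_responder(honest_y, x, P, Q))
```

Note that the range check alone already stops the y = p-1 case; the subgroup test (`pow(y, q, p) == 1`) is what protects against values of other small order in groups that are not safe primes, and against a non-residue value leaking a bit of the private exponent even when p is a safe prime.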


Itsy Bitsy Protocol Spider

In the OOMPH blog post I talked about specification coverage and how the effectiveness of attacks can be measured. Part of building object-oriented mutations that mimic the design and interconnectedness of protocols is to leverage attacks on referenced structures in related protocols. But how are protocols related?


Vulnerability Patterns – Emptiness

As in nada, nothing. When I wrote the title, it sounded silly that something this simple would be a pattern, but the number of NULL-pointer DoSes it turns up is pretty amazing. It’s a very effective pattern: remove mandatory elements or fields from a protocol message and send them off to /dev/null, then see whether the parser on the other side checks for their presence before dereferencing them.


Vulnerability Patterns – Nested TLV’s

Protocols (in the loose sense of a structured exchange of messages) are like Russian dolls. Everything at some point is contained within everything else. The Nested TLV vulnerability pattern applies more to binary protocols than to ASCII ones. You can think of each TLV as a rectangle from a bounds perspective: an inner TLV’s length must fit inside the outer TLV that contains it, not merely inside the buffer, and parsers that only check the latter are the ones this pattern finds.


Vulnerability Patterns – TLV’s

In the quest to provide complete Attack Surface Coverage, we strive to identify patterns of abuse in protocols that we can replicate across other protocols and applications. We call them Vulnerability Patterns, because they abstract the problem away from the programming language, the protocol, or the one-off vulnerability in a particular version of a given product. It’s a powerful concept, especially if you can capture a pattern and apply it to every single place you see it. It’s no different from the Design Patterns used in software engineering.
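
The three patterns in this series (TLV, Nested TLV and Emptiness) applied to one constructed format, as an added example that is not part of the original posts or of Mu’s product: a TLV parser that bounds every inner element by its parent rather than by the buffer, a handler that checks for its mandatory field before using it, and a mutation generator that derives the over-length, spilled-nested and missing-field cases from a single well-formed message and runs them through the handler. The type codes, the 1-byte type / 2-byte length encoding and the sample message are assumptions made for this example; the sample nests one level deep.

```python
import struct

# Assumed type codes for this example's format
TYPE_ID, TYPE_NAME, TYPE_TRAILER, TYPE_CONTAINER = 0x01, 0x02, 0x03, 0x10
MANDATORY = {TYPE_ID}          # fields the handler cannot work without
MAX_DEPTH = 8


def encode_tlv(t: int, value: bytes, length=None) -> bytes:
    """1-byte type, 2-byte big-endian length, value. 'length' overrides the length field to build a malformed case."""
    return struct.pack("!BH", t, len(value) if length is None else length) + value


def encode_message(fields) -> bytes:
    return b"".join(encode_tlv(t, v) for t, v in fields)


def parse_tlvs(buf: bytes, start: int = 0, end=None, depth: int = 0):
    """Parse the TLV run in buf[start:end]. A container's value is parsed recursively, and every inner
    TLV is bounded by its parent's end, not by the buffer: the inner rectangle must fit inside the outer one."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError("TLV nesting too deep")
    out, pos = [], start
    while pos < end:
        if pos + 3 > end:
            raise ValueError(f"TLV header at {pos} runs past parent end {end}")
        t, length = struct.unpack_from("!BH", buf, pos)
        vstart, vend = pos + 3, pos + 3 + length
        if vend > end:
            raise ValueError(f"TLV {t:#x} at {pos} declares {length} bytes, parent ends at {end}")
        value = parse_tlvs(buf, vstart, vend, depth + 1) if t == TYPE_CONTAINER else buf[vstart:vend]
        out.append((t, value))
        pos = vend
    return out


def handle_message(buf: bytes) -> bytes:
    """Application handler. Indexing TYPE_ID without the presence check is the Emptiness pattern's NULL dereference."""
    fields = dict(parse_tlvs(buf))
    missing = MANDATORY - fields.keys()
    if missing:
        raise ValueError(f"mandatory TLV(s) missing: {sorted(missing)}")
    return fields[TYPE_ID]


def mutations(fields):
    """Yield (pattern, bytes) test cases derived from a well-formed top-level field list (one level of nesting)."""
    for m in MANDATORY:                                   # Emptiness: drop each mandatory field
        yield f"emptiness:drop:{m:#x}", encode_message([(t, v) for t, v in fields if t != m])
    for i, (t, v) in enumerate(fields):                   # TLV: a length that claims more than the message holds
        parts = [encode_tlv(tt, vv) for tt, vv in fields]
        parts[i] = encode_tlv(t, v, length=0xFFFF)
        yield f"tlv:overlength:{t:#x}", b"".join(parts)
    for i, (t, v) in enumerate(fields):                   # Nested TLV: inner length spills past its container
        if t != TYPE_CONTAINER:
            continue
        inner_fields = parse_tlvs(v)
        for j, (it, iv) in enumerate(inner_fields):
            inner = [encode_tlv(a, b) for a, b in inner_fields]
            inner[j] = encode_tlv(it, iv, length=len(v) + 1)   # still inside the message, outside the container
            parts = [encode_tlv(tt, vv) for tt, vv in fields]
            parts[i] = encode_tlv(TYPE_CONTAINER, b"".join(inner))
            yield f"nested:spill:{it:#x}", b"".join(parts)


def run_corpus(fields):
    """Feed every mutation to the handler and record whether it was rejected cleanly."""
    results = {}
    for name, case in mutations(fields):
        try:
            handle_message(case)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


# Constructed sample: an id, a container holding a name, and a trailing field that follows the container
MESSAGE = [(TYPE_ID, b"\x00\x01"), (TYPE_CONTAINER, encode_tlv(TYPE_NAME, b"mu")), (TYPE_TRAILER, b"trailing")]

if __name__ == "__main__":
    print(handle_message(encode_message(MESSAGE)))
    for name, outcome in run_corpus(MESSAGE).items():
        print(f"{name:24s} {outcome}")
```

The trailing field after the container is deliberate: in the `nested:spill` case the inner length only exceeds the container, not the message, so a parser that bounds inner TLVs by `len(buf)` instead of the parent’s end accepts it and reads the trailer’s bytes as part of the name.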
