January 13, 2006

Linux Advisory Watch - January 13, 2006

Author: Benjamin D. Thomas

This week, perhaps the most interesting articles include hylafax, hal, poppler,
pdftohtml, libpaperl, xpdf, gpdf, and apache2. The distributors include Gentoo
and Mandriva.IPv6 approach for TCP SYN Flood attack over VoIP, Part IV
By: Suhas Desai

6. IPv6 Approaches

Service Providers are scrambling to offer voice, video, data and innovative
services such as gaming, interactive TV and messaging, on a single pipe. At
the same time, network equipment is being upgraded to IPV6.But some Real-Time
IPV6 Security overwhelms performance due to the application intelligence which
is the rapid inspection of VoIP signaling SIP, H.323 and audio packets, and
the prompt opening and shutting of pinholes to allow the passage of valid
voice traffic over wireless networks.

A firewall enabled for application filtering and IPv6 can drop application
performance by a staggering 90 % or more compared to best case IPV4 results.

Given methods are used to IPv6 Application performance:

  • Emulate real application traffic -data, voice, video over tens of thousands
    of clients and/or servers.
  • Measure performance and Quality of Experience with Web pages/s, VoIP call
    set-up time, FTP file transfer rate and instant message passing with TCP SYN
    handshaking signals.

Multiply services over IPv4/v6 must address three additional challenges that
will impact network performance must be handled following DoS attacks. IPv6
approaches can handle these with Network tester configurations.

6.2 DoS Attacks

  • Must be filtered, including traditional layer 3-4 attacks such as TCP SYN
    Flood which is ported to IPv6.
  • ICMPv6 attacks
  • Application layer attacks (such as SIP setup/teardown flood and RTP stream
    Insertion).
  • Application attacks are particularly effective because they degrade the
    CPU performance.

6.3 VoIP Attack Vulnerability

VoIP attack vulnerability simulates DoS attacks to measure impact on VoIP
with:

  • Traditional DoS attacks (TCP SYN flood, ping of Death)
  • VoIP voice insertion-simulate rogue RTP streams.
  • VoIP DoS simulates bursts of call setups and teardowns on the same addresses

6.4 Performance Challenges

6.4.1
Longer IPv6 addresses:

Firewall rule sets and ACL must work IPv6 addresses. It can degrade performance.

6.4.2
IPv6 variable-length headers:

Parsing more complex encryption and authentication header sections must be
parsed and filtered and it may also need to perform encryption/decryption or
calculation of message authentication codes to be filter on application-layer
headers and content.

6.4.3
IPv6 DoS attacks

IPv6/v4 and IPv4/v6 tunneling can hide application-layer attacks within complex
handcrafted TCP SYN packets.

6.5 Triple-Play Methodology

It is a new approach needed to ensure that application aware devices do not
become bottlenecks:

6.5.1
Real-Time Application Performance.

6.5.2
Add DoS attacks over IPv6 including SIP setup-teardown attacks. Quantify the
reduction in application performance.

Read Article:
http://www.linuxsecurity.com/content/view/121205/49/


   Gentoo
  Gentoo: HylaFAX Multiple vulnerabilities
  6th, January, 2006
HylaFAX is vulnerable to arbitrary code execution and unauthorized
access vulnerabilities.
 
    Mandriva
  Mandriva: Updated HAL packages fixes
card reader bug
  5th, January, 2006
HAL in Mandriva 2006 doesn't correctly handle card readers advertising
themselves as SCSI removable disk, which was preventing HAL from correctly
creating entries in fstab when the user inserts a memory card. Updated
packages have been patched to address this issue.
 
  Mandriva: Updated poppler packages fix
several vulnerabilities
  5th, January, 2006
Heap-based buffer overflow in the StreamPredictor function in
Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF
file with an out-of-range numComps (number of components) field. (CVE-2005-3192)
Heap-based buffer overflow in the JPXStream::readCodestream function in
the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows
user-complicit attackers to cause a denial of service (heap corruption)
and possibly execute arbitrary code via a crafted PDF file with large
size values that cause insufficient memory to be allocated.
 
  Mandriva: Updated pdftohtml packages
fix several vulnerabilities
  5th, January, 2006
Heap-based buffer overflow in the StreamPredictor function in
Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF
file with an out-of-range numComps (number of components) field. (CVE-2005-3192)
Heap-based buffer overflow in the JPXStream::readCodestream function in
the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows
user-complicit attackers to cause a denial of service (heap corruption)
and possibly execute arbitrary code via a crafted PDF file with large
size values that cause insufficient memory to be allocated.
 
  Mandriva: New libpaper1 packages provide
libpaper1 to x86_64 platform
  5th, January, 2006
Corporte Desktop 3.0/x86_64 did not ship with the libpaper1
library which prevented the included gpdf and kpdf programs from working.
This update provides libpaper1.
 
  Mandriva: Updated xpdf packages fix several
vulnerabilities
  5th, January, 2006
Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF
and DCTStream::readBaselineSOF functions in the DCT stream parsing code
(Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to
cause a denial of service (heap corruption) and possibly execute arbitrary
code via a crafted PDF file with an out-of-range number of components
(numComps), which is used as an array index. (CVE-2005-3191)
 
  Mandriva: Updated gpdf packages fix several
vulnerabilities
  5th, January, 2006
Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF
and DCTStream::readBaselineSOF functions in the DCT stream parsing code
(Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to
cause a denial of service (heap corruption) and possibly execute arbitrary
code via a crafted PDF file with an out-of-range number of components
(numComps), which is used as an array index. (CVE-2005-3191)
 
  Mandriva: Updated apache2 packages fix
vulnerabilities
  5th, January, 2006
A flaw was discovered in mod_imap when using the Referer directive
with image maps that could be used by a remote attacker to perform a cross-
site scripting attack, in certain site configurations, if a victim could
be forced to visit a malicious URL using certain web browsers(CVE-2005-3352).