Previously we have seen how we can build kernel modules for CentOS (or RHEL) out of tree (Part 1; May 30th, 2008) or as DKMS modules (Part 2; July 18th, 2008). In this final part we will look at building kmod kernel modules packaged in RPM format and again we will use the coretemp module as an example.

The first thing we need to do is make sure we have all the kernel-devel packages installed for the currect kernel, including any xen and PAE variants. Next create a working directory containing the project source code and Makefile and create the Kbuild file by copying the Makefile. Finally, create a bzip2 compressed tarball of the source directory and copy the compressed tarball to the /SOURCES directory within your build environment.

Now we make a copy the kmodtool script (located at /usr/lib/rpm/redhat/kmodtool) called kmodtool-coretemp in the SOURCES directory and edit it to include any dependencies for our kmod RPM package (thanks to Johnny Hughes for the tip). Creating a custom kmodtool script isn't strictly needed for building kmod packages if you don't need to specify any dependencies but I was unable to find a convenient way to pass package dependencies from the SPEC file to the kmodtool build script. Below is an excerpt of my kmodtool-coretemp script showing an additional dependency for lm_sensors >= 2.10.2 which may be obtained from ATrpms.

Finally we make a SPEC file for the project named coretemp-kmod.spec file in the /SPECS directory of our build environment:

Now we're ready to build our kmod packages using rpmbuild:

which will produce a set of kmod-coretemp RPMs in your /RPMS directory under the appropriate architecture. Additionally, our SPEC file allows us to specify from the command line at build time which kernel version to build against (e.g, --define 'kversion 2.6.18-92.el5') or which kernel-variant kmod packages to build (e.g, --define 'kvariants ""' would only build the base kernel package).

kmod coretemp packages for CentOS 5 may be downloaded below and installed with rpm:

Alan has kindly updated the CentOS Wiki page on building kernel modules and I'd like to thank both Alan Bartlett and Akemi Yagi for helpful discussions, testing and encouragement whilst preparing this series of articles.

Mozilla have just released a new version of their Thunderbird email client that fixes a number of security issues:

• MFSA 2008-34 Remote code execution by overflowing CSS reference counter
• MFSA 2008-33 Crash and remote code execution in block reflow
• MFSA 2008-31 Peer-trusted certs can use alt names to spoof
• MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
• MFSA 2008-26 Buffer length checks in MIME processing
• MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
• MFSA 2008-24 Chrome script loading from fastload file
• MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

Users are advised to upgrade immediately.

In a major collaborative effort over 80 vendors simultaneously released patches to their DNS software to address a critical vulnerability. DNS, the Domain Name System, forms the basis of how today's Internet works by translating domain names into IP addresses and vice versa. Without DNS you wouldn't be able to type a domain name (such as bbc.co.uk for example) into a web browser and reach that site.

The current flaw in DNS potentially allows hackers to poison the DNS system and redirect users to malicious sites rather than the site they intended to visit. The researcher that discovered the flaw, Dan Kaminsky, had attempted to keep technical details of the vulnerability secret until next month in order to give system administrators time to patch their servers against the flaw. However, details of the vulnerability were revealed yesterday before many systems have been patched.

In a worst case scenario a major ISPs DNS servers could be subverted redirecting a major site such as Google to a malicious site designed to infect visitors PCs with malware. Such a scenario could result in hudreds of thousands of computers being infected in a very short period of time. With such rewards on offer you can bet the bad guys will be all over this in a flash.

What should you do?

Users are strongly advised to test their DNS servers now to see if they're vulnerable. Dan Kaminsky has a "Check My DNS" applet available on his site here.

If your DNS servers are vulnerable you should contact your ISP (or whoever provides your DNS) and inform them, plus ask them when they intend to patch their servers.

If your DNS servers are vulnerable then you can use the freely available DNS servers provided by OpenDNS until your normal servers can be patched. Windows users should go to Control Panel > Network Connections and right click on the connection and select "Properties". Then select Internet Protocol (TCP/IP) and click Properties. Select "Use the following DNS server addresses" and enter the following two IP addresses for the Preferred and Alternate DNS servers, respectively: 208.67.222.222 and 208.67.220.220. Linux users should edit the nameserver values in /etc/resolv.conf

Additionally, if you use a home router to automatically assign network settings then you should also update the DNS server settings in your router.

Users are then advised to retest to ensure their DNS servers are no longer vulnerable.

In an earlier article (Part 1; May 30th, 2008) I described how to build kernel modules for CentOS (or RHEL) out of tree and used the coretemp module as an example. My good friend and colleague, Alan Bartlett, had persuaded me to investigate packaging kernel modules, so herein we are going to look at how to package kernel modules in RPM format using the coretemp module as an example. I'd like to thank Alan for his technical assistance and encouragement without which this article wouldn't have been written.

There are two methods we can employ to build kernel module RPMs - DKMS and kmod. In this article we will look at Dynamic Kernel Module Support (DKMS) and in part 3 we will use kmod.

DKMS must be installed from RPMForge together with the necessary development packages.

We start by creating the necessary directory structure and copying the module source code and Makefile to that directory:

Next create a dkms.conf file for the project and save it to /usr/src/coretemp-1.00/

Now we are ready to invoke DKMS to add the coretemp module to the DKMS tree and build our RPM package:

Finally copy the created RPMs to somewhere safe and remove the coretemp module from the DKMS tree:

Now we can install our newly created coretemp RPM as normal:

In part 3 I will describe how to build coretemp as a kmod kernel module RPM package for CentOS (or RHEL) and will make the RPMs available for download.

Mozilla have released security updates to both version 2 (2.0.0.16) and version 3 (3.0.1) of their popular Firefox web browser.

Firefox version 2 will be supported until December 2008 so users are encouraged to upgrade to version 3 if they have not already done so.

Adobe have recently released a security bulletin for Acrobat (and Acrobat Reader) affecting the latest versions of both 7 and 8.

Nothing new there, so why the rant?

Well, firstly the security update is not picked up through the application's builtin update feature (Help menu > Check for Updates) so unless you happen to regularly follow security blogs, how are end users supposed to know it's been released. Secondly, the download is in the form of a Microsoft .msi file and how many end users would know what to do with one of these? Finally, after successfully updating a system there doesn't appear to be any easily visible record that the patch has been applied making it difficult for system administrators to track which systems have been updated and which haven't.

With the current trend of exploiting vulnerabilities in 3rd party applications (Adobe Acrobat) and browser plugins (Adobe Flash), software vendors need to do more to ensure they deliver software updates in a timely and coherent fashion. In short, they need to do more to ensure end user systems stay fully patched.

End users, and home users in particular, don't always have system administrators to look after their machines, ensuring that all the relevent security patches have been applied and the Bad Guys know this and take advantage by targeting these applications and browser plugins. All it takes is for one email with a link to a malicious PDF file hosted on some website, click on it and you're infected.

Delivering updates

One way to address the paradigm of delivering software updates might be for Microsft to open up their Microsoft Updates site to 3rd party software vendors and allow them to automatically deliver their updates through that system thus ensuring that all users receive them. A "one-stop-shop" for updates really is what's needed as it's no longer reasonable to expect users to go trawling the web in search of the security updates they need. Software with an automatic update feature built in was a step in the right direction, but as Adobe have just shown it's not infallible and only works when they deliver all updates through that mechanism.

In the meantime, services such as Secunia's Online Software Inspector provide a valuable service to end users for ensuring that their systems are kept up to date.

F-Secure have just released version 3 of their Rescue CD. The rescue CD is a Linux-based LiveCD ISO image built on Knoppix version 5.3.1 that you can use to boot an infected system, scan all the hard drives and automatically rename any infected files with the .virus extension.

One of the main advantages of such tools is that booting from a LiveCD allows the efficient detection and removal of rootkit-protected malware whereas normal booting of a system would render these malware otherwise undetectable to anti-virus products.

The new version supports online virus definition updates if a network connection is present (requires dhcp), or manual updating from a USB drive. Windows FAT and NTFS partitions are supported thanks to an updated NTFS driver (NTFS-3G 1.2506) and the ability to detect MBR viruses is also supported.

This is a useful addition to any system administrator's toolbox and comes highly recommended.

Today Mozilla released an all new version 3 of their open source Firefox web browser. After nearly 3 years in development the new browser version contains many new features and improvements to speed, security and memory usage.

Mozilla are also aiming to break the Guinness World Record for the most software downloaded in 24 hours and are hoping for 5 million downloads on the day of release. In comparison, version 2 of Firefox managed 1.6 million downloads on the day it was originally released, 24 October, 2006.

Firefox 3 was made available for general release at 6pm (BST) and in the first couple of hours after release Mozilla's download site was either very slow or unreachable most likely due to extraordinarily heavy demand - a good sign that they may reach their target number of downloads. Firefox 3 is available for for all popular operating systems, including Linux, Mac OS, as well as Windows 2000, XP and Vista.

There are a number of reasons why you may wish to build Linux kernel modules. For example, you may need a driver that isn't present in the current kernel, or you may want to apply a patch to an existing driver that adds functionality or fixes an bug. There are a number of ways you can tackle such issues:

• Build a new kernel based on the upstream vanilla sources that contain the required driver version
• Rebuild your current distro kernel with a patch applied

Both of these methods require you to build a complete custom kernel which you then become responsible for maintaining. However, many drivers will build out of tree and may be loaded into your currently running kernel. This approach has a number of advantages in that you don't need to compile a complete kernel, you can continue to run your stable distro kernel and you don't have to worry about maintaining your own custom kernel.

Building modules out of tree

As an example, I'm going to build the coretemp module for CentOS 5 used for monitoring the core temperature from inside Intel Core series processors as this driver didn't make it into the 2.6.18 series kernel used in CentOS 5.

First we need to create a project directory and src directory in that:

and place your module source file in /src

Next we create a top level Makefile in the project directory ~/coretemp/

and a Makefile in ~/coretemp/src/

Since coretemp isn't a module provided in the CentOS 5 kernel it makes sense to install our newly built module to /lib/modules/{uname -r}/extra.

So now we can build our new kernel module (you can build the module as a regular user, but make install will need root privileges):

and finally run depmod, load the module with modprobe and check it's loaded:

So let's have a look at coretemp in action, shown here monitoring all 4 cores of an Intel Q6600 quad core processor:

In part 2 I'll describe how to build dkms enabled kernel modules for CentOS/RHEL and package these in RPM format for distribution.

A critical bug has been found in the Pseudo Random Number Generator (PRNG) used in OpenSSL in debian Linux and it's derivative (e.g, Ubuntu etc) that renders random numbers predictable. The bug was introduced into debin unstable on September 17th, 2006 and has since propogated into the stable branch. All keys generated on affected systems should be considered compromised.

http://www.debian.org/security/2008/dsa-1571

http://www.ubuntu.com/usn/USN-612-1

I don't use debian (or Ubuntu), so how does this affect me?

The impact of this vulnerability is far reaching and goes way beyond debian-based systems. The vulnerability directly affects all debian-based systems using OpenSSL generated keys (OpenSSH, OpenVPN, website and mail server authentication by SSL/TLS, etc) and potentially affects anyone using SSL-based security or encryption.

OpenSSH

If you have a Linux server, then you almost certainly have SSH configured by default for remote access. If you use public/private key authentication and users have generated keys on affected systems, then brute-forcing those keys to gain remote access is trivial and there are already scripts available in the wild. The same applies to OpenVPN. The important facor here is the system the keys were generated on, not whether your server is running debian or other affected Linux distribution.

Additionally, all DSA keys that were ever used on a vulnerable debian-based system for signing or authentication should also be considered compromized due to a known attack on DSA keys.

System administrators are advised to conduct a full audit of all key pairs and regenerate new keys where appropriate.

SSL-encrypted websites and mail servers

Users of debian-based systems running SSL encrypted websites or mail servers using SSL/TLS certificates generated on affected systems should generate new certificates immediately. Additionally, if you have had your certificates signed by Root Certificate Authorities (eg, Twarte, VeriSign etc), then you will need to generate new certificates and get these resigned.

By definition, the public key is publicly known, and therefore it is trivial to generate a matching private key. It then becomes trivial to launch man-in-the-middle style attacks against encrypted or secured transactions such as credit card or other banking transactions or to obtain users login credentials. The potential for exploitation is huge and has the potential to affected all users of the Internet.

If you are at all unsure about how to generate new keys or certificates, please do not hesitate to contact us and we will be happy to assist in generating new OpenSSL keys or certificates for you.

Last week Grisoft, the makers of the popular AVG Anti-Virus program, released version 8 of their free product.

Users are recommended to upgrade, and the new version can be downloaded here

As Grisoft state, "AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use."

Sometimes those of us working in the Information Security (InfoSec) business feel like it's nothing but doom and gloom, and for the most part, that's probably not an unrealistic synopsis. So here's a little lighthearted weekend reading:

The six dumbest ideas in computer security

"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

For your convenience, I've listed the dumb ideas in descending order from the most-frequently-seen. If you can avoid falling into the the trap of the first three, you're among the few true computer security elite."

A couple of weeks back we promised that we would publish an article on spam telling you everything you need to know to take back control of your inbox.

"More and more frequently I get asked by clients what they can do about the amount of spam they are receiving. To know the answer, we need to understand a little about what spam is, why we get it and things we can do to minimise or irradicate it."

"Here at Pendre we have developed a custom spam filtering system on our email servers that blocks, on average, 99.6% of spam before it ever reaches you. This is the ideal situation as you no longer have to waste time and bandwidth downloading the spam or spend time checking for messages that have been incorrectly marked as spam. And if you are concerned about false positives, i.e. us falsely blocking messages that you do want to receive, you can add senders email addresses (or domains) to our whitelists so they will never be spam filtered and will guarantee delivery every time. So if your current email provider isn't providing a satisfactory solution, feel free talk to us about moving your email onto our servers and benefit from our highly efficient spam filtering."

Well, we've kept our promise. Read the full article here.

Today we saw yet another major spam run of the storm worm. Messages typically referred to a funny postcard (or ecard) and provided a link of the form http://ip_address contained within the message body. Clicking on the link would take a user to a website that will infect their computer with the storm worm virus. Users are reminded never to click on links in emails.

Our email servers at Pendre successfully filtered these spam messages based on body checks for raw dotted quad ip addresses, a technique regularly used by storm worm and other such spam. As such, users of Pendre email servers were not at risk. Anti-Virus detection of these new storm worm variants is now reasonably good.

There is currently a local privilege escalation flaw in the current Linux Kernel, affecting all kernels from 2.6.17 to 2.6.24.1 inclusive.

Exploit code for this vulnerability is available in the wild:

This vulnerability is not remotely exploitable so an attacker would first have to gain local access, however this could present significant risks for system administrators in shared environments with multiple system accounts.

Patches should be available shortly from distribution vendors and system administrators are advised to upgrade their kernel as soon as these become available.