Category Archives: security - Page 2

Invitation to the OWASP Kraków meeting

I’ll give a 40-minute talk at this OWASP meeting, so if you’re interested in system-level security, resource management, network isolation and restricting shell access, come, listen and have a talk with us :)

There’ll also be a discussion about the current situation regarding the NSA, PRISM & Snowden, and Wojciech Dworakowski’s presentation about the new edition of the OWASP Top 10.

Register now ;)


Apache SSL cipher / protocol hardening

While preparing for the RHCE exam I rechecked my standard SSL configuration and came to the conclusion that I should probably update my SSLCipherSuite value. I also updated SSLProtocol and switched SSLHonorCipherOrder on, so that the server’s SSLCipherSuite preference is used instead of the browser’s:

As you can see, I also disabled SSLv3 in SSLProtocol. Why? Because even IE8 on Windows XP uses TLSv1 :) You could also add +TLSv1.1 or even +TLSv1.2 when using an appropriate version of OpenSSL.

Read more at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html

After applying the changes, make sure the new config passes the SSL Labs test: https://www.ssllabs.com/ssltest/index.html
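As an added example (not the author’s own configuration, which is not reproduced here), a minimal mod_ssl fragment that puts the three directives discussed above together; the host name and the cipher list are assumed values and should be adjusted to the OpenSSL version in use:

```apache
# Added example: SSL/TLS hardening for one HTTPS virtual host.
<VirtualHost *:443>
    ServerName www.example.com        # assumed host name
    SSLEngine on

    # "all" enables every protocol the linked OpenSSL supports; SSLv2 and
    # SSLv3 are then explicitly removed, so only TLS remains. TLSv1.1 and
    # TLSv1.2 are included automatically when the OpenSSL build has them,
    # so "+TLSv1.1 +TLSv1.2" is only needed with the additive form
    # ("SSLProtocol TLSv1 +TLSv1.1 +TLSv1.2").
    SSLProtocol all -SSLv2 -SSLv3

    # Use the order of SSLCipherSuite below, not the client's preference.
    SSLHonorCipherOrder on

    # Assumed cipher list: strong suites only, no anonymous key exchange,
    # no MD5 and no RC4. Check the result with "openssl ciphers -v '<list>'".
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key # assumed path
</VirtualHost>

# Check after restarting httpd: the following must fail to negotiate,
#   openssl s_client -connect www.example.com:443 -ssl3
# while a plain "openssl s_client -connect www.example.com:443" must
# report a TLS protocol and one of the ciphers from SSLCipherSuite.
```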

CVE-2013-2094 – local root exploit for kernels 2.6.37 – 3.8.8 (and 2.6.32 on RHEL/CentOS)

Here is more info: http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck

This is tagged as CVE-2013-2094: https://bugzilla.redhat.com/show_bug.cgi?id=962792

Exploit: http://fucksheep.org/~sd/warez/semtex.c

Just run it like below to check if you’re affected:

So remember that:

is just a workaround for this particular exploit and not a solution. A patch is available here: https://patchwork.kernel.org/patch/2441281/ ; you can also apply this one: https://bugzilla.redhat.com/show_bug.cgi?id=962792#c13

Update: a kernel update fixing this issue is available on the RHEL network: http://rhn.redhat.com/errata/RHSA-2013-0830.html