
The SANS top-20 list

SANS has posted a new version of its 20 most critical Internet security vulnerabilities list. As always, this list is a good starting point for those looking for potential security problems on their networks. Here are some highlights from the current version:

  • Five of the twenty items concern Windows and other Microsoft software.

  • There are ten vulnerabilities in "cross-platform applications" listed. Some of these (commercial DNS servers, for example) do not apply to most Linux systems. But others do, including anti-virus software (ClamAV in particular), PHP-based applications (several vulnerabilities), database managers, file-sharing applications, media players, and Mozilla-based browsers.

  • There are only two Unix-specific vulnerabilities, and one of those is a general item on Mac OS X. The other vulnerability is "configuration weaknesses," with an emphasis on SSH attacks.

Once upon a time, this list was evenly divided between Windows and Unix vulnerabilities. A casual reading of the current list suggests that things have shifted in favor of Unix-based systems. While it may be true that Unix-based systems are easier to keep secure on the net, there is still no reason to be overly complacent. A system compromised by way of a Firefox or PHP vulnerability is still compromised.



The SANS top-20 list

Posted Dec 8, 2005 9:54 UTC (Thu) by MortenSickel (subscriber, #3238) [Link]

I agree with your conclusion "While it may be true that Unix-based systems are easier to keep secure on the net, there is still no reason to be overly complacent." But you do not seem to really have read the article. The 20 points in the list are just headers with categories like "Internet Explorer" and a pointer to a bigger or smaller set (24 CVE entries in the case of MSIE) of more or less grave vulnerabilities in one or more applications.

I had a quick look in the database category, which contains a list of vulnerabilities in Oracle, MySQL, PostgreSQL and DB2. Whereas the bullet point "UNIX Configuration Weaknesses" more or less boils down to "All versions of UNIX are potentially at risk from improper and default configurations. All versions UNIX may be affected by accounts having weak or dictionary-based passwords for authentication.". Yeah, I think we all can agree on that...

In other words, to try to draw any conclusions from the 20 points on the first page is moot. M.

The SANS top-20 list

Posted Dec 8, 2005 10:53 UTC (Thu) by nix (subscriber, #2304) [Link]

Further, oddly, the suggestions of ways to resolve SSH problems do not mention turning off password authentication and relying entirely on SSH keys. Given that all attacks I've seen so far have either been buffer-overflow attacks against extremely old SSH releases or (the vast majority) dictionary attacks on systems still using password authentication, this seems a strange omission.

The SANS top-20 list

Posted Dec 8, 2005 13:33 UTC (Thu) by ranger (guest, #6415) [Link]

Further, oddly, the suggestions of ways to resolve SSH problems do not mention turning off password authentication and relying entirely on SSH keys.

Well, in the description, it says:

It is recommended to use public key authentication mechanism offered by most SSH implementations like OpenSSH to thwart such attacks.

The "How to protect ..." section says:

Consider using certificate based authentication.

So, depending on the interpretation of "public key" (does this include Kerberos?), "certificate based" (only PKI, or other methods?) and "use" ("allow" or "restrict to"), one could consider that it is covered, but it would have been nice to have it more explicit ...
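The "restrict to" reading of the SANS advice that nix and ranger discuss above, as an added example that is not part of the article or of either comment: a small audit of an sshd_config for password authentication left enabled, next to the keys-only form. It assumes OpenSSH's rule that the first occurrence of a keyword wins (later duplicates are ignored) and, as a simplification, checks only the global section before any Match block; both sample configs are constructed.

```sh
#!/bin/sh
# Added example (not from the LWN article or the comments): check whether an
# sshd_config still allows password logins, the dictionary-attack case nix
# describes, and show the keys-only configuration beside it.

# Constructed sample: passwords still accepted. The final duplicate line is
# deliberate: sshd takes the FIRST occurrence of a keyword, so it changes nothing.
WEAK_CONFIG='# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no'

# Constructed sample: the same host restricted to SSH keys.
HARDENED_CONFIG='# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

# effective_value CONFIG KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD in the global section:
# first match wins, keywords are case-insensitive, Match blocks are skipped.
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    /^[ \t]*#/ || NF < 2 { next }                            # comments, blank lines
    tolower($1) == "match" { exit }                           # conditional section: stop
    tolower($1) == tolower(key) { print $2; found = 1; exit } # first occurrence wins
    END { if (!found) print def }'                            # fall back to the default
}

# keys_only CONFIG
# Succeeds only when neither password nor keyboard-interactive
# ("challenge-response") authentication is available, i.e. keys only.
# Both keywords default to "yes" in sshd, so an absent line is a weakness.
keys_only() {
  pw=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
  cr=$(effective_value "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
  [ "$pw" = no ] && [ "$cr" = no ]
}

report() {
  if keys_only "$2"; then echo "$1: keys only"; else echo "$1: password logins still possible"; fi
}
report weak "$WEAK_CONFIG"          # password logins still possible
report hardened "$HARDENED_CONFIG"  # keys only
```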

Copyright © 2005, Eklektix, Inc.