LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Distributions page

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Risk Report: Five years of Red Hat Enterprise Linux 4

[Posted June 2, 2010 by ris]

Red Hat has published [PDF] a white paper covering the state of security for the first five years of Red Hat Enterprise Linux 4. "Red Hat Enterprise Linux 4 was released on February 15th, 2005. This report takes a look at the state of security for the first five years from release. We look at key metrics, specific vulnerabilities, and the most common ways users were affected by security issues. We will show some best practices that could have been used to minimize the impact of the issues and also take a look at how the included security innovations helped."
(Log in to post comments)

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 2, 2010 20:37 UTC (Wed) by boerner (guest, #4247) [Link]

Surprising they used Adobe InDesign to layout the document. You would think they could just use Publican:

https://fedorahosted.org/publican/

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 3, 2010 6:59 UTC (Thu) by mjcox@redhat.com (guest, #31775) [Link]

Previous years reports have used Publican and published in HTML, and I'll try to get folks to go back to that for the 6 year report (this one doesn't even have PDF clickable urls)

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 3, 2010 17:34 UTC (Thu) by loevborg (guest, #51779) [Link]

There's no requirement for a free software company exclusively to use free software for all they do. InDesign is an excellent piece of software and probably much more capable than the free software alternatives (though Scribus is good as well).

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 3, 2010 17:41 UTC (Thu) by boerner (guest, #4247) [Link]

I never said it was a requirement :-)

I was just surprised because the output of Publican is of a high quality and can be formatted as HTML or PDF fairly easily. If something works, don't fix it.

As Mr. Cox from Red Hat has weighed in (in regard to un-clickable HTML links) about the possibility of reverting to Publican next year, I feel my comment was well received. It was never meant to be a slight against InDesign.

Eating their own dogfood

Posted Jun 4, 2010 10:28 UTC (Fri) by eru (subscriber, #2753) [Link]

The straightforward document we are discussing could equally well have been created with OpenOffice.org. Whether InDesign is more capable is beside the point, when that capability is not needed.

I think when a company sells or supports products in a certain field, it decreases confidence, if they don't "eat their own dogfood". So yes, a free software company should use only free software when suitable free software exists for the task, like in this case.

Eating their own dogfood

Posted Jun 4, 2010 20:34 UTC (Fri) by jrn (subscriber, #64214) [Link]

> I think when a company sells or supports products in a certain field, it decreases confidence, if they don't "eat their own dogfood".

Eh, maybe, but that doesn't mean it's always a good idea.

In fact, it's probably best for a company to include some people that use the product, some who use the competition, so they don't lose touch with their potential users.

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 2, 2010 23:06 UTC (Wed) by spender (subscriber, #23067) [Link]

Some comments:

Section 3 Threats:
"Exec-Shield is a project which includes support for the No eXecute (NX) memory permission, simulating NX via segment limits"
'Approximating' would be the more appropriate term here, as on systems without NX support exec-shield provides only a best-effort approximation of NX. I've enumerated the ways many times before, and not even including the exec-shield vulnerabilities I reported to Ingo in 2005, it is different from real NX (and from a proper NX 'simulator' like PaX) in the following ways:
* a PT_GNU_STACK marking causes not only the stack to be executable, but the entire userland address space
* 'quantum-like' security: in the case of PIE main executables, the .data and .bss sections of all but the highest mapped ELF object will not be NX. Which object will that be? It's impossible to know a priori due to ASLR, runtime shared object loading, and the mixture of bottom-up ascii-armor area allocation/top-down other allocation. Subsequent execs will generally produce different memory layouts with a different single object with a protected .bss and .data, and n - 1 unprotected ones.
* in the non-PIE main executable case, unless all shared objects can fit and are loaded below the main executable, the .data and .bss sections of the main executable will not be NX. The quantum security applies here as well.

Section 3.1.4 PHP Exploits:
"In each case the default SELinux targeted policy for the Apache HTTP Server would restrict what a successful exploit is able to do."
To what extent a successful exploit is restricted I imagine is intentionally left vague, as this certainly doesn't include preventing kernel exploits in general (as last year should have sufficiently proven).

Section 3.1.5 Servers and services exploits:
"These are the most serious threats."
I'd question this evaluation. Is everyone reporting to RedHat when their server is compromised? Is CVE-2008-1891 ("An exploit for a Ruby WEBrick flaw. A remote attacker could read arbitrary CGI files, but only if the files were being served from a NTFS or FAT file system.") a more serious threat than a PHP exploit followed up by a local kernel exploit?

Section 2.2 Critical Flaws:
"Vulnerabilities rated “critical severity” are the ones that can pose the most risk to an organization. By definition, a critical vulnerability is one that could potentially be exploited remotely and automatically by
a worm. However we also stretch the definition to include those flaws that affect web browsers or plug-ins where a user only needs to visit a malicious (or compromised) website in order to be exploited."
What's the significance of a single vulnerability that can be exploited remotely and automatically? A vulnerability is a stepping stone, not a destination. Using two exploits for two "important" vulnerabilities gets you to the same place as a single "critical" vulnerability. Table 4 shows that no kernel vulnerabilities were classified as critical. Anyone with experience with metasploit or the commercial tools from Immunity or CORE knows that multiple exploits can be trivially chained together automatically.

On a side note, a flawed but interesting investigation would be to pool the public sources for exploits that offer download counts and compare the download counts against the severity classification for the vulnerability it exploited.

One final thing to think about (from Mark J. Cox's blog):
http://www.awe.com/mark/blog/20100216.html
Was 2009 really "the year of kernel NULL pointer dereference flaw"? Would the same attention have been paid if exploits hadn't been released publicly? Did NULL pointer dereference vulnerabilities suddenly appear in the kernel in 2009, or did one individual and two guys from Google just decide to publish some information?

-Brad

Risk Report: Five years of Red Hat Enterprise Linux 4

Posted Jun 7, 2010 21:38 UTC (Mon) by eparis123 (guest, #59739) [Link]

One example of chaining 'trivial' exploits together was the latest Apache breach.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds