It's all over the mainstream media: the
CERT 2005
vulnerabilities list shows that "Unix/Linux" had three times as many
vulnerabilities as Windows. The security battle is over, and Windows has
won. Of course, if one actually
looks at the list, the story no
longer seems so clear.
Let's examine a few entries:
- There are four vulnerabilities in 4D Webstar, one in ADP elite, one in
Adrian Pascalau GIPTables, two in Alexander Barton nqIRCd, two in Alexis Sukrieh
Backup Manager, one in Alkalay.Net, one in Andrew Church IRC Services,
two in Appfluent Technology Database IDS, etc. Chances are that most
Linux systems out there are not affected in any way by any of these
vulnerabilities.
- Eight vulnerabilities are in proprietary Adobe products, which have
little to do with Linux.
- The Apache mod_ssl
SSLVerifyClient vulnerability is listed nine separate times. The
Apache SpamAssassin denial of service vulnerability appears three
times.
- Forty-one of the "Unix/Linux" vulnerabilities are in Apple software,
mainly OS X and Safari.
- Four are specific to the Astaro Security Linux distribution.
One could go on for some time, but your editor
chose to stop before finishing with the letter "A". The point should be
clear anyway: drawing any conclusions from the length of this list makes no
sense at all.
One might make a reasonable Linux vulnerabilities list by (1) removing
the large numbers of entries for BSD and proprietary Unix systems,
(2) removing duplicates, and (3) removing proprietary products
and other packages not normally shipped or installed with Linux
distributions. The resulting list would certainly be less than 20% of the
size of the version posted by CERT.
One might also be tempted to look at CERT's advisory list for 2005.
Of the alleged thousands of "Unix/Linux" vulnerabilities, exactly one (the
Snort Back
Orifice buffer overflow) merited an advisory from CERT. Every other
alert sent out in 2005 was for Windows and other proprietary products. It
might have been nice for CERT to mention this when it put up its list of
vulnerabilities.
One can also point out that most of the vulnerabilities were found as the
result of active auditing efforts; they were fixed before anybody exploited
them. Many of them are theoretical in nature, and many are only exploitable
by local users. Not all vulnerabilities are created equal.
In the end, however, one fact remains: even a list which is 10% as long as
CERT's is too long. We can argue relative security all we want (and we
should dispute the outright silliness that results from CERT's list), but
Linux still is not as secure as we need it to be. When the length of that
list gets rather closer to zero, we'll be in a position to brag about the
security of Linux.
Brief items
Novell has
announced that it has released AppArmor as free software. AppArmor was developed by Immunix (which was acquired by Novell); it is a Linux security module which can be used to precisely control what specific applications can do. It looks somewhat similar to SELinux, but simpler and less ambitious in scope. The
OpenSUSE AppArmor detail page has more information, including an example configuration file.
New vulnerabilities
auth_ldap: format string vulnerability
Package(s): auth_ldap
CVE #(s): CVE-2006-0150
Created: January 10, 2006
Updated: February 28, 2006
Description: The auth_ldap package is an httpd module that allows user
authentication against information stored in an LDAP database. A format
string flaw was found in the way auth_ldap logs information. It may be
possible for a remote attacker to execute arbitrary code as the 'apache'
user if auth_ldap is used for user authentication.
blender: integer overflow
Package(s): blender
CVE #(s): CVE-2005-4470
Created: January 6, 2006
Updated: June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a
'length' value in .blend files. Negative values led to an insufficiently
sized memory allocation. By tricking a user into opening a specially
crafted .blend file, this could be exploited to execute arbitrary code with
the privileges of the Blender user.
bogofilter: buffer overflow
Package(s): bogofilter
CVE #(s): CVE-2005-4591
Created: January 11, 2006
Updated: January 11, 2006
Description: A buffer overflow was found in the UTF-8 handling code in
bogofilter; it can be exploited via a malicious email message.
ethereal: denial of service
Package(s): ethereal
CVE #(s): CVE-2005-3313
Created: January 5, 2006
Updated: January 11, 2006
Description: Ethereal, a network traffic monitor, has a vulnerability in
its IRC protocol dissector: remote attackers can cause a denial of service
by triggering an infinite loop.
HylaFAX: input validation vulnerability
Package(s): hylafax
CVE #(s): CVE-2005-3538, CVE-2005-3539
Created: January 6, 2006
Updated: January 17, 2006
Description: The HylaFAX 4.2.4 release corrects issues with previous
versions. HylaFAX runs the notify script on untrusted user input.
Furthermore, users can log in without a password when HylaFAX is installed
with the pam USE-flag disabled.
mod_auth_pgsql: format string flaws
Package(s): mod_auth_pgsql
CVE #(s): CVE-2005-3656
Created: January 6, 2006
Updated: February 28, 2006
Description: The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.
Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication.
nbd: arbitrary code execution
Package(s): nbd
CVE #(s): CVE-2005-3534
Created: January 6, 2006
Updated: March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device)
server did not correctly verify the maximum size of request packets. By
sending specially crafted large request packets, a remote attacker who is
allowed to access the server could exploit this to execute arbitrary code
with root privileges.
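The Blender and nbd entries above are the same defect seen from two sides: a length field read from untrusted input (a file or a network request) reaches an allocation or copy without being checked for sign, ceiling, or agreement with the data actually present. The following is an added example, not code from Blender, nbd or this page; the 4-byte little-endian length prefix and the 1 MiB ceiling are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REQUEST_LEN (1u << 20)   /* assumed per-record ceiling: 1 MiB */

/* Read a 32-bit little-endian signed length as stored in the input
 * (constructed layout: 4-byte length, then that many payload bytes). */
int32_t read_le32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Returns the validated length, or -1 if the field is negative, exceeds
 * the ceiling, or claims more bytes than remain in the buffer. The first
 * check is the one Blender lacked (a negative value reached the size
 * computation); the second is the maximum-size check nbd lacked. */
long validated_length(const unsigned char *buf, size_t buflen, size_t max_len)
{
    if (buflen < 4) return -1;                    /* no complete length field */
    int32_t raw = read_le32(buf);
    if (raw < 0) return -1;                       /* negative length */
    if ((uint32_t)raw > max_len) return -1;       /* above the ceiling */
    if ((size_t)raw > buflen - 4) return -1;      /* truncated record */
    return raw;
}

/* Copy the record body only after validation, so malloc and memcpy never
 * see a wrapped or attacker-chosen size. Returns NULL on any rejection. */
unsigned char *copy_record(const unsigned char *buf, size_t buflen, size_t *outlen)
{
    long n = validated_length(buf, buflen, MAX_REQUEST_LEN);
    if (n < 0) return NULL;
    unsigned char *out = malloc((size_t)n + 1);   /* +1 for a terminator */
    if (!out) return NULL;
    memcpy(out, buf + 4, (size_t)n);
    out[n] = 0;
    *outlen = (size_t)n;
    return out;
}
```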
petris: buffer overflow
Package(s): petris
CVE #(s): CVE-2005-3540
Created: January 9, 2006
Updated: January 11, 2006
Description: Steve Kemp from the Debian Security Audit project discovered a
buffer overflow in petris, a clone of the Tetris game, which may be
exploited to execute arbitrary code with group games privileges.
pound: HTTP Request Smuggling Attack
Package(s): pound
CVE #(s): CVE-2005-3751
Created: January 10, 2006
Updated: June 8, 2006
Description: HTTP requests with conflicting Content-Length and
Transfer-Encoding headers can lead to an HTTP request smuggling attack,
which can be exploited to bypass packet filters or poison web caches.
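The pound entry above turns on one parsing decision: when a request carries both Content-Length and Transfer-Encoding, a proxy that picks one and a back end that picks the other will disagree on where the body ends, which is what the smuggling relies on. The check below is an added example, not Pound's code; the header block is constructed for illustration, and the policy of rejecting rather than choosing is the defensive choice, not a claim about what Pound's fix did.

```c
#include <string.h>
#include <strings.h>

/* Constructed header block of the kind the advisory describes: both framing
 * headers present, so a filter and the back end may disagree on body length. */
static const char *SAMPLE_AMBIGUOUS =
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: 44\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n";

/* Constructed unambiguous request for comparison. */
static const char *SAMPLE_CLEAN =
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: 12\r\n"
    "\r\n";

/* Count header lines named `name` (header names are case-insensitive).
 * Skips the request line and stops at the blank line ending the block. */
static int count_header(const char *hdrs, const char *name)
{
    size_t nlen = strlen(name);
    int count = 0;
    const char *line = strstr(hdrs, "\r\n");
    if (!line) return 0;
    line += 2;
    while (*line && strncmp(line, "\r\n", 2) != 0) {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':')
            count++;
        line = strstr(line, "\r\n");
        if (!line) break;
        line += 2;
    }
    return count;
}

/* Returns 1 when body framing is ambiguous: Content-Length and
 * Transfer-Encoding both present, or either one repeated. The safe action
 * for a proxy or packet filter is to reject such a request outright rather
 * than guess which header the next hop will honour. */
int framing_is_ambiguous(const char *hdrs)
{
    int cl = count_header(hdrs, "Content-Length");
    int te = count_header(hdrs, "Transfer-Encoding");
    return (cl > 0 && te > 0) || cl > 1 || te > 1;
}
```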
smstools: format string attack
Package(s): smstools
CVE #(s): CVE-2006-0083
Created: January 9, 2006
Updated: January 11, 2006
Description: Ulf Harnhammar from the Debian Security Audit project
discovered a format string attack in the logging code of smstools, which
may be exploited to execute arbitrary code with root privileges.
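The auth_ldap, mod_auth_pgsql and smstools entries on this page are all the same bug class: untrusted data handed to a logging routine as the format string rather than as an argument. The following is an added example, not code from any of those projects; it shows the safe pattern beside the unsafe one, the compiler attribute that flags the unsafe one, and a small audit helper. The sample username is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker-controlled input: a username carrying printf
 * directives, of the kind that ends up in an authentication log line. */
static const char *SAMPLE_USER = "bob%x%x%n";

/* Unsafe pattern (the defect in all three advisories): the untrusted string
 * is itself the format, so "%x" reads stack words and "%n" writes memory.
 * Shown for contrast only, never compiled or called here:
 *     syslog(LOG_WARNING, user);
 */

/* Safe pattern: the format is a literal and the untrusted data is always an
 * argument, so any directives inside it are inert text. */
int format_auth_failure(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "auth failure for user %s", user);
}

/* Logging wrapper with a format attribute: with -Wformat-security, GCC and
 * Clang then warn on any caller that passes a non-literal format, which is
 * the compile-time check that catches this bug class before release. */
__attribute__((format(printf, 3, 4)))
int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Audit helper for test suites or log-review tooling: returns 1 if the
 * string contains a conversion directive ("%%" is a literal percent). */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }   /* skip the escaped pair */
        if (p[1] != '\0') return 1;
    }
    return 0;
}
```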
VMware: arbitrary code execution
Package(s): vmware
CVE #(s): CVE-2005-4459
Created: January 9, 2006
Updated: January 11, 2006
Description: Tim Shelton discovered that vmnet-natd, the host module
providing NAT-style networking for VMware guest operating systems, does not
correctly process malformed 'EPRT' and 'PORT' FTP requests. Malicious guest
operating systems using the NAT networking feature or local VMware
Workstation users could exploit this vulnerability to execute arbitrary
code on the host system with elevated privileges.
xpdf: heap overflows
Package(s): xpdf gpdf kpdf poppler
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 11, 2006
Updated: March 10, 2006
Description: Xpdf, the associated poppler library, and other applications
using that library are susceptible to a new set of buffer overflows
discovered by Chris Evans and infamous41md. These overflows could be
exploited, via a malicious PDF file, to execute arbitrary code on the
target system.
xpdf: integer overflows
Package(s): xpdf, poppler, cupsys, tetex-bin
CVE #(s): CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627
Created: January 5, 2006
Updated: November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can
trick a user into opening a maliciously crafted pdf file, allowing the
attacker to execute code with the privileges of the local user. This also
affects the Poppler library, cupsys and tetex-bin.
Page editor: Jonathan Corbet