Security
The CERT vulnerability list
It's all over the mainstream media: the CERT 2005 vulnerabilities list shows that "Unix/Linux" had three times as many vulnerabilities as Windows. The security battle is over, and Windows has won. Of course, if one actually looks at the list, the story no longer seems so clear. Let's examine a few entries:
- There are four vulnerabilities in 4D Webstar, one in ADP elite, one in Adrian Pascalau GIPTables, two in Alexander Barton ngIRCd, two in Alexis Sukrieh Backup Manager, one in Alkalay.Net, one in Andrew Church IRC Services, two in Appfluent Technology Database IDS, etc. Chances are that most Linux systems out there are not affected in any way by any of these vulnerabilities.
- Eight vulnerabilities are in proprietary Adobe products, which have little to do with Linux.
- The Apache mod_ssl SSLVerifyClient vulnerability is listed nine separate times. The Apache SpamAssassin denial of service vulnerability appears three times.
- Forty-one of the "Unix/Linux" vulnerabilities are in Apple software, mainly OS X and Safari.
- Four are specific to the Astaro Security Linux distribution.
One could go on for some time, but your editor chose to stop before finishing with the letter "A". The point should be clear anyway: drawing any conclusions from the length of this list makes no sense at all.
One might make a reasonable Linux vulnerabilities list by (1) removing the large numbers of entries for BSD and proprietary Unix systems, (2) removing duplicates, and (3) removing proprietary products and other packages not normally shipped or installed with Linux distributions. The resulting list would certainly be less than 20% of the size of the version posted by CERT.
One might also be tempted to look at CERT's advisory list for 2005. Of the alleged thousands of "Unix/Linux" vulnerabilities, exactly one (the Snort Back Orifice buffer overflow) merited an advisory from CERT. Every other alert sent out in 2005 was for Windows and other proprietary products. It might have been nice for CERT to mention this when it put up its list of vulnerabilities.
One can also point out that most of the vulnerabilities were found as the result of active auditing efforts; they were fixed before anybody exploited them. Many of them are theoretical in nature, and many of them are only exploitable by local users. Not all vulnerabilities are created equal.
In the end, however, one fact remains: even a list which is 10% as long as CERT's is too long. We can argue relative security all we want (and we should dispute the outright silliness that results from CERT's list), but Linux still is not as secure as we need it to be. When the length of that list gets rather closer to zero, we'll be in a position to brag about the security of Linux.
Brief items
Novell releases AppArmor
Novell has announced that it has released AppArmor as free software. AppArmor was developed by Immunix (which was acquired by Novell); it is a Linux security module which can be used to precisely control what specific applications can do. It looks somewhat similar to SELinux, but simpler and less ambitious in scope. The OpenSUSE AppArmor detail page has more information, including an example configuration file.
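As an added illustration of what "precisely control what specific applications can do" looks like in practice, here is a minimal profile written in AppArmor's profile syntax. It is not the configuration file the OpenSUSE page links to and not Novell's or Immunix's code; the daemon path /usr/sbin/exampled and every file location in it are hypothetical. The security-relevant point is that the profile is an allowlist: once it is enforced, any file access, capability or network operation the profile does not name is denied.

```apparmor
# Added example profile for a hypothetical daemon; not from the OpenSUSE page.
# Everything not listed below is denied once the profile is in enforce mode.
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  # The one capability the daemon needs (a privileged listening port);
  # the rest of the root capability set stays unavailable to it.
  capability net_bind_service,
  network inet stream,

  # Read-only configuration, write-only log, read-write state directory.
  /etc/exampled/** r,
  /var/log/exampled.log w,
  /var/lib/exampled/ rw,
  /var/lib/exampled/** rw,

  # A helper it may execute; "ix" keeps the helper under this same profile
  # instead of letting it run unconfined.
  /usr/lib/exampled/helper ix,
}
```

The profile is installed under /etc/apparmor.d/ and, with the current AppArmor userspace tools (an assumption about tooling, not something the item above states), is best loaded in complain mode first with aa-complain so that violations are logged rather than blocked; after the log shows no legitimate accesses missing, aa-enforce switches it to enforcing. Note what the profile does not do: it says nothing about who the user is or which SELinux-style types files carry, which is the sense in which it is simpler and less ambitious than SELinux.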
New vulnerabilities
auth_ldap: format string vulnerability
| Package(s): | auth_ldap | CVE #(s): | CVE-2006-0150 |
| Created: | January 10, 2006 | Updated: | February 28, 2006 |
| Description: | The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. |
| Alerts: | |
blender: integer overflow
| Package(s): | blender | CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 | Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
bogofilter: buffer overflow
| Package(s): | bogofilter | CVE #(s): | CVE-2005-4591 |
| Created: | January 11, 2006 | Updated: | January 11, 2006 |
| Description: | A buffer overflow was found in the UTF-8 handling code in bogofilter; it can be exploited via a malicious email message. |
| Alerts: | |
ethereal: denial of service
| Package(s): | ethereal | CVE #(s): | CVE-2005-3313 |
| Created: | January 5, 2006 | Updated: | January 11, 2006 |
| Description: | Ethereal, a network traffic monitor, has a vulnerability in its IRC protocol dissector: a remote attacker can cause a denial of service by sending traffic that puts the dissector into an infinite loop. |
| Alerts: | |
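The loop shape behind "infinite loop" dissector bugs of this kind, as an added example in C. This is not Ethereal's IRC dissector; it is a toy parameter counter for IRC lines (space-separated parameters, a parameter beginning with ':' running to the end of the line) written to show the missing-progress bug and the guard that fixes it. The sample lines are constructed, not captured.

```c
/* Added example; not Ethereal's IRC dissector.  A toy IRC parameter counter
 * showing how a dissector loop fails to make progress on crafted input, and
 * the fixed loop in which every iteration consumes at least one byte. */
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 16   /* IRC allows a command plus at most 15 parameters */

/* VULNERABLE shape: an empty parameter (two separators in a row) is
 * "skipped" by rescanning from the same offset, which finds the same
 * separator again, so the loop never advances.  A capture tool would hang on
 * one packet; max_iter exists only so this demonstration terminates. */
int count_params_vulnerable(const char *line, size_t len, int max_iter)
{
    size_t off = 0;
    int n = 0, iter = 0;

    while (off < len) {
        if (++iter > max_iter)
            return -1;                          /* would have spun forever */
        if (line[off] == ':') {                 /* trailing parameter */
            n++;
            break;
        }
        const char *sp = memchr(line + off, ' ', len - off);
        size_t tok_len = sp ? (size_t)(sp - (line + off)) : len - off;
        if (tok_len == 0)
            continue;                           /* BUG: off is unchanged */
        n++;
        off += tok_len + 1;                     /* token plus its separator */
    }
    return n;
}

/* FIXED: separators are stepped over explicitly, the trailing ':' parameter
 * ends the scan, the parameter count is bounded, and a progress guard that
 * is redundant by construction stays in as a cheap defence against a later
 * regression. */
int count_params(const char *line, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len && n < MAX_PARAMS) {
        size_t start = off;
        if (line[off] == ' ') {                 /* separator: consume it */
            off++;
            continue;
        }
        if (line[off] == ':') {                 /* trailing parameter */
            n++;
            break;
        }
        const char *sp = memchr(line + off, ' ', len - off);
        off = sp ? (size_t)(sp - line) : len;
        n++;
        if (off <= start)
            return -1;                          /* progress guard */
    }
    return n;
}

int main(void)
{
    /* Constructed sample lines, not from a capture. */
    const char *normal  = "PRIVMSG #chan :hello world";
    const char *crafted = "PRIVMSG  #chan";     /* two spaces in a row */

    printf("vulnerable, normal  : %d\n",
           count_params_vulnerable(normal, strlen(normal), 1000));
    printf("vulnerable, crafted : %d\n",
           count_params_vulnerable(crafted, strlen(crafted), 1000));
    printf("fixed, normal       : %d\n", count_params(normal, strlen(normal)));
    printf("fixed, crafted      : %d\n", count_params(crafted, strlen(crafted)));
    return 0;
}
```

The vulnerable version handles ordinary traffic correctly, which is why bugs of this class survive testing; only the doubled separator exposes it. A dissector that runs on every packet of a live capture needs both the structural fix and the bound on iterations, because a parser that is merely slow on hostile input is still a denial of service.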
HylaFAX: input validation vulnerability
| Package(s): | hylafax | CVE #(s): | CVE-2005-3538 CVE-2005-3539 |
| Created: | January 6, 2006 | Updated: | January 17, 2006 |
| Description: | The HylaFAX 4.2.4 release corrects issues with previous versions: HylaFAX runs the notify script on untrusted user input, and users can log in without a password when HylaFAX is built with Gentoo's pam USE flag disabled. |
| Alerts: | |
mod_auth_pgsql: format string flaws
| Package(s): | mod_auth_pgsql | CVE #(s): | CVE-2005-3656 |
| Created: | January 6, 2006 | Updated: | February 28, 2006 |
| Description: | The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. |
| Alerts: | |
nbd: arbitrary code execution
| Package(s): | nbd | CVE #(s): | CVE-2005-3534 |
| Created: | January 6, 2006 | Updated: | March 7, 2011 |
| Description: | Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges. |
| Alerts: | |
petris: buffer overflow
| Package(s): | petris | CVE #(s): | CVE-2005-3540 |
| Created: | January 9, 2006 | Updated: | January 11, 2006 |
| Description: | Steve Kemp from the Debian Security Audit project discovered a buffer overflow in petris, a clone of the Tetris game, which may be exploited to execute arbitrary code with group games privileges. |
| Alerts: | |
pound: HTTP Request Smuggling Attack
| Package(s): | pound | CVE #(s): | CVE-2005-3751 |
| Created: | January 10, 2006 | Updated: | June 8, 2006 |
| Description: | HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches. |
| Alerts: | |
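The framing check a reverse proxy needs against this class of attack, as an added example in C. It is not Pound's code. The idea is the one in the entry above: when a request carries both Content-Length and Transfer-Encoding, or two Content-Length values that disagree, the proxy and the backend may split the byte stream at different points, and the safe response is to refuse the request rather than to pick one interpretation (RFC 7230 section 3.3.3 says such a message "ought to be handled as an error"). The requests fed to it are constructed, not captured traffic.

```c
/* Added example; not Pound's code.  Decide whether one HTTP request's
 * message framing is unambiguous before forwarding it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* strncasecmp: header names are case-insensitive */

enum framing { FRAME_OK, FRAME_AMBIGUOUS, FRAME_BAD_LENGTH };

/* If `line` is a header named `name`, return its value with leading blanks
 * skipped; otherwise NULL. */
static const char *header_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0 || line[n] != ':')
        return NULL;
    const char *v = line + n + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    return v;
}

/* Walk the header block of one request (CRLF-separated, ending at the first
 * empty line or at end of string).  Only the headers that affect framing
 * are inspected. */
enum framing check_framing(const char *request)
{
    int have_cl = 0, have_te = 0;
    long cl = -1;
    const char *p = request;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0)
            break;                            /* blank line: end of headers */

        char line[512];                       /* longer lines are cut; enough
                                                 for the two names we match */
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        const char *v;
        if ((v = header_value(line, "Content-Length")) != NULL) {
            char *end;
            long val = strtol(v, &end, 10);
            while (*end == ' ' || *end == '\t')
                end++;
            if (end == v || *end != '\0' || val < 0)
                return FRAME_BAD_LENGTH;      /* not a plain non-negative number */
            if (have_cl && val != cl)
                return FRAME_AMBIGUOUS;       /* two Content-Lengths that differ */
            have_cl = 1;
            cl = val;
        } else if (header_value(line, "Transfer-Encoding") != NULL) {
            have_te = 1;
        }

        if (!eol)
            break;
        p = eol + 2;
    }
    if (have_cl && have_te)
        return FRAME_AMBIGUOUS;               /* CL + TE: the smuggling setup */
    return FRAME_OK;
}

int main(void)
{
    /* Constructed requests, not captured traffic. */
    const char *clean =
        "POST /login HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello";
    const char *smuggle =
        "POST /login HTTP/1.1\r\nHost: example\r\nContent-Length: 6\r\n"
        "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG";
    static const char *verdict[] = {"ok", "ambiguous", "bad length"};

    printf("clean   : %s\n", verdict[check_framing(clean)]);
    printf("smuggle : %s\n", verdict[check_framing(smuggle)]);
    return 0;
}
```

Rejecting is the right default for a proxy: the alternative, dropping Content-Length whenever Transfer-Encoding is present, is only safe if every backend behind the proxy frames the message the same way, which is exactly the assumption request smuggling exploits. The check does not handle obsolete line folding or headers split by whitespace tricks; a production filter has to normalize those before this logic sees the headers.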
smstools: format string attack
| Package(s): | smstools | CVE #(s): | CVE-2006-0083 |
| Created: | January 9, 2006 | Updated: | January 11, 2006 |
| Description: | Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary code with root privileges. |
| Alerts: | |
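Three entries on this page (auth_ldap, mod_auth_pgsql and smstools) are the same bug class: attacker-controlled text reaches the format argument of a printf-style logger. The following is an added example in C of that pattern and its fix; it is not code from any of those three packages, and the logger, function names and the "authentication failed" message are made up for the illustration.

```c
/* Added example; not auth_ldap, mod_auth_pgsql or smstools code.  The
 * logging pattern behind format string flaws in logging code, beside the
 * one-line fix. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Minimal printf-style logger standing in for ap_log_rerror() or syslog(). */
static void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the message, which contains the untrusted username, becomes
 * the format string.  Every %-directive in it is interpreted: %x and %s read
 * memory the caller never passed, %n writes to it. */
void log_auth_failure_vulnerable(char *out, size_t outlen, const char *user)
{
    char line[LOG_MAX];
    snprintf(line, sizeof line, "authentication failed for user %s", user);
    log_msg(out, outlen, line);            /* line is attacker-influenced */
}

/* FIXED: the format is a literal; untrusted data only ever fills a %s. */
void log_auth_failure_fixed(char *out, size_t outlen, const char *user)
{
    log_msg(out, outlen, "authentication failed for user %s", user);
}

/* A tripwire usable at the input boundary: does a string carry any
 * conversion directive at all?  This is a detection aid for audits and
 * logs, not a substitute for the literal format above. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (s[0] == '%' && s[1] != '\0' && s[1] != '%')
            return 1;
        if (s[0] == '%' && s[1] == '%')
            s++;                            /* "%%" is a literal percent */
    }
    return 0;
}

int main(void)
{
    char out[LOG_MAX];
    /* Constructed username.  "%%" is used because it is the one directive
     * the vulnerable path interprets without undefined behaviour, so the
     * difference between the two paths is visible and safe to run. */
    const char *user = "eve%%";

    log_auth_failure_vulnerable(out, sizeof out, user);
    printf("vulnerable: %s\n", out);        /* "%%" was consumed into "%" */
    log_auth_failure_fixed(out, sizeof out, user);
    printf("fixed:      %s\n", out);        /* username logged verbatim */
    printf("directive in \"%s\": %d\n", "bob%x%x", contains_format_directive("bob%x%x"));
    return 0;
}
```

The bug is invisible as long as nobody logs a username containing '%', which is why it survives in code that has been in use for years. Compilers flag the vulnerable call when asked (gcc's -Wformat-security warns on a non-literal format with no arguments); treating that warning as an error in the build is the cheapest way to keep this class out of a code base.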
VMware: arbitrary code execution
| Package(s): | vmware | CVE #(s): | CVE-2005-4459 |
| Created: | January 9, 2006 | Updated: | January 11, 2006 |
| Description: | Tim Shelton discovered that vmnet-natd, the host module providing NAT-style networking for VMware guest operating systems, is unable to process incorrect 'EPRT' and 'PORT' FTP requests. Malicious guest operating systems using the NAT networking feature or local VMware Workstation users could exploit this vulnerability to execute arbitrary code on the host system with elevated privileges. |
| Alerts: | |
xpdf: heap overflows
| Package(s): | xpdf gpdf kpdf poppler | CVE #(s): | CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 |
| Created: | January 11, 2006 | Updated: | March 10, 2006 |
| Description: | Xpdf, the associated poppler library, and other applications using that library are susceptible to a new set of buffer overflows discovered by Chris Evans and infamous41md. These overflows could be exploited, via a malicious PDF file, to execute arbitrary code on the target system. |
| Alerts: | |
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin | CVE #(s): | CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 |
| Created: | January 5, 2006 | Updated: | November 30, 2006 |
| Description: | xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: | |
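The blender, nbd and xpdf entries on this page are three faces of one missing check: a length or count read from a file or packet is trusted before it reaches an allocation or a copy. Blender trusted a negative length, nbd trusted a request size above its maximum, and xpdf let an element count multiplied by an element size wrap around. The following added example in C puts all three checks into one parser for a made-up record format (a little-endian int32 count followed by count times elem_size bytes of payload). It is not code from any of the three projects, and the inputs it parses are constructed.

```c
/* Added example; not code from Blender, nbd or xpdf.  A parser for a made-up
 * length-prefixed record format, showing the unchecked shape shared by the
 * three entries beside a version that validates before it allocates. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COUNT 65536   /* the format's own upper bound on count */

enum parse_status {
    REC_OK, REC_TRUNCATED, REC_NEGATIVE, REC_TOO_LARGE, REC_OVERFLOW,
    REC_NOMEM, REC_BADARG
};

/* The signed 32-bit count exactly as a naive parser reads it. */
static int32_t read_i32le(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (int32_t)v;
}

/* VULNERABLE shape shared by the three entries: the count from the file or
 * packet reaches the allocator and the copy with none of the checks below.
 * What a negative or huge value does from here depends on the allocator and
 * the surrounding arithmetic; the fix does not.  Never call this on
 * untrusted input. */
uint8_t *parse_record_vulnerable(const uint8_t *buf, size_t buflen, size_t elem_size)
{
    if (buflen < 4)
        return NULL;
    int32_t count = read_i32le(buf);
    uint8_t *p = malloc(count * elem_size);    /* signed count, may wrap */
    if (p)
        memcpy(p, buf + 4, count * elem_size); /* never compared to buflen */
    return p;
}

/* FIXED: reject bad counts first, do the size arithmetic in size_t with an
 * explicit overflow check, and never copy past the end of the input. */
enum parse_status parse_record(const uint8_t *buf, size_t buflen, size_t elem_size,
                               uint8_t **out, size_t *outlen)
{
    *out = NULL;
    *outlen = 0;
    if (elem_size == 0)
        return REC_BADARG;
    if (buflen < 4)
        return REC_TRUNCATED;

    int32_t count = read_i32le(buf);
    if (count < 0)
        return REC_NEGATIVE;                   /* Blender: negative length */
    if ((size_t)count > MAX_COUNT)
        return REC_TOO_LARGE;                  /* nbd: above the maximum */
    if ((size_t)count > SIZE_MAX / elem_size)
        return REC_OVERFLOW;                   /* xpdf: count * size wraps */

    size_t need = (size_t)count * elem_size;
    if (need > buflen - 4)
        return REC_TRUNCATED;                  /* payload longer than input */

    uint8_t *p = malloc(need ? need : 1);
    if (!p)
        return REC_NOMEM;
    memcpy(p, buf + 4, need);
    *out = p;
    *outlen = need;
    return REC_OK;
}

/* Convenience wrapper: parse, discard the payload, return only the verdict. */
enum parse_status parse_record_status(const uint8_t *buf, size_t buflen, size_t elem_size)
{
    uint8_t *out;
    size_t outlen;
    enum parse_status st = parse_record(buf, buflen, elem_size, &out, &outlen);
    free(out);
    return st;
}

int main(void)
{
    /* Constructed inputs, not real .blend, nbd or PDF data. */
    static const uint8_t good[]      = {3, 0, 0, 0, 'a', 'b', 'c', 'd', 'e', 'f'};
    static const uint8_t negative[]  = {0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0};
    static const uint8_t too_large[] = {0x70, 0x11, 0x01, 0x00, 0, 0, 0, 0}; /* 70000 */
    static const uint8_t truncated[] = {10, 0, 0, 0, 'x', 'y'};
    static const char *names[] = {"ok", "truncated", "negative", "too large",
                                  "overflow", "nomem", "badarg"};

    printf("good      : %s\n", names[parse_record_status(good, sizeof good, 2)]);
    printf("negative  : %s\n", names[parse_record_status(negative, sizeof negative, 1)]);
    printf("too large : %s\n", names[parse_record_status(too_large, sizeof too_large, 1)]);
    printf("truncated : %s\n", names[parse_record_status(truncated, sizeof truncated, 1)]);
    printf("overflow  : %s\n", names[parse_record_status(good, sizeof good, SIZE_MAX / 2)]);
    return 0;
}
```

The order of the checks matters less than their presence, but one detail is worth keeping: the comparison against the remaining input (`need > buflen - 4`) is only safe after `buflen < 4` has been ruled out, since `buflen - 4` is unsigned and would otherwise wrap to a huge value and let everything through.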
Page editor: Jonathan Corbet
