Security
One year of RHEL4 security
Red Hat Magazine is carrying an article by Mark J. Cox looking at the security record of the Red Hat Enterprise Linux 4 release in its first year. It certainly will be interesting reading for RHEL users, who can get a sense for how Red Hat views the security performance of its flagship distribution. One need not be an RHEL customer, however, to find items of interest in this report.
RHEL 4 marks the beginning of Red Hat's classification scheme for vulnerabilities. Severity classifications are an acknowledgment of an important aspect of Linux security: large numbers of advisories and updates are issued, but very few of the problems being fixed constitute real threats for most users. Every temporary file vulnerability should be fixed, for example, but it is a rare system which is compromised by way of a temporary file exploit. Red Hat's classifications can help to focus administrators' minds on the important problems. Perhaps more importantly, the classifications should help "analysts" and other commenters to look beyond the sheer volume of advisories and look at the ones which really matter.
Red Hat defines a "critical" vulnerability in this way:
By this definition, there were 19 critical vulnerabilities disclosed for RHEL 4 in its first year. The list of involved packages is interesting: HelixPlayer, mozilla, firefox, kdelibs, lynx, gaim, kopete, thunderbird, and mod_auth_pgsql. All but one of the critical vulnerabilities, in other words, were in complex, graphical clients (though classifying lynx as such is a bit of a stretch). As a result of this distribution, a default RHEL server installation suffered from zero critical vulnerabilities in its first year. Workstation installations, instead, had a fair number.
Red Hat claims to have issued updates for all critical vulnerabilities within two days of their public disclosure.
The report also looks at exploits - the company is aware of 28 publicly-circulating exploits for software shipped in RHEL 4. It is claimed that the security technologies packaged with RHEL 4, including the "Exec-Shield" stack protection and address randomization techniques, impede or block about half of those. The "Lupper" worm could get past those barriers, but would be unable to execute its payload as a result of the SELinux policies in effect. The report does acknowledge, however, that a modified version of the worm would have been able to circumvent SELinux.
Anybody wanting to poke holes in this report could certainly do so. Not everybody will agree with how Red Hat classifies all of its vulnerabilities. It would be nice if that classification - or the entire report - could be done by an impartial outside party. One might also note that the response time for older RHEL versions can be longer; consider a recent cron vulnerability which was fixed for RHEL 4 last October, but whose RHEL 3 update only arrived last week. Since part of RHEL's claim to value is its long-term support, the idea that updates will be slower in coming as the distribution ages is a little disconcerting. (In fairness, the gap is much smaller for more important problems: the patches for the recent firefox vulnerability for RHEL 2, 3, and 4 all came out on the same day.)
The important thing, however, is that this report got written and published at all. While most distributors make a strong effort on security, few of them take the time to look at their record and tell the world about it. Full disclosure does not stop with individual vulnerabilities; Linux users benefit from a view of the larger picture as well. Red Hat is to be commended for putting this information together; hopefully other distributors will follow suit.
Brief items
Sun's "open source DRM" specifications released
Sun has announced the release of the first set of specifications for its "open source DRM" effort. It is an exercise in Orwellian naming: we have "Project DReaM" for "DRM/everywhere available," a system called "Mother May I," and the whole thing is found at OpenMediaCommons.org. Nonetheless, they got Lawrence Lessig to add a favorable statement. Code for a prototype "conditional access system" implementation has been posted.
A serious sendmail security hole
It's been a while since we had a good sendmail vulnerability...but we need wait no longer. Sendmail 8.13.6 has just been released in response to a security issue which could lead to a remote root exploit. This looks like a good one to fix in a hurry. Distributor updates have been seen so far from:
Xorg-server 1.0.2 security fix release
It would appear that one of the bugs found in the recent Coverity scan was a local root exploit in the X.org server (version 1.0.0 and later). The X11R6.9.0 and X11R7.0 releases are also vulnerable, though older releases are not. A 1.0.2 release has been made available with the fix; expect updates from distributors in the near future as well.
New vulnerabilities
beagle: untrusted search path vulnerability
Package(s): beagle
CVE #(s): CVE-2006-1296
Created: March 21, 2006
Updated: March 22, 2006
Description: Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local users to gain privileges via a malicious beagle-info program in the current working directory, or possibly directories specified in the PATH.
Alerts:
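A defender-side guard for the class of bug described in the beagle entry, added here as an example and not Beagle's own code: a program that starts a helper such as beagle-info by bare name should first drop every PATH entry that resolves against the current working directory (empty and relative entries), or better still call the helper by an absolute path. The function is an assumption about how such a program might protect itself; the sample PATH string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies the PATH string `in` to `out`, keeping only absolute entries.
 * An empty entry (a leading, trailing or doubled ':') means "current
 * working directory", and a relative entry such as "." or "bin" is
 * resolved against it, so whoever controls the cwd could supply the
 * helper binary. Returns the number of entries dropped, or -1 if
 * `out` is too small to hold the result. */
int sanitize_path(const char *in, char *out, size_t outsz)
{
    int removed = 0;
    size_t used = 0;
    const char *p = in;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len > 0 && p[0] == '/') {
            size_t need = len + (used ? 1 : 0);
            if (used + need >= outsz)
                return -1;
            if (used)
                out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        } else {
            removed++;          /* "", "." or any other relative entry */
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample PATH containing an empty entry and a "." entry. */
    const char *unsafe = "/usr/local/bin:/usr/bin::/bin:.";
    char clean[256];
    int dropped = sanitize_path(unsafe, clean, sizeof clean);

    printf("dropped %d insecure entries, PATH=%s\n", dropped, clean);
    /* A program would now install the cleaned value with setenv("PATH",
     * clean, 1) before spawning its helper, though an absolute path to
     * the helper avoids the search altogether. */
    return dropped < 0;
}
```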
cairo: denial of service
Package(s): cairo
CVE #(s): CVE-2006-0528
Created: March 21, 2006
Updated: March 31, 2006
Description: The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment.
Alerts:
crossfire: buffer overflow
Package(s): crossfire
CVE #(s): CVE-2006-1236
Created: March 20, 2006
Updated: March 22, 2006
Description: A buffer overflow has been discovered in the crossfire game which allows remote attackers to execute arbitrary code.
Alerts:
curl: heap-based buffer overflow
Package(s): curl
CVE #(s): CVE-2006-1061
Created: March 21, 2006
Updated: June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
drupal: multiple vulnerabilities
Package(s): drupal
CVE #(s): CVE-2006-1225, CVE-2006-1226, CVE-2006-1227, CVE-2006-1228
Created: March 17, 2006
Updated: March 22, 2006
Description: The Drupal Security Team discovered several vulnerabilities in Drupal, a fully-featured content management and discussion engine.
Alerts:
flash-plugin: arbitrary code execution
Package(s): flash-plugin
CVE #(s): CVE-2006-0024
Created: March 16, 2006
Updated: March 22, 2006
Description: The Macromedia Flash Player plugin has an arbitrary code execution vulnerability that may be triggered by opening a maliciously created Macromedia Flash file.
Alerts:
ilohamail: missing input sanitizing
Package(s): ilohamail
CVE #(s): CVE-2005-1120
Created: March 20, 2006
Updated: March 22, 2006
Description: Ulf Härnhammar from the Debian Security Audit Project discovered that ilohamail, a lightweight multilingual web-based IMAP/POP3 client, does not always sanitize input provided by users, which allows remote attackers to inject arbitrary web script or HTML.
Alerts:
kernel-patch-vserver: missing attribute support
Package(s): kernel-patch-vserver, util-vserver
CVE #(s): CVE-2005-4347, CVE-2005-4418
Created: March 21, 2006
Updated: March 22, 2006
Description: Several vulnerabilities have been discovered in the Debian vserver support for Linux. Bjørn Steinbrink discovered that the chroot barrier is not set correctly with util-vserver, which may result in unauthorized escapes from a vserver to the host system. (CVE-2005-4347) The default policy of util-vserver is set to trust all unknown capabilities instead of considering them as insecure. (CVE-2005-4418)
Alerts:
PEAR-Auth: potential authentication bypass
Package(s): pear-auth
CVE #(s): CVE-2006-0868
Created: March 17, 2006
Updated: March 22, 2006
Description: PEAR-Auth, versions 1.2.4 and before, did not correctly validate data passed to the DB and LDAP containers. A remote attacker could possibly exploit this vulnerability to bypass the authentication mechanism by injecting specially crafted input to the underlying storage containers.
Alerts:
PeerCast: buffer overflow
Package(s): peercast
CVE #(s): CVE-2006-1148
Created: March 21, 2006
Updated: March 22, 2006
Description: Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.
Alerts:
sendmail: remotely exploitable race condition
Package(s): sendmail
CVE #(s): CVE-2006-0058
Created: March 22, 2006
Updated: March 24, 2006
Description: Sendmail suffers from a race condition which may be exploitable by a remote attacker to run arbitrary code as root. Sendmail 8.13.6 contains a fix for the problem. See this CERT advisory for (a little) more information.
Alerts:
snmptrapfmt: temporary file vulnerability
Package(s): snmptrapfmt
CVE #(s): CVE-2006-0050
Created: March 22, 2006
Updated: March 22, 2006
Description: The snmptrapfmt utility contains a temporary file vulnerability which could be exploited by a local attacker to overwrite files.
Alerts:
wzdftpd: missing input sanitizing
Package(s): wzdftpd
CVE #(s): CVE-2005-3081
Created: March 17, 2006
Updated: March 22, 2006
Description: "kcope" discovered that the wzdftpd FTP server lacks input sanitizing for the SITE command, which may lead to the execution of arbitrary shell commands.
Alerts:
xorg-x11-server: privilege escalation
Package(s): xorg-x11-server
CVE #(s): CVE-2006-0745
Created: March 20, 2006
Updated: March 22, 2006
Description: Coverity scanned the X.Org source code for problems and reported their findings to the X.Org development team. Upon analysis, Alan Coopersmith, a member of the X.Org development team, noticed a couple of serious security issues in the findings. In particular, the Xorg server can be exploited for root privilege escalation by passing a path to malicious modules using the -modulepath command line argument. Also, the Xorg server can be exploited to overwrite any root writable file on the filesystem with the -logfile command line argument. See this bulletin for more details.
Alerts:
xpvm: insecure temp file
Package(s): xpvm
CVE #(s): CAN-2005-2240
Created: March 16, 2006
Updated: March 22, 2006
Description: The xpvm graphical console and monitor for PVM has an insecure temporary file vulnerability. Local attackers can create or overwrite arbitrary files with the privilege of the user who is running xpvm.
Alerts:
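Temporary-file bugs of the kind flagged for snmptrapfmt and xpvm (and singled out as a class in the RHEL article above) come from creating a file under a predictable name in a shared directory, so that a local user can plant a symlink there first. The helper below is an added example, not code from either package: it creates the file with mkstemp(), which opens with O_CREAT|O_EXCL so a planted link makes the create fail instead of being followed, and then verifies through the descriptor that it holds a fresh private regular file. The directory argument and the "example.XXXXXX" name prefix are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* For contrast, the vulnerable pattern: open("/tmp/app.<pid>" or another
 * guessable name, O_WRONLY|O_CREAT|O_TRUNC) without O_EXCL. If a symlink
 * already sits at that name, the program truncates and writes whatever
 * the link points to, with the program's privileges. */

/* Creates a private temporary file in `dir` and returns its descriptor,
 * or -1. The fstat check after the create confirms that the descriptor
 * refers to a regular file owned by us, with no group/other permission
 * bits and a single link. On success the path is copied to `name_out`
 * so the caller can unlink it when finished. */
int open_private_tempfile(const char *dir, char *name_out, size_t name_sz)
{
    char tmpl[4096];
    struct stat st;
    mode_t old;
    int fd;

    if (snprintf(tmpl, sizeof tmpl, "%s/example.XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    old = umask(077);       /* no group/other bits regardless of libc defaults */
    fd = mkstemp(tmpl);
    umask(old);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & 077) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (name_out != NULL && strlen(tmpl) < name_sz)
        strcpy(name_out, tmpl);
    return fd;
}

/* Reports whether `path` (without following symlinks) is a regular file
 * owned by the caller with mode exactly 0600. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & 0777) == 0600;
}
```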
Page editor: Jonathan Corbet