Two years of RHEL4 risk

April 25, 2007

This article was contributed by Jake Edge.

A recently released report on the security track record of Red Hat Enterprise Linux 4 (RHEL4) sets out to quantify the risks that an administrator would have faced when using the distribution. It takes a comprehensive look at all of the vulnerabilities that were classified as 'critical' in the two years since RHEL4 was released. A measure of pride is evident in the recognition that there were only three critical vulnerabilities in the default server install, a rather nice accomplishment; the study itself is an even better result and it should set the bar for other similar studies in the future.

In stark contrast to almost daily studies that purport to 'prove' that Redmond's latest offering is vastly superior to Linux in the security arena, the RHEL study simply looks at the reported vulnerabilities in that distribution and leaves any comparisons for others. The study mainly focuses on the critical vulnerabilities, but it does look at the 'Vulnerability Workload Index' for a server install with all available packages. This index is meant to give a rough measure of the amount of work an administrator would need to do to keep a system free from all vulnerabilities. The most interesting conclusion that can be drawn from the graph is that the overall workload is pretty flat: there are certainly peaks, but it is neither increasing nor decreasing over time. Because the software released with RHEL4 is, of course, getting older and the upstream projects are likely to be releasing newer versions, a case could be made either way, for increasing stability or for more security issues being found over time; it would appear that the two roughly balance each other.

Flaws that get the 'critical' designation are those that can lead to a system compromise in an automatic way without any user action. These are the kinds of bugs that could be exploited by worms to invade and propagate. The critical designation has been stretched to cover web browser bugs that are exploited when a user visits a site with malicious code. The vast majority of critical bugs fall into the latter category and that difference leads to 60 flaws in a system with all packages installed, 50 of which can be traced to Mozilla products or the HelixPlayer plugin.

The study goes into the 60 critical flaws in some depth, categorizing them by type and reporting on the so-called 'days of risk' (number of days after a vulnerability report before a fix is available). All critical flaws were fixed within two calendar days and 60% were fixed on the same day. The riskiest packages are also listed using a weighted score based on the number and severity of bugs in that package with various Mozilla projects coming out on top. Interestingly, the kernel dropped from #1 last year to #4 in the current report.

The risk to a system is not only a function of the vulnerabilities in the packages it has installed; exploits 'in the wild' also factor into it. The report looks in detail at exploits for 37 vulnerabilities, many of which are, unsurprisingly, either browser or 'user complicit' exploits. Triggering a user complicit exploit requires convincing a user to perform some action with a malicious file; because administrators should be wary of such things, and of running a browser from a privileged account at all, the impact of those exploits is limited. The seven kernel and six server exploits represent a more dangerous class, with system compromise a distinct possibility. None of the kernel exploits were remote and all were either denial of service or privilege escalation bugs. Each of the server application exploits could lead to compromise of the non-root user that runs the service.

It is interesting to note that SELinux and Exec-Shield are specifically mentioned as either eliminating or reducing the impact of eleven of these exploits. Both of these security tools are installed by default with RHEL4 and are targeted at stopping or reducing the effectiveness of just these kinds of attacks. Exec-Shield uses address space randomization and protection against executing code from the stack to avoid executing arbitrary code in the presence of a buffer overflow or similar flaw. The SELinux policy that ships with RHEL4 restricts users and processes to only that set of resources they need for their normal function and that can reduce the kinds of problems an exploited process can cause. While they are no substitute for correctly written code, these technologies are clearly helpful to reduce security threats; with luck other techniques will come along that continue this kind of work.

This is the second report on RHEL4 security; the first covers the first year of release. Based on a comment on his original article, the author is planning a four year retrospective on RHEL3 in November which should be interesting as well. The comment indicates only six critical vulnerabilities in the RHEL3 default install in its three and a half years.

It is difficult to put a label on the level of 'security risk' that a particular system has, but RHEL4 would seem to have a fairly low risk overall. If one keeps up with the patches and is reasonably cognizant of security practices, the chances for a system compromise are low. This is a real accomplishment by the Red Hat team and should be a feather in the cap for Linux in general. No software is perfect, and an operating system or distribution is just a collection of software, so vigilance is required. Without examining our track record, it is difficult to gauge progress; this kind of report is an excellent way to track that progress, and hopefully other distributions will follow suit.


New vulnerabilities

3proxy: buffer overflow

Package(s): 3proxy    CVE #(s): CVE-2007-2031
Created: April 23, 2007    Updated: April 25, 2007
Description: The 3proxy development team reported a buffer overflow in the logurl() function when processing overly long requests. A remote attacker could send a specially crafted transparent request to the proxy, resulting in the execution of arbitrary code with privileges of the user running 3proxy. This has been fixed in the 3proxy 0.5.3i bugfix release.
Gentoo 200704-17 3proxy 2007-04-22


aircrack-ng: remote execution of arbitrary code

Package(s): aircrack-ng    CVE #(s): CVE-2007-2057
Created: April 23, 2007    Updated: May 23, 2007
Description: Jonathan So reported that the airodump-ng module does not correctly check the size of 802.11 authentication packets before copying them into a buffer. A remote attacker could trigger a stack-based buffer overflow by sending a specially crafted 802.11 authentication packet to a user running airodump-ng with the -w (--write) option. This could lead to the remote execution of arbitrary code with the permissions of the user running airodump-ng, which is typically the root user.
Debian-Testing DTSA-35-1 aircrack-ng 2007-05-16
Debian DSA-1280-1 aircrack-ng 2007-04-24
Gentoo 200704-16 aircrack-ng 2007-04-22


blender: user-assisted remote execution of arbitrary code

Package(s): blender    CVE #(s): CVE-2007-1253
Created: April 24, 2007    Updated: April 25, 2007
Description: Stefan Cornelius of Secunia Research discovered an insecure use of the "eval()" function in A remote attacker could entice a user to open a specially crafted Blender file (.kmz or .kml), resulting in the execution of arbitrary Python code with the privileges of the user running Blender.
Gentoo 200704-19 blender 2007-04-23


clamav: several vulnerabilities

Package(s): clamav    CVE #(s): CVE-2007-1745, CVE-2007-1997
Created: April 20, 2007    Updated: May 9, 2007
Description: The chm_decompress_stream function in libclamav/chmunpack.c leaks file descriptors, which has unknown impact and attack vectors involving a crafted CHM file. (CVE-2007-1745)

Integer signedness error in the (1) cab_unstore and (2) cab_extract functions in libclamav/cab.c might allow remote attackers to execute arbitrary code via a crafted CHM file that contains a negative integer, which passes a signed comparison and leads to a stack-based buffer overflow. (CVE-2007-1997)

Mandriva MDKSA-2007:098 clamav 2007-05-08
Debian DSA-1281-1 clamav 2007-04-25
Gentoo 200704-21 clamav 2007-04-24
Trustix TSLSA-2007-0013 clamav, freeradius, freetype 2007-04-20
SuSE SUSE-SA:2007:026 clamav 2007-04-20
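The two entries above describe the same defensive gap from two angles: airodump-ng copied 802.11 authentication packets without checking their size (CVE-2007-2057), and libclamav's CAB code compared a signed length so that a negative value passed the check and overflowed a stack buffer (CVE-2007-1997). The following is an added illustration of that check pattern, not code from aircrack-ng or ClamAV; the length-prefixed record format, OUT_CAP, and the sample records are hypothetical constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical fixed-size destination, standing in for the stack buffers
 * behind CVE-2007-2057 (airodump-ng) and CVE-2007-1997 (libclamav cab.c). */
#define OUT_CAP 256
/* Defective check of the kind CVE-2007-1997 describes: a length taken from
 * the input is signed and compared against a signed limit, so a negative
 * value passes and is later turned into a huge size_t by memcpy(). */
bool length_ok_signed(int32_t len)
{
    return len <= OUT_CAP;          /* -1 <= 256 is true: that is the bug */
}

/* Hardened check: reject negative lengths explicitly, then bound them. */
bool length_ok_hardened(int32_t len)
{
    return len >= 0 && (size_t)len <= OUT_CAP;
}

/* Copy a length-prefixed record (4-byte little-endian signed length, then
 * payload) into out[].  Returns the payload size copied, or -1 if the record
 * is malformed.  The declared length is also checked against the bytes that
 * actually arrived, the size check airodump-ng was missing per CVE-2007-2057. */
int extract_record(const uint8_t *rec, size_t rec_len, uint8_t out[OUT_CAP])
{
    if (rec_len < 4)
        return -1;
    int32_t declared = (int32_t)((uint32_t)rec[0] | (uint32_t)rec[1] << 8 |
                                 (uint32_t)rec[2] << 16 | (uint32_t)rec[3] << 24);
    if (!length_ok_hardened(declared))
        return -1;                  /* negative, or larger than out[] */
    if ((size_t)declared > rec_len - 4)
        return -1;                  /* claims more payload than was received */
    memcpy(out, rec + 4, (size_t)declared);
    return declared;
}

/* Constructed sample records (not taken from any real capture or CAB file). */
static const uint8_t SAMPLE_GOOD[]      = {3, 0, 0, 0, 'a', 'b', 'c'};
static const uint8_t SAMPLE_NEGATIVE[]  = {0xff, 0xff, 0xff, 0xff, 'a'};
static const uint8_t SAMPLE_TRUNCATED[] = {10, 0, 0, 0, 'a', 'b'};

/* Extract into a scratch buffer and report the result only. */
int extract_sample(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[OUT_CAP] = {0};
    return extract_record(rec, rec_len, out);
}
```

Note that the defective check is kept only to show why a negative length slips through; extract_record() never calls it.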


Courier-IMAP: remote execution of arbitrary code

Package(s): courier-imap    CVE #(s):
Created: April 23, 2007    Updated: April 25, 2007
Description: CJ Kucera has discovered that some Courier-IMAP scripts don't properly handle the XMAILDIR variable, allowing for shell command injection. A remote attacker could send specially crafted login credentials to a Courier-IMAP server instance, possibly leading to remote code execution with root privileges.
Gentoo 200704-18 courier-imap 2007-04-22


opera: several vulnerabilities

Package(s): opera    CVE #(s): CVE-2007-1115, CVE-2007-1563, CVE-2007-2022
Created: April 24, 2007    Updated: April 25, 2007
Description: Opera 9.20 fixes several vulnerabilities. See the Opera changelog for details.
SuSE SUSE-SA:2007:028 opera 2007-04-24


postgresql: privilege escalation

Package(s): postgresql    CVE #(s): CVE-2007-2138
Created: April 24, 2007    Updated: June 18, 2007
Description: PostgreSQL 8.2 and all back versions are vulnerable to a privilege escalation exploit in SECURITY DEFINER functions.
Debian DSA-1311-1 postgresql-7.4 2007-06-17
Debian DSA-1309-1 postgresql-8.1 2007-06-16
Fedora FEDORA-2007-0174 postgresql 2007-06-03
Fedora FEDORA-2007-565 postgresql 2007-06-06
Fedora FEDORA-2007-566 postgresql 2007-06-06
Gentoo 200705-12 postgresql 2007-05-10
Red Hat RHSA-2007:0336-01 postgresql 2007-05-08
Red Hat RHSA-2007:0337-01 postgresql 2007-05-03
Ubuntu USN-454-1 postgresql-8.1, postgresql-8.2 2007-04-26
Trustix TSLSA-2007-0015 postgresql 2007-04-27
Mandriva MDKSA-2007:094 postgresql 2007-04-25
rPath rPSA-2007-0081-1 postgresql 2007-04-24


sqlite: buffer overflow

Package(s): sqlite    CVE #(s): CVE-2007-1888
Created: April 19, 2007    Updated: April 25, 2007
Description: The sqlite lightweight DBMS has a buffer overflow vulnerability that may be used by context-dependent attackers to execute arbitrary code by passing an empty value for the "in" parameter.
Mandriva MDKSA-2007:091 sqlite 2007-04-18


webcalendar: cross-site scripting

Package(s): webcalendar    CVE #(s): CVE-2006-6669
Created: April 23, 2007    Updated: April 25, 2007
Description: A cross-site scripting (XSS) vulnerability in export_handler.php in WebCalendar 1.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter.
Debian DSA-1279-1 webcalendar 2007-04-22


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.