User: Password:
Subscribe / Log in / New account


Red Hat and IBM get certified

Red Hat and IBM recently announced that Red Hat Enterprise Linux 5 (RHEL5) has earned the highest level of security certification achievable by commercial off-the-shelf operating systems. The certification is applicable when RHEL5 is running on IBM hardware, but all of the software is freely available, which may reduce the worries of customers regardless of which hardware they are considering running Linux on. The Fedora and CentOS distributions will immediately benefit, because they use the same software and SELinux policies, but other distributions can use the information as well.

The certification that RHEL5 achieved comes from one of the most acronym-dense regions of the internet, which is, perhaps, unsurprising for a partnership between industry and the US government. Here is how the press release puts it:

[RHEL5] has been approved by the National Information Assurance Partnership for Common Criteria Evaluation & Validation Scheme [NIAP-CCEVS] at Evaluation Assurance Level 4 (EAL4+) for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).

The NIAP is overseen by the US National Security Agency (NSA) and exists to create and administer certification programs like CCEVS.

The various protection profiles list the security requirements that need to be met to be certified. CAPP is concerned mostly with standard UNIX-style users and permissions, with some audit requirements thrown in. LSPP and RBAC are concerned with the security capabilities provided by SELinux along with auditing requirements. The profiles document the behavior that is expected while the testing verifies that the system does indeed behave that way.

These kinds of certifications are nice, in a checkbox kind of way. There are many organizations that cannot or will not buy products that are not certified for a particular level and protection profile. Windows Server has been certified at EAL4, so filling in this checkbox for Linux may well remove a barrier to Linux adoption in some places. Obtaining certification at this level is great deal of work; Red Hat and IBM are to be commended for spending the time and money to get to this point.

That being said, what does an EAL4+ mean for the security of servers that run RHEL5? As we said in late 2003, when (pre-Novell) SuSE teamed up with IBM to get an EAL2+ certification, the answer is, unfortunately, not much. It would seem that EAL4+ is a big step up from EAL2+, which it is, but not in the kinds of protections it provides. The EAL level is completely driven by how much testing and documentation go into the certification; how much "assurance" there is that the profile is met. The same profile (CAPP) was used in both.

In addition, the protection profiles are limited to:

a level of protection, which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers to breach system security.

This puts most, if not all, interesting security threats outside of the scope of the testing. Adding two additional protection profiles, as was done this time, is certainly significant, but they still operate under the "no hostiles" caveat.

Kernel hacker James Morris comments on the certification:

A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we've done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. "Military-strength" security is just now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS.

Evidently, "military strength" security is only able to resist its own users making mistakes rather than a concerted effort by an enemy, but this is still a marvelous accomplishment.

Perhaps the most unfortunate part of this certification process is that it is likely to vastly underestimate the abilities of an SELinux equipped system. It would be very interesting to see what kind of protection profile could actually be accommodated by RHEL5; it is likely to be much stronger than any we have seen from CCEVS. But, given that customers are typically interested in the checkbox much more than security, we will probably never know.

Comments (5 posted)

New vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Fedora FEDORA-2008-1711 httpd 2008-02-15
Fedora FEDORA-2007-0704 httpd 2007-06-26
Mandriva MDKSA-2007:127 apache 2007-06-19

Comments (2 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Gentoo 200711-04 evolution-data-server 2007-11-06
Gentoo 200707-03 evolution 2007-07-02
SuSE SUSE-SA:2007:042 evolution,evolution-data-server 2007-07-05
Debian DSA-1325-1 evolution 2007-06-29
Fedora FEDORA-2007-594 evolution-data-server 2007-06-27
Fedora FEDORA-2007-595 evolution-data-server 2007-06-27
Mandriva MDKSA-2007:136 evolution 2007-06-26
Red Hat RHSA-2007:0510-01 evolution-data-server 2007-06-25
Red Hat RHSA-2007:0509-01 evolution 2007-06-25
Debian DSA-1321-1 evolution-data-server 2007-06-23
Ubuntu USN-475-1 evolution-data-server 2007-06-21
Fedora FEDORA-2007-0464 evolution-data-server 2007-06-16

Comments (1 posted)

gd: denial of service

Package(s):gd CVE #(s):CVE-2007-2756
Created:June 14, 2007 Updated:February 28, 2008
Description: Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused.
Red Hat RHSA-2008:0146-01 gd 2008-02-28
Slackware SSA:2007-178-01 gd 2007-06-27
SuSE SUSE-SR:2007:013 squirrelmail, OpenOffice_org, Blackdown JDK/JRE, gnash, libpng, python, pulseaudio, gd, otrs, net-snmp 2007-06-22
Mandriva MDKSA-2007:124 tetex 2007-06-13
Mandriva MDKSA-2007:123 libwmf 2007-06-13
Mandriva MDKSA-2007:122 gd 2007-06-13
Arch Linux ASA-201701-1 libwmf 2017-01-01

Comments (none posted)

iscsi-initiator-utils: denial of service

Package(s):iscsi-initiator-utils CVE #(s):CVE-2007-3099 CVE-2007-3100
Created:June 14, 2007 Updated:June 20, 2007
Description: The iscsid SCSI management daemon has two denial of service vulnerabilities. The first involves checking the client's uid on the listening socket instead of the newly accepted connection, this allows anyone to to perform management operations on the iSCSI initiator and crash iscsid. The second vulnerability involves the iscsid logging mechanism. Logs are sent to a shared memory area and a child process feeds them to syslog. The memory is protected by a semaphore wet to mode 0666, allowing arbitrary access to the semaphore. Random users can lock up the semaphore and iscsid will block and hang on the next attempt to send a log message.
Debian DSA-1314-1 open-iscsi 2007-06-19
Fedora FEDORA-2007-0543 iscsi-initiator-utils 2007-06-18
Red Hat RHSA-2007:0497-01 iscsi-initiator-utils 2007-06-14
Fedora FEDORA-2007-590 iscsi-initiator-utils 2007-06-13
Fedora FEDORA-2007-589 iscsi-initiator-utils 2007-06-13

Comments (none posted)

libexif: integer overflow

Package(s):libexif CVE #(s):CVE-2007-4168 CVE-2006-4168
Created:June 15, 2007 Updated:July 3, 2007
Description: An integer overflow flaw was found in the way libexif parses EXIF image tags. If a victim opens a carefully crafted EXIF image file it could cause the application linked against libexif to execute arbitrary code or crash.
SuSE SUSE-SA:2007:039 libexif 2007-07-03
Fedora FEDORA-2007-614 libexif 2007-06-27
Ubuntu USN-478-1 libexif 2007-06-26
Gentoo 200706-09 libexif 2007-06-26
Fedora FEDORA-2007-605 libexif 2007-06-25
rPath rPSA-2007-0131-1 libexif 2007-06-25
Foresight FLEA-2007-0028-1 libexif 2007-06-22
Mandriva MDKSA-2007:128 libexif 2007-06-19
Debian DSA-1310-1 libexif 2007-06-16
Red Hat RHSA-2007:0501-01 libexif 2007-06-14

Comments (none posted)

libphp-phpmailer: command execution

Package(s):libphp-phpmailer CVE #(s):CVE-2007-3215
Created:June 20, 2007 Updated:June 25, 2009
Description: libphp-phpmailer does not do sufficient input validation, enabling shell command injection attacks.
Ubuntu USN-791-1 moodle 2009-06-24
Debian DSA-1315-1 libphp-phpmailer 2007-06-19

Comments (none posted)

mplayer: buffer overflow

Package(s):mplayer CVE #(s):CVE-2007-2948
Created:June 20, 2007 Updated:July 25, 2007
Description: The CDDB code in mplayer suffers from "insufficient boundary checks," leaving it exposed to buffer overruns.
Gentoo 200707-07 mplayer 2007-07-24
SuSE SUSE-SR:2007:014 MPlayer, madwifi, samba, cups, libexif, evolution, mutt, avahi 2007-07-20
Mandriva MDKSA-2007:143 mplayer 2007-07-10
Debian DSA-1313-1 mplayer 2007-06-19

Comments (none posted)

phpPgAdmin: cross-site scripting

Package(s):phppgadmin CVE #(s):CVE-2007-2865 CVE-2007-5728
Created:June 18, 2007 Updated:January 21, 2009
Description: A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.
Debian DSA-1693-1 phppgadmin 2008-12-27
Debian DSA-1693-2 phppgadmin 2009-01-21
SuSE SUSE-SR:2007:024 cacti, openldap2, phpPgAdmin, ruby, perl, rubygem-activesupport, yast2-core, librpcsecgss, liblcms 2007-11-22
Fedora FEDORA-2007-1013 phpPgAdmin 2007-07-11
Fedora FEDORA-2007-0469 phpPgAdmin 2007-06-16

Comments (none posted)

phprojekt: multiple vulnerabilities

Package(s):phprojekt CVE #(s):CVE-2007-1575 CVE-2007-1639 CVE-2007-1638 CVE-2007-1576
Created:June 20, 2007 Updated:June 20, 2007
Description: There is a long list of vulnerabilities in PHProjekt prior to version 5.2.1; they can be exploited (by an authenticated user) for SQL injection attacks, arbitrary PHP code execution, and cross-site scripting.
Gentoo 200706-07 phprojekt 2007-06-19

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds