Red Hat and IBM recently announced that Red Hat Enterprise Linux 5 (RHEL5) has earned the highest level of security certification achievable by commercial off-the-shelf operating systems. The certification applies to RHEL5 running on IBM hardware, but all of the software is freely available, which should reassure customers whatever hardware they are considering running Linux on. The Fedora and CentOS distributions benefit immediately, because they use the same software and SELinux policies, but other distributions can use the information as well.
The certification that RHEL5 achieved comes from one of the most acronym-dense regions of the internet, which is, perhaps, unsurprising for a partnership between industry and the US government. Here is how the press release puts it:
The NIAP (National Information Assurance Partnership) is overseen by the US National Security Agency (NSA) and exists to create and administer certification programs like CCEVS, the Common Criteria Evaluation and Validation Scheme.
The various protection profiles list the security requirements that must be met to be certified. CAPP (the Controlled Access Protection Profile) is concerned mostly with standard UNIX-style users, groups, and permissions, that is, discretionary access control, with some audit requirements thrown in. LSPP (the Labeled Security Protection Profile) and RBAC (the Role-Based Access Control Protection Profile) cover the mandatory access controls provided by SELinux, labeled (multi-level) security and role-based access control respectively, again along with auditing requirements. The profiles document the behavior that is expected, while the testing verifies that the system does indeed behave that way.
These kinds of certifications are nice, in a checkbox kind of way. Many organizations cannot or will not buy products that are not certified at a particular level and against a particular protection profile. Windows Server has been certified at EAL4, so filling in this checkbox for Linux may well remove a barrier to Linux adoption in some places. Obtaining certification at this level is a great deal of work; Red Hat and IBM are to be commended for spending the time and money to get to this point.
That being said, what does EAL4+ mean for the security of servers that run RHEL5? As we said in late 2003, when (pre-Novell) SuSE teamed up with IBM to get an EAL2+ certification, the answer is, unfortunately, not much. EAL4+ looks like a big step up from EAL2+, and it is, but not in the kinds of protection it provides. The EAL level is driven entirely by how much testing and documentation go into the certification, that is, how much "assurance" there is that the profile is met. The same profile (CAPP) was used in both cases.
In addition, the protection profiles are limited to:
This puts most, if not all, interesting security threats outside the scope of the testing. Adding two more protection profiles, as was done this time, is certainly significant, but they still operate under the same "no hostiles" caveat.
Kernel hacker James Morris comments on the certification:
Evidently, "military strength" security need only resist its own users making mistakes, rather than a concerted effort by an enemy, but this is still a marvelous accomplishment.
Perhaps the most unfortunate part of this certification process is that it is likely to vastly underestimate the abilities of an SELinux-equipped system. It would be very interesting to see what kind of protection profile RHEL5 could actually satisfy; it is likely to be much stronger than any we have seen from CCEVS. But, given that customers are typically far more interested in the checkbox than in security, we will probably never know.
Created: June 20, 2007; Updated: February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Created: June 18, 2007; Updated: November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
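The bug report above describes a classic signed-index mistake: strtol() accepts a leading minus sign, the result is stored in an int, and the only range checks are for zero and for values past the end of the array. The following added example (written for this page, not Evolution's own code) reproduces the described checks against a constructed four-entry summary and places the hardened parse next to them. The summary contents, the 1-based sequence numbering, and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the folder summary that imap_rescan indexes:
 * four messages, addressed by 1-based IMAP sequence number (assumption). */
#define SUMMARY_LEN 4
static const char *summary[SUMMARY_LEN] = {
    "uid=101", "uid=102", "uid=103", "uid=104"
};

/* Mirrors the checks quoted from the bug report: strtol() happily parses
 * "-5", the result lands in an int, and only !seq and seq > length are
 * rejected. Returns 1 if the value would be accepted as an array index,
 * which for negative input means an out-of-bounds access later on. */
static int parse_seq_vulnerable(const char *sequence, int *seq_out)
{
    int seq = strtol(sequence, NULL, 10);   /* negative values pass through */
    if (!seq || seq > SUMMARY_LEN)
        return 0;
    *seq_out = seq;                          /* may be negative */
    return 1;
}

/* Hardened parse: use strtol's end pointer and errno, reject anything that
 * is not a complete decimal number, and require 1 <= seq <= length. */
static int parse_seq_fixed(const char *sequence, int *seq_out)
{
    char *end;
    long seq;

    errno = 0;
    seq = strtol(sequence, &end, 10);
    if (end == sequence || *end != '\0' || errno == ERANGE)
        return 0;                            /* no digits, trailing junk, overflow */
    if (seq < 1 || seq > SUMMARY_LEN)
        return 0;                            /* covers zero, negatives, too large */
    *seq_out = (int)seq;
    return 1;
}

/* Only ever dereferences an index produced by the hardened parser. */
static const char *lookup_message(const char *sequence)
{
    int seq;
    if (!parse_seq_fixed(sequence, &seq))
        return NULL;
    return summary[seq - 1];
}

int main(void)
{
    /* Constructed inputs: valid, zero, past the end, negative, trailing junk. */
    const char *inputs[] = { "2", "0", "7", "-5", "3x" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0, f = 0;
        int accept_v = parse_seq_vulnerable(inputs[i], &v);
        int accept_f = parse_seq_fixed(inputs[i], &f);
        printf("%-4s vulnerable:%s fixed:%s\n", inputs[i],
               accept_v ? "accept" : "reject",
               accept_f ? "accept" : "reject");
    }
    return 0;
}
```

Note that the vulnerable version also accepts "3x", because strtol() stops at the first non-digit without complaint; checking the end pointer catches that class of malformed server response as well.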
Created: June 14, 2007; Updated: February 28, 2008
Description: Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused.
Package(s): iscsi-initiator-utils; CVE #(s): CVE-2007-3099, CVE-2007-3100
Created: June 14, 2007; Updated: June 20, 2007
Description: The iscsid iSCSI management daemon has two denial of service vulnerabilities. The first: iscsid checks the client's uid on the listening socket instead of on the newly accepted connection, so any local user can perform management operations on the iSCSI initiator and crash iscsid. The second involves the iscsid logging mechanism: log messages are written to a shared memory area, and a child process feeds them to syslog. The memory is protected by a semaphore that is set to mode 0666, so any local user can access it. An unprivileged user can lock the semaphore, after which iscsid blocks and hangs on its next attempt to send a log message.
Package(s): libexif; CVE #(s): CVE-2007-4168, CVE-2006-4168
Created: June 15, 2007; Updated: July 3, 2007
Description: An integer overflow flaw was found in the way libexif parses EXIF image tags. If a victim opens a carefully crafted EXIF image file, it could cause the application linked against libexif to execute arbitrary code or crash.
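An EXIF tag (an IFD entry) carries a format code and a 32-bit component count, and a parser has to multiply the per-format element size by that count to learn how many bytes of data to read. The following added example (written for this page, not libexif's own code) shows a small little-endian IFD entry decoder with that product computed the unchecked way beside a hardened version that rejects overflowing and out-of-range sizes. The two 12-byte entries are constructed for the demonstration, and the helper names and the fixed 64-byte "available data" length are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte size of each TIFF/EXIF data format, indexed by format code 1..12
 * (BYTE, ASCII, SHORT, LONG, RATIONAL, SBYTE, UNDEFINED, SSHORT, SLONG,
 * SRATIONAL, FLOAT, DOUBLE); index 0 is not a valid format. */
static const uint32_t format_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* One 12-byte IFD entry: tag, format, component count, then either the
 * value itself (when it fits in 4 bytes) or an offset to it. */
struct ifd_entry {
    uint16_t tag;
    uint16_t format;
    uint32_t components;
    uint32_t value_or_offset;
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a little-endian ("II") IFD entry from 12 raw bytes. */
static void parse_entry(const uint8_t *raw, struct ifd_entry *e)
{
    e->tag = rd16le(raw);
    e->format = rd16le(raw + 2);
    e->components = rd32le(raw + 4);
    e->value_or_offset = rd32le(raw + 8);
}

/* Unchecked size computation: the 32-bit product wraps, so a crafted entry
 * can claim over a billion components yet report a 4-byte payload. Code
 * that allocates or bounds-checks on this number and then copies or loops
 * by component count overruns its buffer. (The format guard is only here
 * so the demonstration itself never reads past format_size.) */
static uint32_t data_size_vulnerable(const struct ifd_entry *e)
{
    if (e->format > 12)
        return 0;
    return format_size[e->format] * e->components;
}

/* Hardened version: reject unknown formats, products that would not fit in
 * 32 bits, and out-of-line payloads that do not lie inside the `avail`
 * bytes of TIFF data. Returns 0 on success, -1 on rejection. */
static int data_size_checked(const struct ifd_entry *e, uint32_t avail,
                             uint32_t *size_out)
{
    uint32_t fs, size;

    if (e->format == 0 || e->format > 12)
        return -1;
    fs = format_size[e->format];
    if (e->components > UINT32_MAX / fs)
        return -1;                               /* product would overflow */
    size = fs * e->components;
    if (size > 4) {                              /* stored at an offset */
        if (e->value_or_offset > avail || size > avail - e->value_or_offset)
            return -1;                           /* points past the data */
    }
    *size_out = size;
    return 0;
}

/* Constructed entries, not taken from a real file. The crafted one is tag
 * 0x0100, format 4 (LONG), components 0x40000001, offset 8:
 * 4 * 0x40000001 = 0x100000004, which wraps to 4 in 32 bits. */
static const uint8_t crafted_entry[12] = {
    0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x40, 0x08, 0x00, 0x00, 0x00
};
/* Benign: tag 0x0110 (Model), format 2 (ASCII), 5 components at offset 26. */
static const uint8_t benign_entry[12] = {
    0x10, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00
};

int main(void)
{
    const uint8_t *entries[2] = { crafted_entry, benign_entry };
    int i;

    for (i = 0; i < 2; i++) {
        struct ifd_entry e;
        uint32_t size = 0;
        parse_entry(entries[i], &e);
        printf("tag 0x%04" PRIx16 " format %" PRIu16 " components 0x%08" PRIx32
               ": unchecked size %" PRIu32 ", ",
               e.tag, e.format, e.components, data_size_vulnerable(&e));
        if (data_size_checked(&e, 64, &size) == 0)
            printf("checked size %" PRIu32 "\n", size);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The overflow test `components > UINT32_MAX / fs` is the idiom to reach for whenever a size is the product of two attacker-controlled 32-bit values; checking the product after the fact cannot work, because the wrapped result looks perfectly reasonable.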
Created: June 20, 2007; Updated: June 25, 2009
Description: libphp-phpmailer does not do sufficient input validation, enabling shell command injection attacks.
Created: June 20, 2007; Updated: July 25, 2007
Description: The CDDB code in mplayer suffers from "insufficient boundary checks," leaving it exposed to buffer overruns.
Package(s): phppgadmin; CVE #(s): CVE-2007-2865, CVE-2007-5728
Created: June 18, 2007; Updated: January 21, 2009
Description: A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.
Package(s): phprojekt; CVE #(s): CVE-2007-1575, CVE-2007-1639, CVE-2007-1638, CVE-2007-1576
Created: June 20, 2007; Updated: June 20, 2007
Description: There is a long list of vulnerabilities in PHProjekt prior to version 5.2.1; they can be exploited (by an authenticated user) for SQL injection attacks, arbitrary PHP code execution, and cross-site scripting.
Page editor: Jake Edge
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds