
Security

Long-lived security holes

It is time, once again, to look at quick distributor response to security holes - or the lack thereof. We could start by poking fun at the distributors which have taken over a week to fix the latest kernel vulnerability - but we won't. The updates probably should have come out more quickly, but, in the end, it was a local denial-of-service vulnerability; it was not the top priority for a lot of administrators.

Let's look, instead, at a fix that took a little longer. Red Hat, Fedora, and Whitebox recently sent out advisories for a buffer overrun in the libpng library; this problem could be exploited by way of a hostile image to run arbitrary code on a victim's system. These distributors are thus running just a little behind Debian, which sent out its advisory on December 19, 2002.

In fact, Red Hat had issued an advisory as well. It just turns out that the problem had not actually been fixed. As a result, Red Hat users were vulnerable to attackers wielding evil PNG images for over two years. This is not the quick response time that is a source of such pride for the free software community.

Of course, one should note that, as far as anybody can tell, not a single Red Hat user suffered any sort of compromise as a result of this unfixed bug. It almost certainly could have remained unfixed for another two years without ill effect. Perhaps the world isn't quite as dangerous as we sometimes think.

The truth of the matter is that our community finds (and fixes) dozens of vulnerabilities every year which are unlikely to ever be exploited. These fixes add to the load of already overworked system administrators and give ammunition to "alert counters" who like to claim that Linux is less secure than other operating systems. Perhaps it is time to come out and admit that many of the patches issued every year are not actually all that important.

System administrators already prioritize updates as they come in. Remotely exploitable holes (should) get fixed in a hurry. Vulnerabilities like this week's aspell hole - a buffer overflow caused by words more than 256 bytes long - can be allowed to sit for a while. It would be nice if distributors could help out by explicitly noting the importance of every update. If the truly serious fixes came with a bright red flag, they might stand out from the noise and be applied more quickly.

There are some obvious problems with this idea. Some truly serious vulnerabilities are not seen as such when they are originally fixed. In certain litigious countries, nobody wants to be exposed to lawsuits from users who were broken into by way of a "non-urgent" vulnerability. These issues would need to be addressed, but the fact remains: we are not necessarily helping ourselves by treating all updates as if they were equally important.

New vulnerabilities

aspell: bounds checking problem

Package(s): aspell    CVE #(s): CAN-2004-0548
Created: June 17, 2004    Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 aspell 2004-12-20
OpenPKG OpenPKG-SA-2004.042 aspell 2004-09-15
Gentoo 200406-14 aspell 2004-06-17
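
The defect described in this entry (and in the editorial above) is a fixed-size word buffer filled without a length check. As an added illustration that is not aspell's code, the constructed C reader below stands in for a word-list-compress style utility and shows the bound check at the 256-byte limit, plus a probe that exercises words of exactly 256 and 257 bytes; the function names and the sample word list are assumptions made for this example.

```c
#include <string.h>

/* Added illustration (not aspell's code) of the advisory's defect class: a
 * word-list reader with a fixed 256-byte buffer that refuses longer words. */
#define WORD_MAX 256                  /* longest word the buffer can hold */

/* Copy the next newline-terminated word from *cursor into buf. Returns -1 at
 * end of input, 0 if the word fit, 1 if it was longer than WORD_MAX. Never
 * writes past buf[WORD_MAX]; the excess is skipped so parsing continues. */
static int read_word(const char **cursor, char buf[WORD_MAX + 1])
{
    const char *p = *cursor;
    size_t n = 0;
    int too_long = 0;
    if (*p == '\0')
        return -1;
    for (; *p != '\0' && *p != '\n'; p++) {
        if (n < WORD_MAX)
            buf[n++] = *p;            /* the bound check the unpatched code lacked */
        else
            too_long = 1;             /* drop the excess instead of writing it */
    }
    buf[n] = '\0';
    *cursor = (*p == '\n') ? p + 1 : p;
    return too_long;
}

/* Walk a whole word list and return how many words exceeded WORD_MAX;
 * a compressor should treat any such word as malformed input. */
int count_oversize_words(const char *list)
{
    char buf[WORD_MAX + 1];
    int oversize = 0, st;
    while ((st = read_word(&list, buf)) != -1)
        oversize += st;
    return oversize;
}

/* Boundary probe on constructed input: two short words followed by one word
 * of exactly len bytes (len <= 1000); returns the oversize count for it. */
int oversize_with_word_of(size_t len)
{
    static char list[1024];
    size_t n = 13;                    /* strlen("apple\nbanana\n") */
    memcpy(list, "apple\nbanana\n", n);
    memset(list + n, 'x', len);
    memcpy(list + n + len, "\n", 2);  /* newline plus terminating NUL */
    return count_oversize_words(list);
}
```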

dhcp: buffer overflows

Package(s): dhcp    CVE #(s): CAN-2004-0460 CAN-2004-0461
Created: June 23, 2004    Updated: July 14, 2004
Description: Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service, or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See this CERT advisory for more information.
Alerts:
OpenPKG OpenPKG-SA-2004.031 dhcpd 2004-07-08
Fedora FEDORA-2004-190 dhcp 2004-06-23
SuSE SuSE-SA:2004:019 dhcp 2004-06-22
Mandrake MDKSA-2004:061 dhcp 2004-06-22

racoon: improper certificate validation

Package(s): racoon ipsec-utils    CVE #(s):
Created: June 23, 2004    Updated: June 23, 2004
Description: The racoon tool found in ipsec-tools (through version 0.3.3) fails to perform proper authentication, enabling a potential man-in-the-middle attack.
Alerts:
Gentoo 200406-17 ipsec-tools 2004-06-22

rlpr: format string vulnerability

Package(s): rlpr    CVE #(s): CAN-2004-0393 CAN-2004-0454
Created: June 21, 2004    Updated: June 21, 2004
Description: rlpr contains format string and buffer overflow vulnerabilities which could potentially be exploited by a remote attacker to execute arbitrary code.
Alerts:
Debian DSA-524-1 rlpr 2004-06-19

sup: format string vulnerability

Package(s): sup    CVE #(s): CAN-2004-0451
Created: June 21, 2004    Updated: June 21, 2004
Description: sup contains a format string vulnerability which could be used by a remote attacker to cause arbitrary code to run on the server.
Alerts:
Debian DSA-521-1 sup 2004-06-18

super: format string vulnerability

Package(s): super    CVE #(s): CAN-2004-0579
Created: June 21, 2004    Updated: June 21, 2004
Description: A format string vulnerability has been found in super; this hole can be exploited by a local user to obtain root access.
Alerts:
Debian DSA-522-1 super 2004-06-19

usermin: information disclosure and denial of service

Package(s): usermin    CVE #(s):
Created: June 21, 2004    Updated: June 21, 2004
Description: Versions of the usermin utility prior to 1.080 suffer from two vulnerabilities: a failure to sanitize email which could lead to information disclosure, and one which allows an attacker to lock out an account.
Alerts:
Gentoo 200406-15 usermin 2004-06-18

www-sql: buffer overflow

Package(s): www-sql    CVE #(s): CAN-2004-0455
Created: June 21, 2004    Updated: June 21, 2004
Description: www-sql contains a buffer overflow which can be exploited by a local user to execute arbitrary code.
Alerts:
Debian DSA-523-1 www-sql 2004-06-19

Events

ESORICS 2004

The 9th European Symposium on Research in Computer Security is happening September 13 to 15 in Sophia Antipolis, France. The preliminary program has been posted.

RAID 2004

The Seventh International Symposium on Recent Advances in Intrusion Detection is scheduled for September 15 to 17 in Sophia Antipolis, France, immediately after ESORICS 2004. Speakers include Bruce Schneier.

Usenix Security Symposium

Registration is now open for the Usenix Security Symposium, happening in San Diego on August 9 to 13.

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.