| |
mark :: blog
Secunia released a security summary report for 2007 and surprisingly
gave a count for Red Hat for the year at over 600 vulnerabilities. I
had no idea how they got to this number, it certainly doesn't match
our own publicly available metrics at
http://www.redhat.com/security/data/metrics
Using our public tool, for every Red Hat product and service, for 2007
we issued 306 advisories to fix 404 vulnerabilities. Of those 404
vulnerabilities 41 were critical (on the scale used by Microsoft and
Red Hat).
Most people are not going to be using every Red Hat product, so taking
just Enterprise Linux product you find 348 vulnerabilities, of which 27
were critical. A given user is going to only be vulnerable to the issues that affect
the products and packages they have installed. Using the scripts on
our pages you can figure it out for your own circumstances. But as an
example, the default installation of Red Hat Enterprise Linux 4 AS had
172 vulnerabilities of which 4 were critical.
The Secunia report does actually make it clear you can't use their
vulnerability count as a method of comparing platforms, in part due to the
differences in methodology of the vendors, but I'm sure this won't stop
some press from jumping to conclusions if they don't read the actual report.
I've asked Secunia how they got to their number of vulnerabilities, but in the
meantime, a raw count of vulnerabilities is only a small part of the
overall risk exposure in using a product. I've got some more reports that go
into this in more detail for two years of Enterprise Linux 4 and Enterprise Linux
5.0 to 5.1.
Update: Coverage of this: ZDNet
Update: Secunia told me that they treat each advisory separately; so for example
yesterday we issued updates for some moderate severity issues in
the Apache Web server, but we did separate advisories for each affected
product: Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, v2.
So in this case the same Apache vulnerability would be counted 6 times.
A year ago I published a table of
Security Features in
Red Hat Enterprise Linux and Fedora Core. Since then we've released
two more Fedora versions, and a Red Hat Enterprise Linux, so it's time to
update the table.
Between releases there are lots of changes made to improve security and I've not
listed everything; just a high-level overview of the things I think are most
interesting that help mitigate security risk. We could go into much more
detail, breaking out the number of daemons covered by the SELinux default
policy, the number of binaries compiled PIE, and so on.
1 Since June 2004, 2 Since September 2004, 3 Selected Architectures
Late last month I spent a day with the Red Hat Magazine team talking
about vulnerability response. The first video
is now available and talks about the role of Red Hat in dealing
with vulnerabilities in third party software. The video was shot in
my home office which explains the calming green paint; it's hard to
get too stressed in a pale green room.
Red Hat Enterprise Linux 5.1 was released today, around 8 months since the
release of 5.0 in March 2007. So let's use this opportunity to take a quick
look back over the vulnerabilities and security updates we've made in that time,
specifically for Red Hat Enterprise Linux 5 Server.
The graph below shows the total number of security updates issued for Red Hat
Enterprise Linux 5 Server up to and including the 5.1 release,
broken down by severity. I've split it into two columns, one for the packages
you'd get if you did a default install, and the other if you installed every
single package (which is unlikely as it would involve a bit of manual effort
to select every one). So, for a given installation, the number
of packages and vulnerabilities will be somewhere between the two extremes.
So for all packages, from release up to and including 5.1, we shipped 94 updates
to address 218 vulnerabilities. 7 advisories were rated critical, 36 were
important, and the remaining 51 were moderate and low.
For a default install, from release up to and including 5.1, we shipped 60
updates to address 135 vulnerabilities. 7 advisories were rated critical, 26
were important, and the remaining 27 were moderate and low.
- These figures include ten updates we released on the day we shipped 5.0. This was
because we froze package updates some months before releasing the product. Only
one of those updates was rated critical, an update to Firefox.
- The six other critical updates were:
- Three more updates to Firefox (May, July, October)
where a malicious web site could potentially run arbitrary code as the
user running Firefox. Given the nature of the flaws, ExecShield
protections in RHEL5 should make exploiting these memory flaws
harder.
- An update to the Kerberos telnet deamon (April)
A remote attacker who can access the telnet
port of a target machine could log in as root without requiring a
password. None of the standard protection mechanisms help prevent
exploitation of this issue, however the krb5 telnet daemon is not
enabled by default in Enterprise Linux 5 and the default firewall rules
block remote access to the telnet port. This flaw did not affect the
more common telnet daemon distributed in the telnet-server
package.
- An update to Samba (May) where
a remote attacker could cause a heap overflow. In addition to
ExecShield making this harder to exploit, the impact of any sucessful
exploit would be reduced as Samba is constrained by an SELinux targeted
policy (enabled by default).
- An update to the PCRE library (November). This
was labelled critical because the Konqueror web browser uses PCRE to handle
regular expressions in JavaScript, and therefore a user browsing a malicious
site in Konqueror could trigger this issue. (Konqueror is not part of
a default install, but I've left this issue as critical in the results).
- Updates to correct all of these critical issues were available via Red Hat
Network within a day of the issues being public.
Red Hat Enterprise Linux 5 shipped with a number of security technologies
designed to make it harder to exploit vulnerabilities and in some cases block
exploits for certain flaw types completely. For the period of this study there
were two flaws blocked that would otherwise have required critical updates:
- A stack buffer overflow flaw in the RPC library in Kerberos.
This flaw was blocked by FORTIFY_SOURCE which removed the possibility of remote
code execution. We still issued an update,
as a remote attacker could trigger this flaw and cause Kerberos to crash.
- Another flaw in Kerberos, this time due to the free of an invalid
pointer. This flaw was blocked by glibc, although a remote attacker could still
cause
a crash, so we
issued an update.
This data is interesting to get a feel for the risk of running Enterprise Linux
5 Server, but isn't really useful for comparisons with other versions or
distributions -- for example, a default install of Red Hat Enterprise 4AS did
not include Firefox. You can get the results I presented above for yourself by
using our public security
measurement data and tools, and run your own metrics for any given Red Hat
product, package set, timescales, and severities.
Back in
August I found that many of the Common Vulnerability Scoring
System (CVSS) scores that the National Vulnerability Database (NVD)
assigned to vulnerabilities affecting open source software were incorrect.
Since then I've been sending in corrections on a monthly basis,
taking into account the worst possible score across all affected
platforms (and not how Red Hat products were affected specifically).
For the five months May to September 2007 I looked at 178
vulnerabilities (across all Red Hat products and services). Only 80
were accurate. Corrections were submitted to NVD and they fixed the
incorrect CVSS scores on the remaining 98 vulnerabilities. 
So, before the corrections, there were 65 issues rated "High" out
of 178. After the corrections there are actually only 17 rated
"High". Fortunately the number of corrections needed each month
seems to be decreasing, but we'll continue to send in corrections
every month. Even with the corrections, the
severity rating for a given vulnerability may well vary for the
version each vendor ships; so you need to be careful if you are basing
your risk assesments soley on the accuracy of third-party severity ratings.
Favourite purchase of 2007: A Fujitsu ScanSnap S510 scanner with auto-document feed. It's not a
cheap scanner, but I've been drowning recently under a sea of
paperwork and clipped articles, and it sounded pretty neat: scanning both sides of A4 and quickly. The scanner comes
with a ton of Windows software: a driver, some OCR stuff, a full version of Acrobat, business card scanner, organisers, and a gadzillion menu entries for all those things. But it is pretty amazing to watch as you feed in a few hundred pages of A4 and within minutes you have a fully-searchable PDF file out.
So in two days I've scanned just under 2000 pages; some of it
into nice fully-searchable PDF files, and some (the stuff I know I want to be able to see in 10+ years time) in jpeg. I've now got an overheated shredder and little shredded bits of paper everywhere.
Although the scanner doesn't work out-of-the-box with current Linux distributions, it just needs a single line adding to a configuration file and then works perfectly with Red Hat Enterprise Linux (I tried RHEL 5 Client as well as Fedora 7). I've sent it to the maintainer so hopefully future updates to Sane will be able to handle the scanner without any editing.
So if you've got a Fujitsu ScanSnap S510 scanner (I keep typing SnapScan for some reason), and you've got sane-backends installed then the
following will get it up and running:
# echo "usb 0x04c5 0x1155" >> /etc/sane.d/fujitsu.conf
Then you can use any scanning front-end, or from the command line say you wanted to scan at 150dpi colour, double-sided, then use "scanimage -L" to figure out where your scanner is, and replace the 005:004 below with the location:
# scanadf --device fujitsu:libusb:005:004 --source "ADF Duplex" --mode Color -v --resolution 150 --y-resolution 150
The National Vulnerability Database (NVD)
assign a severity rating to every vulnerability; "High", "Medium", or "Low".
The rating is determined by ranges of CVSS (Common Vulnerability Scoring System)
v2 scores. I've not been a big fan of CVSS: I don't think it works particularly
well when applied to software that is shipped by multiple vendors, or
for open source software and libraries that don't know all the possible
use-cases of their software.
Even though I'm not a fan, NVD publish a CVSS score for every issue,
security companies are using those scores in their vulnerability feeds to
customers, and people are using them for metrics. So it's important that
these scores are accurate.
I decided to take a look at how accurate the CVSS scores were, so for every
vulnerability we fixed in any Red Hat product for June 2007 examined the CVSS
score given by NVD. For each one figuring out if the CVSS base metrics were
correct, and where they were not submitting the correction back to NVD. This
analysis of the vulnerabilities was based on their possible worst-case threat to
all platforms (I didn't adjust the CVSS scores for how the issues affected Red
Hat products specifically).
There were 39 total vulnerabilities for which unfortunately only 8 scores were
accurate. I submitted corrections to NVD and they fixed the CVSS scores on the
remaining 31 vulnerabilities.
20 vulnerabilities ended up moving down in ranking, 6 vulnerabilities
moved up, and 5 stayed the same (although the CVSS score changed).
Before the corrections there were 14 issues rated "High" out of 39,
after the corrections there are just 3 rated "High".
Those corrections are now live in the NVD, and I really appreciate how quick the
folks behind NVD were at checking and making the changes. I've submitted to
them corrections for a couple more months too, and I'll write about those when
there complete. Unfortunately it does take a lot of time to investigate each
issue and do the corrections, so it will limit how far back into 2007
we can correct.
Last month I read a blog entry from
hadess via Fedora Planet about hardware to let you run homebrew
applications on Nintendo DS. There is a ton of homebrew applications
available, but as of yet no jabber client.
My home automation system is all based around XMPP, with a standard Jabber
server to which all the home automation systems connect to share messages. I
wrote it like this so that it would be easy to just take some existing Jabber
client for a platform and be able to come up with a nice looking front end with
minimal effort.
I found Iksemel, a portable
C XML parser and protocol library that looked perfect, and it only
took a couple of hours to have it ported on the NDS, and a couple
more hours to get it working with PAlib for wifi. It's not a generic
Jabber chat client, but it wouldn't take too much work to make it into
one (although I didn't bother with encryption support so you won't be
able to use it with Google talk servers for example). Anyway, the code
might save someone a few hours, so I've made the source available.
I've included a copy of Iksemel, so if you want to build this yourself
all you need is a working development environment: devkitpro and PAlib. This
still needs some work, I need to integrate a library to handle displaying
images from the network (when the phone rings it can pop up the callers
picture or a streaming picture from one of the cameras when the doorbell
is pushed)
Although Red Hat is well known for Red Hat Enterprise Linux we actually have a large number of other supported products, both layered on top of Enterprise Linux (like Red Hat Application Stack) and stand-alone (like Red Hat Directory Server). The majority of these products are serviced through the Red Hat Network and get our security advisories in a standard way and are included in the Security Response Team metrics. But our analysis scripts were not particularly consistent in dealing with product names.
Common Platform Enumeration (CPE) is a naming scheme designed to combat these inconsistencies, and is part of the 'making security measurable' initiative from Mitre. From today we're supporting CPE in our Security Response Team metrics: we publish a mapping of Red Hat advisories to both CVE and CPE platforms (updated daily) and you can use CPE to filter the metrics. Some examples of CPE names:
cpe://redhat:enterprise_linux:5:server/firefox -- the Firefox browser package on Red Hat Enterprise Linux 5 server.
cpe://redhat:enterprise_linux:3 -- Red Hat Enterprise Linux 3
cpe://redhat/xpdf -- the xpdf package in any Red Hat
product.
cpe://redhat:rhel_application_stack:1 -- Red Hat Application Stack
version 1
For the past 12 months I've been keeping metrics on the types of issues that get
reported to the private Apache Software Foundation security alert
email address. Here's the summary for Jul 2006-Jun 2007 based
on 154 reports:
User reports a security vulnerability
(this includes things
later found not to be vulnerabilities)
| 47 (30%) |
|
User is confused because they visited a site "powered by Apache"
(happens a lot when some phishing or spam points to a site that is
taken down and replaced with the default Apache httpd page) | 39 (25%) |
|
User asks a general product support question
| 38 (25%) |
|
User asks a question about old security vulnerabilities
| 21 (14%) |
|
User reports being compromised, although non-ASF software was at fault
(For example through PHP, CGI, other web applications) | 9 (6%) |
|
That last one is worth restating: in the last 12 months no one who
contacted the ASF security team reported a compromise that was
found to be caused by ASF software.
|
|
|
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
pics from my twitter:
popular tags:
[all],
apache,
apachecon,
apacheweek,
cve,
cvss,
fedora,
financial,
geocaching,
ha,
metrics,
microsoft,
nashville,
north carolina,
red hat summit,
redhat,
security,
trips
|
|
