mark :: blog

01 Jun 2010: Five years of Red Hat Enterprise Linux 4

It came as no surprise when Microsoft admitted to quiet security patching. We knew many years ago that they did this: vulnerabilities found internally, or by researchers contracted to work for them, were fixed silently and left out of the count. For closed-source, single-vendor software this isn't too big a deal: the user has no choice either way, whether the update they need for some application addresses one critical vulnerability or 20.

Looking back, before they admitted to this practice Microsoft actively used vulnerability counts in reports as a tool to discredit the security of open source distributions. Famously, even Steve Ballmer participated in counting vulnerabilities using candy.

In other news, the Red Hat Enterprise Linux 4 risk report we release each year has been published (PDF). This whitepaper looks at the state of security for the first five years of Red Hat Enterprise Linux 4 from its release on February 15th, 2005. It includes metrics, key vulnerabilities, and the most common ways users were affected by security issues.

"Red Hat knew about 52% of the security vulnerabilities that we fixed in advance of them being publicly disclosed. The average time between Red Hat knowing about an issue and it being made public was 22 days (median 10 days).... A default installation of Red Hat Enterprise Linux 4 AS was vulnerable to 14 critical security issues over the entire five years."
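As an added illustration of how figures like the ones quoted above are derived (this is example code, not from the report or the blog, and the advisory records in it are constructed sample data with placeholder ids rather than real CVE numbers), a small Python program computes the same three kinds of metric from a list of advisories: the share the vendor knew about in advance, the mean and median lead time, and the number of critical issues affecting a default installation. It assumes, as a modelling choice of its own, that lead time is averaged only over the issues the vendor learned of before public disclosure.

```python
"""Risk-report style metrics over a constructed advisory list.

Added example; not code from the report or the blog. The advisories below
are invented sample data (placeholder ids, not real CVEs).
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class Advisory:
    ident: str              # placeholder id, not a real CVE number
    severity: str           # "critical", "important", "moderate" or "low"
    vendor_aware: date      # day the vendor learned of the issue
    public: date            # day the issue became public
    default_install: bool   # does it affect a default installation?


# Constructed sample data: eight advisories spread over a product lifetime.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "critical",  date(2005, 3, 17), date(2005, 3, 21), True),
    Advisory("EXAMPLE-0002", "important", date(2005, 4, 10), date(2005, 4, 10), True),
    Advisory("EXAMPLE-0003", "critical",  date(2006, 1, 5),  date(2006, 1, 15), False),
    Advisory("EXAMPLE-0004", "moderate",  date(2006, 6, 1),  date(2006, 5, 20), True),
    Advisory("EXAMPLE-0005", "critical",  date(2007, 2, 1),  date(2007, 3, 3),  True),
    Advisory("EXAMPLE-0006", "low",       date(2008, 8, 6),  date(2008, 8, 6),  False),
    Advisory("EXAMPLE-0007", "critical",  date(2009, 7, 1),  date(2009, 7, 1),  True),
    Advisory("EXAMPLE-0008", "important", date(2009, 9, 1),  date(2009, 10, 11), True),
]


def lead_days(adv):
    """Days between the vendor learning of the issue and public disclosure.

    Positive means the vendor had advance notice; zero or negative means it
    learned of the issue on, or only after, the day it became public.
    """
    return (adv.public - adv.vendor_aware).days


def known_in_advance(advisories):
    """Advisories where the vendor had at least one day of advance notice."""
    return [a for a in advisories if lead_days(a) > 0]


def risk_metrics(advisories):
    """Return the headline figures a risk report quotes."""
    advance = known_in_advance(advisories)
    leads = [lead_days(a) for a in advance]
    return {
        "total": len(advisories),
        "known_in_advance_pct": 100.0 * len(advance) / len(advisories),
        # Assumption: lead time is averaged only over issues known in advance,
        # so an issue first seen as a public disclosure does not drag it down.
        "mean_lead_days": mean(leads) if leads else 0.0,
        "median_lead_days": median(leads) if leads else 0.0,
        "critical_default_install": sum(
            1 for a in advisories
            if a.severity == "critical" and a.default_install
        ),
    }


if __name__ == "__main__":
    for key, value in risk_metrics(SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

The median is reported alongside the mean because a handful of long embargoes can pull the average up well above the typical case, which is exactly the gap visible in the quoted 22-day average versus 10-day median.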

Created: 01 Jun 2010

6 comments (new comments disabled)

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Rakesh Pandit
Time: Tue, 01 Jun 2010 15:10

I have been reading these reports/comparisons for the past few years (since I left school) and I couldn't agree more with your view. These comparison reports published by Microsoft are a fluke, and their credibility is nullified by this statement from a Microsoft official.

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Brad Spengler
Time: Tue, 01 Jun 2010 17:27

Pot, meet kettle.

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Brad Spengler
Time: Tue, 01 Jun 2010 18:58

BTW, as for your published report, there's this part: "The remainder (CVE-2009-3547, CVE-2009-2698, CVE-2009-2692, CVE-2009-1337, CVE-2006-3626, CVE-2006-2451, CVE-2005-0736, CVE-2004-1235, and CVE-2005-0531) could work on any default, unpatched system. Four of those exploits need unpublished source code adjustments in order to work against a vulnerable Red Hat Enterprise Linux 4 kernel." Ignoring for a minute the conflation of vulnerabilities with exploits (you discuss CVEs and then mention exploits): what four exploits are you talking about? The reason I ask is that I developed many of those exploits, the initial versions of which weren't tested against all kernels, and many being initially stand-alone. They were all rewritten later (before your Feb 2010 cutoff date) and integrated into the Enlightenment exploit framework which fixed some issues like symbol parsing on the old 2.6.9 kernel used in RHEL4. There were also exploits written by others for the same vulnerabilities which weren't as rigorously tested as mine and would have failed on the RHEL4 kernel. Basically I question the "unpublished source code adjustments" bit as there were many different versions of the same exploit, so the exact exploit that was acquired and the date it was acquired on are important to establish this claim. Also, the report claims: "In each case the default SELinux targeted policy for the Apache HTTP Server would restrict what a successful exploit is able to do." Like launching kernel exploits that disabled SELinux? I thought we learned this lesson already. I can list all the major kernel vulnerabilities that SELinux was helpless to prevent, if you'd like. You even mentioned in your February blog post: "For Red Hat, interactions with SELinux prevented them being able to be easily mitigated, until the end of the year when we provided updates. Now, in 2010, the upstream Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation." -Brad

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Mark Cox
Time: Tue, 01 Jun 2010 19:21

Hi Brad; for the claim "unpublished source code adjustments" for a given CVE we mean that we did not find, at the time of writing, any public exploit for that CVE that worked as published (or worked after some minor obvious adjustments). We did take into account your Enlightenment exploits. I'll have to get back to you after going through the notes from the last few years' reports about which exact ones are which though: if you end up fixing any of those 4 exploits, we'll include that in the next update.

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Mark Cox
Time: Wed, 02 Jun 2010 14:04

As a quick follow-up based on the notes I have and some testing Eugene tried this morning, these are the vulnerabilities that have no public exploits that work by default on RHEL4: CVE-2009-1337 (won't work by default as it needs root to set suid_dumpable to 1 or 2 from the 0 default), CVE-2006-3626 (the only exploits are for a.out and the rhel4 kernel doesn't have a.out support), CVE-2005-0531, CVE-2009-3547 (recent Enlightenment). For a given kernel version any one working exploit for any one CVE can be enough though :)

Title: Re: Five years of Red Hat Enterprise Linux 4
Posted by: Brad Spengler
Time: Wed, 02 Jun 2010 13:31

Thanks for the info, it looks correct to me. -Brad

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.