| |
mark :: blog :: security
From time to time I publish metrics on vulnerabilities that affect
Red Hat Enterprise Linux. One of the more interesting metrics looks at
how far in advance we know about the vulnerabilities we fix, and from where
we get that information. This post is abstracted from the upcoming "4 years of Enterprise Linux 4"
risk report
For every fixed vulnerability across every package and every
severity in Enterprise Linux 4 AS in the first 4 years of its life, we
determined if the flaw was something we knew about a day or more in advance of
it being publicly disclosed, and how we found out about the flaw.
For vulnerabilities which are already public when we first hear about them
we still track the source as it's a useful internal indicator on where the
security
response team
should focus their efforts.
So from this data, Red Hat knew about 51% of the security vulnerabilities that
we fixed at least a day in advance of them being publicly disclosed. For those
issues, the average notice was 21 calendar days, although the median
was much lower, with half the private issues having advance notice of 9
days or less.
Red Hat Enterprise Linux 5.3 was released today, around 8 months since the
release of 5.2 in May 2008. So let's use this opportunity to take a quick
look back over the vulnerabilities and security updates we've made in that time,
specifically for Red Hat Enterprise Linux 5 Server.
The chart below shows the total number of security updates issued for Red Hat
Enterprise Linux 5 Server as if you installed 5.2, up to and including the 5.3
release, broken down by severity. I've split it into two columns, one for the
packages you'd get if you did a default install, and the other if you installed
every single package (which is unlikely as it would involve a bit of manual
effort to select every one). So, for a given installation, the number of
packages and vulnerabilities will probably be somewhere between the two.
So for a default install, from release of 5.2 up to and including 5.3, we shipped 45
advisories to address 127 vulnerabilities. 7 advisories were rated critical, 21
were important, and the remaining 17 were moderate and low.
For all packages, from release of 5.2 to and including 5.3, we shipped 61 advisories
to address 181 vulnerabilities. 7 advisories were rated critical, 28 were
important, and the remaining 26 were moderate and low.
The 7 critical advisories were for just 3 different packages:
- Five updates to Firefox (July, July, September, November, December)
where a malicious web site could potentially run arbitrary code as the user
running Firefox. Given the nature of the flaws, ExecShield protections in RHEL5
should make exploiting these memory flaws harder.
- An update to Samba
(May), where a
remote attacker who can connect and send a print request to a Samba server could
cause a heap overflow. The Red Hat Security Response Team believes it would
be hard to remotely exploit this issue to execute arbitrary code due to the
default enabled SELinux targeted policy and the default enabled SELinux memory
protection tests. We are not aware of any public exploit for this issue.
- An update to OpenSSH
(August),
provided to mitigate an intrusion into certain Red Hat computer systems. The
attacker was able to sign a small number of tampered packages but they were not
distributed on the Red Hat Network. We classified this update as critical to ensure
any tampered packages would be replaced with official packages.
Although not of critical severity, also of interest during this period
were the spoofing attacks on DNS servers. We provided an update to BIND
(July) adding
source port randomization to help mitigate these attacks.
Updates to correct all of these critical vulnerabilities (as well as migitate
the BIND issue) were available via Red Hat
Network either the same day, or one calendar day after the issues were
public.
In fact for Red Hat Enterprise Linux 5 since release and to date, every
critical vulnerability has had an update available to address it available from
the Red Hat Network either the same day or the next calendar day after the issue
was public.
To compare this with the last updates we need to take into account that the
time between each update is different. So looking at a default installation
and calculating the number of advisories per month gives the following
chart:
Red Hat Enterprise Linux 5 shipped with a number of security technologies
designed to make it harder to exploit vulnerabilities and in some cases block
exploits for certain flaw types completely. For 5.2 to 5.3 there
were two flaws blocked that would otherwise have required updates:
- A double-free
flaw in unzip.
The glibc
pointer checking
limited the exploitability of
this issue to just a crash of unzip, a client application, which does not
have security implications. No security update was needed.
- Two format
string flaws in c++filt. The format string protection
caused these issues to have no security implications. No security
update was needed.
This data is interesting to get a feel for the risk of running Enterprise Linux
5 Server, but isn't really useful for comparisons with other versions,
distributions, or operating systems -- for example, a default install of Red Hat
Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use
our public security
measurement data and tools, and run your own custom metrics for any given
Red Hat product, package set, timescales, and severity range of interest.
See also:5.1 to 5.2
risk report
Secunia collect some very interesting information about the patch
state of Windows systems. Their results from 20,000 machines published
yesterday were that over 98% of PCs were
insecure, having at least one out-of-date application installed.
Actually this isn't surprising and is exactly what I'd expect;
it's all down to third party applications.
Let's say you're browsing the web. It's more than likely that at
some point you'll want to view some PDF files, watch some Flash
content, or play a Java game. Those tasks are all dealt with by third
party applications, although to the end user it's all part of the
browser experience. Since your system is only as secure as its
weakest link, you need to manage security updates for those third
party applications just as carefully as you manage security updates
for the rest of your system. That's why Adobe Reader, Java, Flash,
and all the myriad of other applications you've installed in order to
make your system useful have their own update mechanisms. Some
applications on Windows will 'phone home' when they are run and check
to see if they need to be updated, others deploy services that sit in
the background looking for updates from time to time, others even
check every time your system starts. Many don't get automated updates
at all.
How do you deal with all that risk? I believe it's possible by
providing an OS distribution which includes all the bits you'll
likely need to make a useful computing environment, thereby taking
away that update uncertainty. Red Hat ship several PDF viewers in our
distributions for example, but we also ship (in an Extras channel)
Adobe Reader. Our Security Response Team are monitoring for security
issues in everything we ship, all the third party applications,
and providing a single point of contact, a single
notification system, and a single way to get the updates.
If Microsoft knew that say 25% of all their users installed
Firefox, wouldn't they be better bundling it and providing their
centralised automated updates for it, to reduce their customers
overall risk? They do already bundle some third party applications, although it's
been with mixed success as we found 3 years ago when they
didn't
provide security fixes for bundled Flash (ZDNet
coverage).
This is, in part, why you've not seen me respond recently to the
Vista security reports which compare vulnerability counts. In these
reports they use a cut-down minimal Red Hat Enterprise Linux
installation in order to make it look more like Windows for the
comparisons. But this is completely backwards -- the fact that we're
including and fixing the flaws using a common process in so much
third party software is actually helping reduce the risk and protect
real customers. For example we could easily cut our vulnerability
count by shipping only one PDF viewer instead of four. But if we know
that these other viewers are going to get installed by the customer
anyway all we've done is to hide the vulnerability count elsewhere,
and you've made the customers overall risk increase.
So it may seem counter-intuitive but we should ship as much third
party applications (that we know people use) as we can, because a
single managed security update and notification process will decrease
a users overall risk. The fewer third party applications that users
have to get from elsewhere and install and manage for themselves the better
in my opinion.
I've not posted to my blog in some months as things have been quite
busy at work; in fact as of today we provide security response
services for 85 released Red Hat product versions. We handle, triage,
and investigate around 50 vulnerabilities a month. To cope with this,
the Red Hat Security Response Team has staff in 6 countries.
There are plenty of new products to come, so we're currently hiring
for another engineer to join the response team. The full job details
are here:
https://redhat.ats.hrsmart.com/cgi-bin/a/highlightjob.cgi?jobid=3685
Although the location is specified as the Czech Republic there is
actually no specific restriction on the location of this position, and
the candidate could be located at any one of the world-wide Red Hat
offices, or potentially even remote.
If you are interested please submit your resume through the online
application process, or feel free to mail me with questions.
ZoneMinder is an amazing Linux video camera
security and surveillance application I use as part of my home automation
system. ZoneMinder prior to version 1.23.3 contains unescaped
PHP exec() calls which can allow an authorised remote user the ability to run
arbitrary code as the Apache httpd user (CVE-2008-1381)
CVSS
v2 Base Score 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
This is really a moderate severity flaw because you need a remote attacker who
has the ability to start/stop/control ZoneMinder, and you really should protect
your ZoneMinder installation so you don't allow arbitrary people to control your
security system. (Although I think at least one distributor package of
ZoneMinder doesn't protect it by default, and you can find a few unprotected
ZoneMinder consoles using a web search).
I discovered this because when we went on holiday early in April I forgot to
turn down the heating in the house. Our heating system is controlled by
computer and you can change the settings locally by talking to a Jabber heating
bot (Figure 1). But remotely over the internet it's pretty locked down and the only thing
we can access is the installation of ZoneMinder. So without remote shell access,
and with an hour to spare at Heathrow waiting for the connecting flight to
Phoenix, I figured the easiest way to correct the temperature was to find a
security flaw in ZoneMinder and exploit it. The fallback plan was to explain to
our house-minder how to change it locally, but that didn't seem as much fun.
So I downloaded ZoneMinder and took a look at the source. ZoneMinder is a
mixture of C and PHP, and a few years ago I found a buffer overflow in one of
the C CGI scripts, but as I use Red Hat Enterprise Linux exploiting any new
buffer overflow with my ZoneMinder compiled as PIE definately wouldn't be
feasible with just an hours work. My PHP and Apache were up to date too. So I
focussed on the PHP scripts.
A quick grep of the PHP scripts packaged with ZoneMinder found a few cases where
the arguments passed to PHP exec() were not escaped. One of them was really
straightforward to exploit, and with a carefully crafted URL (and if you have
authorization to a ZoneMinder installation) you can run arbitrary shell code as
the Apache httpd user. So with the help of an inserted semicolon and one reverse shell
I had the ability to remotely turn down the heating, and was happy.
I notified the ZoneMinder author and the various vendors shortly after and
updates were released today (a patch is also
available)
Figure 1: Local heating control
It sometimes seems like the Security Response Team at Red Hat are
pushing security updates every day, but actually a default
installation of Enterprise Linux 4 AS was vulnerable to only 7
critical security issues in the first three years since release. But to
get a picture of the risk you need to do more than count
vulnerabilities.
My full
risk report was published yesterday in Red Hat Magazine and
reveals the state of security since the release of Red Hat Enterprise
Linux 4 including metrics, key vulnerabilities, and the most common
ways users were affected by security issues.
"Red Hat knew about 49% of the security
vulnerabilities that we fixed in advance of them being publicly
disclosed. For those issues, the average notice was 21 calendar days,
although the median was much lower, with half the private issues
having advance notice of 8 days or less."
Last Friday, just as I was finishing work for the day, an email
appeared in my mailbox from the UK CPNI announcing a public remote
code execution flaw in Apache on HP-UX. As Chair of the Apache
Software Foundation Security Team I knew there were no outstanding remote code
execution flaws in Apache HTTP server (in fact we've not had a remote
code execution flaw for many years) so I was expecting to invoke the
Red Hat Critical Action Plan which would have meant a rather long
weekend for me, my team, and various development and quality engineering staff.
First thing to do was to find the original source of the advisory,
as co-ordination centres and research firms are known to often play the
Telephone game, with advisory texts mangled beyond recognition. Following
the links led to the actual
advisory on the HP site. This describes the vulnerability as follows:
But then they give the CVE name for the flaw, CVE-2007-6388,
which is a known public flaw fixed last month in various
Apache versions from the ASF and in updates from various vendors
that ship Apache (including Red Hat).
This flaw is a cross-site scripting flaw in the mod_status module.
Note that the server-status page is not enabled by default and it is
best practice to not make this publicly available.
I wrote mod_status over 12 years ago and so I know that this flaw is exactly
how the ASF describes it; it definitely can't let a remote attacker execute
arbitrary code on your Apache HTTP server, under any circumstances.
I fired off a quick email to a couple of contacts in the HP security
team and they confirmed that the flaw they fixed is just the cross-site
scripting flaw, not a remote code flaw. The CVSS ratings they give in
their advisory are consistent with it being a cross-site scripting flaw
too.
So happy with a false alarm we cancelled our Critical Action Plan and
I went off and had a nice weekend
practicing
taking panoramas without a tripod ready for an upcoming holiday. My first
attempt came out better than I expected:
Secunia released a security summary report for 2007 and surprisingly
gave a count for Red Hat for the year at over 600 vulnerabilities. I
had no idea how they got to this number, it certainly doesn't match
our own publicly available metrics at
http://www.redhat.com/security/data/metrics
Using our public tool, for every Red Hat product and service, for 2007
we issued 306 advisories to fix 404 vulnerabilities. Of those 404
vulnerabilities 41 were critical (on the scale used by Microsoft and
Red Hat).
Most people are not going to be using every Red Hat product, so taking
just Enterprise Linux product you find 348 vulnerabilities, of which 27
were critical. A given user is going to only be vulnerable to the issues that affect
the products and packages they have installed. Using the scripts on
our pages you can figure it out for your own circumstances. But as an
example, the default installation of Red Hat Enterprise Linux 4 AS had
172 vulnerabilities of which 4 were critical.
The Secunia report does actually make it clear you can't use their
vulnerability count as a method of comparing platforms, in part due to the
differences in methodology of the vendors, but I'm sure this won't stop
some press from jumping to conclusions if they don't read the actual report.
I've asked Secunia how they got to their number of vulnerabilities, but in the
meantime, a raw count of vulnerabilities is only a small part of the
overall risk exposure in using a product. I've got some more reports that go
into this in more detail for two years of Enterprise Linux 4 and Enterprise Linux
5.0 to 5.1.
Update: Coverage of this: ZDNet
Update: Secunia told me that they treat each advisory separately; so for example
yesterday we issued updates for some moderate severity issues in
the Apache Web server, but we did separate advisories for each affected
product: Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, v2.
So in this case the same Apache vulnerability would be counted 6 times.
A year ago I published a table of
Security Features in
Red Hat Enterprise Linux and Fedora Core. Since then we've released
two more Fedora versions, and a Red Hat Enterprise Linux, so it's time to
update the table.
Between releases there are lots of changes made to improve security and I've not
listed everything; just a high-level overview of the things I think are most
interesting that help mitigate security risk. We could go into much more
detail, breaking out the number of daemons covered by the SELinux default
policy, the number of binaries compiled PIE, and so on.
1 Since June 2004, 2 Since September 2004, 3 Selected Architectures
Late last month I spent a day with the Red Hat Magazine team talking
about vulnerability response. The first video
is now available and talks about the role of Red Hat in dealing
with vulnerabilities in third party software. The video was shot in
my home office which explains the calming green paint; it's hard to
get too stressed in a pale green room.
|
|
|
tags:
all,
apache,
apachecon,
apacheweek,
bryce,
cve,
fedora,
financial,
fudcon,
geocaching,
gps,
ha,
jabber,
metrics,
microsoft,
nashville,
north carolina,
oscon,
red hat summit,
security,
trips
|
|
