Security

News and editorials

The "Hack PC Week" Linux server was compromised, much to the delight of anti-Linux activists everywhere. But before one takes this episode as a condemnation of Linux security in general, it is worthwhile to have a look at how the system was broken into. The following information was posted by the crackers on the PC Week forums; it got split up, so one needs to read the first and second parts separately.

The crack happened in two distinct steps. The first was getting to where an arbitrary program could be run on the server. The cracker (identified as "jfs") achieved this by exploiting a vulnerability in the "photoads" CGI script, which PC Week was using to run advertisements on the target site. Nothing inherent in Linux or Apache was exploited to get in; the door was opened by a third-party, commercial package.

Once able to run programs on the target system, the cracker needed root access. It turns out that the (Red Hat) system being used in the challenge was lacking a number of security updates. In particular, the update to cron, issued by Red Hat on August 25, had not been applied. Jfs simply needed to run a canned exploit program from the net, and root access was his. End of story.

One clear conclusion is that the Linux system used in this challenge was not properly secured. A system being put on the front lines of a security challenge should at least have the security updates installed, and the inclusion of vulnerable, third-party software should only have been done with a great deal of thought.

It might also be said that Linux systems are too hard to secure. If nothing else, Red Hat 6.0 is overdue for an update. The official updates to that release now make up a substantial portion of the whole distribution, far more than most users will want to dig through. Updates will always go unapplied; it is better to eliminate the need.
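The lesson of the editorial above is that a missing package update, not the operating system itself, handed over root. The check an administrator would want is a way to compare what is installed against the minimum versions named in vendor advisories. The script below is an added example, not code from LWN, Red Hat or PC Week: it parses "name-version-release" lines in the shape `rpm -qa` prints, compares version and release strings with the same digit-run/letter-run rules RPM uses, and reports packages that fall short of a required version. The package names and version numbers in INSTALLED and REQUIRED are constructed placeholders, not the real advisory versions; epochs are ignored for brevity.

```python
"""Audit installed RPM-style package versions against required minimums.

Added example (not LWN's or Red Hat's code). Sample data is constructed.
"""
import re

# Constructed sample in the shape of `rpm -qa` output: name-version-release.
INSTALLED = """\
cron-1.2-3
openssh-server-1.2.27-1
apache-1.3.9-4
photoads-2.0-1
"""

# Constructed "minimum patched version" list, one "name version-release" per line,
# standing in for the versions an advisory would name.
REQUIRED = """\
cron 1.2-4
apache 1.3.9-4
"""

# A version string is compared as a sequence of digit runs and letter runs.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way RPM does.

    Digit runs compare numerically, letter runs lexically, a digit run is
    newer than a letter run, and when one string runs out of segments the
    longer one is newer. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed, required):
    """Compare two "version-release" strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    rv, rr = required.rsplit("-", 1)
    return rpmvercmp(iv, rv) or rpmvercmp(ir, rr)


def parse_nvr(line):
    """Split "name-version-release" on the last two hyphens; names may contain hyphens."""
    name, ver, rel = line.rsplit("-", 2)
    return name, ver + "-" + rel


def missing_updates(installed_text, required_text):
    """Return (name, installed_vr, required_vr) for every package older than required."""
    installed = dict(parse_nvr(ln) for ln in installed_text.splitlines() if ln.strip())
    missing = []
    for line in required_text.splitlines():
        if not line.strip():
            continue
        name, vr = line.split()
        have = installed.get(name)
        # Packages that are not installed at all are not at risk from this advisory.
        if have is not None and compare_vr(have, vr) < 0:
            missing.append((name, have, vr))
    return missing


if __name__ == "__main__":
    for name, have, need in missing_updates(INSTALLED, REQUIRED):
        print(f"{name}: installed {have}, advisory requires {need}")
```

On a real system the INSTALLED text would come from `rpm -qa` and REQUIRED from the vendor's advisory list; the comparison logic is the part that is easy to get wrong by hand (for instance, a plain string compare would rank 1.9 above 1.10).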
Security Reports

Linux TCP stack problem found. A bug in the 2.2 (and 2.3) kernel TCP stack has been found and posted. A suitably clever attacker could use it to bypass a number of address-based access control mechanisms. The bug has been tracked down and a fix exists; chances are a new 2.2 stable kernel will be released shortly.

Certicom challenge cracked. A group led by INRIA in France has announced the cracking of the code put forward in Certicom's "ECC Challenge." $4000 of their prize money will be going to the Free Software Foundation. (Thanks to Stéfane Fermigier).

A denial of service problem in ssh 1.2.27 has been announced. It's another /tmp link problem that allows a bad guy to make life obnoxious for local users.

Updates

Here are the security updates we have seen this week:
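The ssh 1.2.27 item above is one more instance of the /tmp link class of bug: a program creates a file at a predictable name in a world-writable directory, and a local user who plants a symbolic link there first can redirect the write. The example below is added here and is not ssh's code or LWN's; it shows the two defensive idioms that close the class, creating the file with O_CREAT|O_EXCL (the kernel refuses if anything, including a symlink, already exists at that name) or letting mkstemp pick an unpredictable name. The `demo` function builds its own scratch directory and a pre-planted link, both constructed for the test, and reports whether the create was refused and whether the link's target was left untouched.

```python
"""Safe file creation in a shared directory (defence for /tmp link bugs).

Added example; not code from ssh, Red Hat or LWN. Paths are constructed.
"""
import os
import tempfile


def create_private_file(path):
    """Create `path` atomically; fail if anything already exists there.

    O_EXCL together with O_CREAT makes open(2) fail with EEXIST when the
    name already exists, even if it is a dangling symlink. O_NOFOLLOW is
    added where the platform has it as a second line of defence.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def write_scratch(data, directory=None):
    """Preferred form: mkstemp chooses an unpredictable name and opens it
    with O_EXCL itself. Returns the path that was actually used."""
    fd, path = tempfile.mkstemp(prefix="scratch-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo(tmpdir=None):
    """Plant a link at a predictable name (constructed scenario) and show
    that create_private_file refuses it and the link target is unchanged.

    Returns (refused, target_intact).
    """
    tmpdir = tmpdir or tempfile.mkdtemp()
    target = os.path.join(tmpdir, "target")
    with open(target, "w") as f:
        f.write("original")
    predictable = os.path.join(tmpdir, "scratch")
    os.symlink(target, predictable)  # the pre-existing link the defence must not follow
    try:
        with create_private_file(predictable) as f:
            f.write("clobbered")
        refused = False
    except FileExistsError:
        refused = True
    with open(target) as f:
        intact = f.read() == "original"
    return refused, intact


if __name__ == "__main__":
    print("refused, intact =", demo())
    print("scratch written to", write_scratch("hello"))
```

The weak pattern the class is named for is the opposite of both idioms: `open("/tmp/fixedname", "w")`, which follows whatever already sits at that name. Dropping O_EXCL or reusing a fixed name reintroduces the problem regardless of the permissions on the directory.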
Resources

The Linux Administrator's Security Guide has moved to a new location on SecurityPortal.com.

Events

TooRcon 2000, a security-oriented conference, has been announced; it will be happening September 1-3, 2000 in San Diego, California.

Section Editor: Liz Coolbaugh
September 30, 1999