Security

News and Editorials

So what was different in 2000?

The end of the year has come, and with it an opportunity to look back on the year from a security perspective. After examining many potential topics and discarding them, we settled on one question: what has changed the most since 1999? From the perspective of writing this column, the sheer volume of information being reported stands out as the largest change. Looking back at some of the LWN Security Summaries from 1999, several fit in a single page view or contain no more than six paragraphs. It seemed worthwhile to see whether we could produce some rough numbers to illustrate this change.

To do so, we looked at two pieces of information: the number of open source software vulnerability reports covered and the size of the LWN Security Summary. For the first, we quickly scanned through old issues and estimated the number of new vulnerabilities we reported each month for both 1999 and 2000. Lacking a proper database, we make no claims of absolute accuracy. We excluded vulnerabilities in commercial software and web scripts, since our coverage of those issues was not consistent between 1999 and 2000. Given those parameters, the average number of vulnerabilities reported per month in 1999 was 13.67, while the equivalent figure for 2000 was 26.41, almost exactly double. For the second, the average size of a security summary in 1999 was around 6.2KB, while in 2000 the average was 16.1KB, an even larger growth. Of course, although sizes are easy to calculate accurately, they are a less reliable indication of increased activity; maybe we are just getting more loquacious. Nonetheless, our rough numbers strongly back up the assertion that security activity has roughly doubled over the past year. Why?
Well, like most statistics, these can be used to bolster just about any theory you might have, but our own guess is that the increase is simply the result of more eyes on the code. Linux and free software are gaining in popularity; more and more people are using and scrutinizing the software, so more problems are being found and reported. It does, however, give us a somewhat scary feeling about 2001...

NSA security-enhanced Linux available

The U.S. National Security Agency has made its security-enhanced version of Linux available for download. The site describes what has been done, though in fairly abstract terms. It is available under the GPL, of course. (See also Ted Ts'o's comments on Slashdot on this release.)

Stephen Smalley also posted an excellent short summary of the features of the Flask architecture used by Security-Enhanced Linux, and a comparison with RSBAC (Rule Set Based Access Control) for Linux, another open source security extension:

"RSBAC appears to have similar goals to the Security-Enhanced Linux. Like the Security-Enhanced Linux, it separates policy from enforcement and supports a variety of security policies. RSBAC uses a different architecture (the Generalized Framework for Access Control or GFAC) than the Security-Enhanced Linux, although the Flask paper notes that at the highest level of abstraction, the Flask architecture is consistent with the GFAC. However, the GFAC does not seem to fully address the issue of policy changes and revocation, as discussed in the Flask paper."

Vendor security information update

Spurred by this excellent post by Matt Power (Bindview) to BugTraq this past week, the security links listed in our right-hand column have had a major overhaul.
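Returning to the Flask architecture described above: to make the policy/enforcement split and the revocation point in Smalley's summary concrete, here is a small Python model added for this page. It is illustration only, not code from Security-Enhanced Linux, the Flask prototype or RSBAC; the context tuples, the type names (user_t, shadow_t), the rule format and the toy FileServer are all constructed for the demo. A security server computes access vectors from the policy and enforces nothing; an object manager enforces those decisions through an access vector cache whose entries are tagged with a policy sequence number; and on a policy reload the object manager re-validates the handles it has already granted, which is the revocation problem the Flask paper raises against a check-only-at-open design.

```python
# Toy model of Flask's split between policy decisions and enforcement.
# Added illustration for this page, not code from SELinux, Flask or RSBAC;
# contexts, type names, the rule format and FileServer are all constructed.


class SecurityServer:
    """Owns the policy and computes decisions; enforces nothing itself."""

    def __init__(self, rules):
        self.rules = set(rules)   # {(source_type, target_type, class, perm)}
        self.policy_seq = 1       # bumped on every policy load
        self.sids = {}            # sid -> (user, role, type) context
        self.listeners = []       # object managers told about policy changes

    def context_to_sid(self, ctx):
        for sid, known in self.sids.items():
            if known == ctx:
                return sid
        self.sids[len(self.sids) + 1] = ctx
        return len(self.sids)

    def compute_av(self, ssid, tsid, obj_class):
        stype, ttype = self.sids[ssid][2], self.sids[tsid][2]
        return frozenset(p for (s, t, c, p) in self.rules
                         if (s, t, c) == (stype, ttype, obj_class))

    def load_policy(self, rules):
        self.rules = set(rules)
        self.policy_seq += 1
        for callback in self.listeners:
            callback(self.policy_seq)


class AVC:
    """Access vector cache; an entry is stale once the policy sequence moves."""

    def __init__(self, server):
        self.server, self.cache = server, {}

    def permitted(self, ssid, tsid, obj_class, perm):
        key = (ssid, tsid, obj_class)
        seq, av = self.cache.get(key, (None, None))
        if seq != self.server.policy_seq:   # absent or stale: ask the server
            seq, av = self.server.policy_seq, self.server.compute_av(*key)
            self.cache[key] = (seq, av)
        return perm in av


class FileServer:
    """Toy object manager; with revoke_on_change=False it checks only at open()."""

    def __init__(self, server, revoke_on_change=True):
        self.server, self.avc = server, AVC(server)
        self.files = {}      # name -> target sid
        self.handles = {}    # handle id -> [ssid, tsid, set of granted perms]
        if revoke_on_change:
            server.listeners.append(self.on_policy_change)

    def open(self, ssid, name, perm):
        tsid = self.files[name]
        if not self.avc.permitted(ssid, tsid, "file", perm):
            raise PermissionError(f"{perm} on {name} denied")
        self.handles[len(self.handles) + 1] = [ssid, tsid, {perm}]
        return len(self.handles)

    def read(self, hid):
        ssid, tsid, perms = self.handles[hid]
        if "read" not in perms:
            raise PermissionError("read permission revoked")
        return f"contents of sid {tsid}"

    def on_policy_change(self, seq):
        # Revocation: re-validate every outstanding handle under the new policy.
        for ssid, tsid, perms in self.handles.values():
            for perm in list(perms):
                if not self.avc.permitted(ssid, tsid, "file", perm):
                    perms.discard(perm)


def scenario(revoke_on_change=True):
    """Grant read, open a handle, drop the rule, then try a fresh open and the
    old handle; returns which of the three accesses succeeded."""
    server = SecurityServer([("user_t", "shadow_t", "file", "read")])
    fs = FileServer(server, revoke_on_change)
    fs.files["/etc/shadow"] = server.context_to_sid(("system_u", "object_r", "shadow_t"))
    user = server.context_to_sid(("user_u", "user_r", "user_t"))
    handle = fs.open(user, "/etc/shadow", "read")
    result = {"opened_before": fs.read(handle) is not None}
    server.load_policy([])  # administrator removes the only rule
    for name, action in (("fresh_open_after",
                          lambda: fs.open(user, "/etc/shadow", "read")),
                         ("old_handle_after", lambda: fs.read(handle))):
        try:
            action()
            result[name] = True
        except PermissionError:
            result[name] = False
    return result


if __name__ == "__main__":
    print("with revocation:   ", scenario(True))
    print("without revocation:", scenario(False))
```

Run with scenario(False) to see what an enforcer that checks only at open time does: after the rule is removed, new opens are refused (the cache entry is stale, so the security server is asked again and says no), but the handle opened earlier still reads. With revocation enabled the object manager re-checks its outstanding handles when the policy sequence changes and the old handle is refused too. Real SELinux drives the cache and revocation through callbacks rather than comparing a sequence number on every lookup; the model keeps only the shape of the design.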
BSD information has been added, now that our BSD coverage is officially included, and there is a new section with pointers to web pages carrying subscription information for the security and security-announcement lists of the various distributions.

RSA's SecurID challenged by a token emulator

SecurID from RSA is a proprietary two-factor authentication scheme, combining a password with a security card, on which RSA has based products for remote access and e-business. A SecurID module is available for Apache, for example. This week, I.C. Wiener published a SecurID token emulator, prompting a discussion on BugTraq of the implications. Adam Shostack commented that such code has been in the wild since 1996 and that its current publication will have the value of allowing a real test of the assertion that the numbers on the SecurID card do not reveal sufficient information to determine the card's secret.

Group crafts rating system for server security (CNet)

A new, 71-member organization, the Center for Internet Security, plans to build benchmarks and rating methodologies in order to provide "a 'security ruler' defining a minimum level of security and then incrementally greater levels of security from which an organization can choose the desired level of security for its systems". Their plans are covered in this CNet article. Note that the benchmarks are to be released into the public domain.

It will be interesting to see how this venture does. The center itself is not-for-profit, so we presumably shouldn't see expensive fees for getting products or systems "rated" by it. On the other hand, members of the center will be the ones reviewing and approving new benchmarks and ratings as they come out, so it may well be difficult both to move forward in a timely manner and to prevent bias toward member products.

Security Reports

dialog lockfile symlink vulnerability
Matt Kraai reported a symlink problem with the way dialog handles lockfiles. The Debian advisory below is the first and only reference to the problem we have found so far.

This week's updates:

More stunnel vulnerabilities

More stunnel vulnerabilities have been reported, in addition to the ones discussed last week. One of them involves stunnel logging its process id to a file in a non-existent directory. Further stunnel updates are being released to address these additional problems. One more reported stunnel vulnerability, the weak encryption problem, apparently does not affect Linux or BSD systems.

This week's updates:

halflifeserver

Multiple buffer overflows and format string vulnerabilities have been reported in halflifeserver.

This week's updates:

Kerberized telnetd

Telnetd's acceptance of arbitrary environment variables and a buffer overflow in the Kerberos v4 library combined to allow a local root exploit on NetBSD. Note that this problem has not been confirmed on other BSD or Linux systems.

This week's updates:

cgi-bin scripts

The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products

The following commercial products were reported to contain vulnerabilities:
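The dialog lockfile report above gives no detail beyond "symlink problem with lockfiles", so the following Python example, added for this page and not dialog's own code, shows the generic pattern such reports describe: a lockfile created at a predictable path in a directory other users can write to, opened with O_CREAT|O_TRUNC, follows a symlink a local attacker planted beforehand and truncates whatever the link points at, with the privileges of the program. Beside it is the atomic fix, O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it). The victim file, the lockfile name and the scratch directory are constructed for the demo.

```python
# Symlink attack on a predictable lockfile, and the atomic fix.
# Added illustration for this page, not dialog's code: the victim file, the
# lockfile name and the scratch directory are all constructed for the demo.
import errno
import os
import tempfile


def create_lock_unsafe(lock_path):
    # Vulnerable pattern: O_CREAT without O_EXCL opens straight through a
    # symlink that already sits at lock_path, truncating whatever it points at.
    fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, b"%d\n" % os.getpid())
    finally:
        os.close(fd)


def create_lock_safe(lock_path):
    """Return True if the lock was created, False if anything already exists
    at lock_path (another instance's lock, or an attacker's symlink)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, 0o644)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False  # never write through whatever is already there
        raise
    try:
        os.write(fd, b"%d\n" % os.getpid())
    finally:
        os.close(fd)
    return True


def plant_attack(tmpdir):
    """Constructed setup: a victim file standing in for something like
    /etc/passwd, and an attacker's symlink at the program's predictable
    lockfile path, created before the privileged program runs."""
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("important data\n")
    lock = os.path.join(tmpdir, "program.lock")
    if os.path.lexists(lock):
        os.unlink(lock)
    os.symlink(victim, lock)
    return victim, lock


def demo():
    """Run the attack against both lockfile routines; returns what happened."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim, lock = plant_attack(tmpdir)
        create_lock_unsafe(lock)
        with open(victim) as f:
            clobbered = f.read() != "important data\n"

        victim, lock = plant_attack(tmpdir)
        created = create_lock_safe(lock)
        with open(victim) as f:
            intact = f.read() == "important data\n"

        os.unlink(lock)  # no symlink present: the safe routine works normally
        created_clean = create_lock_safe(lock)
        return {"unsafe_clobbered": clobbered, "safe_created": created,
                "victim_intact": intact, "safe_created_clean": created_clean}
    finally:
        for name in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

O_EXCL is what makes the fix atomic: open(2) with O_CREAT|O_EXCL fails with EEXIST when the last path component already exists, symlink or not, so there is no window between a check and the open. An lstat() before the open does not give that guarantee, because the attacker can create the link between the two calls. The better design is not to put lockfiles where untrusted users can write at all (a directory owned by the service, or the user's own home directory); O_EXCL then protects against a stale lock rather than against an attack.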
Updates

GnuPG web of trust circumvention

A couple of new GnuPG security problems were covered in last week's LWN Security Summary, and a security patch against gnupg-1.0.4 was issued. Note that last week's discussion mentioned two vulnerabilities but only discussed one of them, the trust circumvention problem. Also fixed by the security patch was a problem with detached signatures, which could cause false-positive verifications.

This week's updates:

Previous updates:

ProFTPD memory leak

Last week, we mentioned a potential memory leak in ProFTPD. After further discussion on the list, the official position is that the bug is not reproducible.

BSD ftpd single byte buffer overflow

A one-byte buffer overflow was reported last week in the ftpd server provided with BSD.

This week's updates:

Previous updates:
DNS-based IRC server denial-of-service vulnerabilities

See the December 14th LWN Security Summary for the original report of denial-of-service vulnerabilities and more in multiple IRC clients, including BitchX 1.0c17-2 and earlier.

This week's updates:

Previous updates:
ethereal buffer overflow

See the November 23rd LWN Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix it.

This week's updates:

Previous updates:

Resources

ICMP Usage In Scanning

Ofir Arkin has released version 2.5 of his ICMP Usage In Scanning research paper.

Events

RAID 2001 - Call for Papers

The Call for Papers for the Fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001) has been released. The event will be held October 10-12, 2001, in Davis, CA, USA.

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
December 28, 2000