Slashdot Mirror
Sun Security Patch Introduces Security Hole
Rich0 writes "Sun is announcing that their 'Security Hardening Package' for their Cobalt RaQ 4 Linux servers allows remote users to execute arbitrary code. Ironically, the solution is to remove the package, potentially removing protection from other compromises. There's a CERT advisory, as well as an article posted on Extremetech." Yikes, one would hope there's a forthcoming patch in the works.
I take back my first post thought.......I concede to defeat ...
---
You need to subscribe to security updates for *nix OS sites. I work in network security and get so many of these notifications that I needed a special email account to store these without filling/cluttering my real inbox. I laugh when the windows vs *nix debates come out on the issue of security. They both have downfalls. Even SSH had a security hole last year.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Bugs happen every day.
Patches are generated in response to those bugs
Patches sometimes generate further bugs
Sometimes these bugs involve security. D'oh
profit?
... it's like putting a screen door on fort knox
Ignore the "p2p is theft" trolls, they're just uninformed
Don't try to always be like Microsoft. People just don't like copycats.
takes too much memory,
too slow
and now insecure...
Who really want to get all those features?
MS: doesn't release bug fixes because their are no bugs. Only security updates and service packs to appease people.
Sun: releases a bug fix with an even bigger bug.
Linux: released bug fixes quickly.
And that's it, linux will forever be in last because of the fact they can't follow simple rules. You would think that everyone had a copy of Linux's source the way bugs are spotted and fixed so quick .. sheesh. Perhaps we should try and sell the source of linux to India?
PS - that was sarcasm ...
Ignore the "p2p is theft" trolls, they're just uninformed
While you have a valid point. Microsoft is the only company I've heard of who has recommended not to trust software signed by them.
BugPosted by CowboyNeal on Friday December 13, @02:29AM
from the patches-for-patches dept.
Rich0 writes "Microsoft is announcing that their 'Security Hardening Package' for their Windows 2000 servers allows remote users to execute arbitrary code. Ironically, the solution is to remove the package, potentially removing protection from other compromises. There's a CERT advisory, as well as an article posted on Extremetech." Yikes, one would hope there's a forthcoming patch in the works.
FoundNews.com - get paid to blog.,
I would like to see your answer if this was a Microsoft bug. Everybody would laugh their asses off. Hypocrites. Everybody should see it as what it is: Sun tried to do security and they screwed up. Big time. *grrrrrr*
SUNs bug me. They are expensive, they don't run Windows well, and I can't custom build one.
Please explain why SUN is good for anyone?
"What on *earth* are you doing there?"
"I'm ripping the patch off this inner tube."
"You're taking the patch off? Whatever for?"
"Well, you see, it's got this big hole in it."
"Ummmmmmmmm, are you *sure* you know what you're doing?"
"Don't worry, I can patch the patch when I get home and then nail it back on."
KFG
that particular machine runs a custom rolled distro of Red Hat 6.2 and has been known to be very reliable, and have mild issues from updates. every one of the holes it covers has some sort of workaround, which those admins have probably employed already.
i'd like to take this opportunity to complement the Cobalt Raq Users List members as well. without people like bruce timberlake, jeff lasman, steve werby (a /. contributor) and a whole host of others (can't name everyone) the raq has a vibrant community of admins willing to help even the newbiest of owners.
my machine runs on a lovely 64-bit mipsel processor from MIPS and is one of the dutch (sun bought cobalt a while back, it started on the other side of the pond) original models. they are tremendously power efficient, quiet and dependable boxen. mine uses a dinosauric 2.0 kernel and modified red hat 5.1 , and runs php 4.1.2/mysql like a champ.
not only that, but the cobalt raq IS a web appliance. In other words, its not really meant to do all that out of the box (back then anyway). today's raqs run a full gamut of oss and free software, and come pre-installed with everything you need as a webmaster.
it is an oustanding machine for NT admins to learn how to switch over, with the cushion of a working system to learn from.
yes, sun doesn't always get it right, but they put their backs into it so to speak, and it is not unusual for a Cobalt engineer to post solutions (even unofficial ones) to the list.
for all you cobalt users out there, you know what i'm saying, and if you're not on the list, you're missing out.
this post has voided your warranty. peace.
"You never want a serious crisis to go to waste." - Rahm Emanuel
Has *anyone* actually read the SUN announcement.
a Q4-en-Security-2.0.1-SHP_REM.pkg or later
I quote:
===
5. Resolution
This issue is addressed in the following releases:
Intel
* http://ftp.cobalt.sun.com/pub/packages/raq4/eng/R
===
At least they make aware the glaring weakness in their merchandise. The fact that you have to remove the patch to get rid of the weakness, yet open up others is irrelevant. Any knobhead with an IQ higher than his inseam can figure out away to get around this security hole themselves.
Aside from that, every patch in and of itself is a glaring security hole. You don't think that by examining the code in the patch you can get a general idea for how the program itself works? That's how most weaknesses are found (by the slinky malicious cracker anyway).
It all comes down to the Admin. For if he is well-minded and concerned greatly with security, none of the security holes we learn about would have much chance of being used against you.
Of all the Universal Constants, here's one I know: Nice guys finish last
What Microsoft is saying is simply "some time ago we signed and released a piece of code. this code has bugs. don't download it. yes, it is signed but so what? don't download it anyway."
Say I have a 3-year old PGP distribution signed by PGP Corp. It is signed. But it has known bugs (discovered long after signing). Should I install it? No. The fact that it is signed does not mean anything beyond simple fact that it was produced by particular person/corporation.
By the way, do you know any other vendor who has been signing their software as long as MS?
I remember Apple updates simpy downloaded unsigned code from their web server, without verifying any signature at all. So a man-in-the-middle could inject trojan.
Linux ISO-files usually are "protected" by MD5 hash. So if you sit in the middle and can modify both ISO file and MD5 hash, you can do whatever you want with this distribution.
MSDOS: 20+ years without remote hole in the default install
Exploits for this vulnerability are already all over the internet, and the first boxes have been hacked. Just yesterday I read in a newsgroup that a Dutch ISP had a box cracked, probably because of this hole. So if you own a RaQ please take some extra care and look twice if you're safe.
Another issue is that sometimes to fix a bug, a newer version of a code block may be used (like taking a Linux 2.5.x solution back to fix a bug in 2.4.x). This code block may have unwanted functionality (because it has been inadequately tested).
Now all the above goes for commercial software, where there is a formal testing and 'fixit' budget. It therefore goes for free software too. Although individual teams are well motivated to sort out their software, it is more difficult to organise proper testing across teams.
In this case, we are lucky as a single team are working on this and it was sorted out quickly. Somehow some closed source developers don't seem to be so good about quick releases of their patches, and when they do, they still contain as many bugs (IE patches anyone?).
Need help treating your acne? Come here!
You see, the user is offered an option to "always trust vendor BlaBlaBla" (is it on by default? I think so, but I am not sure since I rarely use IE). So this is much more serious then just a bug in random package since it can be installed WITHOUT USER INTERACTION. If they took time making such a system when a web page author can install software on your machine automatically, why there is no revocation scheme which allows the vendor or MS to "distrust" buggy modules and propagate this change upon user machines?
The problem with this Cobolt 'security' release is one of a flawed implementation. Microsoft's bug was one of tragically bad design. The latter is much harder to work around.
OS Software is like love: The best way to make it grow is to give it away.
But is that a fire there next to your frying pan?
paintball
I think people may have missed the point of this article, which is that Sun say that there is no workaround for the hole.
If it is true that the vulnerability is caused by a flaw in the input validation of a CGI (common gateway interface) script, and yet there is no workaround other than removing the Security Hardening Package, this implies that the CGI validation script (overflow.cgi) is not available for modification, so regardless of what license this is under, it's effectively not open source, otherwise there would be a workaround.
Well, we hardly need reminding of that in this forum, but perhaps somebody should make this point to ExtremeTech and to Sun. The CERT advisory rather oddly avoids this point as well, despite identifying the flawed component. It probably just shows that a company's inflexible procedures (package updates in this case) can effectively close even a theoretically open platform like the RaQ.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Bugs happen every day.
Are you insinuating we should just ignore bugs from now on? Especially one that "allows remote users to execute arbitrary code". Seems newsworthy to me, even if it's not a Microsoft bug.
Oh, please read the damned advisories before claiming things that aren't true...
a Q4-en-Security-2.0.1-SHP_REM.pkg
:)
The official solution is not to remove the whole package, but to install this patch:
http://ftp.cobalt.sun.com/pub/packages/raq4/eng/R
Note that it's a flaw in the admin site scripts that causes this problem. So if you don't use that and have disabled it, then no problem.
A maintainance release for Solaris 8 enabled additional features in BIND 8 which were known to be vulnerable at the time the maintainance release was shipped. Previous versions lacked the feature and thus the vulnerability.
Of course, this was much more dangerous than the current case because it had already been claim that Solaris 8 was not affected by that BIND bug.
http://www.trustworthycomputing.com
This is pure FUD. You don't have to turn on "Always trust Microsoft Corp" to donwload any control. For every control you decide whether you want to download it or not. Signature only verifies that it is coming from Microsoft, nothing more. You should decide yourself whether you want particular control or not. Signature verify the origin, not content.
Just like in Sun's situation: some fixes are broken, some are not. You decide install or not. You should know what you are installing - security vulnerability or a fix.
Microsoft's bug was one of tragically bad design.
Where is bad design? I am sure that if Sun signs their patches, both bad patch and a fix are signed by same key. A key per file is just stupid and does not make any sense. You don't want to turn your PKI infrastructure into file-recall infrastructure. When PGP found a bug in their software, they did not recall the public key used to sign previous builds. They simply released a fix, and singed it (probably by same key, but I can't verify this).
OK, happy Microsoft bashing.
MSDOS: 20+ years without remote hole in the default install
In september a few pages belonging to Norwegian police were hacked, among those www.okokrim.no - the unit that indicted Jon. They seem to have moved their sides to a Cobalt server, in New York, it seems ... Ready! Aim! Hack!
Anyone who's been a Sun administrator has seen Sun screwup patch packages (breaking something during the fix). This is not news. What is going to happen is that in a week or two (or months, depending on the severity or difficulty to fix), Sun will release yet another patch package that will resolve the issue.
So if you put it in, back it out. Devise your own workarounds if you think its a significant vulnerability. Security is established through design and monitoring. Firewalls, subnets, switches, ssh, checksums, login authentication, log monitoring. You can't rely on vendors to resolve your security issues. Companies can only fix the security holes that they are aware of. You're only screwed when you're stuck with an improperly designed legacy system or policies that can't be defended. But that's not Sun's fault.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Sun bugs do happen, but not that often. "Sun Security Patch Introduces Security Hole" is a pretty rare phenomenon, and even thou I don't use Sun gear, I do want to hear about it. Loud and Fast.
Have you ever actually managed a patching system for solaris? It's god aweful. At my last job I ended up writing a suite of scripts that managed all our patching and even then the patching was troublesome as numerous patches broke other things.
Sun currently has a bug in 108940-45 through -48 that they haven't fixed, and then they haven't made the last good version of the patch available.
As of two years ago sun had over 4GB of patches.
Half the problem is that everything is managed individually, so a lot of people don't actually patch until they have a direct need to do so, ie something doesn't work or they get attacked. It's too difficult to apply the latest patches and then make sure nothing was broken. I've been burned several times by sticking with the latest patches. It can easily take half of a full time employees time to keep a mmodestly sized network patched.
I'm not saying anyone is better off, but sometimes more is less.
-shane
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
If a piece of software doesn't work right or introduces severe security issues, simply remove it until it is corrected.
It's a good thing that OS developers are smart and would never be so stupid as to develop an OS that would require a high security risk software, like a browser, just to run. An OS has to be modular and highly configurable in order to do that, and that always makes more sense than a monolithic beast.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
I leased a co-located RAQ4 for a year. In that time there were a few SSH/Apache bugs. The major linux distros came out with updated packages within a day or two of the bugs being made public. The patches from Sun for the RAQs took much longer - sometimes a month or more, during which time my RAQ was vulnerable - and there was little I could do about it.
I've now transitioned to a RH Linux 7.2 server, and no longer have any problems. Though my users do miss the nice RAQ web interface.
I would suggest that anyone thinking about getting this kind of server look into the track record of the company for fixing security bugs. In my experience, Sun is VERY slow with the Raq's, and I would never buy / lease one again.
There are workarounds though including removing the offending package. This is NOT Solaris, it's just a Linux distribution on the Cobalt RaQ. In my honest opinion though I would no longer recommend a Cobalt RaQ to anyone anymore since Sun bought the company. They have gone downhill and patches take months to come out. We didn't get a patch for the Apache ROOT EXPLOIT for over 2 months! Thankfully there is a dedicated community that helps to support the product and there was a workaround using the mod_blowchunks, or you could recompile Apache yourself, but then why pay $4k for an appliance if you're compiling shit? I could just get a $500 x86 box and install Debian on it. Anyway, when it comes time to replace the raq4's I guess we'll just have to hack together scripts to do everything the RaQ did as far as GUI administration or maybe try one of those packages.
Why would anyone want to slam sun?? Its not like they have tried to be monopolistic or anything. Well, they at least certainly haven't done anything Microsoftish.. I mean look at the wonderful job they have done with JAVA.
Note: To those of you who are looking for an argument I am being sarcastic. I run Linux; and hate ms/anyone else who doesn't embrace Open Source. Except China.
-=You might be a geek if your computer is worth more than your car=-
No, it would be more like this:
Rich0 writes "Steve Balmer from Microsoft is announcing that their 'Security Hardening Package' for their Windows 2000 servers to be released in March of 2003 includes a new feature that allows remote users to execute arbitrary code."
Repeal the DMCA!
I remember a patch for Solaris9 that deleted /)
your entire file system. (equiv. of rm -rf
Presumably an undefined variable in a shell script.
i.e. was something like rm -rf $OLD/
If anyone really wants details reply to this.
Sun OS.
You mean Solaris, right? SunOS rocked.
The "Security Hardening Package" makes security harder (to implement). For some reason, I'm suddenly reminded of Marvin Martian's "ACME Disintegrating Pistol".
Well excuuuse me! Ask a legitimate question, that is on topic, and I get attitude from moderators with too much power to fling around.
I hope someone patches your hole, because you were moderating out of your butt today, mods.
This is slashdot : trolls get's modded +5 Funny or +3 informative. It's better than TheRegister who's written directly in troll.
-Linux is SO fast it does an infinite loop in 5 seconds.
Isn't that this whole thing got started in the first place? Instead of a security patch they should release a "zero security" patch. If they're consistent, using the powers of reverse psychology it will be the most secure system ever developed.
that OS's commonly in use today were originally created for functionality and hardware support, not for "security", and that the foundational structure of these OS's (if not the code itself) predates the advent of the ubiquitous Internet. Trying to shoehorn security into them as an afterthought is often like trying to fit a round peg into a square hole.
The question is, will this unceasing paranoia about "security holes" lead to better software, or terrible software?
Yes there are secure OS's.
MVS or Windows (without a network card).
I so told you that Microsoft was a trend-setter.
You owe me a buck, man.
Keep your packets off my GNU/Girlfriend!
your right they dont back open source at ALL
nope not backing it at all
and well your at it do me a favor and call the gnome developers and ask them if sun has thrown any money their way.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
f#@$ GNOME, it's the biggest slowest piece of $#!T I've seen. And Sun did contribute towards it in the way of development you d!@$#ead.
Precisely. There is no way for a user to say that "this version is bad. don't even offer to install it". MS can't use a different signature, and the MS EULA may even make it illegal for a user to disect to file to find out if it's realy trustable. MS's signature system was designed by marketing. It didn't take into account the possibility that their own code might have to be marked as bad.
Bad design.. Nothing a user can (legally) do about it
OS Software is like love: The best way to make it grow is to give it away.
Here it is: Ø
If you find a bug or want additional features, just submit a report and we'll fix it and issue a patch.
Security hole introduces Security PATCHES
To the person who feels the need to Moderate me down to Bad Karma: DONT It is a bunch of shit. And stop fucking up my Karma!
---
And KDE is fast?!!
Dear Emily:
I recently read an article that said, "reply by mail, I'll summarize."
What should I do?
-- Doubtful
Dear Doubtful:
Post your response to the whole net. That request applies only to
dumb people who don't have something interesting to say. Your postings are
much more worthwhile than other people's, so it would be a waste to reply by
mail.
-- Emily Postnews Answers Your Questions on Netiquette
- this post brought to you by the Automated Last Post Generator...