Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sun Security Patch Introduces Security Hole

Posted by CowboyNeal on from the patches-for-patches dept.

Rich0 writes "Sun is announcing that their 'Security Hardening Package' for their Cobalt RaQ 4 Linux servers allows remote users to execute arbitrary code. Ironically, the solution is to remove the package, potentially removing protection from other compromises. There's a CERT advisory, as well as an article posted on Extremetech." Yikes, one would hope there's a forthcoming patch in the works.

13 of 265 comments (clear)

  1. Big Honking Deal! by svvampy · · Score: 4, Insightful

    Bugs happen every day.

    Patches are generated in response to those bugs

    Patches sometimes generate further bugs

    Sometimes these bugs involve security. D'oh

    profit?

  2. Yet Another Reason No One Takes Linux Seriously by SuperDuG · · Score: 5, Funny
    Well take a look people...

    MS: doesn't release bug fixes because their are no bugs. Only security updates and service packs to appease people.

    Sun: releases a bug fix with an even bigger bug.

    Linux: released bug fixes quickly.

    And that's it, linux will forever be in last because of the fact they can't follow simple rules. You would think that everyone had a copy of Linux's source the way bugs are spotted and fixed so quick .. sheesh. Perhaps we should try and sell the source of linux to India?

    PS - that was sarcasm ...

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:Yet Another Reason No One Takes Linux Seriously by haggar · · Score: 4, Insightful

      It was a patch for Linux. So, as you see, Linux is gaining momentum, after all (according to your logic)?!

      --
      Sigged!
  3. Man speaking to cylist by roadside by kfg · · Score: 5, Funny

    "What on *earth* are you doing there?"

    "I'm ripping the patch off this inner tube."

    "You're taking the patch off? Whatever for?"

    "Well, you see, it's got this big hole in it."

    "Ummmmmmmmm, are you *sure* you know what you're doing?"

    "Don't worry, I can patch the patch when I get home and then nail it back on."

    KFG

  4. we cobalt owners call this par for the course by kraksmoka · · Score: 5, Informative
    as a proud owner/admin of a Cobalt Raq2, i'd like to announce that this is not the end of the world to us, no matter how bad it looks on the front page of /.

    that particular machine runs a custom rolled distro of Red Hat 6.2 and has been known to be very reliable, and have mild issues from updates. every one of the holes it covers has some sort of workaround, which those admins have probably employed already.

    i'd like to take this opportunity to complement the Cobalt Raq Users List members as well. without people like bruce timberlake, jeff lasman, steve werby (a /. contributor) and a whole host of others (can't name everyone) the raq has a vibrant community of admins willing to help even the newbiest of owners.

    my machine runs on a lovely 64-bit mipsel processor from MIPS and is one of the dutch (sun bought cobalt a while back, it started on the other side of the pond) original models. they are tremendously power efficient, quiet and dependable boxen. mine uses a dinosauric 2.0 kernel and modified red hat 5.1 , and runs php 4.1.2/mysql like a champ.

    not only that, but the cobalt raq IS a web appliance. In other words, its not really meant to do all that out of the box (back then anyway). today's raqs run a full gamut of oss and free software, and come pre-installed with everything you need as a webmaster.

    it is an oustanding machine for NT admins to learn how to switch over, with the cushion of a working system to learn from.

    yes, sun doesn't always get it right, but they put their backs into it so to speak, and it is not unusual for a Cobalt engineer to post solutions (even unofficial ones) to the list.

    for all you cobalt users out there, you know what i'm saying, and if you're not on the list, you're missing out.

    this post has voided your warranty. peace.

    --
    "You never want a serious crisis to go to waste." - Rahm Emanuel
  5. There is a patch already by lifeless · · Score: 5, Informative

    Has *anyone* actually read the SUN announcement.

    I quote:
    ===
    5. Resolution

    This issue is addressed in the following releases:

    Intel

    * http://ftp.cobalt.sun.com/pub/packages/raq4/eng/Ra Q4-en-Security-2.0.1-SHP_REM.pkg or later
    ===

    1. Re:There is a patch already by mccalli · · Score: 5, Informative
      It's not a resolution - it's a removal procedure for the flawed patch. There's no replacement in functionality for the original.

      Cheers,
      Ian
      (Raq 4 owner)

  6. Re:Wow! by mentin · · Score: 4, Insightful
    Microsoft is the only company I've heard of who has recommended not to trust software signed by them.

    What Microsoft is saying is simply "some time ago we signed and released a piece of code. this code has bugs. don't download it. yes, it is signed but so what? don't download it anyway."

    Say I have a 3-year old PGP distribution signed by PGP Corp. It is signed. But it has known bugs (discovered long after signing). Should I install it? No. The fact that it is signed does not mean anything beyond simple fact that it was produced by particular person/corporation.

    By the way, do you know any other vendor who has been signing their software as long as MS?

    I remember Apple updates simpy downloaded unsigned code from their web server, without verifying any signature at all. So a man-in-the-middle could inject trojan.

    Linux ISO-files usually are "protected" by MD5 hash. So if you sit in the middle and can modify both ISO file and MD5 hash, you can do whatever you want with this distribution.

    --
    MSDOS: 20+ years without remote hole in the default install
  7. Exploits out in the wild, first victims show up by decarelbitter · · Score: 4, Informative

    Exploits for this vulnerability are already all over the internet, and the first boxes have been hacked. Just yesterday I read in a newsgroup that a Dutch ISP had a box cracked, probably because of this hole. So if you own a RaQ please take some extra care and look twice if you're safe.

  8. Patch Testing by anonymous+cupboard · · Score: 4, Insightful
    During a release test, you run through everything so all possible interactions are checked. This takes some time. A patch is something that gets rushed out to cure a problem in the field. It gets checked to see whether it fixes the bug but there is usually insufficient time to run it through a complete regression test. End result is that patches may introduce bugs.

    Another issue is that sometimes to fix a bug, a newer version of a code block may be used (like taking a Linux 2.5.x solution back to fix a bug in 2.4.x). This code block may have unwanted functionality (because it has been inadequately tested).

    Now all the above goes for commercial software, where there is a formal testing and 'fixit' budget. It therefore goes for free software too. Although individual teams are well motivated to sort out their software, it is more difficult to organise proper testing across teams.

    In this case, we are lucky as a single team are working on this and it was sorted out quickly. Somehow some closed source developers don't seem to be so good about quick releases of their patches, and when they do, they still contain as many bugs (IE patches anyone?).

  9. Re:Wow! by Black+Copter+Control · · Score: 5, Insightful
    The problem isn't just that you can't trust a specicificpiece of bad software. It's that -- because of the rather cockeyed way that microsoft did their DLL 'support' -- there's no way that you can just pull trust for that piece of code, or otherwise prevent it from being downloaded without removing trust for everything made by microsoft.. This leaves users in the rather wierd position of either not being able to download *any* MS active-X control (for fear that it could be the bad one) or leave themselves open to the possibility of somebody trojaning in the bad 'trusted' control and then owning your machine up kazoo..

    The problem with this Cobolt 'security' release is one of a flawed implementation. Microsoft's bug was one of tragically bad design. The latter is much harder to work around.

    --
    OS Software is like love: The best way to make it grow is to give it away.
  10. The point: Closed source == No workaround by Morgaine · · Score: 4, Informative

    I think people may have missed the point of this article, which is that Sun say that there is no workaround for the hole.

    If it is true that the vulnerability is caused by a flaw in the input validation of a CGI (common gateway interface) script, and yet there is no workaround other than removing the Security Hardening Package, this implies that the CGI validation script (overflow.cgi) is not available for modification, so regardless of what license this is under, it's effectively not open source, otherwise there would be a workaround.

    Well, we hardly need reminding of that in this forum, but perhaps somebody should make this point to ExtremeTech and to Sun. The CERT advisory rather oddly avoids this point as well, despite identifying the flawed component. It probably just shows that a company's inflexible procedures (package updates in this case) can effectively close even a theoretically open platform like the RaQ.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  11. Official patch by almaw · · Score: 4, Informative

    Oh, please read the damned advisories before claiming things that aren't true...
    The official solution is not to remove the whole package, but to install this patch:

    http://ftp.cobalt.sun.com/pub/packages/raq4/eng/Ra Q4-en-Security-2.0.1-SHP_REM.pkg

    Note that it's a flaw in the admin site scripts that causes this problem. So if you don't use that and have disabled it, then no problem. :)