July 09, 2002, 12:00 AM — Recently, a number of pretty devastating security problems have been
discovered. First, a bug in Apache was discovered that allows a remote
attacker to run code of their choice as the Web server user. This means
that, depending on which user you are running Apache as, the cracker could get on
as 'web', 'www-data', 'nobody', etc.
Depending on whom you ask, this vulnerability is not exploitable on
Linux, only BSD and Windows. However, GOBBLES, the security group that
proved it was exploitable on BSD (while others claimed it wasn't), hints
that they have a Linux-specific exploit as well. Upgrading to Apache
1.2.26 or 2.0.39 will solve this problem.
Next, we had a hole in OpenSSH that, under certain conditions, can leave
you vulnerable to a root compromise. You are only vulnerable if running
versions prior to 3.4 and have one or both of the following in your
Upgrading to OpenSSH 3.4 will fix this bug. The new version not only
fixes those bugs, but also enables Privilege Separation by default. This
new feature runs as much of the server as possible as a dummy user
(sshd), thus any vulnerabilities that are found should grant access to
the system as the sshd user in a chroot'ed jail at worst. This is good.
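A quick way to check whether a given sshd predates the 3.4 fix, as an added example that is not part of the original column; it parses the version string `ssh -V` prints (or the banner a server sends) and compares it against the 3.4 threshold named above.

```shell
# Constructed helper, not from the original column: report whether an
# OpenSSH version string is older than 3.4 (the release described above).
# Accepts "OpenSSH_3.3p1" (as printed by `ssh -V`) or a server banner
# such as "SSH-2.0-OpenSSH_3.2.3p1". Returns 0 if older than 3.4,
# 1 if 3.4 or later, 2 if the string is not an OpenSSH version at all.
openssh_prior_to_3_4() {
    banner="$1"
    # Pull out "major minor" following "OpenSSH_"; the "p1" patch suffix is dropped.
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1
    minor=$2
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; }; then
        return 0
    fi
    return 1
}

# Check the ssh binary on this host; `ssh -V` prints its version on stderr.
check_local_ssh() {
    v=$(ssh -V 2>&1)
    if openssh_prior_to_3_4 "$v"; then
        echo "UPGRADE NEEDED (older than OpenSSH 3.4): $v"
    else
        echo "ok: $v"
    fi
}
```

Run `check_local_ssh` on each host, or feed `openssh_prior_to_3_4` the banner collected from a server's port 22 to find machines that still need the 3.4 upgrade.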
Both of these vulnerabilities were discovered by Internet Security
Systems (ISS). Unfortunately, ISS released details about the Apache bug
with no honest attempt to provide the Apache team a chance to fix it.
Worse yet, the patch that ISS supplied did not fix the problem. ISS
contacted the OpenSSH team, who decided to fix up the Privilege
Separation code, but ISS unfortunately decided, again, that the
limelight was more important than giving vendors the appropriate time to
fix the problem. ISS released their findings five days before OpenSSH
had scheduled the updated code's release. OpenSSH released the fix
minutes thereafter, but the extra time to get PrivSep working across the
board was lost.
In spite of ISS's irresponsible disclosure, both OpenSSH and Apache
had fixes out as fast as lightning. Linux distributions were close
behind, making RPMs and .debs available for users to upgrade.
As we speak, at least one Apache worm is on the loose, attacking Apache
Web servers that have not been upgraded. That this worm is barely making
a dent is a testament both to the speed of the Apache team and the
security-minded nature of Unix administrators. I've always said, Unix is
more securable than Windows.
The last vulnerability that's recently reared its ugly head is in DNS
resolver libraries. In this case, a malicious DNS server out on the
Internet could send you an invalid DNS response that will crash or
compromise your software.