[ISN] Linux: Testing, Security Concerns Raised
From: William Knowles (wk@C4I.ORG)
Date: Wed May 03 2000 - 02:28:03 CDT
http://www.zdnet.com/intweek/stories/news/0,4164,2558624,00.html
By Charles Babcock, Interactive Week
May 1, 2000 11:50 AM PT
A security hole has appeared in a recent version of Red Hat Linux, and
a security expert said it highlights a more general weakness in open
source code products: no quality assurance testing before hitting the
market. Officials at Red Hat disputed the assertion, but moved quickly
to close the hole.
The security opening came as a surprise to some Linux users, who have
considered the operating system (OS) either so well-designed or so
obscure that it didn't have the same security problems as Windows. Now
most parties agree that is not the case. The appearance of a security
issue at a time when users are still asking for more applications is
unlikely to bolster the fortunes of Linux stocks, which tumbled faster
and farther than general technology issues in April.
Quality assurance and security aren't the only issues: Outside of a few
suites, there is a lack of widely available office software; consumer
versions of the OS are relatively untried; and open source code's
open-ended nature, with many developers working on different parts of
the system, makes some information technology (IT) managers nervous about its
predictability. Under an open source code approach, each development
group adds changes to the system on top of a shared, underlying kernel
or system core.
IT managers worry that variations in the OS will spring up between
competing versions, which in addition to Red Hat now include Caldera
Systems, Corel, Debian, Lineo, Macmillan Software, MandrakeSoft, SuSE,
TurboLinux and Yellow Dog, and that the inconsistencies may affect
performance or the systems' ability to work together.
For example, a backup software package from Legato Systems works
without adjustment on Caldera, MandrakeSoft and RedHat, but failed
when used on Debian systems, said Tom Stoddard, database administrator
at BFGoodrich's Avionics division in Grand Rapids, Mich. IT managers
want someone who is under a contractual agreement with them to be
responsible for the software they use, said Judith Hurwitz, president
of the Hurwitz Group.
Helpful or hazardous?
They also don't want to worry about security holes. But, noted David
Sifry, chief technology officer at Linuxcare, a San Francisco-based
technical support organization, "To think that Linux doesn't have bugs
is frankly ludicrous."
"Open source code is great for rapid development, but there's no
quality assurance role in the typical open source project the way
there is in commercial software. It's a hobby for people," said Chris
Rouland, director of the bug identification task force at security
package vendor Internet Security Systems.
Quality assurance checks are a battery of tests that commercial
software undergoes before being released to customers to stress a
product's integrity and resilience in the face of unexpected events.
But in early April, Red Hat started shipping Red Hat 6.2 with an
updated clustering package, Piranha, with a default log-in and
password meant to help a systems administrator get Piranha up and
running remotely. After initially configuring a Piranha server, the
administrator was supposed to set a secret password for future use.
Users installing Red Hat 6.2 who selected the "install all" option
loaded Piranha onto their servers, giving an outsider with knowledge
of the default log-in and password on the server an automatic entry
point or "backdoor."
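The exposure described above is a shipped admin account whose password the administrator was expected to change but often didn't. The check a practitioner would want is to audit the credential store an admin interface reads against a list of known defaults. The script below is an added example, not code from the article or from Red Hat's Piranha package: it assumes the interface keeps credentials in Apache htpasswd format (tested here for the `{SHA}` scheme and plain-text entries), and the default-credential list and sample file are constructed for illustration, since the article names no credential values.

```python
"""Audit an htpasswd-style file for accounts that still accept a known default password.

Added example (not from the article or from Red Hat). Assumptions: Apache htpasswd
format; '{SHA}' entries and plain-text entries are verified, other schemes
(APR1-MD5, bcrypt, crypt) are reported as untested rather than silently passed.
"""
import base64
import hashlib
from typing import List, Optional, Tuple

# Constructed list of (user, password) pairs to try. Replace with the defaults
# documented for the package being audited; none of these come from the article.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("piranha", "piranha"),
]


def sha_htpasswd(password: str) -> str:
    """Apache htpasswd '{SHA}' scheme: '{SHA}' + base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(stored: str, candidate: str) -> Optional[bool]:
    """True/False when the stored value can be checked, None when the scheme is unsupported."""
    if stored.startswith("{SHA}"):
        return stored == sha_htpasswd(candidate)
    if stored.startswith("$") or stored.startswith("{"):
        # $apr1$ (APR1-MD5), $2y$ (bcrypt), other {SCHEME} prefixes: not implemented here.
        return None
    if len(stored) == 13 and " " not in stored:
        # Likely traditional crypt(3); cannot verify portably, so report as untested.
        return None
    # Apache accepts plain-text passwords on some platforms; compare directly.
    return stored == candidate


def audit_htpasswd(text: str, defaults=DEFAULT_CREDENTIALS) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (matches, untested): accounts that accept a default password, and
    accounts whose hash scheme this script could not test."""
    matches: List[Tuple[str, str]] = []
    untested: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        for d_user, d_pass in defaults:
            if d_user != user:
                continue
            result = verify(stored, d_pass)
            if result:
                matches.append((user, d_pass))
            elif result is None:
                untested.append(user)
    return matches, sorted(set(untested))


# Constructed sample file. 'piranha' still has its default password, 'admin' uses
# an APR1-MD5 hash this script does not check, 'operator' has a non-default password.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample, not a real package's credential file",
    "piranha:" + sha_htpasswd("piranha"),
    "admin:$apr1$saltsalt$0123456789abcdefghijkl",
    "operator:" + sha_htpasswd("Xk9#long-passphrase"),
    "",
])


if __name__ == "__main__":
    found, skipped = audit_htpasswd(SAMPLE_HTPASSWD)
    for user, pw in found:
        print(f"DEFAULT PASSWORD STILL SET: {user} accepts {pw!r}")
    for user in skipped:
        print(f"untested (unsupported hash scheme): {user}")
```

Run it against the credential file the admin interface actually reads; any entry in `matches` is the backdoor the article describes, and entries in `untested` still need a manual check rather than being assumed safe.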
"Even if a user had no plans to use Piranha, the backdoor existed on
that machine [loaded with install all]. Red Hat did not document it,"
Rouland said.
Red Hat's officials countered that the Piranha remote access, including
the log-in and default password, were described in the Red Hat 6.2
documentation. The company decided to give system administrators
automatic remote access because in many cases Piranha clusters are
initiated without monitors or keyboards attached to the servers.
"It may have been naive, but that's what we decided. It happened because
people said they wanted to configure Piranha over the Web," said Erik
Troan, director of engineering at Red Hat.
Troan disputed Rouland's claim that more testing would have found the
opening. "It was a wrong judgment to include it [the log-in and
default password], but we shipped Red Hat 6.2 knowing it was there.
More testing would not have changed that."
Rouland said ISS rated the hole at its highest level, 5, because a
hacker using it could "execute arbitrary commands against the server"
and would likely be able to alter content being posted on a Web site.
The degree of mischief that could be committed would depend on the
privilege level set for the Web server, he said.
Linuxcare's Sifry said the exposure would have the most impact on
commercial Web servers, but their administrators were the ones least
likely to use "install all" upon installation. Systems administrators
don't load up their servers with extraneous software that won't help the
Web server do its job, he said.
Linux drives 29 percent of all Web servers, according to surveys by
Netcraft, but Red Hat said it doesn't know what percentage run on its
distribution.
*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*
ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".