Monday 1 December 2003

On Debian's compromised servers

Debian (a Linux distro, if you've never heard of it) have posted a description of what led to some of their servers being compromised:

Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

A few things bear noting:

  • Linux does have security vulnerabilities. Natch.
  • This bug was not caught by the alleged millions of Linux developers inspecting the source code; it was caught after someone broke into a bunch of servers.
  • It took two months for Debian, allegedly one of the fastest at releasing new versions, to produce a downloadable source and binary update.
  • Kernel 2.4.22 was allowed to be released even though a known, seriously exploitable information disclosure and root compromise problem existed within it.

In this situation, Torvalds should have held back 2.4.22 until this fix could be included, IMO.

Also note that the patch has only been made available for kernel 2.4.18 on Debian, according to this message. I tried looking on www.debian.org to see if any other versions were available, but every page other than the front page comes up in Swedish under IE 6.0. Mozilla 1.4 works fine. Draw your own conclusions.

I don't see how this problem could ever have been rated anything less than Critical, even if not directly remotely exploitable.

(Via Ian.)
