
RE: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!



Zeffie wrote:

> The recent RaQ4-en-Security-2.0.1-SHP.pkg allows a remote 
> attacker to cause system crashes.  To avoid this I suggest
> you disable the Scan Detection in Parameters by selecting
> "do nothing".  Else you might not be happy...

Not installing the recent SHP package can allow a remote attacker to cause system crashes. Go figure.

> I have written a small script that can reproduce the problem 
> consistently.

In about thirty seconds I could write a script which will cause a remote RaQ, hardened or not, to suffer resource exhaustion and die horribly. It's really not hard. You could always just prod ports 21/22/23/25/80/110 until the system suffers from "too many open files", or has too many FDs open. Do it long enough and the machine will crash.

Perhaps I have a different approach to security than most (and warning, analogy haters, as this is a long one):
I make sure my doors are locked and bolted, that nobody else has a copy of the key, and I then keep a watch of the door. If someone tries unlocking my wall I don't care; it has no locks to open.
If they look through the window in my door then fine, that's cool, that's what it's there for. But I saw them do it.
If they try to batter my door in or use a pick to open the lock then I note the damage and do something about it.
If they get in, I call the police.

Back in Cobalt land, that equates to:

1. Make sure you have the most recent versions or most secure versions of software offering publicly available services.
2. Don't worry if someone tries to connect to port 8081/12345/31337/whatever - you aren't running things on those ports, right? And even if you are, they are *supposed to be there* for the public to see! If they're not supposed to be publicly accessible, put some access controls on them (.htaccess, tcpwrappers, ipchains, whatever).
3. Examine your logs regularly
4. If you see someone trying to exercise a potential hole in one of your services, make a note, check for new versions, install them. As a last resort block them out.
5. Run something so *you know* if someone gets in.

You can install all the widgets, whistles and bells you want but there is NO alternative to keeping on top of your server(s) and logfiles. There are a hundred and one ways to skin this particular cat; almost all of them have flaws and almost all of those flaws are capable of being worked around.

Anything that Sun, or any other third party can generate to assist you in this role is something to be thankful for. Just make a note of the potential pitfalls, work around them, and move on.

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
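The five-point list in the message above (serve only what you mean to serve, ignore knocks on ports you don't serve, read the logs, note repeated attempts on real services, know when access control has already stopped someone) written out as a small log triage script. This is an added example and not code from the original post, from Sun or from Cobalt. Everything in it is assumed: the log formats (ipchains "Packet log:" kernel lines and tcpd "refused connect from" lines), the set of served ports, the review threshold, and the sample log lines, which are constructed rather than captured from a real RaQ.

```python
"""
Log triage in the spirit of 'watch the door, ignore the wall'.

Assumptions (none of this comes from the original thread):
  - kernel firewall lines look like ipchains "Packet log:" output
  - tcpwrappers refusals look like "<service>[pid]: refused connect from <host>"
  - the host deliberately exposes only SERVED_PORTS
  - SAMPLE_LOG below is constructed for the example, not a real capture
"""
import re
from collections import defaultdict

# Ports this host is supposed to serve (ftp, ssh, telnet, smtp, http, pop3).
SERVED_PORTS = {21, 22, 23, 25, 80, 110}

# ipchains kernel log: "Packet log: <chain> <action> <if> PROTO=<n> SRC:SPORT DST:DPORT ..."
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
# tcpd (tcpwrappers) refusal, e.g. "sshd[2214]: refused connect from 203.0.113.5"
TCPD_RE = re.compile(r"(?P<service>[\w.-]+)\[\d+\]: refused connect from (?P<src>\S+)")


def parse(line):
    """Return (src, category, detail) for a line we understand, else None.

    category is one of:
      unserved - a port we don't offer: the 'wall with no lock', noise
      served   - a port we do offer: expected, but worth counting per source
      refused  - tcpwrappers already turned it away: access control working
    """
    m = IPCHAINS_RE.search(line)
    if m:
        dport = int(m.group("dport"))
        return m.group("src"), ("served" if dport in SERVED_PORTS else "unserved"), dport
    m = TCPD_RE.search(line)
    if m:
        return m.group("src"), "refused", m.group("service")
    return None


def triage(lines, review_threshold=3):
    """Summarise activity per source and list the sources a human should look at.

    A source is flagged for review when it hits served ports at least
    review_threshold times (someone working the lock rather than glancing at
    the window) or when tcpwrappers has refused it at all.
    """
    summary = defaultdict(lambda: {"served": 0, "unserved": 0, "refused": 0, "ports": set()})
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                      # lines we don't recognise are left alone
        src, cat, detail = parsed
        summary[src][cat] += 1
        if cat == "served":
            summary[src]["ports"].add(detail)
    review = sorted(
        src for src, s in summary.items()
        if s["served"] >= review_threshold or s["refused"] > 0
    )
    return dict(summary), review


# Constructed sample log (not real traffic): one port-prodder, one source
# hammering ssh, one refused by tcpwrappers, one ordinary SMTP client.
SAMPLE_LOG = """\
Jan  5 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1025 192.0.2.10:31337 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Jan  5 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1026 192.0.2.10:12345 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Jan  5 03:12:02 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.2.3:1027 192.0.2.10:80 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#1)
Jan  5 03:15:40 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:40001 192.0.2.10:22 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#1)
Jan  5 03:15:41 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:40002 192.0.2.10:22 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#1)
Jan  5 03:15:42 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:40003 192.0.2.10:22 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#1)
Jan  5 03:20:09 raq sshd[2214]: refused connect from 203.0.113.5
Jan  5 03:21:00 raq kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.77:5000 192.0.2.10:25 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#1)
""".splitlines()


if __name__ == "__main__":
    summary, review = triage(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src:16} served={s['served']} unserved={s['unserved']} "
              f"refused={s['refused']} ports={sorted(s['ports'])}")
    print("review:", ", ".join(review) or "nothing")
```

Note what the script does not do: it does not block anyone. Per point 4 of the list, a flagged source gets a look at the logs and a check for newer software first; blocking with tcpwrappers or ipchains stays the last resort.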