CentOS forums (www.centos.org), CentOS 6 - Security Support

Workstations remotely vulnerable, servers exposed to DOS attacks
#1  Workstations remotely vulnerable, servers exposed to DOS attacks
Jr Board Member, joined 2011/3/29, from Slovenia, 43 posts

I don't see any special warnings on the CentOS web page or in the forum, so I thought I'd post this here for the sake of the less experienced users.

I hope everybody is aware that CentOS 6.0 is not receiving any security updates. The situation has been ongoing ever since RHEL 6.1 came out, May 19, 2011. This, i.e., leaves all C6 workstations which use stock Firefox 3.6.x open to several remote vulnerabilities, leading to Firefox crash or arbitrary code execution. Upstream security advisory here, published 2011-06-21 and here, published 2011-08-16. And as of yesterday, all C6 servers running Apache aren't getting a crucial security fix. The latest Apache available in C6 is vulnerable to a DOS attack; an attack tool is circulating in the wild. Upstream security advisory here, published 2011-08-31. Just a heads-up to everybody. In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment. Act now if you haven't already.

Posted on: 2011/9/1 20:59
#2  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Moderator, joined 2007/10/22, from ~/Earth/UK/England/Suffolk, 9138 posts

I shall politely ask you to refrain from spreading such FUD. There is the continuous release [cr] repository which provides all security updates, bug fixes and patches prior to the official release of CentOS 5.7. Please now go and make a study of the CentOS mail archives.

Posted on: 2011/9/2 17:11
#4  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Moderator, joined 2006/9/3, from California, US, 6921 posts

Not yet. The last time the 6.0/cr was mentioned was in this post by Karanbir Singh on the centos-devel mailing list. Now it is not clear which comes first, the 6.0/cr or the 6.1 release.

Posted on: 2011/9/2 19:02
#5  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Jr Board Member, joined 2011/3/29, from Slovenia, 43 posts

Quote:
I shall politely ask you to refrain from spreading such FUD. There is the continuous release [cr] repository which provides all security updates, bug fixes and patches prior to the official release of CentOS 5.7. Please now go and make a study of the CentOS mail archives.

My best guess is that you have misread or misplaced my post; otherwise I can't imagine why you would be mentioning CentOS 5.7 when I'm clearly talking specifically about CentOS 6 and posting in the CentOS 6 section of the forum. I chuckled a bit when you sent me to make a study of the CentOS mail archives (which, I assure you, is equally misguided as the rest of your post), but I guess that's understandable if you thought that I'm needlessly flaming CentOS. Hell, I'd be less polite than you were, so that's ok. But I do believe that you're wrong and politely ask you to retract your statement that I'm spreading FUD. All the statements in my opening post are correct and easily verified by any interested party.

I'm not here to pick a bone or to start a mile-long worthless thread about the current state of CentOS in general. I know that the developers are working hard and god knows I understand how time flies by. But that doesn't change the reality of things. I'm concerned that not enough users will read this forum. I wish there were a general warning in a prominent place, like on the first page of centos.org or within the C6 release notes. Nothing earth-breaking, just a simple note that currently no updates are issued for C6 and perhaps some of the most crucial vulnerabilities stated. That would be the responsible thing to do, wouldn't it?

Posted on: 2011/9/3 3:55
#6  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Moderator, joined 2006/9/3, from California, US, 6921 posts

I believe you are correct, lightdot, in what you are saying. Alan must have misread your post. Humans make mistakes (whose song was this? Billy Joel?) And yes, CentOS has problems.

Speaking of the cr repo for 6.0, Karanbir Singh posted this a short while ago [1]:
Quote:

We will see how that goes...

(1) http://lists.centos.org/pipermail/centos/2011-September/117161.html

Posted on: 2011/9/3 13:36
#7  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Professional Board Member, joined 2006/12/30, from Colorado, USA, 457 posts

Just to clarify, that means that until further notice,

    # yum update

will always return with no packages to update? If so, is that until v6.1 is released, or will security patches start to trickle in?

Posted on: 2011/9/4 3:32
#8  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Jr Board Member, joined 2007/4/13, 48 posts

Quote:
In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment.

Let's not go overboard. There are cases where having vulnerable services or applications is not a major issue (because services such as Apache are only made available to more or less trusted parties, for instance) and there are boxes which do not even have anything as easily exploited as Firefox installed. Keep in mind the boxes which have received the upstream updates in a timely fashion were vulnerable to these issues before the updates were released and that they're vulnerable to other issues right now. You can't rely on software like Firefox to be impervious to exploitation unless you disable lots of features.

Posted on: 2011/9/4 6:01
#9  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Professional Board Member, joined 2005/12/19, from /earth/usa/nj, 1483 posts

Quote:
vonskippy wrote:

Correct, or at least until 6.1 is released. As per post 2 and post 4, once the Continuous Release (CR) repo is established for CentOS 6 and you enable the repo (i.e., install the release package), the advance 6.1 updates will become available as they are built. After the CR repo is enabled, you will also receive advance updates for future point updates (i.e., 6.2, 6.3, ...). So for both CentOS 5 and 6, you will need to take a one-time action to enable the CR repo. The availability of the CentOS 6 CR repo will be announced much like the one for CentOS 5 was.

Posted on: 2011/9/4 17:49
#10  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Jr Board Member, joined 2007/7/10, 33 posts

h_fat wrote:
Quote:
In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment.

I couldn't agree more. A number of the vulnerabilities (both server and desktop based) have easy-to-find exploits available on the web. This very serious problem isn't mentioned anywhere on the web site. In fact, the front page states the opposite:

"Since upstream has a 6.1 version already released, we will be using a Continuous Release repository for 6.0 to bring all 6.1 and post-6.1 security updates to all 6.0 users, till such time as CentOS-6.1 is released itself."

"CentOS has numerous advantages over some of the other clone projects including: ... quickly rebuilt, tested, and QA'ed errata packages"

For a distro which prides itself on the Enterprise in its title, this is extremely irresponsible. I still don't understand why the CentOS devs don't seriously accept offers of assistance, or behave in a more transparent manner. It seems like they are more interested in an ego trip than a reputable, secure product.

Posted on: 2011/9/19 16:56
#11  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Jr Board Member, joined 2007/7/10, 33 posts

The CR repository is now available for 6.0, which has many of the critical updates; apparently all should be up in a few days. Still a bit sad that CentOS isn't secure by default, requiring additional configuration to get many critical fixes. All too little, all too late, I think.

https://www.centos.org/modules/newbb/viewtopic.php?topic_id=33458&forum=53
http://wiki.centos.org/AdditionalResources/Repositories/CR

Posted on: 2011/9/27 3:37
#12  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Newbie, joined 2011/12/12, 2 posts

I'd love to see some updates.

I'm an information security professional and one of my top pet peeves is no security updates! CentOS bills the project as free enterprise-level Linux. Indeed, were any enterprise product to not release security updates, said product owner would quickly be out of business due to litigation! There are vulnerabilities from 2009 in the current release! I don't gripe without documentation; attached is an OpenVAS scan of a virtual machine in my test lab. I'll be passing said report around during our weekly meeting, as there has been some interest in CentOS. I sincerely doubt our clients will be interested in it. They'll just go with RHEL and a contract.

Posted on: 2011/12/12 2:34
#13  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Newbie, joined 2011/12/12, 2 posts

Well, I couldn't upload the file, as the directory permissions on the server are wrong to permit it.

From the folks with "enterprise class" software. I'll be nice and await an official response before I put a web block on CentOS's sites.

Posted on: 2011/12/12 2:52
#14  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Moderator, joined 2009/9/24, from Brighton, UK, 6376 posts

If you're just running openvas/nessus and taking any vulnerabilities that they find at face value, then you need to investigate further. A large number of nessus tests just examine the reported version number of the product as reported in the service banner, and this leads to a lot of false positives. Red Hat backports security fixes to the older releases and keeps the version numbers the same, so a check that says to itself "are you running 5.0.0 of this product, oh dear there's a problem" will give a false positive on RHEL-based systems where the fix from 6.0.0 has been backported while they still ship 5.0.0 of the product.

You need to grab a CVE number then run and even then you cannot tell if it's a false positive for sure. Next step is to google CVE-xxx-xxx +site:redhat.com and see if there is a RH bugzilla entry about that CVE. Many times this will say "CVE-xxx-xxx is not applicable to the version shipped with RHEL x because..."

_________________
Linux/VoIP Systems Administrator

Posted on: 2011/12/12 9:16
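The banner-versus-backport problem described in the post above, as an added example that is not from this thread or from CentOS: a scanner-style version comparison beside a check against the output of `rpm -q --changelog <package>`, which on RHEL-family systems lists the CVEs fixed in each package build. The changelog text, CVE ids and release strings are constructed placeholders, and the changelog check is an assumed local triage step, not the vendor bugzilla lookup the post recommends.

```python
import re

# Constructed sample of `rpm -q --changelog httpd` output. The CVE ids and
# package release strings are placeholders, not real Red Hat/CentOS data.
SAMPLE_CHANGELOG = """\
* Wed Sep 07 2011 Example Maintainer <maint@example.invalid> - 2.2.15-9.el6_1.2
- add security fix for CVE-0000-0001
- add security fix for CVE-0000-0002

* Mon Feb 14 2011 Example Maintainer <maint@example.invalid> - 2.2.15-5.el6
- add security fix for CVE-0000-0003
"""

ENTRY_RE = re.compile(r"^\* .*? - (\S+)[ \t]*$", re.MULTILINE)  # header -> release
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_version(text):
    """'2.2.15' -> (2, 2, 15): numeric compare, so 2.2.3 < 2.2.20 holds."""
    return tuple(int(p) for p in text.split("."))

def banner_check(banner_version, fixed_in_upstream):
    """The banner-matching plugin logic: flag whenever banner < upstream fix version."""
    return parse_version(banner_version) < parse_version(fixed_in_upstream)

def parse_changelog(changelog):
    """Split rpm changelog text into (package_release, entry_text) pairs."""
    headers = list(ENTRY_RE.finditer(changelog))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        entries.append((h.group(1), changelog[h.end():end]))
    return entries

def fixed_release(changelog, cve):
    """Package release whose changelog entry names the CVE, or None if absent."""
    for release, text in parse_changelog(changelog):
        if cve in CVE_RE.findall(text):
            return release
    return None

def triage(finding, changelog):
    """Classify one scanner finding: the banner alone cannot see a backported fix,
    but the installed package's changelog can (rpm only shows the installed build)."""
    if not banner_check(finding["banner"], finding["fixed_in"]):
        return "not_flagged"
    release = fixed_release(changelog, finding["cve"])
    if release is not None:
        return "backported in " + release  # stale banner, fix present
    return "unconfirmed"  # next step: look up the CVE in the vendor's bugzilla
```

A finding that comes back "unconfirmed" is not cleared: the package may simply predate the fix, which is where the post's redhat.com lookup comes in.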
#15  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Professional Board Member, joined 2009/3/23, from Netherlands, 701 posts

Amazing how some 'security professionals' fall into this little gotcha time and time again. You'd expect a 'professional' to obtain some background knowledge on the OS he (or she) is auditing. Like the documented fact that CentOS is a clone of RHEL. Like the documented fact that RHEL backports fixes.

Imagine the embarrassment when this guy has all of his clients go RHEL on these findings, only to have to confess later on that his software comes back with the exact same findings on RHEL as on CentOS. In the process damaging RHEL's reputation (with his clients) as he now is about to do CentOS's. Just because he's clueless. I'd advise his clients to go with a different 'security professional'. Ignorance is no excuse for incompetence. And arrogance does not compensate for that. On top of that he's hijacking another poster's thread, against forum rules, which he probably also did not read. Right.

Posted on: 2011/12/16 9:07
#16  Re: Workstations remotely vulnerable, servers exposed to DOS attacks
Moderator, joined 2007/10/22, from ~/Earth/UK/England/Suffolk, 9138 posts

This thread is now both redundant and obsolete.

To stop further hijackings, it is now locked. Thank you, René, for clarifying the situation for those who fail to do their "homework".

Posted on: 2011/12/16 23:48