For the past four years the SANS Institute has partnered with the FBI's National Infrastructure Protection Center to compile and publish its list of the most commonly exploited IT security vulnerabilities. This list is regularly updated and revised. Earlier, I examined the latest Windows threats from the list. Now I'll cover the top 10 Linux/Unix threats.
It's important to recall that, unlike the ever-growing list of new exploits found in operating systems and applications, the SANS-FBI list prioritizes them according to the actual number of attacks seen by the organizations surveyed.
- The top Linux/UNIX threat continues to be the Internet's most popular DNS server software, BIND (Berkeley Internet Name Domain). Buffer overruns and cache poisoning are common attack vectors, and the various exploits mainly succeed because administrators fail to upgrade BIND to more secure versions or are running the BIND daemon ("named") unnecessarily—it should not be enabled except on specified DNS servers. The BIND team is quick to patch vulnerabilities so it's the responsibility of administrators to keep up with the patches if they choose to run BIND.
- Next on the list is the generic Linux/UNIX Web server, which includes Apache and other servers. Threat management mostly consists of updating to fix newly discovered vulnerabilities. SANS recommends the use of open source vulnerability scanners such as Nessus or SARA to assist in security management. You can also harden a Web server by removing all unused features and software since this reduces the number of potential new vulnerabilities.
- The third-rated vulnerability is the password (and other authentication methods). Weak user passwords, especially weak administrator-level passwords, continue to plague the security of Linux/UNIX systems. Be especially careful to identify and remove any default user accounts and passwords.
- Fourth are version-control systems, specifically the most popular, Concurrent Versions System (CVS) and Subversion, which have known vulnerabilities and have anonymous access to online databases. The best defense is proper configuration and frequent patching/updates.
- E-mail services are the fifth most common attack vectors. Sendmail is still the most widely used mail transport agent (MTA) on Linux/UNIX, and it has a number of vulnerabilities. Qmail, Courier, Exim and Postfix are newer alternatives with their own vulnerabilities. Frequent patching and proper configuration are the best defense. One of the big problems is that Sendmail is very complex, so simpler MTAs were created, while add-ons were quickly developed and added to provide the functionality of Sendmail. Since these are third-party enhancements, it is very difficult to track new vulnerabilities in all of these add-ons.
- It should come as no surprise that a remote network management tool poses considerable risks to networks, and SNMP, which is usually enabled by default, comes in as the sixth most commonly exploited weakness. Disable SNMP if possible; otherwise run SNMPv3 and make certain you keep SNMP 1 and 2 patched if you are forced to use those.
- Multiple vulnerabilities in the OpenSSL encryption tool library makes this number seven on the list. The best defense is a properly configured firewall and a periodically patched version of SSL.
- Enterprise NIS and NSF Servers that haven't been configured properly are the next biggest threat. Patch, disable any unnecessary daemons, and beef up your firewall to protect against this, the number eight threat.
- Databases are designed to be accessed but vulnerabilities can sometimes let remote attackers exploit the open nature of these applications to piggy-back their way into a network. Patching and proper configuration are the best ways to combat this threat, which is rated number nine.
- Kernel vulnerabilities round out the list at the tenth position. Protection is a highly complex problem and specific to each vendor and version.
Although the two lists (Windows and Linux/UNIX) are each listed in order of decreasing threat levels, there is no correlation between the two lists; that is, there is no analysis provided as to which OS is more secure or whether a vulnerability being sixth on the Linux/UNIX list is responsible for as many successful attacks by percentage, as the number six threat on the Windows top 10 list.
This is not a tool for determining which OS to use; rather, it is a guide to know which threats deserve the most attention within each category, so don't read too much into the lists. If you use them the way they are intended, then they can be extremely helpful.
Also watch for …
- Following Microsoft's lead, Oracle has announced that it will send out update bulletins on a schedule, but Oracle will do it quarterly. Initially, this has been set for 2005 as January 18, April 12, July 12, and October 18.
- Unless something changes, look for Microsoft to end support for NT 4.0 at the close of 2004. That includes security hot fix updates and paid incident support for Windows NT Server. NT Workstation 4 support has already ended.