For the past four years the SANS Institute has partnered
with the FBI’s National Infrastructure Protection Center to compile and publish
its list of the most commonly exploited IT security vulnerabilities. This list
is regularly updated and revised. Earlier, I
examined the latest Windows threats from the list. Now I’ll cover the top 10
Linux/Unix threats.

It’s important to recall that, unlike the ever-growing list
of new exploits found in operating systems and applications, the SANS-FBI list
prioritizes them according to the actual number of attacks seen by the
organizations surveyed.

  1. The
    top Linux/UNIX threat continues to be the Internet’s most popular DNS
    server software, BIND (Berkeley Internet Name Domain). Buffer overruns and
    cache poisoning are common attack vectors, and the various exploits mainly
    succeed because administrators fail to upgrade BIND to more secure
    versions or are running the BIND daemon (“named”) unnecessarily—it
    should not be enabled except on specified DNS servers. The BIND team is
    quick to patch vulnerabilities so it’s the responsibility of
    administrators to keep up with the patches if they choose to run BIND.
  2. Next
    on the list is the generic Linux/UNIX Web server, which includes Apache
    and other servers. Threat management mostly consists of updating to fix
    newly discovered vulnerabilities. SANS recommends the use of open source
    vulnerability scanners such as Nessus
    or SARA to assist in security management.
    You can also harden a Web server by removing all unused features and
    software since this reduces the number of potential new vulnerabilities.
  3. The
    third-rated vulnerability is the password (and other authentication
    methods). Weak user passwords, especially weak administrator-level
    passwords, continue to plague the security of Linux/UNIX systems. Be
    especially careful to identify and remove any default user accounts and
    passwords.
  4. Fourth
    are version-control systems, specifically the most popular, Concurrent
    Versions System (CVS) and Subversion, which have known vulnerabilities and
    have anonymous access to online databases. The best defense is proper
    configuration and frequent patching/updates.
  5. E-mail
    services are the fifth most common attack vectors. Sendmail is still the
    most widely used mail transport agent (MTA) on Linux/UNIX, and it has a
    number of vulnerabilities. Qmail, Courier, Exim and Postfix are newer
    alternatives with their own vulnerabilities. Frequent patching and proper
    configuration are the best defense. One of the big problems is that
    Sendmail is very complex, so simpler MTAs were created, while add-ons were
    quickly developed and added to provide the functionality of Sendmail.
    Since these are third-party enhancements, it is very difficult to track
    new vulnerabilities in all of these add-ons.
  6. It
    should come as no surprise that a remote network management tool poses
    considerable risks to networks, and SNMP, which is usually enabled by
    default, comes in as the sixth most commonly exploited weakness. Disable
    SNMP if possible; otherwise run SNMPv3 and make certain you keep SNMP 1
    and 2 patched if you are forced to use those.
  7. Multiple
    vulnerabilities in the OpenSSL encryption tool library makes this number
    seven on the list. The best defense is a properly configured firewall and
    a periodically patched version of SSL.
  8. Enterprise
    NIS and NSF Servers that haven’t been configured properly are the next
    biggest threat. Patch, disable any unnecessary daemons, and beef up your
    firewall to protect against this, the number eight threat.
  9. Databases
    are designed to be accessed but vulnerabilities can sometimes let remote
    attackers exploit the open nature of these applications to piggy-back
    their way into a network. Patching and proper configuration are the best
    ways to combat this threat, which is rated number nine.
  10. Kernel
    vulnerabilities round out the list at the tenth position. Protection is a
    highly complex problem and specific to each vendor and version.

Final word

Although the two lists (Windows and Linux/UNIX) are each
listed in order of decreasing threat levels, there is no correlation between
the two lists; that is, there is no analysis provided as to which OS is more
secure or whether a vulnerability being sixth on the Linux/UNIX list is
responsible for as many successful attacks by percentage, as the number six
threat on the Windows top 10 list.

This is not a tool for determining which OS to use; rather,
it is a guide to know which threats deserve the most attention within each
category, so don’t read too much into the lists. If you use them the way they
are intended, then they can be extremely helpful.

Also watch for …

  • Following
    Microsoft’s lead, Oracle has announced that it will send out update
    bulletins on a schedule, but Oracle will do it quarterly. Initially, this
    has been set for 2005 as January 18, April 12, July 12, and October 18.
  • Unless
    something changes, look for Microsoft to end support for NT 4.0 at the
    close of 2004. That includes security hot fix updates and paid incident
    support for Windows
    NT Server    . NT Workstation 4 support has already ended.