Digg this story   Add to del.icio.us  
United We Fall
Jon Lasser, 2002-06-05

The United Linux distribution will introduce thousands of open-source fans to the security nightmare of a software monoculture.

For economic, political, and social reasons, United Linux seems like a good idea, but it may well prove to be a security nightmare.

United Linux is a new distribution of Linux, announced last week, to be produced by Caldera, SuSE, Turbolinux and Conectiva, though more vendors may join the consortium before version 1.0 is released. Release of the first version is scheduled for the fourth quarter of this year, with a beta version expected in the prior quarter.

Companies using United Linux as the basis of their Linux distributions will include the United Linux CD, which will provide the base operating system, and optionally additional CDs providing their vendor-unique software. Although United Linux will include the base GNOME and KDE libraries, it is intended to be a server distribution, not a desktop distribution.

First, the good news: United Linux promises a number of features that may improve security. According to their white paper, the distribution will include IPSEC VPN capability, firewall capability (via standard IPTables), and an intrusion detection system based on the very capable Snort and ACID (Analysis Console for Intrusion Databases) packages.

In addition, United Linux promises cryptographic signatures on update packages. As all four Linux distributors in the consortium already use RPM, which easily enables GPG-signed packages, this is a no-brainer. Also good news is the fact that most services will be turned off by default, and that few services will run as root.

But all this good news is tempered by quite a bit of bad news. For starters, identical configurations, binary compatibility and identical libraries are good for hackers.

Identical configurations, if correct, present no security problem. But a misconfiguration, such as a Web permissions problem, when mandated by the core distribution, stands to hurt far more users, and much more quickly, than a similar error on any of the existing distributions.

Identical binary builds are an even more serious issue. Many exploits, such as buffer overflows, need to hard-code magic numbers like system calls and addresses that vary by Linux distribution, and by builds of the binaries.

This diversity of binaries, even when the sources are the same, has been a hidden strength of Linux: it means that exploits have to be customized not only for each distribution, but for each minor version as well, which is often enough to confound script kiddies and worms.

As United Linux will have identical binaries for base system software, an exploit that runs against one distribution built atop it will run against all other distributions.

Coordination Issues
That means if United Linux is successful, it will allow automated exploits to proceed with a ruthless efficiency, reminiscent of CodeRed, Nimda, and other worms targeting software monocultures. If Red Hat or Mandrake join the United Linux consortium, the risks would be even greater.

Another serious problem with United Linux will likely be coordination between vendors for security fixes. The four distributions that comprise United Linux have wildly different security records: SuSE and Connectiva seem quite responsive to security issues. TurboLinux has not released a security fix since January 24th, according to their security page, and the version of OpenSSH they released at that time is itself subject to current exploits.

If all vendors need to agree on a fix, and if all four distributions need to coordinate and approve fixes to the base operating system, it seems that the natural result will be to slow down the faster distributions, even if it does bring the slower players somewhat more up to speed. It's like not allowing the smartest kid in class to work to his potential, so that the slowest kid doesn't fall too far behind. (One way of mitigating this would be to have SuSE or Conectiva coordinate the security team, and allow their updates to the base distribution to go through without approval from the other vendors.)

Many other details remain to be seen: while the white paper specifies that security fixes will be announced via a mailing list and will be installed via automated system updaters, the update software is not specified. If the updater that United Linux ends up with does not check package signatures, a whole slew of boxes will suddenly be vulnerable to transparent proxy attacks.

Also questionable is United Linux's mandatory availability of SNMP (Simple Network Management Protocol) software. While most Linux distributions already include this, it is rarely installed by default. The default installation of SNMP is almost always insecure, and, in fact, unchanged SNMP community strings made number seven on SANS' list of the most serious Unix vulnerabilities. (This may not be an issue if United Linux does not require the installation of all software in the base distribution, but in that case I doubt it would become a serious influence on the Linux market).

While the costs and benefits of United Linux appear to be fairly well balanced, I believe that the unified binaries and system libraries across such a large number of systems will allow automated attacks against Linux systems to increase in prominence and effectiveness. Linux distributors might find, as Microsoft has, that ubiquity and consistency have their price.

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
    Digg this story   Add to del.icio.us  
Comments Mode:
Wilderbeast security 2002-06-05
United We Fall 2002-06-05
runix (1 replies)
United We Fall 2002-06-06
United We Fall 2002-06-06
Jocko Johnson
United We Fall 2002-06-06
Security Collaboration 2002-06-06
United We Fall 2002-06-06
United We Fall 2002-06-06
Lasser is barking up the wrong tree 2002-06-07
FudgeFactor7 (1 replies)
Can you bitch anymore!!! 2002-06-08
Clueless? Like for sure! 2002-06-10
Wrong Sector, Write Time
United We Fall 2002-06-11
United We Fall 2002-06-12


Privacy Statement
Copyright 2010, SecurityFocus