Enterprise Linux 6.2 to 6.3 risk report
Red Hat Enterprise Linux 6.3 was released in June 2012, six months since the release of 6.2 in December 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server.
Errata count
The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.2, up to and including the 6.3 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package (which is unlikely as it would involve a bit of manual effort to select every one). For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you have installed or removed.
So, for a default install, from release of 6.2 up to and including 6.3, we shipped 44 advisories to address 122 vulnerabilities. 2 advisories were rated critical, 17 were important, and the remaining 25 were moderate and low.
Or, for all packages, from release of 6.2 up to and including 6.3, we shipped 88 advisories to address 233 vulnerabilities. 15 advisories were rated critical, 23 were important, and the remaining 50 were moderate and low.
Critical vulnerabilities
The 15 critical advisories addressed 36 critical vulnerabilities across 6 components:
- Five updates to Firefox (January 2012, February 2012, March 2012, April 2012, June 2012) where a malicious web site could potentially run arbitrary code as the user running Firefox.
- Five updates to Thunderbird (January 2012, February 2012, March 2012, April 2012, June 2012) where a malicious email message could potentially run arbitrary code as the user running Thunderbird.
- An update to the OpenJDK 6 Java Runtime (February 2012) where a malicious web site presenting a Java applet could potentially run arbitrary code as the user running a web browser.
- An update to the Kerberos telnet daemon (December 2011) where a remote attacker who can access the telnet port of a target machine could execute arbitrary code as root. Note that the krb5 telnet daemon is not enabled by default and the default firewall rules block remote access to the telnet port. This flaw did not affect the telnet daemon distributed in the telnet-server package.
- An update to Samba (April 2012) where a remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon to crash or, possibly, execute arbitrary code as root.
- Two updates to PHP (February 2012, May 2012) where a remote attacker could execute arbitrary code with the privileges of the PHP interpreter. The flaw addressed by the second update only affected non-default (PHP CGI) configurations.
Updates to correct 34 of the 36 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public. The Kerberos telnet flaw was fixed in 2 calendar days as the issue was published on Christmas day. The second PHP flaw took 4 calendar days (over a weekend) as the initial fix released upstream was incomplete.
Other significant vulnerabilities
Although not in the definition of critical severity, also of interest during this period were a few flaws that were high risk or easily exploitable:
- Several flaws in RPM, fixed by RHSA-2012:0451 where a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code prior to any signature checking. We're not aware of any working exploits for these issues.
- A flaw in the Kernel, CVE-2012-0207, fixed by RHSA-2012:0350. A remote attacker who is able to send IGMP packets to a server could cause a denial of service (crash). We are aware of a public exploit which worked against unpatched Red Hat Enterprise Linux 6.
- A flaw in the Kernel, CVE-2012-0056, fixed by RHSA-2012:0052. A local unprivileged attacker could use this flaw to escalate their privileges to root. Public exploits for this issue exist, but we are not aware of any of them that worked against a default unpatched Red Hat Enterprise Linux 6 kernel due to PIE/ASLR protection. It is plausible that a brute-force exploit could be written that would work against unpatched Red Hat Enterprise Linux 6.
Previous update releases
To compare these statistics with previous update releases we need to take into account that the time between each update release can vary slightly. So looking at a default installation and calculating the number of advisories per month gives the following chart:
This data is interesting to get a feel for the risk of running Enterprise Linux 6 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 6 Server does not include Firefox, but a default install of 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.
Comments