Enterprise Linux 5.9 to 5.10 risk report

Red Hat Enterprise Linux 5.10 was released this month (October 2013), ten months since the release of 5.9 in January 2013. So let’s use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server.

Red Hat Enterprise Linux 5 is in its seventh year since release, and will receive security updates until March 31st 2017.

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 5 Server if you had installed 5.9, up to and including the 5.10 release, broken down by severity. It’s split into two columns, one for the packages you’d get if you did a default install, and the other if you installed every single package.

During installation there actually isn’t an option to install every package, you’d have to manually select them all, and it’s not a likely scenario. For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you selected during installation and which packages you have subsequently installed or removed.

Graph showing the number of security errata 5.9 to 5.10 for Red Hat Enterprise Linux 5

So, for a default install, from release of 5.9 up to and including 5.10, we shipped 37 advisories to address 115 vulnerabilities. 7 advisories were rated critical, 7 were important, and the remaining 23 were moderate and low.

Or, for all packages, from release of 5.9 up to and including 5.10, we shipped 70 advisories to address 232 vulnerabilities. 9 advisories were rated critical, 25 were important, and the remaining 36 were moderate and low.

You can cut down the number of security issues you need to deal with by carefully choosing the right Red Hat Enterprise Linux variant and package set when deploying a new system, and ensuring you install the latest available update release.

Critical vulnerabilities

Vulnerabilities rated critical severity are the ones that can pose the most risk to an organisation. By definition, a critical vulnerability is one that could be exploited remotely and automatically by a worm. However we also stretch that definition to include those flaws that affect web browsers or plug-ins where a user only needs to visit a malicious (or compromised) website in order to be exploited. Most of the critical vulnerabilities we fix fall into that latter category.

The 9 critical advisories addressed 25 critical vulnerabilities across just two different projects:

Updates to correct all of the 25 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public.

Overall, for Red Hat Enterprise Linux 5 since release until 5.9, 98% of critical vulnerabilities have had an update available to address them available from the Red Hat Network either the same day or the next calendar day after the issue was public.

Other significant vulnerabilities

Although not in the definition of critical severity, also of interest are remote denial of service flaws and local privilege escalation flaws:

  • A flaw in dbus-glibc, CVE-2013-0292 fixed by RHSA-2013:0568 (Feb 2013). A local attacker could use this flaw to escalate their privileges to root. A public exploit exists for this issue.
  • Two flaws in the kernel fixed by RHSA-2013:0621 (Mar 2013). CVE-2013-0268 could allow a local root user who has limited capabilities the ability to kernel mode privileges; a public exploit exists for this issue. CVE-2013-0871 could allow a local unprivileged user the ability to gain root. In practice our testing shows that the involved race condition is hard to win, even with the publicly available exploit.
  • A flaw in Xen, CVE-2012-6075 fixed by RHSA-2013:0599 (Mar 2013). In non-default configurations, a remote attacker could cause a guest image to crash or potentially execute arbitrary code in the guest. We are not aware of any public exploits for this issue, although in our testing we have been able to easily cause a guest crash.
  • Two flaws in BIND (bind97), CVE-2013-2266 fixed by RHSA-2013:0690 (Mar 2013) and CVE-2013-4854 fixed by RHSA-2013:1115 (Jul 2013).A remote attacker could use either of these flaws to cause BIND to crash. We are not aware of a specific exploits for these issues, but they could be easily created.

In addition, an update to NSS, RHSA-2013:0214, (Jan 2013) was made to blacklist certain certificates from a Certificate Authority.

Previous update releases

We generally measure risk in terms of the number of vulnerabilities, but the actual effort in maintaining a Red Hat Enterprise Linux system is more related to the number of advisories we released: a single Firefox advisory may fix ten different issues of critical severity, but takes far less total effort to manage than ten separate advisories each fixing one critical PHP vulnerability.

To compare these statistics with previous update releases we need to take into account that the time between each update release is different. So looking at a default installation and calculating the number of advisories per month gives the following chart:

Graph showing the number of security errata per month for Red Hat Enterprise Linux 5This data is interesting to get a feel for the risk of running Enterprise Linux 5 Server, but isn’t really useful for comparisons with other major versions, distributions, or operating systems — for example, a default install of Red Hat Enterprise Linux 4AS did not include Firefox, but 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

See also:
5.9, 5.8, 5.7, 5.6, 5.5, 5.4, 5.3, 5.2, and 5.1 risk reports.

3 thoughts on “Enterprise Linux 5.9 to 5.10 risk report

  1. Pingback: RHEL 5.9 – 5.10 Risk Report Released | debexpert

  2. Pingback: RHEL 5.9 – 5.10 Risk Report Released | PHP World

  3. Here’s the working out:

    Note that we can’t just use a date range because we often push some RHSA
    the weeks before 5.x that were not included in the 5.x spin. These issues
    will get included when we do the next report (as anyone installing
    5.9 will have got them when they first updated). Similarly we have to
    include this time any issues that a 5.8 user will have had to install.

    So from the last blog “Fixed between GA and 5.9 iso”:

    ** Product: Red Hat Enterprise Linux 5 Server (default installation packages)
    ** Dates: 20070314 – 20130108 (2128 days)
    ** 440 advisories (C=64 I=174 L=31 M=171 )
    ** 1336 vulnerabilities (C=286 I=318 L=241 M=491 )

    ** Product: Red Hat Enterprise Linux 5 server (all packages)
    ** Dates: 20070313 – 20130108 (2129 days)
    ** 681 advisories (C=76 I=240 L=57 M=308 )
    ** 2000 vulnerabilities (C=301 I=434 L=512 M=753 )

    And just after 5.10:

    ** Product: Red Hat Enterprise Linux 5 Server (default installation packages)
    ** Dates: 20070314 – 20131001 (2394 days)
    ** 478 advisories (C=72 I=181 L=37 M=188 )
    ** 1459 vulnerabilities (C=326 I=330 L=269 M=534 )

    ** Product: Red Hat Enterprise Linux 5 server (all packages)
    ** Dates: 20070313 – 20131001 (2395 days)
    ** 752 advisories (C=86 I=265 L=65 M=336 )
    ** 2240 vulnerabilities (C=342 I=500 L=552 M=846 )

    But we need to exclude default:

    RHSA-2013:1268 (C) firefox CVE-2013-1718 (C) CVE-2013-1722 (C) CVE-2013-1725 (I)
    CVE-2013-1730 (I) CVE-2013-1732 (C) CVE-2013-1735 (C) CVE-2013-1736 (C)
    CVE-2013-1737 (M)

    not default: (none)

    As they were not included on the 5.10 iso, so will apply even to people who
    install 5.10

    This gives us “Fixed between GA and 5.10 iso”:

    ** Product: Red Hat Enterprise Linux 5 Server (default installation packages)
    ** Dates: 20070314 – 20131001 (2394 days)
    ** 477 advisories (C=71 I=181 L=37 M=188 )
    ** 1451 vulnerabilities (C=321 I=328 L=269 M=533 )

    ** Product: Red Hat Enterprise Linux 5 server (all packages)
    ** Dates: 20070314 – 20131001 (2394 days)
    ** 751 advisories (C=85 I=265 L=65 M=336 )
    ** 2232 vulnerabilities (C=337 I=498 L=552 M=845 )

    Therefore between 5.9 iso and 5.10 iso:

    ** Product: Red Hat Enterprise Linux 5 Server (default installation packages)
    ** Dates: 20130108 – 20131001 (267 days)
    ** 37 advisories (C=7 I=7 L=6 M=17 )
    ** 115 vulnerabilities (C=35 I=10 L=28 M=42 )

    ** Product: Red Hat Enterprise Linux 5 server (all packages)
    ** Dates: 20130108 – 20131001 (267 days)

    ** 70 advisories (C=9 I=25 L=8 M=28 )
    ** 232 vulnerabilities (C=36 I=64 L=40 M=92 )

Comments are closed.