August 27, 2008 6:37 AM PDT

Linux servers under the Phalanx gun: A problem with people, not code

by Matt Asay

As The Register reports Wednesday, Linux servers are increasingly under attack from Phalanx2, a "self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor."

According to The Register:

The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

The U.S. Computer Emergency Readiness Team has recommended an approach to counteracting the risk, but this is where Linux (and Windows and Solaris and...) security meets reality: Linux may be inherently more secure as a system, but ultimately security is a question of process and people, not merely code.

Administrators must apply the patches. If Linux server administrators are anything like Oracle server administrators--65 percent of whom never install critical security patches--then Linux security will be as fallible as that of any other system. If IT administrators won't secure Linux, it won't be secured.

Much is made about security in open source, and often for good reason. But judging from the lack of chatter on the Web about the Phalanx attacks, I'm not optimistic that we're responding fast enough as a community to this new security breach.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET.
by Penguinisto August 27, 2008 7:37 AM PDT
There's not much chatter yet because the warning just barely came out (SANS reported it late yesterday). Also, you would have had to 1) not patched against the OpenSSL bug from weeks ago, and 2) have had one (or more) of your SSH keys (assuming you even use them) stolen or compromised.

FWIW: Oracle servers get patched slower because Oracle patches have a greater chance of breaking things (esp. with delicate or even bone-headed queries/scripting).

/P
by rapier1 August 27, 2008 8:49 AM PDT
Penguinisto,
So I do a lot of SSH development. The set of patches I came up with, while not part of the official OpenSSH offerings, are widely used to enhance performance. Because of that I get a lot of mail from people and I'd say at least half of them are looking for patches for OpenSSH 3.8, 4.1, 4.3 etc... old versions - years old. Regardless of what people *should* be doing they just aren't doing it. They're not upgrading OpenSSL, they aren't upgrading OpenSSH, they're not password locking their keys. They just aren't. These aren't idiots but if they don't know it's broken they don't see any reason to fix it. So while I don't think this is a potential meltdown I do think there are a good number of people that are at risk and that this may end up being somewhat disruptive.
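The article's attack chain starts with stolen SSH keys, and the comment above notes that many people never passphrase-lock theirs; a key with no passphrase is usable by whoever copies the file. The audit below is an added example, not code from the article, from The Register, or from the HPN-SSH project: it classifies OpenSSH private key files as encrypted or not by inspecting the on-disk format itself (the `Proc-Type: 4,ENCRYPTED` header of the legacy PEM encoding, or the ciphername/kdfname fields at the head of the `openssh-key-v1` envelope), so it needs no `ssh-keygen` and never attempts to use the key. The sample key texts are constructed for the demonstration and are not real keys.

```python
import base64
import struct

# Markers of the two private-key encodings OpenSSH writes to disk.
LEGACY_PEM_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
OPENSSH_PEM_MARKER = "-----BEGIN OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 blob


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    header = lines[0]
    if header in LEGACY_PEM_MARKERS:
        # Legacy PEM: a passphrase-protected key carries "Proc-Type: 4,ENCRYPTED"
        # (plus a DEK-Info line) between the BEGIN marker and the base64 body.
        for ln in lines[1:]:
            if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
                return "encrypted"
            if ":" not in ln:
                break  # base64 body reached without any encryption header
        return "unencrypted"
    if header == OPENSSH_PEM_MARKER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        if not blob.startswith(AUTH_MAGIC):
            return "unknown"
        # Envelope layout: magic, ciphername, kdfname, kdfoptions, number of keys, ...
        cipher, off = _read_string(blob, len(AUTH_MAGIC))
        kdf, _ = _read_string(blob, off)
        # An unprotected key has ciphername "none" and kdfname "none".
        if cipher == b"none" and kdf == b"none":
            return "unencrypted"
        return "encrypted"
    return "unknown"


def audit_key_files(files):
    """Given a mapping path -> file text, return the sorted paths of unencrypted keys."""
    return sorted(p for p, text in files.items() if classify_private_key(text) == "unencrypted")


def make_openssh_key_text(cipher, kdf):
    """Constructed sample: an openssh-key-v1 envelope with only the header fields.
    It is enough for classification but is not a usable key."""
    blob = AUTH_MAGIC
    for field in (cipher, kdf, b""):  # ciphername, kdfname, empty kdfoptions
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(blob).decode()
    return "\n".join([OPENSSH_PEM_MARKER, b64, "-----END OPENSSH PRIVATE KEY-----"])


# Constructed legacy PEM samples (bodies are placeholder base64, not key material).
SAMPLE_LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""
SAMPLE_LEGACY_ENC = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""

# Constructed inventory, as a key-collection step on a fleet might produce.
SAMPLE_FILES = {
    "/home/alice/.ssh/id_rsa": SAMPLE_LEGACY_PLAIN,
    "/home/bob/.ssh/id_rsa": SAMPLE_LEGACY_ENC,
    "/home/carol/.ssh/id_ed25519": make_openssh_key_text(b"none", b"none"),
    "/home/dave/.ssh/id_ed25519": make_openssh_key_text(b"aes256-ctr", b"bcrypt"),
}

if __name__ == "__main__":
    for path in audit_key_files(SAMPLE_FILES):
        print("unencrypted private key:", path)
```

In a real sweep, `SAMPLE_FILES` would be replaced by reading `~/.ssh/id_*` (and any other files whose first line is one of the markers) from each home directory; a key reported as unencrypted should be re-protected with a passphrase or, better, rotated and the old public key removed from every `authorized_keys` that trusted it.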
by Penguinisto August 27, 2008 12:35 PM PDT
You sort of left out context, whether or not they use ssh keys, what application (could be Cygwin for all I know) etc.

So where are these packages of yours, then? I'm kind of curious to see them.
by rapier1 August 27, 2008 12:43 PM PDT
Just google hpn-ssh. It won't do you much good unless you have a BDP > 2MB but we also included mid stream cipher switching to null (post auth (we maintain HMAC)) and a threaded aes-ctr cipher. As for the context of the requests - you know as much as I do. However, Corrina does a damn fine job of keeping SSH under cygwin current with releases. Of course, if you are using cygwin performance probably isn't a priority.
by alegr August 27, 2008 7:50 AM PDT
Of course, if users click on unsafe attachments, and always run as administrators, it's Windows horrible security. But if beloved Linux is compromised, it's just admins not doing their job.
by Penguinisto August 27, 2008 12:36 PM PDT
That's because part of an admin's job is to not run with root privileges unless he/she has a good reason to.

Next...?
by electromanvern August 29, 2008 2:05 PM PDT
@Penguinisto

And I'm sure now that Vista runs user sessions at low priv by default that you will have to agree that would have helped to prevent this type of 'user error'.
by softwaredesignengineer August 27, 2008 8:03 AM PDT
Stupid Windows with all its big security holes that allows unsafe attachments to be opened and executed and users to run as administrators with all access rights... oh wait wait...this was Linux??? geeez, please ignore my post...... the admins don't know how to use Linux security.
by upperfalls August 27, 2008 11:15 AM PDT
There's no chatter because this is old news. Competent admins have patched OpenSSL long ago. Only incompetent types still have a problem. Do you really expect them to talk?
by The_Decider August 27, 2008 11:47 AM PDT
The only thing I am concerned about is the declining quality of your writing.

This is speculative at best and is only meant to drive traffic your way.

As others have said this is old news. It is your fault you are up to date on events in Linux.
by Vegaman_Dan August 27, 2008 11:52 AM PDT
The problem that I see here is that self-titled administrators are too ego-driven and full of themselves to actually consider that there may be an issue here and take steps to avoid it. Confident in their abilities to move the planet itself if they so choose, they disregard taking these steps because... well, it can't happen to them- they are infallible, as are the systems they manage.

Take a look at those people who call themselves admins and see if this isn't the case. Responsible people don't brag about being admins. Those that do are prime targets for this sort of situation.

Apple and Microsoft have nothing on *nix admins for egos. That's something nobody can touch.
by Penguinisto August 27, 2008 12:46 PM PDT
Nice try - try again.

When the OpenSSL bug came out a few weeks back, every *nix admin I know of was auditing their servers to see if they were affected, and were patching appropriately (including key revocation/regens as needed). I busily did the same, and it took less than a day to install the vendor patches, audit the keys, and revoke the old ones (and even then it was only done out of paranoia).

This "issue" separates the men from the boys, so to speak. Getting bitten requires that 1) you never bothered to patch the earlier OpenSSL bug, weeks after it was announced, 2) you continue to use keys generated by the buggy versions, 3) your key somehow gets swiped from the server (meaning that you left it in an insecure location), and 4) that you parked the thing, rigged as described, directly onto the public Internet where some schmuck can get at it (hint: you NEVER use SSH keys on a public-facing server. Ever.) Remove either one of those steps, and the whole house of cards falls apart, and no cookie for the script kiddie.

By the way... how effective is a "rootkit" that can be found with a simple "cd" command, or picked up by any decent file-integrity checking binary? Weren't "rootkits" supposed to be nearly completely undetectable?

Given all of this, methinks that Mr. Asay is shouting "wolf!" rather prematurely, considering the convolutions required to even infect a machine with this thing.

--

So, let's compare this to the typical Windows bust-in, where the fault (usually) lies with privilege escalations and zero-day (or outright unpatched-by-the-vendor) flaws in the OS. Instead of relying on a convoluted series of events to be true, it usually requires a double-click, or merely surfing to a poisoned website.
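The comment above mentions file-integrity checking as a way to catch a rootkit's dropped files. The baseline-and-compare checker below is an added example, not code from the article or from any of the commenters: it hashes every regular file under a directory tree, stores the digests as a baseline, and on a later run reports files that were added, removed or modified. The sample tree it builds in a temporary directory is constructed for the demonstration. One caveat follows from the article's own description of Phalanx2 as a kernel rootkit that hides files: a checker like this asks the running kernel what files exist, so on a live system it can only see what the kernel chooses to show it. Its results are trustworthy when the disk is examined from a known-clean boot medium, and the baseline should be stored off the host being checked.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (as a path relative to root) to its digest.
    Symlinks are skipped so a planted link cannot redirect the check elsewhere."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digests[os.path.relpath(full, root)] = sha256_of_file(full)
    return digests


def compare(baseline, current):
    """Diff two snapshots into sorted lists of added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for system files; contents are arbitrary bytes.
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "bin/ps", b"original ps binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        # Simulated tampering: one binary replaced, one new file dropped.
        _write(root, "bin/ps", b"replaced ps binary")
        _write(root, "lib/extra.so", b"new shared object")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

In practice the baseline dictionary would be written out (for example as JSON) right after a clean install or patch run and kept on read-only or remote storage, and `compare` would be run against a fresh `snapshot` after each patch cycle or when a compromise is suspected.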
by francip August 27, 2008 12:01 PM PDT
You say "Linux may be inherently more secure as a system" and then you link this sentence to your own post that actually says: "Does this mean Linux is more secure? Not necessarily...".

I guess in your next piece you'll write "As we all know, Linux is more secure" and link to this one.
by richto August 27, 2008 1:24 PM PDT
Errrm, nice meaningless squiggly picture, but it's been well known and widely acknowledged for years now that Windows is inherently more secure than Linux with far fewer vulnerabilities that are fixed much faster.

e.g. http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

or

http://blogs.technet.com/security/archive/2007/08/16/july-2007-operating-system-vulnerability-scorecard.aspx

That's why for instance the US and UK armies and Navies use it in preference to Linux. Not to mention that a Linux / Apache webserver is 5 times more likely to be hacked or defaced than a Windows / IIS one.
by Dalkorian August 27, 2008 2:25 PM PDT
Thanks, I needed a good laugh.