Sans list warns of Unix version control risk


Sans list warns of Unix version control risk

Cliff Saran

New threats to Unix users include a widely used software development aid known as concurrent version control, according to the latest annual Sans Top 20 vulnerability report.

With the growing use of offshore and global development, many businesses run their software projects across the internet. Version control is used to keep the various components of a project in step when multiple programmers are contributing code.

Ross Patel, director of threat research at the Sans Institute, a corporate research and education body, said that if hackers compromised a server running a concurrent version control system, they could insert a backdoor into the software being developed to provide access to the application when it is deployed.

The biggest risk, according to Patel, was that a hacker could cause the server to crash, which would disrupt the software development project.

Patel said a key trend in the Unix and Linux community was greater emphasis on kernel-level operating system security. The Sans Top 20 vulnerability report said that since the kernel has privileged access to all aspects of the system, a kernel-level compromise could be devastating.

Risks from kernel vulnerabilities include denial of service, execution of arbitrary code with system privileges, unrestricted access to the file system, or root-level access. Many vulnerabilities are exploitable remotely, and are especially dangerous when the avenue of attack is by way of a service published to the internet.

Patel said initiatives such as the US National Security Agency's Security-Enhanced Linux project showed the importance of hardening Linux from the bottom up, rather than adding security modifications on top of the Linux kernel.

This year's top 10 vulnerabilities 

Unix systems 

  • Bind domain name system  
  • Web server  
  • Authentication  
  • Version control systems  
  • Mail transport service  
  • SNMP 
  • Open Secure Sockets Layer  
  • Misconfiguration of enterprise services NIS/NFS  
  • Databases  
  • Kernel. 

Windows systems 

  • Web servers and services   
  • Workstation services  
  • Windows remote access services  
  • Microsoft SQL Server  
  • Windows authentication  
  • Web browsers   
  • File-sharing applications   
  • LSas exposures   
  • Mail client   
  • Instant messaging.  

Source: Sans Institute

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy