New threats to Unix users include a widely used software development aid known as concurrent version control, according to the latest annual Sans Top 20 vulnerability report.
With the growing use of offshore and global development, many businesses run their software projects across the internet. Version control is used to keep the various components of a project in step when multiple programmers are contributing code.
Ross Patel, director of threat research at the Sans Institute, a corporate research and education body, said that if hackers compromised a server running a concurrent version control system, they could insert a backdoor into the software being developed to provide access to the application when it is deployed.
The biggest risk, according to Patel, was that a hacker could cause the server to crash, which would disrupt the software development project.
Patel said a key trend in the Unix and Linux community was greater emphasis on kernel-level operating system security. The Sans Top 20 vulnerability report said that since the kernel has privileged access to all aspects of the system, a kernel-level compromise could be devastating.
Risks from kernel vulnerabilities include denial of service, execution of arbitrary code with system privileges, unrestricted access to the file system, or root-level access. Many vulnerabilities are exploitable remotely, and are especially dangerous when the avenue of attack is by way of a service published to the internet.
Patel said initiatives such as the US National Security Agency's Security-Enhanced Linux project showed the importance of hardening Linux from the bottom up, rather than adding security modifications on top of the Linux kernel.
This year's top 10 vulnerabilities
- Bind domain name system
- Web server
- Version control systems
- Mail transport service
- Open Secure Sockets Layer
- Misconfiguration of enterprise services NIS/NFS
- Web servers and services
- Workstation services
- Windows remote access services
- Microsoft SQL Server
- Windows authentication
- Web browsers
- File-sharing applications
- LSas exposures
- Mail client
- Instant messaging.
Source: Sans Institute