Velnias
join:2004-07-06
233322

Velnias

Member

UNIX is safe (not)

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11.

Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.

Successful attacks of this vulnerability can result in takeover of Oracle Solaris.

»nvd.nist.gov/vuln/detail ··· 20-14871

donoreo
Premium Member
join:2002-05-30
North York, ON

donoreo

Premium Member

Who still uses Solaris? Honest question, anyone I knew that ran it switched to something else a long time ago.
dsless
join:2001-05-16
Pittsburgh, PA

dsless

Member

Many companies still use Solaris for Oracle databases. It is not as easy as turning a switch and you are on Redhat.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

dennismurphy to donoreo

Premium Member

to donoreo
said by donoreo:

Who still uses Solaris? Honest question, anyone I knew that ran it switched to something else a long time ago.

You'd be shocked. I have customers with tens of thousands of instances and continuing to grow. It just works.
dsless
join:2001-05-16
Pittsburgh, PA

dsless

Member

Like you, my employer has many Oracle/Solaris instances running and we have been moving them slowly to other platforms and into the cloud. However, if you have people that can get to the server behind your firewall then a much larger problem exists. It really boils down to where does the company and to spend its $$$$.

Bry
join:2008-12-31
Canada

Bry to Velnias

Member

to Velnias
It's always PAM. This design is so terrible in that code is injected into a process's address space. Certainly bad for Solaris as this vulnerability has been in the wild for many years now and appears to have been known by bad actors. But avoid misinformation around this being anything but further proof of weakness in the PAM system and in this case, the implementation in Solaris. It is also not a vulnerability in SSH itself, that is just an easy vector of exploitation.

-Bry.
Velnias
join:2004-07-06
233322

Velnias

Member

Yes, it's PAM. I wonder how such an important part of the OS security system escaped auditors' attention.

It's UNIX. It's ORACLE with plenty of money and kind of the best devs... and decent SUN legacy...

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to Velnias

Premium Member

to Velnias
said by Velnias:

UNIX is safe (not)

I am not convinced that UNIX is safe or not safe.

What I do see is that the approach to security in some (most?) UNIX distributions is very good.

An OS being "safe" is a destination.

But security is not a destination, it is a journey.

How does a UNIX distribution (any UNIX distribution) handle security as an ongoing process?

That is the question to ask.

Velnias
join:2004-07-06
233322

Velnias

Member

Microsoft view of security is nothing more than just the business. Nothing personal fellow Americans. Zuck foreigners.

I'm sure one can make HelloWorld exploitable infinitely.
I wonder what pixie powder is used for code running whole net itself.

Eatmeingreek
join:2001-06-29
San Francisco, CA

Eatmeingreek to Velnias

Member

to Velnias
said by Velnias:

Yes, it's PAM. I wonder how such an important part of the OS security system escaped auditors' attention.

said by FireEye Threat Research:
The vulnerability has likely existed for decades, and one possible reason is that it is only exploitable if an application does not already limit usernames to a smaller length before passing them to PAM. One situation where network-facing software does not always limit the username length arises in the SSH server, and this is the exploit vector used by the tool that we discovered.
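
Added example, not part of any post in this thread and not FireEye's or Oracle's code: the FireEye passage quoted above says the flaw is only reachable when an application hands PAM a username it has not already bounded. Below is a C guard that a network-facing service could apply before calling PAM; the 64-byte limit, the allowed character set and the function name are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed application policy; not a value taken from the thread or from Solaris. */
#define MAX_LOGIN_NAME 64

enum name_check { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/*
 * Check a length-prefixed login name as received from the network and, only
 * if it passes, copy it NUL-terminated into out (MAX_LOGIN_NAME + 1 bytes).
 * The caller then passes out to PAM, e.g. as the user argument of pam_start().
 */
enum name_check sanitize_login_name(const unsigned char *in, size_t inlen,
                                    char out[MAX_LOGIN_NAME + 1])
{
    out[0] = '\0';                       /* fail closed: empty on any rejection */
    if (inlen == 0)
        return NAME_EMPTY;
    if (inlen > MAX_LOGIN_NAME)          /* bound the length before PAM sees it */
        return NAME_TOO_LONG;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' ||
                 (c == '-' && i > 0);    /* no leading '-', no NUL or controls */
        if (!ok)
            return NAME_BAD_CHAR;
    }
    memcpy(out, in, inlen);
    out[inlen] = '\0';
    return NAME_OK;
}

int main(void)
{
    unsigned char longname[600];         /* constructed oversized input */
    char user[MAX_LOGIN_NAME + 1];

    memset(longname, 'A', sizeof longname);
    printf("alice   -> %d\n",
           sanitize_login_name((const unsigned char *)"alice", 5, user));
    printf("600 x A -> %d\n",
           sanitize_login_name(longname, sizeof longname, user));
    return 0;
}
```

Rejecting the name at the service boundary means the PAM stack never receives input longer than the application's own limit, whichever PAM implementation sits underneath.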


wutsinterweb
End Citizens United
join:2020-11-22
Waterbury CT

wutsinterweb to Velnias

Member

to Velnias
The vulnerabilities of any *nix are vastly overblown compared to the alternative.

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One to Velnias

Premium Member

to Velnias
said by Velnias:

It's ORACLE with plenty of money and kind of the best devs... and decent SUN legacy...

*cough*

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to donoreo

Premium Member

to donoreo
said by donoreo:

Who still uses Solaris? Honest question, anyone I knew that ran it switched to something else a long time ago.

The DoD.

In 2014 they made the decision to replace Solaris with Linux on the systems that used it (Among others UAV control), but 6 years later not everything has been changed yet..... because hey, the wheels of bureaucracy turn slowly.

In 2018, the last news report I can find on that, many systems were still running Solaris.

The DoD also still runs HP-UX for several operations.
maartena

maartena to camper

Premium Member

to camper
said by camper:

I am not convinced that UNIX is safe or not safe.

There are exceptions, but in principle the OS is as safe as its user.

If the world was reversed, and 95% of the world would run linux instead of windows, there would still be people running some sort of script that came by email, and blindly typing in their SUDO password without checking.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

said by maartena:

in principle the OS is as safe as its user.

Agreed.

But that is a bit of a tangent, no?



Velnias
join:2004-07-06
233322

Velnias to maartena

Member

to maartena
Not again...

Windows server never was as secure as Linux/UNIX/BSD server.
Windows never was as secure as billions of Android smartphones with the same users. Android even without recent updates...

Don't blame users. Opening an unknown file is not a deadly crime. Easily exploitable Windows is the problem. Always was.

Anon42c23
@107.191.125.x

Anon42c23

Anon

Disagree here a bit. It depends on the targeted operating system and it depends on the security knowledge of the user. My wife runs Linux, I do "cyber security" for a living and have for probably the past decade and a half. Someone performed ATO (Account Take-Over) of an O365 mailbox that commonly communicates with my wife. They thread-jacked the thread similar to how Ursnif/Valak does, sent her an Emotet-laden maldoc, and provided contextual information to suggest she open it. She opened it in LibreOffice. I reversed the macro code and it has no impact on a Linux system. If it were targeting Linux she would have been compromised.

Windows, while being complete trash, is no more or no less secure than any other operating system in the context of the above. With the current threat landscape it should be known that ATO, BES, and the methods mentioned above *are* how Windows systems are being compromised outside of vulnerabilities themselves. Watching things like Redline Stealer or QuasarRAT coming into corporate organizations via Maldoc droppers is extremely common. Exploit Kits are dead, well aside from a RigEK here and there.

Attackers aren't ignorant and aside from a skiddie here and there some of this stuff is well executed to exploit the weakest part of any system -- the user. It just so happens that the commonality of Linux and BSD systems as contrasted to Windows users is far fewer. Let's not kid ourselves, Linux isn't intrinsically more secure on the public Internet than a Windows system assuming proper and sane OSI Layer 3, Layer 4, and Layer 7 (LB/WAF) are in place.
Anon42c23

Anon42c23

Anon

I should add, I despise Windows, but let's not suggest that Linux by virtue is better than Windows from a security aspect, especially in context of the 'luser' of said system. I run FreeBSD and my wife and children run Linux. I've run my own MTA and webserver for the last 20+ years and it runs on Linux.

SurfaceUnits
join:2007-09-29
Hot Springs National Park, AR

SurfaceUnits to Velnias

Member

to Velnias
linux is better
»www.linuxcompatible.org/ ··· -3-2021/

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid to Velnias

Member

to Velnias
OK, so Solaris may not be safe, but I am not seeing HP-UX, IBM AIX, Mac OSX, FreeBSD, NetBSD or any *BSD variations affected by Solaris issues...
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer

Premium Member

Every platform has its issues. For proprietary platforms you don't always know about them and there are no CVEs nor other public disclosures but they most certainly do exist. I know of a few that are pretty nasty (no I can not and will not disclose any details as they are covered by an NDA).

I thought that as we enter the third decade of the 21st century that we'd be past any remnants of "OS wars", but alas it seems not.

If one blindly thinks that any given platform is necessarily "safe" generically then that person has not been paying attention for the past several decades. There are different types of issues that affect different types of platforms. That doesn't mean that just because one issue doesn't impact a platform that platform is somehow "safe".

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

It may be related to this article:

»arstechnica.com/gadgets/ ··· mer-pcs/

DonoftheDead
Old diver
Premium Member
join:2004-07-12
Clinton, WA

DonoftheDead to Velnias

Premium Member

to Velnias
Money and convenience trump security just about every time.

SurfaceUnits
join:2007-09-29
Hot Springs National Park, AR

SurfaceUnits to Velnias

Member

to Velnias
Vulnerability in the Etch-A-Sketch design allows anyone with access to your sketch to change your drawing