[SCADASEC] Major Linux security hole found
Clint Bodungen
clint at cidgcorp.com
Tue Feb 12 16:19:11 CST 2008
I *was*, in fact, only speaking of a remote/outside attack. I purposely
left out the insider aspect because if you already have an insider on a
critical system capable of executing a privilege escalation exploit, you're
already screwed. An insider with mal-intent, and even less skill, can still
do much worse than execute a stupid privilege escalation attack.
Clint
-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Leif Ericksen
Sent: Tuesday, February 12, 2008 4:01 PM
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] Major Linux security hole found
It seems to me that I have read that the INSIDER THREAT is the most
often overlooked, neglected and biggest threat around. MANY of the
attacks actually do come from an insider, be they patsy or actually
engaged in trying to break something.
Just do a Google search on the terms: +insider +threat +overlooked
there seem to be many hits that search string will bring up.
With that, if a threat exists it should be mitigated as best and as
soon as it can be, no matter if the threat is remote or local.
Smile and enjoy life!
--
Leif Ericksen
On Tue, 2008-02-12 at 15:06 -0500, ljknews wrote:
> At 12:58 PM -0600 2/12/08, Clint Bodungen wrote:
> > You're right, I glanced at it too quickly and misread it. It's a memory
> > space data pipe/redirection. Thanks for keeping me in check! ;)
> >
> > That being said, it's still a local privilege escalation vulnerability and
> > my mitigation comments still apply.
>
> As I understand your comments, they are mainly aimed at an
> outside attack. Privilege escalation can also enable an
> attack by an insider, which would require additional defense
> so long as this vulnerability remains.
>
> I don't know about Linux, but on other operating systems
> it would be possible to scan executable images to find any
> new ones that are calling the vulnerable system service
> (sys_vmsplice in this Linux case). That would not give
> an immediate defense, but might detect an insider who is
> building up to an attack (or has broken the rules on
> importing unauthorized software and just has not yet
> exercised the trojan horse part of it).
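
The scan ljknews describes above, sketched for Linux as an added example that is not part of the original thread: it walks a directory tree and reports ELF files whose dynamic symbol table imports `vmsplice`, the libc wrapper for sys_vmsplice. The function names and the choice to match on the dynamic symbol table are assumptions of this example.

```python
import os
import struct

SHT_DYNSYM, SHN_UNDEF = 11, 0

def section_headers(data, is64, e):
    """Yield section headers; fields 1, 4, 5, 6 are type, offset, size, link."""
    shoff = struct.unpack_from(e + ("Q" if is64 else "I"), data, 40 if is64 else 32)[0]
    entsize, count = struct.unpack_from(e + "HH", data, 58 if is64 else 46)
    for i in range(count):
        yield struct.unpack_from(e + ("IIQQQQIIQQ" if is64 else "10I"), data, shoff + i * entsize)

def undefined_imports(data):
    """Return names of undefined (imported) dynamic symbols in an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return set()
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"   # EI_CLASS, EI_DATA
    names = set()
    try:
        secs = list(section_headers(data, is64, e))
        for sec in secs:
            if sec[1] != SHT_DYNSYM:
                continue
            stroff = secs[sec[6]][4]          # sh_link points at the string table
            for off in range(sec[4], sec[4] + sec[5], 24 if is64 else 16):
                sym = struct.unpack_from(e + ("IBBH" if is64 else "IIIBBH"), data, off)
                if sym[-1] == SHN_UNDEF and sym[0]:   # st_shndx, st_name
                    start = stroff + sym[0]
                    names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    except (struct.error, IndexError, ValueError):
        pass                                  # malformed image: keep what parsed
    return names

def find_callers(root, symbol="vmsplice"):
    """Return sorted paths under root whose ELF image imports the given symbol."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    with open(path, "rb") as fh:
                        if symbol in undefined_imports(fh.read()):
                            hits.append(path)
            except OSError:
                continue                      # unreadable file: skip it
    return sorted(hits)
```

A match only shows that the binary links against the libc wrapper; statically linked programs and code that issues the system call directly carry no such import, so an empty result is not proof of absence.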