What to do if Linux is also insecure?

(by Alessandro Rugolo)
29/10/18

Among the few certainties I have always had about operating systems, I can certainly count "Linux is better than Microsoft".
But is it really so?
These days a bug has been disclosed that allows privilege escalation on the main Linux distributions.
The bug is tracked as CVE-2018-14665 and appears to have been identified by Narendra Shinde.
The problem is not in the Linux kernel code but, so it seems, in the code of the X.org server, the graphical server used by most Linux distributions, starting from version 1.19.0.
This means that for nearly two years all systems running an X.org server from 1.19.0 onward have been potentially exposed to privilege escalation attacks.

To be clear, the systems affected by this vulnerability include OpenBSD, Debian, Ubuntu, Fedora, Red Hat Enterprise Linux and CentOS!
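A check a practitioner can run before following the links at the end, added here as an example that is not part of the original article nor of the X.Org project: it reads the version printed by `Xorg -version`, reports whether it falls in the range described above (1.19.0 and later), and tests whether the binary is installed setuid root, which is the condition under which the flaw in the referenced advisories is reachable by a local user. The sample version output embedded in the script is constructed so that it runs offline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original article or the X.Org project):
# is this host's X.Org server in the CVE-2018-14665 affected range
# (xorg-server 1.19.0 and later), and is the binary setuid root, the
# condition under which the flaw is reachable by a local user?

# version_ge A B: exit 0 when dotted numeric version A >= B.
# A trailing dot is appended so `cut` sees a delimiter even for "1";
# missing fields count as 0, so 1.19 equals 1.19.0.
version_ge() {
    a=$1; b=$2; i=1
    while :; do
        fa=$(printf '%s.' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        fb=$(printf '%s.' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields compared: equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# parse_xorg_version TEXT: print the version from the first line of
# `Xorg -version` output ("X.Org X Server 1.19.6"), or nothing if absent.
parse_xorg_version() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# xorg_affected VERSION: exit 0 when VERSION is 1.19.0 or later.
xorg_affected() { version_ge "$1" 1.19.0; }

# is_setuid_root PATH: exit 0 when PATH has the setuid bit and is owned by root.
# `stat -c` is the GNU spelling, `stat -f` the BSD one, tried as a fallback.
is_setuid_root() {
    [ -u "$1" ] || return 1
    owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null)
    [ "$owner" = 0 ]
}

# Constructed sample of `Xorg -version` output so the script runs offline.
SAMPLE_VERSION_OUTPUT='X.Org X Server 1.19.6
X Protocol Version 11, Revision 0'

# report VERSION [PATH]: one line for the version range, one for the setuid bit.
report() {
    ver=$1; bin=$2
    if [ -z "$ver" ]; then
        printf 'could not determine the xorg-server version\n'
    elif xorg_affected "$ver"; then
        printf 'xorg-server %s: in the affected range (1.19.0 or later)\n' "$ver"
    else
        printf 'xorg-server %s: outside the affected range\n' "$ver"
    fi
    if [ -n "$bin" ] && is_setuid_root "$bin"; then
        printf '%s is setuid root: the flaw is reachable by a local user\n' "$bin"
    elif [ -n "$bin" ]; then
        printf '%s is not setuid root: this path is closed\n' "$bin"
    fi
}

report "$(parse_xorg_version "$SAMPLE_VERSION_OUTPUT")" ""
if bin=$(command -v Xorg 2>/dev/null); then
    report "$(parse_xorg_version "$("$bin" -version 2>&1)")" "$bin"
fi
```

A version outside the range, or a binary without the setuid bit, closes this particular path; the actual fix is the updated vendor package that the links at the end of the article point to.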

I do not think it is useful to continue with the technical analysis of the problem; the links at the end of the article provide the necessary information and the suggested fixes.
What interests me is to dig into some aspects that are often underestimated, and to do so I will ask some simple questions and try to answer them.
First: what happened with Unix, and then Linux, in the past?
And then: who decides whether and how to apply patches to a system in use, or whether to move to the next version?

No doubt those who, like me, are of a certain age, have come up against the need to use the command line of Unix or Linux or both, which today is very often replaced by a graphical interface.
The introduction of graphics was a success for these systems, attracting many potential users and making Unix/Linux systems more similar to Windows, but at the same time it increased complexity. In short, where before there were powerful and relatively light systems, the introduction of graphics has weighed down the code.
Linux operating systems are generally the domain of technicians: they are used in data centres to manage networks and IT systems that need high performance. That is their characteristic, but they are often little known to managers and decision-makers, who rely on technicians. Whether that is correct behaviour or not is hard to say.

Who better than a good technician can say what a system needs to work better? Probably no one.

But who is responsible for the company? Who answers legally for errors? Who pays in case of non-compliance with privacy legislation, or in case of theft of industrial, military or state secrets?

Now, I think it is clear that technicians must have their autonomy, but I think it is equally clear that a serious organization must use a risk analysis process that also takes technological risk into account, including the analysis of patches (functional and security) and the risk analysis of moving from one version to the next.

The process that pushed towards graphics is very similar to the one that pushed, and still pushes, towards virtualization... I hope that those who chose virtualization did so consciously!

What is increasingly clear to me is that we need to do simple things, so that effective control is possible; this is a rule that I believe is always valid, and even more so in information technology.
Certainly, in a critical environment it is necessary to make sure that technical staff can work using safe tools and following clear procedures.

The ability to use Linux-like operating systems from the command line is therefore, in my opinion, a skill to be preserved, without being too attracted by the undeniable ease of graphical systems which, in return, increase the complexity of the code and the attack surface.

To learn more:

- https://www.nushinde.com
- https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives...
- https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xserver-xorg-video-int...
- https://www.theregister.co.uk/2018/10/25/x_org_server_vulnerability

(photo: US DoD)