100TB’s Ultimate Security Guide: Libarchive Is Vulnerable

13th July, 2016 by

June saw the announcement of three vulnerabilities in the popular libarchive package. This package is used on many Linux and Unix systems for managing compressed files, allowing various applications to handle these files. The bugs potentially allowed an attacker to execute code on a vulnerable system by manipulating a compressed file that libarchive is then used to open.

Updates To The Rescue

Fortunately the bugs are already resolved, and updating your system to the latest version of libarchive should solve the problem. The fix is available in most Linux distributions’ repositories. While this may solve the problem for applications that use libarchive as a shared library, others may compile a specific version of libarchive into their software. Identifying these can be a bit more difficult, although the software supplier should update it with the new fixes. If you haven’t updated yet, or checked your software for updates, then now is a good time to do it.
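One way to look for copies of libarchive compiled into other software, as an added example that is not part of the original article. It assumes an embedded copy still carries libarchive's version banner ("libarchive X.Y.Z"), which a stripped or modified build may not; the function names are hypothetical, and the fixed version is an argument you take from your distribution's advisory.

```shell
#!/bin/sh
# Added example: inventory libarchive copies, shared or embedded.
# Assumption: binaries built with libarchive keep its version banner,
# "libarchive X.Y.Z". No fixed version is hard-coded; pass the one
# named in your distribution's security advisory.

# Print "version path" for each file under $1 containing a banner.
# grep -a treats binaries as text, -o prints only the match, -m1 stops
# at the first matching line per file, -H always prefixes the path.
find_libarchive_banners() {
    find "$1" -type f -exec \
        grep -a -o -H -m1 -E 'libarchive [0-9]+\.[0-9]+\.[0-9]+' {} + 2>/dev/null |
    awk '{
        n = split($0, p, ":libarchive ")
        ver = p[n]
        # 12 = length of the ":libarchive " separator
        path = substr($0, 1, length($0) - length(ver) - 12)
        if (!seen[path]++) print ver, path
    }'
}

# True when version $1 is strictly older than version $2 (sort -V order).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Report files under $1 whose banner is older than fixed release $2.
# "shared" is the libarchive.so library itself (fixed by a package
# update); "embedded" is a copy built into another binary, which only
# that software's supplier can fix.
report_outdated() {
    fixed=$2
    find_libarchive_banners "$1" | while read -r ver path; do
        case "${path##*/}" in
            libarchive.so*) kind=shared ;;
            *)              kind=embedded ;;
        esac
        if version_lt "$ver" "$fixed"; then
            echo "OUTDATED $kind $ver $path"
        fi
    done
}

# Usage: report_outdated /usr/local/bin <fixed-version-from-advisory>
```

An empty result only means no banner older than the given version was found; software that strips or alters the string still needs checking against the supplier's release notes.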

With the knowledge of this bug out in the wild, attackers may already be crafting attacks against systems that make use of it, taking advantage of systems that may not yet be updated. This brings us to the subject of updates. People often mistakenly assume that because a new update of their software doesn’t bring any new features, there’s no point in updating the software. Tucked in with the release notes of an update, often at the bottom, will be a listing of bugs fixed in the software. These are usually fairly innocuous, but sometimes, as with libarchive’s recent update, they can be important to security.

Don’t Let Time Pass You By: Auto Update Configurations

Most server environments don’t default to automatically installing updates for you. This means that unless you manually obtain the updates, or reconfigure the system to automatically update for you, a large number of vulnerabilities may develop over time within your server’s software. Checking for updates is something easily forgotten, so we recommend setting up a monitoring alert when new packages are available so you can manually install them, or configuring your system to automatically install security updates.

If you want to look into applying updates automatically, then for systems running Debian, Ubuntu or other Debian-based Linux distributions the unattended-upgrades package is available for configuring the system to update automatically. CentOS and Red Hat users can achieve the same thing with the yum-cron package. The Windows Update tool can be configured to apply updates automatically for Windows users.

Understandably, automatic updates aren’t suitable for everyone, as on rare occasions an update can introduce a change that stops other applications working as they should. If your system is affected in this way, it is important to set up a test environment in which to trial the updates before applying them to your live server.

As well as the updates that come with your system, most Linux distributions keep a web page or mailing list devoted to security information that affects the distribution. This allows you to keep track of issues that could be relevant to your deployment, and to take mitigating steps prior to updating. Similarly, Microsoft offers security information on their TechNet web pages in the Security TechCenter. These web pages can be very helpful for keeping tabs on the security of your system, especially when a bug or flaw is discovered and released to the public before a patch is ready to fix it.
