[CentOS] what percent of time are there unpatched exploits against default config?

Wed Dec 28 04:29:19 UTC 2011
Bennett Haselton <bennett at peacefire.org>

On Tue, Dec 27, 2011 at 8:33 PM, Gilbert Sebenste <
sebenste at weather.admin.niu.edu> wrote:

> On Tue, 27 Dec 2011, Bennett Haselton wrote:
>
> > Suppose I have a CentOS 5.7 machine running the default Apache with no
> > extra modules enabled, and with the "yum-updatesd" service running to
> pull
> > down and install updates as soon as they become available from the
> > repository.
> >
> > So the machine can still be broken into, if there is an unpatched exploit
> > released in the wild, in the window of time before a patch is released
> for
> > that update.
> >
> > Roughly what percent of the time is there such an unpatched exploit in
> the
> > wild, so that the machine can be hacked by someone keeping up with the
> > exploits?  5%?  50%?  95%?
>
> There's no way to give you an exact number, but let me put it this way:
>
> If you've disable as much as you can (which by default, most stuff is
> disabled, so that's good), and you restart Apache after each update,
> your chances of being broken into are better by things like SSH brute
> force attacks. There's always a chance someone will get in, but when you
> look at the security hole history of Apache, particularly over the past
> few years, there have been numerous CVE's, but workarounds and they aren't
> usually earth-shattering. Very few of them have. The latest version that
> ships with 5.7 is as secure as they come. If it wasn't, most web sites
> on the Internet would be hacked by now, as most run Apache
>

I was asking because I had a server that did get broken into, despite
having yum-updatesd running and a strong password.  He said that even if
you apply all latest updates automatically, there were still windows of
time where an exploit in the wild could be used to break into a machine; in
particular he said:

"For example, there was a while back ( ~march ) a kernel exploit that
affected CentOS / RHEL. The patch came after 1-2 weeks of the security
announcement. The initial announcement provided a simple work around until
the new version is released."

Was this a sufficiently high-profile incident that you know what he's
referring to?  If this kind of thing happens once a year or more, than
surely this is a much greater threat than "brute forcing the SSH
password"?  That's what I'm talking about -- how often does this sort of
thing happen, where you need to be subscribed to be a security mailing list
in order to know what workaround to make to stay safe, as opposed to simply
running yum-updatesd to install latest patches automatically.

Bennett