Today, I worked on a customer server running Fedora Core 5. You read correctly, five. The uptime was more than 851 days (~2.5 years)! System administrators will immediately think “Cool! That’s a very reliable server!” but what about the security aspects?
I exchanged some very interesting tweets with @ChrisJohnRiley in the afternoon about this story. The customer server was correctly secured and placed on a safe VLAN. But, as Chris noted, it’s a risk that must be analyzed. What will happen if the server is moved “as is” to the company LAN or into a DMZ?
Even if updates were enabled, the fifth release of Fedora Core has been deprecated since June 2007, so the system is left unpatched with several critical flaws. This is a classic problem when you deploy servers using free Linux or *BSD distributions: new releases are announced every six months (for example, Ubuntu every April and November or OpenBSD in May and November). Usually, only the last two releases are still supported and receive security fixes. After this “grey” period, it’s your responsibility!
Huge uptimes lead to different conclusions depending on who looks at them. For the system administrator, it means a well-configured and stable server. But for the security professional, it means that the system is unpatched (at least its kernel, since a kernel update only takes effect after a reboot) and therefore carries a risk.
If you are responsible for a fleet of servers, always keep an eye on the operating system versions you run. Plan maintenance and upgrades in time. Maybe the server cannot be upgraded easily for multiple reasons but, as a security professional, it’s up to you to apply due diligence and notify the owner about the risk…
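As an added example (not from the original post), here is a small check that turns the reasoning above into something you can run against a fleet: it flags a host whose uptime exceeds a review threshold, whose running kernel is older than the newest kernel package installed (a pending reboot), or whose distribution is past end-of-life. The threshold, the end-of-life date and the sample `/proc/uptime`, `uname -r` and `rpm -q kernel` strings are all assumed or constructed; it cannot tell whether newer packages exist upstream, only whether what is installed is actually running.

```python
"""Flag long-running servers whose uptime hides an unpatched kernel or an
end-of-life OS. Inputs are the raw text of /proc/uptime, `uname -r` and
`rpm -q kernel`, supplied here as constructed strings so it runs offline."""
import re
from datetime import date

# Assumed policy threshold (not from the post): uptime above this is reviewed.
MAX_UPTIME_DAYS = 90


def version_key(ver):
    """Split '2.6.15-1.2054_FC5' into chunks that compare numerically where possible."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-_]", ver)]


def uptime_days(proc_uptime_text):
    """The first field of /proc/uptime is seconds since boot."""
    return float(proc_uptime_text.split()[0]) / 86400


def assess(proc_uptime_text, uname_r, rpm_q_kernel, eol_date, today):
    """Return a list of findings; an empty list means nothing to escalate."""
    findings = []
    days = uptime_days(proc_uptime_text)
    if days > MAX_UPTIME_DAYS:
        findings.append(f"uptime {days:.0f} days exceeds the {MAX_UPTIME_DAYS}-day review threshold")
    # `rpm -q kernel` prints one 'kernel-<version>' line per installed kernel package
    installed = [ln.replace("kernel-", "", 1) for ln in rpm_q_kernel.splitlines() if ln.strip()]
    newest = max(installed, key=version_key)
    if version_key(uname_r) < version_key(newest):
        findings.append(f"running kernel {uname_r} is older than installed {newest}: reboot pending")
    if today > eol_date:
        findings.append(f"distribution end-of-life since {eol_date:%Y-%m-%d}: no security fixes are published")
    return findings


# Constructed sample shaped like the Fedora Core 5 box from the post, 851 days up.
SAMPLE_UPTIME = "73526400.12 147052800.24"
SAMPLE_UNAME_R = "2.6.15-1.2054_FC5"                         # constructed FC5-style version
SAMPLE_RPM = "kernel-2.6.15-1.2054_FC5\nkernel-2.6.20-1.2320_FC5\n"  # constructed
FC5_EOL = date(2007, 6, 30)                                   # assumed date for "June 2007"
TODAY = date(2009, 10, 1)                                     # constructed audit date

if __name__ == "__main__":
    for finding in assess(SAMPLE_UPTIME, SAMPLE_UNAME_R, SAMPLE_RPM, FC5_EOL, TODAY):
        print("RISK:", finding)
```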