Free Republic
Browse · Search
News/Activism
Topics · Post Article


Software flaw threatens Linux servers
C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

Posted on 11/28/2001 1:28:10 PM PST by Don Joe

Software flaw threatens Linux servers
By Robert Lemos
Staff Writer, CNET News.com
November 28, 2001, 1:50 p.m. PT

A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis to run FTP (file transfer protocol) servers that transfer files over the Internet.

While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."


TOPICS: Culture/Society; Front Page News; News/Current Events
Hmm, looks like pretty much a standard anti-MS rant, with all the standard "security issues", complaints about facts not being disclosed, complaints about facts being disclosed (before a fix is available), etc., etc., etc., except for two things: 1. the total lack of venom, and 2. the fact that the exploited OS is Thy Holy Linux.

Let's see how the hypocritical MS-bashers deal with this mess!

1 posted on 11/28/2001 1:28:10 PM PST by Don Joe

To: Bush2000; innocentbystander
An Oh, The Irony bump.
2 posted on 11/28/2001 1:29:05 PM PST by Don Joe

To: Don Joe
It'll never happen.
3 posted on 11/28/2001 1:36:08 PM PST by SolitaryMan

Comment #4 Removed by Moderator

To: Don Joe
"We put a stop to this,"
Then quit using wuFTP or the Univ of Washington IMAP server! Those two are #3 and #4 behind Sendmail and BIND in Things That Have a New Bug Every Week.
Not that I have a thing against UW, but man do those two programs suck.
5 posted on 11/28/2001 1:36:17 PM PST by lelio

To: Don Joe
bump!

All this talk about the vulnerabilities of MS this and MS that and how sweet linux is blah blah.. makes me laugh.

Myself and others were hacking unix long before Windows was ever written. Cracking the password files, catting the TTY, trojan horses. Unix has to be the most hacked OS of all time.

6 posted on 11/28/2001 1:37:21 PM PST by Smogger

To: Don Joe
You Bet! They would have noted how this quick announcement by RED HAT would give them an unfair market advantage against its competitors. BWAAAAAHAAAAA!!!!
7 posted on 11/28/2001 1:37:44 PM PST by epluribus_2

To: Dominic Harr
bump
8 posted on 11/28/2001 1:38:48 PM PST by Rodney King

To: Don Joe
Let me see if I understand this: The same people who bash Microsoft for not releasing security flaw issues soon enough are upset that RedHat released the info too soon?

Priceless...

9 posted on 11/28/2001 1:40:51 PM PST by danneskjold

To: Don Joe
wu-FTP

Never heard of it.

10 posted on 11/28/2001 1:40:58 PM PST by AppyPappy

To: Don Joe
I know many linux admins that don't touch wuftpd since the last spate of holes were discovered. ncftpd is a good replacement.

It is an OS and not a religion (tell a Macintosh fanatic that)....but I think that the wealth of available tools makes Linux, OpenBSD, and FreeBSD servers easier to maintain and troubleshoot (and more difficult to set up) than any of the MS servers...and you get more bang for your hardware.

11 posted on 11/28/2001 1:43:17 PM PST by thunderdome

To: danneskjold
>>>upset that RedHat released the info too soon? <<<

I suppose it's too much to hope for to wish that the Justice Department and 17 states would bring suit for unfair marketing practices!

12 posted on 11/28/2001 1:44:33 PM PST by HardStarboard

To: Don Joe
Here is a list of other Linux security fixes you don't hear about in the big media.
13 posted on 11/28/2001 1:45:12 PM PST by Mannaggia l'America

To: AppyPappy
WU-FTP is a freeware FTP server (file transfer protocol) which was written by Bryan O'Connor when he was at Washington University. Mr O'Connor doesn't work on WU-FTP anymore, nor is he still at WU.

It is not a linux specific package. It runs on Sun, SGI, IBM, FreeBSD, etc, etc. This is not the first security exploit for this particular package, either.

14 posted on 11/28/2001 1:47:47 PM PST by Liberal Classic

To: Don Joe
First of all, who the heck uses FTP anymore? I always use scp whenever/wherever possible.

Secondly, holes in wu-ftpd are nothing new. And they don't threaten only "Linux" servers; they threaten xBSD servers, or any other machine running wu-ftpd.

Finally, I use Debian GNU/Linux, which uses ProFTPd.

15 posted on 11/28/2001 1:47:59 PM PST by B Knotts

To: HardStarboard
:) Be nice...
16 posted on 11/28/2001 1:49:24 PM PST by danneskjold

To: Don Joe
Oops.

Of course, they're gonna blame MS for this. It's second nature for Linux nuts to blame MS for all their problems.

17 posted on 11/28/2001 1:51:20 PM PST by Archmagus

To: danneskjold
"But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

Imagine Bill Gates saying that line and every penguin kisser would be flaming M$.

This really does bring out the hypocrisy of the MS bashers...Although I am not a real lover of maintaining Microsoft servers, they do make their software very usable...and their WindowsUpdate makes security updates a painless process.

18 posted on 11/28/2001 1:52:14 PM PST by thunderdome

To: Don Joe
This is a myth Don. Everyone knows that Linux is a rock-solid, flawlessly implemented OS - for home or server. Linux does everything. Last night it cooked my favorite meal. Right now it's changing our cat's litterbox. Tomorrow it's scheduled to change the oil in my truck.
19 posted on 11/28/2001 1:54:02 PM PST by TomServo

To: Archmagus
This isn't a linux problem, specifically. It's a problem with the ftp server program. This isn't Bill Gates' fault, but it isn't Linus Torvalds' either. :)
20 posted on 11/28/2001 1:54:51 PM PST by Liberal Classic

