Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While Core ST, the group that discovered the flaw, had informed Linux software companies and the open-source group that manages wu-FTP development, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
RedHat's share of the Linux market is certainly nowhere even in the vicinity of Microsoft's share of the PC OS market.
Unlike the flaks at Micro$oft of course.
Ah, true, true. Only, you're still not sure that the message will be listened to, only that you've left it.
If you don't mind saying, which one do you use? Can it be configured to generate alerts when something weird happens?
Huh? The point of the article seemed to imply that the real problem was with Red Hat releasing their patch before everyone else, who "...weren't working at a breakneck pace to get a patch out, because everyone was working together."
True, but I know for a fact that Linux-Mandrake, at least, gives you an option of ProFTPd or wu-ftpd. But, they should have dumped wu-ftpd entirely long ago.
Most Linux servers that I know of run either RedHat or Debian. Debian does not even offer wu-ftpd. But, Debian is more security-oriented.
This is an application bug by the way and not an OS bug. Please keep the two separate.
This is a separate piece of software unrelated to Linux.
Imagine how little you'd think of someone who was screaming about a bug in WS-FTP, calling it a 'Windows' bug.
That's how uninformed *y'all* look here!
Yep. I never mention it, but my secret guideline for spotting a xNIX newbie know-it-all is if they claim their Linux machine is 'secure' from unauthorized use or contact.
Instantly, I know that this person is some goofy convert from Win9x who's managed to load RedHat (that they got from Best Buy) on the consumer Hewlett Packard that mom bought them last Christmas.
REAL Unix systems do not run on PC hardware. End of discussion.
And at the time CERT adopted this policy, some people predicted problems like this as a result (i.e., waiting to fix bugs until right before the public announcement).
Um... you don't really know what you are talking about, do you? I receive alerts at any time of the day or night from Microsoft when a new exploit is discovered.
Try checking out Microsoft's security site and then we can talk.
I also don't allow anonymous ftp. I also don't allow ftp from the internet. Service port 21 doesn't exist on my firewall linux box.
If this is showing up, it's because wanna-be admins don't know squat about security. It happens with all OSes. You wouldn't believe the number of people running Windows that share their hard disk via DSL. Idiots will be idiots.
/john
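The comment above relies on port 21 simply not being reachable through the firewall. The following script is an added example, not from this thread or from any of the projects mentioned in it: it audits an `iptables-save` style dump for any INPUT or FORWARD rule that ACCEPTs TCP traffic to port 21, so an administrator can confirm that the FTP control port really is closed. Both rulesets embedded in it are constructed for illustration; on a live host the same function would be fed the output of `iptables-save`.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for rules
# that let inbound TCP port 21 (the FTP control port) reach the host.
# Both rulesets below are constructed for illustration.

# Weak ruleset: FTP is accepted from anywhere.
EXPOSED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT'

# Hardened ruleset: only SSH is accepted; FTP falls through to the DROP policy.
HARDENED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# ftp_accept_rules RULESET
# Prints every INPUT/FORWARD rule that ACCEPTs TCP traffic to port 21 (or the
# service name "ftp"), whether written with --dport or inside a multiport
# --dports list.  Exit status 0 means at least one such rule exists, 1 means none.
ftp_accept_rules() {
    printf '%s\n' "$1" |
        grep -E -- '^-A (INPUT|FORWARD) .*-p tcp .*-j ACCEPT' |
        grep -E -- '--dport (21|ftp)( |$)|--dports ([0-9]+,)*21(,| |$)'
}

# ftp_exposed RULESET -> prints "exposed" or "closed"
ftp_exposed() {
    if ftp_accept_rules "$1" >/dev/null; then
        echo exposed
    else
        echo closed
    fi
}

# Against a live host:  ftp_exposed "$(iptables-save)"
echo "weak ruleset:     $(ftp_exposed "$EXPOSED_RULES")"
echo "hardened ruleset: $(ftp_exposed "$HARDENED_RULES")"
```

The check is deliberately conservative: it only recognises rules that name the port explicitly, so a rule that accepts all TCP traffic (no `--dport` at all) or one that jumps to a user-defined chain would not be flagged and still needs a manual look at the full ruleset.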
What exactly is the point of that policy?
Here is the BugTraq entry for the security exploit in question. It says that the WU-FTP version 2.6.0.* RPM packages are vulnerable on their Intel, SPARC, Alpha, and PPC versions of Linux. WU-FTP runs on SunOS, AIX, IRIX, SCO Unix, DEC OSF (now Compaq Tru64), *BSD, and Linux. It could very well mean that 2.6.0 is vulnerable on many more versions of Unix.
The patch is being released by the German competition to RedHat, SuSE Linux.
Within five years or so, a large proportion of the UNIX world will be on 64-bit Intel and AMD. Even Sun is porting Solaris to Itanium, just in case.
And AMD's SledgeHammer isn't going to do SMP--it will do 8-way NUMA.
All the biggest MS defenders, in here trumpeting this as a Linux bug.
I'm beginning to understand *why* they defend MS in the first place. It doesn't take much technical knowledge to understand this is related to Linux like WS-FTP is related to Windows. Believing this is a 'Linux' bug takes a certain special lack of technical understanding . . .
Imagine if we were to post on every application for Windows that had a bug, like this was posted . . . would there be any bandwidth left for anything else?