Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
You are so right on the money. The problem is people who accept the default installation on any OS (Windows, Linux, OS/2, whatever).
The issue that I have is that a lot of the Unix crowd states that this can NEVER happen on their OS.
The point is, I suppose, to provide a "window" for vendors/authors/etc. to fix bugs before the skr1pt k1dd13s get their hands on the latest 31337 skr1tpz.
But that has never worked as a viable strategy, and if the window is too big, only encourages slackage, and extends the period of actual vulnerabilty for Joe SysAdmin.
Purely technical question: What dropped packets are you recording if you are not logging dropped incoming packets? Do you have a security problem on your internal network?
It's Mandrake. The one with the InstallShield-like setup program that's so simple that even a 15-year old 'l33t /-/4><0R' can set it up.
How relieved they must be to know that Linux remains utterly impregnable!
I can't believe how irresponsible that article is, giving people the idea that a security issue could affect Linux systems. What nerve!
And, I would argue, lame, supposedly "user-friendly" defaults encourages poor system administration/installation/security.
I run Mandrake, Conectiva and Beehive Linuxes and have never even seen wuFTP as an installable option, i.e. it's not included in any of those distributions. Besides, any critical system utility like mail or ftp will have multiple programs to choose from. If you don't like one you pop in the CD and select another.
When was the last time a MS OS came bundled with alternative mail and ftp programs?
I think the broader picture is the open source community versus commericial. I can't tell you how many times I have heard that these types of things NEVER happen in open source (ala Linux, FreeBSD, Solaris).
Unix boxes can be secured to C2 level. The spec is called the Orange Book by the people that do that kind of thing for a living.
/john
Just f.y.i. -- there is a *ton* of buggy software for Linux. If all you're looking for is buggy software on Linux, you could point to a lot of it.
The 'security' issue is about the OS itself.
For example -- this security flaw wouldn't allow someone to affect the OS. That's what 'Linux and Unix are secure' means. Not that there has never been buggy software *for* it.
Interesting that you don't know that. I wonder if your lack of technical understanding has anything to do with your support of Microsoft?
You sound *so* uninformed right now. You really make me feel good about opposing you!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.