Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
IIS bugs are 'Microsoft' bugs -- because MS *makes* IIS. IIS bugs are not 'Windows' bugs.
And this is not a Linux bug. Man, you really have to be kidding, right? You at least know that much, don't you?
Ask yourself -- with this bug, can you attack the OS itself? The answer is *no*. This is not an OS vulnerability.
I'm beginning to wonder about ya'll. Are you seriously trying to claim this as a Linux bug?
Let's see... having root access to a Linux box isn't affecting the OS?
Guess I don't need to worry about hackers geting the passsord for my NT administrator account now. Thanks for making me sleep better at night.
I think you're making that up.
One of the big 'plusses' of open-source is that bugs get fixed more quickly.
No one would *ever* say that open-source never makes buggy software. I don't believe anyone said that. We tout how *fast* we fix bugs. If there were no bugs to begin with, we couldn't be so good at fixing them. And the real story here is how so many companies worked on fixes so quickly.
I'm guessing you just misunderstood . . .
Damn, Batchmo, it's like clockwork. Every time you spot your undies, you start squealing like a Valley Girl.
Can you like *drop* the Valleyspeak filter? It's like *so* 1985. Like *gag* me, ewwww!
How would this give root access to the FTP user?
This bug doesn't give root access, that I'm aware of. Am I mistaken? Where does it say *that*?
Nice backtracking, but nope -- ya'll are claiming this is a Linux bug.
Besides, one of the biggest claims of 'open source' is we fix bugs *quickly*. So we obviously never claimed to have no bugs. You just put your foot in it, and I now wonder about your actual technical ability. You *can't* have really meant the things you've been saying, can you?
Nope, in fact I have heard it so much that it makes me want to vomit.
One of the big 'plusses' of open-source is that bugs get fixed more quickly.
Didn't happen here. I tend to disagree with this. I think MS has just as much incentive to fix a bug as does the open source community. No one looks good with "open doors" to the OS be it Linux or Windows.
Lol, see #131.
All your cloying little pocket-strokes notwithstanding, the fact remains that countless Linux admins are having flakey $#!+$ tonight because their systems were compromised by an open-source OS component.
Call me skeptical, but somehow, I doubt that your gloating -- in the face of their agony -- would be received with welcome arms tonight.
But hey, WTF do I know? Maybe you really should hop on the ol' bandwagon and remind them all that their systems are impregnable, and there's nothing to worry about.
After you calm them down, you'll have their attention, so you can let them know how Java crapplications never crash, and run like greased bats with JATO pods fleeing from Hell Heights with a strong tailwind.
Unless my lunch is making me loopy, I read it here on this tread. The daemon runs as root and allows the person to take control of the system after overflowing the buffer.
Where did you get that? I've never used that FTP software, but that makes *no* sense. Are you sure? I can't believe *anyone* would give any software 'root' access, especially any networking-type software like an FTP server.
If someone made the FTP client run as root on *purpose*, then absolutely that is a problem. But again, that isn't a 'Linux' problem now, is it? Not related to the OS or people making Linux, is it?
LOL. Now why did you have to bring that up? :-)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.