Software flaw threatens Linux servers
C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

Posted on 11/28/2001 1:28:10 PM PST by Don Joe

By Robert Lemos, Staff Writer, CNET News.com

A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-ftpd (the Washington University FTP daemon), a program originally created at Washington University in St. Louis that serves files over the Internet using FTP (File Transfer Protocol).

While the exact number of active FTP servers on the Internet is not known, wu-ftpd is the most commonly installed FTP server and ships with most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, is a memory-corruption bug in the daemon's filename-globbing (wildcard expansion) code: a crafted pattern sent by a logged-in client corrupts the heap and lets the attacker run code with the daemon's privileges, which on a standard install are root, giving remote access to every file on the server. The flaw is reachable by anyone who can log in to the FTP service, and since most such servers accept anonymous logins from anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux vendors had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products exposed: the flaw was public, but their fixes were not ready.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."

To: Bush2000
Heh heh. It's all in good fun.

Oh oh... I am sensing a group hug again...

161 posted on 11/28/2001 3:40:59 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 160 | View Replies]

To: Don Joe
But hey, WTF do I know?

That's about the only thing you've gotten correct here.

This is not a Linux bug. Not even close.

And the lack of knowledge displayed in *claiming* it's a Linux bug is astounding, and fully explains your defense of MS!

162 posted on 11/28/2001 3:41:05 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 155 | View Replies]

To: B Knotts
But that has never worked as a viable strategy, and if the window is too big, only encourages slackage, and extends the period of actual vulnerability for Joe SysAdmin.

And that is what is really wrong with this story. If the user community had been informed on Nov 14th, they could have at least disabled or not allowed anonymous access while the bug was being corrected. As it is, they were left in the dark, with their systems wide open, and would still be in the dark if Red Hat hadn't jumped the gun.

And by their own admission, the vendors "...weren't working at a breakneck pace to get a patch out, because everyone was working together." Sounds like collusion.

163 posted on 11/28/2001 3:41:08 PM PST by danneskjold
[ Post Reply | Private Reply | To 124 | View Replies]
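The two questions behind the article's "provided they can access the FTP service" paragraph and post 163's stopgap (shut off anonymous access until the patch lands) are: is this host running wu-ftpd, and can an anonymous user reach it? The following is an added example, not code from the CNET article, the thread, or the wu-ftpd project. It drives an RFC 959 greeting and anonymous login against any object exposing readline()/write(), so it works offline on the constructed transcripts below and on a real socket file. The "FTP server (Version wu-X.Y.Z...)" greeting is wu-ftpd's default banner format; the host name, version suffix and server replies in the samples are constructed for illustration and describe no real host.

```python
"""Offline exposure check for the wu-ftpd flaw discussed above.

Added example, not from the article or the wu-ftpd project. Reports whether
a host runs wu-ftpd (and which build) and whether it accepts anonymous
logins, i.e. whether the flaw is reachable by anyone on the Internet.
Sample transcripts are constructed; reply codes follow RFC 959.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Default wu-ftpd greeting, e.g. "220 host FTP server (Version wu-2.6.1-18) ready."
# Group 4 catches a vendor suffix such as Red Hat's "-18"; vanilla "(1)" builds yield "".
WU_BANNER = re.compile(r"\(Version wu-(\d+)\.(\d+)\.(\d+)([-\w]*)")


@dataclass
class Finding:
    wuftpd: bool
    version: Optional[Tuple[int, int, int]]
    build: str          # vendor suffix after the version, "" if none
    anonymous: bool     # server accepted USER anonymous / PASS
    exposed: bool       # wu-ftpd *and* open to anonymous users


def parse_banner(text: str):
    """Return (is_wuftpd, (major, minor, patch) or None, build suffix)."""
    m = WU_BANNER.search(text)
    if not m:
        return False, None, ""
    return True, (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def read_reply(conn) -> Tuple[int, str]:
    """Read one RFC 959 reply, including the multi-line form "220-..." ... "220 ..."."""
    first = conn.readline()
    if not first:                      # peer closed the connection
        return 0, ""
    code = int(first[:3])
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":              # multi-line reply ends at "<code><space>"
        while True:
            nxt = conn.readline()
            lines.append(nxt.rstrip("\r\n"))
            if not nxt or nxt.startswith(f"{code} "):
                break
    return code, "\n".join(lines)


def _send(conn, line: str) -> None:
    conn.write(line + "\r\n")
    flush = getattr(conn, "flush", None)   # socket.makefile() objects buffer writes
    if flush:
        flush()


def probe(conn) -> Finding:
    """Read the greeting, attempt an anonymous login, and classify the host."""
    code, greeting = read_reply(conn)
    wuftpd, version, build = parse_banner(greeting)
    anonymous = False
    if code == 220:
        _send(conn, "USER anonymous")
        code, _ = read_reply(conn)
        if code == 331:                # password wanted: send the customary e-mail address
            _send(conn, "PASS audit@example.invalid")
            code, _ = read_reply(conn)
        anonymous = code == 230
    _send(conn, "QUIT")
    return Finding(wuftpd, version, build, anonymous, wuftpd and anonymous)


class ScriptedServer:
    """Constructed stand-in for a socket file: canned reply per command verb."""
    def __init__(self, greeting: str, replies: Dict[str, str]):
        self._in = greeting.splitlines(keepends=True)
        self._replies = replies
        self.sent = []

    def write(self, data: str) -> None:
        self.sent.append(data.strip())
        verb = data.split()[0].upper()
        reply = self._replies.get(verb, "502 Command not implemented.\r\n")
        self._in.extend(reply.splitlines(keepends=True))

    def readline(self) -> str:
        return self._in.pop(0) if self._in else ""


def make_sample(name: str) -> ScriptedServer:
    """Fresh constructed transcript; host names and build numbers are illustrative."""
    wu_greeting = ("220-Authorized use only.\r\n"
                   "220 ftp.example.invalid FTP server (Version wu-2.6.1-18) ready.\r\n")
    scripts = {
        "anon-open": (wu_greeting, {
            "USER": "331 Guest login ok, send your complete e-mail address as password.\r\n",
            "PASS": "230-Welcome, archive user.\r\n230 Guest login ok, access restrictions apply.\r\n",
            "QUIT": "221 Goodbye.\r\n"}),
        "anon-closed": (wu_greeting, {
            "USER": "530 User anonymous access denied.\r\n",
            "QUIT": "221 Goodbye.\r\n"}),
        "other-daemon": ("220 ftp.example.invalid (some other daemon) ready.\r\n", {
            "USER": "331 Password required.\r\n",
            "PASS": "230 Anonymous login ok.\r\n",
            "QUIT": "221 Goodbye.\r\n"}),
    }
    greeting, replies = scripts[name]
    return ScriptedServer(greeting, replies)


if __name__ == "__main__":
    for sample in ("anon-open", "anon-closed", "other-daemon"):
        print(sample, probe(make_sample(sample)))
```

Against a live host, pass `socket.create_connection((host, 21)).makefile("rw", encoding="ascii", newline="")` to `probe()`; the `_send` helper flushes the buffered file object after each command. A finding of `exposed=True` is the case the article warns about: a wu-ftpd banner plus an accepted anonymous login. On wu-ftpd itself the switch post 163 has in mind is the typelist on the `class` line in /etc/ftpaccess (a line of the form `class all real,guest,anonymous *`; removing `anonymous` refuses guest logins); that is my recollection of the ftpaccess format, not something the page states.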

To: oc-flyfish
Got to go. Have to present to the Board of Directors on why we need to spend $50,000 on a records retention system tonight. And yes, it will be running on a Microsoft server. ;-)

Have fun everyone!

164 posted on 11/28/2001 3:42:27 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 161 | View Replies]

To: Dominic Harr
"This bug doesn't give root access, that I'm aware of. Am I mistaken? Where does it say *that*?"

How's that go? Oh, yeah, now I remember: "You sound like *so* uninformed! Ewwwwwww!"

165 posted on 11/28/2001 3:42:55 PM PST by Don Joe
[ Post Reply | Private Reply | To 150 | View Replies]

To: Don Joe
I wonder if this has anything to do with www.linuxtoday.com 's main page being hacked right now.
166 posted on 11/28/2001 3:43:13 PM PST by Crispy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
(ie. few to no bugs)

Man, really, you're embarrassing yourself. This isn't a Linux bug.

167 posted on 11/28/2001 3:43:18 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 158 | View Replies]

To: oc-flyfish
If I may be so bold, one of the products my company develops is record retention software, FWIW.
168 posted on 11/28/2001 3:43:33 PM PST by danneskjold
[ Post Reply | Private Reply | To 164 | View Replies]

To: Dominic Harr
That's about the only thing you've gotten correct here. This is not a Linux bug. Not even close. And the lack of knowledge displayed in *claiming* it's a Linux bug is astounding, and fully explains your defense of MS!

As he clearly pointed out, try telling that to admins who installed RedHat Linux along with this FTP server and got f*d over. I'm sure they would be relieved to know that it's not a 'Linux bug' but, rather, just a 'compromise root access bug'.
169 posted on 11/28/2001 3:44:02 PM PST by Bush2000
[ Post Reply | Private Reply | To 162 | View Replies]

To: danneskjold
Shucks... too late. We went with Loris Technologies out of Canada.

Yes, I know I said I was leaving but this thread is so much fun!

170 posted on 11/28/2001 3:44:43 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 168 | View Replies]

To: oc-flyfish
Now I am really leaving. TTFN!
171 posted on 11/28/2001 3:45:55 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 170 | View Replies]

To: oc-flyfish
Shucks... too late. We went with Loris Technologies out of Canada

Oh well. FYI, Some of our clients are the top Accounting firms (PWC, KPMG, AA, etc...).

And we're in the United States...:)

Really, good luck...

172 posted on 11/28/2001 3:47:15 PM PST by danneskjold
[ Post Reply | Private Reply | To 170 | View Replies]

To: oc-flyfish
"LOL. Now why did you have to bring that up? :-)"

I was inspired by your "makes me want to vomit" comment. :)

173 posted on 11/28/2001 3:47:21 PM PST by Don Joe
[ Post Reply | Private Reply | To 159 | View Replies]

To: Bush2000
I'm sure they would be relieved to know that it's not a 'Linux bug' but, rather, just a 'compromise root access bug'.

Look, I'm shooting straight here. This makes you sound *very* unknowledgeable.

This isn't a Linux bug. No one will even *think* it's a Linux bug. I know because of your MS leanings you'd like to try and sell that, but no one will buy it except the truly ignorant.

And it's making you look *very* bad.

174 posted on 11/28/2001 3:47:34 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 169 | View Replies]

To: Bush2000
They still don't get the irony, do they?
175 posted on 11/28/2001 3:48:34 PM PST by danneskjold
[ Post Reply | Private Reply | To 169 | View Replies]

To: Bush2000
"Heh heh. It's all in good fun."

That's only until someone puts their eye out. :)

176 posted on 11/28/2001 3:48:44 PM PST by Don Joe
[ Post Reply | Private Reply | To 160 | View Replies]

To: Dominic Harr
oc-flyfish: "I can't tell you how many times I have heard that these types of things NEVER happen in open source (ala Linux, FreeBSD, Solaris)."

Dominic Harr: "I think you're making that up."


Another example of your reality disconnect, Dominic. Yeah, it's all our imagination. Nobody ever says that these things don't happen in open source projects. Ever visit Slashdot.org?
177 posted on 11/28/2001 3:48:57 PM PST by Bush2000
[ Post Reply | Private Reply | To 146 | View Replies]

To: Bush2000
Thanks...I'm gonna run out and buy some overpriced crapware from Micro$not.
178 posted on 11/28/2001 3:49:14 PM PST by dennisw
[ Post Reply | Private Reply | To 73 | View Replies]

To: danneskjold
They still don't get the irony, do they?

No, y'all don't!

179 posted on 11/28/2001 3:49:25 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 175 | View Replies]

To: Bush2000
Nobody ever says that these things don't happen in open source projects.

I'm on slashdot regularly. No one has ever claimed that open source code never has bugs.

That's as bogus a claim as calling this a Linux bug.

Dude, I had hoped you were smarter than these others. I had written them off as technical incompetents a while back. You, well, because of the email conversations, I had hope you might have some potential.

I suppose I was mistaken.

Please tell me you're just saying this for partisan reasons, and don't really believe it?

180 posted on 11/28/2001 3:52:07 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 177 | View Replies]
