Software flaw threatens Linux servers

C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

[Don Joe]

Software flaw threatens Linux servers

By Robert Lemos
Staff Writer, CNET News.com
November 28, 2001, 1:50 p.m. PT

A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.

While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."

[Don Joe]

"And the lack of knowledge displayed in *claiming* it's a Linux bug is astounding, and fully explains your defense of MS!"

Um, Batchmo? Oh, BATCHmo...

As long as you're taking the time to rake me over the coals for being "*so*" ignorant in "*claiming* it's a Linux bug" (yow, "astounding", even !), could you spare just a little bit more effort and... how can I say this tactfully... could you bother to cite where I "claimed that this was a Linux bug"?

After you finish that (Kirk to computer: calculate Pi"), you can take the time to explain how this isn't a linux exploit.

Ideally, I'd like to see you explain it to the aforementioned Linux admins who are yanking its tentacles from their collective bungs as we speak.

[Bush2000]

Look, I'm shooting straight here. This makes you sound *very* unknowledgable. This isn't a Linux bug. No one will even *think* it's a Linux bug. I know because of your MS leanings you'd like to try and sell that, but no one will buy it except the truly ignorant. And it's making you look *very* bad.

Your logic reminds me of this lame-O joke.

Two Afghanis are standing around a Taliban weapons depot when an allied 500lb bomb drops onto a jeep, sending shrapnel flying and killing one of the two men. The other is told to report back to headquarters what happened. Fearing reprisals, the other man says, "Oh, yes. Damned shame about Achmed getting hit by a car."

[The KG9 Kid]

"... What is a real unix system?"

Something that can compete with high-end IBM S390 mainframes in a corporate/government environment. I'm picturing a Sun Fire 15k (>US$4,000,000)with 106 UltraSPARC III processors.

If you worked as a network admin for a company that had one of those, and proposed the bright idea of loading Linux on it, the IS&T chief would probably fire you on the spot.

Any computer that a man can pick up alone and move from one side of the lab to the other is but a toy.

Before you mention that IBM is also embracing 'Tux' the Penguin, you might also want to notice that the IBM AS/400 midrange does most jobs lots better, stabler, and cheaper than a similarly-configured Linux system.

[Bush2000]

I suppose I was mistaken.

You should assign this as a macro on your keyboard. Whenever you type in a statement, don't forget to run the macro afterward.

[Bush2000]

They still don't get the irony, do they?

Nope. But I predicted that back in post #22.

[JRandomFreeper]

to admins who installed RedHat Linux

I wouldn't hire an admin that would install RedHat. I also have a 30 page checklist for checking on possible security holes. An observant admin can block most problems. This is not a linux problem. It is an admin problem, just like the idiot admins that don't apply the IIS patches. It must give the microsofties a real thrill to see an opensource bug finally hit the news. Of course, Microsoft hits the news on a regular basis with it's very damaging problems. GRIN!

/john

[Dominic Harr]

You should assign this as a macro on your keyboard.

I admit it.

I was mistaken.

I thought you had at least some technical competency. This thread proves me wrong.

Ah, well.

Ya'll have fun. If you can't even understand this simple issue, then there's no real point discussing any technical topics with you at all, is there?

Ciao, for now. I'm sure you won't miss me!

[Bush2000]

For those that missed it (post #22):

... the top excuses used by the Linux Torvalds sycophants:

Denial: "This article was paid for by Microsoft." (Remember: In their world, all bad news is delivered by Microsoft shills. There is no such thing as objective journalism which calls out Linux faults).

Equivocation: "The FTP server isn't part of the operating system." (This is my personal favorite. Linux advocates have essentially pared their definition of what is included in the operating system down to include just the kernel. Everything else isn't included -- even though it's on the same disc. Of course, they won't hesitate to slam Windows because IIS -- which likewise isn't part of the operating system -- is included during Setup.).

Blame the User: "Geez, nobody uses FTP anymore." (Linux advocates are so in touch with end-user needs that they never lose an opportunity to ignore them).

Moral Relativism: "Yeah, so Linux has bugs. But so what? We can fix our bugs faster. (Tell that to the folks whose FTP servers were already compromised).

[stainlessbanner]

hey....that e15k is some machine. we are running an e10k with 64 400mhz processors. let me tell you that baby flies!

[Bush2000]

I wouldn't hire an admin ...

What makes you think you're good enough to be hired by us?

[lelio]

Purely technical question: What dropped packets are you recording if you are not logging dropped incoming packets? Do you have a security problem on your internal network?
Ack, meant to say "I log and drop all incoming packets that's not meant for my mail server's SMTP port or the HTTP port on the web server"

[Don Joe]

"They still don't get the irony, do they?"

"No, ya'll don't!"

It's Peewee Harrman!

Hey, Peewee -- "I know you are but what am I" is like *so*...

No, I'm not gonna go there. Wouldn't be prudent.

[lelio]

I can't believe *anyone* would give any software 'root' access, especially any networking-type software like an FTP server.
You have to make it run as root as the FTP ports are 20 and 21, which are less than 1024 meaning you have to be root to access them.
Plus it might su into your account if you ftp in with a username and password.

[Petronski]

I would humbly submit, as an example of what you are saying, that WIN95 included an install program for AOL. Shall Microsoft be blamed for every bug or security problem initiated at or through AOL? I don't think so. Nor is AOL part of WIN95 just because it takes up some left-over space on the install disk.

Microsoft included a piece of third-party software on their OS installation disk that is nasty and buggy and full of every kind of problem, but these AOHell problems cannot be blamed on Microsoft. Nor can this WU-ftp thing be blamed on Red Hat, beyond stating that they included a buggy, nasty piece of third-party software on their install disk.

For the record, I use 100% Microsoft top to bottom, with the single exception of INTUIT tax software in the wintertime.

[Justa]

Here: The current Linux distributions and their components.

Now, go find wuFTP there.

Pffffff

Later.

[danneskjold]

I need to go fishing with you guys. Two of the best trollers I've seen...:)

[B Knotts]

Well, SGI is going to put Linux on their up-to-512 proc Origin systems, which in the future will be Itanium-based. Or at least they were last week. Who knows this week. :-)

But seriously, that's why they've GPL'd XFS, and have done a lot of work on the Linux fs layer. They plan to sell CXFS (Clustering XFS) to those who need it.

[TechJunkYard]

Ha! This is a riot.

I figured you would be filled with glee.

My FTP server started getting hit Sunday from APNIC subnets. RedHat sent me an advisory Tuesday. That's enough time to recognise the problem, analyze the exploit and come up with a fix. And RH doesn't even own this piece of code.

This is really a minor blip as things go. Stuff Happens -- the Linux community knows this... we monitor CERT Bugtraq and RHN for a reason... the only people who got bitten by this were the ones with weak (or no) firewalls and/or no clue. Leave yourself open to the world and you deserve what you get.

[Don Joe]

"Nope. But I predicted that back in post #22."

Man, you're really on tonight!

[Robert_Paulson2]

More and more... I see ms-dos worshippers attacking linux... must be making a dent in their God... heh heh... Hey I USE Micro-Sloppped...

BUT I applaud and support the UNISES in their BALANCING act to the manaical MS juggernaut... and keep one or two of them running here as often as possible. YOU have mail.