Free Republic
Software flaw threatens Linux servers
C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

Posted on 11/28/2001 1:28:10 PM PST by Don Joe


A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis that provides FTP (file transfer protocol) service for transferring files over the Internet.

While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."


To: thunderdome
"But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

Imagine Bill Gates saying that line and every penguin kisser would be flaming M$.

Exactly. Microsoft gets bashed for even needing a patch, let alone not getting it out the instant a problem is detected.

21 posted on 11/28/2001 1:55:28 PM PST by danneskjold
[ Post Reply | Private Reply | To 18 | View Replies]

To: Don Joe
Ha! This is a riot. I will predict the top excuses used by the Linux Torvalds sycophants:


22 posted on 11/28/2001 1:55:38 PM PST by Bush2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: Don Joe
Come on. Linux is "open source," right? The users just need to get in there under the hood and fix it. It's their problem.
23 posted on 11/28/2001 1:55:53 PM PST by Clinton's a rapist
[ Post Reply | Private Reply | To 1 | View Replies]

To: Liberal Classic
This isn't a linux problem, specifically. It's a problem with the ftp server program. This isn't Bill Gates' fault, but it isn't Linus Torvald's either. :)

That's a mighty thin hair you're splitting, my friend...:)

24 posted on 11/28/2001 1:56:44 PM PST by danneskjold
[ Post Reply | Private Reply | To 20 | View Replies]

To: Don Joe
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

Imagine ... they weren't prepared for an instant patch. How is this possible? I thought that open source is the cure for cancer.
25 posted on 11/28/2001 1:57:51 PM PST by Bush2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: Liberal Classic
Congratulations! You win an all-expenses paid trip to Loserville! See http://www.freerepublic.com/focus/fr/579875/posts?page=25#22.
26 posted on 11/28/2001 1:59:24 PM PST by Bush2000
[ Post Reply | Private Reply | To 20 | View Replies]

To: Bush2000
you nailed it...

kinda like "shooting fish in a barrel"...

27 posted on 11/28/2001 2:00:33 PM PST by danneskjold
[ Post Reply | Private Reply | To 26 | View Replies]

To: danneskjold
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.
28 posted on 11/28/2001 2:01:22 PM PST by Liberal Classic
[ Post Reply | Private Reply | To 24 | View Replies]

To: lelio
Then quit using wuFTP or the Univ of Washington IMAP server! Those two are #3 and #4 behind Sendmail and BIND in Things That Have a New Bug Every Week. Not that I have a thing against UW, but man do those two programs suck.

Look, either open source works -- or it doesn't. If you guys can't fix these problems, maybe you should pay somebody to do it for you.
29 posted on 11/28/2001 2:01:40 PM PST by Bush2000
[ Post Reply | Private Reply | To 5 | View Replies]

To: Liberal Classic
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.

I'll agree with that as soon as you agree that IIS bugs aren't a Windows problem.
30 posted on 11/28/2001 2:03:03 PM PST by Bush2000
[ Post Reply | Private Reply | To 28 | View Replies]

To: Liberal Classic
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.

What OS does this article report on?

31 posted on 11/28/2001 2:03:20 PM PST by danneskjold
[ Post Reply | Private Reply | To 28 | View Replies]

To: Archmagus
"Of course, they're gonna blame MS for this. It's second nature for Linux nuts to blame MS for all their problems."

Now, now, blaming the Linux OS for wu-ftp's shortcomings is kind of like blaming Windows for the flaws in Norton Utilities. Just so you know, wu-ftp is a program run under Linux, not Linux itself. And just like lots of NU customers, most people that used or had heard about the flaws in wu-ftp switched over to other packages years ago. On the other hand, the MS OS itself is still very insecure and flaky.

God Bless America

32 posted on 11/28/2001 2:03:34 PM PST by JustAnAmerican
[ Post Reply | Private Reply | To 17 | View Replies]

To: Bush2000
Look, either open source works -- or it doesn't.
ROTFL! I can release anything and it falls under "open source." My bad coding doesn't damn the entire process.
It's huge programs like this, I'm thinking sendmail here, which lead to much simpler things like Qmail which does its job and that's it.
33 posted on 11/28/2001 2:04:15 PM PST by lelio
[ Post Reply | Private Reply | To 29 | View Replies]

To: Bush2000
wu-ftpd is part of the RedHat Linux operating system.

It is not part of some other Linux-based operating systems.

So, no, it's not a "Linux" problem. It's a wu-ftpd problem. There have been many, many wu-ftpd holes in the past, most of which were worse than this one. That's why anyone with a clue is no longer using wu-ftpd. And, yes, RedHat deserves a thwack of the cluestick for still using that pile of steaming feces that is wu-ftpd.

34 posted on 11/28/2001 2:04:35 PM PST by B Knotts
[ Post Reply | Private Reply | To 22 | View Replies]

To: JustAnAmerican
Now, now, blaming the Linux OS for wu-ftp's shortcomings is kind of like blaming Windows for the flaws in Norton Utilities. Just so you know, wu-ftp is a program run under Linux, not Linux itself. And just like lots of NU customers, most people that used or had heard about the flaws in wu-ftp switched over to other packages years ago. On the other hand, the MS OS itself is still very insecure and flaky.

I disagree. If the OS allows a program to breach its (the OS's) file security, the problem is at least equally with the OS.

35 posted on 11/28/2001 2:05:18 PM PST by danneskjold
[ Post Reply | Private Reply | To 32 | View Replies]

To: Bush2000
You're claiming IIS is a third-party application?
36 posted on 11/28/2001 2:06:09 PM PST by B Knotts
[ Post Reply | Private Reply | To 30 | View Replies]

To: Bush2000
Loserville? Excuse me? You want to get nasty?

The WU-FTP software package had the same problem on Sun, SGI, and a number of other unix systems. The problem was the software program did not check its input correctly, the famous stack overflow problem. The problem is that the software runs as the administrator, and when compromised the crack runs as administrator. This problem exists on Linux, Solaris, IRIX, and Windows.

37 posted on 11/28/2001 2:07:05 PM PST by Liberal Classic
[ Post Reply | Private Reply | To 26 | View Replies]

To: Bush2000
I will direct the gentle reader to note that posts 20 and 22 were both posted at the exact same time, verifiable by looking at their respective timestamps.

Even so, I brace for the Wounded Linies to scream foul, accusing B2K of having read their poor fallen comrade's post before creating his own entry. Denial is cruel; heartlessly cruel.

38 posted on 11/28/2001 2:09:01 PM PST by Don Joe
[ Post Reply | Private Reply | To 26 | View Replies]

To: Liberal Classic
famous stack overflow problem
Well then those handful of people running HPUX should be safe as it has some sort of gee-whiz protection against buffer overflows.
39 posted on 11/28/2001 2:09:50 PM PST by lelio
[ Post Reply | Private Reply | To 37 | View Replies]

To: danneskjold
If the ftp daemon is run as a normal user in a chroot jail, there would be no access to the file system in general, despite a bug like this one. Hence, it is not a general OS problem.
40 posted on 11/28/2001 2:10:00 PM PST by B Knotts
[ Post Reply | Private Reply | To 35 | View Replies]
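The confinement that post 40 describes, as an added example in C (not code from the article, the thread, or wu-ftpd): a daemon drops root and chroots before it handles any client input, so a later memory-corruption bug runs as an unprivileged user inside the jail rather than as root over the whole file system. The jail directory and the uid/gid 65534 are assumed values for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE      /* declares chroot() and setgroups() under strict -std modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confine the calling process to directory `jail` and switch to uid/gid.
 * Returns 0 on success, or -errno for the step that failed (-EPERM when the
 * caller lacks root / CAP_SYS_CHROOT).  Order matters: chdir before chroot so
 * the working directory is inside the jail; drop supplementary groups and the
 * gid before the uid (once the uid is unprivileged the group calls fail);
 * check every return value, since a silently failed setuid() leaves root. */
int confine_process(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0)        return -errno;
    if (chroot(jail) != 0)       return -errno;
    if (chdir("/") != 0)         return -errno;   /* "/" is now the jail root */
    if (setgroups(0, NULL) != 0) return -errno;
    if (setgid(gid) != 0)        return -errno;
    if (setuid(uid) != 0)        return -errno;
    if (setuid(0) == 0)          return -EPERM;   /* the drop must be irreversible */
    return 0;
}

/* 1 if `path` cannot be opened for reading from the current root, else 0. */
int path_is_unreachable(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return 0; }
    return 1;
}

int main(void)
{
    /* Assumed values: an empty jail directory and the "nobody" ids 65534. */
    int rc = confine_process("/var/empty", 65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "confinement failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("/etc/passwd reachable from inside the jail: %s\n",
           path_is_unreachable("/etc/passwd") ? "no" : "yes");
    return 0;
}
```

Run it as root to see the jail take effect; as an ordinary user chroot() is refused with EPERM, which the return value reports instead of continuing unconfined.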

