Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally developed at Washington University in St. Louis that provides FTP (file transfer protocol) service for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed FTP server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, had informed the Linux software companies and the open-source group that maintains wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
When it comes to server-based configurations, UNIX, AIX, or any version of Linux will run circles around NT. I don't care if it's clustering, web serving, or web clustering.
And, oh, it's so much less expensive.
The only Windows server we run is for our email (Exchange). My supervisor just has this thing for Exchange.
Go ahead, make my day! You better be a Swordfish type of hacker.
Yes, you were. Post #138 got pulled because you wanted to "rub their noses in (expletive deleted)". You got a little over-excited. God knows I was like that when I was young.
/john
To: Justa; MadIvan; Die Zaubertuba; dennisw; Terriergal; Dominic Harr; 2 Kool 2 Be 4-Gotten; kd5cts
What's the matter, people? Cat got your FTP server?
I did not troll. In fact, calling someone a troll would be a personal attack, and is prohibited by the rules of this site. So I won't.
I use open-source because my boss wants the job done. And he has no budget left (what with all the downsizing all over the US). So I have to find the things that work, and are safe, and are open-source. And I create a solution. Always from open-source. Closed source has always failed me in the long run. And I'm here for the long run.
/john
That doesn't surprise me. :-P (and I'm not necessarily excluding myself...)
Read them the S/N, and they will tell you the day your PO hit, and whether warranty still covers it.
We had a few Suns, and couple of Axils. :-(
Just an anecdote. As I was writing a long note mentioning some computing history, I went to a website that locked up Explorer on Windows 98. Yay!
Linux is good not just because of its price, but because it can do things that until recently were done on relatively expensive hardware/software. It's good in a company environment because you can recycle older machines to do some non-critical work, saving your money for that expensive, proprietary system. There's a bunch of things it's good for.
Make that older P-II handle your print jobs, and save some money. Or if you want, you can buy a $500,000 50-node parallel computer made of Linux nodes.
Ok, now it makes sense.
You mean that Dominic might concede that it is *gasp* a Linux bug instead?
I am not so sure about that. IBM has a HUGE base of ES/9000 (mainframe) units out there. Not sure, but I think the RS/6000 would qualify under your qualifications as well.
Now don't go confusing him with the facts...
This topic is just about as current as discussing an access vulnerability in NT4. As best I can tell WuFTP hasn't been included in any of the Linux distributions for years, hence RH's 'reluctance' to patch the problem. Does Microsoft still offer security support for Windows 3.1?
While we're on the subject, please tell me why MS only put out a Code Red fix for Windows 2000 Server when the virus primarily corrupts the functionality of the NT4 kernels? They've provided no patches for the 3 Code Red vulnerabilities of NT4. In fact, they made Symantec wait six weeks last summer before approving their FixRed cleaning tool for 98/NT4, and then only allowed a fix for CR's virtual root trojan. Now, wtf would MS do that?
Of course, since the MS-approved fixes apply only to the virtual root trojan and 2000's buffer overflow, infected NT4 users are out there with corrupted CMOS and BIOSes inside their (now lagging) NT4 systems. And just what's loaded into the CMOS and BIOS shadow of a CR-corrupted machine? Why, an NT5 comm.drv of all things. Imagine that.
You are wrong on this. Microsoft put out patches for NT and 2000. I know because I applied them to many NT servers. It would have been nuts for Microsoft to only put out patches for 2000 as most of their customers are still running NT.