Software flaw threatens Linux servers
C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

Posted on 11/28/2001 1:28:10 PM PST by Don Joe

By Robert Lemos
Staff Writer, CNET News.com
November 28, 2001, 1:50 p.m. PT

A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.

While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."


TOPICS: Culture/Society; Front Page News; News/Current Events
To: stainlessbanner; kd5cts
10-4 on that one! If you ever go to the ZoneAlert site, they have a step-by-step on how to undo the defaults MS installs on setup -- the theory being that more capability is better. Funny that they never ask you during the install...
241 posted on 11/28/2001 6:24:25 PM PST by Bitwhacker
[ Post Reply | Private Reply | To 233 | View Replies]

To: Bush2000; kd5cts
I agree on the software engineering thought; but I don't think wuFTP is any indication of open source software reliability per se. What it does point out is that anybody -- anybody -- can whip up some code, call it a 'project' on Freshmeat, and have people download it without any vetting. Good or bad, that's the way it is, and the user must do some due diligence on the quality of the software.
242 posted on 11/28/2001 6:31:34 PM PST by Bitwhacker
[ Post Reply | Private Reply | To 239 | View Replies]

To: The KG9 Kid
Maybe the "expert" Linux people that work with you aren't "experts" after all.

When it comes to server-based configurations, UNIX, AIX, or any version of Linux will run circles around NT. I don't care if it's clustering, web serving, or web clustering.

And, oh, it's so much less expensive.

The only Windows server we run is for our email (Exchange). My supervisor just has this thing for Exchange.


243 posted on 11/28/2001 6:41:47 PM PST by rdb3
[ Post Reply | Private Reply | To 208 | View Replies]

To: max61
I'll add my own servers to the wager.

Go ahead, make my day! You better be a Swordfish type of hacker.


244 posted on 11/28/2001 6:48:32 PM PST by rdb3
[ Post Reply | Private Reply | To 230 | View Replies]

To: Bitwhacker
I agree on the software engineering thought; but I don't think wuFTP is any indication of open source software reliability per se. What it does point out is that anybody -- anybody -- can whip up some code, call it a 'project' on Freshmeat, and have people download it without any vetting. Good or bad, that's the way it is, and the user must do some due diligence on the quality of the software.

Agree completely. I'm not really trying to bash Linux or wuFTP in particular. I think that, speaking for myself at least, I get a little annoyed when people slam software bugs with the expectation that there is any such thing as 'bug-free' code. It doesn't exist. There is certainly 'sufficiently-tested' code. But not 'bug-free'. Anybody that makes such claims is full of crap.
245 posted on 11/28/2001 6:51:26 PM PST by Bush2000
[ Post Reply | Private Reply | To 242 | View Replies]

To: Bush2000
I'm not really trying to bash Linux

Yes, you were. Post #138 got pulled because you wanted to "rub their noses in (expletive deleted)". You got a little over-excited. God knows I was like that when I was young.

/john

246 posted on 11/28/2001 7:06:47 PM PST by JRandomFreeper
[ Post Reply | Private Reply | To 245 | View Replies]

To: kd5cts
Yes, you were. Post #138 got pulled because you wanted to "rub their noses in (expletive deleted)". You got a little over-excited. God knows I was like that when I was young.

No, troll. There's a huge and obvious difference between "rubbing their [open source is the cure for cancer crowd] noses" and bashing Linux. If you can't see that, you're less observant than I thought.
247 posted on 11/28/2001 7:36:25 PM PST by Bush2000
[ Post Reply | Private Reply | To 246 | View Replies]

To: Bush2000
I knew you weren't bashing Linux per se. Open Source has to get its act together as to being ready for prime time. Linux certainly is NOT bug-free and does not claim to be. It is what it is -- and all are welcome to use it, improve it where you think it needs it, or just leave it be if that's your take on it. But Linux is not Open Source in and of itself; there are many projects in OS that don't work at all....
248 posted on 11/28/2001 8:00:26 PM PST by Bitwhacker
[ Post Reply | Private Reply | To 245 | View Replies]

To: Bush2000
Did you ping me to this thread? With a question about ftp?
To: Justa; MadIvan; Die Zaubertuba; dennisw; Terriergal; Dominic Harr; 2 Kool 2 Be 4-Gotten; kd5cts

What's the matter, people? Cat got your FTP server?

I did not troll. In fact, calling someone a troll would be a personal attack, and is prohibited by the rules of this site. So I won't.

I use open-source because my boss wants the job done. And he has no budget left (what with all the downsizing all over the US). So I have to find the things that work, and are safe, and are open-source. And I create a solution. Always from open-source. Closed source has always failed me in the long run. And I'm here for the long run.

/john

249 posted on 11/28/2001 8:07:07 PM PST by JRandomFreeper
[ Post Reply | Private Reply | To 247 | View Replies]

To: kd5cts
The Sun warranty system is better at keeping records than most admins.

That doesn't surprise me. :-P (and I'm not necessarily excluding myself...)

Read them the S/N, and they will tell you the day your PO hit, and whether warranty still covers it.

We had a few Suns, and a couple of Axils. :-(

250 posted on 11/28/2001 8:11:26 PM PST by B Knotts
[ Post Reply | Private Reply | To 227 | View Replies]

To: Bush2000; innocentbystander; Smogger; Dominic Harr; danneskjold; AppyPappy; thunderdome...
I took the liberty of flagging a whole bunch of people from this thread. Very grim message, go read it now, flag others as you see fit.

Is Free Republic a Fraud? Is it time for Free Republic to go away?

251 posted on 11/28/2001 8:18:31 PM PST by Don Joe
[ Post Reply | Private Reply | To 1 | View Replies]

Groan. Let's try it one more time without a malformed URL:

Is Free Republic a Fraud? Is it time for Free Republic to go away?

252 posted on 11/28/2001 8:23:14 PM PST by Don Joe
[ Post Reply | Private Reply | To 251 | View Replies]

To: B Knotts
Absolutely not; I don't want to get pigeonholed. Where are all the VMS and Novell people today? Working on Unix or Windows, maybe Big Blue.

Just an anecdote. As I was writing a long note mentioning some computing history, I went to a website that locked up Explorer on Windows 98. Yay!

Linux is good not just because of its price, but because it can do things that until recently were done on relatively expensive hardware/software. It's good in a company environment because you can recycle older machines to do some non-critical work, saving your money for that expensive, proprietary system. There's a bunch of things it's good for.

Make that older P-II handle your print jobs, and save some money. Or if you want, you can buy a $500,000 50-node parallel computer made of Linux nodes.

253 posted on 11/28/2001 8:36:49 PM PST by Liberal Classic
[ Post Reply | Private Reply | To 220 | View Replies]

To: lelio
Ack, meant to say "I log and drop all incoming packets that aren't meant for my mail server's SMTP port or the HTTP port on the web server"

Ok, now it makes sense.

254 posted on 11/29/2001 3:23:57 AM PST by oc-flyfish
[ Post Reply | Private Reply | To 191 | View Replies]

To: lelio
You have to make it run as root, as the FTP ports are 20 and 21, which are less than 1024, meaning you have to be root to access them. Plus it might su into your account if you ftp in with a username and password.

You mean that Dominic might concede that it is *gasp* a Linux bug instead?

255 posted on 11/29/2001 3:25:17 AM PST by oc-flyfish
[ Post Reply | Private Reply | To 193 | View Replies]
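The post above gives the reason a wu-FTP bug is a root bug: the daemon must start as root to bind ports 20 and 21, and only later switches to a user account. The least-privilege pattern that limits that exposure, as an added example in C that is not from the article or any poster: bind the control port while still root, then drop to an unprivileged uid/gid in the right order and verify the drop cannot be reversed before any client input (such as a glob pattern) is parsed. The loopback port, the uid/gid 65534 and the function names are assumptions.

```c
#define _GNU_SOURCE              /* declares setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on the FTP control port (loopback only here).  Ports below
 * 1024 need root or CAP_NET_BIND_SERVICE.  Returns the listening fd or -1. */
int bind_control_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root in the only order that works: supplementary groups, then gid,
 * then uid.  Changing the uid first would leave no permission to change the
 * gid afterwards.  Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    return 0;
}

/* A process that really dropped root cannot get it back: setuid(0) must fail
 * with EPERM.  Returns 1 if the drop is irrevocable, 0 otherwise. */
int privileges_irrevocable(void) {
    return setuid(0) < 0 && errno == EPERM;
}

int main(void) {
    int fd = bind_control_port(21);                 /* must run as root */
    if (fd < 0) { perror("bind port 21"); return 1; }
    /* 65534 is a constructed placeholder for an unprivileged "ftp" account. */
    if (drop_privileges(65534, 65534) < 0 || !privileges_irrevocable()) {
        fprintf(stderr, "still root; refusing to parse client input\n");
        return 1;
    }
    printf("port 21 bound, now uid %d; safe to accept clients\n", (int)geteuid());
    close(fd);
    return 0;
}
```

Run as an ordinary user the bind fails with EACCES, which is the whole point: only the bind needs root, and nothing after it should have it.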

To: kd5cts
There are many more 4 processor linux servers out there doing real work than there are the big iron boxes.

I am not so sure about that. IBM has a HUGE base of ES/9000 (mainframe) units out there. Not sure, but I think the RS/6000 would qualify under your qualifications as well.

256 posted on 11/29/2001 3:32:05 AM PST by oc-flyfish
[ Post Reply | Private Reply | To 206 | View Replies]

To: danneskjold
That's not what the article says:

Now don't go confusing him with the facts...

257 posted on 11/29/2001 3:38:30 AM PST by oc-flyfish
[ Post Reply | Private Reply | To 238 | View Replies]

To: oc-flyfish
It's still the wuFTP app which provides root access via the port. Current Linux FTP apps secure and/or redirect requests made to port 21.

This topic is just about as current as discussing an access vulnerability in NT4. As best I can tell, WuFTP hasn't been included in any of the Linux distributions for years, hence RH's 'reluctance' to patch the problem. Does Microsoft still offer security support for Windows 3.1?

While we're on the subject, please tell me why MS only put out a Code Red fix for Windows 2000 Server when the virus primarily corrupts the functionality of the NT4 kernels? They've provided no patches for the 3 Code Red vulnerabilities of NT4. In fact, they made Symantec wait six weeks last summer before approving their FixRed cleaning tool for 98/NT4, and then only allowed a fix for CR's virtual root trojan. Now, wtf would MS do that?

Of course, since the MS-approved fixes apply only to the virtual root trojan and 2000's buffer overflow, infected NT4 users are out there with corrupted CMOS and BIOSes inside their (now lagging) NT4 systems. And just what's loaded into the CMOS and BIOS shadow of a CR-corrupted machine? Why, an NT5 comm.drv of all things. Imagine that.

258 posted on 11/29/2001 4:27:34 AM PST by Justa
[ Post Reply | Private Reply | To 255 | View Replies]

To: Justa
While we're on the subject, please tell me why MS only put out a Code Red fix for Windows 2000 Server when the virus primarily corrupts the functionality of the NT4 kernels? They've provided no patches for the 3 Code Red vulnerabilities of NT4.

You are wrong on this. Microsoft put out patches for NT and 2000. I know because I applied them to many NT servers. It would have been nuts for Microsoft to only put out patches for 2000 as most of their customers are still running NT.

259 posted on 11/29/2001 4:32:25 AM PST by oc-flyfish
[ Post Reply | Private Reply | To 258 | View Replies]

To: oc-flyfish
I'm not talking about the buffer overflow exploit. IMO that was merely the broadcast mechanism for the NT4 payloads. Oh, and I'm -quite- sure on this, having tested and cleaned CR-infected media and systems for 6 weeks. The infected 2000 Server was pulled after infection and I worked on it and the networked NT4 kernel systems thereafter. Furthermore, all the '98 virus scanners alerted that their explorer.exe shells had been corrupted by CodeRed.c. And it was in the BIOS and CMOS of those machines where I found the NT5 comm.drv loaded and running in addition to the (NT4) DOS comm.drv. That created dual instance calls to the OS's HAL, which put CPU usage to >95% at startup.
260 posted on 11/29/2001 5:08:08 AM PST by Justa
[ Post Reply | Private Reply | To 259 | View Replies]
