Software flaw threatens Linux servers
C|Net | November 28, 2001, 1:50 p.m. PT | Robert Lemos, Staff Writer, CNET News.com
Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP (wu-ftpd), a daemon originally written at Washington University in St. Louis that serves files over FTP (file transfer protocol) on the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed FTP server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability (later assigned CVE-2001-0550 and covered by CERT advisory CA-2001-33), is a memory-corruption bug in the daemon's handling of filename wildcard (glob) patterns. Because wu-FTP runs as root, an attacker who can log in and trigger the bug can execute code with root privileges, and so read or alter any file on the server. The only precondition is access to the FTP service, and since most such servers allow anonymous logins from anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
To: thunderdome
"But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
Imagine Bill Gates saying that line and every penguin kisser would be flaming M$.
Exactly. Microsoft gets bashed for even needing a patch, let alone not getting it out the instant a problem is detected.
To: Don Joe
Ha! This is a riot. I will predict the top excuses used by the Linux Torvalds sycophants:
- Denial: "This article was paid for by Microsoft." (Remember: In their world, all bad news is delivered by Microsoft shills. There is no such thing as objective journalism which calls out Linux faults).
- Equivocation: "The FTP server isn't part of the operating system." (This is my personal favorite. Linux advocates have essentially pared their definition of what is included in the operating system down to include just the kernel. Everything else isn't included -- even though it's on the same disc. Of course, they won't hesitate to slam Windows because IIS -- which likewise isn't part of the operating system -- is included during Setup.).
- Blame the User: "Geez, nobody uses FTP anymore." (Linux advocates are so in touch with end-user needs that they never lose an opportunity to ignore them).
- Moral Relativism: "Yeah, so Linux has bugs. But so what? We can fix our bugs faster. (Tell that to the folks whose FTP servers were already compromised).
22 posted on 11/28/2001 1:55:38 PM PST by Bush2000
To: Don Joe
Come on. Linux is "open source," right? The users just need to get in there under the hood and fix it. It's their problem.
To: Liberal Classic
This isn't a Linux problem, specifically. It's a problem with the ftp server program. This isn't Bill Gates' fault, but it isn't Linus Torvalds' either. :)
That's a mighty thin hair you're splitting, my friend...:)
To: Don Joe
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
Imagine ... they weren't prepared for an instant patch. How is this possible? I thought that open source is the cure for cancer.
25 posted on 11/28/2001 1:57:51 PM PST by Bush2000
To: Liberal Classic
26 posted on 11/28/2001 1:59:24 PM PST by Bush2000
To: Bush2000
you nailed it...
kinda like "shooting fish in a barrel"...
To: danneskjold
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.
To: lelio
Then quit using wuFTP or the Univ of Washington IMAP server! Those two are #3 and #4 behind Sendmail and BIND in Things That Have a New Bug Every Week. Not that I have a thing against UW, but man do those two programs suck.
Look, either open source works -- or it doesn't. If you guys can't fix these problems, maybe you should pay somebody to do it for you.
29 posted on 11/28/2001 2:01:40 PM PST by Bush2000
To: Liberal Classic
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.
I'll agree with that as soon as you agree that IIS bugs aren't a Windows problem.
30 posted on 11/28/2001 2:03:03 PM PST by Bush2000
To: Liberal Classic
Hairsplitting? No. This is not a Linux problem. A previous version of WU-FTP had the same problem on Sun and SGIs.
What OS does this article report on?
To: Archmagus
"Of course, they're gonna blame MS for this. It's second nature for Linux nuts to blame MS for all their problems."
Now, now, blaming the Linux OS for wu-ftp's shortcomings is kind of like blaming Windows for the flaws in Norton Utilities. Just so you know, wu-ftp is a program run under Linux, not Linux itself. And just like lots of NU customers, most people that used or had heard about the flaws in wu-ftp switched over to other packages years ago. On the other hand, the MS OS itself is still very insecure and flaky.
God Bless America
To: Bush2000
Look, either open source works -- or it doesn't.
ROTFL! I can release anything and it falls under "open source." My bad coding doesn't damn the entire process.
It's huge programs like this, I'm thinking sendmail here, which lead to much simpler things like Qmail which does its job and that's it.
33 posted on 11/28/2001 2:04:15 PM PST by lelio
To: Bush2000
wu-ftpd is part of the RedHat Linux operating system.
It is not part of some other Linux-based operating systems.
So, no, it's not a "Linux" problem. It's a wu-ftpd problem. There have been many, many wu-ftpd holes in the past, most of which were worse than this one. That's why anyone with a clue is no longer using wu-ftpd. And, yes, RedHat deserves a thwack of the cluestick for still using that pile of steaming feces that is wu-ftpd.
34 posted on 11/28/2001 2:04:35 PM PST by B Knotts
To: JustAnAmerican
Now, now, blaming the Linux OS for wu-ftp's shortcomings is kind of like blaming Windows for the flaws in Norton Utilities. Just so you know, wu-ftp is a program run under Linux, not Linux itself. And just like lots of NU customers, most people that used or had heard about the flaws in wu-ftp switched over to other packages years ago. On the other hand, the MS OS itself is still very insecure and flaky.
I disagree. If the OS allows a program to breach its (the OS's) file security, the problem is at least equally with the OS.
To: Bush2000
You're claiming IIS is a third-party application?
36 posted on 11/28/2001 2:06:09 PM PST by B Knotts
To: Bush2000
Loserville? Excuse me? You want to get nasty?
The WU-FTP software package had the same problem on Sun, SGI, and a number of other unix systems. The problem was the software program did not check its input correctly, the famous stack overflow problem. The problem is that the software runs as the administrator, and when compromised the crack runs as administrator. This problem exists on Linux, Solaris, IRIX, and Windows.
To: Bush2000
I will direct the gentle reader to note that posts 20 and 22 were both posted at the exact same time, verifiable by looking at their respective timestamps.
Even so, I brace for the Wounded Linies to scream foul, accusing B2K of having read their poor fallen comrade's post before creating his own entry. Denial is cruel; heartlessly cruel.
38 posted on 11/28/2001 2:09:01 PM PST by Don Joe
To: Liberal Classic
famous stack overflow problem
Well then those handful of people running HPUX should be safe as it has some sort of gee-whiz protection against buffer overflows.
39 posted on 11/28/2001 2:09:50 PM PST by lelio
To: danneskjold
If the ftp daemon is run as a normal user in a chroot jail, there would be no access to the file system in general, despite a bug like this one. Hence, it is not a general OS problem.
40 posted on 11/28/2001 2:10:00 PM PST by B Knotts
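Two replies above make the point that matters most for a bug like this one: the reply beginning "Loserville?" notes that the software runs as the administrator, so a compromise runs as administrator, and post 40 notes that a daemon running as a normal user inside a chroot jail could not hand over the file system even with a bug like this. The C below is an added example of how a daemon does that drop correctly; it is not code from wu-FTP or from any poster, and the jail path and the nobody uid/gid (65534) are assumptions. The order of calls is the substance: chroot() before chdir("/") so the working directory is inside the jail, supplementary groups before gid before uid, and a final check that root cannot be regained, because a chroot that keeps root is not a boundary at all.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome codes, so the caller can tell which step failed and log it. */
enum drop_result {
    DROP_OK = 0,
    DROP_ERR_NOT_ROOT,          /* only root can chroot() and change ids */
    DROP_ERR_TARGET_IS_ROOT,    /* asked to "drop" to uid/gid 0: refuse */
    DROP_ERR_CHROOT,
    DROP_ERR_CHDIR,
    DROP_ERR_SETGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_PRIVILEGED   /* root could be regained after the drop */
};

/* Confine the calling process to `jail` and shed root, failing closed.
 * chroot() comes before chdir("/") so the cwd ends up inside the jail;
 * groups, then gid, then uid, because once the uid is non-zero the earlier
 * steps are no longer permitted; then a check that privilege cannot be
 * regained, which is what turns the jail into an actual boundary. */
enum drop_result drop_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return DROP_ERR_NOT_ROOT;
    if (uid == 0 || gid == 0)
        return DROP_ERR_TARGET_IS_ROOT;
    if (chroot(jail) != 0)
        return DROP_ERR_CHROOT;
    if (chdir("/") != 0)
        return DROP_ERR_CHDIR;
    if (setgroups(0, NULL) != 0)
        return DROP_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;
    /* Verify the drop is irreversible: regaining root must now fail, and
     * both real and effective ids must be the unprivileged ones. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return DROP_ERR_STILL_PRIVILEGED;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_ERR_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Human-readable name for a result code, for the daemon's log line. */
const char *drop_result_name(enum drop_result r)
{
    static const char *names[] = {
        "ok", "not running as root", "refusing to drop to uid/gid 0",
        "chroot failed", "chdir failed", "setgroups failed",
        "setgid failed", "setuid failed", "still privileged after drop"
    };
    return names[r];
}

int main(void)
{
    /* Assumed jail directory and the conventional nobody uid/gid. */
    enum drop_result r = drop_to_jail("/var/empty", 65534, 65534);
    printf("drop_to_jail: %s", drop_result_name(r));
    if (r >= DROP_ERR_CHROOT && r <= DROP_ERR_SETUID)
        printf(" (%s)", strerror(errno));   /* errno is only meaningful for syscall failures */
    printf("\n");
    /* A daemon must refuse to serve unless the drop fully succeeded. */
    return r == DROP_OK ? 0 : 1;
}
```

Run as an ordinary user it reports "not running as root" and exits non-zero, which is the intended fail-closed behaviour: a daemon that cannot complete the drop must not go on to accept connections. The final setuid(0) check is the part most implementations omit; without it a daemon that only changed its effective uid would still be root for the purposes of a heap-corruption bug like the one in the article. The reason wu-FTP historically kept root at all is that it binds port 21 and switches to each logged-in user's identity, which is exactly the design choice that turns one memory-safety bug into a root compromise.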