Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
My prediction is true... 11 machines per day.
Are we going to have a big group hug soon? You know I hate those things. :-)
This is an important and very good question. It really highlights an argument made by one of the chief Open Source advocates: Eric S. Raymond. He wrote a paper called "The Cathedral and the Bazaar," in which he compared projects which used a top-down approach, vs. projects which use a more chaotic approach. He argues that the "Bazaar" approach gains the benefits of less bugs, and quicker bug fixes.
wu-ftpd is developed in more of a "Cathedral" style, as far as I know.
Funny, that's the EXACT term I used to describe the election of Hillary last November!
Sounds like a good FR screen name...
But it is open source right?
I'll agree with that as soon as you agree that IIS bugs aren't a Windows problem.
IIS is not a Windows problem, it's a MICROSOFT problem
So is this a Red Hat problem?
I'm not ashamed to say I earned my keep working with Microsoft products. Now days I work on mid-range unix servers. None of these vendors are perfect. IBM, Sun, Microsoft all have their patches.
I don't have a real high opinion of a lot of Microsoft software these days, but they've had a few hits, IMO. DOS 5.0 was good, and Visual Basic 1.0 was cool. VB had a built in development enviroment, the forerunner to Visual Studio. It was the bees knees back then when when you wrote a Windows program, you wrote in in DOS using MS C+ 6.0 (if I recall). Workbench was still a DOS application. Edit Code. Start Windows. Run Program. Crash. Reboot. Edit Code. Start Windows. Run Program. Crash. Reboot. Frankly, Windows has come a long way.
I am not a computer bigot. Compuers are apolitical. They're machines. Use what suits you. For some people, that's Windows, for others a Mac. Some people need large, expensive servers, and some people need cheap boxes. Linux is really good, better than a lot of people who bash it realize. People that knock it really haven't seen what it can do.
Yes, it is. And that was my point. This is not a "Linux" problem; it is a wu-ftpd and RedHat problem.
Sounds like Dr. Seuss
When Linux users fight with
Globbing Heap errors
Sounds like more than just a Red Hat problem.
By the way, my web server logs match yours pretty well. I take security pretty seriously, so I keep an eye on my web server. I keep my port monitor running continuously, so I can see if someone is connected that should not be, or if I am suddenly sending large amounts of data unexpectedly.
Not quite. The answering machine will get the message once it finishes saying its piece. :)
Unfortunately for some people an operating system is like a religion. That is why we have so many OS Holy Wars threads on FR.
I have installeed RedHat 7.1 (to use nmap on my network) but never really could get into the hang of it. I am going to load 7.2 soon and give it another try. Probably end up taking a class on it sometime as well.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.