MANY LINUX USERS FACE EXPLOIT WITH NO PATCH
A widespread vulnerability affecting all versions of wu-FTPD was worsened
when one vendor mistakenly released information on the flaw early, leaving
other Linux companies scrambling to release a fix.
Core ST, the group that discovered the flaw, was working with Linux
vendors and the wu-FTP open-source group to release a fix simultaneously.
Unfortunately, a mistake by a Red Hat administrator caused Red Hat's patch
and advisory to be released early--nearly a week ahead of the approved
time.
"We were releasing some advisories on the same day, and an overzealous
administrator pushed this out as well," Mark Cox, senior engineering
director for Red Hat, said in a published report. "The company is adding
new safeguards to its publishing system to avoid similar problems in the
future. This will not happen again. It was a bad mistake."
According to security experts, the sudden release provides savvy hackers
with a roadmap to target unpatched products while vendors continue to test
their fixes.
"The early release caught software makers in the middle of the testing
process," Ivan Arce, chief technology officer for Core ST, said in
published reports. "They had to scramble to get their fixes ready and
tested for all the vulnerable distributions. Some vendors have up to 25
different distributions that are vulnerable and as you can imagine
regression testing for all of them is not quick."
The wu-FTPD Globbing Heap Corruption Vulnerability affects most major
Linux distributions, including Red Hat, SuSE, Conectiva, Caldera
International, Turbolinux, Cobalt Networks, WireX and MandrakeSoft
products.
The flaw is a heap corruption in wu-FTPD's file-name globbing code (see
the CERT advisory CA-2001-33 linked below). An attacker who can reach the
FTP service and complete a login can trigger it to execute arbitrary code
with the privileges of the FTP daemon, typically root, and so read or
modify any file on the server. Exploitation therefore requires either
anonymous access, which is enabled by default on some systems, or valid
credentials for the service.
"It would not surprise me to see someone building a worm around this
hole," says Steve Bellovin, a researcher at AT&T Labs. "But I don't think
this is critical. The 'Net as a whole has survived flaws in much more
important software, such as IIS."
According to the SecurityFocus Web site, "We are expecting to see an
increase in the frequency of this new attack, as attackers are
successfully exploiting this vulnerability. The ARIS Incident Analyst team
is aware of an exploit for this vulnerability that is targeting Linux
platforms. This exploit is currently in limited distribution within the
hacking community. It is recommended that affected sites take immediate
action to limit their exposure to this vulnerability."
The National Infrastructure Protection Center recommends users disable
FTP, which normally runs on TCP port 21. Sites that require FTP should
restrict anonymous access.
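The two mitigations above translate into two files on a wu-FTPD host: the ftpaccess `class` directives, which decide who may log in (wu-FTPD refuses any connection that matches no class, so removing the `anonymous` type from every class denies anonymous logins), and the xinetd service file, which can disable the daemon outright. The following is an added example, not part of the Security Digest article or the wu-FTPD project; the sample ftpaccess and xinetd contents are constructed, and the paths /etc/ftpaccess and /etc/xinetd.d/wu-ftpd are the conventional locations, assumed here rather than taken from the article.

```shell
#!/bin/sh
# Audit and harden wu-FTPD access controls (added example; sample data constructed).

# Write a constructed, Red Hat-style ftpaccess with anonymous logins permitted.
write_sample_ftpaccess() {
    cat > "$1" <<'EOF'
# constructed sample ftpaccess, not taken from any real host
class   all    real,guest,anonymous  *
class   local  real                  *.example.com
email   root@localhost
loginfails 5
EOF
}

# Write a constructed xinetd service file for wu-ftpd (service still enabled).
write_sample_xinetd() {
    cat > "$1" <<'EOF'
# constructed sample /etc/xinetd.d/wu-ftpd
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        disable         = no
}
EOF
}

# Print "yes" if any "class <name> <typelist> <addrglob>..." directive in the
# ftpaccess file $1 includes the anonymous login type, otherwise "no".
anonymous_allowed() {
    if awk '$1 == "class" {
                n = split($3, t, ",")
                for (i = 1; i <= n; i++) if (t[i] == "anonymous") found = 1
            }
            END { exit !found }' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Remove the anonymous type from every class typelist in $1, rewriting the
# file in place. A class left with no types is commented out rather than kept
# as a syntactically invalid line.
restrict_anonymous() {
    awk '$1 == "class" {
             n = split($3, t, ","); out = ""
             for (i = 1; i <= n; i++)
                 if (t[i] != "anonymous") out = out (out == "" ? "" : ",") t[i]
             if (out == "") { print "# " $0 "   (anonymous-only class disabled)"; next }
             $3 = out
         }
         { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print "yes" if the xinetd service file $1 has "disable = yes", else "no".
xinetd_disabled() {
    awk -F= '$1 ~ /^[ \t]*disable[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "yes") ? "yes" : "no" }' "$1"
}

# Set "disable = yes" in the xinetd service file $1 (xinetd must be
# reloaded afterwards, e.g. with "service xinetd reload", for it to apply).
disable_xinetd_service() {
    sed 's/^\([ \t]*disable[ \t]*=[ \t]*\)no[ \t]*$/\1yes/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Demonstration on the constructed samples in a scratch directory.
tmp=$(mktemp -d)
write_sample_ftpaccess "$tmp/ftpaccess"
write_sample_xinetd "$tmp/wu-ftpd"
echo "before: anonymous allowed = $(anonymous_allowed "$tmp/ftpaccess"), xinetd disabled = $(xinetd_disabled "$tmp/wu-ftpd")"
restrict_anonymous "$tmp/ftpaccess"
disable_xinetd_service "$tmp/wu-ftpd"
echo "after:  anonymous allowed = $(anonymous_allowed "$tmp/ftpaccess"), xinetd disabled = $(xinetd_disabled "$tmp/wu-ftpd")"
cat "$tmp/ftpaccess"
rm -rf "$tmp"
```

On a real host, point `anonymous_allowed` and `restrict_anonymous` at /etc/ftpaccess and the xinetd functions at /etc/xinetd.d/wu-ftpd, keep a backup of both files, and reload xinetd. Restricting anonymous access only narrows the attack to authenticated users; it does not remove the heap corruption, so the vendor patch is still required once it is available.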
http://www.nipc.gov/warnings/advisories/2001/01-027.htm
http://www.wu-ftpd.org
http://www.corest.com/pressroom/advisories_desplegado.php?dxsection=10&idx=17
http://www.cert.org/advisories/CA-2001-33.html
News From Security Digest..
Cheers!