
Servers Left Vulnerable By Early Patch Release

by Majik on November 29th, 2001

A coordinated effort by multiple vendors to plug a security hole in software found on many Internet servers went off the rails this week when one of the vendors, open-source Linux bundler Red Hat, released information on its fix ahead of schedule.

Red Hat's Mark Cox, senior director of engineering, told Newsbytes that his company has been apologizing to other vendors who were caught off guard by the early release of a patch for a file transfer protocol (FTP) server called Wu-Ftpd - a well-known workhorse behind many online software repositories and the file-transfer doorway to numerous Web sites.

The problem with Red Hat's early release Tuesday, security experts said, was that a close examination of the source-code patch affords savvy hackers a roadmap to the FTP server's vulnerability, which happens to be one that could allow a malicious individual unfettered access to the Linux-based systems on which it usually runs.

Oliver Friedrichs, director of engineering at Security Focus, said that a mitigating factor with the current Wu-Ftpd vulnerability is that a hacker would have to be logged in as a valid FTP user in order to exploit the problem.

On the other hand, many sites - such as software archives - include an "anonymous" user account open to all as a way to permit public access without pre-arranged passwords.

Friedrichs said Wu-Ftpd administrators who don't yet have access to a patched version of the software are encouraged to disable anonymous access and ensure that all other users are trusted individuals.

At the heart of the problem being called the "Wu-Ftpd file globbing heap corruption vulnerability" is an error in the way the software manages memory used to store a list of files a user might queue for transfer using keyboard shortcuts such as the '*' wildcard character.

A bulletin published today by San Mateo, Calif.-based Security Focus in the wake of Red Hat's early release says that a hacker, injecting executable code into an area of memory that Wu-Ftpd calculates it has stored a valid file list, could trick the system into launching the rogue commands.
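The two paragraphs above describe the class of flaw: the server mishandles the memory that holds the list of names produced by expanding a wildcard such as '*'. The following is an added example, not Wu-Ftpd's code and not a reproduction of the bug reported here; it shows the defensive pattern a server should follow when building such a list. Every append is checked against an explicitly tracked capacity, the list grows with realloc, and allocation failures leave the structure consistent. The directory listing and the expand_pattern helper are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <assert.h>
#include <fnmatch.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A growable list of file names. Capacity and count are tracked
 * explicitly so every append is bounds-checked; the list never trusts
 * a size computed somewhere else. */
typedef struct {
    char **names;
    size_t count;
    size_t capacity;
} name_list;

static int name_list_init(name_list *l) {
    l->capacity = 4;
    l->count = 0;
    l->names = calloc(l->capacity, sizeof *l->names);
    return l->names ? 0 : -1;
}

/* Append a copy of name, growing the array when full. Returns 0 on
 * success, -1 on allocation failure (the list stays usable). */
static int name_list_push(name_list *l, const char *name) {
    if (l->count == l->capacity) {
        /* Guard the multiplication so capacity cannot wrap around. */
        if (l->capacity > SIZE_MAX / 2 / sizeof *l->names) return -1;
        size_t new_cap = l->capacity * 2;
        char **grown = realloc(l->names, new_cap * sizeof *grown);
        if (!grown) return -1;
        l->names = grown;
        l->capacity = new_cap;
    }
    char *copy = strdup(name);
    if (!copy) return -1;
    l->names[l->count++] = copy;
    return 0;
}

static void name_list_free(name_list *l) {
    for (size_t i = 0; i < l->count; i++) free(l->names[i]);
    free(l->names);
    l->names = NULL;
    l->count = l->capacity = 0;
}

/* Constructed directory listing standing in for a software archive;
 * no filesystem access is performed. */
static const char *const sample_dir[] = {
    "README", "pkg-1.0.tar.gz", "pkg-1.1.tar.gz", "pkg-2.0.tar.gz",
    "CHECKSUMS", "old.tar.gz", NULL
};

/* Expand a wildcard pattern against sample_dir using POSIX fnmatch().
 * Returns the number of matches placed in out, or -1 on error. */
static long expand_pattern(const char *pattern, name_list *out) {
    if (name_list_init(out) != 0) return -1;
    for (size_t i = 0; sample_dir[i]; i++) {
        if (fnmatch(pattern, sample_dir[i], 0) == 0 &&
            name_list_push(out, sample_dir[i]) != 0) {
            name_list_free(out);
            return -1;
        }
    }
    return (long)out->count;
}

int main(void) {
    name_list l;
    long n = expand_pattern("*.tar.gz", &l);
    printf("%ld match(es) for *.tar.gz\n", n);
    for (size_t i = 0; i < l.count; i++) printf("  %s\n", l.names[i]);
    name_list_free(&l);
    return 0;
}
```

The point of the pattern is that the number of entries the list can hold and the number it actually holds live in the same structure and are updated together; a caller cannot write past the end regardless of how many names a pattern happens to match.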

Friedrichs told Newsbytes the word is out that software to automate the exploitation of the Wu-Ftpd vulnerability is already being shared in some hacker groups.

Red Hat's Cox said his company had been working with other vendors on a coordinated response to the problem, which Security Focus itself had hinted about last week (without giving details) in a heads-up message to companies who might ship Wu-Ftpd with their own software.

Cox said the Red Hat patch and an accompanying terse advisory were queued to be released in concert with those of other vendors when a glitch caused the information to be published along with a batch of fixes for other software components.

Security Focus said the issue affects the FTP server bundled with such popular Linux packages as those from Conectiva, Caldera, MandrakeSoft, TurboLinux, Debian Linux, and S.u.S.E.

Wu-Ftpd, BSD-based software, which takes part of its name from its Washington University roots, has its own distribution site, but a fix for the newly discovered vulnerability had yet to be posted there late this afternoon.

By Steven Bonisteel, Newsbytes
