On Tue, 25 Apr 2000, Ivan Miranda wrote:
This flaw is not Linux-wide, only RH and their Piranha product as installed by 6.2.
> - Linux Security Flaw Detailed
>
> Internet Security Systems Inc. is warning Linux users of a back-door
> security flaw that carries ISS's highest danger rating. The
> company's vulnerability-assessment team, or "X-Force," as it is
> known, says a back-door vulnerability exists for any user running
> a full version of Red Hat Linux Piranha, which contains Linux
> Virtual Server software, a Web-based graphical user interface, as
> well as monitoring and failover applications. ISS and Red Hat Inc.
> are providing a fix for the problem.
>
> According to ISS, an undocumented back-door password exists in the
> GUI portion of Piranha that may allow remote users to execute
> commands on the server from a remote location and may provide
> access to other systems. This security flaw has been given a "5"
> rating, on a scale from 1 to 5, because of the flaw's inherent
> ability to provide damaging access to attackers. The flaw is
> present in version 0.4.12 of the Piranha GUI, which is part of the
> latest Red Hat Linux 6.2 distribution. Early versions of Red Hat
> are not vulnerable.
>
> A security breach is possible even if Linux Virtual Server is not
> used on the system. The system is vulnerable if the affected
> Piranha-GUI package is installed and the administrator has not
> changed the password. Chris Rouland, director of X-Force for ISS
> in Atlanta, does not believe that the back door was installed with
> malicious intent, but the vulnerability does reinvigorate the
> debate between open-source and closed-source software.
>
> "I think it was just an engineering mistake," says Rouland. Open-source
> software doesn't have "an engineering organization whose
> role or job it is to provide quality assurance to commercial
> software. The upside of open source is that everyone can see it,
> so if there are glaring holes, you have peer review." Red Hat has
> provided updated Piranha, Piranha-doc, and Piranha-GUI packages
> 0.4.13-1, and recommends that administrators be sure that a new
> password is installed following the installation.
>
--
#########################
Sathya Rangaswamy
[EMAIL PROTECTED]
Life is free and so is Linux
#######################
-----------------------------------------------------------------------
The LIH mailing list archives are available at:
http://lists.linux-india.org/cgi-bin/wilma/linux-india-help