Here's an email that was forwarded to me, originally from a Microsoft
employee to his customers.  The FUD factor is off the scale!

<snip>

>   -----Original Message-----
>   Sent: Monday, December 03, 2001 7:42 PM
>   Subject: FBI Warns: Turn Off Your Linux FTP Servers
>   Just in case you know someone running Linux...
>
>   FBI Warns: Turn Off Your Linux FTP Servers
>
>   The FBI, following the premature, accidental disclosure of a massive
>   security hole by Red Hat, has issued an alert advising all web sites
>   running Linux-based FTP servers to shut down immediately - or at a
>   minimum disable anonymous guest login and strictly enforce password
>   security. The security problem is believed to affect most FTP servers
>   in the world. Patches are imminent - and some may be available by the
>   time this story is read. Anyone who doesn't patch risks the
>   consequences.
>
>   The hole isn't in Linux itself, but in the wu-FTPd program, written at
>   Washington University, that ships with the most copies of Linux. Some
>   folks describe wu-FTPd as "ubiquitous." The flaw, known by the
>   unlovely name "wu-FTP Globbing Heap Corruption Vulnerability," lets a
>   hacker who knows how access every single file on the server. Those
>   tricks were unknown until Red Hat accidentally revealed the problem on
>   Tuesday by issuing an alert and saying it had a fix - for Red Hat
>   Linux only. Once hackers knew the hole existed it was apparently
>   simple to write an "exploit" to take advantage of it. "It is believed
>   that an exploit, leveraging this vulnerability for Linux system, is
>   already circulating in the hacker community," the FBI's National
>   Infrastructure Protection Center warned Wednesday.
>
>   The emergency problem was created when Red Hat accidentally violated
>   an understanding, coordinated by the US government-funded Computer
>   Emergency Response Team (CERT), under which the major Linux vendors
>   agreed not to reveal the problem until December 3. By then a patch was
>   supposed to be ready for all affected Linux distributions, a list that
>   includes Caldera, Sun/Cobalt, Conectiva, MandrakeSoft, TurboLinux,
>   Wirex, Debian and SuSE in addition to Red Hat. The list of which
>   versions of each distribution are affected is pages long.
>
>   A red-faced Red Hat admitted it goofed. It said it finished work on
>   its own fix early. The security alert was written and wasn't supposed
>   to go out until December 3, but slipped out along with some other
>   unrelated software updates. The problem was that there was no patch
>   ready for anyone else's distribution. Hmmm. Red Hat apologized to the
>   industry and said that it's changing its release process to prevent
>   such a thing from happening again, but the damage was done.
>
>   According to the FBI, the security problem was actually discovered
>   more than six months ago by Bindview. Nobody in the Linux community
>   did anything about it for all that time based on a belief, proven
>   erroneous on November 14 by Core Security Technologies, that the
>   vulnerability could not be exploited. Linux security folks began
>   patching Globbing Heap but, according to some reports, they were
>   working at a leisurely pace, figuring they had until December 3 to
>   finish. After all, why bolt down a few gulps of Thanksgiving turkey
>   and ruin the holiday weekend by rushing back to work.
>
>   If such a tale had been told about a Windows security vulnerability,
>   Microsoft would have been publicly hung by the thumbs and flogged with
>   a wet noodle until it cried for mercy. That's not to say that
>   Microsoft hasn't faced equally horrendous security problems, Nimda and
>   Code Red just to name the most recent headline grabbers. This problem
>   may, though, be even greater in scale because there are believed to be
>   far more Linux-powered ftp sites on the Internet than Windows-powered
>   sites. Nobody has an accurate count.
>
>   According to the FBI the greatest danger is to web sites that let
>   anyone access the files in a given directory on their server - the
>   so-called anonymous or guest login. The practice of letting guests
>   log-in is widespread. Anyone who's ever downloaded a piece of free
>   software, a free music file or even a text file has probably used such
>   a login, even if they didn't realize they were doing it. The
>   vulnerability also exists on sites that are password protected. Anyone
>   with a legitimate password providing access to even a single directory
>   can apparently misuse the right and penetrate a server down to the
>   root.
>
>   At press time, the wu-FTP group had posted what appears to be a patch,
>   though it's not clear that it works with all Linux distributions. The
>   patch was said to protect only wu-FTP 2.6.1. Users of earlier versions
>   have to upgrade and then apply several patches. This isn't, by the
>   way, a job for grandma. The patch is raw source code. When the various
>   distributions release finished patches they should be usable by normal
>   human beings, or as close to normal as anyone who's in charge of a web
>   server ever gets.
>
>   There's also another problem. The Washington University crew warns
>   that some pre-released Linux distributions include the beta version of
>   a new cut of wu-FTP. The beta of the new version, currently identified
>   as version 2.7 but scheduled for eventual release as version 2.8, is
>   vulnerable. The patch won't fix it.
>
>   - SZ
>
>   Know that you have friends at Microsoft Federal...
>
>   Randy Schmidt, MCP2000
>   Air Force & DoD Agencies
>   757-303-7705
>
>       <<Randy Schmidt ([EMAIL PROTECTED]).vcf>>
> Tomas L. Byrnes
> ByrneIT
> Strategic Internet Analysis and Consulting
> E-Business, Multimedia, and Convergence
> Evaluation, Planning, and Implementation
> VOX 760.635.3999
> FAX 760.635.9394
> PCS 760.402.3999
> [EMAIL PROTECTED]
>

<snip>
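For anyone who wants to act on the two concrete points in that article (disable anonymous login until patched; 2.6.1 takes the patch, older versions need an upgrade first, the 2.7 beta is vulnerable and the patch won't fix it), here is a small audit script I put together. It is my own added example, not part of the forwarded message and not wu-ftpd's own code. It assumes the usual wu-ftpd `/etc/ftpaccess` `class <name> <real,guest,anonymous> <addrglob...>` syntax and a greeting banner containing `wu-X.Y.Z`; the ftpaccess contents and banners below are constructed samples.

```python
"""Audit a wu-ftpd ftpaccess file for anonymous access and classify a
server banner against the patch/upgrade advice in the forwarded article.

Assumptions (not taken from the message): ftpaccess 'class' lines have the
form 'class <name> <typelist> <addrglob> ...' where typelist is a
comma-separated subset of real,guest,anonymous; the banner carries the
version as 'wu-<major>.<minor>[.<patch>]'."""
import re

# Constructed sample ftpaccess, not a real server's configuration.
SAMPLE_FTPACCESS = """\
# access classes
class   all    real,guest,anonymous  *
class   local  real                  10.0.0.0/8
class   mirror anonymous             192.0.2.0/24 198.51.100.0/24
"""

_VERSION_RE = re.compile(r"wu-(\d+)\.(\d+)(?:\.(\d+))?")


def parse_classes(text):
    """Return [(name, {types}, [addrglobs])] for every 'class' directive."""
    classes = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = code.split()
        if len(parts) >= 3 and parts[0] == "class":
            classes.append((parts[1], set(parts[2].split(",")), parts[3:]))
    return classes


def anonymous_classes(text):
    """Names of classes that admit anonymous logins (the FBI's main concern)."""
    return [name for name, types, _ in parse_classes(text) if "anonymous" in types]


def harden(text):
    """Return a copy of the file with 'anonymous' dropped from every class.

    A class that permitted only anonymous logins is commented out rather
    than left with an empty typelist.  Non-class lines are kept verbatim."""
    out = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        parts = code.split()
        if len(parts) >= 3 and parts[0] == "class":
            types = [t for t in parts[2].split(",") if t != "anonymous"]
            if types:
                out.append(" ".join([parts[0], parts[1], ",".join(types)] + parts[3:]))
            else:
                out.append("# disabled (anonymous-only class): " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def classify_version(banner):
    """Map a wu-ftpd banner onto the article's advice.

    'patch'           - 2.6.1: apply the wu-ftpd patch
    'upgrade'         - older than 2.6.1: upgrade to 2.6.1, then patch
    'beta-vulnerable' - 2.7 beta: vulnerable and the patch will not fix it
    'unknown'         - not a recognisable wu-ftpd banner"""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) == (2, 7):
        return "beta-vulnerable"
    if (major, minor, patch) < (2, 6, 1):
        return "upgrade"
    if (major, minor, patch) == (2, 6, 1):
        return "patch"
    return "unknown"


if __name__ == "__main__":
    print("classes allowing anonymous:", anonymous_classes(SAMPLE_FTPACCESS))
    print(harden(SAMPLE_FTPACCESS))
    for b in ("220 ftp FTP server (Version wu-2.6.1-16) ready.",
              "220 ftp FTP server (Version wu-2.6.0(1)) ready.",
              "220 ftp FTP server (Version wu-2.7.0(1)) ready."):
        print(b, "->", classify_version(b))
```

Run it against a copy of the real `/etc/ftpaccess` and the banner your server prints on connect; anything in `anonymous_classes` is what the alert tells you to switch off until the distribution's finished patch arrives.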



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
