Hey Tina, Rob (all others, too!) ... have a field day with this one
:-)
Read the enclosure then come back and read the cited references. I
think you'll find the forwarded email very enlightening.
googling for wu-ftp, CERT, NIPC, Core and Bindview Corporation
reveals:
http://www.wu-ftpd.org/
http://www.cert.org/advisories/CA-2001-33.html
http://www.nipc.gov/
http://www.core-sdi.com/pressroom/pop_nota.php?idx=172
http://www.bindview.com/
Pay close attention to dates. It took 6 months to find the actual
exploit; 2 weeks to fix it. Code Red got rolling in March. The "iffy"
code in wu-ftp was spotted 2 months later. Nov. 14 it was developed
into a full tilt exploit. Nov. 28 a distribution specific upgrade
became available from RedHat. By Dec. 3 (not quite 3 weeks) all major
distros had patched upgrades available. Meanwhile, I still get hit
with over 1,400 Nimda attempts a day. And the Gartner Group has
advised corporations to pull IIS as being not worth fixing and a risk
to the continuation of business. If you read between the lines, I
think you will agree somebody wanted these exploits exposed. Core
appears to have released the exploit code the same day it announced
the vulnerability.
Question how many copies of wu-ftp are still in use. Question the
reference to Grannie ... and whether I would be getting hit 1,400
times a day if she could apply a MSFT service pack. The difference
is, any Linux Grannie running an FTP server knows it. Most Windows
people have no idea what is actually running on their machines.
Wu-ftp ships with a lot of distributions. It is not enabled by
default in any of them that I know of. AFAIK, ProFTP is generally the
favored form of FTP for those running Linux-based FTP servers. To get
a real feel for the threat to the public from breached wu-ftp
servers, consider that all five of these conditions must be true. 1)
Must be exposed to the internet --> 2) must run Linux --> 3) must run
an FTP server --> 4) must have chosen wu-ftp --> 5) has not applied a
single package upgrade.
Think hard about the wet-noodle line. Isn't the customary MSFT
defense to whine that it is made a target because it has so many
copies installed? Linux didn't cop that plea ... Linux fixed the
problem.
So nearly as I can tell, the "patches are imminent" line is a
definite and verifiable falsehood. The patches were available two
days before the email was sent. If the original author of the email
was as well versed in the matter as he presented himself as being, he
could be reasonably expected to know he was lying.
Bill
---------- Forwarded Message ----------
Subject: [MDLUG] From you friendly Microsoft rep
Date: Wed, 05 Dec 2001 10:24:55 EST
From: Ray Hernandez <hernan43@msu.edu>
To: mdlug@radiusnet.net
This was a warning sent out by my company's Microsoft rep:
Just in case you know someone running Linux...
FBI Warns: Turn Off Your Linux FTP Servers
The FBI, following the premature, accidental disclosure of a massive
security hole by Red Hat, has issued an alert advising all web sites
running Linux- based FTP servers to shut down immediately - or at a
minimum disable anonymous guest login and strictly enforce password
security.
The security problem is believed to affect most FTP servers in the
world. Patches are imminent - and some may be available by the time
this story is read. Anyone who doesn't patch risks the consequences.
The hole isn't in Linux itself, but in the wu-FTPd program, written
at Washington University, that ships with the most copies of Linux.
Some folks describe wu-FTPd as "ubiquitous."
The flaw, known by the unlovely name "wu-FTP Globbing Heap Corruption
Vulnerability," lets a hacker who knows how access every single file
on the server.
Those tricks were unknown until Red Hat accidentally revealed the
problem on Tuesday by issuing an alert and saying it had a fix - for
Red Hat Linux only. Once hackers knew the hole existed it was
apparently simple to write an "exploit" to take advantage of it.
"It is believed that an exploit, leveraging this vulnerability for
Linux system, is already circulating in the hacker community," the
FBI's National Infrastructure Protection Center warned Wednesday.
The emergency problem was created when Red Hat accidentally violated
an understanding, coordinated by the US government-funded Computer
Emergency Response Team (CERT), under which the major Linux vendors
agreed not to reveal the problem until December 3.
By then a patch was supposed to be ready for all affected Linux
distributions, a list that includes Caldera, Sun/Cobalt, Connectiva,
MandrakeSoft, TurboLinux, Wirex, Debian and SuSE in addition to Red
Hat. The list of which versions of each distribution are affected is
pages long.
A red-faced Red Hat admitted it goofed. It said it finished work on
its own fix early. The security alert was written and wasn't
supposed to go out until December 3, but slipped out along with some
other unrelated software updates. The problem was that there was no
patch ready for anyone else's distribution. Hmmm.
Red Hat apologized to the industry and said that it's changing its
release process to prevent such a thing from happening again, but
the damage was done.
According to the FBI, the security problem was actually discovered
more than six months ago by Bindview. Nobody in the Linux community
did anything about it for all that time based on a belief, proven
erroneous on November 14 by Core Security Technologies, that the
vulnerability could not be exploited.
Linux security folks began patching Globbing Heap but, according to
some reports, they were working at a leisurely pace, figuring they
had until December 3 to finish. After all, why bolt down a few gulps
of Thanksgiving turkey and ruin the holiday weekend by rushing back
to work.
If such a tale had been told about a Windows security vulnerability,
Microsoft would have been publicly hung by the thumbs and flogged
with a wet noodle until it cried for mercy.
That's not to say that Microsoft hasn't faced equally horrendous
security problems, Nimda and Code Red just to name the most recent
headline grabbers.
This problem may, though, be even greater in scale because there are
believed to be far more Linux-powered ftp sites on the Internet than
Windows-powered sites. Nobody has an accurate count.
According to the FBI the greatest danger is to web sites that let
anyone access the files in a given directory on their server - the
so-called anonymous or guest login. The practice of letting guests
log-in is widespread. Anyone who's ever downloaded a piece of free
software, a free music file or even a text file has probably used
such a login, even if they didn't realize they were doing it.
The vulnerability also exists on sites that are password protected.
Anyone with a legitimate password providing access to even a single
directory can apparently misuse the right and penetrate a server
down to the root.
At press time, the wu-FTP group had posted what appears to be a
patch, though it's not clear that it works with all Linux
distributions. The patch was said to protect only wu-FTP 2.6.1.
Users of earlier versions have to upgrade and then apply several
patches.
This isn't, by the way, a job for grandma. The patch is raw source
code. When the various distributions release finished patches they
should be usable by normal human beings, or as close to normal as
anyone who's in charge of a web server ever gets.
There's also another problem.
The Washington University crew warns that some pre-released Linux
distributions include the beta version of a new cut of wu-FTP. The
beta of the new version, currently identified as version 2.7 but
scheduled for eventual release as version 2.8, is vulnerable. The
patch won't fix it. - SZ
-------------------------------------------------------
--
total used free shared buffers cached
Mem: 1545352 1463748 81604 0 311936 794256
Swap: 401584 12 401572
Total: 1946936 1463760 483176
Linux a.genesis.com 2.4.14 #3 Fri Nov 9 23:14:31 EST 2001 K7 750MHz
1:56am up 5 days, 2 min, 5 users, load average: 0.03, 0.08, 0.07
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:02:16 EDT