Feeds

Red Hat pre-releases major Linux bug details

Doh! Other vendors caught unprepared

  • alert
  • submit to reddit

High performance access to file storage

On the surface, it was just another turn of the endless cycle of software release, hole discovery, and patching: operating system vendor Red Hat issued an advisory Tuesday warning the world about a serious security hole in a file transfer program that comes with Linux, and urged customers to download a patch.

There was just one problem: Red Hat's advisory jumped the gun on what was intended to be a simultaneous multi-vendor release, carefully coordinated by the government-funded Computer Emergency Response Team (CERT), and scheduled for 3 December. Caught off guard, other Linux vendors were rushing Wednesday to finalize their own patches for the hole-- a memory-allocation bug in the ubiquitous Washington University WU-FTPd program.

"The vendors agreed on releasing the information about the flaw... on December 3rd," wrote Roman Drahtmüller, of Linux vendor SuSE, in an email interview. "This timeline was set up for vendors to build and test their packages, which can be a very time-consuming process... If this timeline is broken, distributors... run into a difficult situation, since their users can't download the update packages."

The hole is the result of a programming error in the portion of WU-FTPd that processes file names containing special characters. BindView's Matt Power discovered in April that the server would crash if presented with the file name '~{', but the program's maintainers believed the bug could not be exploited.

Then researchers at Argentina-based Core Security Technologies discovered the bug themselves in November, and proved that careful manipulation of the bug yields remote root access to vulnerable systems.

To exploit the bug, attackers must first log in to a host's FTP server. But on many systems, limited anonymous FTP access is enabled by default.

The hole affects thousands of users of virtually every Linux release. Because of the wide implications, Core, working with CERT, and, at one point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other Linux vendors, so that patches would be available for every distribution simultaneously. December 3rd was picked for the release.

That plan went out the window Tuesday, when Red Hat unilaterally issued its own advisory.

"Everybody else, they look like jerks, and they have to scramble to get fixes," said an irate Ivan Arce, CTO of Core Security Technologies. "The only fixes now out publicly are Red Hat's."

Red Hat apologized to other vendors Tuesday night.

"It was a big mistake," says Mark Cox, Red Hat's senior director of engineering. "The package was ready to go live, and we were holding off until the date this was going to hit." Instead, a Red Hat administrator accidentally swept up the advisory with other, unrelated updates sent out Tuesday.

The company has changed its release process to store a 'not-before date' with its pending releases, says Cox. "It's not going to be possible to release something before that date, so we make sure this doesn't happen again. It's not a very good thing."

Despite the snafu, Cox says coordinated releases have worked well for the Linux community in the past. "I don't think it shows any sort of inherent problems in that process."

The FBI's National Infrastructure Protection Center (NIPC) issued an advisory on the hole Wednesday afternoon, and warned that attacks may already be underway. "It is believed that an exploit, leveraging this vulnerability for Linux systems, is already circulating in the hacker community," reads the advisory.

© 2001 SecurityFocus.com, all rights reserved.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.