A vulnerability in wuFTP, the most widely used FTP server program for Linux, has left numerous sites open to online attackers. The situation was worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies (SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks and MandrakeSoft, to name but a few) scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Because most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Ivan Arce, chief technology officer for Core ST (the group that discovered the flaw), said that the early release by Red Hat has hurt security. "The early release caught (software makers) in the middle of the testing process," he said. "They had to scramble to get their fixes ready and tested for all the vulnerable distributions. Some vendors have up to 25 different distributions that are vulnerable and as you can imagine regression testing for all of them is not quick."
News source: CNet News
View: Security Focus Security Alert: Wu-Ftpd File Globbing Heap Corruption Vulnerability