Linux admins: Flaw warning



After Core Security Technologies notified Linux vendors of a serious security vulnerability in WU-FTP, a common Linux FTP server, the vendors began coordinating with CERT to provide patches for the problem.

These patches were to be released at the same time as the vulnerability was made public.

However, an inadvertent announcement by Red Hat made the information on this vulnerability available to the public before all of the vendors had readied their patches, causing the other Linux vendors to scramble a bit.

Red Hat has apologised for the mistake and vowed not to let it happen again. If you have not already patched your Linux systems running WU-FTP, you should go to CERT Advisory CA-2001-33 (www.cert.org/advisories/CA-2001-33.html) and download and install the patch for your Linux system(s).

Threat level: high to extreme

Core Security Technologies discovered that Washington University's WU-FTP suffers from a vulnerability in the wu-ftpd daemon because it does not correctly handle file-name globbing (wildcard expansion) in client commands.

Further, it found that all versions of wu-ftpd up to and including 2.6.1 are vulnerable to this problem. This includes the default version of WU-FTP that ships on nearly every major Linux distribution.

The threat is particularly serious because the vulnerability gives any FTP session the ability to access any files on the server. Since most FTP servers allow anonymous logins, most servers are exposed to anyone on the Internet.

Mitigating factors

Administrators who have removed the anonymous FTP user account are still vulnerable to this problem, but attackers will need a valid user account name and password to establish an FTP session and mount an attack.

If wu-ftpd does not have root privileges on a system, the potential damage will be limited to whatever privileges it is granted on that server.

A quick and dirty fix for many systems is to simply turn off the wu-ftpd daemon and/or block TCP port 21 on the firewall.
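The threat level and mitigating factors above reduce to three questions an administrator can answer for each host: is the installed version in the affected range, are anonymous logins permitted, and does the daemon run as root. The script below is an added example, not code from the article or the wu-ftpd project; it assumes the standard ftpaccess `class <name> <typelist> <addrglob>` syntax, takes the version string, ftpaccess path and privilege state as explicit arguments rather than probing a live host, and uses a constructed ftpaccess sample so it runs offline.

```sh
#!/bin/sh
# Added example, not part of the article: a triage helper that applies the
# exposure factors above (affected version, anonymous logins, root privileges)
# to explicit inputs so it runs offline. The ftpaccess sample is constructed.

# Returns 0 (true) when VERSION is in the affected range the article gives:
# every release up to and including 2.6.1, plus the 2.7.0 beta, which has no
# patch and must be reverted to a patched 2.6.1. Assumes plain "a.b.c" strings.
wuftpd_affected() {
    ver=$1
    if [ "$ver" = "2.7.0" ]; then return 0; fi
    oldIFS=$IFS; IFS=.; set -- $ver; IFS=$oldIFS
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # (major, minor, patch) <= (2, 6, 1), compared numerically field by field
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 1 ]; then return 0; fi
    return 1
}

# Returns 0 when ftpaccess file FILE defines a class whose type list contains
# "anonymous" (syntax: "class <name> <typelist> <addrglob>"), i.e. anonymous
# logins are permitted. Comment lines starting with '#' do not match.
anon_enabled() {
    grep -E '^[[:space:]]*class[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*anonymous' "$1" >/dev/null
}

# Prints a rating for: VERSION FILE RUNS_AS_ROOT(yes|no). The labels are this
# example's reading of the article: anonymous access exposes the host to anyone
# on the Internet, and root privileges remove any limit on the damage.
triage() {
    if ! wuftpd_affected "$1"; then echo "not-affected"; return; fi
    anon=no; if anon_enabled "$2"; then anon=yes; fi
    if [ "$anon" = yes ] && [ "$3" = yes ]; then echo "extreme"
    elif [ "$anon" = yes ] || [ "$3" = yes ]; then echo "high"
    else echo "limited"; fi
}

# Constructed sample ftpaccess with anonymous logins enabled (not a real host's).
SAMPLE_FTPACCESS=$(mktemp)
cat >"$SAMPLE_FTPACCESS" <<'EOF'
# class definitions
class   all   real,guest,anonymous   *
limit   all   10   Any   /etc/msgs/msg.dead
EOF

triage 2.6.1 "$SAMPLE_FTPACCESS" yes   # prints: extreme
```

On a real host the version comes from the vendor package (or `ftpd -V` where the build supports it) and the ftpaccess path is usually /etc/ftpaccess; a "not-affected" result still assumes the version string reflects an applied vendor patch.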

Fix

A specific wu-ftpd 2.6.1 patch (http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html) is available from Neohapsis Archives, and some vendors have released a beta version of wu-ftpd (usually labelled 2.7.0).

The developer of wu-ftpd advises that those running this beta version immediately revert their systems to version 2.6.1 and apply the necessary patch to that version.

No patch has been released for 2.7.0, and wu-ftpd.org has announced that it will skip that release number to avoid any confusion.

Ultimately, multiple Linux and UNIX versions are vulnerable to this problem. The best resource to see which distributions and versions are vulnerable and to locate individual patches and updated information is the CERT Vulnerability Note #886083 (www.kb.cert.org/vuls/id/886083) or individual vendor sites.

One word of warning: When you search for more information on this vulnerability, it's important to know that a Trojan horse masquerading as a patch to wu-ftpd 2.6.1 was recently posted to the Vuln-Dev mailing list.

This is not a legitimate patch, and it will damage your files if applied. A full report is available at Newsbytes (www.newsbytes.com/news/01/170392.html).


Talkback (1 comment)

Anonymous -- 24/02/02:

    That is what I like about open source, that things get fixed as soon as a flaw is identified.

    Microsoft would just keep quiet about it and leave their customers knowingly open to attack.
