SuSE Security Announcement: wuftpd (SuSE-SA:2001:043)
This should serve as a warning to all those running wuftpd: DON'T. I was always amazed to see people on this list talking about how to configure it etc. after all the previous problems with it. It seems to be the most consistently vulnerable FTP daemon ever created. As a friend of mine, Grant, says: "wuftpd is little more than a remote rootshell with ftp extensions"

Adam Daniel
Technical Consultant
FORENSIC DATA SERVICES PTY LIMITED
http://www.forensicdata.com.au
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package:                wuftpd
Announcement-ID:        SuSE-SA:2001:043
Date:                   Wednesday, Nov. 28th, 2001 23:45 MET
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type:     remote root compromise
Severity (1-10):        7
SuSE default package:   no
Other affected systems: all linux-like systems using wu-ftpd 2.4.x / 2.6.0 / 2.6.1

Content of this advisory:
1) security vulnerability resolved: wuftpd
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
<CHOP>
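An added check, not part of the advisory and not SuSE's own tooling: a small POSIX shell script that classifies an FTP greeting banner against the versions the advisory lists as affected (wu-ftpd 2.4.x, 2.6.0, 2.6.1). It assumes the banner format "220 host FTP server (Version wu-2.6.1-18 ...) ready." that wu-ftpd prints by default; the sample banners used in the test are constructed, and the hostnames and the use of nc(1) in check_host are assumptions as well. A matching banner only says that the daemon reports an affected version: a vendor backport can fix the bug without changing the version string, and a version outside the list is not proof of a fix, so confirm with the package manager (rpm -q wuftpd on SuSE) before acting.

```shell
#!/bin/sh
# Added example (not part of the SuSE advisory): classify a wu-ftpd greeting
# banner against the version set the advisory lists as affected
# (wu-ftpd 2.4.x, 2.6.0, 2.6.1). Assumed banner format:
#   220 host FTP server (Version wu-2.6.1-18 <build date>) ready.

# Print "X.Y.Z" from a wu-ftpd greeting line; print nothing if the banner
# does not carry a "(Version wu-..." marker at all.
wuftpd_version() {
    printf '%s\n' "$1" | sed -n 's/.*(Version wu-\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the banner reports a version the advisory covers,
#        1 if it is wu-ftpd but a version outside that set,
#        2 if the banner is not a wu-ftpd banner at all.
wuftpd_affected() {
    ver=$(wuftpd_version "$1")
    [ -n "$ver" ] || return 2
    case "$ver" in
        2.4|2.4.*|2.6.0|2.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the greeting from a live host and classify it (assumption: an nc(1)
# that honours -w as a timeout; nc variants differ in when they hang up, so
# QUIT is sent only after the server has had time to greet us).
check_host() {
    banner=$( (sleep 2; printf 'QUIT\r\n') | nc -w 5 "$1" 21 2>/dev/null | head -n 1)
    wuftpd_affected "$banner"
}
```

Usage: `check_host ftp.example.test; echo $?` prints 0 for an affected banner, 1 for another wu-ftpd version and 2 for a non-wu-ftpd daemon; many sites rewrite or suppress the greeting, so treat a 2 as "unknown", not "safe".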
* adam wrote on Thu, Nov 29, 2001 at 09:25 +1100:
__________________________________________________________
SuSE Security Announcement
Package: wuftpd Announcement-ID: SuSE-SA:2001:043
I received that announcement via bugtraq but not via suse-security. I asked before about it, and I was told that any announcement goes to both security-announce and security. Again, I'm feeling that is not correct, since I haven't received it twice as expected. Was it sent to suse-security? I cannot imagine. So I ask again: Should I subscribe to security-announce, too? Thank you.

oki,
Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
I didn't receive it either. I just saw it on bugtraq, but it wasn't sent to me from suse-security. I recognized SuSE sends announcements to both lists: suse-security & suse-security-announce. Maybe they forgot suse-security in this case? :\
Actually no... I've seen it running through. It was sent to suse-security-announce at Wed, 28 Nov 2001 23:55:25 +0100 (MET), to suse-security at Wed, 28 Nov 2001 23:58:18 +0100 (MET), and to bugtraq at Wed, 28 Nov 2001 23:59:42 +0100 (MET). We usually wait until we see our own posting from -announce until we send it off to suse-security, later other addresses, including bugtraq. Roman.
Hi, well I didn't get it and I can't find it on the list archive http://lists2.suse.com/archive/suse-security/2001-Nov/ but maybe I am too stupid...

Christoph

--
Ruhr-Universitaet Bochum, Lehrstuhl fuer Biophysik
c/o Christoph Wegener, Gebaeude ND 04/Nord, D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754  Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de  http://www.bph.ruhr-uni-bochum.de
None of the existing FTP servers, with the exception of VSFTPD and maybe OpenBSD's FTPD, are even remotely classifiable as "hardened". ProFTPD is a huge mess. Every single effort at a UNIX/Windows ftp server I have ever seen is a disaster. The FTP protocol itself is a disaster, for clients and servers:

http://www.seifried.org/security/network/20010926-ftp-protocol.html

All in all it's just horrible. For bulk transfers consider apache + wget, for users ssh scp/sftp or https.

-Kurt
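An added configuration example, not from Kurt's post and not from any project the thread mentions, showing the "ssh sftp" replacement for plain FTP that he recommends: an sshd_config fragment that confines members of one group to SFTP inside a chroot, with no shell, no scp and no forwarding. Assumptions that do not come from the thread: OpenSSH 4.9 or later (which introduced internal-sftp and ChrootDirectory), a group named sftponly, and per-user chroots under /srv/sftp.

```sshd_config
# Added example (not from the thread): sftp-only accounts as the replacement
# for plain FTP. Assumes OpenSSH >= 4.9, a group "sftponly" and /srv/sftp/<user>.
Subsystem sftp internal-sftp

# Everything below applies only to members of the sftponly group.
Match Group sftponly
    # sshd refuses a chroot that is not root-owned and non-group/world-writable;
    # the user's writable upload area must be a subdirectory inside it.
    ChrootDirectory /srv/sftp/%u
    # No interactive shell and no scp: only the in-process SFTP server runs.
    ForceCommand internal-sftp
    # Keep the account from being used as a tunnel endpoint into the network.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Match blocks must come after the global settings (anything following a Match line belongs to it until the next Match), and the chroot requirement applies to every path component up to /srv/sftp/<user>; run `sshd -t` after editing and check with an sftp login that the user lands in the chroot and cannot open a shell.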
Agreed Kurt, HTTP is a much nicer protocol anyway and if I REALLY have to use plain FTP then it's the OpenBSD daemon.

BTW: an excellent doc.

Adam
Personally I prefer PureFTPD. (http://www.pureftpd.org/)

--
Have fun
Nix - nix@susesecurity.com
http://www.susesecurity.com
All in all it's just horrible. For bulk transfers consider apache + wget, for users ssh scp/sftp or https.

There are many discussions going on about this these days. The overhead wrt syscalls is just about the same with both, except if one of them uses sendfile(2) to shovel the file into the network. What matters is the size of the virtual memory consumed that is not shared with other processes. We simply couldn't run our current ftp server hardware with an apache when up to 900 people are logged on.

Thanks,
Roman.

--
Roman Drahtmüller
Roman Drahtmueller wrote:

What matters is the size of the virtual memory consumed that is not shared with other processes. We simply couldn't run our current ftp server hardware with an apache when up to 900 people are logged on.
In a case like this I would always use OpenBSD. First of all it's slim, doesn't consume as many resources as Linux and is more secure, as far as I can judge, not only their ftp-server. I'd not use it as a desktop system yet, but I'd call it first choice for a server/firewall system.

Speaking about slim systems: What packages are really needed to get a SuSE-Linux installation running? For a router/firewall for my home network I've installed the minimum system and have deleted all yast2 and some other packages, but I guess there are still some packages installed that I do not need on a firewall. I wonder why SuSE doesn't have such a package set as a starting point for dmz-systems or firewalls or systems that have only the software to be used installed... Or at least publish a list of those packages on sdb.

By the way, the SuSE-Internet-Update has turned out very nice, now there is no excuse even for inexperienced users not to have the latest updates installed, and that makes all of us a little more secure, nice job!

Best regards,
Ralf Ronneburger
Check out the "why linux will never be as secure as openbsd" and "why openbsd will never be as secure as linux" articles on my site. Security is not just smaller=better or whatever. http://www.seifried.org/security/

As for what packages are needed on suse, well that depends on you of course. Do you need dns resolver capabilities? Perl? ssh? Fark if I know.

-Kurt
Kurt Seifried wrote:
Check out the "why linux will never be as secure as openbsd" and "why openbsd will never be as secure as linux" articles on my site. Security is not just smaller=better or whatever.
Sure, I've never said that it only depends on the size! Although it does have some influence, you'll not doubt, I guess ;-). And as I've said, it depends on what you need the system for.
As for what packages are needed on suse, well that depends on you of course. Do you need dns resolver capabilities? Perl? ssh? Fark if I know.
No, no, no. Just want a running system, because you'll easily notice if you need something else - eventually something will not work - but one will hardly notice what's installed too much...

Best regards,
Ralf Ronneburger
participants (8)
- adam
- Alexander Bien
- Christoph Wegener
- Kurt Seifried
- Peter Nixon
- Ralf Ronneburger
- Roman Drahtmueller
- Steffen Dettmer