On Thu, 18 Jan 2001, Michael H. Warfield wrote:
> Granted that RedHat's record with regard to security and
> upgrades like this has been an abysmal embarrassment. But it's still
> the only shot you've got. As low as it is, you can only do
In comparison to what?
First, the only reason this thing looks for wu-ftp and rpc.statd in 6.2
and LPRng in 7, is that these are KNOWN exploits, and have been known for
some time.
the script kiddies are not hitting you with something new and
scary... rather something old. Now... this just came out this
week... probably been in circulation since last week or the week before,
but not more than that.
So.. that would put it somewhere around first week of Jan.
Funny, there have been fixes for these exploits since ummm June 2000.
And let's see... Who is vulnerable to this exploit?? Well, SecFocus says
the following:
Caldera OpenLinux 2.4
Caldera OpenLinux 2.3
Caldera OpenLinux 2.2
Connectiva Linux 5.0
Connectiva Linux 4.2
Connectiva Linux 4.1
Connectiva Linux 4.0es
Connectiva Linux 4.0
Connectiva Linux 3.0
Debian Linux 2.3
Debian Linux 2.2
Debian Linux 2.1
HP HP-UX 11.4
HP HP-UX 11.0
HP HP-UX 10.26
HP HP-UX 10.24
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 10.0.1
RedHat Linux 6.2 sparc
RedHat Linux 6.2 i386
RedHat Linux 6.2 alpha
RedHat Linux 6.1 sparc
RedHat Linux 6.1 i386
RedHat Linux 6.1 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.0 i386
RedHat Linux 6.0 alpha
RedHat Linux 5.2 sparc
RedHat Linux 5.2 i386
RedHat Linux 5.2 alpha
RedHat Linux 5.1
- Standard & Poors ComStock 4.2.4
RedHat Linux 5.0
Slackware Linux 7.1
Slackware Linux 7.0
TurboLinux Turbo Linux 4.0
TurboLinux Turbo Linux 3.5b2
Washington University wu-ftpd 2.6
Washington University wu-ftpd 2.5
+ RedHat Linux 6.1 i386
Washington University wu-ftpd 2.4.2academ[BETA1-15]
+ Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2academ[BETA-18]
+ RedHat Linux 5.2 i386
Oh my GOD, is that DEBIAN in there?????
Looks like just about every major distro.. except maybe Mandrake, but
Mandrake at that time was still very based on Red Hat.
published June 22, 2000
So Security Focus published this, via bugtraq, on June 22 2000.
And Red Hat released a security errata to fix this exploit on...
23-Jun-2000 wu-ftpd (RHSA-2000:039-02) wu-ftpd remote root exploit(SITE EXEC) fixed
So... there was a roughly 24 hour period where you would have been
caught. hmmm
Now let's look at that pesky rpc.statd exploit that the kiddies are looking
for:
Security Focus says rpc.statd Remote Format String Vulnerability
bugtraq id 1480
object rpc.statd (exec)
class Input Validation Error
cve CVE-2000-0666
remote Yes
local Yes
published July 16, 2000
Now... who is vulnerable to this exploit???
vulnerable
Connectiva Linux 5.1
Connectiva Linux 5.0
Connectiva Linux 4.2
Connectiva Linux 4.1
Connectiva Linux 4.0es
Connectiva Linux 4.0
Debian Linux 2.3 sparc
Debian Linux 2.3 powerpc
Debian Linux 2.3 alpha
Debian Linux 2.3
Debian Linux 2.2 sparc
Debian Linux 2.2 powerpc
Debian Linux 2.2 alpha
Debian Linux 2.2
RedHat Linux 6.2 sparc
RedHat Linux 6.2 i386
RedHat Linux 6.2 alpha
RedHat Linux 6.1 sparc
RedHat Linux 6.1 i386
RedHat Linux 6.1 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.0 i386
RedHat Linux 6.0 alpha
S.u.S.E. Linux 7.0
S.u.S.E. Linux 6.4ppc
S.u.S.E. Linux 6.4alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0
Why, that's an awful lot of Debian and SuSE in there, not just Red
Hat. Ummm I thought Red Hat was so bad with security???
Well, rpc.statd bug reported on July 16. When did RH release the fix?
Synopsis Revised advisory: Updated package for
nfs-utils available
Advisory ID RHSA-2000:043-04
Issue Date 2000-07-17
Again, the VERY next day.
and the LPRng bug??
bugtraq id 1712
object LPRng (exec)
class Input Validation Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published September 25, 2000
updated November 10, 2000
vulnerable Caldera eDesktop 2.4
Caldera eServer 2.3
Caldera OpenLinux Desktop 2.3
Caldera OpenLinux eBuilder 3.0
RedHat Linux 7.0
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0
Hmmm... released on September 25 2000. And look: 4 Caldera versions, and
two Trustix versions, and ONE Red Hat version vulnerable.
Good job by SuSE and Debian on this one.
And when did Red Hat release the update for this bug?? Let's see:
Red Hat, Inc. Security Advisory
Synopsis LPRng contains a critical string format bug
Advisory ID RHSA-2000:065-06
Issue Date 2000-09-26
Updated on 2000-10-04
Product Red Hat Linux
Keywords LPRng security lpd printing lpr syslog
Well... and again, on the next day.
Now, I give you all this info for a reason. I do work for Red Hat. BUT
so what?
One of my biggest peeves is people who complain, and decry someone for
something that is not their doing. Red Hat didn't create those holes. If
you want to lambaste someone, you should also be complaining about
Debian, Turbo, SuSE, Caldera, and the other distros who are ALSO
vulnerable to these exploits.
My point is this:
A: this was written by kiddies who couldn't figure out how to write decent
code that could find an actual exploit. This worm doesn't look for an
exploit. It uses known exploits, and searches for Red Hat systems,
why? Because Red Hat had the programs that these exploits are for.
B: if you are going to bash a company, first make sure you know what you
are bashing them for... and B: make sure you bash everyone responsible. I
didn't see you jumping in Debian or SuSE...
Ok... enough ranting. I know Red Hat is not perfect. But then neither
are you. and neither am I. and neither is Debian, nor Turbo, nor SuSE,
nor whatever else. Nothing is perfect.
cheers