Vendors Prepare Patches for FTP Server Flaw

Security hole leaves servers from HP, SGI, and Sun apparently vulnerable to hacker exploit.

Margret Johnston and James Niccolai, IDG News Service

PGP Security's Computer Vulnerability Emergency Response Team, or COVERT, has notified three vendors that new vulnerabilities have been discovered in their FTP server software.

The security holes could let hackers break into the servers, steal data, deface Web sites, or substitute false data for information a company provides to its customers, according to PGP Security, a Network Associates business unit.

FTP servers are used by more than 90 percent of all enterprise networks to share data with employees, partners, and customers. The vulnerability could affect a significant portion of those networks, according to PGP Security.

The COVERT lab isn't aware of any serious failures attributed to the vulnerability, but as news of the security hole spreads, "it's kind of a race to see if vendors can patch their systems before they are exploited by the bad guys," says Jim Magdych, manager of COVERT Lab.

The problem was discovered in Unix systems from Sun Microsystems, SGI, and Hewlett-Packard, Magdych says. PGP Security is working with these vendors so they can provide patches, he says. COVERT is also working with other vendors to determine whether their servers are vulnerable and to prepare patches for customers.

Sun, HP Prepare Patch

Sun has verified that the security hole exists in its Solaris operating system, and is preparing a software patch that should be available to customers in the next two to three days, says Russ Castronovo, Sun representative.

"We have (identified) it, we have been able to replicate it, we've developed a patch already, and we're in the process of testing and backporting it to other versions of Solaris," Castronovo says. PGP alerted Sun to the problem on March 28, Castronovo adds.

HP also says PGP notified the company of the problem two weeks ago, and "since that time we've been trying to get them to tell us what the (infected) code was," says Shirley Quastler, an HP spokesperson. HP hasn't confirmed yet that the vulnerability exists in its operating system, she adds.

"We received the (infected) code (Monday) and it's undergoing analysis right now, and if in fact there is a vulnerability, a patch will be prepared and HP will issue a security alert to protect its customers," she says.

An SGI representative wasn't able to comment immediately.

Search Function Impaired

The vulnerability is linked to the "glob" function, programming shorthand for a routine that lets you search for names using a shortened, wildcard form of a name or word. The glob function often returns more data than the FTP server expects, overflowing the buffer set aside to hold the result. This is a common type of vulnerability that leaves data open to exploitation, Magdych says.
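The bug class the article describes is a fixed-size buffer receiving a wildcard expansion whose length depends on whatever the pattern happens to match. The following is an added illustration, not code from the article, from PGP Security, or from any vendor's FTP daemon: it expands a pattern against a constructed, in-memory directory listing with a deliberately simplified `*`/`?` matcher (an assumption, not real `glob(3)` semantics), refuses to write when the result would not fit, and separately reports how many bytes a full expansion needs so the gap between that and the buffer size can be seen without ever writing past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed sample directory listing; not taken from any real system. */
static const char *const SAMPLE_DIR[] = {
    "README", "report-2001-01.txt", "report-2001-02.txt",
    "report-2001-03.txt", "notes.txt", "archive.tar.gz"
};
#define SAMPLE_DIR_LEN (sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0])

/* Simplified wildcard matcher (assumption for this example): '*' matches any
 * run of characters, '?' matches exactly one; everything else is literal. */
static bool match(const char *pat, const char *name) {
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;          /* collapse repeated stars */
            if (!*pat) return true;             /* trailing '*' matches the rest */
            for (; *name; name++)               /* try every remaining suffix */
                if (match(pat, name)) return true;
            return false;
        }
        if (!*name) return false;               /* pattern longer than name */
        if (*pat != '?' && *pat != *name) return false;
        pat++; name++;
    }
    return *name == '\0';                       /* both must end together */
}

/* Expand PAT against the sample listing into DST as a space-separated list.
 * Returns the number of matches written, or -1 if the expansion would not
 * fit in DSTSZ bytes (including the NUL), leaving DST as an empty string.
 * This check is what an unbounded copy into a fixed buffer lacks. */
long expand_glob(const char *pat, char *dst, size_t dstsz) {
    size_t used = 0;
    long n = 0;
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < SAMPLE_DIR_LEN; i++) {
        const char *name = SAMPLE_DIR[i];
        if (!match(pat, name)) continue;
        size_t namelen = strlen(name);
        size_t need = namelen + (n > 0 ? 1 : 0);   /* separator before all but the first */
        if (need >= dstsz - used) {                /* no room for this name plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (n > 0) dst[used++] = ' ';
        memcpy(dst + used, name, namelen + 1);     /* copies the NUL too */
        used += namelen;
        n++;
    }
    return n;
}

/* Bytes (including the NUL) a complete expansion of PAT would occupy.
 * Comparing this with a destination size shows how far an unchecked copy
 * would have run past the buffer, without performing that copy. */
size_t expansion_size(const char *pat) {
    size_t total = 1;                               /* terminating NUL */
    long n = 0;
    for (size_t i = 0; i < SAMPLE_DIR_LEN; i++) {
        if (!match(pat, SAMPLE_DIR[i])) continue;
        total += strlen(SAMPLE_DIR[i]) + (n > 0 ? 1 : 0);
        n++;
    }
    return total;
}

int main(void) {
    char buf[32];                                   /* small on purpose */
    const char *patterns[] = { "*.gz", "report-*", "*" };
    for (size_t i = 0; i < 3; i++) {
        size_t need = expansion_size(patterns[i]);
        long n = expand_glob(patterns[i], buf, sizeof buf);
        if (n < 0)
            printf("%-10s needs %zu bytes, buffer is %zu: rejected\n",
                   patterns[i], need, sizeof buf);
        else
            printf("%-10s %ld match(es): \"%s\"\n", patterns[i], n, buf);
    }
    return 0;
}
```

The point of the two functions is that the writer of the buffer, not the caller, decides whether the data fits: `expand_glob` checks the remaining space before every copy, and `expansion_size` lets a reviewer see at a glance that a pattern such as `report-*` needs 57 bytes against a 32-byte destination.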

"If someone could compromise the FTP server, they could potentially replace Web sites, deface them or replace files with Trojan horse (virus) programs," Magdych says. Trojan horse programs would be especially insidious because they can be set to run when unsuspecting users try to download a patch.

This notification about an FTP vulnerability follows the lab's warning in January of a possible vulnerability in the software used in most Domain Name System servers.

Magdych says the notification continues the COVERT lab's effort to identify vulnerabilities in systems used broadly by the Internet community, and to help close those gaps before they are exploited. PGP Security does not provide the patches, but it sells a risk-assessment product called CyberCop Scanner, which has been updated to detect the latest vulnerability.

©2009 About.com, a part of The New York Times Company.

All rights reserved.