IWS - The Information Warfare Site

ADVISORY 01-027

"Significant Vulnerability Identified In Common Linux File Transport Protocol Program"
November 28, 2001

Summary:

The National Infrastructure Protection Center (NIPC) has learned about a vulnerability in versions of the Washington University File Transport Protocol Daemon (WU-FTPD) that could lead to an attacker gaining surreptitious access to sensitive information. For those systems using the WU-FTPD service for which a patch is not yet available, it is suggested that you either disable FTP by blocking TCP port 21 or, in those instances where this is not an option, disable anonymous logon.

Problem:

The original problem was discovered by Bindview more than 6 months ago, but was not believed to be exploitable at that time. Since then, Core Security Technologies has proven that the vulnerability is exploitable. Additionally, it is believed that an exploit leveraging this vulnerability on Linux systems is already circulating in the hacker community.

In order for an attacker to be able to exploit this vulnerability, the WU-FTPD service must either allow anonymous access or the attacker must gain valid credentials to use the service. Anonymous access is often enabled by default on some systems.

Additional technical information, including a list of affected versions, can be found at the following web site:

http://aris.securityfocus.com/alerts/wuftpd/

Mitigation:

The WU-FTPD development team has been notified of the problem and is working on a patch to correct it. Until a patch is released, users can mitigate the potential impact by disabling FTP, which normally runs on TCP port 21. It is also suggested that sites that require FTP to be enabled restrict anonymous access, which is essentially a guest account that is often available without any additional authentication.
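One way to verify the anonymous-logon mitigation on a host that must keep FTP running is sketched below; it is an added example, not part of the NIPC advisory or the WU-FTPD project. It assumes the conventional WU-FTPD behaviour that accounts listed in ftpusers are refused login and that a session matching no ftpaccess class is refused; the function names and sample file contents are constructed for illustration.

```python
# Added example: audit WU-FTPD config text for the "disable anonymous logon" mitigation.
# Assumptions (not from the advisory): the ftpaccess "class" line syntax below, and
# that accounts listed in ftpusers are refused FTP login.
ANON_NAMES = {"ftp", "anonymous"}

# Constructed sample inputs, not taken from any real host.
SAMPLE_FTPACCESS_OPEN = """\
# classes
class   all     real,guest,anonymous   *
email   root@localhost
"""
SAMPLE_FTPACCESS_CLOSED = """\
class   local   real,guest   *
#class  all     real,guest,anonymous   *
"""
SAMPLE_FTPUSERS = "root\nbin\nftp\nanonymous\n"


def _active_lines(text):
    """Yield config lines with comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def anonymous_classes(ftpaccess_text):
    """Names of classes whose type list admits anonymous sessions.
    Line format: class <name> <type[,type...]> <addrglob> [<addrglob> ...]"""
    found = []
    for line in _active_lines(ftpaccess_text):
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "class":
            if "anonymous" in {t.lower() for t in fields[2].split(",")}:
                found.append(fields[1])
    return found


def audit(ftpaccess_text, ftpusers_text):
    """Report whether anonymous logon is still reachable through either file."""
    classes = anonymous_classes(ftpaccess_text)
    denied = {line.split()[0] for line in _active_lines(ftpusers_text)}
    missing = sorted(ANON_NAMES - denied)  # conservative: wants both names listed
    return {
        "anonymous_classes": classes,
        "not_denied_in_ftpusers": missing,
        "anonymous_disabled": not classes or not missing,
    }
```

Feed it the contents of the host's ftpaccess and ftpusers files (commonly under /etc on Linux, which is an assumption about the install); a result with "anonymous_disabled" set to False means the mitigation has not been applied.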

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at 888-585-9078 or nipc.watch@fbi.gov.