Alerts: BSD and Postfix Vulnerabilities; File-Sharing Dangers
New vulnerabilities in BSD operating systems and Postfix, a popular mail transfer agent; the FTC warns about the dangers of file-sharing
Vulnerability: BSD operating systems and WU-FTPd
CERT warned of a vulnerability in 4.4BSD that an attacker can exploit to gain root access to a server, or access as an anonymous user with write access to the server. Since the functionality derives from the FreeBSD 3.x tree, CERT warns that “other applications and operating systems that use or were derived from this code base may be affected.”
WU-FTPd binaries compiled on Linux 2.0.x, or later 2.4.x kernels, are also thought to be affected.
Users of operating systems from the following companies should make sure they’ve downloaded the latest security patches: Apple Computer, Conectiva, Debian, FreeBSD, Hewlett-Packard, Immunix, MandrakeSoft, NetBSD, OpenBSD, Red Hat Inc., Sun Microsystems, SuSE, TurboLinux, Wind River Systems, and WU-FTPD Development Group.
CERT says, “to help mitigate a remote attacker from exploiting this issue, and as a general practice, do not permit anonymous user to have write access to the server.”
For more information: http://www.kb.cert.org/vuls/id/743092
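One way to check CERT's mitigation on a server's filesystem, as an added example that is not from CERT or this article: the script lists anything under an anonymous FTP tree that an anonymous session could write to. The tree path and the account name "ftp" are assumptions; pass your server's own values.

```shell
#!/bin/sh
# Added example (not from the article or CERT). Assumptions: the anonymous
# FTP tree is passed as $1; the anonymous account is "ftp" unless $2 is given.

# List everything under the tree that an anonymous session could write to:
# world-writable entries, plus entries owned by the anonymous account with
# the owner-write bit set. Symlinks are skipped (their mode bits say nothing).
audit_anon_ftp() {
    root=$1
    acct=${2:-ftp}
    if [ ! -d "$root" ]; then
        echo "audit_anon_ftp: not a directory: $root" >&2
        return 2
    fi
    if id -u "$acct" >/dev/null 2>&1; then
        find "$root" ! -type l \( -perm -0002 -o \( -user "$acct" -perm -0200 \) \) -print
    else
        # Account not present on this host: only the world-writable test applies.
        find "$root" ! -type l -perm -0002 -print
    fi
}

# Exit 0 only when the audit ran and found nothing writable;
# exit 1 on findings, 2 when the audit itself failed.
anon_ftp_is_readonly() {
    findings=$(audit_anon_ftp "$@") || return 2
    [ -z "$findings" ]
}

# Stand-alone use: sh audit.sh <ftp-root> [account]
if [ "$#" -gt 0 ]; then
    audit_anon_ftp "$@"
fi
```

Write access granted through the account's group membership or through the FTP daemon's own upload rules is not covered here and needs a separate look.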
Vulnerability in Popular Mail Transfer Agent
Versions of Postfix prior to 2.0 are open to denial of service since address-parsing software in the popular mail-transfer agent (MTA) can supply a remote SMTP listener with malformed envelope addresses. An attacker could exploit the vulnerability in a variety of ways, such as by locking up the queue manager, force-queuing mail to an address that will bounce and confuse the MTA, or locking an SMTP listener open even after the session is dropped, then repeating until it causes a denial of service.
According to Michal Zalewski, who discovered the vulnerabilities, “recent [Postfix] 1.1 releases, having no publicly disclosed security problems, are still commonly used and shipped in several popular Linux distributions, including Red Hat 9 or Debian 3.0.”
For more information: http://www.kb.cert.org/vuls/id/895508
Alert: FTC Quietly Enters File-Sharing Fray
The Federal Trade Commission issued an alert to computer users, “File-Sharing: A Fair Share? Maybe Not.”
Puns aside, the advisory warns about the risks people face when using file-sharing software. Though targeted at consumers, the warnings should keep network administrators up at night. Chief among them are unwittingly sharing private—or corporate—files, downloading (perhaps also unwittingly) copyrighted material, which places the user at legal risk, or downloading viruses, vulnerability exploits, or renamed pornography.
The same warnings go for corporate laptops used at home by employees’ children.
The FTC advises that if you use file sharing, ensure that only “intended files are shared,” be careful what you download and open since it could be spyware, keep anti-virus software up to date, and educate family members who also use your computer about all the potential file-sharing risks.
For more information: http://www.ftc.gov/bcp/conline/pubs/alerts/sharealrt.htm
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.