SecurityFocus 2000-05-01
Security companies can make headlines by using the right jargon, even when it's wrong.
In the advisory, ISS claims: "Internet Security Systems (ISS) X-Force has identified a backdoor password in the Red Hat Linux Piranha product. [...] A backdoor password exists in the GUI portion of Piranha that may allow remote attackers to execute commands on the server."
A backdoor is normally understood in computer security circles to refer to a system vulnerability deliberately put in place by system designers or operators such that it would allow them to bypass normal security checks. The "wemilo" password discovered in the Cart32 shopping cart software last week is an example of a genuine backdoor.
The "backdoor" discovered by ISS actually consists of two separate vulnerabilities. The first is that the documented "piranha" web account created when you install this package has an undocumented default password. Default passwords are a very common vulnerability -- many operating systems and applications ship with them. In this case the logon screen of the software clearly states (in error) that there is initially no password for this account at all, and it advises the user to set one up if necessary.
The second vulnerability is a lack of input validation when an authenticated web user changes his password, which lets him execute commands under the user id the web server runs as, normally 'nobody'.
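The input-validation failure described above, as an added example that is not Piranha's or Red Hat's code: a constructed password-change handler that splices the new password into a shell command, beside a hardened version that allow-lists both fields and never involves a shell. The `passwd --stdin` invocation, the regular expressions and the sample inputs are assumptions made for illustration.

```python
import re
import subprocess
from typing import Callable

# Constructed illustration (not Piranha's real code): a web password-change
# handler that ultimately shells out to passwd(1) as the web server user.

def build_passwd_command_unsafe(username: str, new_password: str) -> str:
    """Vulnerable pattern: the new password is spliced into a shell command
    string with no validation. A quote or ';' in the password ends the intended
    command, and whatever follows runs with the web server's uid (e.g. nobody).
    Returned as a string here so nothing is ever executed."""
    return f"echo '{new_password}' | passwd --stdin {username}"


USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Allow-list for passwords: printable characters minus shell-sensitive ones.
PASSWORD_RE = re.compile(r"^[A-Za-z0-9!@#%^*_+=.,:-]{8,64}$")


def plan_passwd_change_safe(username: str, new_password: str) -> tuple[list[str], bytes]:
    """Hardened pattern: validate both fields against allow-lists, then build an
    argument vector for passwd(1). The secret is fed on stdin, never placed on a
    command line or passed through a shell, so metacharacters are inert."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username")
    if not PASSWORD_RE.fullmatch(new_password):
        raise ValueError("rejected password")
    return ["passwd", "--stdin", username], (new_password + "\n").encode()


def change_password(username: str, new_password: str,
                    runner: Callable[..., object] = subprocess.run) -> object:
    """Executes the hardened plan; `runner` is injectable so tests can stub it."""
    argv, stdin_data = plan_passwd_change_safe(username, new_password)
    return runner(argv, input=stdin_data, shell=False, check=True)


if __name__ == "__main__":
    hostile = "abc'; INJECTED_COMMAND '"   # constructed hostile input
    print(build_passwd_command_unsafe("piranha", hostile))
    try:
        plan_passwd_change_safe("piranha", hostile)
    except ValueError as e:
        print("hardened handler:", e)
```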
Neither of these vulnerabilities fits the description of a backdoor. There is no evidence that Red Hat put them in place maliciously, and both vulnerabilities require that the user authenticate himself using normal mechanisms.
ISS has plenty of bright security engineers who could have set the record straight before they released their advisory. Even Chris Rouland, director of Internet Security Systems' "X-Force" team, seems to agree. He is quoted in a
I have to wonder whether ISS's choice of words was influenced at all by the recent media interest in backdoors in software products. Only a week earlier, a supposed backdoor in Microsoft's IIS server sparked national media attention before being debunked.
Was ISS trying to maximize its media coverage by utilizing a popular buzzword, or was it a slip-up? I guess only they know for sure.
Computer security companies and experts can exert a great deal of power. When reported in the media, their claims about the security of specific products can greatly influence the public's attitude about those products, and help or hurt companies and free software projects. Security companies need to learn to wield this power carefully, by always verifying their claims and working with the vulnerable product developers -- when possible -- in bringing a quick resolution to the problem.
There is nothing wrong with getting publicity by discovering and publicizing security vulnerabilities... if it's done right.
