The security hole comes at an inopportune moment for Red Hat. The company has been trying to convince customers that its Linux is a good foundation for e-commerce and other corporate operations, software fit to be compared with Microsoft Windows, Sun Microsystems' Solaris or other commercial operating systems.
Red Hat's Piranha software, which lets several Linux machines share a task such as delivering Web pages, has a password-protected feature used to control the software. But the part of the software that checks the password also will run whatever command an attacker wants, said Mike Wangsmo, director of the Piranha product.
"It was a dumb thing," Wangsmo said. He added that an attacker could do only limited damage because he or she wouldn't have full administrative privileges. That's enough to destroy or deface a Web site, however.
On top of that problem, Red Hat 6.2 shipped with the password set--username "piranha" and password "q"--meaning that an administrator couldn't use the management software in the first place unless that password were known, Wangsmo said. The product is supposed to prompt for a password the first time it's used.
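The two defects described above, a password handler that splices its input into a shell command and a shipped default credential that should have triggered a first-use prompt, shown side by side as an added Python illustration that is not Piranha's code; the htpasswd command line, the file name and the CredentialStore class are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed values: the shipped default credential the article names.
DEFAULT_USER, DEFAULT_PASSWORD = "piranha", "q"


def unsafe_set_password(user: str, password: str, passwd_file: str) -> str:
    """VULNERABLE pattern: request fields spliced into a shell command line.

    Returns the string such code would hand to the shell; any metacharacter in
    `password` (';', '|', '`', '$(' ...) turns the remainder into a second command.
    (htpasswd and the file name are illustrative, not Piranha's actual call.)
    """
    return f"htpasswd -b {passwd_file} {user} {password}"


def hash_password(password: str, salt: bytes) -> bytes:
    # Hardened path: the password is hashed in-process and never reaches a shell.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """Hypothetical management-UI credential store with a forced first-use reset."""

    def __init__(self) -> None:
        self.users = {}  # user -> (salt, pbkdf2 hash)
        self.set_password(DEFAULT_USER, DEFAULT_PASSWORD)  # mimic the shipped state

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        # Refuse to serve the UI while the shipped default still works: this is
        # the first-use prompt the article says the product was supposed to give.
        if self.verify(DEFAULT_USER, DEFAULT_PASSWORD):
            return "reset-required"
        return "ok" if self.verify(user, password) else "denied"
```

Metacharacters in a submitted password are harmless on the hardened path because the value is only ever hashed and compared, never interpreted.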
Internet Security Systems (ISS), the group that found the vulnerability, was more critical of the problems, giving it its most severe rating and saying it could provide a launch pad for a more severe attack.
"It's very straightforward. There's an undocumented password built into the 6.2 version of Red Hat," said Chris Rouland, director of X-Force, the research arm of ISS.
ISS calls the problem a "back door"--an undocumented way to gain control over the computer. Red Hat disputes this description, saying the problem is a flaw in the password protection for an ordinary, documented feature.
Red Hat has released a repair for the problem.
The problem illustrates both the promise and the pitfalls of open-source software such as Linux, in which the original programming instructions are available for all to see. On the one hand, the approach allows many eyes to scrutinize code for vulnerabilities and to create a repair without having to wait for a controlling company to get around to it. On the other hand, it lets malicious hackers find vulnerabilities that might not otherwise be obvious.
"We found this by taking a cursory glance at the source of the application," Rouland said.
The peer review argument from open-source advocates has merit, Rouland said, but it's not a guarantee of secure software. For example, the email software Sendmail has been open source for 20 years, "and people found vulnerabilities in it every year of that 20 years," Rouland said.
Another security problem in general with Linux is that it contains numerous packages written by numerous people, often with little or no quality control, Rouland said.
Red Hat is helping to bring some order to this situation, however. For example, the company follows the traditional practice of posting security advisories to security mailing lists. And Rouland said the company is very responsive to security issues.
Microsoft has undergone a similar transformation in the past two-and-a-half years, since its Windows NT server software started getting used on computers attached to the Internet, Rouland said.
"Microsoft pretty much pulled a 180," he said. "They execute very quickly on releasing bug fixes. As Windows has been deployed into hostile environments like the Internet, they've really ramped up their security."