Freaks Macintosh Archive

home *** CD-ROM | disk | FTP | other *** search

/ Freaks Macintosh Archive / Freaks Macintosh Archive.bin / Freaks Macintosh Archives / Textfiles / cert / CERTSummaries96.sit.hqx / CERT summaries 96' next >

Wrap

PGP Signed Message | 1997-01-21 | 56KB | 1,599 lines

-----BEGIN PGP SIGNED MESSAGE----- - --------------------------------------------------------------------------- CERT(sm) Summary CS-96.01 January 23, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our strategic incident response staff. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - --------------------------------------------------------------------------- Recent Activity - --------------- In the last two months we have seen the same types of activity that we described in the CERT advisory CA-95:18 Widespread Attacks on Internet Sites. If you have not yet taken steps to protect your site against the activities described below, we urge you to do so as soon as possible. Description Intruders are doing the following: - using automated tools to scan sites for NFS and NIS vulnerabilities - exploiting the rpc.ypupdated vulnerability to gain root access - exploiting the loadmodule vulnerability to gain root access - installing Trojan horse programs and packet sniffers - launching IP spoofing attacks Solution The CERT staff urges you to immediately take the steps described in the advisories referenced below. Note that it is important to periodically recheck these files as they contain updated information received after the advisory was published. a. Using automated tools to scan sites for NFS and NIS vulnerabilities * CA-94:15.NFS.Vulnerabilities * CA-92:13.SunOS.NIS.vulnerability b. Exploiting the rpc.ypupdated vulnerability to gain root access * CA-95:17.rpc.ypupdated.vul c. Exploiting the loadmodule vulnerability to gain root access * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability * CA-95:12.sun.loadmodule.vul d. Installing Trojan horse programs and packet sniffers * CA-94:01.ongoing.network.monitoring.attacks e. Launching IP spoofing attacks * CA-95:01.IP.spoofing The CERT advisories are available from ftp://info.cert.org/pub/cert_advisories What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (November 28, 1995). * New Additions ftp://info.cert.org/pub/ Sysadmin_Tutorial.announcement (This CERT course will be given four times this year in Pittsburgh, Pennsylvania, USA.) ftp://info.cert.org/pub/cert_advisories/ CA-95:16.wu-ftpd.vul CA-95:17.rpc.ypupdated.vul CA-95:18.widespread.attacks ftp://info.cert.org/pub/cert_bulletins/ VB-95:10.elm VB-95:10a.elm (listed additional FTP sites) * Updated Files ftp://info.cert.org/pub/ cert_faq ftp://info.cert.org/pub/cert_advisories/ CA-95:13 (syslog - added info from Digital Equipment) CA-95:15 (SGI lp - added info) CA-95:16 (wu-ftpd - added clarification and Solaris 2.4 info) CA-95:17 (rpc.ypupdated - added vendor info for Digital & HP) ftp://info.cert.org/pub/tech_tips/ AUSCERT_checklist1.1 (replaced AUSCERT checklist version 1.0) - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMhCsXHVP+x0t4w7BAQHfBgQAuo/+ApxplmfDVxE0O6IahjhJmzKO28M8 X4Hx+BtfZycxe3WgT7mHVTN4iIl2n8k4d1PAUJZGdzhYe7kjiH2auiVUEruR9fQC aREps8J2gn1BWWUijWuVWMQZ8n0IRmeRseJu1Fa17oz93QnKThPD4H31O8+fj6Jh Pzgs8THUUX4= =3+Ic -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- - --------------------------------------------------------------------------- CERT(sm) Summary CS-96.02 March 26, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our strategic incident response staff. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - --------------------------------------------------------------------------- Recent Activity - --------------- In the two months since the last CERT Summary, we have continued to receive reports about the same types of activities that were described in CERT advisory CA-95:18 Widespread Attacks on Internet Sites. In addition, we have seen an increase in the number of reports relating to software piracy, many of which involve intruders taking advantage of systems with poorly configured anonymous FTP areas. If you haven't done so already, the CERT staff urges you to immediately take the steps described in the advisories listed below. Note that it is important to periodically recheck these files, as they can contain updated information that we receive after an advisory is published. The majority of the incidents reported to our incident response staff during the last two months fit into one (or more) of these seven categories: 1. Root compromise on systems that are unpatched or running old OS versions. We receive daily reports of systems that have been compromised by intruders who have gained unauthorized access to root or other privileged accounts by exploiting widely known security vulnerabilities on systems that did not have appropriate patches installed (and/or systems that were running old [unpatched] versions of the operating system). We encourage everyone to check with their vendor(s) regularly for updates or new patches that relate to their systems, and install security-related patches as soon as they are available. For a list of additional suggestions on recovering from a UNIX root compromise, see ftp://info.cert.org/pub/tech_tips/root_compromise 2. Compromised user-level accounts that are leveraged to gain further access. We receive daily reports of compromised accounts that have been used to launch attacks against other sites, and/or have been used to gain privileged access on vulnerable systems. We encourage you to check your systems regularly (in accordance with your site policies and guidelines) for any signs of unauthorized accesses or suspicious activity. For a list of suggestions on how to determine whether your system may have been compromised, see ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist 3. Packet sniffers and Trojan horse programs We continue to receive almost daily incident reports about intruders who have installed packet sniffers on root-compromised systems. These sniffers, used to collect account names and passwords, are frequently installed as part of a widely-available kit that also replaces common system files with Trojan horse programs. The Trojan horse binaries (du, ls, ifconfig, netstat, login, ps, etc.) hide the intruders' files and sniffer activity on the system on which they are installed. For further information and methods for detecting packet sniffers and Trojan horse binaries, see the following files: ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks ftp://info.cert.org/pub/cert_advisories/CA-94:05.MD5.checksums 4. IP spoofing attacks We continue to receive several reports each week of IP spoofing attacks. Intruders attack by using automated tools that are becoming widespread on the Internet. Some sites incorrectly believed that they were blocking such spoofed packets, and others planned to block them but hadn't yet done so. For further information on this type of attack and how to prevent it, see ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing 5. Software piracy We receive new reports each week about compromised accounts and/or poorly configured anonymous FTP servers that are being used for exchanging pirated software. While the compromised accounts should be addressed as a separate security issue (see item 2, above), the abuse of anonymous FTP areas for software piracy activities can be reduced if the anonymous FTP service is correctly configured and administered. For related information and guidelines for configuring anonymous FTP, see ftp://info.cert.org/pub/cert_advisories/CA-93:10.anonymous.FTP.activity 6. Sendmail attacks We still receive new reports each week about intruders attempting to exploit vulnerabilities in the sendmail program mailer facility. Unfortunately, some of these attacks have been successful against sites that are running old versions of sendmail and/or are not restricting the sendmail program mailer facility. Sendmail's program mailer facility can be restricted by using the sendmail restricted shell program (smrsh). Information on known sendmail vulnerabilities and the smrsh tool can be obtained from ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul The smrsh program can be obtained from: ftp://info.cert.org/pub/tools/smrsh/ smrsh is also included in the sendmail 8.7.5 distribution. 7. NFS and NIS attacks, and automated tools to scan for vulnerabilities We receive weekly reports of intruders using automated tools to scan sites for hosts that may be vulnerable to NFS and NIS attacks. Intruders are continuing to exploit the rpc.ypupdated vulnerability to gain root access, and intruders are still exploiting widely known vulnerabilities in NFS to gain root access. For related information, see ftp://info.cert.org/pub/cert_advisories/CA-95:17.rpc.ypupdated.vul ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities ftp://info.cert.org/pub/cert_advisories/CA-92:13.SunOS.NIS.vulnerability What's New at the CERT Coordination Center - ------------------------------------------ The CERT Coordination Center has a new Web site. It includes information on Internet security and has a link to the CERT FTP archive. http://www.cert.org What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (January 23, 1996). * New Additions ftp://info.cert.org/pub incident_reporting_form v.3 (replaced v.2 with v.3) ftp://info.cert.org/pub/cert_advisories CA-96.01.UDP_service_denial CA-96.02.bind CA-96.03.kerberos_4_key_server CA-96.04.corrupt_info_from_servers CA-96.05.java_applet_security_mgr CA-96.06.cgi_example_code ftp://info.cert.org/pub/cert_bulletins VB-96.01.splitvt VB-96.02.sgi VB-96.03.sun VB-96.04.bsdi ftp://info.cert.org/pub/FIRST conference.info ftp://info.cert.org/pub/tech_tips root_compromise ftp://info.cert.org/pub/tools /cpm/* (replaced older version with v.1.2) /sendmail/sendmail.8.7.5 (replaced older version) /tcp_wrappers/tcp_wrappers_7.3 (replaced older version) /sendmail/smrsh/* (replaced older vsersion with v.8.4) ftp://info.cert.org/pub/vendors /sgi/SGI_contact_info * Updated Files ftp://info.cert.org/pub cert_faq (version 10.2) ftp://info.cert.org/pub/cert_advisories CA-94:01 (added info about cpm v.1.2) CA-95:13 (added info from sendmail author and Cray; added info from HP and Sun) CA-95:14 (added info from NEC Corp and Silicon Graphics) CA-95:17 (added info from IBM) CA-96.01 (new URL for Argus; added info from Silicon Graphics) CA-96.02 (added info from IBM, Solbourne, and Silicon Graphics) CA-96.03 (added new checksums and patch info; added info from Transarc and TGV Software, Inc.) CA-96.04 (added info from Silicon Graphics) CA-96.05 (added pointer to Netscape 2.01) rdist-patch-status (added pointer to version 6.1.2) ftp://info.cert.org/pub/vendors /hp/HP.contact.info - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA URLs: http://www.cert.org/ ftp://info.cert.org/pub/ To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMhCtFXVP+x0t4w7BAQGqMwP8Da/27XOhG+hWDqO69XiYxTXFQUrDPkKz 5KaHbMjEKnCj1pu1zt71cNdxCj6zz4fpfRxGqPdORkwLvl7glgWjxtW3bhRJVje3 ytdb8Us0fLwQ+zZnkfgkTJa5MNwCLGwF3ntLpupWH+9yJBZd5taZ+rIleb12tRFb Jw7H7y2bNjM= =YDeN -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- - --------------------------------------------------------------------------- CERT(sm) Summary CS-96.03 May 22, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our Incident Response Team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ We have changed the way we sign CERT publications. Before May 20, 1996, we put our PGP signature in a separate .asc file, which was available for anonymous FTP. As of May 20, 1996, the CERT PGP signature is in the document itself. CS-96.03 (this summary), VB-96.06, and VB-96.07 are signed this way. The first advisory to be signed this way will be CA-96.10, which has not yet been released. In addition, we have removed the .asc files from past publications and re-signed them in the text. You can get the CERT public key from PGP Public Key Servers and from ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Recent Activity - --------------- Since the March CERT Summary, we have seen these continuing trends in incidents reported to us. 1. Password files and cracking We have seen an increase in incidents in which intruders obtain password files from sites and then try to compromise accounts by cracking passwords. Once intruders gain access to a user account, they attempt to gain root access through a cracked root password or by exploiting another vulnerability. These incidents point to the need for system administrators to address three areas: - Protect your password file so an intruder cannot obtain a copy of it. - Ensure that good passwords are selected so that they cannot easily be cracked, or use a technology where passwords are not located in the password file. - Ensure that you are up to date with security patches and workarounds and watch for unusual activity. To learn more about these problems, see the following file: ftp://info.cert.org/pub/tech_tips/passwd_file_protection 2. Linux machines We have seen an increase in break-ins and root compromises of Linux machines. In some cases, the intruders are installing packet sniffers on Linux machines. If you are use Linux on your machines, we recommend that you keep up to date with patches and security workarounds. We also recommend that you review ftp://info.cert.org/pub/cert_advisories/CA-94:01.ongoing.network.monitoring.attacks The advisory describes sniffers, suggests approaches for addressing the problem, and contains updated information after advisory was issued. We also recommend that you monitor the Linux newsgroups and mailing lists for security patches and workarounds. Additionally, a World Wide Web page that some sites reference is http://bach.cis.temple.edu/linux/linux-security Note that this reference should not be construed as a formal endorsement of the page or its contents. We are simply including it in this summary so that our readers are aware of its existence; you may evaluate it as appropriate to your situation. 3. Machines being probed to find known vulnerabilities We continue to get reports of machines being probed for known vulnerabilities. In many cases, these sites did not have up-to-date security patches and the machines were compromised at the root level. In some cases, the intruders are using the Internet Security Scanner (ISS). These intruders frequently use ISS on a large range of IP addresses and then use the information collected to compromise vulnerable computers. So that you can determine if your machines are vulnerable to the problems that ISS examines, you may wish to run ISS against your own site (in accordance with your organization's policies and procedures). ISS is available from ftp://info.cert.org/pub/tools/iss/iss13.tar We also encourage you to take relevant steps discussed in these documents: ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist ftp://info.cert.org/pub/tech_tips/packet_filtering 4. Mail spoofing and mail bombing We have seen a large increase in the number of reports concerning email spoofing, bombing, and spamming. To learn more about dealing with these issues, see the files: ftp://info.cert.org/pub/tech_tips/email_bombing_spamming ftp://info.cert.org/pub/tech_tips/email_spoofing What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (March 26, 1996). * New Additions ftp://info.cert.org/pub/cert_advisories/ CA-96.07.java_bytecode_verifier CA-96.08.pcnfsd CA-96.09.rpc.statd ftp://info.cert.org/pub/cert_bulletins/ VB-96.05.dec VB-96.06.freebsd VB-96.07.freebsd ftp://info.cert.org/pub/tech_tips root_compromise anonymous_ftp_abuses email_bombing_spamming email_spoofing passwd_file_protection * Updated Files ftp://info.cert.org/pub/cert_advisories/ CA-94:04 CA-94:09 CA-95:01 (added a pointer to Argus) CA-95:13 CA-96.02 CA-96.06 (added info from another response team) CA-96.07 (added a pointer to Netscape 2.02) CA-96.08 (updated fix info that was in the original Appendix B) CA-96.09 (added info from TGV/Cisco, a workaround for SunOS 4.s, and a clarification) CA-96.13 (added info from the Santa Cruz Operation) ftp://info.cert.org/pub/tech_tips anonymous_ftp_config (file name changed) ftp://info.cert.org/pub/tools /ValidateHostname (replaced older version of IsValid.c and updated the README) ftp://info.cert.org/pub/vendors /sgi/SGI_contact_info (added URL for SGI Security Web pages) Keeping Current - --------------- Often during the couse of our work, we learn about software upgrades that fix security problems. In a new section of our FTP archive we list these upgrades, their sources, and their MD5 checksums. ftp://info.cert.org/pub/latest_sw_versions/ If you use any of the software listed in this directory, we recommend that you upgrade to the current versions. Among other changes, these new versions address security weaknesses present in previous versions. If you have any questions about the software listed in this directory, please contact the vendor for more information. - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMhCtvnVP+x0t4w7BAQGPxwP+OXm4mGzeNJ5boL2GLh/ba8PaLlW0YE5q d43gdRhmSuT66PtOwrCG9zqwhuomHbRKTbifS9KVVfWDQaDUtGYEAuEWFL9CT0D4 /qh3RO7TrBiQ2sgZoakOpdXXkc3qjqrj9voMk/N9dPWd8WiVxp3Ujzc26sadxydB 9G8fLVqEYW4= =DEop -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------------- CERT(sm) Summary CS-96.04 July 23, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our Incident Response Team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - --------------------------------------------------------------------------- Increasing Sophistication of Intruder Community Expertise - --------------------------------------------------------- In earlier summaries, we noted that the intruder community was analyzing operating system source code to develop increasingly sophisticated and effective exploitation techniques. The intruder community is now developing new techniques to analyze programs for potential vulnerabilities even in the absence of source code. This can be done with a tool that traces system calls and subroutine calls within a program, thus allowing a person to match such calls against command line parameters. Although there is little that sites can do in direct response to this information, it does highlight the importance of staying up to date with security patches and workarounds for your operating systems and applications. Operating System Concerns - ------------------------- We receive reports relating to incident activity from many different sites using a wide variety of operating systems. Because of problems we see that directly relate to operating systems, we felt it worthwhile to make a few observations about choosing an operating system. For information on this subject, see ftp://info.cert.org/pub/tech_tips/choose_operating_sys Forged Advisories - ----------------- Occasionally, we see forged advisories on various newsgroups or other distribution lists. If you have the Pretty Good Privacy (PGP) program, you can determine whether or not an advisory is genuine by checking the PGP signature. We use PGP to sign all our advisories. To verify that a CERT advisory is authentic, 1. Get the CERT public key from ftp://info.cert.org/pub/CERT_PGP.key 2. Verify the authenticity of the document by checking the PGP signature. To do this, enter the following command: %pgp <filename> You should see a message that includes the statement Good signature from user "CERT Coordination Center <cert@cert.org>". Signature made <date> Recent Activity and Trends - -------------------------- Since the May CERT Summary, we have seen these continuing trends in incidents reported to us. 1. Linux root compromises At least once a week we see reports of Linux machines that suffer break-ins leading to root compromises. In many of these incidents, the systems were misconfigured, and/or the intruders exploited well-known vulnerabilities (for which CERT advisories have been published); the intruders then installed Trojan horse programs and/or network monitoring programs (packet sniffers). If you are running Linux, we strongly urge you to keep up to date with patches and security workarounds. We recommend that you also review ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks Further, you may want to monitor the Linux newsgroups and mailing lists for security patches and workarounds. More information can be found at http://bach.cis.temple.edu/linux/linux-security/ 2. Telnetd in Linux systems We have noticed an increase in the exploitation of a vulnerability in the telnetd environment on unpatched Linux-based systems. If you have not patched your system(s) for this vulnerability, we urge you to review CERT advisory CA-95:14 and install the patch or workaround provided. ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability 3. Password Cracking We continue to receive daily reports of unauthorized site access as a result of compromised accounts and/or "cracked" passwords. For information about protecting your password files, please see ftp://info.cert.org/pub/tech_tips/passwd_file_protection 4. Sendmail attacks Although discussed in previous summaries, we continue to receive reports each week about intruders who attempt to exploit sendmail vulnerabilities. We have published several advisories on sendmail. If you have not addressed the vulnerabilities in sendmail, we urge you to review these advisories and take appropriate action. All advisories, including sendmail advisories, can be found at ftp://info.cert.org/pub/cert_advisories/ In many of these attempts, intruders are trying to obtain password files. For information on protecting your password files, see ftp://info.cert.org/pub/tech_tips/passwd_file_protection We have had many questions about when to use the sendmail restricted shell program (smrsh). You should run smrsh with any UNIX system that is running sendmail, regardless of vendor or version. smrsh is now included as part of the current sendmail distribution (effective with version 8.7.1). We strongly urge you to upgrade to the latest version of sendmail. See ftp://info.cert.org/pub/latest_sw_versions/sendmail 5. cgi-bin vulnerabilities Since our last summary, we've seen an increase in the number of reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin program that relies on escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack. For more information about cgi-bin vulnerabilities and patches, please see ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code There have been discussions in several public forums about the problem of general-purpose interpreters being placed in the cgi-bin directory. If these interpreters are accessible in the cgi-bin directory of a Web server, then a remote user can execute any command the interpreters can execute on that server. For more details and patch information, see ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir 6. Mail spamming/spoofing attacks We receive at least three incidents each week of mail spamming and/or spoofing attacks. For information on responding to and recovering from such activity, see ftp://info.cert.org/pub/tech_tips/email_bombing_spamming ftp://info.cert.org/pub/tech_tips/email_spoofing What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (May 22, 1996). * New Additions ftp://info.cert.org/pub/cert_advisories/ CA-96.10.nis+_configuration CA-96.11.interpreters_in_cgi_bin_dir CA-96.12.suidperl_vul CA-96.13.dip_vul ftp://info.cert.org/pub/cert_bulletins/ VB-96.08.sgi VB-96.09.freebsd VB-96.10.sco VB-96.11.freebsd ftp://info.cert.org/pub/tech_tips/ choose_operating_sys Things to consider when choosing an operating system for your site ftp://info.cert.org/pub/tools/ ifstatus Added the ifstatus program ftp://info.cert.org/pub/vendors/ sun/sun_bulletin_00135 Added bulletin from Sun Microsystems, Inc. dec/dec-96.0383 Added bulletin from Digital Equipment Corporation * Updated Files ftp://info.cert.org/pub/cert_advisories/ CA-95:13 Added vendor information for Digital Equipment Corporation and Silicon Graphics, Inc. CA-96.04 Added information about the next release of BIND CA-96.08 Added vendor information for Digital Equipment Corporation, NEC Corporation, and Data Design Systems, Inc. Added patch information for FreeBSD, Inc. CA-96.09 Added vendor information for Digital Equipment Corporation. Added pointers to Silicon Graphics, Inc. release notes and Sun Microsystems, Inc. patches CA-96.12 Added vendor information for FreeBSD, NEC Corporation, and Digital Equipment Corporation ftp://info.cert.org/pub/FIRST/ first-contacts Updated contact information ftp://info.cert.org/pub/latest_sw_versions/ bind Added pointer to version 4.9.4 ifstatus Added pointer to ifstatus If you use any of the software listed in this directory, we recommend that you upgrade to the current versions. Among other changes, these new versions address security weaknesses present in previous versions. If you have any questions about the software listed in this directory, please contact the vendor for more information. - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMhCusnVP+x0t4w7BAQF2YAQAzS5ioLEfcEmbAkqldMFuIK22VhyDHF1j 2oDoYNEoXVbxvCG4P2hsQBfLY7gYPDBcQmAtQENre4KgewCChhvcwOLYtHHXWH/j kwNZbmU4ymPFB4VpJ8VuMDvkWXid7loNbYGaxohUsp3tMM8LubmeAMYgFtt5ot2y wZR8k/9jwzo= =BZOQ -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- CERT(sm) Summary CS-96.05 September 24, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our Incident Response Team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - --------------------------------------------------------------------------- Clarification to CS-96.04 - ------------------------- In our previous CERT Summary, we said that the intruder community is developing new techniques and tools to analyze programs for potential vulnerabilities even in the absence of source code. We did not mean to imply that all developers of these techniques in the wider technical community are members of the intruder community, nor that they intend their work to be used by the intruder community. Recent Activity and Trends - -------------------------- Since the July CERT Summary, we have noticed these trends in incidents reported to us. 1. Denial of Service Attacks Instructions for executing denial-of-service attacks and programs to implement such attacks have recently been widely distributed. Since this information was published, we have noticed a significant and rapid increase in the number of denial-of-service attacks executed against sites. To learn more about denial-of-service attacks and how to limit them, see ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding To monitor and log an attack, you can use a tool such as Argus. For more information regarding Argus, see ftp://info.cert.org/pub/tech_tips/security_tools 2. Continuing Linux Exploitations We continue to see incidents in which Linux machines are the victims of break-ins leading to root compromises. In many of these incidents, the systems were misconfigured and/or the intruders exploited well-known vulnerabilities for which CERT advisories have been published. If you are running Linux, we strongly urge you to keep up to date with patches and security workarounds. We also recommend that you review ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks ftp://info.cert.org/pub/tech_tips/root_compromise Further, you may want to monitor the Linux newsgroups and mailing lists for security patches and workarounds. More information can be found at http://bach.cis.temple.edu/linux/linux-security/ 3. PHF Exploits At least weekly, and often daily, we see reports of password files being obtained illegally by intruders who have exploited a vulnerability in the PHF cgi-bin script. The script is installed by default with several implementations of httpd servers, and it contains a weakness that allows intruders to retrieve the password file for the machine running the httpd server. The vulnerability is described in ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code Once the intruders retrieve the password file, they may attempt to crack the passwords found in the file. For information about protecting your password files, please see ftp://info.cert.org/pub/tech_tips/passwd_file_protection 4. Software Piracy We have received frequent reports regarding software piracy since the last CERT Summary was issued. Although software piracy is beyond the scope of the mission of the CERT Coordination Center, it is often associated with compromised hosts or accounts because intruders sometimes use compromised hosts to distribute pirated software. News of illegal collections of software circulates quickly within the underground community, which may focus unwanted attention on a site used for software piracy. We encourage you to periodically check your systems for signs of software piracy. To learn more, please examine our relevant tech tips: ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config To learn more about detecting and preventing security breaches, please see ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist - ---------------------------------- What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (July 23, 1996). * README Files Incorporated into Advisories As of August 30, 1996, we no longer put advisory updates into README files. We now revise the advisories themselves. In addition, we have updated past advisories with information from their README files. We urge you to check advisories regularly for updates that relate to your site. * New Additions ftp://info.cert.org/pub/cert_advisories/ CA-96.14.rdist_vul CA-96.15.Solaris_KCMS_vul CA-96.16.Solaris_admintool_vul CA-96.17.Solaris_vold_vul CA-96.18.fm_fls CA-96.19.expreserve CA-96.20.sendmail_vul CA-96.21.tcp_syn_flooding ftp://info.cert.org/pub/cert_bulletins/ VB-96.12.freebsd VB-96.13.hp VB-96.14.sgi VB-96.15.sco VB-96.16.transarc ftp://info.cert.org/pub/latest_sw_versions swatch ftp://info.cert.org/pub/tech_tips UNIX_configuration_guidelines These replace the security_info file intruder_detection_checklist (the CERT Security Checklist). security_tools ftp://info.cert.org/pub/vendors/ hp/HPSBUX9607-033 Added Hewlett-Packard bulletin about a security vulnerability in expreserve. * Updated Files ftp://info.cert.org/pub/cert_advisories/ CA-96.02.bind In the appendix, updated Sun Microsystems, Inc. patch information. In section I, added information about the next release of bind and the IsValid program. CA-96.08.pcnfsd Updated URL for IBM Corporation, updated Hewlett-Packard Company patch information, and modified NEC Corporation patch information. CA-96.09.rpc.statd Updated URL for IBM Corporation, removed a workaround for SunOS 4.x (patches now available), updated information on Hewlett-Packard Company, and added patch information for NEC Corporation. Also updated opening paragraph. CA-96.14.rdist_vul In Appendix A, added note under Silicon Graphics, Inc. about using the find command, updated the Hewlett-Packard Company entry, added information about Digital Equipment Corporation, and added an IBM Corporation URL. CA-96.15.Solaris_KCMS_vul In Introduction, added information about Solaris 2.5.1. CA-96.18.fm_fls Added vendor information to Appendix A. Added Section III.B, which provides another possible solution to the problem. CA-96.19.expreserve In Appendix A, added information for Silicon Graphics Inc. and Sun Microsystems, Inc. CA-96.20.sendmail_vul Added to Sec. III.B instructions on configuring sendmail at sites that use '&' in the gecos filed of /etc/passwd. Added to Sec. III.C a note on uid for "mailnull" user. In the appendix, added information from FreeBSD, Inc. and Berkeley Software Design, Inc. (BSDI). ftp://info.cert.org/pub/FIRST first-contacts ftp://info.cert.org/pub/latest_sw_versions rdist-patch-status Updated information for Hewlett-Packard Company and NeXT Software, Inc. information. Updated rdist version information in Section II.G. sendmail ftp://info.cert.org/pub/tech_tips root_compromise - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMkhCfHVP+x0t4w7BAQFR5gQAtYvbKLJAbTzfRizblM9mbl/4oLfnsqdQ HcX8KKDNAtVd2DWKGEsq7U7v9w8KyzDtVpRFba8VSsVmpzixzxnbZSifwyfkcuX9 x2xbQ1SVWBjep399HkbYtS0Y3C0RdCo9p/uxdB5/GkZqD3NMdPoBvFf+j/H6376w tDcheNKNobk= =DZgd -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- CERT(sm) Summary CS-96.6 November 26, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our Incident Response Team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - ---------------------------------------------------------------------------- Recent Activity - --------------- Since the September CERT Summary, we have noticed these continuing trends in incidents reported to us. 1. cgi-bin/phf Exploits We continue to see frequent reports of attempts to exploit the vulnerability in the CGI example program "phf". The phf program, which is installed by default with several implementations of httpd servers, contains a weakness that can allow intruders to execute arbitrary commands on the server. The most common attack involves an attempt to retrieve the httpd server's /etc/passwd file, and sample scripts for exploiting this vulnerability in phf have been widely posted on the Internet. While we are encouraged to see that the majority of the recently reported attacks have failed (because the attacked sites had already removed the phf program), the steady reports of continuing attacks indicate that these phf exploits are still being widely attempted. For more information about this vulnerability, see ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code For related information about protecting your password files, please see ftp://info.cert.org/pub/tech_tips/passwd_file_protection 2. Continuing Linux Exploits We continue to see incidents in which Linux machines have been the victims of root compromises. In many of these incidents, the compromised systems were unpatched or misconfigured, and the intruders exploited well-known vulnerabilities for which CERT advisories have been published. If you are running Linux, we strongly urge you to keep current with all security patches and workarounds. If your system has been root compromised, we also recommend that you review ftp://info.cert.org/pub/tech_tips/root_compromise Further, you may want to monitor the Linux newsgroups and mailing lists for security patches and workarounds. More information can be found at http://bach.cis.temple.edu/linux/linux-security/ - ---------------------------------- What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (September 24, 1996). * New Additions ftp://info.cert.org/pub/cert_advisories/ CA-96.22.bash_vuls Addresses two problems with the GNU Project's Bourne Again SHell (bash): one in yy_string_get() and one in yy_readline_get(). CA-96.23.workman_vul Describes a vulnerability in the WorkMan compact disc-playing program that affects UNIX System V Release 4.0 and derivatives and Linux systems. CA-96.24.sendmail.daemon.mode Addresses a vulnerability that allows intruders to gain root privileges. Includes patch and upgrade information. ftp://info.cert.org/pub/cert_bulletins/ VB-96.17.linux Linux Security FAQ Update from Alexander Yuriev. Includes information about a mount/umount vulnerability. VB-96.18.sun Addresses vulnerabilities in the libc and libnsl libraries of Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) from Sun Microsystems, Inc. Includes patch information. ftp://info.cert.org/pub/latest_sw_versions/ bash Added information on bash 1.14.7. sendmail Added information on sendmail 8.8.3. * Updated Files ftp://info.cert.org/pub/ Sysadmin_Tutorial.announcement Added date of next course offering. ftp://info.cert.org/pub/cert_advisories/ CA-94:01.ongoing.network.monitoring.attacks Clarified introductory information. Added a pointer to the CERT tech tip on root compromises. CA-95:02.binmail.vulnerabilities Removed Appendices B & C, which contained outdated information. In section B, added information that mail.local is now part of sendmail. Added a pointer to sendmail. CA-96.09.rpc.statd Updated information from Silicon Graphics Inc. CA-96.20.sendmail_vul Added a pointer to CA-96.24. CA-96.21.tcp_syn_flooding Revised second paragraph of introduction for clarity. Added new information for Silicon Graphics Inc. (SGI), Berkeley Software Design, Inc. (BSDI), Sun Microsystems, Inc. Revised appendix information on reserved private network numbers. Added pointer to information in ftp://info.cert.org/pub/vendors. CA-96.22.bash_vuls Added Appendix A containing information from IBM Corporation, LINUX, and Silicon Graphics, Inc. (SGI). Removed patch for problem in yy_readline_get, as the problem described for yy_string_get is not exploitable for yy_readline_get. ftp://info.cert.org/pub/tools/mail.local/ README Added information that mail.local is now a part of sendmail. Added a pointer to sendmail. ftp://info.cert.org/pub/tools/sendmail/ sendmail.8.8.3.patch sendmail.8.8.3.tar.Z sendmail.8.8.3.tar.gz sendmail.8.8.3.tar.sig ftp://info.cert.org/pub/vendors/hp/ HP.contact_info Replaced instructions for subscribing by email with the new URLs people must use. - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMpoitXVP+x0t4w7BAQEp1gP/XK7WsKsoplL4F9YdMi9CyHCd/H1Qh3Nm oyJDD9O19EPsCjeuFgBX5bGWb26L1MeuuCyEhV/5Z9Vf2R9wrPcOq3l+UeVjV/0t SDwp/Y2R4uP+hdCzkDKk5Ryuzoxq3xj4TD0GNv8XRShQbUR2u05zFbzbyiH+ONh8 C7E1HKBP03M= =nrOY -----END PGP SIGNATURE-----