**************************************************************************
Security Bulletin 9701 DISA Defense Communications System
March 18, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL)
1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site at http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - +
- ---------------------------------------------------------------------------
March 18, 1997
This special edition of the CERT Summary highlights widespread, large-scale attacks that are occurring against news servers.
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
- ------------------------------------------
The CERT Coordination Center and incident response teams around the world have received numerous reports concerning widespread, large-scale attacks on NNTP (Network News Transport Protocol) servers throughout the world. NNTP servers are commonly referred to as USENET news servers.
The activity involves an attempt to exploit a vulnerability in versions of INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1 was thought to be vulnerable; however, as far as we are able to determine, it is not.
INN is a commonly used software program for serving and managing news according to the NNTP protocol. This vulnerability allows remote users to execute arbitrary commands on the news server with the same privileges as the user-id that manages the news server. As of 8:00 am EST (GMT -5), March 18, 1997, it appears that the most common activity is to attempt to mail the password file and configuration files to a remote site.
Because of the nature of USENET news, messages are passed automatically from one site to another. The exploitation involves a particular kind of message, known as a control message. Intruders can construct and post control messages in such a way as to exploit the vulnerability. Because of this, your site may have been compromised even if it was not specifically selected by an intruder.
Information about the vulnerability, along with information about patches and
workarounds, is available from
ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd
If we receive further information, we will update this advisory.
We encourage sites that are running INN 1.5 or earlier to upgrade to INN 1.5.1 as soon as possible.
James Brister, the current maintainer of INN, has provided additional information regarding the update to INN 1.5.1; this information has been added to the advisory. James has provided the following patches for INN version 1.5, 1.4sec, 1.4unoff3, and 1.4unoff4:
ftp://ftp.isc.org/isc/inn/patches/security-patch.01 1.5
ftp://ftp.isc.org/isc/inn/patches/security-patch.02 1.4sec
ftp://ftp.isc.org/isc/inn/patches/security-patch.03
1.4unoff3, 1.4unoff4
The directory includes MD5 checksums for each patch.
Information regarding INN patches may be found at
http://www.isc.org/inn.html
System administrators who did not update to INN 1.5.1 before Friday, March 14, 1997, should take the following steps:
Although these messages appear to come from UUNET, the messages were forged.
If these message IDs appear in your logs, it is highly likely that these control messages reached your news server. Moreover, it is almost certain that additional messages will be (or already have been) crafted by intruders, so checking for those message IDs is not enough.
In accordance with our policies, we will not release information about your site without your explicit permission.
Due to the large volume of mail we are receiving regarding this activity, we may not be able to follow up all reports individually. Nonetheless, your report will help us to understand the activity better and to provide more accurate information to the Internet community at large.
We would like to express our thanks to James Brister for his assistance in preparing this summary.
- ---------------------------------------------------------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center.
CERT is a service mark of Carnegie Mellon University.
****************************************************************************
* *
* *
* *
* *
* *
* *
* *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily
state or reflect those of the United States Government, and shall
not be used for advertising or product endorsement purposes.