**************************************************************************
Security Bulletin 9703 DISA Defense Communications System
April 4, 1997 Published by: DISN Security Coordination Center (SCC@NIC.MIL), 1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site at http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
Last revised April 3, 1997: added information on a second vulnerability (labeled Topic 2), including a new patch that must be applied to many versions of INN. Labeled vendor information as input on Topic 1 or 2.
A complete revision history is at the end of this file.
- -----------------------------------------------------------------------------
A second vulnerability was found in INN (InterNetNews server) after the initial publication of this advisory. We are including it in this advisory as "Topic 2" so that all INN information is in one advisory. Versions 1.5.1 and earlier are vulnerable to this second problem.
Information about the first vulnerability has been widely distributed, and we have received numerous reports of exploitation. INN 1.5 and earlier are vulnerable to this problem.
Both vulnerabilities allow unauthorized users to execute arbitrary commands on the machine running INN by sending a maliciously formed news control message. Because the problem is with the content of news control messages, attacks can be launched remotely and may reach news servers located behind Internet firewalls.
The CERT/CC staff recommends that sites upgrade to INN 1.5.1 and add the patch described in Section III.A. Until you can upgrade, you should apply two patches, as described in Section III.B. You may also want to check with your vendor. Vendors who have provided input for this advisory are listed in Sec. III.C and Appendix A.
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
Topic 2
A second vulnerability involving INN has been found. It is similar to *but not the same as* the one described in Topic 1 below.
INN itself attempts to carefully remove certain shell "metacharacters" from data in control messages before passing that data to a shell. The patch for Topic 1 fixes some of the checks that were found to be inadequate. However ucbmail, a program typically configured as the mailer INN should use, lacks similar checks. INN passes some data unchecked to this mailer, which in turn passes the data to a shell for processing.
James Brister, the current maintainer of INN, has made a patch available that checks more data before it is passed to the mailer program. Although only the ucbmail program is known to have this problem, sites are encouraged to apply the patch regardless of what mail program their INN is configured to use.
Topic 1
The INN daemon (innd) processes "newgroup" and "rmgroup" control messages in a shell script (parsecontrol) that uses the shell's "eval" command. However, some of the information passed to eval comes from the message without adequate checks for characters that are special to the shell.
This permits anyone who can send messages to an INN server - almost anyone with Usenet access - to execute arbitrary commands on that server. These commands run with the uid and privileges of the "innd" process on that server. Because such messages are usually passed through Internet firewalls to a site's news server, servers behind such firewalls are vulnerable to attack. Also, the program executes these commands before checking whether the sender is authorized to create or remove newsgroups, so checks at that level (such as running pgpverify) do not prevent this problem.
As of the advisory update of March 18, 1997, we have received numerous reports that the vulnerability is being exploited.
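The bug class behind both topics, reduced to a small shell illustration. This is an added example, not INN's parsecontrol script and not ucbmail: the function names, the stand-in mailer and the sample message fields are constructed here, and the character set allowed in a newsgroup name is an assumption. It contrasts an eval over a field taken from a control message (Topic 1), the same field handed to a mailer that invokes a shell (Topic 2), and an allow-list check applied before any shell sees the value.

```shell
#!/bin/sh
# Added illustration of the bug class in Topics 1 and 2: a field taken from a
# news control message reaches a shell unchecked.  This is NOT INN's
# parsecontrol script or ucbmail; function names, the stand-in mailer and the
# sample fields are constructed for this example.

# Vulnerable shape (Topic 1): the newsgroup name is interpolated into a
# string that eval re-parses, so ';', '`', '$(...)', '|' and friends in the
# name become shell syntax.
vuln_newgroup() {
    group="$1"                       # straight from the control message
    eval "echo creating newsgroup $group"
}

# Stand-in for a mailer that hands its arguments to a shell, as the advisory
# describes ucbmail doing (constructed; not ucbmail's code).
mailer_via_shell() {
    sh -c "echo notify admin about $1"
}

# Vulnerable shape (Topic 2): INN itself does no eval here, but the unchecked
# field is passed on to the mailer, which does.
vuln_notify() {
    mailer_via_shell "$1"
}

# Hardened shape: allow-list the field before anything downstream sees it.
# Assumed character set for newsgroup names: letters, digits, '.', '+', '_', '-'.
# Anything else (metacharacters, quotes, whitespace, an empty name) is rejected;
# rejecting unknown characters is safer than trying to strip known-bad ones.
is_valid_newsgroup() {
    case "$1" in
        '' | *[!A-Za-z0-9.+_-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

safe_newgroup() {
    if ! is_valid_newsgroup "$1"; then
        printf 'rejected newgroup: invalid newsgroup name\n' >&2
        return 1
    fi
    # No eval: the value is one argument to printf and is never re-parsed.
    printf 'creating newsgroup %s\n' "$1"
}

safe_notify() {
    is_valid_newsgroup "$1" || return 1
    mailer_via_shell "$1"            # only reached with an allow-listed name
}

# Constructed sample fields from a benign and a malicious control message.
BENIGN='comp.security.announce'
MALICIOUS='alt.test;echo INJECTED'

vuln_newgroup "$MALICIOUS"          # second output line shows the injected command ran
vuln_notify "$MALICIOUS"            # same, via the mailer
safe_newgroup "$MALICIOUS" || true  # rejected before any shell sees it
safe_newgroup "$BENIGN"
```

The allow-list is the point: INN's own approach of stripping a list of known metacharacters is what the Topic 1 patch had to repair, and it did nothing for a mailer with its own shell. Validating the field once, against what a newsgroup name may contain, protects every downstream consumer.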
You can determine which version of INN your site is running by connecting to the NNTP port (119) of your news server; the greeting line the server sends on connection includes the INN version string. Type "quit" to exit the connection. Note that the version string does not indicate whether or not the patch recommended below has been installed.
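A small script for the version check just described, added here and not part of the advisory or of INN: it pulls the INN version token out of the greeting line and maps it to what this advisory says about that version. The greeting format ("200 host InterNetNews server INN version date ready"), the sample greetings and the function names are assumptions; as the text says, the greeting cannot show whether a patch has been applied.

```shell
#!/bin/sh
# Added helper for the version check above (not part of the advisory or INN).
# Assumed greeting format: "200 <host> InterNetNews server INN <version> <date> ready".
# The sample greetings at the bottom are constructed.

# Print the INN version token from a greeting line; print nothing if the
# greeting is not from INN.
inn_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^20[01] [^ ]* InterNetNews .*INN \([^ ]*\).*$/\1/p'
}

# Map a version to the advisory's statements (assumed reading: 1.5 and earlier
# are exposed to both topics; 1.5.1 to Topic 2 unless security-patch.04 is in).
# The greeting cannot reveal whether any patch has been applied.
inn_exposure() {
    case "$1" in
        '')            echo "not-inn" ;;
        1.5.1)         echo "topic2-unless-patch04-applied" ;;
        1.[0-4]*|1.5)  echo "topic1+topic2" ;;
        *)             echo "unknown-check-manually" ;;
    esac
}

# Fetch the greeting from a live server and send QUIT.  Uses bash's /dev/tcp
# redirection (not POSIX sh); "nc HOST 119" is an alternative.
nntp_greeting() {   # usage: nntp_greeting HOST [PORT]
    bash -c 'exec 3<>"/dev/tcp/$0/$1"
             IFS= read -r line <&3
             printf "QUIT\r\n" >&3
             exec 3>&-
             printf "%s\n" "$line"' "$1" "${2:-119}" | tr -d '\r'
}

# One-line report for a host, e.g.: check_news_server news.example.com
check_news_server() {   # usage: check_news_server HOST [PORT]
    greeting=$(nntp_greeting "$1" "${2:-119}") || return 1
    version=$(inn_version_from_banner "$greeting")
    printf '%s: INN version=%s exposure=%s\n' "$1" "${version:-none}" "$(inn_exposure "$version")"
}

# Constructed greetings, run offline:
SAMPLE_INN='200 news.example.com InterNetNews server INN 1.5 17-Dec-1996 ready'
SAMPLE_OTHER='200 news.example.com Some Other NNTP Server 2.0 ready'
printf 'version=%s exposure=%s\n' "$(inn_version_from_banner "$SAMPLE_INN")" \
       "$(inn_exposure "$(inn_version_from_banner "$SAMPLE_INN")")"
```

Run check_news_server against each news host behind the firewall, not only the one facing the Internet: the advisory's point is that control messages are relayed inward, so an internal server with an old banner is just as exposed.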
Impact (applies to both topics 1 and 2)
Remote, unauthorized users can execute arbitrary commands on the system with the same privileges as the innd (INN daemon) process. Attacks may reach news servers located behind Internet firewalls.
Warning: If you applied any of the solutions offered in the version of this advisory released on Feb. 20, 1997, you must add an additional patch.
(The following recommendations apply to both topics 1 and 2.) We recommend upgrading to version 1.5.1 and applying the patch developed by James Brister, the current maintainer of INN (Section III.A). If you upgraded previously, you must still apply this new patch to protect against the second vulnerability. Until you can upgrade, you need to apply two patches (Section III.B). You may also want to consult your vendor. Vendors who have provided input for this advisory are listed in Section III.C and Appendix A.
After installing any of the patches or updates, ensure that you restart your INN server.
Section III.A
INN 1.5.1 is available from http://www.isc.org/inn.html
The MD5 checksum for the gzip'ed tar file is: MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4
The patch is available from ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
Checksums for the patches are in the same directory, along with a README. Compare the checksum of every file you download against the published value before unpacking or applying it.
Section III.B
FIRST apply the patch for the version you run:
version                 patch
-------                 -----
1.5                     ftp://ftp.isc.org/isc/inn/patches/security-patch.01
1.4sec                  ftp://ftp.isc.org/isc/inn/patches/security-patch.02
1.4unoff3, 1.4unoff4    ftp://ftp.isc.org/isc/inn/patches/security-patch.03
THEN apply, for all of 1.5.1, 1.5, 1.4sec, 1.4unoff3 and 1.4unoff4:
ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
Note: no patches are available for version 1.4sec2; sites running it should upgrade to 1.5.1 as described in Section III.A.
There are md5 checksums for each file in the directory, and a README file describes what is what.
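A helper for the procedure in Sections III.A and III.B, added here and not from ISC or the advisory: it checks every downloaded patch against a published MD5 before applying anything, then applies the patches in the order given above. The checksum-list format (md5sum style, one "digest filename" per line, as in the vendor entries in Appendix A), the "patch -p0" option and the function names are assumptions; read the README in the patch directory before applying.

```shell
#!/bin/sh
# Added helper for the procedure in Sections III.A and III.B (not from ISC or
# the advisory): verify every downloaded file against its published MD5 before
# applying anything, then apply the patches in the order given.  Assumptions:
# the checksum list is in md5sum style ("<digest> <filename>" per line), the
# patches apply with "patch -p0" from the INN source tree (check the README in
# the patch directory), and the function names are this example's own.

# Print the MD5 of a file using whichever tool exists; return 2 if none does.
md5_of() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | sed 's/^.*= *//'
    else
        printf 'no MD5 tool found\n' >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if it cannot check.
verify_md5() {
    actual=$(md5_of "$1") || return 2
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && return 0
    printf 'MD5 mismatch for %s: got %s, expected %s\n' "$1" "$actual" "$expected" >&2
    return 1
}

# Patch files to apply, in order, for the versions named in Section III.B.
# Returns 1 for versions the advisory lists no patch for (1.4sec2 among them):
# those sites have to upgrade rather than patch.
inn_patch_sequence() {
    case "$1" in
        1.5)                   echo "security-patch.01 security-patch.04" ;;
        1.4sec)                echo "security-patch.02 security-patch.04" ;;
        1.4unoff3|1.4unoff4)   echo "security-patch.03 security-patch.04" ;;
        1.5.1)                 echo "security-patch.04" ;;
        *)                     return 1 ;;
    esac
}

# apply_inn_patches VERSION SRCDIR PATCHDIR SUMFILE
# All checksums are verified before the first patch is applied, so a bad
# download never leaves the source tree half-patched.
apply_inn_patches() {
    plan=$(inn_patch_sequence "$1") || {
        printf 'no patches listed for INN %s; upgrade to 1.5.1 instead\n' "$1" >&2
        return 1
    }
    for p in $plan; do
        expected=$(awk -v f="$p" '$2 == f { print $1 }' "$4")
        [ -n "$expected" ] || { printf 'no checksum listed for %s\n' "$p" >&2; return 1; }
        verify_md5 "$3/$p" "$expected" || return 1
    done
    for p in $plan; do
        printf 'applying %s\n' "$p"
        (cd "$2" && patch -p0 < "$3/$p") || return 1
    done
    printf 'patches applied; rebuild, reinstall, and restart innd\n'
}
```

Usage would be along the lines of apply_inn_patches 1.4unoff4 /usr/local/src/inn /tmp/inn-patches /tmp/inn-patches/MD5SUMS. The same verify_md5 call works for the inn-1.5.1.tar.gz checksum given in Section III.A and for the vendor package checksums in Appendix A.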
...........................................................................
Appendix A
Below is a list of the vendors who have provided information for this advisory, along with an indication about whether the information relates to the first vulnerability or both. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.
====================================
Berkeley Software Design, Inc. (BSD/OS)
We ship INN as part of our distribution. BSD/OS 2.1 includes INN 1.4sec and 2.1 users should apply the patch referenced in the advisory. BSD/OS 3.0 includes INN 1.4unoff4 and the patch for that version is already included, so BSD/OS 3.0 is not vulnerable as distributed.
Caldera
An upgrade package for Caldera OpenLinux Base 1.0 will appear at Caldera's site: ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm
MD5 sum is: 3bcd3120b93f41577d3246f3e9276098 inn-1.5.1-2.i386.rpm
Cray Research
Cray Research has never shipped any news server with Unicos.
Debian
The current version of INN shipped with Debian is 1.4unoff4. However, the "unstable" (or development) tree contains inn-1.5.1. It can be gotten from any Debian mirror in the subdirectory debian/unstable/binary/news (MD5 checksum, size, section, priority, file name):
d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
205850779d2820f03f2438d063e1dc51 45230 news optional inn-dev_1.5.1-1_i386.deb
badbe8431479427a4a4de8ebd6e1e150 31682 news optional inewsinn_1.5.1-1_i386.deb
NEC Corporation
The products below ship with the INN versions mentioned in this advisory, so they are vulnerable; patches are in progress.
Goah/NetworkSV R1.2 vulnerable
Goah/NetworkSV R2.2 vulnerable
Goah/NetworkSV R3.1 vulnerable
Goah/IntraSV R1.1 vulnerable
Netscape
The Netscape News Server 2.01 is immune to the attack outlined in the advisory. The News Server 1.1 is, however, subject to the same vulnerability as INN and we have advised customers to install the patch described in the advisory.
Red Hat Software
There is a critical security hole in INN which affects all versions of Red Hat Linux. A new version, inn-1.5.1-6, is now available for Red Hat Linux 4.0 and 4.1 for all platforms. If you are running an earlier version of Red Hat, we strongly encourage you to upgrade to 4.1 as soon as possible, as many critical security fixes have been made. The new version of inn is PGP signed with the Red Hat PGP key, which is available on all Red Hat CDROMs, ftp.redhat.com, and public keyservers.
You may upgrade to the new version as follows:
Red Hat Linux 4.1:
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm
sparc:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm
Red Hat Linux 4.0:
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm
sparc:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks James Brister of the Internet Software Consortium for making fixes available and Matt Power of MIT for analyzing and reporting the first problem. We also thank AUSCERT for their contributions to this advisory. James Crawford Ralston of the University of Pittsburgh and Frank Miller of Tektronix Corporation assisted with the March 18, 1997 update.
The second vulnerability addressed in this advisory was discovered by security experts in the Global Security Analysis Laboratory (GSAL) at IBM's T.J. Watson Research Center. We thank the IBM Emergency Response Service for providing information on this topic. (They published information in ERS-SVA-E01-1997:002.1. Their alert is copyrighted 1997 by International Business Machines Corporation.)
- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see ftp://info.cert.org/pub/FIRST/team-info).
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST (GMT-5) / EDT (GMT-4) and are on call for emergencies during other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. The CERT/CC PGP key is available from ftp://info.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce
To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org with the subject line: SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd, or via http://www.cert.org (click on "CERT Advisories").
==============================================================================
March 18, 1997 update: If you are upgrading to INN 1.5.1, please be sure to read the README file carefully. Note that if you are upgrading to 1.5.1 from a previous release, running a "make update" alone is not sufficient to ensure that all of the vulnerable scripts are replaced (e.g., parsecontrol). Please especially note the following from the INN 1.5.1 distribution README file:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
Apr 03, 1997  Added information on a second vulnerability (labeled Topic 2), including a new patch that must be applied to many versions of INN. Labeled vendor information as input on Topic 1 or 2.
Mar 25, 1997  Section III.B - added a note that no patches are available for version 1.4sec2.
Mar 24, 1997  Appendix A - added information from Netscape.
Mar 21, 1997  Appendix A - added information from NEC Corporation. Acknowledgments - added J. C. Ralston and F. Miller.
Mar 17, 1997  Section III.B - corrected patch information (patch.03 must be used for 1.4unoff3, 1.4unoff4 rather than patch.01); added a URL for INN information. Section III.A and introduction - noted that the vulnerability is being actively exploited.
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as a service to the DOD community. Neither the United States Government nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.