**************************************************************************
                         Security Bulletin 9727
                    DISA Defense Communications System
                            December 2, 1997
       Published by: DISN Security Coordination Center (SCC@NIC.MIL)
                            1-(800) 365-3642

            DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities.

Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is
a bulletin number, e.g. scc/sec-9705.txt). These are also available at
our WWW site, http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!   The following important advisory was issued by the Computer         !
!   Emergency Response Team (CERT) and is being relayed unedited        !
!   via the Defense Information Systems Agency's Security               !
!   Coordination Center distribution system as a means of               !
!   providing DISN subscribers with useful security information.        !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-97.06
December 1, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems.
We also list new or updated files that are available for anonymous FTP from

        ftp://ftp.cert.org/pub/

Past CERT Summaries are available from

        ftp://ftp.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------

Recent Activity
- ---------------

Since the August CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing IMAP Exploits

   Although it's been mentioned in past CERT Summaries (CS-97.04, CS-97.05),
   we continue to receive a significant stream of reports relating to IMAP
   attacks. These reports show that intruders are launching large scale,
   automated scans against many networks--identifying many potentially
   vulnerable systems. The impact of an IMAP attack is that the remote user
   (e.g., intruder) will be able to gain root-level access on a vulnerable
   host. We cannot stress enough the importance for sites to check for the
   IMAP vulnerability and take immediate action to address the problem.

   For more information see the following:

        ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
        http://www.cert.org/pub/advisories/1997/CA-97.09.imap_pop.html

   - If you have a host that has a vulnerable IMAP server installed by
     default as part of the OS version, but that is not using IMAP, you
     should investigate any connection to port 143 for signs of a root
     compromise.

   - If you have a host that is using a vulnerable version of the IMAP
     server, you should investigate connections that are from outside the
     network or the constituency of the network for signs of a root
     compromise.

   NOTE: If you discover that you have suffered a root compromise as a
   result of conditions like those described in the two previous
   paragraphs, we would like to know.
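   The guidance in this item amounts to a small decision table: the verdict
   for a connection to port 143 depends on the host's IMAP status (vulnerable
   server installed but unused, vulnerable and in use, not running, or
   patched) and on whether the source lies inside the site's own
   constituency. The script below is an added example, not code from the CERT
   summary or the DISN bulletin; it applies that table to connection records
   so that an administrator can sort a day's port-143 activity into normal
   use, probes, and hosts that need to be checked for a root compromise. The
   record format, host names, host states and addresses are all constructed
   for illustration, and parse_line() would have to be adapted to the real
   log source.

```python
"""Triage of connection records to the IMAP port (TCP 143), following the
four cases item 1 of CS-97.06 gives for deciding whether a connection is
normal use, a probe, or grounds to look for a root compromise.

Added example, not part of the CERT summary or the DISN bulletin. The log
line format, the host names, the host IMAP states and the addresses are all
constructed for illustration; adapt parse_line() to the real log source.
"""
import ipaddress
import re

# Constructed record format: "<syslog timestamp> <source ip> -> <dest host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s->\s(?P<dst>[\w.-]+):(?P<port>\d+)$"
)
IMAP_PORT = 143

# The four situations the summary distinguishes.
IMAP_STATES = ("vulnerable_unused", "vulnerable_in_use", "not_running", "patched")

# Constructed sample data.
NETS = [ipaddress.ip_network("10.1.0.0/16")]   # "your constituency"
HOST_STATES = {
    "mailhost": "vulnerable_in_use",    # unpatched imapd, legitimately in use
    "devbox": "vulnerable_unused",      # OS installed imapd by default, nobody uses it
    "fileserver": "not_running",        # no IMAP service at all
    "relay": "patched",                 # fixed imapd
}
SAMPLE_LOG = [
    "Dec  1 03:14:07 192.0.2.77 -> mailhost:143",
    "Dec  1 03:14:09 10.1.5.20 -> mailhost:143",
    "Dec  1 03:15:02 192.0.2.77 -> devbox:143",
    "Dec  1 03:15:03 10.1.5.20 -> fileserver:143",
    "Dec  1 03:15:04 192.0.2.77 -> fileserver:143",
    "Dec  1 03:16:10 198.51.100.9 -> relay:143",
    "Dec  1 03:16:11 10.1.5.21 -> relay:25",        # not IMAP, ignored
    "Dec  1 03:16:12 10.1.5.21 -> relay:143",
]


def parse_line(line):
    """Return a dict of the record's fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def inside_constituency(addr, nets):
    """True when the source address falls in one of the site's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(imap_state, src, nets):
    """Apply the summary's four cases to one port-143 connection from src."""
    if imap_state not in IMAP_STATES:
        raise ValueError("unknown IMAP state: %r" % imap_state)
    internal = inside_constituency(src, nets)
    if imap_state == "vulnerable_unused":
        # Nothing should be talking to an unused vulnerable server at all.
        return "investigate-root-compromise"
    if imap_state == "vulnerable_in_use":
        return "review-normal-use" if internal else "investigate-root-compromise"
    if imap_state == "not_running":
        # A probe, or a misconfigured client if it came from inside.
        return "probe-or-misconfiguration" if internal else "probe"
    # patched server: outside sources are very likely probes
    return "normal" if internal else "probe"


def triage(lines, host_states, nets):
    """Return [(host, src, verdict)] for every IMAP-port record in lines."""
    verdicts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] != IMAP_PORT:
            continue
        state = host_states.get(rec["dst"], "not_running")
        verdicts.append((rec["dst"], rec["src"], classify(state, rec["src"], nets)))
    return verdicts


def sources_to_notify(verdicts, nets):
    """External sources whose activity was a probe or worse: the sites the
    summary suggests alerting, since the originating account may itself be
    compromised."""
    flagged = {"probe", "investigate-root-compromise"}
    return sorted({src for _, src, v in verdicts
                   if v in flagged and not inside_constituency(src, nets)})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, HOST_STATES, NETS)
    for host, src, verdict in results:
        print("%-12s %-14s %s" % (host, src, verdict))
    print("notify:", ", ".join(sources_to_notify(results, NETS)))
```

   The host-state table is the part that needs local knowledge: it records,
   per host, whether a vulnerable imapd is installed and whether anyone
   actually uses it, which is exactly the inventory the summary asks sites to
   make before deciding what a port-143 connection means.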
   We also encourage you to recover by taking the steps outlined in

        ftp://ftp.cert.org/pub/tech_tips/root_compromise

   - If you are not running an IMAP server, connection attempts (internal or
     external) to port 143 are probably probes by an intruder; they could
     also be the result of a misconfiguration if the connection attempts
     originate from within your constituency.

   - If you are running a patched IMAP server, connections that are from
     outside your network or the constituency of the network are very likely
     to be probes by intruders.

   NOTE: If you have been probed (as described in the two previous
   paragraphs) and the attack was not successful, we would like to hear
   about that, too. We encourage you to contact the site from which the
   probe originated to alert them to the activity, in case the account used
   to launch the attack was compromised.

   Your reports will help us to continue to determine the scope of the
   problem and coordinate appropriate responses, although we may not be
   able to respond to each report individually.

2. Root Compromises

   In addition to the compromises occurring as a result of the above
   activity, we also continue to receive daily reports of sites that have
   suffered a root compromise. Many of these compromises can be traced to
   systems that are unpatched or misconfigured, which the intruders exploit
   using well-known vulnerabilities for which CERT advisories have been
   published.

   We encourage you to check for signs of compromise. The following
   documents can help you review your systems:

   Intruder Detection Checklist
        This document outlines suggested steps for determining if your
        system has been compromised.
        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

   Steps for Recovering from a UNIX Root Compromise
        This document sets out suggested steps for responding to a root
        compromise.
        ftp://ftp.cert.org/pub/tech_tips/root_compromise

   UNIX Configuration Guidelines
        This document describes common UNIX system configuration problems
        that have been exploited by intruders and recommends practices that
        can be used to help deter several types of break-ins.
        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

   List of Security Tools
        This document describes tools that can be used to help secure a
        system and deter break-ins.
        ftp://ftp.cert.org/pub/tech_tips/security_tools

3. CGI Scripts

   We continue to receive reports concerning exploitation of vulnerable
   cgi-bin scripts. As mentioned in recent CERT documents, the cause of the
   problem is not in the CGI scripting language (such as Perl and C), but in
   how the script is written. The CERT/CC team urges you to check all CGI
   scripts that are available via the World Wide Web services at your site
   and ensure that they sanitize user-supplied data. For more information,
   please see

        ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

   These CERT advisories discuss vulnerabilities relating to cgi-bin topics:

        ftp://ftp.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
        ftp://ftp.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.12.webdist
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar

4. Relaying of Spam Email through Victim Sites

   For quite some time, the CERT Coordination Center has received reports of
   email spam being relayed through other sites. These reports are becoming
   more frequent as more spammers learn to disguise their activities by
   relaying their mail through unsuspecting sites (who are using older
   versions of sendmail, poor logging, and no anti-spam features).
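   Returning to item 3 above (CGI scripts): the point that the fault lies in
   how the script is written, not in the language, is easiest to see with the
   same user-supplied value handled two ways. The script below is an added
   example, not code from the CERT summary or from the cgi_metacharacters
   tech tip. It decodes a CGI query string, shows the command line an
   unsanitized script would build from it (returned as text, never executed),
   and beside it the two defensive treatments: quoting for the shell when a
   shell is unavoidable, and the preferred allowlist check that hands the
   program an argument list with no shell involved. The /usr/bin/lookup
   program, the query strings and the usernames are constructed for
   illustration.

```python
"""Why the CGI problem is 'how the script is written': the same user value,
handled two ways. Added example illustrating item 3 of CS-97.06; it is not
code from the CERT summary or from the cgi_metacharacters tech tip. The
'lookup' program path, the query strings and the usernames are constructed.
"""
import re
import shlex
from urllib.parse import parse_qs

# Characters that have meaning to /bin/sh. If user data carrying any of these
# reaches a shell unquoted, the shell, not the script, decides what runs.
SHELL_META = set(";&|`$<>()\n\r*?[]{}~!\\\"'#")

LOOKUP = "/usr/bin/lookup"   # assumed local program the script wraps (constructed)

# Allowlist for the one field this script accepts: plain account names only.
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def extract_user(query_string):
    """Pull the 'user' field out of a CGI QUERY_STRING. %XX escapes are decoded
    here, so a value that looked harmless on the wire may not be afterwards."""
    return parse_qs(query_string).get("user", [""])[0]


def contains_metachars(text):
    """True if any shell metacharacter is present in text."""
    return any(ch in SHELL_META for ch in text)


def build_command_vulnerable(user):
    """The pattern behind the reports: interpolate user data straight into a
    command line destined for system()/popen(). Returned as a string rather
    than executed, so the effect is visible without running anything."""
    return "%s %s" % (LOOKUP, user)


def quote_for_shell(user):
    """Second-best: if a shell is unavoidable, quote the value so the
    metacharacters are passed through as data. Escaping must be complete to
    be safe, which is why the allowlist below is preferred."""
    return shlex.quote(user)


def build_command_hardened(user):
    """Preferred: accept only values matching the allowlist, then hand the
    program an argv list so no shell ever parses the value."""
    if not USER_RE.match(user):
        raise ValueError("rejected: value contains characters outside the allowlist")
    return [LOOKUP, user]


def handle_request(query_string):
    """What a hardened CGI handler does with one request: decode, validate,
    and either produce a safe argv or refuse."""
    user = extract_user(query_string)
    try:
        argv = build_command_hardened(user)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc), "argv": None}
    return {"status": "ok", "reason": "", "argv": argv}


if __name__ == "__main__":
    # Two constructed requests: a plain name, and one carrying a ';' (%3B).
    for qs in ("user=jdoe", "user=jdoe%3Bid"):
        user = extract_user(qs)
        print("query %-16s -> value %r" % (qs, user))
        cmd = build_command_vulnerable(user)
        print("  vulnerable command line: %r  (metachars present: %s)"
              % (cmd, contains_metachars(cmd)))
        print("  quoted for a shell:      %r" % (LOOKUP + " " + quote_for_shell(user)))
        print("  hardened handler:        %s" % handle_request(qs))
```

   The allowlist is deliberately narrower than "everything except the known
   metacharacters": a denylist has to be complete for every shell and every
   program the data may later reach, whereas an allowlist only has to
   describe what the script legitimately accepts.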
   Since the default configuration of sendmail 8.8.8 (and prior releases)
   allows spam to be relayed, we encourage you to review your mail
   configuration and evaluate your exposure to this type of abuse. With a
   default sendmail configuration, no authentication is required for remote
   hosts (including people sending spam mail) to connect to your mail server
   for the purpose of relaying mail.

   There are features in sendmail version 8.8 that will prevent your host
   from being misused as a relay gateway. A document titled "Anti-Spam
   Provisions in sendmail 8.8", provided by the author of sendmail (Eric
   Allman), describes the modifications to the sendmail.cf file. It is
   available at

        http://www.sendmail.org/antispam.html

   These modifications to the sendmail.cf file will help prevent a variety
   of email spamming and bombing attacks.

What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary (August 26,
1997).

* New Additions

ftp://ftp.cert.org/pub/cert_advisories/

        CA-97.23.rdist
                Discusses a buffer overflow problem in rdist. This is a
                different vulnerability from the one described in CA-96.14.

        CA-97.24.Count_cgi
                Describes a buffer overrun vulnerability in the Count.cgi
                cgi-bin program. This vulnerability allows intruders to
                force Count.cgi to execute arbitrary commands.

        CA-97.25.CGI_metachar
                Reports a vulnerability that exists in some CGI scripts and
                allows an attacker to execute arbitrary commands on a WWW
                server under the effective user-id of the server process.

ftp://ftp.cert.org/pub/cert_bulletins/

        VB-97.07.sgi
                A Silicon Graphics Inc. Security Advisory addressing
                vulnerabilities in the IRIX webdist.cgi, handler, and wrap
                programs, part of the Outbox subsystem

        VB-97.08.transarc
                Information from Transarc Corp. about a vulnerability in
                Transarc DCE Integrated login for sites running both AFS
                and DCE

        VB-97.09.cisco
                Information from Cisco Systems about vulnerabilities in
                CHAP authentication

        VB-97.10.samba
                Information from the Samba Team about a vulnerability that
                allows remote users to obtain root access on the Samba
                server

        VB-97.11.nec
                Details about a problem with the "nosuid" mount(1) option

        VB-97.12.opengroup
                Information about a potential problem in the OSF/DCE
                security server that could allow for a denial of service
                attack

        VB-97.13.GlimpseHTTP.WebGlimpse
                Information about a vulnerability that may allow intruders
                to execute arbitrary commands with the privileges of the
                httpd process

        VB-97.14.scoterm
                Information from the Santa Cruz Operation about a
                vulnerability in the implementation of scoterm that could
                allow unprivileged users to gain unauthorized root access
                to the system

ftp://ftp.cert.org/pub/latest_sw_versions/

        rdist           Pointer to rdist 6.1.3
        sendmail        Pointer to sendmail 8.8.8

ftp://ftp.cert.org/pub/tech_tips/

        cgi_metacharacters
                Discusses how to remove meta characters from user-supplied
                data in CGI scripts

ftp://ftp.cert.org/pub/tools/

        rdist/          Added rdist 6.1.3
        sendmail/       Added sendmail 8.8.8

* Updated Files

ftp://ftp.cert.org/pub/cert_advisories/

        CA-93:19.Solaris.Startup.vulnerability
                Updates - Added Sun Microsystems, Inc. patch information

        CA-95:14.Telnetd_Environment_Vulnerability
                Updated information for Sun Microsystems, Inc.

        CA-95:17.rpc.ypupdated.vul
                Updated information for Sun Microsystems, Inc.

        CA-96.08.pcnfsd
                Updated information for IBM Corporation

        CA-96.10.nis+_configuration
                Updates - Added information for Sun Microsystems, Inc.

        CA-96.15.Solaris_KCMS_vul
                Updates - Added information for Sun Microsystems, Inc.

        CA-96.16.Solaris_admintool_vul
                Updates - Added information for Sun Microsystems, Inc.

        CA-96.17.Solaris_vold_vul
                Updates - Added information for Sun Microsystems, Inc.

        CA-96.20.sendmail_vul
                Updated information from Sun Microsystems, Inc.

        CA-96.25.sendmail_groups
                Updated information from Sun Microsystems, Inc.

        CA-96.26.ping
                Updated information from Sun Microsystems, Inc.

        CA-97.06.rlogin-term
                Updated information from Sun Microsystems, Inc.; added
                information from Data General Corporation

        CA-97.09.imap_pop
                Section III.A and Appendix A - added information for IBM
                Corporation

        CA-97.11.libXt
                Appendix A - updated information for Sun Microsystems, Inc.

        CA-97.14.metamail
                Updated information for Red Hat

        CA-97.15.sgi_login
                Updated information from Silicon Graphics, Inc.

        CA-97.16.ftpd
                Added information for NCR Corporation

        CA-97.18.at
                Added information for NCR Corporation

        CA-97.20.javascript
                Appendix A - updated Netscape's URLs

        CA-97.21.sgi_buffer_overflow
                Updates Section - updated information for Silicon Graphics,
                Inc.

        CA-97.22.bind
                Appendix A - Added information for BSDI

        CA-97.23.rdist
                Appendix A - added information for OpenBSD and Silicon
                Graphics, Inc., Caldera, and Siemens-Nixdorf

ftp://ftp.cert.org/pub/cert_summaries/

        CS-97.05
                Corrected BIND version number

A New Look on the CERT Web Site
- ------------------------------

If you haven't visited our Web site (http://www.cert.org) since November
10, check it out. We have a new look and some new documents. We've tried to
organize things so that it's easier for you to find the information you
need.

Some highlights include

        CERT incident and vulnerability statistics
                http://www.cert.org/pub/cert-stats/cert_stats.html

        CERT annual reports for 1994, 1995, and 1996
                http://www.cert.org/pub/reports.html

        Security Improvement Modules
                http://www.cert.org/security-improvement/index.html

        An Analysis of Security Incidents on the Internet 1989-1995
                http://www.cert.org/research/JHThesis/index.html

        Report to the President's Commission on Critical Infrastructure
        Protection
                http://www.cert.org/pub/reports.html

        Links to other sources of advisories and Internet security
        information
                http://www.cert.org/pub/other_sources.html

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise you to encrypt your
message. We can support a shared DES key or PGP. Contact the CERT staff for
more information.

Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIMjhnVP+x0t4w7BAQGpQgQAunsd4esc4U4hOFpLOhGpyH+UoHWrp5jf
B1P4U9Em1xd3tMCh+vxqWh95+atwDc/RcNoiOqKyj3XQ6EHyoez0vj5jg2q5SN19
4mtXfJcRgET7HuAd7daqpKDx68SR6kLnhuwgEu/UGLgJkbI+gqm/oHaioDr0OZCY
RJKXq04QL/Y=
=47iq
-----END PGP SIGNATURE-----

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   ASSIST:                                                                *
*                                                                          *
*       E-mail address: ASSIST@ASSIST.MIL                                  *
*                                                                          *
*       Telephone: 1-(800)-357-4231 (24 hours/day)                         *
*                                                                          *
*   You may also contact the Security Coordination Center (SCC) at the     *
*   NIC:                                                                   *
*                                                                          *
*       E-mail address: SCC@NIC.MIL                                        *
*                                                                          *
*       Telephone: 1-(800)-365-3642                                        *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained by sending email to docserver@first.org with an empty
subject line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed
herein do not necessarily state or reflect those of the United States
Government, and shall not be used for advertising or product endorsement
purposes.