**************************************************************************
Security Bulletin 9808                  DISA Defense Communications System
March 11, 1998                          Published by: DISN Security
                                        Coordination Center (SCC@NIC.MIL)
                                        1-(800) 365-3642

           DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous"
and password="guest". The bulletin pathname is scc/sec-yynn (where "yy"
is the year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt). These are also available at our WWW site,
http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Information Systems Agency's Security                !
!  Coordination Center distribution system as a means of                !
!  providing DISN subscribers with useful security information.         !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-98.03                                        March 10, 1998

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems.

We also list new or updated files that are available for anonymous FTP from
ftp://ftp.cert.org/pub/

Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the last regularly scheduled CERT Summary issued in December 1997
(CS-97.06), we have seen these continuing trends in incidents reported to
us.

1. Root Compromises and Network Sniffers

We continue to receive daily reports of UNIX systems that have suffered a
root compromise. Many of these compromises can be traced to systems that
are unpatched or misconfigured, on which the intruders exploit well-known
vulnerabilities for which CERT advisories have been published. On many
root-compromised systems, the intruders also install packet sniffers to
collect account names and passwords on other systems. (The packet sniffers
are frequently installed as part of several widely available intruder
toolkits that also replace common system files with Trojan horse programs.)

For information about recovering from a UNIX root compromise, see
ftp://ftp.cert.org/pub/tech_tips/root_compromise

To learn about methods for detecting intruders' packet sniffers and Trojan
horse programs, see
http://www.cert.org/pub/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

2. Large-Scale Scanning and Attacks

We have been receiving reports of large-scale scanning of hosts on the
Internet, where intruders are using automated programs to identify systems
that are running vulnerable services. In one incident reported to the
CERT/CC, more than 250,000 hosts were scanned. Many of these scans have led
to root compromises on systems that were not patched against various
well-known problems that have been addressed in previous CERT advisories.
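Sweeps of this kind are visible in a site's own connection logs long before the follow-on compromise: one source address touches many hosts on the same service port in a short time. The script below is an added illustration, not part of the CERT Summary and not a CERT tool. It flags any source that reaches an assumed threshold of distinct destinations on one port within a sliding time window. The log line format, the addresses, the window and the threshold are all constructed for the example; the sample sweep targets TCP/143 (the IMAP port) because IMAP scans are among those being reported.

```python
"""Horizontal-scan detector over firewall-style connection logs.

Added example, not part of the CERT Summary and not a CERT tool.  The log
line format, addresses and thresholds below are assumptions made for the
illustration; adapt LINE_RE to whatever your router or syslog produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (allow|deny) (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, proto, dport, dst) or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(4), m.group(3), int(m.group(7)), m.group(6)


def find_scanners(lines, min_hosts=20, window=timedelta(minutes=5)):
    """Report (src, proto, dport, peak_hosts) for every source that reached at
    least `min_hosts` distinct destinations on one port inside `window`."""
    events = defaultdict(list)  # (src, proto, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        ts, src, proto, dport, dst = rec
        events[(src, proto, dport)].append((ts, dst))

    alerts = []
    for (src, proto, dport), evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        start = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while evs[start][0] < ts - window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            alerts.append((src, proto, dport, peak))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample: one source sweeps IMAP (TCP/143) across 40 hosts
    in 40 seconds, interleaved with benign SMTP traffic from another host
    and one garbage line."""
    lines = []
    for i in range(1, 41):
        lines.append(
            f"1998-03-09 02:14:{i:02d} deny tcp 192.0.2.77:{4300 + i} "
            f"-> 198.51.100.{i}:143"
        )
        if i % 10 == 0:
            lines.append(
                f"1998-03-09 02:14:{i:02d} allow tcp 192.0.2.10:{5000 + i} "
                f"-> 198.51.100.5:25"
            )
    lines.append("this line is not in the expected format")
    return lines


SAMPLE_LINES = build_sample_log()

if __name__ == "__main__":
    for src, proto, dport, peak in find_scanners(SAMPLE_LINES):
        print(f"possible scan: {src} touched {peak} hosts on {proto}/{dport}")
```

Only fast sweeps trip this check: a scanner that spreads its probes over hours stays under `min_hosts` in any one window, so widen the window or lower the threshold (at the cost of false positives from busy legitimate clients) when slow scans are the concern.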
In recent months, the most commonly reported types of intruder scanning
and exploitation attacks continue to be against IMAP and rpc.statd
services.

A. IMAP Attacks

We continue to receive reports of IMAP attacks, as mentioned in previous
CERT Summaries (CS-98.01, CS-97.06, and CS-97.04). These reports show that
intruders are still launching large-scale, automated scans against many
networks, identifying potentially vulnerable systems. Any system that is
running a vulnerable version of certain implementations of IMAP servers may
allow an intruder to gain root-level access on that vulnerable host. We
encourage you to check for the IMAP vulnerability and take immediate action
to address the problem.

For related information, see
http://www.cert.org/pub/advisories/CA-97.09.imap_pop.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
ftp://ftp.cert.org/pub/cert_summaries/CS-97.06

B. rpc.statd Attacks

We are also receiving reports of attacks involving a vulnerability in
rpc.statd (also known as statd on some systems), as mentioned in CERT
Summary CS-98.01 - SPECIAL EDITION. This vulnerability can allow an
intruder to gain root access.

For related information, see CERT Advisory CA-97.26 and CERT Summary
CS-98.01:
http://www.cert.org/pub/advisories/CA-97.26.statd.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-97.26.statd
ftp://ftp.cert.org/pub/cert_summaries/CS-98.01

3. Denial-of-Service Attacks

We are still receiving daily reports of various types of denial-of-service
attacks.
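Several of the attack classes this section goes on to cite (smurf, Teardrop and Land, oversized ping, SYN flooding) share a property that makes the router filtering recommended below practical: each can be recognised from IP and TCP/ICMP header fields alone, without looking at payload. The script below is an added illustration, not taken from the CERT Summary or from any vendor advisory. It applies those header checks to constructed packet records rather than live traffic; the record field names, the sample addresses, the list of local directed-broadcast addresses and the SYN threshold are assumptions chosen for the example. UDP service-denial loops (CA-96.01) are not modelled.

```python
"""Header-level recognisers for the denial-of-service attack classes cited
in this section: Land, smurf amplification, Teardrop-style overlapping
fragments, oversized ("ping of death") datagrams and SYN flooding.

Added example, not from the CERT Summary or any vendor.  It inspects
constructed packet records (plain dicts) rather than live traffic; the field
names, the sample addresses and the SYN threshold are assumptions chosen
for the illustration.
"""
from collections import Counter, defaultdict

MAX_IP_DATAGRAM = 65535  # RFC 791: the total-length field is 16 bits


class DosFilter:
    def __init__(self, local_broadcasts, syn_threshold=100):
        # Directed-broadcast addresses of the networks this router serves;
        # echo requests aimed at them are smurf amplification traffic.
        self.local_broadcasts = set(local_broadcasts)
        self.syn_threshold = syn_threshold
        self._frags = defaultdict(list)     # (src, dst, ip_id) -> [(start, end)]
        self._half_open = defaultdict(int)  # (dst, dport) -> SYNs not yet ACKed

    def inspect(self, pkt):
        """Return the list of attack labels this packet matches (empty if none)."""
        hits = []
        proto = pkt["proto"]

        # Land: a TCP SYN whose source and destination endpoints are identical.
        if (proto == "tcp" and "SYN" in pkt["flags"]
                and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]):
            hits.append("land")

        # Smurf: ICMP echo request (type 8) sent to a directed-broadcast address.
        if (proto == "icmp" and pkt.get("icmp_type") == 8
                and pkt["dst"] in self.local_broadcasts):
            hits.append("smurf-directed-broadcast")

        # Fragment checks: frag_offset is in 8-byte units, length in bytes.
        if pkt.get("frag_offset", 0) or pkt.get("more_frags", False):
            start = pkt.get("frag_offset", 0) * 8
            end = start + pkt["length"]
            if end > MAX_IP_DATAGRAM:
                hits.append("oversized-datagram")  # ping-of-death shape
            key = (pkt["src"], pkt["dst"], pkt["ip_id"])
            if any(start < e and s < end for s, e in self._frags[key]):
                hits.append("overlapping-fragment")  # Teardrop shape
            self._frags[key].append((start, end))
            # Entries are never aged out here; a real filter must expire them.

        # SYN flooding: count SYNs per listener not yet followed by the
        # client's ACK, and alert once when the backlog reaches the threshold.
        if proto == "tcp":
            key = (pkt["dst"], pkt["dport"])
            flags = pkt["flags"]
            if "SYN" in flags and "ACK" not in flags:
                self._half_open[key] += 1
                if self._half_open[key] == self.syn_threshold:
                    hits.append("syn-flood")
            elif "ACK" in flags and "SYN" not in flags and self._half_open[key]:
                self._half_open[key] -= 1
        return hits


def summarize(packets, filt):
    """Run every packet through `filt` and count how often each label fired."""
    counts = Counter()
    for pkt in packets:
        counts.update(filt.inspect(pkt))
    return dict(counts)


def make_sample_packets():
    """Constructed traffic: a benign handshake and a benign fragmented
    datagram, then one instance of each attack shape."""
    def tcp(src, dst, sport, dport, flags):
        return dict(src=src, dst=dst, proto="tcp", sport=sport, dport=dport,
                    flags=set(flags), length=0)

    pk = [
        tcp("192.0.2.10", "198.51.100.5", 4000, 25, ["SYN"]),
        tcp("198.51.100.5", "192.0.2.10", 25, 4000, ["SYN", "ACK"]),
        tcp("192.0.2.10", "198.51.100.5", 4000, 25, ["ACK"]),
        # benign fragmentation: second piece starts exactly where the first ends
        dict(src="192.0.2.10", dst="198.51.100.5", proto="udp", ip_id=500,
             frag_offset=0, more_frags=True, length=1480),
        dict(src="192.0.2.10", dst="198.51.100.5", proto="udp", ip_id=500,
             frag_offset=185, more_frags=False, length=100),
        # Land
        tcp("198.51.100.5", "198.51.100.5", 139, 139, ["SYN"]),
        # smurf amplification request
        dict(src="203.0.113.9", dst="198.51.100.255", proto="icmp",
             icmp_type=8, length=64),
        # Teardrop: second fragment lands inside the first
        dict(src="203.0.113.9", dst="198.51.100.5", proto="udp", ip_id=242,
             frag_offset=0, more_frags=True, length=36),
        dict(src="203.0.113.9", dst="198.51.100.5", proto="udp", ip_id=242,
             frag_offset=3, more_frags=False, length=4),
        # oversized ping: final fragment pushes the datagram past 65535 bytes
        dict(src="203.0.113.9", dst="198.51.100.5", proto="icmp", icmp_type=8,
             ip_id=777, frag_offset=8180, more_frags=False, length=1480),
    ]
    # SYN flood from rotating spoofed sources against a web server
    pk += [tcp(f"203.0.113.{i % 250 + 1}", "198.51.100.5", 1024 + i, 80, ["SYN"])
           for i in range(100)]
    return pk


if __name__ == "__main__":
    print(summarize(make_sample_packets(),
                    DosFilter(local_broadcasts={"198.51.100.255"})))
```

The Land and smurf checks are stateless and map directly onto router access lists (on Cisco IOS of the period, `no ip directed-broadcast` on each interface removes the smurf amplification case). The fragment and SYN checks need per-flow state and therefore belong on a host or a stateful filter, and any real implementation must expire that state, which the example deliberately omits.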
You can find information about protecting your systems against several
common types of denial-of-service attacks in the following documents:

ftp://ftp.cert.org/pub/tech_tips/denial_of_service
ftp://ftp.cert.org/pub/cert_summaries/CS-98.02
http://www.cert.org/pub/advisories/CA-98.01.smurf.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-98.01.smurf
http://www.cert.org/pub/advisories/CA-97.28.Teardrop_Land.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
http://www.cert.org/pub/advisories/CA-96.26.ping.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-96.26.ping
http://www.cert.org/pub/advisories/CA-96.21.tcp_syn_flooding.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
http://www.cert.org/pub/advisories/CA-96.01.UDP_service_denial.html
or
ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

We encourage you to read the above documents and apply the appropriate
vendor patches. We also encourage you to consider implementing router
filters to reduce your site's exposure to certain types of attacks.

A. More Denial-of-Service Attacks Targeting Windows 95/NT Machines

This section is a follow-up to the information provided in the Special
Edition CERT Summary released on March 4. This document is available at
ftp://ftp.cert.org/pub/cert_summaries/CS-98.02

We have received reports of sites continuing to experience "teardrop2"
denial-of-service attacks targeted at multiple hosts. Again, we encourage
you to install the appropriate patches to minimize the effect of this
attack.

Microsoft has released a new "Security Bulletin" addressing network
denial-of-service attacks. This bulletin contains pointers to Windows NT
hotfixes and a Windows 95 update which patch vulnerable machines.
The bulletin is available from the Microsoft security web site at
http://www.microsoft.com/security/netdos.htm

New Location of "New Additions" and "Updated Files" Information
- ---------------------------------------------------------------
Before we publish the next regular issue of the CERT Summary, we will have
a "What's New" page on our Web site at http://www.cert.org/

On this page we'll highlight new documents we've made available as well as
noteworthy document updates. As a result, this is the last time we will
include the "New Additions" and "Updated Files" sections in the CERT
Summary.

What's New in the CERT FTP Archive and Web Site
- -----------------------------------------------
We have made the following changes to our FTP and Web sites since the last
regularly scheduled CERT Summary (December 1, 1997).

* New Additions

http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/

  CA-97.26.statd
    Reports a vulnerability that exists in the statd(1M) program, available
    on a variety of UNIX platforms.

  CA-97.27.FTP_bounce
    Discusses the use of the PORT command in the FTP protocol.

  CA-97.28.Teardrop_Land
    Reports on two IP denial-of-service attacks.

  CA-98.01.smurf
    Describes the "smurf" IP denial-of-service attacks. The attack
    described in this advisory is different from the denial-of-service
    attacks described in CERT advisory CA-97.28.

  CA-98.02.CDE
    Reports several vulnerabilities in some implementations of the Common
    Desktop Environment (CDE).

  CA-98.03.ssh-agent
    Details a vulnerability in the SSH cryptographic login program.

  CA-98.04.Win32.WebServers
    Reports an exploitation involving long file names on Microsoft
    Windows-based web servers.

ftp://ftp.cert.org/pub/cert_bulletins/

  VB-97.15.nis_cachemgr
    Addresses a vulnerability that allows attackers to specify rogue NIS+
    servers that are under their control.

  VB-97.16.CrackLib
    Describes a weakness in a published version of CrackLib (v2.5, dated
    1993) that could lead to a compromise of system privileges.

  VB-98.01.excite
    Discusses a security hole that could allow a malicious user of the
    software to execute shell commands on the host system on which EWS has
    been installed.

  VB-98.02.apache
    Describes several possible security issues that have been discovered
    during an internal security review of the Apache source code.

ftp://ftp.cert.org/pub/cert_summaries/

  CS-98.01
    Highlights increasing attacks involving a vulnerability in rpc.statd,
    also known as statd on some systems.

  CS-98.02
    Describes denial-of-service attacks targeting a vulnerability in the
    Microsoft TCP/IP stack.

ftp://ftp.cert.org/pub/tools/cracklib/

  cracklib26_small.diff
  cracklib26_small.tgz

http://www.cert.org/pub/reports.html

  Annual Report 1997
    CERT/CC 1997 Annual Report (Summary)

  Security of the Internet
    Article written by the CERT/CC staff for The Froehlich/Kent
    Encyclopedia of Telecommunications vol. 15

* Updated Files

http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/

  CA-96.08.pcnfsd
    Added information for NCR Corporation.

  CA-96.09.rpc.statd
    Added information for NCR Corporation.

  CA-96.14.rdist_vul
    Updated information for NCR Corporation.

  CA-96.26.ping
    Updated information for NCR Corporation.

  CA-97.03.csetup
    Added information for Data General.

  CA-97.06.rlogin-term
    Added information for NCR Corporation.

  CA-97.09.imap_pop
    Updated information for Sun Microsystems, Inc.

  CA-97.11.libXt
    Updated information for Data General Corporation.
    Added information for Silicon Graphics, Inc.

  CA-97.16.ftpd
    Added information for NCR Corporation.

  CA-97.17.sperl
    Added information for NCR Corporation.

  CA-97.18.at
    Updated information for Silicon Graphics, Inc.

  CA-97.21.sgi_buffer_overflow
    Updated information for Silicon Graphics, Inc.

  CA-97.23.rdist
    Updated information for NCR Corporation.

  CA-97.25.CGI_metachar
    Updated tech tip and removed Appendix A.

  CA-98.03.ssh-agent
    In Updates section, described two cases in which the vulnerability is
    present.

ftp://ftp.cert.org/pub/tech_tips/

  cgi_metacharacters
    Updated information.

  FTP_PORT_attacks
    Updated information.

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30 a.m.-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         Monday-Friday, and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
         cert-advisory-request@cert.org
In the subject line, type
         SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available from
         http://www.cert.org/
         ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNQWAVnVP+x0t4w7BAQHzNQP9EmDSMKFwRsLQkX7rsxRDYnMmOHkUAUve
O107MYkhmeBBKn0P9G37wSvAhdxeqMJ7wgvVINIYEkG7DBwapBd325VS589E2dmL
r5ZLqt6cr7O7Ji3pCGVys4Xw957uMMst9BnyT3pNySBeZBX/3lc3VCxXnGUu3nX9
rzW9DUOGDJY=
=EiP3
-----END PGP SIGNATURE-----

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   ASSIST:                                                                *
*                                                                          *
*       E-mail address: ASSIST@ASSIST.MIL                                  *
*                                                                          *
*       Telephone: 1-(800)-357-4231 (24 hours/day)                         *
*                                                                          *
*   You may also contact the Security Coordination Center (SCC) at the     *
*   NIC:                                                                   *
*                                                                          *
*       E-mail address: SCC@NIC.MIL                                        *
*                                                                          *
*       Telephone: 1-(800)-365-3642                                        *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained by sending email to docserver@first.org with an empty
subject line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed
herein do not necessarily state or reflect those of the United States
Government, and shall not be used for advertising or product endorsement
purposes.