Archive of CERT general posting, CERT Summary CS-97.06


To: cert-advisory@cert.org
Subject: CERT Summary CS-97.06
From: CERT Advisory <cert-advisory@cert.org>
Date: Mon, 1 Dec 1997 16:38:27 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-97.06 
December 1, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://ftp.cert.org/pub/

Past CERT Summaries are available from
     ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------

Since the August CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing IMAP Exploits

Although this activity has been mentioned in past CERT Summaries (CS-97.04,
CS-97.05), we continue to receive a significant stream of reports relating to
IMAP attacks. These reports show that intruders are launching large-scale,
automated scans against many networks and identifying many potentially
vulnerable systems.

The impact of an IMAP attack is that the remote user (e.g., intruder) will be
able to gain root-level access on a vulnerable host.

We cannot stress enough the importance for sites to check for the IMAP
vulnerability and take immediate action to address the problem. For more
information see the following:

   ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
   ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
   http://www.cert.org/pub/advisories/1997/CA-97.09.imap_pop.html

 - If you have a host that has a vulnerable IMAP server installed by default
   as part of the OS version, but that is not using IMAP, you should
   investigate any connection to port 143 for signs of a root compromise.

 - If you have a host that is using a vulnerable version of the IMAP server,
   you should investigate connections that are from outside the network or the
   constituency of the network for signs of a root compromise.

        NOTE: If you discover that you have suffered a root compromise as a
        result of conditions like those described in the two previous
        paragraphs, we would like to know. We also encourage you to recover
        by taking the steps outlined in

            ftp://ftp.cert.org/pub/tech_tips/root_compromise

 - If you are not running an IMAP server, connection attempts (internal or
   external) to port 143 are probably probes by an intruder; they could also
   be the result of a misconfiguration if the connection attempts originate
   from within your constituency.

 - If you are running a patched IMAP server, connections that are from outside
   your network or the constituency of the network are very likely to be
   probes by intruders.

        NOTE: If you have been probed (as described in the two previous
        paragraphs) and the attack was not successful, we would like to hear
        about that, too. We encourage you to contact the site from which the
        probe originated to alert them to the activity, in case the account
        used to launch the attack was compromised.

        Your reports will help us to continue to determine the scope of the
        problem and coordinate appropriate responses, although we may not be
        able to respond to each report individually.
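
The four cases above, applied to connection records, as an added example that
is not part of the CERT summary. The constituency range, the host inventory,
its state names and the sample records are all constructed assumptions.

```python
import ipaddress

IMAP_PORT = 143

# Assumption: the address ranges that make up your network or constituency.
CONSTITUENCY = [ipaddress.ip_network("192.0.2.0/24")]

# Assumption: per-host IMAP state, taken from an asset inventory.
HOSTS = {
    "192.0.2.10": "not_running",
    "192.0.2.11": "installed_unused_vulnerable",
    "192.0.2.12": "in_use_vulnerable",
    "192.0.2.13": "in_use_patched",
}

# Constructed sample records: (source, destination, destination port).
CONNECTIONS = [
    ("198.51.100.7", "192.0.2.10", 143),
    ("192.0.2.50", "192.0.2.10", 143),
    ("192.0.2.50", "192.0.2.11", 143),
    ("198.51.100.7", "192.0.2.12", 143),
    ("192.0.2.50", "192.0.2.12", 143),
    ("203.0.113.9", "192.0.2.13", 143),
    ("203.0.113.9", "192.0.2.13", 25),
    ("203.0.113.9", "192.0.2.99", 143),
]


def is_internal(addr):
    """True if addr lies inside one of the constituency ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONSTITUENCY)


def triage(src, dst, port):
    """Map one connection to the action the summary gives for its case."""
    if port != IMAP_PORT:
        return None  # not IMAP traffic, out of scope here
    state = HOSTS.get(dst)
    internal = is_internal(src)
    if state is None:
        return "inventory-gap"  # destination unknown: fix the inventory first
    if state == "installed_unused_vulnerable":
        return "investigate-root-compromise"  # any connection, any source
    if state == "in_use_vulnerable":
        # The summary names an action only for outside sources.
        return "not-flagged" if internal else "investigate-root-compromise"
    if state == "not_running":
        return "probe-or-misconfiguration" if internal else "probable-probe"
    if state == "in_use_patched":
        return "not-flagged" if internal else "probable-probe"
    raise ValueError("unknown IMAP state: " + state)


def triage_all(connections):
    """Return (src, dst, verdict) for every record that targets port 143."""
    verdicts = ((s, d, triage(s, d, p)) for s, d, p in connections)
    return [v for v in verdicts if v[2] is not None]
```

A "not-flagged" verdict only means the summary lists no action for that case;
a host that is still running a vulnerable server needs the fix regardless.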


2. Root Compromises

In addition to the compromises occurring as a result of the above activity, we
also continue to receive daily reports of sites that have suffered a root
compromise. Many of these compromises can be traced to systems that are
unpatched or misconfigured, which the intruders exploit using well-known
vulnerabilities for which CERT advisories have been published.

We encourage you to check for signs of compromise. The following documents can
help you review your systems:

Intruder Detection Checklist

        This document outlines suggested steps for determining if your system
        has been compromised.

        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

Steps for Recovering from a UNIX Root Compromise

        This document sets out suggested steps for responding to a root
        compromise.

        ftp://ftp.cert.org/pub/tech_tips/root_compromise

UNIX Configuration Guidelines

        This document describes common UNIX system configuration problems that
        have been exploited by intruders and recommends practices that can be
        used to help deter several types of break-ins.

        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

List of Security Tools

        This document describes tools that can be used to help secure a system
        and deter break-ins.

        ftp://ftp.cert.org/pub/tech_tips/security_tools


3. CGI Scripts

We continue to receive reports concerning exploitation of vulnerable cgi-bin
scripts. As mentioned in recent CERT documents, the cause of the problem is
not in the CGI scripting language (such as Perl and C), but in how the script
is written.

The CERT/CC team urges you to check all CGI scripts that are available via the
World Wide Web services at your site and ensure that they sanitize
user-supplied data. For more information, please see

        ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

These CERT advisories discuss vulnerabilities relating to cgi-bin topics:

ftp://ftp.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
ftp://ftp.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
ftp://ftp.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
ftp://ftp.cert.org/pub/cert_advisories/CA-97.12.webdist
ftp://ftp.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
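
One way a CGI handler can sanitize a user-supplied field before it reaches
another program, as an added example that is not taken from the CERT documents
listed above. The form field "user" and the program /usr/local/bin/lookup are
hypothetical.

```python
import re
from urllib.parse import parse_qs

# Allow-list: state the characters that are acceptable and reject the rest,
# rather than trying to enumerate every dangerous metacharacter.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")
MAX_LEN = 32

LOOKUP = "/usr/local/bin/lookup"  # hypothetical helper program


def clean_field(value):
    """Return value unchanged if it is safe to hand on, else raise ValueError."""
    if not value or len(value) > MAX_LEN:
        raise ValueError("empty or over-long field")
    if not ALLOWED.fullmatch(value):
        raise ValueError("character outside the allow-list")
    if value.startswith("-"):
        raise ValueError("would be read as a command-line option")
    return value


def build_argv(query_string):
    """Turn a raw query string into an argument vector for the helper.

    The result is a list meant for an exec-style call such as
    subprocess.run(argv) with no shell, so the field is never re-parsed
    as shell syntax even if the allow-list is widened later.
    """
    form = parse_qs(query_string)
    user = clean_field(form.get("user", [""])[0])
    return [LOOKUP, "--", user]


def is_accepted(query_string):
    """True if the request passes validation (helper used by the checks)."""
    try:
        build_argv(query_string)
        return True
    except ValueError:
        return False


# Constructed sample requests and the expected decision for each.
SAMPLES = {
    "user=alice": True,
    "user=alice%3Bid": False,   # ';' after URL decoding
    "user=a%0Ab": False,        # embedded newline
    "user=-v": False,           # leading dash
    "user=": False,             # empty field
}
```

Rejecting the request outright, instead of silently stripping characters,
keeps the decision visible in the script's error path and logs.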


4. Relaying of Spam Email through Victim Sites

For quite some time, the CERT Coordination Center has received reports of
email spam being relayed through other sites. These reports are becoming more
frequent as more spammers learn to disguise their activities by relaying their
mail through unsuspecting sites (who are using older versions of sendmail,
poor logging, and no anti-spam features).

Since the default configuration of sendmail 8.8.8 (and prior releases) allows
spam to be relayed, we encourage you to review your mail configuration and
evaluate your exposure to this type of abuse. With a default sendmail
configuration, no authentication is required for remote hosts (including
people sending spam mail) to connect to your mail server for the purpose of
relaying mail.

There are features in sendmail version 8.8 that will prevent your host from
being misused as a relay gateway. A document titled "Anti-Spam Provisions in
sendmail 8.8", provided by the author of sendmail (Eric Allman), describes the
modifications to the sendmail.cf file. It is available at

  http://www.sendmail.org/antispam.html

These modifications to the sendmail.cf file will help prevent a variety of
email spamming and bombing attacks.



What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (August 26,
1997).

* New Additions

ftp://ftp.cert.org/pub/cert_advisories/

    CA-97.23.rdist                              Discusses a buffer overflow
                                                problem in rdist. This is a
                                                different vulnerability from
                                                the one described in CA-96.14.

    CA-97.24.Count_cgi                          Describes a buffer overrun
                                                vulnerability in the Count.cgi
                                                cgi-bin program. This
                                                vulnerability allows intruders
                                                to force Count.cgi to execute
                                                arbitrary commands.

    CA-97.25.CGI_metachar                       Reports a vulnerability that
                                                exists in some CGI scripts and
                                                allows an attacker to execute
                                                arbitrary commands on a WWW
                                                server under the effective
                                                user-id of the server process.


ftp://ftp.cert.org/pub/cert_bulletins/

    VB-97.07.sgi                                A Silicon Graphics
                                                Inc. Security Advisory
                                                addressing vulnerabilities in
                                                the IRIX webdist.cgi, handler,
                                                and wrap programs, part of the
                                                Outbox subsystem

    VB-97.08.transarc                           Information from Transarc
                                                Corp. about a vulnerability in
                                                Transarc DCE Integrated login
                                                for sites running both AFS and
                                                DCE

    VB-97.09.cisco                              Information from Cisco Systems
                                                about vulnerabilities in CHAP
                                                authentication

    VB-97.10.samba                              Information from the Samba
                                                Team about a vulnerability
                                                that allows remote users to
                                                obtain root access on the
                                                Samba server

    VB-97.11.nec                                Details about a problem with
                                                the "nosuid" mount(1)
                                                option

    VB-97.12.opengroup                          Information about a potential
                                                problem in the OSF/DCE
                                                security server that could
                                                allow for a denial of service
                                                attack

    VB-97.13.GlimpseHTTP.WebGlimpse             Information about a
                                                vulnerability that may allow
                                                intruders to execute arbitrary
                                                commands with the privileges
                                                of the httpd process

    VB-97.14.scoterm                            Information from the Santa
                                                Cruz Operation about a
                                                vulnerability in the
                                                implementation of scoterm that
                                                could allow unprivileged users
                                                to gain unauthorized root
                                                access to the system


ftp://ftp.cert.org/pub/latest_sw_versions/

    rdist                                       Pointer to rdist 6.1.3

    sendmail                                    Pointer to sendmail 8.8.8


ftp://ftp.cert.org/pub/tech_tips/

    cgi_metacharacters                          Discusses how to remove meta
                                                characters from user-supplied
                                                data in CGI scripts

ftp://ftp.cert.org/pub/tools/

    rdist/                                      Added rdist 6.1.3

    sendmail/                                   Added sendmail 8.8.8




* Updated Files

ftp://ftp.cert.org/pub/cert_advisories/

    CA-93:19.Solaris.Startup.vulnerability      Updates - Added Sun
                                                Microsystems, Inc. patch
                                                information

    CA-95:14.Telnetd_Environment_Vulnerability  Updated information for
                                                Sun Microsystems, Inc.

    CA-95:17.rpc.ypupdated.vul                  Updated information for
                                                Sun Microsystems, Inc.

    CA-96.08.pcnfsd                             Updated information for
                                                IBM Corporation

    CA-96.10.nis+_configuration                 Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.15.Solaris_KCMS_vul                   Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.16.Solaris_admintool_vul              Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.17.Solaris_vold_vul                   Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.20.sendmail_vul                       Updated information
                                                from Sun Microsystems, Inc.

    CA-96.25.sendmail_groups                    Updated information
                                                from Sun Microsystems, Inc.

    CA-96.26.ping                               Updated information
                                                from Sun Microsystems, Inc.

    CA-97.06.rlogin-term                        Updated information
                                                from Sun Microsystems, Inc.;
                                                added information from Data
                                                General Corporation

    CA-97.09.imap_pop                           Section III.A and Appendix A -
                                                added information for
                                                IBM Corporation

    CA-97.11.libXt                              Appendix A - updated
                                                information for Sun
                                                Microsystems, Inc.

    CA-97.14.metamail                           Updated information for
                                                Red Hat

    CA-97.15.sgi_login                          Updated information from
                                                Silicon Graphics, Inc.

    CA-97.16.ftpd                               Added information for NCR
                                                Corporation

    CA-97.18.at                                 Added information for NCR
                                                Corporation

    CA-97.20.javascript                         Appendix A - updated
                                                Netscape's URLs

    CA-97.21.sgi_buffer_overflow                Updates Section - updated
                                                information for Silicon
                                                Graphics, Inc.

    CA-97.22.bind                               Appendix A - Added information
                                                for BSDI

    CA-97.23.rdist                              Appendix A - added information
                                                for OpenBSD and Silicon
                                                Graphics, Inc., Caldera, and
                                                Siemens-Nixdorf

ftp://ftp.cert.org/pub/cert_summaries/

    CS-97.05                                    Corrected BIND version number



A New Look on the CERT Web Site
- ------------------------------
If you haven't visited our Web site (http://www.cert.org) since November 10,
check it out. We have a new look and some new documents. We've tried to
organize things so that it's easier for you to find the information you
need. Some highlights include

CERT incident and vulnerability statistics
        http://www.cert.org/pub/cert-stats/cert_stats.html

CERT annual reports for 1994, 1995, and 1996
        http://www.cert.org/pub/reports.html

Security Improvement Modules
        http://www.cert.org/security-improvement/index.html

An Analysis of Security Incidents on the Internet 1989-1995
        http://www.cert.org/research/JHThesis/index.html

Report to the President's Commission on Critical Infrastructure Protection
        http://www.cert.org/pub/reports.html

Links to other sources of advisories and Internet security information
        http://www.cert.org/pub/other_sources.html


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIMjhnVP+x0t4w7BAQGpQgQAunsd4esc4U4hOFpLOhGpyH+UoHWrp5jf
B1P4U9Em1xd3tMCh+vxqWh95+atwDc/RcNoiOqKyj3XQ6EHyoez0vj5jg2q5SN19
4mtXfJcRgET7HuAd7daqpKDx68SR6kLnhuwgEu/UGLgJkbI+gqm/oHaioDr0OZCY
RJKXq04QL/Y=
=47iq
-----END PGP SIGNATURE-----


