Archive of CERT general posting, CERT Summary CS-98.03

11/03/98, CERT Summary CS-98.03
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@coal.cert.org
Subject: CERT Summary CS-98.03
From: CERT Advisory <cert-advisory@cert.org>
Date: Tue, 10 Mar 1998 15:20:34 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-98.03
March 10, 1998

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://ftp.cert.org/pub/

Past CERT Summaries are available from 
     ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the last regularly scheduled CERT Summary issued in December 1997
(CS-97.06), we have seen these continuing trends in incidents reported to us.

1. Root Compromises and Network Sniffers

   We continue to receive daily reports of UNIX systems that have suffered a
   root compromise. Many of these compromises can be traced to systems that
   are unpatched or misconfigured, on which the intruders exploit well-known
   vulnerabilities for which CERT advisories have been published. On many
   root-compromised systems, the intruders also install packet sniffers to
   collect account names and passwords on other systems. (The packet sniffers
   are frequently installed as part of several widely available intruder
   toolkits that also replace common system files with Trojan horse programs.)

   For information about recovering from a UNIX root compromise, see

     ftp://ftp.cert.org/pub/tech_tips/root_compromise

   To learn about methods for detecting intruders' packet sniffers and Trojan
   horse programs, see

 http://www.cert.org/pub/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
 or ftp://ftp.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks


2. Large-Scale Scanning and Attacks

   We have been receiving reports of large-scale scanning of hosts on the
   Internet, where intruders are using automated programs to identify systems
   that are running vulnerable services. In one incident reported to the
   CERT/CC, more than 250,000 hosts were scanned. Many of these scans have led
   to root compromises on systems that were not patched against various
   well-known problems that have been addressed in previous CERT advisories.

   In recent months, the most commonly reported types of intruder scanning
   and exploitation attacks continue to be against IMAP and rpc-statd
   services.

   A. IMAP Attacks

   We continue to receive reports of IMAP attacks, as mentioned in previous
   CERT Summaries (CS-98.01, CS-97.06, and CS-97.04). These reports show that
   intruders are still launching large-scale, automated scans against many
   networks, identifying potentially vulnerable systems.

   Any system that is running a vulnerable version of certain implementations
   of IMAP servers may allow an intruder to gain root-level access on that
   vulnerable host.

   We encourage you to check for the IMAP vulnerability and take immediate
   action to address the problem. For related information, see

     http://www.cert.org/pub/advisories/CA-97.09.imap_pop.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop

     ftp://ftp.cert.org/pub/cert_summaries/CS-97.04

     ftp://ftp.cert.org/pub/cert_summaries/CS-97.06

   B. rpc-statd Attacks

   We are also receiving reports of attacks involving a vulnerability in
   rpc.statd (also known as statd on some systems), as mentioned in CERT
   Summary CS-98.01 - SPECIAL EDITION. This vulnerability can allow an
   intruder to gain root access.

   For related information, see CERT Advisory CA-97.26 and CERT Summary
   CS-98.01:

     http://www.cert.org/pub/advisories/CA-97.26.statd.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-97.26.statd

     ftp://ftp.cert.org/pub/cert_summaries/CS-98.01


3. Denial-of-Service Attacks

We are still receiving daily reports of various types of denial-of-service
attacks.

You can find information about protecting your systems against several common
types of denial-of-service attacks in the following documents:

     ftp://ftp.cert.org/pub/tech_tips/denial_of_service

     ftp://ftp.cert.org/pub/cert_summaries/CS-98.02

     http://www.cert.org/pub/advisories/CA-98.01.smurf.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-98.01.smurf

     http://www.cert.org/pub/advisories/CA-97.28.Teardrop_Land.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land

     http://www.cert.org/pub/advisories/CA-96.26.ping.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-96.26.ping

     http://www.cert.org/pub/advisories/CA-96.21.tcp_syn_flooding.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

     http://www.cert.org/pub/advisories/CA-96.01.UDP_service_denial.html
     or ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

We encourage you to read the above documents and apply the appropriate vendor
patches. We also encourage you to consider implementing router filters to
reduce your site's exposure to certain types of attacks.

   A. More Denial-of-Service Attacks Targeting Windows 95/NT Machines

   This section is a follow-up to the information provided in the Special
   Edition CERT Summary released on March 4. This document is available at

     ftp://ftp.cert.org/pub/cert_summaries/CS-98.02

   We have received reports of sites continuing to experience "teardrop2"
   denial-of-service attacks targeted at multiple hosts. Again, we encourage
   you to install the appropriate patches to minimize the effect of this
   attack.

   Microsoft has released a new "Security Bulletin" addressing network
   denial-of-service attacks. This bulletin contains pointers to Windows NT
   hotfixes and a Windows 95 update which patch vulnerable machines. The
   bulletin is available from the Microsoft security web site at

     http://www.microsoft.com/security/netdos.htm


New Location of "New Additions" and "Updated Files" Information
- ---------------------------------------------------------------
Before we publish the next regular issue of the CERT Summary, we will have a
"What's New" page on our Web site at 

   http://www.cert.org/

On this page we'll highlight new documents we've made available as well as
noteworthy document updates.

As a result, this is the last time we will include the "New Additions" and
"Updated Files" sections in the CERT Summary.



What's New in the CERT FTP Archive and Web Site
- -----------------------------------------------
We have made the following changes to our FTP and Web sites since the last
regularly scheduled CERT Summary (December 1, 1997).

* New Additions

http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/

    CA-97.26.statd                              Reports a vulnerability that
                                                exists in the statd(1M)
                                                program, available on a
                                                variety of UNIX platforms.

    CA-97.27.FTP_bounce                         Discusses the use of the PORT
                                                command in the FTP protocol.

    CA-97.28.Teardrop_Land                      Reports on two IP
                                                denial-of-service attacks.

    CA-98.01.smurf                              Describes the "smurf" IP
                                                denial-of-service attacks. The
                                                attack described in this
                                                advisory is different from the
                                                denial-of-service attacks
                                                described in CERT advisory
                                                CA-97.28.

    CA-98.02.CDE                                Reports several
                                                vulnerabilities in some
                                                implementations of the Common
                                                Desktop Environment (CDE).

    CA-98.03.ssh-agent                          Details a vulnerability in the
                                                SSH cryptographic login
                                                program.

    CA-98.04.Win32.WebServers                   Reports an exploitation
                                                involving long file names on
                                                Microsoft Windows-based web
                                                servers.


ftp://ftp.cert.org/pub/cert_bulletins/

    VB-97.15.nis_cachemgr                       Addresses a vulnerability that
                                                allows attackers to specify
                                                rogue NIS+ servers that are
                                                under their control.

    VB-97.16.CrackLib                           Describes a weakness in a
                                                published version of CrackLib
                                                (v2.5, dated 1993) that could
                                                lead to a compromise of system
                                                privileges.

    VB-98.01.excite                             Discusses a security hole that
                                                could allow a malicious user
                                                of the software to execute
                                                shell commands on the the host
                                                system on which EWS has been
                                                installed.

    VB-98.02.apache                             Describes several possible
                                                security issues that have been
                                                discovered during an internal
                                                security review of the Apache
                                                source code.


ftp://ftp.cert.org/pub/cert_summaries/

    CS-98.01                                    Highlights increasing attacks
                                                involving a vulnerability in
                                                rpc.statd, also known as statd
                                                on some systems.

    CS-98.02                                    Describes denial-of-service
                                                attacks targeting a
                                                vulnerability in the Microsoft
                                                TCP/IP stack.


ftp://ftp.cert.org/pub/tools/cracklib/

    cracklib26_small.diff

    cracklib26_small.tgz


http://www.cert.org/pub/reports.html

    Annual Report 1997                          CERT/CC 1997 Annual Report
                                                (Summary)

    Security of the Internet                    Article written by the CERT/CC
                                                staff for The Froehlich/Kent
                                                Encyclopedia of
                                                Telecommunications vol. 15


* Updated Files

http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/

    CA-96.08.pcnfsd                             Added information for NCR
                                                Corporation.

    CA-96.09.rpc.statd                          Added information for NCR
                                                Corporation.

    CA-96.14.rdist_vul                          Updated information for NCR
                                                Corporation.

    CA-96.26.ping                               Updated information for NCR
                                                Corporation.

    CA-97.03.csetup                             Added information for Data
                                                General.

    CA-97.06.rlogin-term                        Added information for NCR
                                                Corporation.

    CA-97.09.imap_pop                           Updated information for Sun
                                                Microsystems, Inc.

    CA-97.11.libXt                              Updated information for Data
                                                General Corporation. Added
                                                information for Silicon
                                                Graphics, Inc.

    CA-97.16.ftpd                               Added information for NCR
                                                Corporation.

    CA-97.17.sperl                              Added information for NCR
                                                Corporation.

    CA-97.18.at                                 Updated information for
                                                Silicon Graphics, Inc.

    CA-97.21.sgi_buffer_overflow                Updated information for
                                                Silicon Graphics, Inc.

    CA-97.23.rdist                              Updated information for NCR
                                                Corporation.

    CA-97.25.CGI_metachar                       Updated tech tip and removed
                                                Appendix A.

    CA-98.03.ssh-agent                          In Updates section, described
                                                two cases in which the
                                                vulnerability is present.


ftp://ftp.cert.org/pub/tech_tips/

    cgi_metacharacters                          Updated information.

    FTP_PORT_attacks                            Updated information.



- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org 

Phone    +1 412-268-7090 (24-hour hotline) 
                CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
                Monday-Friday, and are on call for emergencies during other
                hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to 
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information. 

Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
 
* CERT is registered in the U.S. Patent and Trademark Office.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNQWAVnVP+x0t4w7BAQHzNQP9EmDSMKFwRsLQkX7rsxRDYnMmOHkUAUve
O107MYkhmeBBKn0P9G37wSvAhdxeqMJ7wgvVINIYEkG7DBwapBd325VS589E2dmL
r5ZLqt6cr7O7Ji3pCGVys4Xw957uMMst9BnyT3pNySBeZBX/3lc3VCxXnGUu3nX9
rzW9DUOGDJY=
=EiP3
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Summary CS-98.02
Next message sorted by date: CERT Summary CS-98.04
Previous message sorted by thread: CERT Summary CS-98.02
Next message by thread: CERT Summary CS-98.04
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000