Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-97.03
May 28, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the February CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing cgi-bin Exploits

   The CERT Coordination Center continues to receive daily reports of
   attempts to exploit vulnerabilities in cgi-bin scripts. Our original
   advisory regarding these vulnerabilities was published in March 1996,
   and is available from:
     ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

   The most frequently reported exploitation attempts use the "phf" program
   discussed in the advisory. The "phf" program is installed by default with
   several implementations of httpd servers. Intruders continue to use
   widely available "phf" exploit scripts to attempt to obtain a copy of the
   /etc/passwd file. Fortunately, many of the reported attempts are
   unsuccessful.

   We are now receiving reports that "php" is being exploited as well.
   Similar attacks may succeed against other cgi scripts if the scripts are
   written without appropriate care regarding security issues. We encourage
   sites to evaluate all programs in their cgi-bin directory and remove any
   scripts that are not in active use.

2. INND Exploits

   In our previous summary (CS-97.02 - SPECIAL EDITION) we reported
   widespread, large-scale attacks on NNTP (Network News Transport Protocol)
   servers.
   CS-97.02 is available from
     ftp://info.cert.org/pub/cert_summaries/CS-97.02

   We continue to receive reports that INND versions older than 1.5.1 are
   being exploited. For more information about the INND vulnerability please
   see
     ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

   We recommend that you *not* try to exploit your own server to determine
   if it is vulnerable. Many of the INND attacks reported were a result of
   sites testing their own servers and inadvertently releasing their test on
   the Internet. To determine if your version of INND is vulnerable, please
   consult the advisory (CA-97.08.innd).

   A number of sites have reported that they continue to be vulnerable after
   applying the patch for upgrading to INN 1.5.1. If you are upgrading to
   INN 1.5.1, please be sure to read the README file carefully.

3. Chargen and Echo Services

   The CERT/CC continues to receive reports of denial-of-service attacks
   that result from an intruder creating a "UDP packet storm" either on a
   system or between two systems. An attack on one host causes that host to
   perform poorly. An attack between two hosts can cause extreme network
   congestion in addition to adversely affecting host performance.

   For more information about this problem please see
     ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

   We recommend disabling unneeded services on each host, in particular the
   chargen and echo services, and filtering these services at the firewall
   or Internet gateway. Note that these services cannot be wrapped by TCP
   wrappers as they are usually part of inetd itself.

4. Spoofed CERT Summary

   The CERT/CC has received a number of questions about fake CERT Summaries.
   All documents produced by the CERT Coordination Center are PGP (Pretty
   Good Privacy) signed to ensure the integrity of their information and
   their authenticity. We encourage you to verify all of our documents using
   PGP.
   Our PGP public key is available from
     ftp://info.cert.org/pub/CERT_PGP.key

   This same key can be used to encrypt incident and vulnerability reports
   sent to us.

   For more information about PGP please see
     http://web.mit.edu/network/pgp.html


What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (February 26,
1997).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-97.08.innd
        Describes two vulnerabilities in INN. One affects versions 1.5 and
        earlier; the other affects 1.5.1 and earlier. Vendor information and
        pointers to patches are included.

    CA-97.09.imap_pop
        Reports a vulnerability in some Internet Message Access Protocol
        (IMAP) and Post Office Protocol (POP) implementations (imapd,
        ipop2d, and ipop3d). Vendor and upgrade information are included.

    CA-97.10.nls
        Reports a buffer overflow condition that affects some libraries
        using the Natural Language Service (NLS). Vendor vulnerability and
        patch information are included.

    CA-97.11.libXt
        Reports a buffer overflow vulnerability in the Xt library of the
        X Windowing System. Vendor vulnerability and patch information are
        included.

    CA-97.12.webdist
        Describes a vulnerability in the webdist.cgi-bin program, part of
        the IRIX Mindshare Out Box package, available with IRIX 5.x and 6.x.
        A workaround is included.

    CA-97.13.xlock
        Reports a buffer overflow problem in some versions of xlock. Patch
        information and a workaround are included.

ftp://info.cert.org/pub/cert_bulletins/

    VB-97.01.dec
        Information from Digital Equipment Corporation about a potential
        vulnerability in the Division of Privilege (DoP).

    VB-97.02.sol_guestbook
        Information from Selena Sol about a vulnerability in her Guestbook
        script for Web servers using Server Side Includes (SSI).

ftp://info.cert.org/pub/cert_summaries/

    CS-97.02
        This special edition of the CERT Summary highlights widespread,
        large-scale attacks that are occurring against news servers.
* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-96.02.bind
        Noted that BIND 8.1 was released in May 1997. Gave new location of
        the BIND archives.

    CA-96.08.pcnfsd
        Corrected a name in acknowledgments.

    CA-96.20.sendmail_vul
        Updated vendor information for Hewlett-Packard Company.

    CA-96.21.tcp_syn_flooding
        Updated vendor information for Hewlett-Packard Company.

    CA-96.24.sendmail.daemon.mode
        Updated vendor information for Hewlett-Packard Company.

    CA-97.02.hp_newgrp
        Noted that the vulnerability described in this advisory is being
        exploited.

    CA-97.03.csetup
        Updated the Solution section to include URL for SGI patch
        information.

    CA-97.04.talkd
        Updated vendor information for Hewlett-Packard Company.

    CA-97.05.sendmail
        Updated NEC Corporation information.

    CA-97.08.innd
        Added information about Topic 2, ucbmail, including a new patch that
        must be applied to many versions of INN. Replaced pointer to patch
        04 with patch 05 and noted that you must use patch 05. Added
        information from various vendors. Noted that the vulnerability is
        being actively exploited.

    CA-97.09.imap_pop
        Added vendor information from Microsoft Corporation.

    CA-97.10.nls
        Updated vendor information from Hewlett-Packard Company.

    CA-97.11.libXt
        Updated vendor information from Hewlett-Packard Company.

    CA-97.14.metamail
        Added vendor information from Berkeley Software Design, Inc. (BSDI).
        Changed release date of the patch.

ftp://info.cert.org/pub/latest_sw_versions/

    ifstatus
        Added pointer to latest version, ifstatus 2.0.

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    [address not preserved in this copy]

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and
         are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
         [address not preserved in this copy]
In the subject line, type
         SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
         http://www.cert.org/
         ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

* Registered U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM4x6mHVP+x0t4w7BAQGQBAP+KHYNhLYQXqXvx2OsglfZsrewW3nJVmlm
rmF6JNWxoWi+wu/jJwcyE1g/dNv0KpdKZq9smT/1llD/g/bVmSMmffI1F/A45lpG
DMzLfJzJVCwAk6hDvfirXDd659JvzXNmXJmw0GxywERbI3QUEKn8egQFCVr03B9K
RmlmOteXYkg=
=OKD7
-----END PGP SIGNATURE-----
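Item 1 above notes that many "phf" and "php" attempts are unsuccessful. The following is an added example, not part of the CERT summary: it scans web server access-log lines for requests to those two scripts and separates requests the server answered with success from those it refused. It assumes Common Log Format; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

WATCHED = {"phf", "php"}  # cgi-bin script names named in item 1 of the summary

# Common Log Format: host ident user [date] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges, query strings elided).
SAMPLE_LOG = """\
192.0.2.10 - - [27/May/1997:03:12:01 -0400] "GET /cgi-bin/phf?q=elided HTTP/1.0" 404 207
192.0.2.10 - - [27/May/1997:03:12:03 -0400] "GET /cgi-bin/php?q=elided HTTP/1.0" 404 207
198.51.100.7 - - [27/May/1997:04:40:19 -0400] "GET /cgi-bin/%70hf?q=elided HTTP/1.0" 200 512
203.0.113.5 - - [27/May/1997:05:01:44 -0400] "GET /index.html HTTP/1.0" 200 1830
198.51.100.7 - - [27/May/1997:05:02:10 -0400] "GET /CGI-BIN//PHF HTTP/1.0" 403 199
"""


def watched_script(target):
    """Return the watched script a request target addresses, or None."""
    # Drop the query, then undo %-encoding, case and doubled slashes so that
    # /cgi-bin/%70hf and /CGI-BIN//PHF are recognised as /cgi-bin/phf.
    path = unquote(target.split("?", 1)[0]).lower()
    parts = [p for p in path.split("/") if p]
    for parent, name in zip(parts, parts[1:]):
        if parent == "cgi-bin" and name in WATCHED:
            return name
    return None


def scan(log_text):
    """Per source host, count watched-script requests served versus refused."""
    hits = defaultdict(lambda: {"served": 0, "refused": 0})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, _method, target, status = m.groups()
        if watched_script(target) is None:
            continue
        # A 2xx status means the script ran and needs follow-up on that host.
        key = "served" if status.startswith("2") else "refused"
        hits[host][key] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, counts in sorted(scan(SAMPLE_LOG).items()):
        print(host, counts)
```

A non-zero "served" count means the script is still installed and reachable, which is the case the summary's advice to remove unused cgi-bin programs addresses.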
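Item 3 above recommends disabling chargen and echo and notes that TCP wrappers cannot cover them because they are usually part of inetd itself. The following is an added example, not part of the CERT summary: it audits inetd.conf text for enabled chargen and echo entries and records whether each is an inetd built-in. The configuration text and function names are constructed for illustration.

```python
FLAGGED = {"chargen", "echo"}  # services the summary recommends disabling

# Constructed sample in the usual inetd.conf column order:
# service  socket-type  protocol  wait  user  server-program  [arguments]
SAMPLE_INETD_CONF = """\
# constructed sample, not from a real host
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#chargen stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
daytime  dgram   udp  wait    root  internal
"""


def audit_inetd(conf_text, flagged=FLAGGED):
    """Return one finding per enabled entry whose service name is flagged."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or commented out and therefore disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service, _sock, proto, _wait, _user, server = fields[:6]
        if service in flagged:
            findings.append({
                "line": lineno,
                "service": service,
                "protocol": proto,
                # "internal" entries are served by inetd itself, so there is
                # no server program for TCP wrappers to be placed in front of.
                "internal": server == "internal",
            })
    return findings


def udp_storm_candidates(findings):
    """Subset relevant to the UDP packet storm described in the summary."""
    return [f for f in findings if f["protocol"].startswith("udp")]


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD_CONF):
        kind = "built into inetd" if f["internal"] else "external server"
        print(f"line {f['line']}: {f['service']}/{f['protocol']} enabled ({kind})")
```

Each finding is a line to comment out in inetd.conf before inetd rereads its configuration; filtering at the firewall or gateway, as the summary recommends, is a separate control.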