-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT* Summary CS-97.03
May 28, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

     ftp://info.cert.org/pub/

Past CERT Summaries are available from

     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------

Since the February CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing cgi-bin Exploits

The CERT Coordination Center continues to receive daily reports of attempts to
exploit vulnerabilities in cgi-bin scripts. Our original advisory regarding
these vulnerabilities was published in March 1996, and is available from:

     ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

The most frequently reported exploitation attempts use the "phf" program
discussed in the advisory. The "phf" program is installed by default with
several implementations of httpd servers. Intruders continue to use widely
available "phf" exploit scripts to attempt to obtain a copy of the /etc/passwd
file. Fortunately, many of the reported attempts are unsuccessful. We are now
receiving reports that "php" is being exploited as well.

Similar attacks may succeed against other cgi scripts if the scripts are
written without appropriate care regarding security issues. We encourage sites
to evaluate all programs in their cgi-bin directory and remove any scripts
that are not in active use.
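
The following Python code is an added example, not part of the CERT summary. It scans web server access logs for requests to the "phf" and "php" cgi-bin programs named above and separates attempts the server refused from ones it actually served. The Common Log Format, the file name php.cgi, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Programs named in the summary; "php.cgi" is an assumed file name for "php".
WATCHED = {"phf", "php", "php.cgi"}
# Assumed log format: NCSA Common Log Format.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

def cgi_probe(line):
    """Return (host, script, status) for a request to a watched cgi-bin program."""
    m = CLF.match(line.strip())
    if not m:
        return None
    # Drop the query string, undo %-encoding, ignore case and empty segments.
    path = unquote(m.group("path").split("?", 1)[0]).lower()
    parts = [p for p in path.split("/") if p]
    if "cgi-bin" not in parts[:-1]:
        return None
    script = parts[parts.index("cgi-bin") + 1]
    if script not in WATCHED:
        return None
    return m.group("host"), script, int(m.group("status"))

def summarize(lines):
    """Per source host: attempts, how many were answered 2xx, scripts requested."""
    report = defaultdict(lambda: {"attempts": 0, "served": 0, "scripts": set()})
    for line in lines:
        hit = cgi_probe(line)
        if hit is None:
            continue
        host, script, status = hit
        report[host]["attempts"] += 1
        report[host]["scripts"].add(script)
        if 200 <= status < 300:  # the program exists and ran: needs follow-up
            report[host]["served"] += 1
    return dict(report)

# Constructed sample log lines (documentation addresses, placeholder queries).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/1997:10:01:02 -0400] "GET /cgi-bin/phf?constructed=1 HTTP/1.0" 404 207',
    '192.0.2.10 - - [28/May/1997:10:01:05 -0400] "GET /cgi-bin/php.cgi?constructed=1 HTTP/1.0" 404 207',
    '198.51.100.7 - - [28/May/1997:11:15:40 -0400] "GET /cgi-bin/%70hf?constructed=1 HTTP/1.0" 200 512',
    '203.0.113.5 - - [28/May/1997:11:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, info["attempts"], info["served"], sorted(info["scripts"]))
```

A host with a non-zero "served" count reached a program that is still installed, which is the case the recommendation to remove unused cgi-bin scripts is meant to eliminate.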

2. INND Exploits

In our previous summary (CS-97.02 - SPECIAL EDITION) we reported widespread,
large-scale attacks on NNTP (Network News Transport Protocol)
servers. CS-97.02 is available from

     ftp://info.cert.org/pub/cert_summaries/CS-97.02

We continue to receive reports that INND versions older than 1.5.1 are being
exploited. For more information about the INND vulnerability please see

     ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

We recommend that you *not* try to exploit your own server to determine if it
is vulnerable. Many of the INND attacks reported were a result of sites
testing their own servers and inadvertently releasing their test on the
Internet. To determine if your version of INND is vulnerable, please consult
the advisory (CA-97.08.innd).

A number of sites have reported that they continue to be vulnerable after
applying the patch for upgrading to INN 1.5.1. If you are upgrading to INN
1.5.1, please be sure to read the README file carefully.

3. Chargen and Echo Services

The CERT/CC continues to receive reports of denial-of-service attacks that
result from an intruder creating a "UDP packet storm" either on a system or
between two systems. An attack on one host causes that host to perform
poorly. An attack between two hosts can cause extreme network congestion in
addition to adversely affecting host performance. For more information about
this problem please see

     ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

We recommend disabling unneeded services on each host, in particular the
chargen and echo services, and filtering these services at the firewall or
Internet gateway. Note that these services cannot be wrapped by TCP wrappers
as they are usually part of inetd itself.
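
The following Python code is an added example, not part of the CERT summary. It reads an inetd.conf, reports active chargen and echo entries, notes whether each is served by inetd itself (server field "internal", the case TCP wrappers cannot cover), and returns a copy with those entries commented out. The sample configuration is constructed for illustration.

```python
RISKY = {"chargen", "echo"}  # the two services the summary singles out

def parse_entry(line):
    """Return the fields of an active inetd.conf entry, or None for blanks/comments."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    # service socket-type protocol wait/nowait user server-program [args...]
    fields = text.split()
    if len(fields) < 6:
        return None
    return {"service": fields[0], "proto": fields[2],
            "internal": fields[5] == "internal"}

def audit(conf_text):
    """Return (findings, hardened_text); findings are (line_no, service, proto, internal)."""
    findings, hardened = [], []
    for number, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and entry["service"] in RISKY:
            findings.append((number, entry["service"], entry["proto"], entry["internal"]))
            hardened.append("#" + line)  # disable by commenting the entry out
        else:
            hardened.append(line)
    return findings, "\n".join(hardened) + "\n"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample /etc/inetd.conf
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
echo    stream tcp nowait root internal
echo    dgram  udp wait   root internal
#chargen stream tcp nowait root internal
chargen dgram  udp wait   root internal
"""

if __name__ == "__main__":
    found, fixed = audit(SAMPLE_CONF)
    for number, service, proto, internal in found:
        note = "built into inetd, cannot be wrapped" if internal else "external server"
        print(f"line {number}: {service}/{proto} enabled ({note})")
    print(fixed, end="")
```

inetd rereads its configuration only when signalled (SIGHUP), so the commented-out entries stay active until that is done.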

4. Spoofed CERT Summary

The CERT/CC has received a number of questions about fake CERT Summaries. All
documents produced by the CERT Coordination Center are PGP (Pretty Good
Privacy) signed to ensure the integrity of their information and their
authenticity. We encourage you to verify all of our documents using PGP. Our
PGP public key is available from

     ftp://info.cert.org/pub/CERT_PGP.key

This same key can be used to encrypt incident and vulnerability
reports sent to us. For more information about PGP please see

     http://web.mit.edu/network/pgp.html

What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (February 26,
1997).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

  CA-97.08.innd                 Describes two vulnerabilities in
                                INN. One affects versions 1.5 and
                                earlier; the other affects 1.5.1 and
                                earlier. Vendor information and
                                pointers to patches are included.

  CA-97.09.imap_pop             Reports a vulnerability in some
                                Internet Message Access Protocol
                                (IMAP) and Post Office Protocol (POP)
                                implementations (imapd, ipop2d, and
                                ipop3d). Vendor and upgrade
                                information are included.

  CA-97.10.nls                  Reports a buffer overflow condition
                                that affects some libraries using the
                                Natural Language Service (NLS). Vendor
                                vulnerability and patch information
                                are included.

  CA-97.11.libXt                Reports a buffer overflow
                                vulnerability in the Xt library of the
                                X Windowing System. Vendor
                                vulnerability and patch information
                                are included.

  CA-97.12.webdist              Describes a vulnerability in the
                                webdist.cgi-bin program, part of the
                                IRIX Mindshare Out Box package,
                                available with IRIX 5.x and 6.x. A
                                workaround is included.

  CA-97.13.xlock                Reports a buffer overflow problem in
                                some versions of xlock. Patch
                                information and a workaround are
                                included.

ftp://info.cert.org/pub/cert_bulletins/

  VB-97.01.dec                  Information from Digital Equipment
                                Corporation about a potential
                                vulnerability in the Division of
                                Privilege (DoP).

  VB-97.02.sol_guestbook        Information from Selena Sol about a
                                vulnerability in her Guestbook script
                                for Web servers using Server Side
                                Includes (SSI).

ftp://info.cert.org/pub/cert_summaries/

  CS-97.02                      This special edition of the CERT
                                Summary highlights widespread,
                                large-scale attacks that are
                                occurring against news servers.

* Updated Files

ftp://info.cert.org/pub/cert_advisories/

  CA-96.02.bind                 Noted that BIND 8.1 was released in
                                May 1997. Gave new location of the
                                BIND archives.

  CA-96.08.pcnfsd               Corrected a name in acknowledgments.

  CA-96.20.sendmail_vul         Updated vendor information for
                                Hewlett-Packard Company.

  CA-96.21.tcp_syn_flooding     Updated vendor information for
                                Hewlett-Packard Company.

  CA-96.24.sendmail.daemon.mode Updated vendor information for
                                Hewlett-Packard Company.

  CA-97.02.hp_newgrp            Noted that the vulnerability described
                                in this advisory is being exploited.

  CA-97.03.csetup               Updated the Solution section to
                                include URL for SGI patch
                                information.

  CA-97.04.talkd                Updated vendor information for
                                Hewlett-Packard Company.

  CA-97.05.sendmail             Updated NEC Corporation information.

  CA-97.08.innd                 Added information about Topic 2,
                                ucbmail, including a new patch that
                                must be applied to many versions of
                                INN. Replaced pointer to patch 04 with
                                patch 05 and noted that you must use
                                patch 05. Added information from
                                various vendors. Noted that the
                                vulnerability is being actively
                                exploited.

  CA-97.09.imap_pop             Added vendor information from
                                Microsoft Corporation.

  CA-97.10.nls                  Updated vendor information from
                                Hewlett-Packard Company.

  CA-97.11.libXt                Updated vendor information from
                                Hewlett-Packard Company.

  CA-97.14.metamail             Added vendor information from Berkeley
                                Software Design, Inc. (BSDI). Changed
                                release date of the patch.

ftp://info.cert.org/pub/latest_sw_versions/

  ifstatus                      Added pointer to latest version,
                                ifstatus 2.0.

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    [address obscured in this archived copy]

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST
         (GMT-5)/EDT(GMT-4), and are on call for
         emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

     [address obscured in this archived copy]

In the subject line, type

     SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

     comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

     http://www.cert.org/
     ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

     ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
* Registered U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM4x6mHVP+x0t4w7BAQGQBAP+KHYNhLYQXqXvx2OsglfZsrewW3nJVmlm
rmF6JNWxoWi+wu/jJwcyE1g/dNv0KpdKZq9smT/1llD/g/bVmSMmffI1F/A45lpG
DMzLfJzJVCwAk6hDvfirXDd659JvzXNmXJmw0GxywERbI3QUEKn8egQFCVr03B9K
RmlmOteXYkg=
=OKD7
-----END PGP SIGNATURE-----