-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT* Summary CS-97.06
December 1, 1997
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://ftp.cert.org/pub/
Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
Since the August CERT Summary, we have seen these continuing trends in
incidents reported to us.
1. Continuing IMAP Exploits
Although it's been mentioned in past CERT Summaries (CS-97.04, CS-97.05), we
continue to receive a significant stream of reports relating to IMAP
attacks. These reports show that intruders are launching large scale,
automated scans against many networks--identifying many potentially vulnerable
systems.
The impact of a successful IMAP attack is that a remote user (for example, an
intruder) gains root-level access on the vulnerable host.
We cannot stress enough the importance for sites to check for the IMAP
vulnerability and take immediate action to address the problem. For more
information see the following:
ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
http://www.cert.org/pub/advisories/1997/CA-97.09.imap_pop.html
- If you have a host that has a vulnerable IMAP server installed by default
as part of the OS version, but that is not using IMAP, you should
investigate any connection to port 143 for signs of a root compromise.
- If you have a host that is using a vulnerable version of the IMAP server,
you should investigate connections that are from outside the network or the
constituency of the network for signs of a root compromise.
NOTE: If you discover that you have suffered a root compromise as a
result of conditions like those described in the two previous
paragraphs, we would like to know. We also encourage you to recover
by taking the steps outlined in
ftp://ftp.cert.org/pub/tech_tips/root_compromise
- If you are not running an IMAP server, connection attempts (internal or
external) to port 143 are probably probes by an intruder; they could also
be the result of a misconfiguration if the connection attempts originate
from within your constituency.
- If you are running a patched IMAP server, connections that are from outside
your network or the constituency of the network are very likely to be
probes by intruders.
NOTE: If you have been probed (as described in the two previous
paragraphs) and the attack was not successful, we would like to hear
about that, too. We encourage you to contact the site from which the
probe originated to alert them to the activity, in case the account
used to launch the attack was compromised.
Your reports will help us to continue to determine the scope of the
problem and coordinate appropriate responses, although we may not be
able to respond to each report individually.
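The four cases above amount to a small decision table: what a connection to
port 143 means depends on whether the host runs an IMAP server at all, whether
that server is patched, and whether the peer is inside the site's
constituency. The following script is an added example, not part of this CERT
Summary; it applies that table to constructed TCP-wrapper-style syslog lines.
The log format, the documentation-range addresses and the constituency
networks are all assumptions made for illustration.

```python
"""Triage of IMAP (TCP port 143) connection-log entries.

Added example, not part of the CERT Summary. Given the state of the local
IMAP server and the site's constituency address ranges, each logged
connection is classified the way the summary's four cases describe.
"""
import ipaddress
import re

# Constructed sample log lines in the style of tcpd syslog output. tcpd logs
# the service name rather than the port; the imapd entries are the port 143
# connections. 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation
# prefixes, not real hosts.
SAMPLE_LOG = """\
Dec  1 03:12:01 mailhost imapd[2112]: connect from 192.0.2.17
Dec  1 03:12:02 mailhost imapd[2113]: connect from 198.51.100.9
Dec  1 03:12:03 mailhost imapd[2114]: connect from 203.0.113.44
Dec  1 03:12:04 mailhost in.telnetd[2115]: connect from 203.0.113.44
"""

# Address blocks that make up this site's constituency (constructed).
CONSTITUENCY = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Server states corresponding to the four cases in the summary.
SERVER_STATES = ("none", "vulnerable_unused", "vulnerable_in_use", "patched")

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ "
                     r"(?P<service>[\w.]+)\[\d+\]: connect from (?P<peer>[\d.]+)$")


def is_internal(addr):
    """True if the peer address falls inside the constituency."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONSTITUENCY)


def classify(peer, server_state):
    """Return the summary's recommended reading of one port 143 connection."""
    if server_state not in SERVER_STATES:
        raise ValueError("unknown server state: %r" % server_state)
    internal = is_internal(peer)
    if server_state == "none":
        # No IMAP server: a probe, or a misconfiguration if it came from inside.
        return "probable probe or misconfiguration" if internal else "probable probe"
    if server_state == "vulnerable_unused":
        # Vulnerable server installed by default and not used: every
        # connection warrants a check for root compromise.
        return "investigate for root compromise"
    if server_state == "vulnerable_in_use":
        # Vulnerable server in use: outside connections need a compromise check.
        return "normal use" if internal else "investigate for root compromise"
    # Patched server: outside connections are very likely probes.
    return "normal use" if internal else "likely probe"


def triage(log_text, server_state):
    """Classify every imapd connection in the log; other services are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("service") != "imapd":
            continue
        findings.append((m.group("peer"), classify(m.group("peer"), server_state)))
    return findings


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG, "vulnerable_in_use"):
        print("%-15s %s" % (peer, verdict))
```

Run against real logs, the script is only a first pass: a connection flagged
"investigate for root compromise" is the cue to work through the Intruder
Detection Checklist on that host, not a verdict in itself.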
2. Root Compromises
In addition to the compromises occurring as a result of the above activity, we
also continue to receive daily reports of sites that have suffered a root
compromise. Many of these compromises can be traced to systems that are
unpatched or misconfigured, which the intruders exploit using well-known
vulnerabilities for which CERT advisories have been published.
We encourage you to check for signs of compromise. The following documents can
help you review your systems:
Intruder Detection Checklist
This document outlines suggested steps for determining if your system
has been compromised.
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist
Steps for Recovering from a UNIX Root Compromise
This document sets out suggested steps for responding to a root
compromise.
ftp://ftp.cert.org/pub/tech_tips/root_compromise
UNIX Configuration Guidelines
This document describes common UNIX system configuration problems that
have been exploited by intruders and recommends practices that can be
used to help deter several types of break-ins.
ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines
List of Security Tools
This document describes tools that can be used to help secure a system
and deter break-ins.
ftp://ftp.cert.org/pub/tech_tips/security_tools
3. CGI Scripts
We continue to receive reports concerning exploitation of vulnerable cgi-bin
scripts. As mentioned in recent CERT documents, the cause of the problem is
not the language the CGI script is written in (such as Perl or C), but how
the script is written.
The CERT/CC team urges you to check all CGI scripts that are available via the
World Wide Web services at your site and ensure that they sanitize
user-supplied data. For more information, please see
ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters
These CERT advisories discuss vulnerabilities relating to cgi-bin topics:
ftp://ftp.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
ftp://ftp.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
ftp://ftp.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
ftp://ftp.cert.org/pub/cert_advisories/CA-97.12.webdist
ftp://ftp.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
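The point of the advisories above is that the script, not the language, is
at fault: user-supplied data reaches a shell. The following is an added
example, not code from this CERT Summary or from the cgi_metacharacters tech
tip. It shows the pattern the advisories describe next to two defensive
measures, an allow-list check on the field and running the helper program
without any shell. The form field "user" and finger(1) as the helper program
are assumptions made for illustration.

```python
"""Handling user-supplied data in a CGI script without exposing the shell.

Added example; not from the CERT Summary or the cgi_metacharacters tech tip.
"""
import os
import re
import subprocess

# The "before": the field goes into a string that /bin/sh parses, so a shell
# metacharacter in the field becomes part of the command line. Kept only for
# contrast; it must not be called with untrusted input.
def lookup_unsafe(user):
    return os.system("finger " + user)

# Allow-list: a username starts with an alphanumeric, may contain '_', '.'
# or '-' after that, and is at most 32 characters. Everything else (the
# metacharacters the tech tip lists, whitespace, a leading '-' that finger
# would read as an option) is rejected rather than escaped. fullmatch() is
# used because a trailing newline would slip past a '$'-anchored match().
SAFE_USERNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")


def validate_username(user):
    """Return the field unchanged if it passes the allow-list, else None."""
    if SAFE_USERNAME.fullmatch(user):
        return user
    return None


def build_command(user):
    """Return the argv list for the helper, or raise if the field is rejected.

    An argv list handed to subprocess with shell=False is never parsed by a
    shell, so the field can only ever be a single argument to finger."""
    safe = validate_username(user)
    if safe is None:
        raise ValueError("rejected user-supplied field")
    return ["finger", safe]


def lookup_safe(user):
    """Run the helper without a shell and return its standard output."""
    proc = subprocess.run(build_command(user), shell=False,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def cgi_response(user):
    """Build the CGI reply: a 400 for rejected input, the helper output otherwise."""
    try:
        body = lookup_safe(user)
    except ValueError:
        return "Status: 400 Bad Request\nContent-Type: text/plain\n\nrejected\n"
    return "Content-Type: text/plain\n\n" + body
```

Rejecting input that fails an allow-list is preferable to stripping or
escaping metacharacters, because the list of characters that matter depends
on which shell and which helper program end up interpreting the data;
avoiding the shell entirely removes that dependency.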
4. Relaying of Spam Email through Victim Sites
For quite some time, the CERT Coordination Center has received reports of
email spam being relayed through other sites. These reports are becoming more
frequent as more spammers learn to disguise their activities by relaying their
mail through unsuspecting sites (typically sites running older versions of
sendmail with poor logging and no anti-spam features).
Since the default configuration of sendmail 8.8.8 (and prior releases) allows
spam to be relayed, we encourage you to review your mail configuration and
evaluate your exposure to this type of abuse. With a default sendmail
configuration, no authentication is required for remote hosts (including
people sending spam mail) to connect to your mail server for the purpose of
relaying mail.
There are features in sendmail version 8.8 that will prevent your host from
being misused as a relay gateway. A document titled "Anti-Spam Provisions in
sendmail 8.8", provided by the author of sendmail (Eric Allman), describes the
modifications to the sendmail.cf file. It is available at
http://www.sendmail.org/antispam.html
These modifications to the sendmail.cf file will help prevent a variety of
email spamming and bombing attacks.
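The sendmail.cf modifications above make sendmail refuse third-party relaying
at SMTP time. A site evaluating its exposure usually also wants to know
whether it has already been used as a relay, which the mail log can show: a
message accepted from a host outside the site's own networks and delivered to
a recipient outside the site's own domains was relayed. The following script
is an added example, not from this CERT Summary or from sendmail.org. The log
lines are constructed in the style of sendmail 8.8's per-message "from=" and
"to=" records, which share a queue id; the domains, addresses and local
networks are assumptions made for illustration.

```python
"""Finding third-party relaying in sendmail logs.

Added example, not from the CERT Summary or sendmail.org. The inbound side is
judged by the IP address in the "from=" record's relay= field, not by the
envelope sender, because the sender address is chosen by the remote party.
"""
import ipaddress
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.org"}                       # constructed
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed

# Constructed log: one local user sending out (JAA00401) and one outside host
# handing in a message with one outside and one local recipient (JAA00410).
SAMPLE_MAILLOG = """\
Dec  1 09:00:01 mailhost sendmail[401]: JAA00401: from=<alice@example.org>, size=812, class=0, pri=30812, nrcpts=1, msgid=<1@example.org>, proto=SMTP, relay=pc7.example.org [192.0.2.7]
Dec  1 09:00:02 mailhost sendmail[402]: JAA00401: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.net. [198.51.100.25], stat=Sent
Dec  1 09:05:10 mailhost sendmail[410]: JAA00410: from=<offer@example.com>, size=4512, class=0, pri=34512, nrcpts=2, msgid=<2@example.com>, proto=SMTP, relay=[203.0.113.77]
Dec  1 09:05:11 mailhost sendmail[411]: JAA00410: to=<carol@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.net. [198.51.100.25], stat=Sent
Dec  1 09:05:12 mailhost sendmail[411]: JAA00410: to=<dave@example.org>, delay=00:00:02, xdelay=00:00:01, mailer=local, stat=Sent
"""

# relay= is either "name [ip]" or just "[ip]" when there is no reverse name.
FROM_RE = re.compile(r"(?P<qid>[A-Z]{3}\d{5}): from=<(?P<sender>[^>]*)>.*"
                     r"relay=\S*\s?\[(?P<ip>[\d.]+)\]$")
TO_RE = re.compile(r"(?P<qid>[A-Z]{3}\d{5}): to=<(?P<rcpt>[^>]*)>.*stat=(?P<stat>\w+)")


def is_local_host(ip):
    """True if the connecting host is inside the site's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_address(mailbox):
    """True if the recipient's domain is one this server is meant to serve."""
    domain = mailbox.rpartition("@")[2].lower().rstrip(".")
    return domain in LOCAL_DOMAINS


def find_relayed(log_text):
    """Return (queue id, source ip, recipient) for each delivery that was
    accepted from a non-local host and sent on to a non-local recipient."""
    source = {}                     # qid -> ip the message arrived from
    recipients = defaultdict(list)  # qid -> [(recipient, stat)]
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            source[m.group("qid")] = m.group("ip")
            continue
        m = TO_RE.search(line)
        if m:
            recipients[m.group("qid")].append((m.group("rcpt"), m.group("stat")))
    relayed = []
    for qid, ip in source.items():
        if is_local_host(ip):
            continue                # the site's own users may send anywhere
        for rcpt, stat in recipients.get(qid, []):
            if stat == "Sent" and not is_local_address(rcpt):
                relayed.append((qid, ip, rcpt))
    return relayed


if __name__ == "__main__":
    for qid, ip, rcpt in find_relayed(SAMPLE_MAILLOG):
        print("%s relayed from %s to %s" % (qid, ip, rcpt))
```

A non-empty result is the evidence that the relay controls described in the
sendmail.org document are needed now, not merely advisable; the same scan run
after the sendmail.cf changes should come back empty.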
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (August 26,
1997).
* New Additions
ftp://ftp.cert.org/pub/cert_advisories/
    CA-97.23.rdist
        Discusses a buffer overflow problem in rdist. This is a different
        vulnerability from the one described in CA-96.14.
    CA-97.24.Count_cgi
        Describes a buffer overrun vulnerability in the Count.cgi cgi-bin
        program. This vulnerability allows intruders to force Count.cgi to
        execute arbitrary commands.
    CA-97.25.CGI_metachar
        Reports a vulnerability that exists in some CGI scripts and allows
        an attacker to execute arbitrary commands on a WWW server under the
        effective user-id of the server process.
ftp://ftp.cert.org/pub/cert_bulletins/
    VB-97.07.sgi
        A Silicon Graphics Inc. Security Advisory addressing vulnerabilities
        in the IRIX webdist.cgi, handler, and wrap programs, part of the
        Outbox subsystem.
    VB-97.08.transarc
        Information from Transarc Corp. about a vulnerability in Transarc
        DCE Integrated login for sites running both AFS and DCE.
    VB-97.09.cisco
        Information from Cisco Systems about vulnerabilities in CHAP
        authentication.
    VB-97.10.samba
        Information from the Samba Team about a vulnerability that allows
        remote users to obtain root access on the Samba server.
    VB-97.11.nec
        Details about a problem with the "nosuid" mount(1) option.
    VB-97.12.opengroup
        Information about a potential problem in the OSF/DCE security server
        that could allow for a denial of service attack.
    VB-97.13.GlimpseHTTP.WebGlimpse
        Information about a vulnerability that may allow intruders to
        execute arbitrary commands with the privileges of the httpd process.
    VB-97.14.scoterm
        Information from the Santa Cruz Operation about a vulnerability in
        the implementation of scoterm that could allow unprivileged users to
        gain unauthorized root access to the system.
ftp://ftp.cert.org/pub/latest_sw_versions/
    rdist        Pointer to rdist 6.1.3
    sendmail     Pointer to sendmail 8.8.8
ftp://ftp.cert.org/pub/tech_tips/
    cgi_metacharacters
        Discusses how to remove meta characters from user-supplied data in
        CGI scripts.
ftp://ftp.cert.org/pub/tools/
    rdist/       Added rdist 6.1.3
    sendmail/    Added sendmail 8.8.8
* Updated Files
ftp://ftp.cert.org/pub/cert_advisories/
    CA-93:19.Solaris.Startup.vulnerability
        Updates - Added Sun Microsystems, Inc. patch information
    CA-95:14.Telnetd_Environment_Vulnerability
        Updated information for Sun Microsystems, Inc.
    CA-95:17.rpc.ypupdated.vul
        Updated information for Sun Microsystems, Inc.
    CA-96.08.pcnfsd
        Updated information for IBM Corporation
    CA-96.10.nis+_configuration
        Updates - Added information for Sun Microsystems, Inc.
    CA-96.15.Solaris_KCMS_vul
        Updates - Added information for Sun Microsystems, Inc.
    CA-96.16.Solaris_admintool_vul
        Updates - Added information for Sun Microsystems, Inc.
    CA-96.17.Solaris_vold_vul
        Updates - Added information for Sun Microsystems, Inc.
    CA-96.20.sendmail_vul
        Updated information from Sun Microsystems, Inc.
    CA-96.25.sendmail_groups
        Updated information from Sun Microsystems, Inc.
    CA-96.26.ping
        Updated information from Sun Microsystems, Inc.
    CA-97.06.rlogin-term
        Updated information from Sun Microsystems, Inc.; added information
        from Data General Corporation
    CA-97.09.imap_pop
        Section III.A and Appendix A - added information for IBM Corporation
    CA-97.11.libXt
        Appendix A - updated information for Sun Microsystems, Inc.
    CA-97.14.metamail
        Updated information for Red Hat
    CA-97.15.sgi_login
        Updated information from Silicon Graphics, Inc.
    CA-97.16.ftpd
        Added information for NCR Corporation
    CA-97.18.at
        Added information for NCR Corporation
    CA-97.20.javascript
        Appendix A - updated Netscape's URLs
    CA-97.21.sgi_buffer_overflow
        Updates Section - updated information for Silicon Graphics, Inc.
    CA-97.22.bind
        Appendix A - Added information for BSDI
    CA-97.23.rdist
        Appendix A - added information for OpenBSD and Silicon Graphics,
        Inc., Caldera, and Siemens-Nixdorf
ftp://ftp.cert.org/pub/cert_summaries/
    CS-97.05
        Corrected BIND version number
A New Look on the CERT Web Site
- ------------------------------
If you haven't visited our Web site (http://www.cert.org) since November 10,
check it out. We have a new look and some new documents. We've tried to
organize things so that it's easier for you to find the information you
need. Some highlights include
CERT incident and vulnerability statistics
http://www.cert.org/pub/cert-stats/cert_stats.html
CERT annual reports for 1994, 1995, and 1996
http://www.cert.org/pub/reports.html
Security Improvement Modules
http://www.cert.org/security-improvement/index.html
An Analysis of Security Incidents on the Internet 1989-1995
http://www.cert.org/research/JHThesis/index.html
Report to the President's Commission on Critical Infrastructure Protection
http://www.cert.org/pub/reports.html
Links to other sources of advisories and Internet security information
http://www.cert.org/pub/other_sources.html
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email           [email address obscured by the archive]
Phone           +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
                and are on call for emergencies during other hours.
Fax             +1 412-268-6989
Postal address  CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[email address obscured by the archive]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available from our Web site and for
anonymous FTP from
http://www.cert.org/
ftp://ftp.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff.
If you do not have FTP or web access, send mail to [email address obscured
by the archive] with "copyright" in the subject line.
* CERT is registered in the U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNIMjhnVP+x0t4w7BAQGpQgQAunsd4esc4U4hOFpLOhGpyH+UoHWrp5jf
B1P4U9Em1xd3tMCh+vxqWh95+atwDc/RcNoiOqKyj3XQ6EHyoez0vj5jg2q5SN19
4mtXfJcRgET7HuAd7daqpKDx68SR6kLnhuwgEu/UGLgJkbI+gqm/oHaioDr0OZCY
RJKXq04QL/Y=
=47iq
-----END PGP SIGNATURE-----