CS-96.04
ed26230263a8e30b21339ee15fcaad29abe985d55bc56b3021eb1d9a07e9921f
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------
CERT(*) Summary CS-96.04
July 23, 1996
Last Revised: October 2, 1997
Updated copyright statement
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Increasing Sophistication of Intruder Community Expertise
- ---------------------------------------------------------
In earlier summaries, we noted that the intruder community was
analyzing operating system source code to develop increasingly
sophisticated and effective exploitation techniques. The intruder
community is now developing new techniques to analyze programs for
potential vulnerabilities even in the absence of source code. This can
be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against
command line parameters.
Although there is little that sites can do in direct response to this
information, it does highlight the importance of staying up to date
with security patches and workarounds for your operating systems and
applications.
Operating System Concerns
- -------------------------
We receive reports relating to incident activity from many different
sites using a wide variety of operating systems. Because of problems
we see that directly relate to operating systems, we felt it
worthwhile to make a few observations about choosing an operating
system. For information on this subject, see
ftp://info.cert.org/pub/tech_tips/choose_operating_sys
Forged Advisories
- -----------------
Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program,
you can determine whether or not an advisory is genuine by checking
the PGP signature.
We use PGP to sign all our advisories. To verify that a CERT advisory
is authentic,
1. Get the CERT public key from
ftp://info.cert.org/pub/CERT_PGP.key
2. Verify the authenticity of the document by checking the PGP
signature. To do this, enter the following command:
%pgp <filename>
You should see a message that includes the statement
Good signature from user "CERT Coordination Center <cert@cert.org>".
Signature made <date>
Recent Activity and Trends
- --------------------------
Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.
1. Linux root compromises
At least once a week we see reports of Linux machines that suffer
break-ins leading to root compromises. In many of these incidents, the
systems were misconfigured, and/or the intruders exploited well-known
vulnerabilities (for which CERT advisories have been published); the
intruders then installed Trojan horse programs and/or network
monitoring programs (packet sniffers).
If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We recommend that you also review
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at
http://bach.cis.temple.edu/linux/linux-security/
2. Telnetd in Linux systems
We have noticed an increase in the exploitation of a vulnerability in
the telnetd environment on unpatched Linux-based systems. If you have
not patched your system(s) for this vulnerability, we urge you to
review CERT advisory CA-95:14 and install the patch or workaround
provided.
ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability
3. Password Cracking
We continue to receive daily reports of unauthorized site access as a
result of compromised accounts and/or "cracked" passwords. For
information about protecting your password files, please see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
4. Sendmail attacks
Although discussed in previous summaries, we continue to receive
reports each week about intruders who attempt to exploit sendmail
vulnerabilities. We have published several advisories on sendmail. If
you have not addressed the vulnerabilities in sendmail, we urge you to
review these advisories and take appropriate action. All advisories,
including sendmail advisories, can be found at
ftp://info.cert.org/pub/cert_advisories/
In many of these attempts, intruders are trying to obtain
password files. For information on protecting your password files, see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
We have had many questions about when to use the sendmail restricted
shell program (smrsh). You should run smrsh with any UNIX system that
is running sendmail, regardless of vendor or version.
smrsh is now included as part of the current sendmail distribution
(effective with version 8.7.1). We strongly urge you to upgrade to the
latest version of sendmail. See
ftp://info.cert.org/pub/latest_sw_versions/sendmail
5. cgi-bin vulnerabilities
Since our last summary, we've seen an increase in the number of
reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin
program that relies on escape_shell_cmd() to prevent exploitation of
shell-based library calls may be vulnerable to attack. For more
information about cgi-bin vulnerabilities and patches, please see
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
There have been discussions in several public forums about the problem
of general-purpose interpreters being placed in the cgi-bin directory.
If these interpreters are accessible in the cgi-bin directory of a Web
server, then a remote user can execute any command the interpreters
can execute on that server. For more details and patch information,
see
ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
6. Mail spamming/spoofing attacks
We receive at least three incidents each week of mail spamming and/or
spoofing attacks. For information on responding to and recovering from such
activity, see
ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (May 22, 1996).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.10.nis+_configuration
CA-96.11.interpreters_in_cgi_bin_dir
CA-96.12.suidperl_vul
CA-96.13.dip_vul
ftp://info.cert.org/pub/cert_bulletins/
VB-96.08.sgi
VB-96.09.freebsd
VB-96.10.sco
VB-96.11.freebsd
ftp://info.cert.org/pub/tech_tips/
choose_operating_sys Things to consider when choosing an
operating system for your site
ftp://info.cert.org/pub/tools/
ifstatus Added the ifstatus program
ftp://info.cert.org/pub/vendors/
sun/sun_bulletin_00135 Added bulletin from Sun
Microsystems, Inc.
dec/dec-96.0383 Added bulletin from Digital
Equipment Corporation
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-95:13 Added vendor information for Digital
Equipment Corporation and Silicon
Graphics, Inc.
CA-96.04 Added information about the next
release of BIND
CA-96.08 Added vendor information for Digital
Equipment Corporation, NEC
Corporation, and Data Design Systems,
Inc. Added patch information for
FreeBSD, Inc.
CA-96.09 Added vendor information for Digital
Equipment Corporation. Added pointers
to Silicon Graphics, Inc. release notes
and Sun Microsystems, Inc. patches
CA-96.12 Added vendor information for FreeBSD,
NEC Corporation, and Digital Equipment
Corporation
ftp://info.cert.org/pub/FIRST/
first-contacts Updated contact information
ftp://info.cert.org/pub/latest_sw_versions/
bind Added pointer to version 4.9.4
ifstatus Added pointer to ifstatus
If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.
If you have any questions about the software listed in this directory,
please contact the vendor for more information.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
CERT is registered in the U.S. Patent and Trademark Office.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:
Oct 02, 1997 Updated copyright history
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNDgB43VP+x0t4w7BAQHmLgQAnM+f3nTzJzXi3ed309IatQ/fPDRAoB3A
wkzULnPIYTsl+ahCAt5+d0kXn1FcfhiZomwJfeTurc0ss3wDZ2Ki1sI8zlxZSBZS
xtb54+Sm/AcgshrDbe3aHuj20EYtNKhV50ojZTi5OkDkclcv+dNW0aErvsbSQCfr
H1zIU2LqfwU=
=KZ+L
-----END PGP SIGNATURE-----