-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(*) Summary CS-97.02 - SPECIAL EDITION
March 18, 1997
Last Revised: October 2, 1997
        Updated copyright statement

This special edition of the CERT Summary highlights widespread, large-scale
attacks that are occurring against news servers.

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Current activity - attacks on news servers
- ------------------------------------------

The CERT Coordination Center and incident response teams around the world have
received numerous reports concerning widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers throughout the world. NNTP servers
are commonly referred to as USENET news servers.

The activity involves an attempt to exploit a vulnerability in versions of
INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1
was thought to be vulnerable; however, as far as we are able to determine, it
is not.

INN is a commonly used software program for serving and managing news
according to the NNTP protocol. This vulnerability allows remote users to
execute arbitrary commands on the news server with the same privileges as
the user-id that manages the news server. As of 8:00 am EST (GMT -5),
March 18, 1997, it appears that the most common activity is to attempt to mail
the password file and configuration files to a remote site.

Because of the nature of USENET news, messages are passed automatically from
one site to another. The exploitation involves a particular kind of message,
known as a control message. Intruders can construct and post control messages
in such a way as to exploit the vulnerability. Because of this, your site may
have been compromised even if it was not specifically selected by an intruder.

Information about the vulnerability, along with information about patches and
workarounds, is available from

        ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

If we receive further information, we will update this advisory.

We encourage sites that are running INN 1.5 or earlier to upgrade to
INN 1.5.1 as soon as possible.

James Brister, the current maintainer of INN, has provided additional
information regarding the update to INN 1.5.1; this information has been added
to the advisory. James has provided the following patches for INN version 1.5,
1.4sec, 1.4unoff3, and 1.4unoff4:

  ftp://ftp.isc.org/isc/inn/patches/security-patch.01    1.5
  ftp://ftp.isc.org/isc/inn/patches/security-patch.02    1.4sec
  ftp://ftp.isc.org/isc/inn/patches/security-patch.03    1.4unoff3, 1.4unoff4

The directory includes MD5 checksums for each patch.

Information regarding INN patches may be found at

        http://www.isc.org/inn.html

System administrators who did not update to INN 1.5.1 before Friday,
March 14, 1997, should take the following steps:

      * Examine your news logs for signs of exploitation. So far, we
        have reports of at least six distinct message IDs being used:

                830201540.9120@uunet.uu.net
                830201540.9122@uunet.uu.net
                830201540.9220@uunet.uu.net
                830201540.9223@uunet.uu.net
                830201540.9020@uunet.uu.net
                830201540.9221@uunet.uu.net

        Although these messages appear to come from UUNET, the messages
        were forged.

        If these message IDs appear in your logs, it is highly likely that
        these control messages reached your news server. Moreover, it is
        almost certain that additional messages will be (or already have been)
        crafted by intruders, so checking for those message IDs is not enough.

      * If you discover that your password file has been mailed to an intruder
        and you are not using a shadow password mechanism (or another password
        mechanism such as Kerberos), you should consider changing all the
        passwords on your systems.

        We encourage you to examine the following documents for further
        security information:

        ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

            This document will help you methodically check your systems
            for signs of compromise, and offers pointers to other resources
            and suggestions on how to proceed in the event of a compromise.

        ftp://info.cert.org/pub/tech_tips/root_compromise

            This document outlines steps you can take to help recover from
            a root compromise and to secure your systems from further
            compromise.

        ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines

            This document will help you avoid common problems that can lead
            to compromises on UNIX systems, and provides a general framework
            for configuring UNIX systems.

        ftp://info.cert.org/pub/tech_tips/security_tools

            This document provides a list of tools that can help you
            to monitor your systems for signs of compromise and to
            monitor activity on your systems and networks.

        ftp://info.cert.org/pub/tech_tips/passwd_file_protection

            This document describes ways in which you can protect your
            password file from unauthorized access.

      * Examine your news server for unauthorized processes running as the
        news user. Several of the malicious NNTP control messages include a
        script that attempts to establish an outgoing telnet session to another
        location. Typically, sites with firewalls permit outbound telnet
        connections.

      * We have several reports of sites that have attempted to check their
        own exposure to this vulnerability and have inadvertently released
        control messages to the Internet that exploit this vulnerability. We
        strongly discourage sites from using control messages as a way to
        measure exposure to this vulnerability. To determine if your NNTP
        server is vulnerable, we recommend that you follow the steps outlined
        in Section I of advisory CA-97.08. If you have accidentally released
        such a message, we encourage you to notify any vulnerable sites that
        you discover through feedback from your test message. Please include
        cert@cert.org in the CC line of the messages you exchange.

      * If you discover that you have been compromised as a result of this
        vulnerability and you have a representative in FIRST, we encourage you
        to contact them directly. To locate your representative in the FIRST
        community, please see

                http://www.first.org/

      * If you do not have a representative in FIRST, we encourage you to
        report to the CERT Coordination  Center. In order to help us assess
        the 'big picture,' please include the following information:

                - Your name and contact information
                - The domain name of your news server
                - The NNTP server software you run, including version number
                - A copy of the control message(s) if you have it
                - Any additional pertinent information

        In accordance with our policies, we will not release information about
        your site without your explicit permission.

        Due to the large volume of mail we are receiving regarding this
        activity, we may not be able to follow up all reports
        individually. Nonetheless, your report will help us to understand the
        activity better and to provide more accurate information to the
        Internet community at large.

We would like to express our thanks to James Brister for his assistance in
preparing this summary.

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997  Updated copyright history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDgCQXVP+x0t4w7BAQGdkwQAxDqmFCz/Rj8nVZxOwNzJ697tgOlM6hp7
nCCtHAba21UpTuBJXoDaLSlzHni+ptdPaE0upn7jjI+u3TUAPm6eXiN7xB65Nex+
OCxxn6ndYsK3A5G/Ln4cPgrbaWcY5sJMEq6UnT9UFabK+eywjfbRGF+9VxegQEQm
yLs52dD2TDQ=
=2bn0
-----END PGP SIGNATURE-----