
96-06

Posted Sep 23, 1999


SHA-256 | 79f526efb12a59be7f6c30e1b9ca5a733462bc6c222632853598e3fe74f074da

-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---


EMERGENCY RESPONSE SERVICE
OUTSIDE ADVISORY REDISTRIBUTION

25 July 1996 12:00 GMT Number: ERS-OAR-E01-1996:006.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from the CERT Coordination
Center. Contact information for the CERT Coordination Center is included in
the forwarded text below; please contact them if you have any questions or need
further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

CERT(sm) Summary CS-96.04
July 23, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------


Increasing Sophistication of Intruder Community Expertise
- ---------------------------------------------------------

In earlier summaries, we noted that the intruder community was
analyzing operating system source code to develop increasingly
sophisticated and effective exploitation techniques. The intruder
community is now developing new techniques to analyze programs for
potential vulnerabilities even in the absence of source code. This can
be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against
command line parameters.

Although there is little that sites can do in direct response to this
information, it does highlight the importance of staying up to date
with security patches and workarounds for your operating systems and
applications.


Operating System Concerns
- -------------------------

We receive reports relating to incident activity from many different
sites using a wide variety of operating systems. Because of problems
we see that directly relate to operating systems, we felt it
worthwhile to make a few observations about choosing an operating
system. For information on this subject, see

ftp://info.cert.org/pub/tech_tips/choose_operating_sys


Forged Advisories
- -----------------

Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program,
you can determine whether or not an advisory is genuine by checking
the PGP signature.

We use PGP to sign all our advisories. To verify that a CERT advisory
is authentic,

1. Get the CERT public key from

ftp://info.cert.org/pub/CERT_PGP.key

2. Verify the authenticity of the document by checking the PGP
signature. To do this, enter the following command:

%pgp <filename>

You should see a message that includes the statement

Good signature from user "CERT Coordination Center <cert@cert.org>".
Signature made <date>
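
An added example, not part of the CERT or IBM-ERS text: the same check done by script, assuming GnuPG as a present-day stand-in for the pgp command above. It judges the result from gpg's machine-readable --status-fd lines and pins the signer by fingerprint, because the user ID printed in a "Good signature from user" line can be placed on any key; PINNED_FPR and the sample status output are constructed placeholders, and check_status and verify_file are names chosen here.

```python
import subprocess

# Placeholder only: the page gives no fingerprint. Pin the real one, obtained
# out of band, before relying on this check.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed value

# Status keywords that mean the signature must not be trusted.
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for gpg --status-fd output covering one signature."""
    good, valid_fprs = 0, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text is never evidence
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAIL:
            return False, keyword
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary-key fingerprint when gpg reports it.
            valid_fprs.append(args[9] if len(args) >= 10 else args[0])
    if good != 1 or len(valid_fprs) != 1:
        return False, "expected exactly one good, valid signature"
    if valid_fprs[0].upper() != pinned_fpr.upper():
        return False, "signed by unpinned key " + valid_fprs[0]
    return True, "ok"


def verify_file(path, pinned_fpr=PINNED_FPR):
    """Run gpg on a signed advisory and judge it from the status lines only."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr)


# Constructed status output. FORGED models a key that carries the same user ID
# but has a different fingerprint.
GENUINE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 CERT Coordination Center <cert@cert.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 1996-07-23 838080000 0 3 0 1 1 01 0123456789ABCDEF0123456789ABCDEF01234567
"""
FORGED = GENUINE.replace(PINNED_FPR, "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
```

A key fetched over the same channel as the advisory it is meant to check adds no assurance, so confirm the fingerprint through a second channel before pinning it.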



Recent Activity and Trends
- --------------------------

Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Linux root compromises

At least once a week we see reports of Linux machines that suffer
break-ins leading to root compromises. In many of these incidents, the
systems were misconfigured, and/or the intruders exploited well-known
vulnerabilities (for which CERT advisories have been published); the
intruders then installed Trojan horse programs and/or network
monitoring programs (packet sniffers).

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We recommend that you also review

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/cert_advisories/CA-94:01.README

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

http://bach.cis.temple.edu/linux/linux-security/


2. Telnetd in Linux systems

We have noticed an increase in the exploitation of a vulnerability in
the telnetd environment on unpatched Linux-based systems. If you have
not patched your system(s) for this vulnerability, we urge you to
review CERT advisory CA-95:14 and the associated README file and
install the patch or workaround provided.

ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-95:14.README


3. Password Cracking

We continue to receive daily reports of unauthorized site access as a
result of compromised accounts and/or "cracked" passwords. For
information about protecting your password files, please see

ftp://info.cert.org/pub/tech_tips/passwd_file_protection


4. Sendmail attacks

Although discussed in previous summaries, we continue to receive
reports each week about intruders who attempt to exploit sendmail
vulnerabilities. We have published several advisories on sendmail. If
you have not addressed the vulnerabilities in sendmail, we urge you to
review these advisories and take appropriate action. All advisories,
including sendmail advisories, can be found at

ftp://info.cert.org/pub/cert_advisories/

In many of these attempts, intruders are trying to obtain
password files. For information on protecting your password files, see

ftp://info.cert.org/pub/tech_tips/passwd_file_protection

We have had many questions about when to use the sendmail restricted
shell program (smrsh). You should run smrsh with any UNIX system that
is running sendmail, regardless of vendor or version.

smrsh is now included as part of the current sendmail distribution
(effective with version 8.7.1). We strongly urge you to upgrade to the
latest version of sendmail. See

ftp://info.cert.org/pub/latest_sw_versions/sendmail


5. cgi-bin vulnerabilities

Since our last summary, we've seen an increase in the number of
reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin
program that relies on escape_shell_cmd() to prevent exploitation of
shell-based library calls may be vulnerable to attack. For more
information about cgi-bin vulnerabilities and patches, please see

ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
ftp://info.cert.org/pub/cert_advisories/CA-96.06.README

There have been discussions in several public forums about the problem
of general-purpose interpreters being placed in the cgi-bin directory.
If these interpreters are accessible in the cgi-bin directory of a Web
server, then a remote user can execute any command the interpreters
can execute on that server. For more details and patch information,
see

ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
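
An added example, not part of the CERT text: one way to audit a cgi-bin tree for the interpreter exposure described above. The interpreter list, the function names, and the name-and-symlink matching rule are assumptions made for this sketch and should be adapted to the platform.

```python
import os
import sys

# Assumed list of general-purpose interpreters; extend it for your platform.
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "perl", "python",
                "tclsh", "wish", "ruby", "php", "awk"}


def _base(name):
    """Reduce 'perl5.003', 'perl.exe' or 'python3' to 'perl' / 'python'."""
    stem = os.path.basename(name).lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    return stem.rstrip("0123456789.-_")


def audit_cgi_bin(cgi_dir):
    """Return sorted (path, reason) pairs for interpreters reachable in cgi_dir."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            path = os.path.join(root, name)
            if _base(name) in INTERPRETERS:
                findings.append((path, "interpreter name"))
                continue
            # A harmless-looking name can still be a link to an interpreter.
            target = os.path.realpath(path)
            if _base(target) in INTERPRETERS:
                findings.append((path, "resolves to " + target))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in audit_cgi_bin(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "-", reason)
```

A name check does not catch hard links or renamed copies; comparing inodes or file hashes against the system's interpreters covers those cases.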


6. Mail spamming/spoofing attacks

We receive reports of at least three mail spamming and/or spoofing
incidents each week. For information on responding to and recovering
from such activity, see

ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
ftp://info.cert.org/pub/tech_tips/email_spoofing



What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary (May 22, 1996).


* New Additions

ftp://info.cert.org/pub/cert_advisories/

CA-96.10.nis+_configuration
CA-96.10.README
CA-96.11.interpreters_in_cgi_bin_dir
CA-96.11.README
CA-96.12.suidperl_vul
CA-96.12.README
CA-96.13.dip_vul
CA-96.13.README

ftp://info.cert.org/pub/cert_bulletins/

VB-96.08.sgi
VB-96.09.freebsd
VB-96.10.sco
VB-96.11.freebsd

ftp://info.cert.org/pub/tech_tips/

choose_operating_sys    Things to consider when choosing an
                        operating system for your site

ftp://info.cert.org/pub/tools/

ifstatus Added the ifstatus program

ftp://info.cert.org/pub/vendors/

sun/sun_bulletin_00135  Added bulletin from Sun
                        Microsystems, Inc.

dec/dec-96.0383         Added bulletin from Digital
                        Equipment Corporation



* Updated Files

ftp://info.cert.org/pub/cert_advisories/

CA-95:13.README         Added vendor information for Digital
                        Equipment Corporation and Silicon
                        Graphics, Inc.

CA-96.04.README         Added information about the next
                        release of BIND

CA-96.08.README         Added vendor information for Digital
                        Equipment Corporation, NEC
                        Corporation, and Data Design Systems,
                        Inc. Added patch information for
                        FreeBSD, Inc.

CA-96.09.README         Added vendor information for Digital
                        Equipment Corporation. Added pointers
                        to Silicon Graphics, Inc. release notes
                        and Sun Microsystems, Inc. patches

CA-96.12.README         Added vendor information for FreeBSD,
                        NEC Corporation, and Digital Equipment
                        Corporation

ftp://info.cert.org/pub/FIRST/

first-contacts Updated contact information


ftp://info.cert.org/pub/latest_sw_versions/

bind                    Added pointer to version 4.9.4
ifstatus                Added pointer to ifstatus

If you use any of the software listed in this directory, we recommend
that you upgrade to the current versions. Among other changes, these
new versions address security weaknesses present in previous versions.

If you have any questions about the software listed in this directory,
please contact the vendor for more information.


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources. To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information. The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMfdf5/WDLGpfj4rlAQGkAgP/Yv3hh6UcsPwh4jX+lGFRgTvP3OY1acEs
FHbX6NZF1f9ZQg58wjE20Xgn+j/SvDCgLc5TxsX+qWFkGHck8Iyqt8eX/Av5ipzy
NeJybAF6e73/n5c5VeWixAEcOpqGw+XWtIVekQFPlG+luSjfb1axg+FyTLM0gNFG
yO2HOnASPVE=
=cS9n
-----END PGP SIGNATURE-----