From travis@borneo.evtech.com Thu Jul 25 04:02:40 1996
Received: from midway (midway.evtech.com [204.96.163.2]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA00545 for ; Thu, 25 Jul 1996 04:02:30 +1000
Received: from tahiti.evtech.com (tahiti.evtech.com [192.35.179.19]) by midway (8.7.3/8.6.9) with ESMTP id NAA21735 for ; Wed, 24 Jul 1996 13:02:25 -0500 (CDT)
Received: from borneo.evtech.com (borneo.evtech.com [192.35.179.29]) by tahiti.evtech.com (8.6.12/8.6.12) with ESMTP id NAA03697 for ; Wed, 24 Jul 1996 13:02:24 -0500
Message-Id: <199607241802.NAA03697@tahiti.evtech.com>
To: best-of-security@suburbia.net
Subject: CERT Summary CS-96.04 (fwd)
From: travis@EvTech.com
Date: Wed, 24 Jul 1996 13:02:22 -0500
Sender: travis@EvTech.com

------- Forwarded Message

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------------
CERT(sm) Summary CS-96.04                                      July 23, 1996

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems.

We also list new or updated files that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

- - ---------------------------------------------------------------------------
Increasing Sophistication of Intruder Community Expertise
- - ---------------------------------------------------------

In earlier summaries, we noted that the intruder community was analyzing
operating system source code to develop increasingly sophisticated and
effective exploitation techniques. The intruder community is now developing
new techniques to analyze programs for potential vulnerabilities even in the
absence of source code.
This can be done with a tool that traces system calls and subroutine calls
within a program, thus allowing a person to match such calls against command
line parameters. Although there is little that sites can do in direct
response to this information, it does highlight the importance of staying up
to date with security patches and workarounds for your operating systems and
applications.

Operating System Concerns
- - -------------------------

We receive reports relating to incident activity from many different sites
using a wide variety of operating systems. Because of problems we see that
directly relate to operating systems, we felt it worthwhile to make a few
observations about choosing an operating system. For information on this
subject, see

        ftp://info.cert.org/pub/tech_tips/choose_operating_sys

Forged Advisories
- - -----------------

Occasionally, we see forged advisories on various newsgroups or other
distribution lists. If you have the Pretty Good Privacy (PGP) program, you
can determine whether or not an advisory is genuine by checking the PGP
signature. We use PGP to sign all our advisories.

To verify that a CERT advisory is authentic,

1. Get the CERT public key from

        ftp://info.cert.org/pub/CERT_PGP.key

2. Verify the authenticity of the document by checking the PGP signature.
   To do this, enter the following command:

        % pgp

   You should see a message that includes the statement

        Good signature from user "CERT Coordination Center ".
        Signature made

Recent Activity and Trends
- - --------------------------

Since the May CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Linux root compromises

   At least once a week we see reports of Linux machines that suffer
   break-ins leading to root compromises.
   In many of these incidents, the systems were misconfigured, and/or the
   intruders exploited well-known vulnerabilities (for which CERT advisories
   have been published); the intruders then installed Trojan horse programs
   and/or network monitoring programs (packet sniffers).

   If you are running Linux, we strongly urge you to keep up to date with
   patches and security workarounds. We recommend that you also review

        ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
        ftp://info.cert.org/pub/cert_advisories/CA-94:01.README

   Further, you may want to monitor the Linux newsgroups and mailing lists
   for security patches and workarounds. More information can be found at

        http://bach.cis.temple.edu/linux/linux-security/

2. Telnetd in Linux systems

   We have noticed an increase in the exploitation of a vulnerability in the
   telnetd environment on unpatched Linux-based systems. If you have not
   patched your system(s) for this vulnerability, we urge you to review CERT
   advisory CA-95:14 and the associated README file and install the patch or
   workaround provided.

        ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-95:14.README

3. Password Cracking

   We continue to receive daily reports of unauthorized site access as a
   result of compromised accounts and/or "cracked" passwords. For
   information about protecting your password files, please see

        ftp://info.cert.org/pub/tech_tips/passwd_file_protection

4. Sendmail attacks

   Although discussed in previous summaries, we continue to receive reports
   each week about intruders who attempt to exploit sendmail
   vulnerabilities. We have published several advisories on sendmail. If
   you have not addressed the vulnerabilities in sendmail, we urge you to
   review these advisories and take appropriate action.
   All advisories, including sendmail advisories, can be found at

        ftp://info.cert.org/pub/cert_advisories/

   In many of these attempts, intruders are trying to obtain password files.
   For information on protecting your password files, see

        ftp://info.cert.org/pub/tech_tips/passwd_file_protection

   We have had many questions about when to use the sendmail restricted
   shell program (smrsh). You should run smrsh with any UNIX system that is
   running sendmail, regardless of vendor or version. smrsh is now included
   as part of the current sendmail distribution (effective with version
   8.7.1). We strongly urge you to upgrade to the latest version of
   sendmail. See

        ftp://info.cert.org/pub/latest_sw_versions/sendmail

5. cgi-bin vulnerabilities

   Since our last summary, we've seen an increase in the number of reports
   relating to vulnerabilities in cgi-bin programs. Any cgi-bin program that
   relies on escape_shell_cmd() to prevent exploitation of shell-based
   library calls may be vulnerable to attack. For more information about
   cgi-bin vulnerabilities and patches, please see

        ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
        ftp://info.cert.org/pub/cert_advisories/CA-96.06.README

   There have been discussions in several public forums about the problem
   of general-purpose interpreters being placed in the cgi-bin directory.
   If these interpreters are accessible in the cgi-bin directory of a Web
   server, then a remote user can execute any command the interpreters can
   execute on that server. For more details and patch information, see

        ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir

6. Mail spamming/spoofing attacks

   We receive at least three incidents each week of mail spamming and/or
   spoofing attacks.
   For information on responding to and recovering from such activity, see

        ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
        ftp://info.cert.org/pub/tech_tips/email_spoofing

What's New in the CERT FTP Archive
- - ----------------------------------

We have made the following changes since the last CERT Summary (May 22, 1996).

* New Additions

  ftp://info.cert.org/pub/cert_advisories/
        CA-96.10.nis+_configuration
        CA-96.10.README
        CA-96.11.interpreters_in_cgi_bin_dir
        CA-96.11.README
        CA-96.12.suidperl_vul
        CA-96.12.README
        CA-96.13.dip_vul
        CA-96.13.README

  ftp://info.cert.org/pub/cert_bulletins/
        VB-96.08.sgi
        VB-96.09.freebsd
        VB-96.10.sco
        VB-96.11.freebsd

  ftp://info.cert.org/pub/tech_tips/
        choose_operating_sys    Things to consider when choosing an
                                operating system for your site

  ftp://info.cert.org/pub/tools/
        ifstatus                Added the ifstatus program

  ftp://info.cert.org/pub/vendors/
        sun/sun_bulletin_00135  Added bulletin from Sun Microsystems, Inc.
        dec/dec-96.0383         Added bulletin from Digital Equipment
                                Corporation

* Updated Files

  ftp://info.cert.org/pub/cert_advisories/
        CA-95:13.README         Added vendor information for Digital
                                Equipment Corporation and Silicon
                                Graphics, Inc.
        CA-96.04.README         Added information about the next release
                                of BIND
        CA-96.08.README         Added vendor information for Digital
                                Equipment Corporation, NEC Corporation,
                                and Data Design Systems, Inc. Added patch
                                information for FreeBSD, Inc.
        CA-96.09.README         Added vendor information for Digital
                                Equipment Corporation. Added pointers to
                                Silicon Graphics, Inc. release notes and
                                Sun Microsystems, Inc. patches
        CA-96.12.README         Added vendor information for FreeBSD, NEC
                                Corporation, and Digital Equipment
                                Corporation

  ftp://info.cert.org/pub/FIRST/
        first-contacts          Updated contact information

  ftp://info.cert.org/pub/latest_sw_versions/
        bind                    Added pointer to version 4.9.4
        ifstatus                Added pointer to ifstatus

  If you use any of the software listed in this directory, we recommend
  that you upgrade to the current versions.
  Among other changes, these new versions address security weaknesses
  present in previous versions. If you have any questions about the
  software listed in this directory, please contact the vendor for more
  information.

- - ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
        ftp://info.cert.org/pub/CERT_PGP.key

- - ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University

This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMfUSNnVP+x0t4w7BAQG3CgQAiRAD3meYp01qIOTMk0xAkw0SeKvrCG6/
C4i/A33Vmxm+ff1DxX7XQH00JTfDglZfgghDHt5l6K7wjKng6EEQH1SlXkk9mCuA
+Ftn1Q2skILHJk6gHhmq4Exd8srHjxxVeRw2up1fivKTYLT8XCWnEzbGk2TOFZZh
aynavCwOets=
=cvWI
- -----END PGP SIGNATURE-----

------- End of Forwarded Message
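Item 1 of the forwarded summary warns that intruders install network monitoring programs (packet sniffers) after a root compromise, and the archive notes list the ifstatus tool for spotting them. The Python below is an editor's added example, not code from the CERT summary or from ifstatus: it performs the same kind of check on Linux by reading each interface's flags word from sysfs (/sys/class/net/<iface>/flags) and reporting interfaces with IFF_PROMISC set. The sysfs path, the function names and the sample flag values are assumptions of the example; the sample values are constructed.

```python
"""Report network interfaces that are in promiscuous mode.

Added example (not from the CERT summary or the ifstatus tool). A packet
sniffer puts an interface into promiscuous mode so the kernel delivers
every frame on the segment, and the kernel records that in the interface
flags word. On Linux that word is exposed as a hex literal in
/sys/class/net/<iface>/flags, which is what this script reads.
"""
import os
from typing import Dict, List

IFF_PROMISC = 0x100  # bit defined in linux/if.h


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Return, sorted by name, the interfaces whose flags word has
    IFF_PROMISC set.

    flags_by_iface maps interface name -> the text of its sysfs flags
    file (a hex literal such as "0x1003\\n")."""
    found = []
    for name, text in sorted(flags_by_iface.items()):
        try:
            flags = int(text.strip(), 16)
        except ValueError:
            continue  # malformed entry: skip it rather than guess
        if flags & IFF_PROMISC:
            found.append(name)
    return found


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the flags file of every interface under root.

    Returns an empty dict on non-Linux hosts or when root is missing, so the
    caller can fall back to other evidence instead of crashing."""
    result: Dict[str, str] = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        path = os.path.join(root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # e.g. a stale entry or no permission
    return result


# Constructed sample, modelled on real sysfs values (not taken from a
# real host): eth1 carries IFF_PROMISC in addition to the usual bits.
SAMPLE_FLAGS = {
    "lo":   "0x9\n",     # IFF_UP | IFF_LOOPBACK
    "eth0": "0x1003\n",  # IFF_UP | IFF_BROADCAST | IFF_MULTICAST
    "eth1": "0x1103\n",  # same as eth0 plus IFF_PROMISC
}

if __name__ == "__main__":
    live = read_sysfs_flags()
    source = live if live else SAMPLE_FLAGS
    for iface in promiscuous_interfaces(source):
        print(f"WARNING: {iface} is in promiscuous mode")
```

A clean result is necessary, not sufficient: the check reads the kernel's own view rather than trusting a possibly trojaned ifconfig binary, but a kernel-level rootkit can hide the flag, so pair it with the host-integrity review the CA-94:01 advisory describes.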
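Item 5 of the forwarded summary concerns CGI programs that rely on escape_shell_cmd() before passing user input to a shell-based library call. The Python below is an editor's added example, not code from the CERT summary or from the NCSA/Apache example code. It shows why escaping is the wrong tool: an escaper can only neutralise the characters on its list, and anything absent from that list (control characters such as newline, the well-known omission in the 1996 function) passes straight through to the shell. The defensive pattern that replaces it never builds a shell command line at all: validate the field against an allowlist and execute the program with the value as a separate argv element. The metacharacter list, the program path, the username pattern and the function names are assumptions of the example; the sample inputs are constructed.

```python
"""Running an external program from a CGI handler without a shell.

Added example, not the CERT summary's or NCSA/Apache's code. Contrasts an
escape_shell_cmd()-style escaper (backslash a fixed list of metacharacters,
then hand the string to popen/system) with allowlist validation plus
shell-free execution.
"""
import re
import subprocess
from typing import List, Optional

# Assumed metacharacter list, in the style of the 1996 example code.
# Note what is missing: control characters such as "\n" and "\r".
METACHARS = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd(s: str) -> str:
    """Escaping in the style of the original CGI example code.

    Shown only to illustrate the weakness: it is correct for the characters
    it knows about and silent about every other one."""
    return "".join("\\" + c if c in METACHARS else c for c in s)


def leaks_control_chars(s: str) -> bool:
    """True if escaping s still leaves an ASCII control character in the
    string that would reach the shell."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in escape_shell_cmd(s))


# Allowlist for a login name: no leading "-", so the value can never be
# mistaken for an option even without a "--" separator.
USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def validate_username(field: str) -> Optional[str]:
    """Return the field if it is a plausible login name, else None.

    Input is accepted or rejected, never 'repaired'."""
    return field if USERNAME_RE.fullmatch(field) else None


def build_argv(program: str, field: str) -> Optional[List[str]]:
    """Assemble argv without a shell; None means 'refuse the request'."""
    user = validate_username(field)
    if user is None:
        return None
    return [program, user]


def run_lookup(program: str, field: str) -> str:
    """Hardened equivalent of popen("finger " + escape_shell_cmd(field))."""
    argv = build_argv(program, field)
    if argv is None:
        return "rejected: invalid input"
    # No shell=True: argv elements are passed to the program verbatim and
    # nothing in them is ever parsed as shell syntax.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and one carrying a newline.
    for field in ("alice", "alice\nextra"):
        print(repr(field),
              "| escaped string still carries control chars:",
              leaks_control_chars(field),
              "| argv:", build_argv("/usr/bin/finger", field))
```

The allowlist is the part worth copying: it encodes what a valid value looks like, so new shell features or forgotten metacharacters cannot widen the gap, and rejecting rather than rewriting bad input keeps the log of refused requests useful for detection.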