From proff  Fri Sep 27 05:31:20 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id FAA10363 for best-of-security; Fri, 27 Sep 1996 05:31:19 +1000
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id FAA08492 for proff@suburbia.net; Fri, 27 Sep 1996 05:27:50 +1000
X-Envelope-From: aultja@sch.ge.com  Fri Sep 27 05:27:42 1996
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id FAA08337 for <best-of-security@suburbia.net>; Fri, 27 Sep 1996 05:27:40 +1000
Received: from ns.ge.com(192.35.39.24)
 via SMTP by suburbia.net, id smtpd02017aaa; Thu Sep 26 16:11:18 1996
Received: from thomas.ge.com (thomas.ge.com [3.47.28.21]) by ns.ge.com (8.7.5/8.7.3) with ESMTP id MAA21829 for <best-of-security@suburbia.net>; Thu, 26 Sep 1996 12:12:15 -0400 (EDT)
Received: from stes02.sch.ge.com (stes02.sch.ge.com [3.72.108.134]) by thomas.ge.com (8.7.5/8.7.5) with SMTP id MAA01412 for <best-of-security@suburbia.net>; Thu, 26 Sep 1996 12:10:56 -0400 (EDT)
Received: from dso037.sch.ge.com (dso037.sch.ge.com [3.72.112.46])
          by stes02.sch.ge.com (8.6.12/8.6.12)
          with ESMTP id MAA21474
          for <best-of-security@suburbia.net>;
          Thu, 26 Sep 1996 12:08:57 -0400
Message-Id: <199609261608.MAA21474@stes02.sch.ge.com>
Prev-Resent: Thu, 26 Sep 1996 12:08:52 -0400
Prev-Resent: "best-of-security@suburbia.net "
From: CERT Advisory <cert-advisory@cert.org>
Date: 24 Sep 1996 21:32:54 GMT
Subject: CERT Summary CS-96.05
Newsgroups: comp.security.announce
Lines: 294
Resent-To: best-of-security@suburbia.net
Resent-Date: Thu, 26 Sep 1996 12:08:54 -0400
Resent-Message-ID: <5516.843754134@sch.ge.com>
Resent-From: Jim Ault <aultja@sch.ge.com>
Apparently-To: <best-of-security@suburbia.net>
Approved: proff@suburbia.net


-----BEGIN PGP SIGNED MESSAGE-----

CERT(sm) Summary CS-96.05
September 24, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------


Clarification to CS-96.04
- -------------------------

In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be used
by the intruder community.


Recent Activity and Trends
- --------------------------

Since the July CERT Summary, we have noticed these trends in incidents
reported to us.

1. Denial of Service Attacks

Instructions for executing denial-of-service attacks and programs to
implement such attacks have recently been widely distributed. Since
this information was published, we have noticed a significant and
rapid increase in the number of denial-of-service attacks executed
against sites.

To learn more about denial-of-service attacks and how to limit them,
see

  ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

To monitor and log an attack, you can use a tool such as Argus. For
more information regarding Argus, see

  ftp://info.cert.org/pub/tech_tips/security_tools
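The summary recommends monitoring and logging an attack rather than describing one. The following Python is an added example, not code from the CERT summary or from Argus: it reads a snapshot of `netstat -an`-style output and flags local ports with an unusual number of half-open (SYN_RECV / SYN_RCVD) connections from many distinct peers, which is the visible symptom of the TCP SYN flooding that CA-96.21 covers. The sample output, the column layout and the threshold of five are constructed for illustration; a real monitor would sample repeatedly and compare against a baseline for the host.

```python
"""Added example (not from the CERT summary): spot a possible TCP SYN flood
from a netstat -an snapshot by counting half-open connections per local port.
Sample lines, field layout and threshold are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed sample of `netstat -an` output. Linux prints SYN_RECV, BSD
# derivatives print SYN_RCVD; both are treated as half-open below.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:40122      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.13:1027       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.21:1028       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.33:1029       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.8:51000      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.40:51001      SYN_RECV
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}


def parse_netstat(text):
    """Yield (proto, local_port, foreign_host, state) for each TCP line.

    The header line and non-TCP lines are skipped; the address columns are
    split on the last ':' so that the port is separated from the host."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        local_port = local.rsplit(":", 1)[1]
        foreign_host = foreign.rsplit(":", 1)[0]
        yield fields[0], local_port, foreign_host, state


def half_open_by_port(text):
    """Count half-open connections per local port and the distinct peers behind them."""
    counts = Counter()
    peers = defaultdict(set)
    for _, port, peer, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            counts[port] += 1
            peers[port].add(peer)
    return counts, peers


def suspected_syn_flood(text, threshold=5):
    """Return {port: {"half_open": n, "distinct_peers": m}} for ports at or
    above the threshold. A backlog of half-open entries from many different
    (often unreachable or spoofed) addresses that never progress to
    ESTABLISHED is the classic SYN-flood signature; a single busy peer is
    more likely a slow client."""
    counts, peers = half_open_by_port(text)
    return {
        port: {"half_open": n, "distinct_peers": len(peers[port])}
        for port, n in counts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for port, info in suspected_syn_flood(SAMPLE_NETSTAT).items():
        print(f"port {port}: {info['half_open']} half-open from "
              f"{info['distinct_peers']} distinct peers")
```

Run it against live output with `netstat -an | python3 synwatch.py`-style plumbing by reading `sys.stdin` instead of the constructed sample; the threshold should be set from the host's normal backlog, not the toy value used here.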


2. Continuing Linux Exploitations

We continue to see incidents in which Linux machines are the victims
of break-ins leading to root compromises. In many of these incidents,
the systems were misconfigured and/or the intruders exploited
well-known vulnerabilities for which CERT advisories have been
published.

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We also recommend that you review

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

  http://bach.cis.temple.edu/linux/linux-security/


3. PHF Exploits

At least weekly, and often daily, we see reports of password files
being obtained illegally by intruders who have exploited a
vulnerability in the PHF cgi-bin script. The script is installed by
default with several implementations of httpd servers, and it contains
a weakness that allows intruders to retrieve the password file for the
machine running the httpd server. The vulnerability is described in

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

Once the intruders retrieve the password file, they may attempt to
crack the passwords found in the file. For information about
protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection
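Two defender-side checks for this section, written as an added Python example that is not part of the CERT summary or its tech tips. The first scans Common Log Format httpd access-log lines for requests to `/cgi-bin/phf` whose query string carries an encoded newline; that signature is drawn from general knowledge of the CA-96.06 flaw, which the summary names but does not describe, and a plain `phf` lookup without a newline is left alone because it may be legitimate. The second lists `/etc/passwd` entries that still carry a real hash (or no password at all) instead of a shadow marker, which is the exposure that makes the retrieved file worth cracking. All log lines, accounts and the hash value are constructed, and the shadow-marker set is an assumption that should be adjusted to the local Unix flavour.

```python
"""Added example (not from the CERT summary): detect phf abuse in httpd
access logs and find password hashes that still live in a world-readable
/etc/passwd. All sample data below is constructed."""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; the second carries an encoded newline
# (%0a) in the query string, the shape of a CA-96.06 probe, but no command.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [26/Sep/1996:12:01:03 -0400] "GET /index.html HTTP/1.0" 200 2041
203.0.113.7 - - [26/Sep/1996:12:01:09 -0400] "GET /cgi-bin/phf?Qalias=x%0aCONSTRUCTED-TEST-PAYLOAD HTTP/1.0" 200 1532
198.51.100.4 - - [26/Sep/1996:12:02:15 -0400] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 411
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def phf_hits(log_text):
    """Return (client, timestamp, decoded request) for phf requests whose
    query string decodes to contain a CR or LF, which ordinary phf queries
    never need."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        script, _, query = m.group("path").partition("?")
        if not script.endswith("/cgi-bin/phf"):
            continue
        decoded_query = unquote(query)
        if "\n" in decoded_query or "\r" in decoded_query:
            hits.append((m.group("host"), m.group("time"), unquote(m.group("path"))))
    return hits


# Constructed passwd file: root, daemon and ftp are shadowed or locked,
# smith has a (placeholder, constructed) DES-style hash in the clear, and
# guest has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
ftp:*:14:50:FTP User:/home/ftp:/bin/false
smith:Xy9kF2mQp1LzA:1001:100:J. Smith:/home/smith:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/sh
"""

# Assumed markers meaning "hash is in the shadow file" or "account locked";
# extend for the local system (e.g. Solaris uses *LK*).
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def unshadowed_accounts(passwd_text):
    """Return {"hashed": [...], "empty": [...]}: accounts whose hash sits in
    the readable passwd file, and accounts with no password at all."""
    result = {"hashed": [], "empty": []}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; not this check's concern
        user, pw = fields[0], fields[1]
        if pw == "":
            result["empty"].append(user)
        elif pw not in SHADOW_MARKERS:
            result["hashed"].append(user)
    return result


if __name__ == "__main__":
    for host, when, req in phf_hits(SAMPLE_ACCESS_LOG):
        print(f"phf probe from {host} at {when}: {req!r}")
    print(unshadowed_accounts(SAMPLE_PASSWD))
```

Feed real files with `phf_hits(open("/var/log/httpd/access_log").read())` and `unshadowed_accounts(open("/etc/passwd").read())`; a non-empty "hashed" list means the password file retrievable through phf (or any other leak) is directly crackable.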


4. Software Piracy

We have received frequent reports regarding software piracy since the
last CERT Summary was issued. Although software piracy is beyond the
scope of the mission of the CERT Coordination Center, it is often
associated with compromised hosts or accounts because intruders
sometimes use compromised hosts to distribute pirated software. News
of illegal collections of software circulates quickly within the
underground community, which may focus unwanted attention on a site
used for software piracy.

We encourage you to periodically check your systems for signs of
software piracy. To learn more, please examine our relevant tech tips:

  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

To learn more about detecting and preventing security breaches, please see

  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist



- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (July 23,
1996).

* README Files Incorporated into Advisories

As of August 30, 1996, we no longer put advisory updates into README files. We
now revise the advisories themselves. In addition, we have updated past
advisories with information from their README files. We urge you to check
advisories regularly for updates that relate to your site.

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.14.rdist_vul
    CA-96.15.Solaris_KCMS_vul
    CA-96.16.Solaris_admintool_vul
    CA-96.17.Solaris_vold_vul
    CA-96.18.fm_fls
    CA-96.19.expreserve
    CA-96.20.sendmail_vul
    CA-96.21.tcp_syn_flooding

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.12.freebsd
    VB-96.13.hp
    VB-96.14.sgi
    VB-96.15.sco
    VB-96.16.transarc

ftp://info.cert.org/pub/latest_sw_versions

    swatch

ftp://info.cert.org/pub/tech_tips

    UNIX_configuration_guidelines       These replace the security_info file
    intruder_detection_checklist        (the CERT Security Checklist).
    security_tools

ftp://info.cert.org/pub/vendors/

    hp/HPSBUX9607-033                   Added Hewlett-Packard bulletin about a
                                        security vulnerability in expreserve.



* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-96.02.bind                       In the appendix, updated Sun
                                        Microsystems, Inc. patch information.
                                        In section I, added information about
                                        the next release of bind and the
                                        IsValid program.

    CA-96.08.pcnfsd                     Updated URL for IBM Corporation,
                                        updated Hewlett-Packard Company patch
                                        information, and modified NEC
                                        Corporation patch information.

    CA-96.09.rpc.statd                  Updated URL for IBM Corporation,
                                        removed a workaround for SunOS 4.x
                                        (patches now available), updated
                                        information on Hewlett-Packard
                                        Company, and added patch information
                                        for NEC Corporation. Also updated
                                        opening paragraph.

    CA-96.14.rdist_vul                  In Appendix A, added note under
                                        Silicon Graphics, Inc. about using the
                                        find command, updated the
                                        Hewlett-Packard Company entry, added
                                        information about Digital Equipment
                                        Corporation, and added an IBM
                                        Corporation URL.

    CA-96.15.Solaris_KCMS_vul           In Introduction, added information
                                        about Solaris 2.5.1.

    CA-96.18.fm_fls                     Added vendor information to Appendix A.
                                        Added Section III.B, which provides
                                        another possible solution to the
                                        problem.

    CA-96.19.expreserve                 In Appendix A, added information for
                                        Silicon Graphics Inc. and Sun
                                        Microsystems, Inc.

    CA-96.20.sendmail_vul               Added to Sec. III.B instructions on
                                        configuring sendmail at sites that use
                                        '&' in the gecos field of /etc/passwd.
                                        Added to Sec. III.C a note on uid for
                                        "mailnull" user. In the appendix, added
                                        information from FreeBSD, Inc. and
                                        Berkeley Software Design, Inc. (BSDI).

ftp://info.cert.org/pub/FIRST

    first-contacts

ftp://info.cert.org/pub/latest_sw_versions

    rdist-patch-status                  Updated information for
                                        Hewlett-Packard Company and NeXT
                                        Software, Inc. information. Updated
                                        rdist version information in
                                        Section II.G.
    sendmail


ftp://info.cert.org/pub/tech_tips

    root_compromise



- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMkhCfHVP+x0t4w7BAQFR5gQAtYvbKLJAbTzfRizblM9mbl/4oLfnsqdQ
HcX8KKDNAtVd2DWKGEsq7U7v9w8KyzDtVpRFba8VSsVmpzixzxnbZSifwyfkcuX9
x2xbQ1SVWBjep399HkbYtS0Y3C0RdCo9p/uxdB5/GkZqD3NMdPoBvFf+j/H6376w
tDcheNKNobk=
=DZgd
-----END PGP SIGNATURE-----

