-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(sm) Advisory CA-95:07 
Original issue date:  April 10, 1995
Last revised: April 21, 1995 
              SUPERSEDED BY CA-95:07a

Topic:  Vulnerability in SATAN
- -----------------------------------------------------------------------------

           *** THIS ADVISORY HAS BEEN SUPERSEDED BY CA-95:07a ***

There is a vulnerability introduced into systems running SATAN version
1.0.  This vulnerability affects all systems that support the use of
SATAN with the HTML interface.

The CERT team recommends that you take the precautions described in
Section III below before you run SATAN and that you upgrade to SATAN
version 1.1 when available.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

For an overview of SATAN (Security Administrator Tool for Analyzing Systems),
see CERT advisory CA-95:06.

- -----------------------------------------------------------------------------

I.   Description

     In SATAN version 1.0, it is possible for unauthorized users to gain
     root access to systems during the time SATAN is running from the root
     account. This vulnerability exploits a weakness in the HTML server
     started by SATAN on a random, high-numbered TCP port.  Additional
     details on this vulnerability will be found in the SATAN
     documentation provided with SATAN version 1.1 when version 1.1 is 
     released.

II.  Impact

     Unauthorized users can execute programs as root. Access to an account on
     the system may not be necessary to do this.


III. Solution

     It is expected that SATAN version 1.1 will fix this problem, and if
     possible you should wait for this version before running SATAN.  

     The following precautions will prevent the introduction of this 
     vulnerability while you are running SATAN and are recommended  
     whether you are running SATAN version 1.0 or 1.1.  

     1. Install all relevant security patches for the system on which you will
        run SATAN. 

     2. Execute SATAN only from the console of the system on which it is
        installed (e.g., do not run SATAN from an X terminal, from a diskless
        workstation, or from a remote host). 

     3. Ensure that the SATAN directory tree is not NFS-mounted from a remote
        system. 

     4. Ensure that the SATAN directory tree cannot be read by users other
        than root.

     5. Do not link to any URLs outside your own system and site while running
        the browser started by SATAN. If you use external links while SATAN is
        running from the SATAN browser, security can be compromised on the
        system from which you are executing SATAN. So, for example, do not use
        previously stored links such as those found in bookmarks and pull-down
        menus. 

     Note that SATAN 1.1 is expected to check systems for this SATAN 1.0
     vulnerability as part of scanning other systems.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org. 



Copyright 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Aug. 07, 1996  Information previously in the README was inserted
               into the advisory. Added supersession statement.
Apr. 21, 1995  Superseded by CA-95:07a.
Apr. 10, 1995  Sec. III - added precaution #5.


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBS+CFr9kb5qlZHQEQIr1ACcD7EDo457uHMtYv2bG8nWICDtRMsAoM96
nNe73KrHD4aAa1Et5W+3griG
=Fied
-----END PGP SIGNATURE-----