U.S. DOE's Computer Incident Advisory Capability

                            C I A C   N O T E S

Number 01                                              January 31, 1994

With this issue, the United States Department of Energy's Computer Incident Advisory Capability (CIAC) begins the electronic publication of articles on relevant computer security topics -- CIAC Notes. This is a service requested by our customers and we welcome your feedback on this issue of CIAC Notes. Please contact the editor, Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

TABLE of CONTENTS

    What is CIAC Notes?
    Subscribing to CIAC Notes
    The New CIAC Project Leader
    The CIAC Team
    Contacting CIAC
    The Growing Threat of Automated Intrusion
    Virus Information
    CIAC's Computer Security Information Servers
    OpenVMS Security Update Patch Kits
    CIAC Bulletins Issued in FY '93 (D-series) & FY '94 (E-series)
    CIAC Information Technology Security Workshops
    CIAC Publications

------------------------------

WHAT IS CIAC NOTES?

CIAC has published urgent advisories and important information bulletins since its inception in 1988 to alert sites about attacks or to report vulnerabilities and their countermeasures. CIAC Notes, a third level of notification, is a means to communicate information that does not warrant the issuing of a bulletin nor fit the bulletin format. It is for timely, but not time-critical, information; it includes articles with either a broader scope or more depth than can be covered in a bulletin. CIAC Notes will be published as needed, without a schedule, and distributed only electronically.

This issue, being the first, is probably larger and has more background information than ones to follow. All the articles in this issue were provided by CIAC team members. If you have information appropriate for this forum, please let us know.

CIAC advisories, bulletins and notes are available electronically from CIAC's computer security information servers, Felicia and Irbis. Instructions on accessing these servers are provided in the article "CIAC Computer Security Information Servers," below.

------------------------------

SUBSCRIBING TO CIAC NOTES

We intend to use electronic methods only to distribute CIAC Notes. Our mailing list is managed by a public domain software package called ListProcessor, which supports several types of user commands via E-mail. Our Internet address is:

    ciac-listproc@llnl.gov

ListProcessor ignores E-mail header subject lines, so you may leave that blank.

To subscribe to CIAC Notes (i.e., add a person to our mailing list), send the following request as the E-mail message body, substituting valid information for items in parentheses:

    subscribe CIAC-NOTES (Full_Name) (Phone_number)

To subscribe (add an address which is) a distribution_list, first subscribe the person responsible for your distribution_list. You will receive an acknowledgement, containing your address and access code, with information on how to change information, cancel the subscription, or get help. Then, change the address to be the distribution_list address by sending a second E-mail request. As the body of the message, send the following request:

    set CIAC-NOTES address (password) (distribution_list_address)

To be removed from this mailing list, send the following request:

    unsubscribe CIAC-NOTES

For more information, send the following request:

    help

If you have any questions about this list, you may contact the list's owner: listmanager@cheetah.llnl.gov

------------------------------

THE NEW CIAC PROJECT LEADER

We are pleased to announce that Sandra L. Sparks is the new CIAC Project Leader. Sandy brings fifteen years of a professional background in computer science, the last several years working in computer security areas, and lots of enthusiasm to her role in CIAC. Sandy is available to talk with you via phone at 510-422-6856 or E-mail as ssparks@llnl.gov.
In an emergency incident situation, she can be contacted via the secondary skypage: call 1-800-SKYPAGE (759-7243) and enter PIN number 855-0074.

------------------------------

THE CIAC TEAM

The following people are presently assigned to the CIAC Team. Each one has a variety of computer security experience and various specializations.

    Name                    Technical Support Areas
    ----                    -----------------------
    Cindy Durflinger        Administrative support specialist
    Rich Feingold           OpenVMS, ULTRIX, UNIX, PC, networks, training
    Bill Orvis (half time)  DOS, Macintosh, UNICOS, OpenVMS, engineering
    Karyn Pichnarczyk       DOS, Macintosh, viruses, UNIX
    Sandy Sparks            IBM VM/CMS, PC systems
    Allan Van Lehn          OpenVMS, sys admin, special projects, Notes editor
    Steve Weeber            SunOS, UNIX, X-windows, firewalls, Netmap

------------------------------

CONTACTING CIAC

If you require additional assistance or wish to report a vulnerability, call CIAC at 510-422-8193, fax messages to 510-423-8002 or send E-mail to ciac@llnl.gov.

For emergencies and off-hour assistance, call 1-800-SKYPAGE (759-7243) and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Duty Officer can be reached via the primary and the Project Leader can be reached via the secondary skypage number.

------------------------------

THE GROWING THREAT OF AUTOMATED INTRUSION

The term computer hacker, often used by the media today to describe computer intruders, was originally used to describe people who enjoyed exploring the details of computer systems, finding undocumented or unintended features. These people were often called wizards or gurus, in deference to the collection of arcane knowledge they possessed. Most malicious intruders were also willing to spend days poring over source code, but they were looking for vulnerabilities and persistently examining machine after machine looking for weaknesses. They tended to share their discoveries with others of like intent, often over the network they explored as if it were a giant computer maze game.

This characterization of the average computer intruder is rapidly changing. More and more of today's hackers aren't investing the time to master complex operating systems or develop contacts in the computer underground. This new breed of intruder simply makes use of an increasing number of publicly available, automated intrusion tools. The obscure knowledge required to exploit system vulnerabilities has now been encoded in easy-to-use, widely available software packages. The information that in the past was available only to a determined few is now easily accessible by anyone. This represents a dramatic increase in the size of the potential intruder population and a corresponding increase in the level of threat to which systems are exposed.

A recent example of one such tool, the Internet Security Scanner (ISS), was described in CIAC Advisory D-25. ISS was made publicly available on the Internet in late September, and within hours of its release, CIAC received multiple reports of attempted ISS intrusions. The tool automatically scans a specified range of network addresses, testing each machine found for the presence of more than a dozen vulnerabilities. ISS then generates a report summarizing the methods by which each machine may be compromised. This new tool reduces to a single command a process that in the past would have required detailed knowledge, programming skills, and persistence.

Now, more than ever, it is vital that hosts be configured securely and that networks be monitored for intruder activity. Tools available to U.S. Government agencies from the Computer Security Technology Center at Lawrence Livermore National Laboratory, such as the Network Intrusion Detector (NID) and the Security Profile Inspector (SPI), are capable of both detecting automated attacks in progress and preventing their success.
For further information, contact Stephen A. Weeber, CIAC at 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

VIRUS INFORMATION

PC Virus Information

Boot sector type viruses are the most prevalent of the reported PC viruses in 1993. Of these, the top two are Form and Stoned. Hence, CIAC urges users to have NO DISKETTES in the A drive during the boot up process. CIAC also encourages use of the capability some clone computers have to disable bootup from the A drive. Check the hardware manual to see if your computer has this capability and how to set it.

Beware! Even if a diskette is not bootable, it can transfer a boot sector virus to the hard drive during the boot up process [unless bootup from the floppy drive(s) is disabled].

PC Anti-Virus Software

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the United States Government or the University of California.

As of January 31, 1994, current versions of PC anti-virus software are:

    PRODUCT_NAME                              COMPANY                        VERSION  DATE_RELEASED
    ------------                              -------                        -------  -------------
    AVP                                       Kami Limited                   1.07     October 1993
    CP AntiVirus (CPAV)                       Central Point Software Inc.    2.1      November 1993
    Data Physician PLUS!*                     Digital Dispatch Inc.          4.0C     January 1994
    FindVirus/Dr.Solomon's AntiVirus Toolkit  Ontrack Computer Systems Inc.  6.5      October 1993
    F-PROT                                    FRISK Associates               2.10c    December 1993
    IBM Antivirus                             IBM Corp.                      1.04     December 1993
    Integrity Master                          Stiller Research, Dept. B1     1.51     June 1993
    Norton AntiVirus (NAV)                    Symantec Corp.                 3.0      October 1993
    PC Rx Antivirus                           Trend Micro Devices Inc.       2.65     ?
    SCAN                                      McAfee Associates              109      October 1993
    Thunderbyte                                                              6.09     ?
    Untouchable                               Fifth Generation Systems Inc.  29.04    ?
    VET                                       Cybec                          E7.334   ?
    Virex for the PC                          Datawatch, Triangle Sw. Div.   2.91     October 1993
    ViruSave                                  EliaShim Microcomputers Inc.   5.3      ?
    VirusBuster                               Leprechaun Sw. Int'l Ltd.      3.98     ?

    * Note: The Department of Energy has a site license for Data Physician Plus. It is available from your site CPPM.

For further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

A PC Virus: "The Satan Bug Virus"

The Satan Bug Virus represents a new generation of polymorphic, self-encrypting viruses. This virus is described in CIAC Bulletin D-22. CIAC has reports of it at three sites in the U.S., one site within and two others outside of the DOE.

The virus infects programs (.COM, .EXE, and .OVL files) and drivers (.SYS files) on MS-DOS/PC-DOS computers. When an infected program is executed, the virus runs first, loads itself into memory and then runs the infected program. The only thing you might notice is that an infected program seems to load a little slower than normal. The virus then watches the operating system for file open requests (Open or Execute) and infects each opened file, if it is not already infected. It keeps track of which files are infected by adding 100 years to the file's modification date. This isn't obvious when listing a directory by using the DIR command because only the last two digits of the year are displayed.

Because the virus also attacks drivers, and drivers are often located in limited sized holes in high memory, an infected driver will often no longer fit into its hole. When that happens, the system will fail. Since drivers control access to networked file servers, a machine with the Satan Bug Virus may be unable to connect to a file server. This is a primary symptom of a Satan Bug Virus infection.

Satan Bug is not widespread, is not intentionally damaging, but does result in a loss of time and a loss of access to facilities, especially while it is being removed. At the moment, most current versions of anti-viral programs detect and remove the virus (please see the list in the article "Current Virus Information" above). Be careful when scanning disks for viruses.
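A defender-side check for the date marker described above, written for this issue as an added example (it is not a CIAC tool): it lists program and driver files whose modification year is implausibly far ahead, and shows why DIR's two-digit year hides the change. The 50-year threshold, the sample directory and its dates are assumptions made for the example.

```python
"""Added example (not CIAC's code): look for the Satan Bug date marker.

The virus marks each file it has infected by adding 100 years to the
file's modification date, and DOS's DIR prints only the last two digits
of the year, so an infected 1994 file still displays as "94".  A defender
can instead list target files whose modification year is far ahead.
"""
import os
import tempfile
from datetime import datetime
from pathlib import Path
from typing import List, Optional

# File types the virus infects, as described in the article.
SATAN_BUG_TARGETS = {".com", ".exe", ".sys", ".ovl"}

# Assumption for this example: no legitimate file is dated 50 or more
# years ahead of "now", while a marked file sits a full century ahead.
FUTURE_YEARS_THRESHOLD = 50

# Reference time used by the demo: the date of this newsletter.
NEWSLETTER_DATE = datetime(1994, 1, 31, 12, 0, 0).timestamp()


def dir_year_display(mtime: float) -> str:
    """Two-digit year exactly as DIR would print it (1994 and 2094 both give '94')."""
    return datetime.fromtimestamp(mtime).strftime("%y")


def years_ahead(mtime: float, now: float) -> int:
    """Whole years between a file's modification date and the reference time."""
    return datetime.fromtimestamp(mtime).year - datetime.fromtimestamp(now).year


def suspicious_mtime(mtime: float, now: float) -> bool:
    """True when the modification date is far enough ahead to look like the marker."""
    return years_ahead(mtime, now) >= FUTURE_YEARS_THRESHOLD


def scan_tree(root: str, now: Optional[float] = None) -> List[str]:
    """Return names (relative to root) of target files dated far in the future."""
    now = datetime.now().timestamp() if now is None else now
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SATAN_BUG_TARGETS:
            if suspicious_mtime(path.stat().st_mtime, now):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def add_years(ts: float, years: int) -> float:
    """Shift a timestamp by whole years (used only to construct sample files;
    a Feb 29 date would need extra handling, which the demo avoids)."""
    d = datetime.fromtimestamp(ts)
    return d.replace(year=d.year + years).timestamp()


def build_demo() -> List[str]:
    """Construct a throwaway directory with one clean file, one file carrying
    the century-ahead date, and one non-target file, then scan it."""
    now = NEWSLETTER_DATE
    with tempfile.TemporaryDirectory() as root:
        for name in ("CLEAN.EXE", "MARKED.COM", "README.TXT"):
            Path(root, name).write_bytes(b"constructed sample, not a real program")
        os.utime(Path(root, "CLEAN.EXE"), (now, now))
        marked = add_years(now, 100)  # the date shift the virus applies
        os.utime(Path(root, "MARKED.COM"), (marked, marked))
        os.utime(Path(root, "README.TXT"), (marked, marked))  # not a target type
        return scan_tree(root, now)


if __name__ == "__main__":
    print(build_demo())
    print(dir_year_display(NEWSLETTER_DATE), dir_year_display(add_years(NEWSLETTER_DATE, 100)))
```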
If your scanner is infected, or if the virus is in memory and the scanner didn't detect it (or it did detect it and you told it to scan your disk anyway), the act of opening each file to scan for viruses may infect every file on your hard disk. If your scanner indicates that a virus is in memory, or that the scanner has been infected, DO NOT COMPLETE THE SCAN. Reboot your system from a clean, locked floppy disk, then run a clean version of the scanner from another locked floppy disk.

For further information, contact William J. Orvis, CIAC at 510-422-8193, or send E-mail to ciac@llnl.gov.

Macintosh Virus Information

Two new Macintosh viruses have recently been discovered, CODE-1 and MBDF-B. Neither appears intent on doing damage, but both can cause system failures due to poor programming. New versions of Macintosh anti-virus software now detect and eradicate these viruses.

CODE-1's only explicit action is to rename the hard disk to "Trent Saburo" if the system is restarted on October 31 of any year. On any other day, the virus simply spreads.

The MBDF-B virus is a simple variant of the MBDF-A virus. It has some of the same symptoms: Claris applications indicate that they have been altered; BeHierarchic shareware ceases to work properly; and some programs crash if a menu bar item is selected with the mouse. The MBDF-B virus is so similar to MBDF-A that some antivirus packages actually report MBDF-B as the MBDF-A virus.

Macintosh Anti-Virus Software

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the United States Government or the University of California.

As of January 31, 1994, current versions of Macintosh anti-virus software [all released early November 1993] are:

    PRODUCT_NAME                   VERSION  COMMENTS
    ------------                   -------  --------
    CPAV                           3.0a     Central Point Software Inc. BBS: 503-690-6650
    Disinfectant                   3.3      Free Software
    Gatekeeper                     1.3      Free Software
    Rival                                   CODE-1 Vaccine E-mailed to all registered users
    SAM Virus Clinic & Intercept   3.5.9    Symantec Customer Svc 800-441-7234
    Virex                          4.1      Datawatch Corp. Triangle Sw. Div. 919-549-0711, BBS: 919-549-0042
    VirusDetective                 5.0.10   Shareware (product phasing out)

For further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

A Macintosh Virus: "The Merry Xmas Virus"

The Merry Xmas Virus, discovered at the end of 1992, infects Hypercard stacks on the Macintosh. The virus is written in Hypercard's scripting language and resides in the Stack script. Whenever a card is opened or closed, the virus checks to see if the current stack and the Home stack are infected. If either is not, the virus infects it. A symptom of the virus is many short disk accesses when you are not doing anything, as the virus continually tests the current stack for the infection.

The virus is not intentionally damaging and does little more than copy itself from stack to stack. It can only infect the currently open stack and the Home stack. It does not infect stacks that are not open. Some anti-virus utilities detect the virus in stacks that had the virus previously but have had it removed. They find remnants of the virus on a disk in unused portions of the disk file. These remnants cannot infect but are sufficient to set off some virus detection programs.

If you have a Hypercard Stack that has been reported as having the virus, you can check that stack by examining the Stack script. If at the end of the Stack script you find script comments of the form "-- merryxmas" at the ends of many of the lines, the stack is infected. Probably your Home stack is infected as well. To get rid of the virus, select the lines of virus code (about the last 54 lines of the script), delete them and save the script. Quickly switch to your Home stack's stack script and check it as well.
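The Stack-script check described above, carried out on the script text, as an added example that is not CIAC's or Apple's code: it reports which lines end with the "-- merryxmas" comment and removes the tail block that begins at the first marked line. The sample script is constructed (its "virus" lines are inert placeholders), and treating everything from the first marked line to the end of the script as the virus block is an assumption made for the example.

```python
"""Added example (not CIAC's code): find the Merry Xmas marker in a
HyperCard stack script and strip the virus block from its tail.

Assumptions: the Stack script is available as text, and the virus block
is the contiguous run of lines at the end of the script that starts at the
first line carrying the "-- merryxmas" comment.  The article says the
marker appears at the ends of many (not all) of those lines, so the block
is cut as a whole rather than line by line.
"""
from typing import List, Tuple

MARKER = "-- merryxmas"

# Constructed sample: two ordinary handlers followed by a placeholder
# "virus" tail.  The tail lines do nothing; only the marker matters here.
SAMPLE_STACK_SCRIPT = """\
on openStack
  hide menuBar
end openStack

on mouseUp
  go to next card
end mouseUp

on openCard -- merryxmas
  -- constructed placeholder standing in for the virus body -- merryxmas
  put "placeholder line without the marker"
  -- merryxmas
end openCard -- merryxmas
"""


def marker_lines(script: str) -> List[int]:
    """1-based numbers of the lines that end with the Merry Xmas comment.

    HyperTalk is case-insensitive, so the comparison ignores case too."""
    return [n for n, line in enumerate(script.splitlines(), start=1)
            if line.rstrip().lower().endswith(MARKER)]


def is_infected(script: str) -> bool:
    """A script with any marked line is treated as infected."""
    return bool(marker_lines(script))


def disinfect(script: str) -> Tuple[str, int]:
    """Drop every line from the first marked line to the end of the script.

    Returns (cleaned script, number of lines removed).  A script without
    the marker is returned unchanged with a count of 0.
    """
    marks = marker_lines(script)
    if not marks:
        return script, 0
    lines = script.splitlines()
    first = marks[0] - 1                     # index of the first marked line
    kept = "\n".join(lines[:first]).rstrip("\n")
    cleaned = kept + "\n" if kept else ""
    return cleaned, len(lines) - first


if __name__ == "__main__":
    print("marked lines:", marker_lines(SAMPLE_STACK_SCRIPT))
    cleaned, removed = disinfect(SAMPLE_STACK_SCRIPT)
    print("removed", removed, "lines; still infected:", is_infected(cleaned))
```

As the article says, the Home stack must be checked with the same test right after the current stack, and both rechecked, because an open infected stack reinfects the other.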
Continue checking both the Home's and the stack's stack script until they both no longer have the virus, because as you are switching from one stack to the next, the virus may be reinfecting the stack you have just disinfected. Running Hypercard and the Home stack from a locked disk will prevent reinfection.

For further information, contact William J. Orvis, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

CIAC's COMPUTER SECURITY INFORMATION SERVERS

The following article is an overview of how to access CIAC's information servers and how to download information from them. Complete details for accessing these systems are available in the document: "The FELICIA Bulletin Board System and the IRBIS Anonymous FTP Server; Computer Security Information Sources for the DOE Community, CIAC-2302, Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, Livermore, CA, (1993)." Contact CIAC at 510-422-8193 for a copy.

CIAC operates two file server systems for the DOE community: FELICIA, a Bulletin Board System (BBS) and IRBIS, an anonymous File Transfer Protocol (FTP) server. FELICIA is a BBS which is accessible via telephone using a modem. IRBIS is accessible via the Internet. Both of these file servers contain all of the publicly available CIAC, CERT, NIST, and DDN bulletins, virus descriptions, the virus-l moderated virus bulletin board, copies of public domain and shareware virus detection/protection software, and copies of useful public domain and shareware utility programs.

Accessing FELICIA

FELICIA is a BBS accessed via analog telephone line, a modem, and a terminal or computer running a terminal emulator program. Set your modem transmission protocol to 8 bit, no parity, one stop bit. The access numbers are:

    510-423-4753 - 2400 baud or slower
    510-423-3331 - 9600 baud V.32 or slower

The first time you call in, you will have to register your name and address. To download or read files, switch to the file section and follow the directions. Most of the popular downloading protocols are available, including XMODEM, YMODEM, SEALink, and Kermit.

Accessing IRBIS

IRBIS is an anonymous FTP server on the Internet, so you must have Internet access to use it. (Note: irbis.llnl.gov will change to ciac.llnl.gov in the future.) Use FTP to connect to irbis.llnl.gov (128.115.19.60). Use "anonymous" as your user name and your e-mail address as your password. Stored in the first level directory, the file 0-index.txt is a document explaining the directory structure for downloadable files. All the computer security related files and documents are in subdirectories of the directory /pub/ciac, and the file 0-index.txt in each subdirectory lists the other files in that directory, briefly describing their contents. The file news.txt in the /pub/ciac directory contains a list of the new files placed in the archive. Use the GET [for single files] and MGET [for multiple files] commands to download one or more files to your own machine.

Scanning Downloaded Software

With any software you obtain, you should exercise caution and scan individual software packages before using the software for the first time. Unless otherwise indicated, all software on FELICIA and IRBIS has been scanned for "known" viruses, but it is advisable to scan all downloaded software using the most recent version of a virus scanning tool. Be sure to scan archived applications AFTER they have been extracted from the .ZIP, .ARC, or SIT archive, as most scanning software cannot detect a virus within an archived application.

Downloading Considerations

If you are downloading to a Macintosh, be sure to use the text version of the downloading protocol (e.g., Text-XMODEM, Text-YMODEM, etc. for downloads from FELICIA or ASCII mode from IRBIS) at your Macintosh when downloading pure text files or unformatted documents. The Text version of the downloading protocol corrects for the difference in the end of line characters used on the PC and Macintosh systems (the PC expects a CR-LF at the end of a line while the Macintosh expects a CR only). When downloading a binary Macintosh file such as a program file or a formatted document, be sure to set the MacBinary form of the protocol (e.g., MacBinary-XMODEM for downloads from FELICIA and Binary mode on IRBIS) on your Macintosh. If you forget to do this, you can convert later using the Apple File Exchange utility included with the Macintosh system.

Downloadable PC-DOS/MS-DOS files are either text files (.TXT), zip or arc archives (.ZIP or .ARC), self-extracting archives (.EXE) or executables (.COM or .EXE). Text files and executables can be downloaded directly and used. Be sure to use a binary downloading capability (e.g., XMODEM) for the executable files and archives. Files in ZIP archives must be extracted after downloading with PKUNZIP before they can be used. Macintosh files in SIT archives must be extracted with Stuffit before they can be used. Macintosh files in .CPT archives must be extracted with Compactor or Extractor. SEA files on the Macintosh are self extracting archives and need no archiving program. Archiving utilities for both PC and Macintosh files are available in their respective file sections.

For further information, contact William J. Orvis, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

OPENVMS SECURITY UPDATE PATCH KITS

Digital Equipment Corporation (DEC) is preparing and testing patch kits for OpenVMS VAX and Alpha AXP systems. There will be a kit for OpenVMS VAX versions 5.4-3, 5.5, 5.5-1, 5.5-2, 5.5-2H4, 5.5-2HF and 6.0 and a kit for OpenVMS AXP versions 1.5 and 1.5-1H1. These kits collect a number of patches presently available from DEC. A few of the patches provide enhanced security, hence the designation "security kit."
These kits make it easy to install this large collection of remedial fixes, helping those running older versions. A future release of OpenVMS will incorporate these patches. DEC will be sending kits to their software warranty and software contract maintenance customers.

To obtain further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

CIAC BULLETINS ISSUED IN FY '93 (D-series) & FY '94 (E-series)

CIAC issues two categories of computer security announcements: the information bulletin and the advisory notice. Information bulletins describe security vulnerabilities and recommended countermeasures. Advisory notices are more imperative, urging prompt action to close vulnerabilities, either potentially or actively exploited. Advisory notices are delivered as quickly as possible via FAX, E-mail, and postal service.

D-01  Bull.  Novell NetWare Access Rights Vulnerability
             Any Novell NetWare 3.x, NetWare 2.x, and NetWare for Unix user, equipped with a special program, can gain the access rights assignable by any other user currently attached to the server.
             October 14, 1992, 0900 PDT

D-02  Adv.   Restricted Distribution
             October 23, 1992, 1500 PST

D-03  Bull.  Patch Available for VAX/VMS MONITOR Vulnerability
             Announced the availability of a kit to fix problems with VMS Versions 5.0 through 5.4-2.
             October 30, 1992, 0800 PST

D-04  Bull.  18 New and Upgraded Security Patches Available For SunOS
             Announced security patches for SunOS versions 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and Solaris 2.0 FCS (which contains SunOS 5.0).
             November 11, 1992, 1200 PST

D-05  Bull.  Revised Hewlett-Packard NIS ypbind Vulnerability
             A revised CERT/cc ADVISORY concerns a vulnerability in the NIS ypbind module for the Hewlett-Packard (HP) series 300, 700, and 800 computers running the HP/UX Operating System.
             January 22, 1993, 1400 PST

D-06  Bull.  Failure to Disable User Accounts for VMS 5.3 to 5.5-2
             Local login failures to VAXstations via DECwindows or Motif for VMS versions 5.3 through Open VMS 5.5-2 will not cause an account to be DISUSERed even though the sysgen parameter LGI_BRK_DISUSER is set to 1.
             February 12, 1993, 1400 PST

D-07  Bull.  Restricted Distribution
             February 23, 1993, 1700 PST

D-08  Adv.   Vulnerability in VMS V5 and Derivative Operating Systems
             Patch [#1084] is available for systems running VMS V5.0 through OpenVMS V5.5-2 and OpenVMS AXP V1.0 (including all SEVMS V5.1 through V5.5-2). A malicious program simplified obtaining all system privileges by authorized, unprivileged users.
             February 23, 1993, 1200 PST

D-09  Bull.  OpenVMS Security Patch #1084 Problems
             Systems with security patch #1084 installed will not boot after performing certain system upgrades [workaround or revised patch available].
             March 2, 1993, 1400 PST

D-10  Bull.  November 17 Virus on MS DOS Computers
             The November 17 virus [aliases: NOV 17, 855] is a MS DOS file infector which will overwrite the hard disk on November 17 of any year. Infected files grow by 768, 800, 855, or 880 bytes.
             March 9, 1993, 1000 PST

D-11  Bull.  Sun Security Patches and Software Updates
             New patches for SunOS 4.0.3, Solaris 2.0, 2.1 or later and new release of DECnet Interface (DNI) and PC-NFS software packages reported.
             March 19, 1993, 1400 PST

D-12, 12a  Bull.  Restricted Distribution
             April 02, 1993, 1000 PST

D-13  Bull.  wuarchive FTP Daemon Vulnerability
             Disable daemon, then patch or install new version of Washington University's wuarchive FTP server dated April 8 or later.
             April 9, 1993, 1000 PDT

D-14  Bull.  Restricted Distribution
             May 3, 1993, 1400 PDT

D-15  Bull.  Vulnerability in Cisco Routers used as Firewalls
             Under certain circumstances Cisco routers, running software releases 8.2, 8.3, 9.0, 9.1, and 9.17 using the "no IP source-route" command, will pass IP source routed packets that should be denied.
             May 12, 1993, 1500 PDT

D-16  Adv.   Vulnerability in SunOS expreserve utility
             A patch is available for the expreserve utility in SunOS versions 4.1, 4.1.1, 4.1.2, 4.1.3, 5.0, 5.1, and 5.2 to prevent any file on the system from being overwritten [can be used to obtain root access to the system].
             June 11, 1993, 0001 PDT

D-17  Bull.  Restricted Distribution
             June 17, 1993, 1500 PDT

D-18  Bull.  Solaris 2.x expreserve patches available
             Expreserve patches are now available for Solaris 2.0, 2.1, and 2.2 (SunOS 5.0, 5.1, and 5.2).
             July 1, 1993, 0900 PDT

D-19  Bull.  Attacks on Anonymous FTP Servers
             Recommendations are provided to protect against attacks on improperly configured anonymous FTP servers.
             July 15, 1993, 1100 PDT

D-20  Bull.  Summary of SunOS Security Patches
             All security related patches currently available from Sun Microsystems.
             August 6, 1993, 1200 PDT

D-21  Bull.  Novell NetWare LOGIN.EXE Security Patch
             Novell NetWare 4.x's LOGIN.EXE program allows inadvertent compromise of a user's name and password.
             September 7, 1993, 1140 PDT

D-22  Bull.  Satan Bug Virus on MS-DOS Computers
             The Satan Bug virus is a new, encrypted, polymorphic virus that infects all .COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.
             September 4, 1993, 1000 PDT

D-23  Bull.  Restricted Distribution
             September 4, 1993, 1000 PST

D-24  Bull.  SCO Home Directory Vulnerability
             A workaround is given for various SCO Operating Systems that permit unauthorized access to the "dos" and "asg" accounts.
             September 17, 1993, 1115 PDT

D-25  Adv.   Automated Network Intrusion Software
             ISS or Internet Security Scanner, which does automated scanning of networked computers for security vulnerabilities, was recently made publicly available on the Internet.
             September 30, 1993, 1100 PDT

D-26  Bull.  Restricted Distribution
             September 30, 1993, 1111 PDT

E-01  Adv.   Vulnerabilities in Sun sendmail, tar, and audio
             The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits unauthorized access to some system files by remote users. Archive files created with the /bin/tar utility under SunOS 5.x contain extraneous system configuration and user information from the /etc/passwd and /etc/group files, should the archive files be distributed. Microphones attached to Sun workstations may be used to eavesdrop on conversations near the computer.
             October 21, 1993, 1130 PDT

E-02  Bull.  Vulnerabilities in SGI IRIX Default Configuration
             SGI IRIX systems configured with operating system defaults and by the auto-installation procedure are vulnerable to attack.
             October 25, 1993, 1330 PDT

E-03  Adv.   UNIX sendmail Vulnerabilities
             Details of these vulnerabilities have been openly discussed in several electronic forums, including the Firewalls mailing list and the USENET newsgroup comp.security.unix. In addition, at least one automated tool designed to exploit these vulnerabilities has been widely distributed.
             November 4, 1993, 2300 PST

E-04  Bull.  xterm Logfile Vulnerability
             Local users may use the version 5 and earlier X11 xterm logfile facility, if installed with setuid or setgid, to create or modify files on the system. This can enable unauthorized access, including root access.
             November 11, 1993, 2130 PST

E-05  Bull.  SunOS/Solbourne loadmodule and modload Vulnerability
             Local users may use the utilities $OPENWINHOME/bin/loadmodule and /usr/etc/modload to execute commands as root. This vulnerability only affects systems with OpenWindows 3.0 installed under SunOS 4.1.x on sun4 and Solbourne architectures.
             December 15, 1993, 1200 PST

E-06  Bull.  Solaris System Startup Vulnerability
             A person with physical access to a workstation with eeprom(1m) security enabled can force a startup failure in fsck(8) and gain root privilege without supplying the eeprom or root password.
             December 17, 1993, 1500 PST

E-07  Bull.  UNIX sendmail Vulnerabilities Update
             Present status of vendor security patches to correct vulnerabilities in the UNIX sendmail utility reported in CIAC Advisory E-03. Workarounds given in E-03 may be safely used even after vendor patches have been installed.
             January 7, 1994, 0900 PST

E-08  Bull.  Restricted Distribution
             January 25, 1994, 1530 PST

For further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

CIAC INFORMATION TECHNOLOGY SECURITY WORKSHOPS

CIAC presents comprehensive, practical information technology security training and awareness workshops for technical staff and managers. These workshops enable participants to improve the security of their information technology resources. Drawing on knowledge of today's vulnerabilities and countermeasures, we show how to prevent and respond to computer and network incidents, and leverage the DOE's information technology security expertise for your site's greatest benefit. We tailor the workshops for your location, building them from the following self-contained modules:

    Incident prevention and response
    The changing nature of threats
    Legal issues
    Risk assessment
    Electronic resources for security related information
    How CIAC helps
    Management policy, procedures, and programs
    Managing unclassified computer security
    Firewalls

CIAC bases its workshops on the latest, real world events. The workshops actively involve the participants, showing them how to protect and defend their essential resources. We actively encourage each participant to bring their concerns, challenges, and problems for group interaction and resolution. The workshops are a forum for finding solutions and an informal environment for networking with other security professionals. Upon completing the workshops, the successful participant will understand the issues and know where to find the resources necessary to prevent and effectively respond to computer and network security incidents.

There is a general session followed by separate technical and management sessions.
Depending on site needs and requirements, the workshops run from one to two and one-half days. There is currently no cost to DOE sites.

To request scheduling for your location or to obtain further information, contact Richard A. Feingold, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

CIAC PUBLICATIONS

A recent CIAC publication, the U.S. DOE Fingertip Guide to Incident Handling, is available from your DOE site's computer security officer (CPPM and/or CSSM).

CIAC is preparing publications on a variety of computer security related topics. Many of these will be updated as needed to keep the information current. The publications will be available in electronic form via CIAC's servers or in printed form for those who do not have Internet or telephone-modem access. Instructions on accessing these servers are provided in the article "CIAC Computer Security Information Servers," above. We welcome suggestions for topics that you feel would be valuable.

The publications planned for a March 1994 release are:

    CIAC_#  Title
    ------  -----
    2300    Abstracts of the CIAC-2300 Series Documents
    2301    Computer Virus Information Update
    2302    The FELICIA Bulletin Board System and the IRBIS Anonymous FTP Server
    2303    The Console Password Feature for DEC Workstations

For further information, contact Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.

------------------------------

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

------------------------------

End of CIAC Notes Number 01 94_01_31
**************************************