************************************************************************** Security Bulletin 9514 DISA Defense Communications System April 5, 1995 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9428). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-11 Release date: 4 April 1995, 2:30 PM EDT (GMT -4) SUBJECT: Security Administrator Tool for Analyzing Networks (SATAN). SUMMARY: SATAN is a tool for remotely probing and identifying the vulnerabilities of systems on IP networks. Each IP address for a given subdomain is systematically scanned for security weaknesses, which if found are then identified and logged for each system. SATAN has been widely publicized in the national media and on various Internet forums. The software is scheduled to be released 5 April 95, 14:00 GMT, and will be freely available to anyone on the Internet. BACKGROUND: The vulnerabilities SATAN scans for are not new and have all been addressed in previously released ASSIST bulletins. Vulnerability scanners are not new either, however SATAN provides a more comprehensive scan than previous tools and utilizes a World Wide Web (WWW) client to provide a friendly, point and click interface. Extensive information is provided to explain which vulnerabilities are being identified, and how those vulnerabilities can be removed. In addition to reporting vulnerabilities, SATAN gathers general network information (network topology, network services run, types of hardware and software being used on the network). As described in the SATAN documentation, SATAN has an exploratory mode that allows it to probe hosts that have not been explicitly specified. Thus, SATAN could probe not only targeted hosts, but also hosts outside your administrative domain. All information provided here relates to version 0.51 of the beta release. SATAN is made up of HyperText Markup Language (HTML) documents, C code, and Perl scripts which generate HTML code dynamically. It requires an HTML viewer (Mosaic, Netscape, or Lynx), a C compiler, and PERL version 5. The user simply interacts with a WWW client, entering necessary data into forms. The control panel for SATAN provides four hypertext options: Target Selection, Reporting & Data Analysis, Documentation, and Configuration & Administration. Through Target Selection, the user can enter a machine or a domain of machines to attack, and the extent of the attack (Light, Normal, Heavy). A Light attack will simply report what hosts are available, and what Remote Procedure Call (RPC) services they offer. A Normal attack will probe the targets by establishing finger, telnet, FTP, WWW, gopher, and SMTP connections. These will be used to establish what the operating system is, and what vulnerabilities may be available. A Heavy attack will additionally search for several other known vulnerabilities, such as writable anonymous ftp directories or trusted hosts. Once the targets and extent of probing are established, a simple mouse click will begin the analysis. When finished, the user finds the results in the Reporting & Data Analysis link. SATAN is highly customizable and extendible. Through configuration files, numerous default values can be modified. New probes to be performed on each host may be added by writing a program (or script) with the proper input and output, and naming it with an extension of ".satan.". This will allow users to write their own attacks tools, and add them to SATAN in a plug-and-play manner. IMPACT: SATAN is being promoted by its developers as a security tool for system administrators, not an attack tool for crackers. However, if the history of vulnerability scanning tools previously released on the Internet is any indication, this tool will be widely used by individuals trying to gain unauthorized access to networked systems. RECOMMENDED SOLUTIONS: It will be extremely important for DoD system administrators and network security personnel to make sure the vulnerabilities SATAN scans for have been eliminated from their systems. Recomendations include the following. A. Examine your systems for the vulnerabilities listed in this section and implement security fixes accordingly. B. The following files are available via anonymous FTP from assist.mil (IP 199.211.123.11) and can be referenced for information on improving system security. /pub/general.info/security_info /pub/general.info/packet_filtering.ps /pub/general.info/securing.info.servers C. Use the Security Profile Inspector (SPI) for Unix (available from ASSIST) to assess systems' security configuration. D. TCP wrappers can provide access control and flexible logging to most network services which can help you prevent and detect some network attacks. This software is available from ASSIST (see ASSIST INFORMATION RESOURCES section in the trailer of this bulletin). E. The Swatch log file monitor can be used to identify patterns in log file entries and associate them with actions. This tool is available from: ftp://ee.stanford.edu:/pub/sources/swatch.tar.Z F. Install the Courtney tool developed by the DOE CIAC to detect SATAN attacks (see "Detecting Probes" section below for details on Courtney). Vulnerabilities Probed by SATAN - - ------------------------------- Listed below are vulnerabilities that the beta 0.51 version of SATAN tests for, along with references to ASSIST advisories and other documents where appropriate. Administrators should verify the state of their systems and perform corrective actions as necessary. 1. NFS export to unprivileged programs 2. NFS export via portmapper 3. Unrestricted NFS export See ASSIST bulletin 94-41 for security measures you can take to address NFS vulnerabilities. The following advisories also address problems related to NFS: ASSIST 94-03 - Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability. ASSIST 93-11 - Sun security patches and software updates. ASSIST 92-56 - Multiple SunOS vulnerabilities patched. ASSIST 92-37 - Revised patch for SunOS /usr/etc/rpc.mountd vulnerability. ASSIST 92-30 - Security problem in SunOS fsirand program. 4. NIS password file access See ASSIST 92-39 for information about SunOS 4.x machines using NIS, and ASSIST 93-01 for information about HP machines using NIS. 5. rexd access See ASSIST 92-61 for more information about IBM AIX machines using rexd, and ASSIST 92-46 for information about NeXT. 6. Sendmail vulnerabilities See ASSIST 95-07 for the information about sendmail security issues. 7. TFTP file access See ASSIST 92-09 for security measures that address TFTP access problems. In addition, ASSIST 92-10 contains information about tftp for IBM AIX users. 8. Remote shell access Comment out rshd in the file /etc/inetd.conf or protect it with a TCP wrapper. 9. Unrestricted X server access Filter X at your firewall. See section (B) above for packet filtering information reference. 10. Writable FTP home directory See ASSIST 93-20 and section (B) above (securing.info.servers) for guidance on anonymous FTP configuration. 11. wu-ftpd vulnerability See ASSIST 93-12, ASSIST 94-11 and ASSIST 94-12 for more information about ftpd. Detecting Probes - - ---------------- One indication of attacks by SATAN and other tools is evidence of a heavy scan of a range of ports and services in a relatively short time. Many UNIX network daemons do not provide sufficient logging to determine if SATAN is probing the system. The Department of Energy (DOE) CIAC has developed a tool for detecting SATAN attacks. The tool is called Courtney and can be obtained along with related files through anonymous FTP from assist.mil (IP 199.211.123.11) in /pub/tools/courtney/courtney-1.2.tar.Z. The following is additional info from the Courtney README file that comes with the software. Name: Courtney Date: 3/24/95 Description: Monitors the network and identifies the source machines of SATAN probes/attacks. Courtney receives input from tcpdump counting the number of new services a machine originates within a certain time window. If one machine connects to numerous services within that time window, courtney identifies that machine as a potential SATAN host. Requirements: Courtney requires that Perl v.5, libpcap, and tcpdump be installed. They are available via anonymous FTP at the following sites. libpcap-0.0 ftp.ee.lbl.gov:/libpcap-0.0.tar.Z tcpdump-3.0 ftp.ee.lbl.gov:/tcpdump-3.0.tar.Z perl5 ftp.uu.net:/systems/gnu/perl5.001.tar.gz Courtney configuration variables: $UPDATE_INTERVAL Specifies the time, in minutes, to update the host information. $OLD_AGE When updating host information, gets rid of host entries that have timestamps older that OLD_AGE. $HIGH_THRESHOLD What number of services a single system must achieve before it is considered the source of a HEAVY_ATTACK $LOW_THRESHOLD What number of services a single system must achieve before it is considered the source of a NORMAL_ATTACK $DEBUG Prints a bunch of stuff. $MONITOR Only prints out the host count. Used for watching the hosts and activity. $SYSLOG Log attack warnings via syslog (default). $SCREEN Log attack warnings to stdout. Design: Courtney is based on the fingerprint of any scanner, including SATAN. Scanners probe every port, or at least the more common ports, attempting to gather information about what services the target machine offers. If one machine connects to numerous services within a brief time period, then that machine may be doing some sort of scanning. Limitations: Since courtney's input is from tcpdump, the filter for tcpdump must coincide with courtney. There are 30 services that are being monitored, if you remove or add one, you must include changes to both tcpdump's filter and courtney's perl script. When monitoring busy networks or monitoring on a slower system, some network traffic may be missed by the kernel. This has the potential to cause courtney to fail to detect some attacks. ASSIST would like to thank the DOE CIAC and CERT Coordination Center for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST Contact Information: PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to 22:30 EDT (GMT -4) Monday through Friday. During off duty hours, weekends and holidays, ASSIST can be reached via pager at 800-791- 4857. The page will be answered within 30 minutes, however if a quicker response is required, prefix the phone number with "999". ELECTRONIC MAIL: Send to assist@assist.mil. ASSIST BBS: Leave a message for the "sysop". Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DDN Security bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.