**************************************************************************

Security Bulletin 9701 DISA Defense Communications System

March 18, 1997 Published by: DISN Security Coordination Center

(SCC@NIC.MIL) 1-(800) 365-3642

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site at http://nic.mil.

**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

! !

! The following important advisory was issued by the Computer !

! Emergency Response Team (CERT) and is being relayed unedited !

! via the Defense Information Systems Agency's Security !

! Coordination Center distribution system as a means of !

! providing DISN subscribers with useful security information. !

! !

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

- ---------------------------------------------------------------------------

CERT(sm) Summary CS-97.02 - SPECIAL EDITION

March 18, 1997

This special edition of the CERT Summary highlights widespread, large-scale attacks that are occurring against news servers.

Past CERT Summaries are available from

ftp://info.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------

Current activity - attacks on news servers

- ------------------------------------------

The CERT Coordination Center and incident response teams around the world have received numerous reports concerning widespread, large-scale attacks on NNTP (Network News Transport Protocol) servers throughout the world. NNTP servers are commonly referred to as USENET news servers.

The activity involves an attempt to exploit a vulnerability in versions of INN (InterNetNews) prior to 1.5.1. We have received reports that version 1.5.1 was thought to be vulnerable; however, as far as we are able to determine, it is not.

INN is a commonly used software program for serving and managing news according to the NNTP protocol. This vulnerability allows remote users to execute arbitrary commands on the news server with the same privileges as the user-id that manages the news server. As of 8:00 am EST (GMT -5), March 18, 1997, it appears that the most common activity is to attempt to mail the password file and configuration files to a remote site.

Because of the nature of USENET news, messages are passed automatically from one site to another. The exploitation involves a particular kind of message, known as a control message. Intruders can construct and post control messages in such a way as to exploit the vulnerability. Because of this, your site may have been compromised even if it was not specifically selected by an intruder.

Information about the vulnerability, along with information about patches and

workarounds, is available from

ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

If we receive further information, we will update this advisory.

We encourage sites that are running INN 1.5 or earlier to upgrade to INN 1.5.1 as soon as possible.

James Brister, the current maintainer of INN, has provided additional information regarding the update to INN 1.5.1; this information has been added to the advisory. James has provided the following patches for INN version 1.5, 1.4sec, 1.4unoff3, and 1.4unoff4:

ftp://ftp.isc.org/isc/inn/patches/security-patch.01 1.5

ftp://ftp.isc.org/isc/inn/patches/security-patch.02 1.4sec

ftp://ftp.isc.org/isc/inn/patches/security-patch.03 1.4unoff3, 1.4unoff4

The directory includes MD5 checksums for each patch.

Information regarding INN patches may be found at

http://www.isc.org/inn.html

System administrators who did not update to INN 1.5.1 before Friday, March 14, 1997, should take the following steps:

Examine your news logs for signs of exploitation. So far, we have reports of at least six distinct message IDs being used:

830201540.9120@uunet.uu.net

830201540.9122@uunet.uu.net

830201540.9220@uunet.uu.net

830201540.9223@uunet.uu.net

830201540.9020@uunet.uu.net

830201540.9221@uunet.uu.net

Although these messages appear to come from UUNET, the messages were forged.

If these message IDs appear in your logs, it is highly likely that these control messages reached your news server. Moreover, it is almost certain that additional messages will be (or already have been) crafted by intruders, so checking for those message IDs is not enough.

If you discover that your password file has been mailed to an intruder and you are not using a shadow password mechanism (or another password mechanism such as Kerberos), you should consider changing all the passwords on your systems.

We encourage you to examine the following documents for further security information:

ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

This document will help you methodically check your systems for signs of compromise, and offers pointers to other resources and suggestions on how to proceed in the event of a compromise.

ftp://info.cert.org/pub/tech_tips/root_compromise

This document outlines steps you can take to help recover from a root compromise and to secure your systems from further compromise.

ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines

This document will help you avoid common problems that can lead to compromises on UNIX systems, and provides a general framework for configuring UNIX systems.

ftp://info.cert.org/pub/tech_tips/security_tools

This document provides a list of tools that can help you to monitor your systems for signs of compromise and to monitor activity on your systems and networks.

ftp://info.cert.org/pub/tech_tips/passwd_file_protection

This document describes ways in which you can protect your password file from unauthorized access.

Examine your news server for unauthorized processes running as the news user. Several of the malicious NNTP control messages include a script that attempts to establish an outgoing telnet session to another location. Typically, sites with firewalls permit outbound telnet connections.
We have several reports of sites that have attempted to check their own exposure to this vulnerability and have inadvertently released control messages to the Internet that exploit this vulnerability. We strongly discourage sites from using control messages as a way to measure exposure to this vulnerability. To determine if your NNTP server is vulnerable, we recommend that you follow the steps outlined in Section I of advisory CA-97.08. If you have accidentally released such a message, we encourage you to notify any vulnerable sites that you discover through feedback from your test message. Please include cert@cert.org in the CC line of the messages you exchange.
If you discover that you have been compromised as a result of this vulnerability and you have a representative in FIRST, we encourage you to contact them directly. To locate your representative in the FIRST community, please see

http://www.first.org/

If you do not have a representative in FIRST, we encourage you to report to the CERT Coordination Center. In order to help us assess the 'big picture,' please include the following information:
- Your name and contact information
- The domain name of your news server
- The NNTP server software you run, including version number
- A copy of the control message(s) if you have it
- Any additional pertinent information

In accordance with our policies, we will not release information about your site without your explicit permission.

Due to the large volume of mail we are receiving regarding this activity, we may not be able to follow up all reports individually. Nonetheless, your report will help us to understand the activity better and to provide more accurate information to the Internet community at large.

We would like to express our thanks to James Brister for his assistance in preparing this summary.

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)

CERT personnel answer 8:30-5:00 p.m. EST

(GMT-5)/EDT(GMT-4), and are on call for

emergencies during other hours.

Fax +1 412-268-6989

Postal address

CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh PA 15213-3890

USA

To be added to our mailing list for CERT advisories and bulletins, send your

email address to

cert-advisory-request@cert.org

In the subject line, type

SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

comp.security.announce

CERT publications, information about FIRST representatives, and other

security-related information are available for anonymous FTP from

http://www.cert.org/

ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information.

Location of CERT PGP key

ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center.

CERT is a service mark of Carnegie Mellon University.

****************************************************************************

* *

The point of contact for NIPRNET security-related incidents is the *
ASSIST: *

* *

E-mail address: ASSIST@ASSIST.MIL *

* *

Telephone: 1-(800)-357-4231 (24 hours/day) *

* *

You may also contact the Security Coordination Center (SCC) at the *
NIC: *

* *

E-mail address: SCC@NIC.MIL *

* *

Telephone: 1-(800)-365-3642 *

* *

NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, *
Monday through Friday except on federal holidays. *

* *

****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

CERT(sm) Summary CS-97.02 - SPECIAL EDITION

Current activity - attacks on news servers

How to Contact the CERT Coordination Center

Postal address

Copyright 1997 Carnegie Mellon University