**************************************************************************

Security Bulletin 9727                  DISA Defense Communications System
December 2, 1997                        Published by: DISN Security Coordination Center
                                        (SCC@NIC.MIL) 1-(800) 365-3642

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.

**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Information Systems Agency's Security                !
!  Coordination Center distribution system as a means of                !
!  providing DISN subscribers with useful security information.         !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

-----BEGIN PGP SIGNED MESSAGE-----

-----------------------------------------------------------------------------

CERT* Summary CS-97.06
December 1, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from

        ftp://ftp.cert.org/pub/

Past CERT Summaries are available from

        ftp://ftp.cert.org/pub/cert_summaries/

-----------------------------------------------------------------------------

Recent Activity
---------------

Since the August CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing IMAP Exploits

Although it's been mentioned in past CERT Summaries (CS-97.04, CS-97.05), we
continue to receive a significant stream of reports relating to IMAP attacks.
These reports show that intruders are launching large-scale, automated scans
against many networks, identifying many potentially vulnerable systems.

The impact of an IMAP attack is that the remote user (e.g., intruder) will be
able to gain root-level access on a vulnerable host.

We cannot stress enough the importance for sites to check for the IMAP
vulnerability and take immediate action to address the problem. For more
information see the following:

        ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
        http://www.cert.org/pub/advisories/1997/CA-97.09.imap_pop.html

NOTE: If you discover that you have suffered a root compromise as a result of
conditions like those described in the two previous paragraphs, we would like
to know. We also encourage you to recover by taking the steps outlined in

        ftp://ftp.cert.org/pub/tech_tips/root_compromise

NOTE: If you have been probed (as described in the two previous paragraphs)
and the attack was not successful, we would like to hear about that, too. We
encourage you to contact the site from which the probe originated to alert
them to the activity, in case the account used to launch the attack was
compromised.

Your reports will help us to continue to determine the scope of the problem
and coordinate appropriate responses, although we may not be able to respond
to each report individually.

2. Root Compromises

In addition to the compromises occurring as a result of the above activity,
we also continue to receive daily reports of sites that have suffered a root
compromise. Many of these compromises can be traced to systems that are
unpatched or misconfigured, which the intruders exploit using well-known
vulnerabilities for which CERT advisories have been published.

We encourage you to check for signs of compromise. The following documents
can help you review your systems:

Intruder Detection Checklist
        This document outlines suggested steps for determining if your system
        has been compromised.
        ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

Steps for Recovering from a UNIX Root Compromise
        This document sets out suggested steps for responding to a root
        compromise.
        ftp://ftp.cert.org/pub/tech_tips/root_compromise

UNIX Configuration Guidelines
        This document describes common UNIX system configuration problems
        that have been exploited by intruders and recommends practices that
        can be used to help deter several types of break-ins.
        ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

List of Security Tools
        This document describes tools that can be used to help secure a
        system and deter break-ins.
        ftp://ftp.cert.org/pub/tech_tips/security_tools

3. CGI Scripts

We continue to receive reports concerning exploitation of vulnerable cgi-bin
scripts. As mentioned in recent CERT documents, the cause of the problem is
not in the CGI scripting language (such as Perl and C), but in how the script
is written.

The CERT/CC team urges you to check all CGI scripts that are available via
the World Wide Web services at your site and ensure that they sanitize
user-supplied data. For more information, please see

        ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

These CERT advisories discuss vulnerabilities relating to cgi-bin topics:

        ftp://ftp.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
        ftp://ftp.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.12.webdist
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
        ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
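As an added illustration (not part of the CERT summary or its cgi_metacharacters tech tip), the C functions below show the allowlist approach for a CGI parameter: URL-decode the value first, then accept it only if every byte is in a known-safe set. The MAX_PARAM bound, the SAFE_CHARS set and the function names are this example's own choices.

```c
#include <string.h>

#define MAX_PARAM 64   /* assumed upper bound for one CGI parameter value */

/* Allowlist: the only bytes a username-style parameter may contain.
   Nothing a shell or the called program treats specially is in it. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789_-.@";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' as a CGI program receives them. Returns 0 on a
   malformed escape, an encoded NUL, or output that would not fit in outsz. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return 0;
            c = hi * 16 + lo;
            in += 2;
        }
        if (c == 0 || o + 1 >= outsz) return 0;  /* %00 would truncate later checks */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* 1 if s is non-empty, short enough, made only of SAFE_CHARS and does not
   start with '-' (which the called program could read as an option). */
int cgi_param_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_PARAM || s[0] == '-') return 0;
    return strspn(s, SAFE_CHARS) == n;
}

/* Validate the decoded value, never the raw query string: the check must see
   the same bytes the command would see. */
int accept_cgi_param(const char *raw, char *decoded, size_t sz)
{
    return url_decode(raw, decoded, sz) && cgi_param_is_safe(decoded);
}
```

A value that passes should still be handed to the external program as a separate argv element rather than interpolated into a shell command line.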

4. Relaying of Spam Email through Victim Sites

For quite some time, the CERT Coordination Center has received reports of
email spam being relayed through other sites. These reports are becoming more
frequent as more spammers learn to disguise their activities by relaying
their mail through unsuspecting sites (which are using older versions of
sendmail, poor logging, and no anti-spam features).

Since the default configuration of sendmail 8.8.8 (and prior releases) allows
spam to be relayed, we encourage you to review your mail configuration and
evaluate your exposure to this type of abuse. With a default sendmail
configuration, no authentication is required for remote hosts (including
people sending spam mail) to connect to your mail server for the purpose of
relaying mail.

There are features in sendmail version 8.8 that will prevent your host from
being misused as a relay gateway. A document titled "Anti-Spam Provisions in
sendmail 8.8", provided by the author of sendmail (Eric Allman), describes
the modifications to the sendmail.cf file. It is available at

        http://www.sendmail.org/antispam.html

These modifications to the sendmail.cf file will help prevent a variety of
email spamming and bombing attacks.
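To make the relay decision concrete, here is an added C model (not sendmail's code and not from the CERT summary) of the policy an anti-relay configuration enforces on each RCPT TO: accept only if the recipient domain is one the host serves or agreed to relay for, or the connecting client is one of its own hosts. The domain lists and the anti_relay switch are constructed for this example; with anti_relay off it behaves like the permissive default described above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample policy: domains this server is authoritative for and
   domains it has agreed to relay for (the analogue of sendmail's host lists). */
static const char *const LOCAL_DOMAINS[] = { "example.org", NULL };
static const char *const RELAY_DOMAINS[] = { "partner.example.net", NULL };

/* Case-insensitive: is name equal to entry, or a host inside entry's domain? */
static int name_in_domain(const char *name, const char *entry)
{
    size_t n = strlen(name), e = strlen(entry);
    if (n < e) return 0;
    const char *tail = name + (n - e);
    if (n > e && tail[-1] != '.') return 0;      /* "notexample.org" must not match */
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)entry[i]))
            return 0;
    return 1;
}

static int in_list(const char *name, const char *const *list)
{
    for (; *list; list++)
        if (name_in_domain(name, *list)) return 1;
    return 0;
}

/* Decide one RCPT TO. anti_relay == 0 models the sendmail 8.8.8 default
   described above: every recipient is accepted, so any remote host can relay.
   Returns 1 to accept the recipient, 0 to answer "550 Relaying denied". */
int rcpt_allowed(int anti_relay, const char *client_host, const char *rcpt)
{
    if (!anti_relay) return 1;
    const char *at = strrchr(rcpt, '@');
    if (!at) return 0;                            /* unqualified recipient */
    /* Source-routed local parts (user%other.net@example.org) were the classic
       way to push mail through a host that only inspects the part after '@'. */
    size_t local_len = (size_t)(at - rcpt);
    if (memchr(rcpt, '%', local_len) || memchr(rcpt, '!', local_len)) return 0;
    const char *dom = at + 1;
    if (in_list(dom, LOCAL_DOMAINS) || in_list(dom, RELAY_DOMAINS)) return 1;
    /* Otherwise relay only for connections that come from our own hosts. */
    return client_host != NULL && in_list(client_host, LOCAL_DOMAINS);
}
```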

What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary (August 26,
1997).

ftp://ftp.cert.org/pub/cert_advisories/

    CA-97.23.rdist
        Discusses a buffer overflow problem in rdist. This is a different
        vulnerability from the one described in CA-96.14.

    CA-97.24.Count_cgi
        Describes a buffer overrun vulnerability in the Count.cgi cgi-bin
        program. This vulnerability allows intruders to force Count.cgi to
        execute arbitrary commands.

    CA-97.25.CGI_metachar
        Reports a vulnerability that exists in some CGI scripts and allows an
        attacker to execute arbitrary commands on a WWW server under the
        effective user-id of the server process.

ftp://ftp.cert.org/pub/cert_bulletins/

    VB-97.07.sgi
        A Silicon Graphics Inc. Security Advisory addressing vulnerabilities
        in the IRIX webdist.cgi, handler, and wrap programs, part of the
        Outbox subsystem

    VB-97.08.transarc
        Information from Transarc Corp. about a vulnerability in Transarc
        DCE Integrated login for sites running both AFS and DCE

    VB-97.09.cisco
        Information from Cisco Systems about vulnerabilities in CHAP
        authentication

    VB-97.10.samba
        Information from the Samba Team about a vulnerability that allows
        remote users to obtain root access on the Samba server

    VB-97.11.nec
        Details about a problem with the "nosuid" mount(1) option

    VB-97.12.opengroup
        Information about a potential problem in the OSF/DCE security server
        that could allow for a denial of service attack

    VB-97.13.GlimpseHTTP.WebGlimpse
        Information about a vulnerability that may allow intruders to execute
        arbitrary commands with the privileges of the httpd process

    VB-97.14.scoterm
        Information from the Santa Cruz Operation about a vulnerability in
        the implementation of scoterm that could allow unprivileged users to
        gain unauthorized root access to the system

ftp://ftp.cert.org/pub/latest_sw_versions/

    rdist           Pointer to rdist 6.1.3
    sendmail        Pointer to sendmail 8.8.8

ftp://ftp.cert.org/pub/tech_tips/

    cgi_metacharacters
        Discusses how to remove meta characters from user-supplied data in
        CGI scripts

ftp://ftp.cert.org/pub/tools/

    rdist/          Added rdist 6.1.3
    sendmail/       Added sendmail 8.8.8

ftp://ftp.cert.org/pub/cert_advisories/

    CA-93:19.Solaris.Startup.vulnerability
        Updates - Added Sun Microsystems, Inc. patch information

    CA-95:14.Telnetd_Environment_Vulnerability
        Updated information for Sun Microsystems, Inc.

    CA-95:17.rpc.ypupdated.vul
        Updated information for Sun Microsystems, Inc.

    CA-96.08.pcnfsd
        Updated information for IBM Corporation

    CA-96.10.nis+_configuration
        Updates - Added information for Sun Microsystems, Inc.

    CA-96.15.Solaris_KCMS_vul
        Updates - Added information for Sun Microsystems, Inc.

    CA-96.16.Solaris_admintool_vul
        Updates - Added information for Sun Microsystems, Inc.

    CA-96.17.Solaris_vold_vul
        Updates - Added information for Sun Microsystems, Inc.

    CA-96.20.sendmail_vul
        Updated information from Sun Microsystems, Inc.

    CA-96.25.sendmail_groups
        Updated information from Sun Microsystems, Inc.

    CA-96.26.ping
        Updated information from Sun Microsystems, Inc.

    CA-97.06.rlogin-term
        Updated information from Sun Microsystems, Inc.; added information
        from Data General Corporation

    CA-97.09.imap_pop
        Section III.A and Appendix A - added information for IBM Corporation

    CA-97.11.libXt
        Appendix A - updated information for Sun Microsystems, Inc.

    CA-97.14.metamail
        Updated information for Red Hat

    CA-97.15.sgi_login
        Updated information from Silicon Graphics, Inc.

    CA-97.16.ftpd
        Added information for NCR Corporation

    CA-97.18.at
        Added information for NCR Corporation

    CA-97.20.javascript
        Appendix A - updated Netscape's URLs

    CA-97.21.sgi_buffer_overflow
        Updates Section - updated information for Silicon Graphics, Inc.

    CA-97.22.bind
        Appendix A - Added information for BSDI

    CA-97.23.rdist
        Appendix A - added information for OpenBSD and Silicon Graphics,
        Inc., Caldera, and Siemens-Nixdorf

ftp://ftp.cert.org/pub/cert_summaries/

    CS-97.05
        Corrected BIND version number

A New Look on the CERT Web Site
-------------------------------

If you haven't visited our Web site (http://www.cert.org) since November 10,
check it out. We have a new look and some new documents. We've tried to
organize things so that it's easier for you to find the information you
need. Some highlights include

    CERT incident and vulnerability statistics
        http://www.cert.org/pub/cert-stats/cert_stats.html

    CERT annual reports for 1994, 1995, and 1996
        http://www.cert.org/pub/reports.html

    Security Improvement Modules
        http://www.cert.org/security-improvement/index.html

    An Analysis of Security Incidents on the Internet 1989-1995
        http://www.cert.org/research/JHThesis/index.html

    Report to the President's Commission on Critical Infrastructure Protection
        http://www.cert.org/pub/reports.html

    Links to other sources of advisories and Internet security information
        http://www.cert.org/pub/other_sources.html

-----------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are
         on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

In the subject line, type

        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

        ftp://ftp.cert.org/pub/CERT_PGP.key

-----------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.


    PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the United States Government nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.