Home page logo
/

bugtraq logo Bugtraq mailing list archives

CERT Summary CS-97.05
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 26 Aug 1997 14:43:38 -0500


-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-97.05
August 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------
Since the last regularly-scheduled CERT Summary issued in May, we have seen
the following trends in incidents reported to us.

1. Continuing IMAP Exploits

The CERT Coordination Center continues to receive daily reports of attempts to
exploit a vulnerability in certain implementations of IMAP. This vulnerability
was the subject of our most recent CERT Summary, "CS-97.04 - Special Edition,"
which can be found at

   ftp://info.cert.org/pub/cert_summaries/CS-97.04

Intruders continue to scan large blocks of network addresses for vulnerable
systems. Because we continue to receive reports of root compromises
resulting from vulnerable versions of the IMAP server, we encourage you to
take immediate action to address this vulnerability.

We encourage you to review our advisory describing the vulnerability and
suggesting corrective actions:

   ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop


2. Increased Denial-of-Service Attacks

The CERT/CC is receiving more frequent and varied reports of denial-of-service
attacks. Intruders are exploiting vulnerabilities addressed in previous CERT
advisories, and using IP spoofing to hide the origin of the attacks. Recently
we published a new tech tip that provides an overview of denial-of-service
attacks and information that may help you respond to them:

   ftp://info.cert.org/pub/tech_tips/denial_of_service

Recently a number of networks around the Internet have been the victim of a
denial-of-service attack involving forged ICMP echo request packets
(i.e., "ping" packets) directed to a broadcast address. Each machine
responding to the broadcast packet will generate an ICMP echo reply packet
directed to the address of the original forged echo request packet. This can
generate a large amount of traffic for the sites involved.

We encourage you to defend yourself against this problem by filtering
broadcast ping packets (or all broadcast packets) at your router or
firewall. If filtering broadcast packets at your router is not a viable
option, you may be able to configure your operating system to ignore broadcast
ICMP packets. You should consult either your documentation or your vendor to
see what variables can be set on all local machines so that broadcast IP
traffic (and more specifically broadcast ICMP traffic) is ignored, thus
negating the attack.

We also strongly encourage you to filter outbound packets at your router to
prevent packets with forged source addresses from leaving your network.

For more information on this kind of packet filtering and IP spoofing attacks,
please see

   ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
   ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing


3. Increased Use of IRC in Root Compromises

We have received a significant number of reports that intruders are
compromising machines at the root level and then installing Internet Relay
Chat (IRC) clients or servers. If you discover unauthorized IRC clients,
servers, or robots running on your systems, we encourage you to check for
signs of compromise using our Intruder Detection Checklist, available at

   ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

This document will help you methodically check your systems for signs of
compromise; it offers pointers to other resources and suggestions on how to
proceed in the event of a compromise.


4. Increased Exploitation of IRIX Buffer Overflows

Buffer overflow vulnerabilities on IRIX systems are being exploited in many
incidents reported to the CERT/CC. These vulnerabilities are described in a
recent CERT advisory:

   ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow

Vulnerable programs discussed in the advisory include df, pset, eject,
login/scheme, ordist, and xlock.

We encourage you to apply the patches or workarounds described in Section III
of the advisory and to regularly check with your vendor for security updates.


5. Continuing INND Exploits

We continue to receive reports of widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers, as reported in the March 1997
special edition CERT Summary CS-97.02:

    ftp://info.cert.org/pub/cert_summaries/CS-97.02

Our advisory describing two vulnerabilities present in INND versions prior to
1.5.1sec2 is available at

    ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

We strongly recommend that you do *not* try to test your own systems by
attempting to exploit the vulnerability. Many of the INND attacks reported to
us were the result of sites testing their own servers and inadvertently
releasing their test on the Internet. To determine whether or not your version
of INND is vulnerable, please consult the advisory (CA-97.08.innd).

The latest supported version of INN, 1.5.1sec2, addresses vulnerabilities that
existed in previous versions. For a pointer to the latest version of INN, see
the UPDATES section in CA-97.08.innd or

    ftp://info.cert.org/pub/latest_sw_versions/inn



What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (May 28, 1997).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-97.15.sgi_login                          Describes a vulnerability in
                                                the SGI login program when
                                                the LOCKOUT parameter is set
                                                to a number greater than zero.


    CA-97.16.ftpd                               Describes a vulnerability in
                                                some versions of ftpd
                                                distributed and installed
                                                under various UNIX
                                                platforms.

    CA-97.17.sperl                              Addresses a buffer overflow
                                                condition in suidperl (sperl)
                                                built from Perl 4.n and Perl
                                                5.n distributions on UNIX
                                                systems.

    CA-97.18.at                                 This advisory addresses a
                                                buffer overflow condition in
                                                some versions of the at(1)
                                                program.

    CA-97.20.javascript                         Reports a vulnerability in
                                                JavaScript that enables
                                                remote attackers to monitor a
                                                user's Web activities.

    CA-97.21.sgi_buffer_overflow                Describes 6 buffer overflow
                                                problems in SGI IRIX
                                                systems. Problems affect the
                                                df, pset, eject, login/scheme,
                                                ordist, and xlock programs.

    CA-97.22.bind                               Describes a vulnerability in
                                                all versions of BIND before
                                                release 8.1.1, suggests
                                                several solutions, and
                                                provides pointers to the
                                                current version. Supersedes
                                                CA-96.02.bind.


ftp://info.cert.org/pub/cert_bulletins/

    VB-97.03.sun                                A Sun Security Bulletin
                                                announcing patches for a
                                                vulnerability in rpcbind

    VB-97.04.hp                                 Information from
                                                Hewlett-Packard on a
                                                vulnerability in the chfn
                                                executable in HP 9000 Series
                                                700/800s running versions of
                                                HP-US 9.X and 10.X

    VB-97.05.lynx                               Information from members of
                                                the lynx-dev mailing list
                                                about a vulnerability in
                                                temporary files that enables
                                                users to replace the temporary
                                                file with a symbolic link or
                                                with another file

    VB-97.06.lynx                               Information from members of
                                                the lynx-dev mailing list
                                                about a vulnerability in Lynx
                                                downloading that enables users
                                                to read or execute arbitrary
                                                files regardless of
                                                restrictions set by the system
                                                administrator


ftp://info.cert.org/pub/cert_summaries/

    CS-97.04                                    Special edition CERT Summary
                                                about large-scale attacks
                                                involving a vulnerability in
                                                some implementations of IMAP


ftp://info.cert.org/pub/latest_sw_versions/


    apache                                      URLs and MD5 checksum for
                                                Apache 1.2.1

    bind                                        URLs and MD5 checksum for
                                                BIND 8.8.1

    inn                                         URL and MD5 checksum for inn
                                                1.5.1sec2

    NetBIOS                                     URLs and MD5 checksums for
                                                NetBIOS Security Kit v1.0

    sendmail                                    URLs and MD5 checksum for
                                                sendmail 8.8.7


ftp://info.cert.org/pub/tech_tips/

    denial_of_service                           Provides a general overview of
                                                attacks in which the primary
                                                goal of the attack is to deny
                                                the victim(s) access to a
                                                particular resource, as well
                                                as information that may help
                                                you respond to such an attack.


ftp://info.cert.org/pub/tools/

    NetBIOS/                                    NetBIOS tar and zip files



* Updated Files

ftp://info.cert.org/pub/

    cert_faq                                    Updated the recommended
                                                reading list in Section B.11.


ftp://info.cert.org/pub/cert_advisories/

    CA-96.04.corrupt_info_from_servers          Updated the URL pointing to
                                                the current version of BIND.

    CA-96.06.cgi_example_code                   Added information about other
                                                cgi programs being exploited.

    CA-96.21.tcp_syn_flooding                   Added information from Linux.

    CA-96.26.ping                               Updated information from Sun
                                                Microsystems, Inc.

    CA-96.27.hp_sw_install                      Added information from
                                                Hewlett-Packard Company.

    CA-97.04.talkd                              Updated information from
                                                Silicon Graphics Inc. and Sun
                                                Microsystems, Inc.

    CA-97.06.rlogin-term                        Updated information from
                                                Hewlett-Packard Company.

    CA-97.08.innd                               Added information about the
                                                latest release of innd.

    CA-97.09.imap_pop                           Added information from
                                                NetManage, Inc. Clarified
                                                information in introduction
                                                and description sections.

    CA-97.10.nls                                Added other phrases for the
                                                the NLS acronym. Updated the
                                                entry for Cray Research - A
                                                Silicon Graphics Company.

    CA-97.13.xlock                              Added information from
                                                Berkeley Software Design, Inc.
                                                (BSDI) and Silicon Graphics
                                                Inc. (SGI). Updated
                                                information from Sun
                                                Microsystems, Inc.

    CA-97.16.ftpd                               Added information from
                                                Sun Microsystems, Inc.,
                                                Digital Equipment Corporation,
                                                and Silicon Graphics, Inc.

    CA-97.17.sperl                              Added information from
                                                Sun Microsystems, Inc.

    CA-97.18.at                                 Added information from
                                                Digital Equipment Corporation,
                                                Hewlett-Packard Company,
                                                and Data General Corporation.

    CA-97.20.javascript                         Added information from
                                                Netscape Communications
                                                Corporation and Microsoft.

    CA-97.21.sgi_buffer_overflow                Clarified wrapper
                                                information. Updated
                                                information from Silicon
                                                Graphics, Inc.

    CA-97.22.bind                               Clarified that version 4.9.6
                                                is not vulnerable. Noted
                                                reasons that sites should
                                                upgrade to version 8.1.1.


ftp://info.cert.org/pub/cert_advisories/obsolete_advisories

    CA-96.02.bind                               Moved to obsolete advisories
                                                directory; superseded by
                                                CA-97.22.bind.


ftp://info.cert.org/pub/cert_bulletins/

    VB-97.05.lynx                               Added acknowledgement of
                                                original reporter of the
                                                problem.

    VB-97.06.lynx                               Added acknowledgement of
                                                original reporter of the
                                                problem.


ftp://info.cert.org/pub/legal_stuff             Copyright, trademark, and
                                                related information


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert () cert org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request () cert org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions apply; they can be found
in http://www.cert.org/legal_stuff.html and
ftp://info.cert.org/pub/legal_stuff

If you do not have FTP or web access, send mail to cert () cert org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNALx7XVP+x0t4w7BAQEgfAQAgLKDyXfaqe2CtWaIeoSLYWPCZOv1tD9f
XvzQd2nME6w7A9mUCdBtP/7bKNP85dyqADcwNNAtpWk2gPp9qDQIYpPys1sHKnin
0OMUf3vGM/xaxHRDquAfrIOIppcvgDfjB6uO3sUOFV0L0HZhbxOh1aaBLZ9+rTWp
e0NO5sAR9rs=
=fHlN
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault