Date: Tue, 26 Aug 1997 11:58:03 -0400
Message-Id: <199708261558.LAA03238@coal.cert.org>
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Summary CS-97.05
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090

---------------------------------------------------------------------------
CERT* Summary CS-97.05                                      August 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response team. The summary includes pointers to sources of information for
dealing with the problems.

We also list new or updated files that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

---------------------------------------------------------------------------

Recent Activity
---------------

Since the last regularly-scheduled CERT Summary issued in May, we have seen
the following trends in incidents reported to us.

1. Continuing IMAP Exploits

   The CERT Coordination Center continues to receive daily reports of
   attempts to exploit a vulnerability in certain implementations of IMAP.
   This vulnerability was the subject of our most recent CERT Summary,
   "CS-97.04 - Special Edition," which can be found at

        ftp://info.cert.org/pub/cert_summaries/CS-97.04

   Intruders continue to scan large blocks of network addresses for
   vulnerable systems. Because we continue to receive reports of root
   compromises resulting from vulnerable versions of the IMAP server, we
   encourage you to take immediate action to address this vulnerability.

   We encourage you to review our advisory describing the vulnerability and
   suggesting corrective actions:

        ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop

2. Increased Denial-of-Service Attacks

   The CERT/CC is receiving more frequent and varied reports of
   denial-of-service attacks. Intruders are exploiting vulnerabilities
   addressed in previous CERT advisories, and using IP spoofing to hide the
   origin of the attacks.

   Recently we published a new tech tip that provides an overview of
   denial-of-service attacks and information that may help you respond to
   them:

        ftp://info.cert.org/pub/tech_tips/denial_of_service

   Recently a number of networks around the Internet have been the victim
   of a denial-of-service attack involving forged ICMP echo request packets
   (i.e., "ping" packets) directed to a broadcast address. Each machine
   responding to the broadcast packet will generate an ICMP echo reply
   packet directed to the forged source address of the original echo
   request packet. This can generate a large amount of traffic for the
   sites involved.

   We encourage you to defend yourself against this problem by filtering
   broadcast ping packets (or all broadcast packets) at your router or
   firewall. If filtering broadcast packets at your router is not a viable
   option, you may be able to configure your operating system to ignore
   broadcast ICMP packets.
   You should consult either your documentation or your vendor to see what
   variables can be set on all local machines so that broadcast IP traffic
   (and more specifically broadcast ICMP traffic) is ignored, thus negating
   the attack.

   We also strongly encourage you to filter outbound packets at your router
   to prevent packets with forged source addresses from leaving your
   network. For more information on this kind of packet filtering and IP
   spoofing attacks, please see

        ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
        ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing

3. Increased Use of IRC in Root Compromises

   We have received a significant number of reports that intruders are
   compromising machines at the root level and then installing Internet
   Relay Chat (IRC) clients or servers. If you discover unauthorized IRC
   clients, servers, or robots running on your systems, we encourage you to
   check for signs of compromise using our Intruder Detection Checklist,
   available at

        ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

   This document will help you methodically check your systems for signs of
   compromise; it offers pointers to other resources and suggestions on how
   to proceed in the event of a compromise.

4. Increased Exploitation of IRIX Buffer Overflows

   Buffer overflow vulnerabilities on IRIX systems are being exploited in
   many incidents reported to the CERT/CC. These vulnerabilities are
   described in a recent CERT advisory:

        ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow

   Vulnerable programs discussed in the advisory include df, pset, eject,
   login/scheme, ordist, and xlock. We encourage you to apply the patches or
   workarounds described in Section III of the advisory and to regularly
   check with your vendor for security updates.

5. Continuing INND Exploits

   We continue to receive reports of widespread, large-scale attacks on
   NNTP (Network News Transport Protocol) servers, as reported in the March
   1997 special edition CERT Summary CS-97.02:

        ftp://info.cert.org/pub/cert_summaries/CS-97.02

   Our advisory describing two vulnerabilities present in INND versions
   prior to 1.5.1sec2 is available at

        ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

   We strongly recommend that you do *not* try to test your own systems by
   attempting to exploit the vulnerability. Many of the INND attacks
   reported to us were the result of sites testing their own servers and
   inadvertently releasing their test on the Internet. To determine whether
   or not your version of INND is vulnerable, please consult the advisory
   (CA-97.08.innd).

   The latest supported version of INN, 1.5.1sec2, addresses
   vulnerabilities that existed in previous versions. For a pointer to the
   latest version of INN, see the UPDATES section in CA-97.08.innd or

        ftp://info.cert.org/pub/latest_sw_versions/inn

What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary (May 28,
1997).

* New Additions

ftp://info.cert.org/pub/cert_advisories/
        CA-97.15.sgi_login
                Describes a vulnerability in the SGI login program when the
                LOCKOUT parameter is set to a number greater than zero.
        CA-97.16.ftpd
                Describes a vulnerability in some versions of ftpd
                distributed and installed under various UNIX platforms.
        CA-97.17.sperl
                Addresses a buffer overflow condition in suidperl (sperl)
                built from Perl 4.n and Perl 5.n distributions on UNIX
                systems.
        CA-97.18.at
                This advisory addresses a buffer overflow condition in some
                versions of the at(1) program.
        CA-97.20.javascript
                Reports a vulnerability in JavaScript that enables remote
                attackers to monitor a user's Web activities.
        CA-97.21.sgi_buffer_overflow
                Describes 6 buffer overflow problems in SGI IRIX systems.
                Problems affect the df, pset, eject, login/scheme, ordist,
                and xlock programs.
        CA-97.22.bind
                Describes a vulnerability in all versions of BIND before
                release 8.1.1, suggests several solutions, and provides
                pointers to the current version. Supersedes CA-96.02.bind.

ftp://info.cert.org/pub/cert_bulletins/
        VB-97.03.sun
                A Sun Security Bulletin announcing patches for a
                vulnerability in rpcbind
        VB-97.04.hp
                Information from Hewlett-Packard on a vulnerability in the
                chfn executable in HP 9000 Series 700/800s running versions
                of HP-UX 9.X and 10.X
        VB-97.05.lynx
                Information from members of the lynx-dev mailing list about
                a vulnerability in temporary files that enables users to
                replace the temporary file with a symbolic link or with
                another file
        VB-97.06.lynx
                Information from members of the lynx-dev mailing list about
                a vulnerability in Lynx downloading that enables users to
                read or execute arbitrary files regardless of restrictions
                set by the system administrator

ftp://info.cert.org/pub/cert_summaries/
        CS-97.04
                Special edition CERT Summary about large-scale attacks
                involving a vulnerability in some implementations of IMAP

ftp://info.cert.org/pub/latest_sw_versions/
        apache          URLs and MD5 checksum for Apache 1.2.1
        bind            URLs and MD5 checksum for BIND 8.8.1
        inn             URL and MD5 checksum for inn 1.5.1sec2
        NetBIOS         URLs and MD5 checksums for NetBIOS Security Kit v1.0
        sendmail        URLs and MD5 checksum for sendmail 8.8.7

ftp://info.cert.org/pub/tech_tips/
        denial_of_service
                Provides a general overview of attacks in which the primary
                goal of the attack is to deny the victim(s) access to a
                particular resource, as well as information that may help
                you respond to such an attack.

ftp://info.cert.org/pub/tools/
        NetBIOS/
                NetBIOS tar and zip files

* Updated Files

ftp://info.cert.org/pub/
        cert_faq
                Updated the recommended reading list in Section B.11.

ftp://info.cert.org/pub/cert_advisories/
        CA-96.04.corrupt_info_from_servers
                Updated the URL pointing to the current version of BIND.
        CA-96.06.cgi_example_code
                Added information about other cgi programs being exploited.
        CA-96.21.tcp_syn_flooding
                Added information from Linux.
        CA-96.26.ping
                Updated information from Sun Microsystems, Inc.
        CA-96.27.hp_sw_install
                Added information from Hewlett-Packard Company.
        CA-97.04.talkd
                Updated information from Silicon Graphics Inc. and Sun
                Microsystems, Inc.
        CA-97.06.rlogin-term
                Updated information from Hewlett-Packard Company.
        CA-97.08.innd
                Added information about the latest release of innd.
        CA-97.09.imap_pop
                Added information from NetManage, Inc. Clarified
                information in introduction and description sections.
        CA-97.10.nls
                Added other phrases for the NLS acronym. Updated the entry
                for Cray Research - A Silicon Graphics Company.
        CA-97.13.xlock
                Added information from Berkeley Software Design, Inc. (BSDI)
                and Silicon Graphics Inc. (SGI). Updated information from
                Sun Microsystems, Inc.
        CA-97.16.ftpd
                Added information from Sun Microsystems, Inc., Digital
                Equipment Corporation, and Silicon Graphics, Inc.
        CA-97.17.sperl
                Added information from Sun Microsystems, Inc.
        CA-97.18.at
                Added information from Digital Equipment Corporation,
                Hewlett-Packard Company, and Data General Corporation.
        CA-97.20.javascript
                Added information from Netscape Communications Corporation
                and Microsoft.
        CA-97.21.sgi_buffer_overflow
                Clarified wrapper information. Updated information from
                Silicon Graphics, Inc.
        CA-97.22.bind
                Clarified that version 4.9.6 is not vulnerable. Noted
                reasons that sites should upgrade to version 8.1.1.

ftp://info.cert.org/pub/cert_advisories/obsolete_advisories
        CA-96.02.bind
                Moved to obsolete advisories directory; superseded by
                CA-97.22.bind.

ftp://info.cert.org/pub/cert_bulletins/
        VB-97.05.lynx
                Added acknowledgement of original reporter of the problem.
        VB-97.06.lynx
                Added acknowledgement of original reporter of the problem.
ftp://info.cert.org/pub/legal_stuff
        Copyright, trademark, and related information

---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

In the subject line, type

        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
        ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions apply; they can be
found in

        http://www.cert.org/legal_stuff.html
        ftp://info.cert.org/pub/legal_stuff

If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.
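As an added example that is not part of this CERT Summary, the two router filters recommended under item 2 of Recent Activity (drop broadcast ping packets at the border, and drop outbound packets whose source address is not your own) are written out as a policy check over constructed packet records; the local prefix 192.0.2.0/24, the Packet record layout and the sample traffic are assumptions, and the reply count shows why one forged echo request to a broadcast address becomes many replies to the victim.

```python
# Added example, not from the CERT Summary: broadcast-ping and egress filters as a policy check.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

LOCAL_NET = IPv4Network("192.0.2.0/24")   # assumed local prefix (documentation range)
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
ICMP, ECHO_REQUEST = 1, 8                  # IP protocol number, ICMP type

@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (from the Internet) or "out" (leaving our network)
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None

def is_broadcast_ping(pkt: Packet, local_net: IPv4Network = LOCAL_NET) -> bool:
    """An echo request aimed at the subnet or limited broadcast address reaches every host."""
    return (pkt.proto == ICMP and pkt.icmp_type == ECHO_REQUEST
            and IPv4Address(pkt.dst) in (local_net.broadcast_address, LIMITED_BROADCAST))

def filter_decision(pkt: Packet, local_net: IPv4Network = LOCAL_NET) -> str:
    """Apply the two filters the summary recommends; return 'allow' or a 'drop: ...' reason."""
    if pkt.direction == "in" and is_broadcast_ping(pkt, local_net):
        return "drop: broadcast echo request"          # filter broadcast pings at the border
    if pkt.direction == "out" and IPv4Address(pkt.src) not in local_net:
        return "drop: forged source address"            # egress anti-spoofing
    return "allow"

def echo_replies_to_source(pkt: Packet, responding_hosts: int, filtered: bool = True) -> int:
    """Echo replies the packet's (possibly forged) source address receives: unfiltered,
    every responding host answers a broadcast ping, so one packet becomes many replies."""
    if pkt.proto != ICMP or pkt.icmp_type != ECHO_REQUEST:
        return 0
    if filtered and filter_decision(pkt) != "allow":
        return 0
    return responding_hosts if is_broadcast_ping(pkt) else 1

# Constructed sample traffic; 198.51.100.7 plays the victim whose address is forged.
SAMPLE = [
    Packet("in", "198.51.100.7", "192.0.2.255", ICMP, ECHO_REQUEST),   # forged ping to our broadcast
    Packet("in", "198.51.100.7", "192.0.2.10", ICMP, ECHO_REQUEST),    # ordinary ping to one host
    Packet("out", "203.0.113.5", "198.51.100.7", ICMP, ECHO_REQUEST),  # forged source leaving us
    Packet("out", "192.0.2.10", "198.51.100.7", 6),                    # legitimate TCP from inside
]

def audit(packets=SAMPLE) -> dict:
    """Map each sample packet to its filter decision."""
    return {f"{p.direction} {p.src}->{p.dst}": filter_decision(p) for p in packets}
```

With 200 responding hosts on the subnet, `echo_replies_to_source(SAMPLE[0], 200, filtered=False)` returns 200 replies aimed at the forged source, and 0 once the broadcast filter is in place.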