X-RDate: Wed, 11 Mar 1998 15:17:58 +0500 (ESK)
Date: Tue, 10 Mar 1998 15:20:22 -0500
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-98.03
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT* Summary CS-98.03
March 10, 1998
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://ftp.cert.org/pub/
Past CERT Summaries are available from
ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
Since the last regularly scheduled CERT Summary issued in December 1997
(CS-97.06), we have seen these continuing trends in incidents reported to us.
1. Root Compromises and Network Sniffers
We continue to receive daily reports of UNIX systems that have suffered a
root compromise. Many of these compromises can be traced to systems that
are unpatched or misconfigured, on which the intruders exploit well-known
vulnerabilities for which CERT advisories have been published. On many
root-compromised systems, the intruders also install packet sniffers to
collect account names and passwords on other systems. (The packet sniffers
are frequently installed as part of several widely available intruder
toolkits that also replace common system files with Trojan horse programs.)
For information about recovering from a UNIX root compromise, see
ftp://ftp.cert.org/pub/tech_tips/root_compromise
To learn about methods for detecting intruders' packet sniffers and Trojan
horse programs, see
http://www.cert.org/pub/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
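The following is an added example, not part of this Summary or of CA-94.01, showing the two checks a defender would run on a suspected host for the indicators described above: a network interface left in promiscuous mode by a packet sniffer, and a system binary whose contents no longer match a baseline recorded while the host was known to be clean. The `ip -o link show` sample and the three "binaries" built in a temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# First line of each interface in `ip -o link show` / `ip link show` output, e.g.
#   "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IFACE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(@[^:]+)?:\s+<(?P<flags>[^>]*)>")


def promiscuous_interfaces(ip_link_output: str) -> list:
    """Return the names of interfaces whose flags include PROMISC.

    A sniffer must put an interface into promiscuous mode to capture traffic
    addressed to other hosts, so PROMISC on a server that runs no legitimate
    monitor is a strong indicator that one has been installed.
    """
    found = []
    for line in ip_link_output.splitlines():
        m = IFACE_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths) -> dict:
    """Hash each binary while the system is known to be clean.

    Keep the result off-host or on read-only media: a baseline stored on the
    machine is just another file an intruder toolkit can rewrite.
    """
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline: dict) -> dict:
    """Compare current file contents against the baseline.

    Returns {path: 'ok' | 'MODIFIED' | 'MISSING'}. Size and mtime are not
    consulted because Trojan horse replacements commonly preserve both.
    """
    status = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            status[path] = "MISSING"
        elif sha256_of(path) != expected:
            status[path] = "MODIFIED"
        else:
            status[path] = "ok"
    return status


# Constructed sample of `ip -o link show` output (eth0 is in promiscuous mode).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""


def demo_baseline_check() -> dict:
    """Constructed demonstration using hypothetical 'binaries' in a temporary
    directory, not real system files: record a baseline, then replace one
    file and delete another, as a toolkit would, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("login", "ps", "netstat")}
        for name, path in paths.items():
            with open(path, "wb") as f:
                f.write(b"original " + name.encode())
        baseline = record_baseline(paths.values())
        with open(paths["ps"], "wb") as f:      # Trojan horse replacement
            f.write(b"replacement that hides processes")
        os.remove(paths["netstat"])             # tool removed outright
        result = check_baseline(baseline)
        return {os.path.basename(p): s for p, s in result.items()}


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces(SAMPLE_IP_LINK))
    print("baseline check:", demo_baseline_check())
```

On a host that is already root-compromised the `ip`, `sha256sum` and Python binaries themselves may have been replaced, so both checks are only trustworthy when run from known-clean media or after the disk has been mounted on a clean system, which is the approach the root_compromise tech tip above describes.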
2. Large-Scale Scanning and Attacks
We have been receiving reports of large-scale scanning of hosts on the
Internet, where intruders are using automated programs to identify systems
that are running vulnerable services. In one incident reported to the
CERT/CC, more than 250,000 hosts were scanned. Many of these scans have led
to root compromises on systems that were not patched against various
well-known problems that have been addressed in previous CERT advisories.
In recent months, the most commonly reported types of intruder scanning
and exploitation attacks continue to be against IMAP and rpc-statd
services.
A. IMAP Attacks
We continue to receive reports of IMAP attacks, as mentioned in previous
CERT Summaries (CS-98.01, CS-97.06, and CS-97.04). These reports show that
intruders are still launching large-scale, automated scans against many
networks, identifying potentially vulnerable systems.
A system running a vulnerable version of certain IMAP server implementations
may allow an intruder to gain root-level access on that host.
We encourage you to check for the IMAP vulnerability and take immediate
action to address the problem. For related information, see
http://www.cert.org/pub/advisories/CA-97.09.imap_pop.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-97.09.imap_pop
ftp://ftp.cert.org/pub/cert_summaries/CS-97.04
ftp://ftp.cert.org/pub/cert_summaries/CS-97.06
B. rpc-statd Attacks
We are also receiving reports of attacks involving a vulnerability in
rpc.statd (also known as statd on some systems), as mentioned in CERT
Summary CS-98.01 - SPECIAL EDITION. This vulnerability can allow an
intruder to gain root access.
For related information, see CERT Advisory CA-97.26 and CERT Summary
CS-98.01:
http://www.cert.org/pub/advisories/CA-97.26.statd.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-97.26.statd
ftp://ftp.cert.org/pub/cert_summaries/CS-98.01
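As an added example, not part of this Summary or of any CERT tool, the Python script below shows the check that lets a site notice the automated scanning described in 2A and 2B in its own logs: a single source address opening connections to the same service on many different hosts in a short period. The log lines are constructed in the tcp_wrappers "connect from" style using documentation address ranges, and the host names, daemon names and the three-host threshold are assumptions; a real loghost would adapt LOG_RE to whatever its daemons actually emit.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the tcp_wrappers "connect from" style, e.g.
#   "Mar 10 03:15:22 mailhost in.imapd[2133]: connect from 192.0.2.44"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.]+)\[\d+\]: connect from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Daemon names (assumed) mapped to the service classes this Summary discusses.
WATCHED = {
    "in.imapd": "IMAP",
    "imapd": "IMAP",
    "rpc.statd": "rpc.statd",
    "statd": "rpc.statd",
}


def parse(lines):
    """Yield one dict per line that matches LOG_RE; other lines are ignored."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def scan_sources(lines, min_hosts: int = 3) -> dict:
    """Return {service: {source_ip: [hosts...]}} restricted to sources that
    contacted at least min_hosts distinct hosts on a watched service.

    One connection to one mail server is ordinary traffic; the same source
    touching the same port on many hosts across the site is the signature of
    the automated scans the Summary describes.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse(lines):
        svc = WATCHED.get(rec["service"])
        if svc:
            seen[svc][rec["src"]].add(rec["host"])

    report = {}
    for svc, by_src in seen.items():
        hits = {src: sorted(hosts) for src, hosts in by_src.items()
                if len(hosts) >= min_hosts}
        if hits:
            report[svc] = hits
    return report


# Constructed sample: logs from several hosts forwarded to one loghost.
# 192.0.2.7 sweeps IMAP across the site, 192.0.2.99 sweeps rpc.statd,
# 198.51.100.23 is an ordinary mail client talking to one server.
SAMPLE_LOG = """\
Mar  9 02:14:07 mail1 in.imapd[4021]: connect from 192.0.2.7
Mar  9 02:14:07 www1 in.imapd[1180]: connect from 192.0.2.7
Mar  9 02:14:08 ns1 in.imapd[3312]: connect from 192.0.2.7
Mar  9 02:14:08 dev3 in.imapd[2790]: connect from 192.0.2.7
Mar  9 02:14:09 mail1 in.imapd[4022]: connect from 198.51.100.23
Mar  9 02:15:30 mail1 in.imapd[4030]: connect from 198.51.100.23
Mar  9 02:16:01 ns1 rpc.statd[212]: connect from 192.0.2.99
Mar  9 02:16:01 www1 rpc.statd[505]: connect from 192.0.2.99
Mar  9 02:16:02 dev3 rpc.statd[611]: connect from 192.0.2.99
Mar  9 02:16:05 mail1 in.telnetd[4040]: connect from 198.51.100.5
"""


if __name__ == "__main__":
    for svc, sources in scan_sources(SAMPLE_LOG.splitlines()).items():
        for src, hosts in sources.items():
            print(f"{svc}: {src} contacted {len(hosts)} hosts: {', '.join(hosts)}")
```

The check only works if every host's connection logs reach a central loghost; a scan that touches each machine once leaves nothing suspicious in any single host's log, which is exactly why site-wide scans of this size go unnoticed until a root compromise follows.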
3. Denial-of-Service Attacks
We are still receiving daily reports of various types of denial-of-service
attacks.
You can find information about protecting your systems against several common
types of denial-of-service attacks in the following documents:
ftp://ftp.cert.org/pub/tech_tips/denial_of_service
ftp://ftp.cert.org/pub/cert_summaries/CS-98.02
http://www.cert.org/pub/advisories/CA-98.01.smurf.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-98.01.smurf
http://www.cert.org/pub/advisories/CA-97.28.Teardrop_Land.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
http://www.cert.org/pub/advisories/CA-96.26.ping.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-96.26.ping
http://www.cert.org/pub/advisories/CA-96.21.tcp_syn_flooding.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
http://www.cert.org/pub/advisories/CA-96.01.UDP_service_denial.html
or ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial
We encourage you to read the above documents and apply the appropriate vendor
patches. We also encourage you to consider implementing router filters to
reduce your site's exposure to certain types of attacks.
A. More Denial-of-Service Attacks Targeting Windows 95/NT Machines
This section is a follow-up to the information provided in the Special
Edition CERT Summary released on March 4. This document is available at
ftp://ftp.cert.org/pub/cert_summaries/CS-98.02
We have received reports of sites continuing to experience "teardrop2"
denial-of-service attacks targeted at multiple hosts. Again, we encourage
you to install the appropriate patches to minimize the effect of this
attack.
Microsoft has released a new "Security Bulletin" addressing network
denial-of-service attacks. This bulletin contains pointers to Windows NT
hotfixes and a Windows 95 update which patch vulnerable machines. The
bulletin is available from the Microsoft security web site at
http://www.microsoft.com/security/netdos.htm
New Location of "New Additions" and "Updated Files" Information
- ---------------------------------------------------------------
Before we publish the next regular issue of the CERT Summary, we will have a
"What's New" page on our Web site at
http://www.cert.org/
On this page we'll highlight new documents we've made available as well as
noteworthy document updates.
As a result, this is the last time we will include the "New Additions" and
"Updated Files" sections in the CERT Summary.
What's New in the CERT FTP Archive and Web Site
- -----------------------------------------------
We have made the following changes to our FTP and Web sites since the last
regularly scheduled CERT Summary (December 1, 1997).
* New Additions
http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/
CA-97.26.statd               Reports a vulnerability that exists in the
                             statd(1M) program, available on a variety of
                             UNIX platforms.
CA-97.27.FTP_bounce          Discusses the use of the PORT command in the
                             FTP protocol.
CA-97.28.Teardrop_Land       Reports on two IP denial-of-service attacks.
CA-98.01.smurf               Describes the "smurf" IP denial-of-service
                             attacks. The attack described in this advisory
                             is different from the denial-of-service attacks
                             described in CERT advisory CA-97.28.
CA-98.02.CDE                 Reports several vulnerabilities in some
                             implementations of the Common Desktop
                             Environment (CDE).
CA-98.03.ssh-agent           Details a vulnerability in the SSH cryptographic
                             login program.
CA-98.04.Win32.WebServers    Reports an exploitation involving long file
                             names on Microsoft Windows-based web servers.
ftp://ftp.cert.org/pub/cert_bulletins/
VB-97.15.nis_cachemgr        Addresses a vulnerability that allows attackers
                             to specify rogue NIS+ servers that are under
                             their control.
VB-97.16.CrackLib            Describes a weakness in a published version of
                             CrackLib (v2.5, dated 1993) that could lead to a
                             compromise of system privileges.
VB-98.01.excite              Discusses a security hole that could allow a
                             malicious user of the software to execute shell
                             commands on the host system on which EWS has
                             been installed.
VB-98.02.apache              Describes several possible security issues that
                             have been discovered during an internal security
                             review of the Apache source code.
ftp://ftp.cert.org/pub/cert_summaries/
CS-98.01                     Highlights increasing attacks involving a
                             vulnerability in rpc.statd, also known as statd
                             on some systems.
CS-98.02                     Describes denial-of-service attacks targeting a
                             vulnerability in the Microsoft TCP/IP stack.
ftp://ftp.cert.org/pub/tools/cracklib/
cracklib26_small.diff
cracklib26_small.tgz
http://www.cert.org/pub/reports.html
Annual Report 1997           CERT/CC 1997 Annual Report (Summary)
Security of the Internet     Article written by the CERT/CC staff for The
                             Froehlich/Kent Encyclopedia of
                             Telecommunications vol. 15
* Updated Files
http://www.cert.org/pub/advisories/index.html
ftp://ftp.cert.org/pub/cert_advisories/
CA-96.08.pcnfsd              Added information for NCR Corporation.
CA-96.09.rpc.statd           Added information for NCR Corporation.
CA-96.14.rdist_vul           Updated information for NCR Corporation.
CA-96.26.ping                Updated information for NCR Corporation.
CA-97.03.csetup              Added information for Data General.
CA-97.06.rlogin-term         Added information for NCR Corporation.
CA-97.09.imap_pop            Updated information for Sun Microsystems, Inc.
CA-97.11.libXt               Updated information for Data General
                             Corporation. Added information for Silicon
                             Graphics, Inc.
CA-97.16.ftpd                Added information for NCR Corporation.
CA-97.17.sperl               Added information for NCR Corporation.
CA-97.18.at                  Updated information for Silicon Graphics, Inc.
CA-97.21.sgi_buffer_overflow Updated information for Silicon Graphics, Inc.
CA-97.23.rdist               Updated information for NCR Corporation.
CA-97.25.CGI_metachar        Updated tech tip and removed Appendix A.
CA-98.03.ssh-agent           In Updates section, described two cases in
                             which the vulnerability is present.
ftp://ftp.cert.org/pub/tech_tips/
cgi_metacharacters           Updated information.
FTP_PORT_attacks             Updated information.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email [email protected]
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
Monday-Friday, and are on call for emergencies during other
hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[email protected]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://ftp.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to [email protected] with
"copyright" in the subject line.
* CERT is registered in the U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNQWAVnVP+x0t4w7BAQHzNQP9EmDSMKFwRsLQkX7rsxRDYnMmOHkUAUve
O107MYkhmeBBKn0P9G37wSvAhdxeqMJ7wgvVINIYEkG7DBwapBd325VS589E2dmL
r5ZLqt6cr7O7Ji3pCGVys4Xw957uMMst9BnyT3pNySBeZBX/3lc3VCxXnGUu3nX9
rzW9DUOGDJY=
=EiP3
-----END PGP SIGNATURE-----