[1181] in linux-security and linux-alert archive


[linux-security] CERT Summary CS-96.05

daemon@ATHENA.MIT.EDU (CERT Advisory)
Wed Sep 25 18:34:21 1996

Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-To: linux-security@tarsier.cv.nrao.edu
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Date: Tue, 24 Sep 1996 17:24:25 -0400

A general FYI from CERT.  I won't comment on their having singled Linux
out as the one OS that gets broken into due to mis-configuration and/or
ignorance of previous advisories.  [We all know that this never happens
to "real" operating systems.]

Oh, wait...I guess I just commented.  :)~

--Up.

-----BEGIN PGP SIGNED MESSAGE-----

CERT(sm) Summary CS-96.05
September 24, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------


Clarification to CS-96.04
- -------------------------

In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be used
by the intruder community.


Recent Activity and Trends
- --------------------------

Since the July CERT Summary, we have noticed these trends in incidents
reported to us.

1. Denial of Service Attacks

Instructions for executing denial-of-service attacks and programs to
implement such attacks have recently been widely distributed. Since
this information was published, we have noticed a significant and
rapid increase in the number of denial-of-service attacks executed
against sites.

To learn more about denial-of-service attacks and how to limit them,
see

  ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

To monitor and log an attack, you can use a tool such as Argus. For
more information regarding Argus, see

  ftp://info.cert.org/pub/tech_tips/security_tools
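
An added example, not part of the CERT Summary or of Argus: a quick indicator of a TCP SYN flood taken from `netstat -an` output. A flood leaves many half-open connections (state SYN_RECV) on the targeted port, normally from many different source addresses. The script assumes the Linux netstat column layout with "address:port" (BSD netstat prints "address.port" and spells the state SYN_RCVD, so the separator and state name would need adjusting there); the netstat lines below are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the CERT Summary): count half-open TCP connections
# per local port from "netstat -an" output and flag ports over a threshold.
# Assumes the Linux layout:  Proto Recv-Q Send-Q Local-Address Foreign-Address State
# with addresses written as address:port. A real run would be:
#   netstat -an | syn_recv_per_port | ports_over_threshold 100

# Constructed netstat sample: a burst of half-open connections to port 80
# from different (RFC 5737 documentation) addresses, plus ordinary traffic.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:41012      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:41013      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:41014      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.6:52000       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.7:53000       ESTABLISHED'

# Read netstat lines on stdin; print "<local port> <half-open count>",
# busiest port first.
syn_recv_per_port() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, a, ":")       # the last field after ":" is the port,
            count[a[n]]++               # which also copes with IPv6 addresses
         }
         END { for (p in count) print p, count[p] }' | sort -k2,2nr -k1,1n
}

# Read the output of syn_recv_per_port and print only the ports whose
# half-open count exceeds $1. What counts as abnormal depends on the host's
# usual load; the point is that under attack the count is far above it.
ports_over_threshold() {
    awk -v limit="$1" '$2 > limit { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_per_port
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_per_port | ports_over_threshold 2
```

Run periodically from cron and compare against a baseline taken on a quiet day; a tool such as Argus gives the per-flow detail this summary count cannot.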


2. Continuing Linux Exploitations

We continue to see incidents in which Linux machines are the victims
of break-ins leading to root compromises. In many of these incidents,
the systems were misconfigured and/or the intruders exploited
well-known vulnerabilities for which CERT advisories have been
published.

If you are running Linux, we strongly urge you to keep up to date with
patches and security workarounds. We also recommend that you review

  ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

  http://bach.cis.temple.edu/linux/linux-security/


3. PHF Exploits

At least weekly, and often daily, we see reports of password files
being obtained illegally by intruders who have exploited a
vulnerability in the PHF cgi-bin script. The script is installed by
default with several implementations of httpd servers, and it contains
a weakness that allows intruders to retrieve the password file for the
machine running the httpd server. The vulnerability is described in

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

Once the intruders retrieve the password file, they may attempt to
crack the passwords found in the file. For information about
protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection
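
An added example, not part of the CERT Summary: two defender-side checks for the PHF problem described above. `phf_installed` asks whether a `phf` script is still present under the CGI directories you pass it, and `phf_requests` reports which clients have requested `/cgi-bin/phf` according to an httpd access log in Common Log Format. The log lines and the CGI directory paths are constructed for the example; substitute the directories your own httpd uses.

```sh
#!/bin/sh
# Added example (not from the CERT Summary): find out whether phf is still
# installed, and who has been asking for it.

# Constructed Common Log Format sample (client addresses from RFC 5737 ranges).
SAMPLE_ACCESS_LOG='198.51.100.7 - - [24/Sep/1996:17:24:25 -0400] "GET /cgi-bin/phf?Qname=x HTTP/1.0" 200 1472
203.0.113.5 - - [24/Sep/1996:17:25:01 -0400] "GET /index.html HTTP/1.0" 200 5123
198.51.100.7 - - [24/Sep/1996:17:25:10 -0400] "GET /cgi-bin/phf HTTP/1.0" 200 1472
203.0.113.9 - - [24/Sep/1996:17:26:44 -0400] "GET /cgi-bin/PHF HTTP/1.0" 404 231
203.0.113.5 - - [24/Sep/1996:17:27:02 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 200 611'

# Read CLF lines on stdin; print "<client> <count>" for every client that
# requested the phf script, most requests first. The path is compared
# case-insensitively and the query string is ignored. A 404 is reported
# too: a probe for phf tells you who is looking even if it failed.
phf_requests() {
    awk '{
            path = $7                      # CLF: $6 method, $7 path, $8 protocol
            sub(/[?].*/, "", path)         # drop the query string
            if (tolower(path) ~ /\/cgi-bin\/phf$/) hits[$1]++
         }
         END { for (c in hits) print c, hits[c] }' | sort -k2,2nr -k1,1
}

# Print the path of every regular file named "phf" directly under each CGI
# directory given as an argument; print nothing when none is found.
phf_installed() {
    for dir in "$@"; do
        [ -f "$dir/phf" ] && printf '%s\n' "$dir/phf"
    done
    return 0
}

# Stand-alone demonstration. The CGI directory names are assumptions; set
# CGI_DIRS to the directories your httpd actually serves scripts from.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | phf_requests
phf_installed ${CGI_DIRS:-/usr/local/etc/httpd/cgi-bin /usr/lib/cgi-bin}
```

If `phf_installed` prints anything, remove the script (the advisory's point is that it ships by default and few sites need it); if `phf_requests` prints a client that got a 200, treat the password file as disclosed and follow the passwd_file_protection tech tip.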


4. Software Piracy

We have received frequent reports regarding software piracy since the
last CERT Summary was issued. Although software piracy is beyond the
scope of the mission of the CERT Coordination Center, it is often
associated with compromised hosts or accounts because intruders
sometimes use compromised hosts to distribute pirated software. News
of illegal collections of software circulates quickly within the
underground community, which may focus unwanted attention on a site
used for software piracy.

We encourage you to periodically check your systems for signs of
software piracy. To learn more, please examine our relevant tech tips:

  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
  ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

To learn more about detecting and preventing security breaches, please see

  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
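
An added example, not part of the CERT Summary: a periodic audit of an anonymous FTP tree for the two conditions that make it usable as a drop point for pirated software, namely directories anyone can write to and directories whose names begin with a dot or a space and so do not show in a casual `ls`. The FTP root is a parameter; the sample tree built by `build_sample_tree` is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the CERT Summary): audit an anonymous FTP area.
# The three checks take the FTP root as $1; build_sample_tree constructs a
# small tree in a temporary directory so the script runs stand-alone.

# World-writable directories under $1 that lack the sticky bit: anyone can
# drop files there and anyone can rename or delete them, a classic warez drop.
writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable directories that do carry the sticky bit (mode 1733 is the
# usual deliberate "incoming" setup). Reported separately: expected, but
# their contents still deserve a periodic look.
sticky_incoming_dirs() {
    find "$1" -type d -perm -1002 2>/dev/null | sort
}

# Directories whose last path component begins with a dot or a space.
hidden_dirs() {
    find "$1" -type d \( -name '.*' -o -name ' *' \) 2>/dev/null | sort
}

# Build a constructed FTP tree in a fresh temporary directory and print its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pub/tools" "$root/incoming" "$root/pub/.hidden stash"
    chmod 755 "$root" "$root/pub" "$root/pub/tools"
    chmod 1733 "$root/incoming"            # deliberate drop box: sticky, write-only
    chmod 777 "$root/pub/.hidden stash"    # open to everyone and hidden: a red flag
    printf '%s\n' "$root"
}

# Stand-alone demonstration on the constructed tree.
ftp_root=$(build_sample_tree)
echo "== world-writable, not sticky =="; writable_dirs "$ftp_root"
echo "== sticky incoming =="; sticky_incoming_dirs "$ftp_root"
echo "== hidden names =="; hidden_dirs "$ftp_root"
rm -rf "$ftp_root"
```

Point the three functions at your real FTP root (for example `writable_dirs ~ftp`) from a nightly cron job and mail yourself any output; the anonymous_ftp_config tech tip covers the permissions the tree should have in the first place.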



- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (July 23,
1996).

* README Files Incorporated into Advisories

As of August 30, 1996, we no longer put advisory updates into README files. We
now revise the advisories themselves. In addition, we have updated past
advisories with information from their README files. We urge you to check
advisories regularly for updates that relate to your site.

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.14.rdist_vul
    CA-96.15.Solaris_KCMS_vul
    CA-96.16.Solaris_admintool_vul
    CA-96.17.Solaris_vold_vul
    CA-96.18.fm_fls
    CA-96.19.expreserve
    CA-96.20.sendmail_vul
    CA-96.21.tcp_syn_flooding

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.12.freebsd
    VB-96.13.hp
    VB-96.14.sgi
    VB-96.15.sco
    VB-96.16.transarc

ftp://info.cert.org/pub/latest_sw_versions

    swatch

ftp://info.cert.org/pub/tech_tips

    UNIX_configuration_guidelines       These replace the security_info file
    intruder_detection_checklist        (the CERT Security Checklist).
    security_tools

ftp://info.cert.org/pub/vendors/

    hp/HPSBUX9607-033                   Added Hewlett-Packard bulletin about a
                                        security vulnerability in expreserve.



* Updated Files

ftp://info.cert.org/pub/cert_advisories/

    CA-96.02.bind                       In the appendix, updated Sun
                                        Microsystems, Inc. patch information.
                                        In section I, added information about
                                        the next release of bind and the
                                        IsValid program.

    CA-96.08.pcnfsd                     Updated URL for IBM Corporation,
                                        updated Hewlett-Packard Company patch
                                        information, and modified NEC
                                        Corporation patch information.

    CA-96.09.rpc.statd                  Updated URL for IBM Corporation,
                                        removed a workaround for SunOS 4.x
                                        (patches now available), updated
                                        information on Hewlett-Packard
                                        Company, and added patch information
                                        for NEC Corporation. Also updated
                                        opening paragraph.

    CA-96.14.rdist_vul                  In Appendix A, added note under
                                        Silicon Graphics, Inc. about using the
                                        find command, updated the
                                        Hewlett-Packard Company entry, added
                                        information about Digital Equipment
                                        Corporation, and added an IBM
                                        Corporation URL.

    CA-96.15.Solaris_KCMS_vul           In Introduction, added information
                                        about Solaris 2.5.1.

    CA-96.18.fm_fls                     Added vendor information to Appendix A.
                                        Added Section III.B, which provides
                                        another possible solution to the
                                        problem.

    CA-96.19.expreserve                 In Appendix A, added information for
                                        Silicon Graphics Inc. and Sun
                                        Microsystems, Inc.

    CA-96.20.sendmail_vul               Added to Sec. III.B instructions on
                                        configuring sendmail at sites that use
                                        '&' in the gecos field of /etc/passwd.
                                        Added to Sec. III.C a note on uid for
                                        "mailnull" user. In the appendix, added
                                        information from FreeBSD, Inc. and
                                        Berkeley Software Design, Inc. (BSDI).

ftp://info.cert.org/pub/FIRST

    first-contacts

ftp://info.cert.org/pub/latest_sw_versions

    rdist-patch-status                  Updated information for
                                        Hewlett-Packard Company and NeXT
                                        Software, Inc. Updated
                                        rdist version information in
                                        Section II.G.
    sendmail


ftp://info.cert.org/pub/tech_tips

    root_compromise



- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30 a.m.-5:00 p.m. EST
                (GMT-5) / EDT (GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMkhCfHVP+x0t4w7BAQFR5gQAtYvbKLJAbTzfRizblM9mbl/4oLfnsqdQ
HcX8KKDNAtVd2DWKGEsq7U7v9w8KyzDtVpRFba8VSsVmpzixzxnbZSifwyfkcuX9
x2xbQ1SVWBjep399HkbYtS0Y3C0RdCo9p/uxdB5/GkZqD3NMdPoBvFf+j/H6376w
tDcheNKNobk=
=DZgd
-----END PGP SIGNATURE-----
