CIAC Bulletin F-23 2 of 2
daemon@ATHENA.MIT.EDU (Frank Swift at Home)
Fri May 12 04:44:09 1995
Date: Thu, 11 May 1995 18:54:32 -0700
To: ids@uow.edu.au, academic-firewalls@net.tamu.edu, firewalls-uk@gbnet.net
From: uncl@llnl.gov (Frank Swift at Home)
Reply-To: ids@uow.edu.au
Date: Thu, 11 May 1995 13:14:19 -0700
Errors-To: listmanager@cheetah.llnl.gov
Reply-To: fisher@bill.llnl.gov
Originator: ciac-bulletin@cheetah.llnl.gov
Sender: ciac-bulletin@cheetah.llnl.gov
Precedence: bulk
From: fisher@bill.llnl.gov (John M. Fisher)
To: uncl@llnl.gov
Subject: CIAC Bulletin F-23
X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas
is prompted for a password.
The rshd server has had one security-related defect. APAR IX45182
corrected a defect in which the "-l" option (used to control operation of
the server, and which disables host-based trust via /etc/hosts.equiv and
$HOME/.rhosts, as described below) did not work properly. This APAR was
first delivered in PTF U432655. This PTF should be applied to any system
which has been configured according to the instructions given below. This
problem does not exist on any release of AIX v4.
The rlogind server has had one significant security-related defect. APARs
IX44254 and IX44367 corrected a defect in which any network user was able
to gain access to the remote system as any user. These APARs were first
delivered in PTFs U431620 and U431622 respectively. Both of these PTFs or
their superseding PTFs should be installed on all systems. This problem
does not exist on any release of AIX v4.
Two significant enhancements have been made to the rshd server. APAR
IX45701 added a facility for restricting use of rshd and rexecd on a user
by user basis. This feature may be useful for critical system accounts
which might be subject to attack via a network connection. This APAR was
first delivered in PTF U434068. APAR IX48235 added additional auditing
capability. This feature may be useful when connecting to insecure
networks or when you are interested in monitoring rshd usage. A USER_Login
audit event will be created for each rshd invocation. This may be used in
conjunction with the TCPIP_access event to determine the local user and
remote hostname for each rshd and rexecd invocation. As of the writing of
this document this APAR has not been packaged into a PTF.
Both rshd and rlogind are subject to security violations related to
use of the /etc/hosts.equiv and $HOME/.rhosts files. This exposure can
be removed by adding the "-l" flag to the rshd and rlogind command
lines in /etc/inetd.conf. The following two lines are an example of how
you might do this.
shell stream tcp nowait root /etc/rshd rshd -l
login stream tcp nowait root /etc/rlogind rlogind -l
If you do not wish to grant remote network access to your system, you may
disable this facility entirely with lines similar to the following.
#shell stream tcp nowait root /etc/rshd rshd
#login stream tcp nowait root /etc/rlogind rlogind
Please refer to InfoExplorer for additional information on configuring
the /etc/inetd.conf file and the inetd daemon.
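The following script is an added example, not part of the IBM bulletin: it reads an inetd.conf and reports, for every rshd and rlogind entry, whether the service is commented out, enabled with "-l", or enabled while still honouring /etc/hosts.equiv and $HOME/.rhosts. The field layout assumed is the standard inetd.conf one (service, socket type, protocol, wait flag, user, server path, argv[0], flags); the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the IBM/CIAC bulletin: audit an inetd.conf
# for rshd/rlogind entries that are enabled without the "-l" flag.
# Field layout assumed (standard inetd.conf): service, socket type,
# protocol, wait/nowait, user, server path, argv[0], then flags.

# Print one line per rshd/rlogind entry: "<service> <state>", where state
# is disabled (commented out), restricted (enabled with -l) or
# open-trust (enabled, .rhosts/hosts.equiv still honoured).
audit_inetd() {
    awk '
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            sub(/^#[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 7) next                       # not a full service entry
            svc = f[1]; prog = f[6]
            if (prog !~ /(^|\/)(rshd|rlogind)$/) next
            if (commented) { print svc " disabled"; next }
            restricted = 0
            for (i = 8; i <= n; i++) if (f[i] == "-l") restricted = 1
            print svc (restricted ? " restricted" : " open-trust")
        }
    ' "$1"
}

# Exit 0 if any rshd/rlogind entry still honours .rhosts/hosts.equiv.
has_open_trust() {
    audit_inetd "$1" | grep -q ' open-trust$'
}

# Write a constructed sample inetd.conf (sample data, not a real system's).
# It contains a commented-out old entry, a restricted entry and an open one.
sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp     nowait  root    /etc/ftpd       ftpd
#shell  stream  tcp     nowait  root    /etc/rshd       rshd
shell   stream  tcp     nowait  root    /etc/rshd       rshd -l
login   stream  tcp     nowait  root    /etc/rlogind    rlogind
EOF
}

# Usage: sh audit_inetd.sh [/etc/inetd.conf]
conf="${1:-/etc/inetd.conf}"
if [ -r "$conf" ]; then
    audit_inetd "$conf"
    has_open_trust "$conf" && echo "WARNING: host-based trust still enabled in $conf"
fi
```

On the sample the audit prints "shell disabled", "shell restricted" and "login open-trust", and the warning fires because of the rlogind line. Remember that inetd only picks up changes to /etc/inetd.conf after it is told to re-read the file (refresh -s inetd on AIX).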
Should you choose to enable rshd and/or rlogind, the use of the
/etc/hosts.equiv and $HOME/.rhosts files makes the security of the
servers depend on the accuracy of the information in those files and of
the host name and address information the servers consult. Errors in
either file and spoofing of host addresses or names are common causes
of security exposures. When the network is not secure or trustworthy,
consider disabling these services for some or all users or enabling the
auditing subsystem to track possible attacks. You may also wish to
consider use of a firewall or some other form of packet filter to
restrict access to trustworthy hosts or networks.
InfoExplorer describes the proper configuration of the /etc/hosts.equiv
file. As a general rule, grant access to specific users and specific
hosts. You should monitor the existence of .rhosts files and ensure that
users are educated about their proper use.
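The script below is an added example, not from the bulletin, of the monitoring just recommended: it flags wildcard entries in /etc/hosts.equiv and in every $HOME/.rhosts under a directory, and .rhosts files that other users could edit. It assumes the usual "host [user]" entry format, where "+" as the host means any host and "+" as the user means any user. One caveat it also checks for: in /etc/hosts.equiv (unlike .rhosts), a line naming a user lets that remote user log in as any local account except root, which is rarely what the administrator intended. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bulletin: audit /etc/hosts.equiv and
# $HOME/.rhosts files for wildcard trust and for .rhosts files that other
# users could edit. Entry format assumed: "host [user]", where "+" as the
# host means any host and "+" as the user means any user on that host.

# Print one line per risky entry in one trust file.
audit_trust_file() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        {
            host = $1
            user = (NF >= 2) ? $2 : ""
            if (host == "+" && user == "+")
                print f ": any user from any host may log in (" $0 ")"
            else if (host == "+")
                print f ": any host trusted (" $0 ")"
            else if (user == "+")
                print f ": any user on " host " accepted (" $0 ")"
            else if (user != "" && f ~ /hosts\.equiv$/) {
                # a user field in hosts.equiv admits that remote user to
                # every local account except root
                print f ": user " user " on " host " may log in as any local account (" $0 ")"
            }
        }
    ' "$1"
}

# Report wildcard entries in, and weak permissions on, every .rhosts under
# a home directory root.
audit_rhosts_tree() {
    find "$1" -type f -name .rhosts | sort | while read -r rh; do
        audit_trust_file "$rh"
        if [ -n "$(find "$rh" \( -perm -020 -o -perm -002 \))" ]; then
            echo "$rh: writable by group or others"
        fi
    done
}

# Build a constructed sample tree (sample data, not from any real system).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob"
    printf '%s\n' '# trusted build host' 'build.example.com' \
        'build.example.com deploy' '+' > "$root/etc/hosts.equiv"
    printf '%s\n' 'build.example.com alice' > "$root/home/alice/.rhosts"
    printf '%s\n' '+ +' > "$root/home/bob/.rhosts"
    chmod 644 "$root/home/alice/.rhosts"
    chmod 666 "$root/home/bob/.rhosts"
}

# Usage on a real system:
#   audit_trust_file /etc/hosts.equiv
#   audit_rhosts_tree /home
```

On the sample, alice's file (one named host, one named user, mode 644) produces nothing; hosts.equiv is flagged for the "deploy" user entry and the bare "+", and bob's "+ +" file is flagged twice, once for its content and once for being world-writable.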
The telnet service may be more appropriate in an unsecured network
environment, as it does not support host-based pre-authentication of users
(every login requires a password). Note that telnet still transmits that
password in cleartext across the network.
CERT advisory CA-94:09 was released on May 23, 1994 describing the security
exposure in the rlogin service.
Use the following AIX command to determine whether you have applied one of
these PTFs (substitute the PTF number for U43xxxx):
$ lslpp -al U43xxxx
..........................................................................
9. Unrestricted X server access
..........................................................................
In 1993 CERT issued advisory CA-93:17 which documented an xterm vulnerability
in X11R5 and earlier versions of X11. This problem was resolved by the
following APARs:
aixterm X11R4 : ix34738 - resolved by PTFs U417488 and U419246
aixterm X11R5 : ix40275 - resolved by PTF U425631
xterm X11R4 : ix40279 - resolved by PTFs U425255 and U425228
xterm X11R5 : resolved by U493250 (3.2.5 Gold)
Use the following AIX command to determine whether you have applied these
PTFs (substitute each PTF number for U4xxxxx):
$ lslpp -al U4xxxxx
If you are using AIX 3.2, please make sure you have all these
PTFs applied to avoid potential security problems. These fixes
are shipped as part of the GOLD version of AIX 4.1. Because of X11's design,
an X server can be accessed by any other host on the network unless access
control is enabled. If you are on the Internet, your display can be accessed
by any machine in the world. X11 security issues for AIX are similar to the
X11 security problems facing other X11 vendors. It is difficult to make X
completely secure. However, there are access control mechanisms which can be
put in place to help make your environment more secure. You should never use
the "xhost +" command, because it enables any remote user to read and write
screen information and to capture keyboard input. Please remove all "xhost +"
commands from any file or program on your system. For a tool that limits X
access to holders of a per-session secret rather than to whole hosts, see
/usr/bin/xauth.
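The following is an added example, not part of the bulletin, of the search for "xhost +" just recommended. It scans startup and X session files and reports only commands that pass a bare "+" to xhost, which is the form that disables access control for every host; "xhost +hostname" adds a single host and is not flagged, while "xhost + hostname" still contains a bare "+" and is. The sample .xsession it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bulletin: find shell-startup or X session
# lines that run xhost with a bare "+", which turns access control off
# for every host. "xhost +hostname" only adds one host and is not flagged;
# "xhost + hostname" still contains a bare "+" and is flagged.

# Print "file:line: text" for each offending command in the given files.
find_open_xhost() {
    awk '
        {
            text = $0
            sub(/#.*$/, "", text)                          # drop comments
            if (!match(text, /(^|[ \t;&|(])xhost([ \t]|$)/)) next
            rest = substr(text, RSTART)
            sub(/^[ \t;&|(]*xhost/, "", rest)              # keep only the arguments
            sub(/[;&|].*$/, "", rest)                      # stop at the next command
            n = split(rest, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "+") { print FILENAME ":" FNR ": " $0; break }
        }
    ' "$@"
}

# Write a constructed sample .xsession (sample data, not a real file).
sample_xsession() {
    cat > "$1" <<'EOF'
xhost +
xhost +build.example.com
xhost + build.example.com
# xhost +
xhost -
EOF
}

# Usage on a real system, e.g.:
#   find_open_xhost /etc/profile "$HOME"/.profile "$HOME"/.xsession "$HOME"/.xinitrc
```

On the sample file only lines 1 and 3 are reported; the scoped "xhost +build.example.com", the commented-out line and "xhost -" are left alone. Replace the flagged lines with xauth-based access (the server and client share the cookie in the user's .Xauthority) rather than with a narrower xhost list, since xhost still trusts every user on the named host.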
The best source of information on securing X is: O'Reilly & Associates, Inc.,
"X Window System Administrator's Guide", specifically chapter 4, which goes
into detail about X security. The discussion in this chapter applies to the
AIX environment. In addition, the Common Desktop Environment (CDE) interface
available on AIX 4.1 uses the XDMCP protocol discussed in that chapter.
..........................................................................
10. Writable FTP home directory
..........................................................................
In 1992, CERT issued advisory CA-92:09 about an AIX Anonymous FTP
Vulnerability. This problem was resolved by apar ix23944, which
was included in the GOLD release of AIX 3.2. Thus, AIX 3.2 and 4.1 systems
are not vulnerable to this problem. The original problem was discovered
on AIX 3.1. If you are running AIX 3.1, please update to the latest
release of 3.1, which resolves this problem.
The following information can be very helpful:
- The ftpd man page has explicit instructions for securely
configuring your anonymous FTP user and subtree.
- The /usr/lpp/samples/tcpip/anon.ftp file can be used to securely
set up your anonymous account. (/usr/samples/tcpip/anon.ftp in AIX 4.1)
- The CERT tip found at ftp://info.cert.org/tech_tips/anonymous_ftp
contains applicable information.
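As an added example, not part of the bulletin, the function below performs the one check this section is named for: that the anonymous FTP home directory cannot be written to by the anonymous user. It assumes the directory should be owned by the uid given as the second argument (0 for root, never the ftp account) and carry no group or world write bit, which is the layout the ftpd man page and the CERT tip describe; consult them for the rules on the bin, etc and pub subdirectories, which this function does not cover.

```shell
#!/bin/sh
# Added example, not part of the bulletin: check that an anonymous FTP
# home directory cannot be written to by the anonymous user. Assumption:
# the directory should be owned by the uid passed as the second argument
# (0 for root, never the ftp account) and carry no group or world write bit.

# check_ftp_home DIR EXPECTED_UID
# Exit 0 when the directory passes, 1 (with reasons printed) when it fails.
check_ftp_home() {
    home="$1"; want_uid="$2"
    set -- $(ls -ldn "$home")      # mode links uid gid ...
    mode="$1"; uid="$3"
    ok=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$home: owned by uid $uid, expected $want_uid"; ok=1
    fi
    case "$mode" in                # 6th character is the group write bit
        ?????w*)    echo "$home: group-writable ($mode)"; ok=1 ;;
    esac
    case "$mode" in                # 9th character is the world write bit
        ????????w*) echo "$home: world-writable ($mode)"; ok=1 ;;
    esac
    return $ok
}

# Usage: check the home directory recorded for the ftp account in /etc/passwd
#   check_ftp_home "$(grep '^ftp:' /etc/passwd | cut -d: -f6)" 0
```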
..........................................................................
11. wu-ftpd vulnerability
..........................................................................
This problem only affects users running the wuarchive-ftpd.
If you do not have this modified version of ftpd, then you are
not vulnerable to this specific attack. If you are running the
wuarchive-ftpd, and your version is dated prior to April 8, 1993,
please take corrective action or remove this daemon.
You can obtain more information about this service via anonymous ftp
from wuarchive.wustl.edu (128.252.135.4).
This service is NOT distributed with AIX.
..........................................................................
III. More information on AIX security
..........................................................................
We publish an AIX security newsletter that is updated whenever
we have security information that affects AIX users.
To subscribe to the newsletter:
mail -s "subscribe security" aixserv@austin.ibm.com < /dev/null
If you have comments or questions about AIX security, or you
would like to notify us of a potential problem, please send mail
to security@austin.ibm.com.
To order an APAR from IBM in the U.S. call 1-800-237-5511.
APARs may be obtained outside the U.S. by contacting a
local IBM representative.
[End of IBM AIX Bulletin]
CIAC recently released the CIAC Notes 07 article (April 5, 1995), which is devoted to
SATAN. The article was based on beta-releases of SATAN and is applicable to the
current version 1.0 release of SATAN. There were no major operational changes
between the latest beta release and the current version 1.0 public release. By
configuring a system correctly, installing all the latest patches, and monitoring
system usage, most of SATAN's techniques can be countered, or at a minimum
detected. Unfortunately, complete protection from SATAN is difficult. Most of the
vulnerabilities it looks for are easily addressable, but some do not yet have
satisfactory solutions.
CIAC has recently written a program, called Courtney, to detect SATAN and other
similar tools. Courtney monitors connections to the ports probed by SATAN and,
when a SATAN scan takes place, reports the offending host.
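The script below is an added example and is not Courtney's own code: it shows the kind of signal such a monitor keys on, a single source contacting many distinct service ports in a short span. It assumes the input has already been reduced to one line per connection attempt, "epoch_seconds source_ip destination_port", sorted by time, as a packet filter or tcp wrapper log could be; the threshold and window are parameters, and the log it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Courtney's own code: flag a source that contacts many
# distinct service ports within a short window, the pattern a SATAN sweep
# produces. Input assumed: one line per connection attempt,
# "epoch_seconds source_ip dest_port", sorted by time.

# detect_probers THRESHOLD WINDOW_SECONDS < log
# Prints "time source probed N distinct ports within Ws" the first time a
# source reaches THRESHOLD distinct ports inside any WINDOW_SECONDS span.
detect_probers() {
    awk -v thr="$1" -v win="$2" '
        {
            t = $1; src = $2; port = $3
            if ((src, port) in first) next        # only the first contact per port counts
            first[src, port] = t
            n[src]++; times[src, n[src]] = t
            c = 0
            for (i = 1; i <= n[src]; i++)         # distinct ports first seen in the window
                if (times[src, i] >= t - win) c++
            if (c >= thr && !(src in flagged)) {
                flagged[src] = 1
                print t " " src " probed " c " distinct ports within " win "s"
            }
        }
    '
}

# Constructed sample log (not captured traffic): one host sweeping ports
# SATAN looks at (ftp, telnet, smtp, finger, sunrpc, rlogin, rsh, X11),
# another just using mail and telnet.
SAMPLE_LOG='1000 10.1.1.5 21
1001 10.1.1.5 23
1001 10.1.1.5 25
1002 10.1.1.5 79
1002 10.1.1.5 111
1003 10.1.1.5 513
1003 10.1.1.5 514
1004 10.1.1.5 6000
1500 10.2.2.9 25
1501 10.2.2.9 25
1502 10.2.2.9 23
1503 10.2.2.9 21'

# Example run: flag anything that hits 6 or more ports within 10 seconds.
printf '%s\n' "$SAMPLE_LOG" | detect_probers 6 10
```

On the sample, 10.1.1.5 is reported at time 1003, when its sixth distinct port is touched, and 10.2.2.9 is never reported because repeat connections to the same port do not count. A real sweep can be spread over a longer window than this to stay under a fixed threshold, which is why the threshold and window should be tuned to the site rather than taken from the example.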
CIAC has also made available the current release of SATAN.
SATAN is made up of HyperText Markup Language (HTML) documents, C code, and Perl
scripts which generate HTML code dynamically. It requires an HTML viewer (Mosaic,
Netscape, or Lynx), a C compiler, and PERL version 5. The user simply interacts with
a WWW client, entering necessary data into forms. The control panel for SATAN
provides four hypertext options: Target Selection, Reporting & Data Analysis,
Documentation, and Configuration & Administration.
Refer to CIAC Notes 7 for an in-depth look at SATAN.
________________________________________________________________________________
CIAC wishes to thank Randy S. Greenberg of IBM for their response to this
problem.
________________________________________________________________________________
CIAC is the computer security incident response team for the U.S. Department of
Energy. Services are available free of charge to DOE and DOE contractors.
For emergencies and off-hour assistance, DOE and DOE contractor sites can contact
CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. To use this
service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN
number, 8550070 is for the CIAC duty person. A second PIN, 8550074 is for the CIAC
Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is
510-423-2604. Send E-mail to ciac@llnl.gov.
Previous CIAC notices, anti-virus software, and other information are available on
the CIAC Bulletin Board and the CIAC Anonymous FTP server. The CIAC Bulletin Board
is accessed at 1200 or 2400 baud at 510-423-4753 and 9600 baud at 510-423-3331. The
CIAC Anonymous FTP server is available on the Internet at ciac.llnl.gov (IP address
128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE, and SPI-NOTES. To subscribe (add yourself)
to one of our mailing lists, send requests of the following form to
ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
ATTENTION!! CIAC now has a web server at http://ciac.llnl.gov.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the University
of California, and shall not be used for advertising or product endorsement
purposes.
CIAC BULLETINS ISSUED IN FY95 (Previous bulletins available from CIAC)
(F-01) SGI IRIX serial_ports Vulnerability
(F-02) Summary of HP Security Bulletins
(F-03) Restricted Distribution
(F-04) Security Vulnerabilities in DECnet/OSI for OpenVMS
(F-05) SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available
(F-06) Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
(F-07) New and Revised HP Bulletins
(F-08) Internet Address Spoofing and Hijacked Session Attacks
(F-09) Unix /bin/mail Vulnerabilities
(F-10) HP-UX Remote Watch
(F-11) Unix NCSA httpd Vulnerability
(F-12) Kerberos Telnet Encryption Vulnerability
(F-13) Unix sendmail vulnerabilities
(F-14) HP-UX Malicious Code Sequences
(F-15) HP-UX "at" and "cron" vulnerabilities
(F-16) SGI IRIX Desktop Permissions Tool Vulnerability
(F-17) Limited Distribution
(F-18) MPE/iX Vulnerabilities
(F-19) Protecting HP-UX Systems Against SATAN
(F-20) Security Administrator Tool for Analyzing Networks (SATAN)
(F-21) Protecting SUN OS Systems Against SATAN
(F-22) SATAN Password Disclosure
CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
04c December 8, 1994
05d January 11, 1995
06 March 22, 1995
07 March 29, 1995
08 April 4, 1995
09 April 24, 1995
Frank Swift L-321 (Sent from Home)
Unclassified Computer Security Coordinator
Lawrence Livermore National Laboratory (LLNL)
7000 East Avenue L-321 Livermore CA 94550-9516
Voice: (510) 422-1463 FAX: (510) 423-0913