[61] in Intrusion Detection Systems


CIAC BULLETIN F-19 (2/2)

daemon@ATHENA.MIT.EDU (Frank Swift (510-422-1463))
Wed Apr 5 20:43:36 1995

Date: Wed, 5 Apr 1995 11:21:26 -0700
To: ids@uow.edu.au
From: uncl@llnl.gov (Frank Swift (510-422-1463))
Reply-To: ids@uow.edu.au

Date: Wed, 5 Apr 1995 09:19:24 -0700
Errors-To: listmanager@cheetah.llnl.gov
Reply-To: ssparks@llnl.gov
Originator: ciac-bulletin@cheetah.llnl.gov
Sender: ciac-bulletin@cheetah.llnl.gov
Precedence: bulk
From: ssparks@llnl.gov (Sandy Sparks)
To: uncl@llnl.gov
Subject: CIAC BULLETIN F-19
X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas

+<hostname>" where <hostname> is the name of a host.

Client-side authentication is also available in the xauth authority file
utility, which uses the MIT-MAGIC-COOKIE-1 protocol.


K. NTP vulnerabilities and HP-DCE/9000

1. The Problem

When Satan is run to analyze the vulnerabilities of an HP-UX system
whose time is synchronized by NTP, the time of the system can be set
forward by several years. This vulnerability can affect DCE cells that
use NTP as a time source, either with the dts_ntp_provider or with the
dts_null_provider running on an NTP client. In this event, the Cell
Directory Service (CDS) can become locked at this future date, rendering
the DCE cell inoperable.

2. Fixing the Problem

Hewlett-Packard recommends you configure your HP-DCE/9000 systems to use
either the dts_spectracom_provider or to use the dts_null_provider
without NTP. Further information on how to use NTP in conjunction with
DTS is available from your HP support contact.


.......................................................................

II. Additional Advice on Network Security

SATAN is quite extensible, so it is probable that these issues will
become important during the impending growth of the program.


A. Fingerd

Running fingerd can allow outsiders to find login names (finger
@system.domain), helping them to build up information on users.

1. The problem

The default setting for fingerd in the /etc/inetd.conf file is as
follows:

#finger stream tcp nowait bin /etc/fingerd fingerd

If you uncomment this line to enable fingerd, an intruder can use this
program to discover user information on your system.

2. Fixing the problem

This vulnerability can easily be closed by adding access control to
/usr/adm/inetd.sec for this service, such as the following line:

finger allow 10.3-5 192.34.56.5 ahost anetwork


B. Inetd and /usr/adm/inetd.sec

The two important functions of a TCP wrapper program are connection
logging and access control.

1. /usr/adm/inetd.sec

Use inetd.sec to list which outside hosts and networks are permitted to
use services.

When inetd accepts a connection from a remote system, it checks the
address of the host requesting the service against the list of hosts to
be allowed or denied access to the specific service (see inetd(1M)). The
file inetd.sec allows the system administrator to control which hosts
(or networks in general) are allowed to use the system remotely. This
file constitutes an extra layer of security in addition to the normal
checks done by the services, and it is applied before the server's own
checks: a server is not started by the Internet daemon unless the host
requesting the service is permitted by inetd.sec.

2. Inetd logging

Be sure to start inetd with logging turned on (inetd -l) by modifying
the /etc/netlinkrc line for inetd from:

[ -x /etc/inetd ] && /etc/inetd && /bin/echo "inetd \c"

to be:

[ -x /etc/inetd ] && /etc/inetd -l && /bin/echo "inetd \c"


C. Passwords

If you ftp or telnet or rlogin across an insecure network, your password
has traveled cleartext across networks which might be traced by
sniffers. Change your password as soon as possible.


D. Message Off

Execute 'mesg n' in each user's shell rc script (.kshrc, .cshrc, or
.shrc, etc.) so that the user's terminal is not world writable; otherwise
any local user can write to it.


E. Denial of Service Attacks

Denial of service attacks are always possible: the best way to deal with
this is to react to intrusions by adding intruder source hosts/networks
into the DENY listings in the inetd.sec. There is no proactive way to
avoid this without disabling networking altogether.


F. IP Spoofing

Many of the above attacks can be combined with IP spoofing to allow
false IP authentication to occur. Configure firewall routers to prevent
externally initiated connections, as described in the recent CERT
bulletin (CA-95:01).


G. RIP Updates

Gated can be configured to only listen to routing updates from trusted
gateways on all versions of HP-UX. By default, gated would listen to
routing updates from any source; this offers the potential for abuse.

1. HP-UX 8.x: Gated 1.9
Gated.conf can be modified to permit only certain sources of routing
information:

trustedripgateways gateway [ gateway ] ...
trustedhellogateways gateway [ gateway ] ...

When these clauses are specified, gated will only listen to RIP or HELLO
information respectively from these RIP or HELLO gateways.

2. HP-UX 9.x: Gated 2.1

Gated.conf can also be modified to permit certain sources of routing
information. For distance vector IGPs (RIP and HELLO) and redirects
(ICMP), the trustedgateways clause supplies a list of gateways providing
valid routing information; routing packets from others are ignored. This
defaults to all gateways on the attached networks.

See the man page on your system for more details.


H. Controlling Root Access

The file /etc/securetty can be used to control who can login to a system
as root. By creating a file of this name containing the text "console",
users of the system can only login as root by being at the console of
the machine. See the man page for login(1) for more details.


I. DNS Searchlist / RFC 1535

By default, a hostname lookup using the DNS resolver will proceed by
appending the current domain to the hostname, attempting a lookup, and
on failure, remove the leftmost part of the current domain, and retry.
RFC 1535 mentions that there are possible attacks on this approach.
All current versions of HP-UX use this behavior as default.

This behavior can be modified by using a "search" keyword in the
/etc/resolv.conf file to specify the exact domain search procedure.
(such as "search cup.hp.com hp.com")
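
The following is an added example, not code from HP or from the bulletin,
that makes the RFC 1535 point concrete: it builds the implicit search list
the bulletin describes (drop the leftmost label of the local domain and retry)
and compares it with an explicit "search" line. Assumptions not stated on the
page: a name ending in "." is tried as written, the bare name is tried after the
search list is exhausted, and the implicit list is stripped all the way down to
the top-level label. The resolv.conf content is constructed for the example.

```python
"""Which names the resolver queries under an implicit search list versus an
explicit "search" line; added example, not HP or BIND code."""
from typing import List, Optional


def implicit_search_list(local_domain: str) -> List[str]:
    """Default behaviour: the local domain, then each parent obtained by
    dropping the leftmost label (assumed to continue down to the TLD)."""
    labels = local_domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def explicit_search_list(resolv_conf: str) -> Optional[List[str]]:
    """Domains from a 'search' line, or None if the file has no such line."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "search":
            return parts[1:]
    return None


def lookup_candidates(name: str, search_list: List[str]) -> List[str]:
    """Names tried, in order, when `name` is looked up under search_list."""
    if name.endswith("."):            # fully qualified: tried as written
        return [name.rstrip(".")]
    return [f"{name}.{domain}" for domain in search_list] + [name]


def risky_candidates(name: str, search_list: List[str]) -> List[str]:
    """Queries that land directly under a bare top-level label. Whoever
    registers the matching second-level name there (e.g. a wildcard zone)
    answers them, which is the hijack RFC 1535 warns about."""
    return [f"{name}.{domain}" for domain in search_list if "." not in domain]


# Constructed sample /etc/resolv.conf using the search line the bulletin suggests.
SAMPLE_RESOLV_CONF = """\
search cup.hp.com hp.com
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    implicit = implicit_search_list("cup.hp.com")
    explicit = explicit_search_list(SAMPLE_RESOLV_CONF) or implicit
    for label, lst in (("implicit", implicit), ("explicit", explicit)):
        print(label, lookup_candidates("ftp.foo.edu", lst),
              "risky:", risky_candidates("ftp.foo.edu", lst))
```

With the implicit list, a lookup of ftp.foo.edu from cup.hp.com is tried as
ftp.foo.edu.cup.hp.com, ftp.foo.edu.hp.com and ftp.foo.edu.com before the name
itself; the explicit search line never generates the third query.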


J. Vulnerability in rusersd configuration

1. The problem

The default setting for rusersd in the /etc/inetd.conf file is as
follows:

#rpc dgram udp wait root /usr/etc/rpc.rusersd 100002 1-2 rpc.rusersd

If you uncomment this line to enable rusersd, an intruder can use this
program to discover user account names on your system. Although this
information is of marginal significance, it does add to the intruder's
list of information about your system.

2. Fixing the problem

This vulnerability can easily be closed by adding access control to
inetd.sec for this service, such as the following line:

rusersd allow 10.3-5 192.34.56.5 ahost anetwork

Then modify the inetd.conf line to add the "-e" option. This option
causes the rpc.rusersd program to exit after serving each RPC request.

rpc dgram udp wait root /usr/etc/rpc.rusersd 100002 1-2 rpc.rusersd -e


K. Bootpd

1. The problem

A bootp request from a client is sent to an inetd server which returns
information on a boot file. Although this information is of marginal
significance, it does add to the intruder's list of information about
your system.

2. Fixing the problem

The exposure to this vulnerability can be minimized by only starting
bootpd from inetd (and NOT as a standalone program from /etc/netbsdsrc
with the "-s" option) and using /usr/adm/inetd.sec to control access to
this service. Adding a line such as:

bootps allow 10.3-5 192.34.56.5 ahost anetwork

to /usr/adm/inetd.sec will only allow the specified hosts and networks
to make bootp requests.

Then modify the inetd.conf line to add a small timeout, say one minute.
This means that after a client has made a bootp request, the bootpd will
exit after one minute. Modify the /etc/inetd.conf line to add the
-t<timeout in minutes> option:

bootps  dgram udp wait root /etc/bootpd bootpd -t1
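
The following is an added example, not HP code, that evaluates inetd.sec
entries of the kind shown for finger, rusersd and bootps above, so that an
administrator can check what a given line actually admits before relying on it.
It implements the documented line shape "<service> allow|deny <address or
hostname> ...", where an address may be a prefix such as "10.3", use "*" for
an octet, or give a range such as "10.3-5". Assumptions not stated on the page:
a service with no line is open to all hosts, the last line for a service wins,
and hostnames match case-insensitively against the caller's resolved name. The
sample file is constructed; its three allow lines are the ones from the bulletin.

```python
"""Evaluate HP-UX inetd.sec-style access control for a connecting host.
Added example, not HP code."""
from typing import Dict, List, Optional, Tuple

# Constructed sample /usr/adm/inetd.sec.
SAMPLE_INETD_SEC = """\
# allow lines as given in the bulletin, plus a deny line for contrast
finger  allow 10.3-5 192.34.56.5 ahost anetwork
rusersd allow 10.3-5 192.34.56.5 ahost anetwork
bootps  allow 10.3-5 192.34.56.5 ahost anetwork
telnet  deny  192.0.2.*
"""

Rules = Dict[str, Tuple[str, List[str]]]


def parse_inetd_sec(text: str) -> Rules:
    """Map service name -> (action, patterns). '#' starts a comment."""
    rules: Rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"malformed inetd.sec line: {raw!r}")
        rules[parts[0]] = (parts[1], parts[2:])   # assumption: last line wins
    return rules


def _is_address_pattern(token: str) -> bool:
    # Address patterns use only digits, '.', '*' and '-'; anything else is a name.
    return all(c in "0123456789.*-" for c in token)


def _octet_matches(pattern: str, value: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value


def address_matches(pattern: str, ip: str) -> bool:
    """True if dotted-quad ip lies inside pattern; octets the pattern leaves
    unspecified match anything, so "10.3-5" covers 10.3.0.0 through 10.5.255.255."""
    pats = pattern.split(".")
    octets = ip.split(".")
    if len(pats) > 4 or len(octets) != 4:
        return False
    return all(_octet_matches(p, int(o)) for p, o in zip(pats, octets))


def is_permitted(rules: Rules, service: str, ip: str,
                 hostname: Optional[str] = None) -> bool:
    """The decision inetd makes before it starts the server for this request."""
    if service not in rules:
        return True                      # assumption: no line means no restriction
    action, patterns = rules[service]
    hit = False
    for pat in patterns:
        if _is_address_pattern(pat):
            hit = address_matches(pat, ip)
        else:
            hit = hostname is not None and pat.lower() == hostname.lower()
        if hit:
            break
    return hit if action == "allow" else not hit


def unprotected_services(rules: Rules, enabled: List[str]) -> List[str]:
    """Services enabled in inetd.conf that inetd.sec does not mention at all."""
    return [s for s in enabled if s not in rules]


if __name__ == "__main__":
    rules = parse_inetd_sec(SAMPLE_INETD_SEC)
    for svc, ip, host in [("finger", "10.4.7.1", None), ("finger", "10.6.0.1", None),
                          ("finger", "172.16.0.9", "ahost"), ("telnet", "192.0.2.77", None)]:
        verdict = "allow" if is_permitted(rules, svc, ip, host) else "deny"
        print(f"{svc:8} {ip:15} {host or '-':8} -> {verdict}")
    print("unprotected:", unprotected_services(rules, ["finger", "ftp", "telnet"]))
```

The unprotected_services check is the one worth running after editing
inetd.conf: every service you uncomment there and leave out of inetd.sec is
reachable from any host.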


.......................................................................

III. HP-UX Patch Information

Hewlett-Packard recommends that all customers concerned with the
security of their HP-UX systems apply the appropriate patches or perform
the actions described above as soon as possible.

Since the first HP Security Bulletin in November, 1993, Hewlett-Packard
has issued 25 HP-UX security bulletins. A patch matrix showing all the
patches referenced in these bulletins is available from HPSL (see
instructions in Section IV.) In addition to these patches, a number of
other patches related to security were released before November 1993.
Customers are advised to consult the patch catalog and install all
applicable patches (security and otherwise) to ensure that their systems
are protected. If this is not possible, customers should consider
upgrading to the latest current HP-UX release.

How to Install the Patches (for HP-UX 8.x and 9.x)

1. Determine which patch is appropriate for your hardware platform
and operating system, as mentioned above.

2. Hewlett Packard's HP-UX patches are available via email
and World Wide Web

To obtain a copy of the HP SupportLine email service user's guide, send
the following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

send guide

The user's guide explains the process for downloading HP-UX patches via
email and other services available.

World Wide Web service for downloading of patches is available via our
URL:

http://support.mayfield.hp.com


3. Apply the patch to your HP-UX system.

4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done as follows:

a. At the shell prompt, type "tail -60 /tmp/update.log | more"
b. Page through the next three screens via the space bar, looking
   for WARNING or ERROR messages.


.......................................................................

IV. HP SupportLine and HP Security Bulletins

To subscribe to automatically receive future NEW HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send an email
message to:

support@support.mayfield.hp.com (no Subject is required)

Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE.
Here are some basic instructions you may want to use:

To add your name to the subscription list for new security bulletins,
send the following in the TEXT PORTION OF THE MESSAGE:

subscribe security_info

To retrieve the index of all HP Security Bulletins issued to date, send
the following in the TEXT PORTION OF THE MESSAGE:

send security_info_list

To get a patch matrix of current HP-UX and BLS security patches
referenced by either Security Bulletin or Platform/OS, put the following
in the text portion of your message:

send hp-ux_patch_matrix

World Wide Web service for browsing of bulletins is available via our
URL:

http://support.mayfield.hp.com

Choose "Support news", then under Support news, choose "Security
Bulletins"


.......................................................................

V. To report new security vulnerabilities, send email to

security-alert@hp.com

______________________________________________________________________

[End HP Bulletin]

______________________________________________________________________


CIAC is the computer security incident response team for the U.S.
Department of Energy. Services are available free of charge to DOE and
DOE contractors.

For emergencies and off-hour assistance, DOE and DOE contractor sites
can contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE
number. To use this service, dial 1-510-422-8193 or 1-800-759-7243
(SKYPAGE). The primary SKYPAGE PIN number, 8550070 is for the CIAC duty
person. A second PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX
number is 510-423-8002, and the STU-III number is 510-423-2604. Send
E-mail to ciac@llnl.gov.

Previous CIAC notices, anti-virus software, and other information are
available on the CIAC Bulletin Board and the CIAC Anonymous FTP server.
The CIAC Bulletin Board is accessed at 1200 or 2400 baud at 510-423-4753
and 9600 baud at 510-423-3331. The CIAC Anonymous FTP server
is available on the Internet at ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic
publications: CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE, and SPI-NOTES. To
subscribe (add yourself) to one of our mailing lists, send requests of
the following form to ciac-listproc@llnl.gov:

        subscribe list-name  LastName, FirstName PhoneNumber

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

ATTENTION!! CIAC now has a web server at http://ciac.llnl.gov.

______________________________________________________________________

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

CIAC BULLETINS ISSUED IN FY95 (Previous bulletins available from CIAC)
(F-01)  SGI IRIX serial_ports Vulnerability
(F-02)  Summary of HP Security Bulletins
(F-03)  Restricted Distribution
(F-04)  Security Vulnerabilities in DECnet/OSI for OpenVMS
(F-05)  SCO Unix at, login, prwarn, sadc, and pt_chmod Patches
           Available
(F-06)  Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
(F-07)  New and Revised HP Bulletins
(F-08)  Internet Address Spoofing and Hijacked Session Attacks
(F-09)  Unix /bin/mail Vulnerabilities
(F-10)  HP-UX Remote Watch
(F-11)  Unix NCSA httpd Vulnerability
(F-12)  Kerberos Telnet Encryption Vulnerability
(F-13)  Unix sendmail vulnerabilities
(F-14)  HP-UX Malicious Code Sequences
(F-15)  HP-UX 'at' and 'cron' vulnerabilities
(F-16)  SGI IRIX Desktop Permissions Tool Vulnerability
(F-17)  Cray TCP/IP Sequence Number Spoofing
(F-18)  MPE/iX Vulnerabilities
(F-19)  Protecting HP-UX Systems Against SATAN

CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
04c     December 8, 1994
05d     January 11, 1995
06      March 22, 1995
07      March 29, 1995
08      April 4, 1995




-----------------------------------------------------------------------------
Sandy Sparks, CIAC Manager                         ssparks@llnl.gov


510.422.6856

Computer Incident Advisory Capability (CIAC)
Lawrence Livermore National Laboratory
P.O. Box 808
510.422.8193
Livermore, CA 94551                                     510.423.8002 (FAX)

ciac@llnl.gov
------------------------------------------------------------------------------


