CIAC documents FY 1993
Series D

ciacfy93.txt All public FY93 CIAC bulletins.
d-01.txt   ciac-novel-access-rights
d-02.txt   ciac-(limited-distribution)
d-03.txt   ciac-vms-MONITOR-patch
d-04.txt   ciac-sunos-18-patches
d-05.txt   ciac-hp-NIS-ypbind
d-06.txt   ciac-vms-disuser
d-07.txt   ciac-(limited-distribution)
d-08.txt   ciac-vms-v5-OS
d-09.txt   ciac-vms-v5-OS-addendum
d-10.txt   ciac-november-17-virus
d-11.txt   ciac-sunos-patches-dni-pcnfs
d-12.txt   ciac-(limited-distribution)
d-13.txt   ciac-unix-wuarchive-ftp-daemon
d-14.txt   ciac-(limited-distribution)
d-15.txt   ciac-cisco-router-vulnerability
d-16.txt   ciac-sunos-expreserve-vulnerability
d-17.txt   ciac-(limited-distribution)
d-18.txt   ciac-solaris-2.x-expreserve-patches
d-19.txt   ciac-anonymous-ftp-server-attacks
d-20.txt   ciac-summary-sunos-patches
d-21.txt   ciac-novell-netware-login-patch
d-22.txt   ciac-Satan-Bug-Virus
d-23.txt   ciac-limited-distribution 
d-24.txt   ciac-sco-home-directory-vulnerability
d-25.txt   ciac-automated-scanning-of-network-vulns
d-26.txt   ciac-limited-distribution
        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
              Novell NetWare Access Rights Vulnerability

OCT 14, 1992 0900 PDT                                       Number D-01
________________________________________________________________________
PROBLEM:  A vulnerability has been discovered which may allow any Novell
          NetWare user to obtain unauthorized privileges.
PLATFORM: PC/MS-DOS with Novell NetWare 3.x, 2.x, and NetWare for UNIX
DAMAGE:   Compromise of server integrity
SOLUTION: Obtain and apply software enhancements available from Novell;
          prudent NetWare administration
________________________________________________________________________
 Critical Facts about the Novell NetWare Access Rights Vulnerability

CIAC has learned of a network security threat that allows any Novell
user, equipped with a special program, to gain the access rights
assignable by any other user currently attached to the server.  This
vulnerability affects NetWare 3.x, NetWare 2.x, and NetWare for Unix.

CIAC recommends that you obtain the Phase I security enhancements as
soon as they are available.  They are scheduled to be released by
Novell by the end of October.  NetWare 3.x and 2.x customers will be
able to obtain the enhancements via anonymous ftp from
ftp.IS.Sandy.Novell.COM (137.65.12.2) as well as via NetWire
(Compuserve) and NetWare Express (GE Information Services).  NetWare
for Unix customers should contact the NetWare for Unix partner who
provided them the software.  Help is available from the Novell
customer information line 1-800-NETWARE.

As a general precaution, and as an interim measure until the Phase I
patches are released, Novell recommends the following security
practices:

  *  Use the NetWare utility "SECURITY" to detect insecure access
     points to the server.

  *  Require passwords on all accounts.

  *  Force periodic password changes.

  *  Require unique passwords.

  *  Limit access rights and security equivalences.

  *  Limit concurrent connections.

  *  Enforce login time restrictions.

  *  Enforce login station restrictions.

  *  Enable intruder detection.

  *  Secure unattended workstations to avoid unauthorized use.

In addition, CIAC recommends that you minimize or eliminate supervisor
activity concurrent with non-privileged connections until Phase I is
available; and further recommends that you activate all applicable
NetWare security features and install the most recent versions of
system software, client software, and other patches.

Novell informs us that, to their knowledge, programs exploiting this
vulnerability have not yet been found outside laboratories.  The
technique used to create the security threat, known as packet spoofing
or packet forging, is inherent to all client-server architectures that
have not taken specific protective actions.  CIAC believes that,
because of the increasing publicity of this technique, the
vulnerability could soon be exploited by the hacker/cracker community.

CIAC would like to thank Novell for providing the security practices,
access information, and general support for our efforts concerning
this issue.  We would also like to acknowledge the efforts of SURFnet
Computer Emergency Response Team CERT-NL for alerting us to this
situation.

For additional information or assistance, please contact CIAC at
(510) 422-8193 / FTS or send e-mail to ciac@llnl.gov.  FAX messages
to: (510) 423-8002 / FTS.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.


======================================================================

        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                      LIMITED DISTRIBUTION BULLETIN 

                       Internet Attack Advisory 

October 23, 1992, 1500 PST                                   Number D-02

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages
to: (510) 423-8002.

For emergencies only, call 1-800-SKYPAGE and enter PIN number
855-0070 (primary) or 855-0074 (secondary).

The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400
baud at (510) 423-4753 and 9600 baud at (510) 423-3331.
Previous CIAC bulletins and other information is available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).  


           _____________________________________________________
                The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
           _____________________________________________________
                           INFORMATION BULLETIN 

             Patch Available for VAX/VMS MONITOR Vulnerability

October 30, 1992, 0800 PST                                   Number D-03

______________________________________________________________________________
PROBLEM:     The MONITOR utility on VMS Versions 5.0 through 5.4-2 can be
             used to obtain unauthorized privileges.
PLATFORM:    VAX systems running the VMS operating system.
DAMAGE:      An unprivileged user can obtain increased privileges.
SOLUTION:    Upgrade to VMS version 5.4-3 (or higher); alternatively,
             install a new SYS$SHARE:SPISHR.EXE or implement workarounds
             given in CIAC Bulletin C-30.
______________________________________________________________________________
             Critical Information about the MONITOR Patch

CIAC issued Bulletin C-30 on August 31, 1992, which described the VAX/VMS
MONITOR vulnerability in VMS Versions 5.0 through 5.4-2. Bulletin C-30
contained Digital Equipment Corporation (DEC) advisory SSRT-0200, which gave
workarounds.

This bulletin contains DEC's addendum, SSRT-0200-1, which announces the
availability of a kit to fix problems with the affected VMS versions. The
kit is identified as MONITOR$S01_050, MONITOR$S01_051, MONITOR$S01_052,
MONITOR$S01_053 and MONITOR$S01_054. It contains a new binary image of
SYS$SHARE:SPISHR.EXE, appropriate to the version of VMS being fixed. It is
available from DEC's Digital Services organization. In the U.S.A., it is
also available via DSIN or DSNlink as CSCPAT_1047. 

DEC's advisory notice follows:
==============================================================================
      21-OCT-1992 SSRT-0200-1 (ADDENDUM)
      21-AUG-1992 SSRT-0200

      SOURCE:    Digital Equipment Corporation
      AUTHOR:    Software Security Response Team - U.S.
                 Colorado Springs USA
      PRODUCT:   VMS MONITOR V5.0 through V5.4-2 
      PROBLEM:   Potential Security Vulnerability in VMS MONITOR Utility
      SOLUTION:  A VMS V5.0 through V5.4-2 remedial kit is now available 
                 by contacting your normal Digital Services Support 
                 organization.     
      NOTE:      This problem has been corrected in VAX/VMS V5.4-3
                 (released in October 1991).  
                      
         _____________________________________________________________________
         The kit may be identified as MONTOR$S01_05* or CSCPAT_1047,
         available via DSIN and DSNlink.
         _____________________________________________________________________
      Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
      Published Rights Reserved Under the Copyright Laws of the United States.

      ________________________________________________________________________
      ADVISORY ADDENDUM INFORMATION:
      ________________________________________________________________________

      In August 1992, an advisory and article were distributed describing a
      potential security vulnerability discovered in the VMS MONITOR utility.
      Suggested workarounds to remove the vulnerability were provided. The
      advisory was labeled SSRT-0200 "Potential Security Vulnerability in VMS
      MONITOR Utility."

      This addendum follows that advisory with information of the availability 
      of a kit containing a new SYS$SHARE:SPISHR.EXE for VMS V5.0-* through
      VMS V5.4-2 and may be identified as MONTOR$S01_050 through MONTOR$S01_054
      respectively from your Digital Services organization. In the U.S., the
      kit is also identified as CSCPAT_1047, available via DSIN and DSNlink.
 
      Note: This potential vulnerability does not exist in VMS V5.4-3 and later
      versions of VMS.  Digital strongly recommends that you upgrade to a
      minimum of VMS V5.4-3, and further, to the latest release of VMS, V5.5-1
      (released in July, 1992).

      If you cannot upgrade to a minimum of VMS V5.4-3 at this time,
      Digital strongly recommends that you install the available V5.0-* 
      through V5.4-2 patch kit on your system(s), available from your support 
      organization, to avoid any potential vulnerability. 

      You may obtain a kit for VMS V5.0 through V5.4-2 by contacting your normal
      Digital Services support organization (Customer Support Center, using 
      DSNlink or DSIN, or your local support office).

      As always, Digital recommends that you periodically review your system
      management and security procedures.  Digital will continue to review and
      enhance the security features of its products and work with customers to
      maintain and improve the security and integrity of their systems.
      ________________________________________________________________________
      End of Advisory SSRT-0200-1
==============================================================================


CIAC wishes to thank Rich Boren of DEC's Software Security Response
Team (SSRT) for the information used in this bulletin.

        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                           INFORMATION BULLETIN 

       18 New and Upgraded Security Patches Available For SunOS

November 11, 1992, 1200 PST                                   Number D-04

______________________________________________________________________________
PROBLEMS:  Various security vulnerabilities.
PLATFORMS: SunOS 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and 5.0 (Solaris 2.0FCS).
DAMAGE:    Unauthorized root access and privileges, denial of service,
	   other damage as noted below.
SOLUTION:  Apply Sun Patches as described.
______________________________________________________________________________
       Critical Information about SunOS Security Patches

CIAC has received information from Sun Microsystems regarding the
availability of the following eighteen security patches for SunOS
versions 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and Solaris 2.0FCS (which
contains SunOS 5.0).

The patches are available through your local Sun Answer Center and
via anonymous ftp.  In the U.S., ftp to ftp.uu.net and retrieve the
patches from the /systems/sun/sun-dist directory.  In Europe, ftp to
mcsun.eu.net and retrieve the patches from the ~ftp/sun/fixes
directory.  The patches are contained in compressed tar files named
[patch].tar.Z.  For example, if you wish to obtain patch 100103-11,
the tarfile would be 100103-11.tar.Z.  Each patch has been checksummed
using the SunOS "sum" command so its validity can be verified by the
end user.  If you find that the checksum differs from that listed
below, please contact Sun Microsystems or CIAC for confirmation before
using the patch.  To install the patches on your system, follow the
instructions contained in the README files which accompany each patch.
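As an added example (not part of this CIAC bulletin and not Sun's tooling), the following Python reimplements the classic BSD "sum" checksum that SunOS /usr/bin/sum printed, so a downloaded [patch].tar.Z can be compared against the Checksum column of the tables below before it is installed. The 1024-byte block size is an assumption; the table rows are copied from this bulletin and the tarfile contents are constructed.

```python
"""Check a downloaded Sun patch tarfile against the bulletin's "Checksum" column.

Added example, not from the bulletin or from Sun.  The checksum is the BSD
"sum" algorithm (16-bit rotate-right-and-add over every byte) that SunOS
/usr/bin/sum used; the block count is assumed to be 1024-byte blocks,
rounded up, which is how BSD-style sum reports file size.
"""
import re
from typing import Dict, Optional, Tuple

BLOCK_SIZE = 1024  # assumption: SunOS sum reported the size in 1K blocks


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """Return (checksum, blocks) exactly as "sum" would print them."""
    checksum = 0
    for byte in data:
        # rotate the 16-bit accumulator right by one bit, then add the byte
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    return checksum, blocks


# One table row of the bulletin, e.g.
# "100103-11  19847 6     4.1.3, 4.1.2, 4.1.1, 4.1         B-26"
# Indented description lines do not start with a patch id and are skipped.
_ROW = re.compile(
    r"^(?P<patch>\d{6}-\d{2})\s+(?P<sum>\d{1,5})\s+(?P<blocks>\d+)(?:\s+(?P<rest>.*))?$"
)


def parse_patch_row(line: str) -> Optional[dict]:
    """Parse "patch  checksum blocks  versions  bulletins"; None if not a row."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    return {
        "patch": m["patch"],
        "sum": int(m["sum"]),        # "00115" in the table parses as 115
        "blocks": int(m["blocks"]),
        "rest": (m["rest"] or "").strip(),
    }


def load_expected(table_text: str) -> Dict[str, Tuple[int, int]]:
    """Map patch id -> (checksum, blocks) for every table row in the text."""
    expected: Dict[str, Tuple[int, int]] = {}
    for line in table_text.splitlines():
        row = parse_patch_row(line)
        if row:
            expected[row["patch"]] = (row["sum"], row["blocks"])
    return expected


def verify_patch(patch_id: str, data: bytes, expected: Dict[str, Tuple[int, int]]) -> bool:
    """True only if both the checksum and the block count match the bulletin."""
    if patch_id not in expected:
        raise KeyError(f"{patch_id} is not listed in the bulletin table")
    return bsd_sum(data) == expected[patch_id]


def verify_file(path: str, patch_id: str, table_text: str) -> bool:
    """Convenience wrapper: read a downloaded tarfile and verify it."""
    with open(path, "rb") as fh:
        return verify_patch(patch_id, fh.read(), load_expected(table_text))


# Rows copied from the D-04 tables (real bulletin values).
BULLETIN_TABLE = """\
100103-11  19847 6     4.1.3, 4.1.2, 4.1.1, 4.1         B-26
           A shell script modifies file permissions to a more secure
           mode.
100173-09  28314 788   4.1.3, 4.1.2, 4.1.1, 4.1         C-28
100564-05  00115 824   4.1.3, 4.1.2                    (contact CIAC)
100723-01  22726 1     Solaris 2.0FCS/SunOS 5.0         new patch
"""

# Constructed stand-in for a tarfile; it is NOT a real Sun patch, so it
# must fail verification (its size alone gives 2 blocks, not 6).
CONSTRUCTED_TAR = b"constructed placeholder, not a Sun patch\n" * 40


if __name__ == "__main__":
    expected = load_expected(BULLETIN_TABLE)
    print("computed:", bsd_sum(CONSTRUCTED_TAR), "listed:", expected["100103-11"])
    print("100103-11 verifies:", verify_patch("100103-11", CONSTRUCTED_TAR, expected))
```

A mismatch means the download should be re-fetched, or Sun or CIAC contacted, as the paragraph above says; the check is an integrity aid, not proof of authenticity.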


The following ten patches (except for the last, which is a new patch)
are new revisions, superseding older patch versions, and they all
include fixes for new bugs.  All designated versions of SunOS should
be upgraded with these patches.  Refer to the CIAC bulletins listed,
or contact CIAC for more information on each vulnerability.  A brief
description of each patch is provided.

Patch      Checksum    SunOS Versions                   CIAC Bulletins 
-----      --------    --------------                   --------------
100103-11  19847 6     4.1.3, 4.1.2, 4.1.1, 4.1         B-26
           A shell script modifies file permissions to a more secure
           mode.  The script changes the permissions for two
           additional files:
           /var/yp/`domainname`/mail.aliases.dir and
           /var/yp/`domainname`/mail.aliases.pag

100173-09  28314 788   4.1.3, 4.1.2, 4.1.1, 4.1         C-28
           NFS jumbo patch - Repairs a problem when accessing NFS
           mounted files as root.  This patch requires that a new
           kernel be configured, made and installed.  The installer
           needs to build a new kernel only once even if multiple
           patches are installed, as long as all the object files
           (".o" files) from all patches are loaded.  

100267-09  55338 5891  4.1.1                           (contact CIAC)
           This is the international version of the libc replacement
           with all 4.1.1 patches.  New bug fixes include: innetgr may
           acknowledge false netgroup membership, undefined symbols
           when linking statically with "mblen()", mbtowc and mbstowcs
           give different results for same character. 

100305-10  28781 368   4.1.3, 4.1.2, 4.1.1, 4.1         B-30, B-33 
           Fix for lpr, lpd, lpstat -v, passwd, delete, and system.
           This patch also contains a new bug fix for lpstat -v. 

100377-05  29141 1076  4.1.3, 4.1.2, 4.1.1, 4.1         C-26, A-16
           sendmail jumbo patch - Fixes sendmail, sendmail.mx 
           Remedies five new bugs in sendmail.

100507-04  57590 61    4.1.3, 4.1.2, 4.1.1             (contact CIAC)
           tmpfs jumbo patch - Copying files from an NFS mounted
           partition to a tmpfs mount can result in a security breach.
           This patch requires that a new kernel be configured, made
           and installed.  The installer needs to build a new kernel
           only once even if multiple patches are installed, as long
           as all the object files (".o" files) from all patches are
           loaded. 

100513-01  20616 480   4.1.3, 4.1.2, 4.1.1, 4.1         B-10
           tty jumbo patch - Consolidates many patches, including
           security patch 100188-02 (TIOCCONS redirection of console
           output/input).  This patch requires that a new kernel be
           configured, made and installed.  The installer needs to
           build a new kernel only once even if multiple patches are
           installed, as long as all the object files (".o" files)
           from all patches are loaded.

100201-06  13145 164   4.1.1, 4.1                      (contact CIAC)
           C2 jumbo patch - Fixes delay with yppasswd when running C2
           with NIS, unprivileged access to environment variables, and
           a problem where an image contains plaintext passwords and
           passwd.adjunct file.   

100564-05  00115 824   4.1.3, 4.1.2                    (contact CIAC)
           C2 jumbo patch - Fixes problem where an image contains
           plaintext passwords and passwd.adjunct file.

100723-01  22726 1     Solaris 2.0FCS/SunOS 5.0         new patch
           The Solaris 2.0FCS install leaves world-writable
           directories.  NOTE: this patch contains a README file only.
           The README instructs the installer to run the following
           command as root after the installation of
           Solaris 2.0FCS/SunOS 5.0:   #pkgchk -f
           This corrects directory and file attributes incorrectly
           set during the installation process.

           
The following patch is an upgrade for compatibility with SunOS
versions 4.1.2 and 4.1.3.  If you have a pre-4.1.2 system and have
previously loaded this patch, you need not apply this to your system. 

100372-02  22739 712   4.1.3, 4.1.2, 4.1.1             (contact CIAC)
           tfs and C2 do not work together.  This patch is provided
           for C2 security, and is only necessary if you use C2 with
           tfs (translucent file service). 


The following seven patches are upgraded to be compatible with SunOS
4.1.3.  If you have a pre-4.1.3 system and have previously loaded
these patches, you need not apply these to your system.

100296-04  42492 40    4.1.3, 4.1.2, 4.1.1              C-06
           Netgroup exports to world.

100482-03  27837 342   4.1.3, 4.1.2, 4.1.1, 4.1         C-25
           ypserv, ypxfrd.  Note: the /var/yp/securenets configuration
           file provided with this patch does not support blank lines. 

100383-05  52230 135   4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3  C-04, C-08 
           rdist security enhancement.

100567-04  15728 11    4.1.3, 4.1.2, 4.1.1, 4.1         C-28
           icmp redirects, mfree panic. This patch requires that a new
           kernel be configured, made and installed.  The installer
           needs to build a new kernel only once even if multiple
           patches are installed, as long as all the object files
           (".o" files) from all patches are loaded.   

100630-01  28074 39    4.1.3, 4.1.2, 4.1.1, 4.1         C-26
100631-01  44444 25    4.1.3, 4.1.2, 4.1.1, 4.1         C-26  
           login, su, LD_ environment variables.
           100630-01 is the international version of /bin/login for
           systems not using the US Encryption Kit.  /usr/bin/su and
           /usr/5bin/su from the international version are suitable
           for sites that use the US Encryption Kit.
           100631-01 is the domestic version.  To obtain 100631-01,
           contact your local Sun Answer Center.

100633-01  33264 20    4.1.3, 4.1.2, 4.1.1             (contact CIAC)
           Unbundled SunSHIELD ARM 1.0, "LD_" environment variables
           can be used to exploit login/su, international version. 



CIAC wishes to thank Ken Pon of Sun Microsystems for the information
used in this bulletin.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.
Your agency's team will coordinate with CIAC. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A
list of FIRST member organizations and their constituencies can be
obtained by sending email to Docserver@First.Org with a null subject
line, and the first line of the message reading: send first-contacts.


			RESTRICTIONS: NONE 

          _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___ 
          _____________________________________________________
                          Information Bulletin

             Revised Hewlett-Packard NIS ypbind Vulnerability

January 22, 1993, 1400 PST		   	              Number D-05

_________________________________________________________________________
PROBLEM:   Allows unauthorized access to NIS data.
PLATFORM:  HP/UX Operating System for series 300, 700, and 800 computers.
DAMAGE:    Remote and local users can obtain unauthorized privileges.
SOLUTION:  Install revised patches. 
_________________________________________________________________________
          Critical Information about Hewlett-Packard NIS ypbind

The enclosed advisory was issued by the Computer Emergency Response
Team Coordination Center (CERT/CC) and is an update to its previous
advisory, CA-92:17.

=============================================================================
CA-93:01                         CERT Advisory
                               January 13, 1993
                Revised Hewlett-Packard NIS ypbind Vulnerability

-----------------------------------------------------------------------------

                   *** THIS IS A REVISED CERT ADVISORY ***
   *** IT CONTAINS NEW INFORMATION REGARDING AVAILABILITY OF IMAGE KITS ***
                  *** SUPERSEDES CERT ADVISORY CA-92:17 ***

The CERT Coordination Center has received information concerning a
vulnerability in the NIS ypbind module for the Hewlett-Packard (HP)
HP/UX Operating System for series 300, 700, and 800 computers. 

HP has provided revised patches for all of the HP/UX level 8 releases
(8.0, 8.02, 8.06, and 8.07).  This problem is fixed in HP/UX 9.0.
The following patches have been superseded:

              Patch ID        Replaced by Patch ID
              PHNE_1359       PHNE_1706
              PHNE_1360       PHNE_1707
              PHNE_1361       PHNE_1708

All HP NIS clients and servers running ypbind should obtain and 
install the patch appropriate for their machine's architecture
as described below.

-----------------------------------------------------------------------------

I.   Description

     A vulnerability in HP NIS allows unauthorized access to NIS data.

II.  Impact

     Root on a remote host running any vendor's implementation of NIS
     can gain root access on any local host running HP's NIS ypbind. 
     Local users of a host running HP's NIS ypbind can also gain root access.

III. Solution
        
     1) All HP NIS clients and servers running ypbind should obtain and 
        install the patch appropriate for their machine's architecture.

        These patches contain a version of ypbind that accepts ypset
        requests only from a superuser port on the local host.  This prevents
        a non-superuser program from sending rogue ypset requests to ypbind.
        The patches also include the mod from the superseded patches that 
        prevents a superuser on a remote system from issuing a ypset -h 
        command to the local system and binding the system to a rogue ypserver.

        These patches may be obtained from HP via FTP (this is NOT
        anonymous FTP) or the HP SupportLine.  To obtain HP security
        patches, you must first register with the HP SupportLine.
        The registration instructions are available via anonymous FTP at
        cert.org (192.88.209.5) in the file
                "pub/vendors/hp/supportline_and_patch_retrieval".
        The new patch files are:

     Architecture Patch ID   Filename                               Checksum
     ------------ --------   --------                               --------
     Series 300   PHNE_1706  /hp-ux_patches/s300_400/8.X/PHNE_1706  38955 212
     Series 700   PHNE_1707  /hp-ux_patches/s700/8.X/PHNE_1707        815 311
     Series 800   PHNE_1708  /hp-ux_patches/s800/8.X/PHNE_1708      56971 299

     2) The instructions for installing the patch are provided in the
        PHNE_xxxx.text file (this file is created after the patch has
        been unpacked).

        The checksums listed above are for the patch archive files from HP.
        Once unpacked, each shell archive contains additional checksum 
        information in the file "patchfilename.text".  This checksum is
        applicable to the binary patch file "patchfilename.updt".


If you have any questions about obtaining or installing the patches,
contact the USA HP SupportLine at 415-691-3888, or your local HP
SupportLine number.  Please note that the telephone numbers in this
advisory are appropriate for the USA and Canada. 

-----------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Brian Kelley of Ford Motor
Company for bringing this vulnerability to our attention.  We would also
like to thank Hewlett-Packard for their response to this problem. 
-----------------------------------------------------------------------------
===========================================================================
CIAC would like to acknowledge the contributions of: CERT/CC.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov. FAX messages to
(510)423-8002/FTS.



       _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin

              Failure to disable user accounts for VMS 5.3 to 5.5-2

FEB 12, 1993  1400 PST                                       Number D-06
________________________________________________________________________
PROBLEM: VMS systems configured to disable user accounts experiencing
break-in attempts may not disable those accounts, as required.
PLATFORM: VAXstations using DECwindows or Motif, VMS versions 5.3
through Open VMS 5.5-2.
DAMAGE: Unauthorized users could gain access given sufficient time.
SOLUTION: Apply patch CSCPAT_0239019 or physically secure workstations
if accounts are so configured.
________________________________________________________________________
    Critical Facts about potential vulnerability in VMS VAXstations

CIAC has learned of a vulnerability in VAXstations running (Open) VMS
versions 5.3 through 5.5-2 when using VMS DECwindows or VMS DECwindows
MOTIF.  The vulnerability applies to systems where the SYSGEN parameter
for disabling accounts under attack is enabled (i.e., LGI_BRK_DISUSER
is set to 1).  If the "break-in limit," i.e., the log-in failure count
threshold (SYSGEN parameter LGI_BRK_LIM) is exceeded during an interval
determined by an algorithm using LGI_BRK_TMO, the account will NOT be
disabled, allowing repeated attacks.  Other security functions will
continue to work correctly, such as evasion and SYSUAF counts for
log-in failures, as well as security audit recording.  The
vulnerability is not present when using non-local DECwindows or MOTIF
access via DECnet.

If you are not required to invoke automatic account disabling, CIAC
recommends that you secure your systems by prudently managing passwords
and effectively setting break-in detection and evasion SYSGEN
parameters.  In most cases the default parameter settings are
adequate.  You may further strengthen evasion security by

	o reducing LGI_BRK_LIM (default 5 log-in attempts)
	o increasing LGI_HID_TIM (default 300 seconds)
	o increasing LGI_BRK_TMO (default 300 seconds)
	o changing LGI_BRK_TERM to 0 (default is 1)

Be advised that each parameter change may increase the risk of denial
of service to legitimate users.  If you have dial up access, make
certain that the parameter LGI_RETRY_LIM is not increased beyond its
default value of three.
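
The following model, added here as an illustration and not code from CIAC or
Digital, shows how the SYSGEN parameters above interact: a constructed
stream of login attempts is run under the default settings, under the
hardened settings suggested above, and with LGI_BRK_DISUSER set.  The exact
VMS algorithm that derives the detection interval from LGI_BRK_TMO is not
given in this bulletin, so the model assumes each failure extends the
association by LGI_BRK_TMO seconds and that evasion lasts exactly
LGI_HID_TIM seconds.

```python
"""Simplified model of VMS break-in detection and evasion driven by the
SYSGEN parameters named in bulletin D-06.  Added illustration only; the
expiry and evasion rules are simplifying assumptions (real VMS also adds
a random component to the evasion time)."""
from dataclasses import dataclass, field


@dataclass
class LoginParams:
    # Defaults are the values quoted in the bulletin.
    lgi_brk_lim: int = 5        # failures before evasion starts
    lgi_brk_tmo: int = 300      # seconds each failure keeps the association alive
    lgi_hid_tim: int = 300      # seconds of evasion once the limit is reached
    lgi_brk_term: int = 1       # 1: track per user+terminal, 0: per user only
    lgi_brk_disuser: int = 0    # 1: also set DISUSER on the account


@dataclass
class Association:
    failures: int = 0
    expires_at: float = 0.0     # association is forgotten after this time
    hidden_until: float = 0.0   # evasion in effect until this time


@dataclass
class BreakinDetector:
    params: LoginParams = field(default_factory=LoginParams)
    assocs: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)   # usernames with DISUSER set

    def _key(self, user, terminal):
        # LGI_BRK_TERM=0 pools failures from every terminal onto the user.
        return (user, terminal) if self.params.lgi_brk_term else (user, None)

    def attempt(self, now, user, terminal, password_ok):
        """Process one login attempt; return 'ok', 'fail', 'evaded' or 'disabled'."""
        if user in self.disabled:
            return "disabled"
        key = self._key(user, terminal)
        a = self.assocs.get(key)
        if a is not None and now > a.expires_at and now > a.hidden_until:
            del self.assocs[key]          # stale association, start fresh
            a = None
        if a is not None and now <= a.hidden_until:
            return "evaded"               # a correct password is refused too
        if password_ok:
            return "ok"
        if a is None:
            a = self.assocs[key] = Association()
        a.failures += 1
        a.expires_at = now + self.params.lgi_brk_tmo
        if a.failures >= self.params.lgi_brk_lim:
            a.hidden_until = now + self.params.lgi_hid_tim
            if self.params.lgi_brk_disuser:
                self.disabled.add(user)   # the step D-06 says is skipped on local DECwindows
                return "disabled"
        return "fail"


def run_scenario(params, events):
    """events: (time, user, terminal, password_ok) tuples; returns one outcome per event."""
    det = BreakinDetector(params)
    return [det.attempt(*e) for e in events]


# Constructed scenario: a typo-prone user on TTA0, then a burst of failures on TTA1,
# then the legitimate user returning on TTA0.
SCENARIO = [
    (0, "SMITH", "TTA0", False), (10, "SMITH", "TTA0", False), (20, "SMITH", "TTA0", True),
    (100, "SMITH", "TTA1", False), (110, "SMITH", "TTA1", False), (120, "SMITH", "TTA1", False),
    (130, "SMITH", "TTA1", False), (140, "SMITH", "TTA1", False), (150, "SMITH", "TTA1", False),
    (200, "SMITH", "TTA0", True),
]

if __name__ == "__main__":
    for name, p in [("defaults", LoginParams()),
                    ("hardened", LoginParams(lgi_brk_lim=3, lgi_brk_term=0)),
                    ("disuser", LoginParams(lgi_brk_disuser=1))]:
        print("%-9s %s" % (name, " ".join(run_scenario(p, SCENARIO))))
```

Under the hardened settings the legitimate login at t=200 is also evaded, which is the denial-of-service risk the bulletin warns about when tightening these parameters.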

In all cases, CIAC recommends that you first upgrade to the latest
version of Open VMS and windowing software (to correct other potential
vulnerabilities).  To correct the potential vulnerability identified in
this bulletin, apply patch suite CSCPAT_0239019, available from
Digital.  If you have DSNlink for VMS, use the DSNlink VTX Patch
Application.  When prompted for a search string, use the keyword
CSCPAT_0239019.  If you do not have DSNlink for VMS, contact your local
Digital office or your Digital Support Center for the patch.

If you cannot obtain or apply the patch, you should restrict
workstation physical access to authorized users.

For additional information or assistance, please contact CIAC at (510)
422-8193/FTS or send e-mail to ciac@llnl.gov.  FAX messages to: (510)
423-8002/FTS.

CIAC wishes to acknowledge Tom Moore and Mona Wecksung of Los Alamos
National Laboratory for bringing the vulnerability to our attention,
and Rich Boren of Digital's Software Security Response Team for leading
problem resolution efforts.

        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                      LIMITED DISTRIBUTION BULLETIN 

                       (1) UNICOS Running MLS
                       (2) UNICOS Environment Variable 

February 23, 1993, 1700 PST                                Number D-07

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX
messages to: (510) 423-8002.

For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070
(primary) or 855-0074 (secondary).

          ______________________________________________________

                The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
          ______________________________________________________

                         A D V I S O R Y   N O T I C E
 
                   Potential Vulnerability in VMS V5 and
                        Derivative Operating Systems
 
FEB 23, 1993  1200 PST                                          Number D-08
___________________________________________________________________________
PROBLEM:  Malicious program simplifies exploitation of VMS vulnerability.
PLATFORM: Systems running VMS V5.0 through OpenVMS V5.5-2 and
          OpenVMS AXP V1.0 (including all SEVMS V5.1 through V5.5-2).
DAMAGE:   Authorized unprivileged users could obtain all system privileges.
SOLUTION: Apply patch available from Digital Equipment Corporation.
___________________________________________________________________________
          Critical Information about Potential Vulnerability in VMS

CIAC has learned of a potential vulnerability in VMS, OpenVMS and Security
Enhanced VMS (SEVMS) as described in the following advisory (which was
requested to be distributed intact) from Digital Equipment Corporation:
========================== Begin DEC Advisory =============================
  DATE:     23.FEB.1993
  SOURCE:   Digital Equipment Corporation
  AUTHOR:   Software Security Response Team
            Colorado Springs USA
  PRODUCT:  VMS V5.0 through OpenVMS V5.5-2 & OpenVMS AXP V1.0
  PROBLEM:  Potential Security Vulnerability - OpenVMS
  SOLUTION: A remedial kit is now available for OpenVMS AXP V1.0,
            VMS V5.0 through OpenVMS Version 5.5-2 (including all SEVMS
            versions V5.1 through V5.5-2 as applicable) by contacting
            your normal Digital Services Support organization.
  SEVERITY LEVEL: High

  This potential vulnerability has been corrected in the next release of
  OpenVMS, V6.0 and OpenVMS AXP, V1.5.  For VMS Versions prior to V5.0,
  Digital strongly recommends that you upgrade to a minimum of VMS V5.0
  and further, to the latest release of OpenVMS V5.5-2.
  _________________________________________________________________________
        The remedial kits may be identified as:
             VAXSYS01_U2050   VMS V5.0, V5.0-1, V5.0-2
             VAXSYS01_U1051   VMS V5.1 thru V5.1-1
             VAXSYS01_U1052   VMS V5.2, V5.2-1
             VAXSYS01_U2053   VMS V5.3 thru V5.3-2
             VAXSYS01_U3054   VMS V5.4 thru V5.4-3
             VAXSYS02_U2055   OpenVMS V5.5 thru V5.5-2
             AXPSYS01_010     OpenVMS AXP V1.0
  _________________________________________________________________________
  Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
  Published Rights Reserved Under The Copyright Laws Of The United States.
  _________________________________________________________________________
  ADVISORY INFORMATION:
  _________________________________________________________________________
  This update kit corrects a potential security vulnerability in the VMS,
  OpenVMS VAX and OpenVMS AXP operating systems.  This potential
  vulnerability may be further exploited in the form of a malicious program
  that may allow authorized but unprivileged users to obtain all system
  privileges, potentially giving the unprivileged user control of your
  OpenVMS system and data.

  NOTE:
  The update kit must be applied if an update or installation is performed
  for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5.  For VMS
  Versions prior to VMS V5.0, Digital strongly recommends that you upgrade
  to a minimum of VMS V5.0 and further to the latest release of OpenVMS
  V5.5-2.
  _________________________________________________________________________
  PATCH KIT INFORMATION:
  _________________________________________________________________________
  Digital strongly recommends that you install the available kit on your
  system(s), to avoid any potential vulnerability as a result of this
  problem.

  Customers with a Digital Services contract may obtain a kit for the
  affected versions of OpenVMS by contacting your normal support
  organizations.

  -  In the U.S. Customers may contact the Customer Support Center
     at 1(800)354-9000 and request the appropriate kit for your version
     of OpenVMS, or through DSNlink Text Search database using the
     keyword text "Potential Security Vulnerability", or DSNlink VTX using
     the patch number 1084

  -  Customers in other geographies should contact their normal Digital
     Services support organizations.

  As always, Digital recommends you to regularly review your system
  management and security procedures.  Digital will continue to review and
  enhance security features, and work with our customers to further improve
  the integrity of their systems.
=========================== End DEC Advisory ==============================

CIAC recommends that you follow the DEC advisory to obtain and install
the appropriate patch.

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov.  FAX
messages to: (510) 423-8002.

For emergencies and off-hour assistance call 1-800-SKYPAGE and enter
PIN number 855-0070 (primary) or 855-0074 (secondary).

          ______________________________________________________

                The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          ____________________________________________________

                  I N F O R M A T I O N   B U L L E T I N
 
                   OpenVMS Security Patch #1084 Problems
                      Addendum to CIAC Advisory D-08
 
MAR 2, 1993  1400 PST                                          Number D-09
___________________________________________________________________________
PROBLEM:  Systems with security patch #1084 installed will not boot after
          performing certain system upgrades.
PLATFORM: VMS, OpenVMS VAX and SEVMS systems.
DAMAGE:   System security is not affected.
SOLUTION: Restore the old files before upgrading or apply a patch to the
          new IMAGE_MANAGEMENT.EXE file.
___________________________________________________________________________
          Critical Information about OpenVMS VAX Patch Problems

  CIAC has learned that applying specific system upgrades to VMS, OpenVMS VAX
and Security Enhanced VMS (SEVMS) systems that have been patched as described in
CIAC Advisory D-08 "Potential Vulnerability in VMS V5 and Derivative Operating
Systems, February 23, 1993" leaves those systems unable to boot.  The patch is
#1084 and the affected upgrades are: V5.3 to V5.3-1; V5.3-1 to V5.3-2; V5.5 to
V5.5-2; V5.5-1 to V5.5-2.  All other upgrades are not affected.

  This patch's installation procedure leaves the old IMAGE_MANAGEMENT.EXE and
PAGE_MANAGEMENT.EXE files in the SYS$COMMON:[SYS$LDR] directory.  The system
can be restored for upgrade as long as these files have not been removed.
Prior to system upgrade, use rename to change the old files to a higher
version than the new files.  Otherwise, take the corrective action described
in addendum SSRT 02.25-01 (see below).  DEC requests that 02.25-01 be
redistributed intact.

========================== Begin DEC Addendum 02.25-01 ========================
SSRT 02.25 - 01       01.MAR.1993    Addendum Advisory
RE: SSRT 02.25 dated  23.FEB.1993

                SOURCE: Digital Equipment Corporation
                AUTHOR: Software Security Response Team
                        Colorado Springs, CO.
DESCRIPTION
------------
 Digital has received information concerning a problem while upgrading
 the OpenVMS VAX Version paths listed below.

OpenVMS VAX versions affected:
------------------------------
          upgrade paths  V5.3   to V5.3-1
                         V5.3-1 to V5.3-2
                         V5.5   to V5.5-2
                         V5.5-1 to V5.5-2

 A problem will occur during an upgrade to a system that previously installed
 the Security Kit identified as:

                        CSCPAT_1084010.A   (combined kit for all OpenVMS VAX
                                            Versions affected. DSNlink kit.)
                        VAXSYS01_U2053.A   OpenVMS V5.3, V5.3-1, V5.3-2
                        VAXSYS02_U2055.A   OpenVMS V5.5, V5.5-1, V5.5-2
NOTE:
*****
 All other applicable versions of OpenVMS VAX and their supported upgrade paths
 do not exhibit this symptom if the Security Kit (identified in an advisory
 SSRT 02.25 dated 23.FEB.1993) was installed before upgrading to the next
 higher version.

 The Security Kit must be re-applied after all OpenVMS VAX upgrades for V5.0
 through V5.5-2.   Digital recommends that until OpenVMS VAX V6.0 or OpenVMS
 AXP V1.5 is installed later this year, contact your Digital Services Support
 organization to obtain the most current version of the applicable Security
 Kit.

IMPACT
---------
 Anyone who upgrades from OpenVMS VAX V5.3 to V5.3-1, V5.3-1 to V5.3-2,
 V5.5 to V5.5-2, or V5.5-1 to V5.5-2 will experience an error directly related
 to having the Security Kit installed prior to the OpenVMS VAX upgrades listed
 above.  The system will fail to boot properly after the completion of the
 upgrade. 

SOLUTION
---------
 If you renamed the images replaced following the installation of the Security
 Kit, restore the saved images prior to upgrading OpenVMS VAX to the next
 higher release then re-apply the Security Kit.   The images replaced by
 the Security Kit identified above are:

                 PAGE_MANAGEMENT.EXE  &  IMAGE_MANAGEMENT.EXE
               and placed in the directory  SYS$COMMON:[SYS$LDR]
 
 WARNING: To prevent a similar problem ensure that no copies of the above
          images exist in the SYS$SPECIFIC:[SYS$LDR] directory.

 
 If the images replaced during the Security Kit installation cannot be restored
 prior to your upgrade, enter the commands (as indicated below) after your
 OpenVMS VAX upgrade completes.

**** IN EACH CASE, THE SOLUTION BELOW IS A POST OpenVMS VAX UPGRADE EVENT  ****

!For OpenVMS VAX V5.3 upgrade paths
!            V5.3   to V5.3-1
!            V5.3-1 to V5.3-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1      !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C
$
$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A0F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT

 Press the HALT button, reboot the system, and re-install the Security Kit and
 reboot again for the installation to become effective.

----------------------------------------------------------------------------

!For OpenVMS VAX V5.5 upgrade paths
!             V5.5   to V5.5-2
!             V5.5-1 to V5.5-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1      !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C

$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A2F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT
$

 Press the HALT button, reboot the system, and re-install the Security Kit and
 reboot again for the installation to become effective.
 -----------------------------------------------------------------------------
 Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
 Published Rights Reserved Under The Copyright Laws Of The United States.
=========================== End DEC Addendum 02.25-01 =========================

CIAC recommends that you follow the DEC advisory addendum if performing an
upgrade for the specific versions indicated.  If you need additional
information, contact Mr. Richard Boren of DEC's Software Security Response
Team (SSRT) at 719-592-4689.  CIAC wishes to thank Rich for supplying the
advisory used in this bulletin. 

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov.  FAX
messages to: (510) 423-8002.

For emergencies and off-hour assistance call 1-800-SKYPAGE and enter
PIN number 855-0070 (primary) or 855-0074 (secondary).

        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
		November 17 Virus on MS DOS Computers
 
March 15, 1993 1000 PST                                       Number D-10
__________________________________________________________________________
NAME:        November 17 virus
ALIASES:     NOV 17, 855
PLATFORM:    MS DOS Computers
DAMAGE:      On November 17 will destroy hard disk contents
SYMPTOMS:    Files grow by 855, 768, 880, or 800 bytes
DETECTION/
ERADICATION: FPROT 207, Scan V102, Novi
__________________________________________________________________________
	      Critical Facts about the November 17 virus

The November 17 virus is a simplistic file infector virus which has
recently been discovered to be fairly widespread.  This virus will
overwrite the hard disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27,
A-29, B-35, and 3 bulletins from Fiscal Year 1989 for information on
similar file infector viruses).  Upon execution of a virus-infected
program, NOV 17 will become memory resident at the top of memory and
inhabit 896 bytes of memory.  

Once resident, it will infect any .COM and .EXE programs when the file
attributes are set or read, when the file is opened for READ, and upon
loading and execution.  Therefore, if the virus is resident in memory,
and a new disk with clean executables is copied, the original disk's
.EXE and .COM files will become infected if the disk is not
write-protected.  It can easily be transferred via LANs anytime an
executable file is opened or executed over the LAN.  This virus will
not infect files with a filename of SCAN.EXE or CLEAN.EXE, and it will
not infect files that have the system bit set.  It does not affect
data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the
C: drive or current drive, depending on the variant.  On any other day
of the year this virus will simply replicate.  Some variants will
cause this overwrite process to occur on days after November 17.

Detection and Eradication

Many recent versions of antivirus products will detect this virus.
Another method of direct detection is to search for the string
"SCAN.CLEAN.COMEXE", which can be found within the virus code of every
infection.

Until March of 1993, there had been no reports of this virus in the
United States.  Because of this fact, some anti-virus products do not
detect the presence of it by name.  Some products, such as Data
Physician Plus!, do detect when they themselves become infected, at
which point a message such as "A virus has been detected, would you
like to continue?" may appear on the screen.  This message means that
the antivirus product's self check mechanism has detected a
modification to itself, and at this point CIAC recommends that you
check the machine with a different antivirus product, or call CIAC for
additional information on virus handling.

Virus Variants

There are four known variants of this virus; each increases file
lengths by a different amount and takes up a different amount of
resident memory.  The variants increase file lengths of infected files by 768,
800, 880, and 855 bytes.  The 768 variant is almost identical to the
original virus but takes up 800 bytes of memory; it was discovered in
May of 1992. The variant which adds 800 bytes to files takes up 832
bytes of memory, was discovered in March of 1993, and activates
November 17-30 of any year.  The 880 variant, which uses 928 bytes of
memory, first seen in November, 1992, will activate on any date from
November 17-December 31 of any year.  The 855 variant, also called
Nov17B, first seen in September of 1992, causes infected .EXE files to
hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes
not possible to remove the infection from a host program.  CIAC
recommends that if this virus is discovered a copy be kept and then
all infected files be deleted and restored from backup.
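
The two indicators given above (the "SCAN.CLEAN.COMEXE" string and growth of
.COM/.EXE files by one of the four variant sizes) can be checked with a small
scanner such as the following.  It is added here as an illustration, not a CIAC
tool; the sample files it builds are constructed, and it only reports findings,
since the bulletin advises deleting infected files and restoring from backup.

```python
"""Scanner for the November 17 indicators given in bulletin D-10: the
signature string found in every infection, and .COM/.EXE files that have
grown by exactly 768, 800, 855 or 880 bytes relative to a known-good size
manifest.  Added illustration only; it reports, it does not disinfect."""
import os
import tempfile

SIGNATURE = b"SCAN.CLEAN.COMEXE"
VARIANT_GROWTH = {768: "768-byte variant",
                  800: "800-byte variant (active Nov 17-30)",
                  855: "855-byte variant (Nov17B)",
                  880: "880-byte variant (active Nov 17-Dec 31)"}
TARGET_EXTS = (".com", ".exe")


def scan_file(path, baseline_size=None):
    """Return a list of findings for one file (empty list means nothing found)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if SIGNATURE in data:
        findings.append("signature string present at offset %d" % data.find(SIGNATURE))
    if baseline_size is not None:
        growth = len(data) - baseline_size
        if growth in VARIANT_GROWTH:
            findings.append("grew by %d bytes: %s" % (growth, VARIANT_GROWTH[growth]))
        elif growth:
            findings.append("size changed by %d bytes (no known variant)" % growth)
    return findings


def scan_tree(root, manifest=None):
    """Walk root scanning .COM/.EXE files; manifest maps upper-case relative path -> good size."""
    manifest = manifest or {}
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTS):
                continue            # the virus does not touch data files
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").upper()
            findings = scan_file(full, manifest.get(rel))
            if findings:
                report[rel] = findings
    return report


def build_sample_tree():
    """Constructed sample: a clean program, an 'infected' one, and a data file."""
    root = tempfile.mkdtemp(prefix="nov17_")
    clean = b"\x90" * 1000                                    # placeholder program bytes
    infected = clean + b"\x00" * (855 - len(SIGNATURE)) + SIGNATURE   # 855-byte growth
    with open(os.path.join(root, "EDIT.COM"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "WP.EXE"), "wb") as fh:
        fh.write(infected)
    with open(os.path.join(root, "NOTES.TXT"), "wb") as fh:
        fh.write(SIGNATURE)                                   # not a target extension
    manifest = {"EDIT.COM": 1000, "WP.EXE": 1000}
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    for rel, findings in sorted(scan_tree(root, manifest).items()):
        print(rel)
        for finding in findings:
            print("   ", finding)
```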


For additional information or assistance, please contact CIAC at 
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov.  FAX
messages to (510) 423-8002 / FTS.

        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
               Sun Security Patches and Software Updates
 
March 19, 1993 1400 PST                                       Number D-11
__________________________________________________________________________
PROBLEM:  Security vulnerabilities in SunOS, DNI, and PC-NFS.
PLATFORM: All Sun platforms running SunOS 4.0.3 or later, including
          Solaris 2.0 and 2.1.
DAMAGE:   Unauthorized root access, denial of service, and other
          as detailed below.
SOLUTION: Apply Sun patches and/or obtain software upgrades.
__________________________________________________________________________
    Critical Facts about Sun Security Patches and Software Upgrades


CIAC has received information from Sun Microsystems regarding the
availability of new and updated security patches for the SunOS
operating system.  Sun Microsystems has also announced the availability
of new versions of its DECnet Interface (DNI) and PC-NFS software
packages that correct security vulnerabilities of previous releases.


PATCH INFORMATION
=================

Sun security patches are available through your local Sun Answer Center
and via anonymous ftp.  In the U.S., ftp to ftp.uu.net and retrieve the
patches from the /systems/sun/sun-dist directory.  In Europe, ftp to
mcsun.eu.net and retrieve the patches from the /sun/fixes directory.
The patches are contained in compressed tarfiles named [patch].tar.Z.
For example, if you wish to obtain patch 100891-01, the corresponding
compressed tarfile would be named 100891-01.tar.Z.

Each compressed tarfile has been checksummed using the SunOS "sum"
command.  After retrieving each patch, the checksum should be recomputed
and compared to those listed in this bulletin.  If you find that the
checksum for a patch differs from those listed below, please contact
Sun Microsystems or CIAC for confirmation before using the patch.
To install the patches, follow the instructions contained in the README
files that accompany each patch.

Patches Providing New or Additional Security Features
=====================================================

The following patches are either new security patches or new versions of
existing patches that provide additional security features or support
additional Sun platforms.  CIAC recommends the installation of all
applicable security patches.

Patch      Checksum    SunOS Versions
-----      --------    --------------
100891-01  33195 3075  4.1.3
           libc replacement - Corrects insecure handling of netgroups
           and fixes a bug in xlock that could cause it to crash and
           leave the system unprotected.

100884-01  03775 2610  5.1 (Solaris 2.1)
           Closes security vulnerability with the srmmu window handler.

100833-02  49753 155   5.1 (Solaris 2.1)
           Required for use of Sun's unbundled Basic Security Module
           (BSM) with Solaris 2.1.

100623-03  56063 141   4.1.2, 4.1.3
           UFS Jumbo Patch - Non-random file handles can be guessed.  
           This patch should be applied after the most recent version
           of 100173.

100448-01  29285 5     4.1.1, 4.1.2, 4.1.3
           OpenWindows 3.0 loadmodule Patch - This release adds 
           support for SunOS 4.1.3.  Sites running SunOS 4.1.1 or 
           4.1.2 do not need to install this patch again if it was 
           previously installed.

100305-11  38582 500   4.1, 4.1.1, 4.1.2, 4.1.3
           This patch fixes incorrect user ID checking in
           /usr/ucb/lpr.

100121-09  57589 360   4.1
           NFS Jumbo Patch - This patch adds support for sun4e
           architectures.  Other architectures need not reinstall
           the patch if a previous version was installed.

Patches Updated with Non-security Features
==========================================

The following security patches have been updated with non-security
related enhancements.  Systems with previous versions of these patches
already installed do not need to install the new versions unless the
additional non-security related enhancements are desired.

Patch      Checksum    SunOS Versions
-----      --------    --------------
100513-02  34315 483   4.1, 4.1.1, 4.1.2, 4.1.3
           Jumbo tty Patch - This release fixes a tty bug that can
           cause system crashes.  Previous releases corrected a
           vulnerability that allowed console input and output
           to be redirected.

100482-04  06594 342   4.1, 4.1.1, 4.1.2, 4.1.3
           ypserv and ypxfrd security patch - Corrects incorrect
           DNS lookup failures when a host is up but has no
           nameserver running.  Previous releases of this patch 
           corrected a condition that allowed NIS to distribute maps,
           including the password map, to anyone.  Note: the 
           /var/yp/securenets configuration file cannot contain blank
           lines.

100452-28  07299 1688  4.1, 4.1.1, 4.1.2, 4.1.3
           XView 3.0 Jumbo Patch - This release fixes several 
           OpenWindows and XView bugs, including problems with 
           mailtool and filemgr.  Previous releases corrected a
           problem with cmdtool that allowed the disclosure of
           passwords.

100383-06  58984 121   4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3
           rdist Patch - This release allows /usr/ucb/rdist to 
           transfer hard linked files.  Previous releases of this 
           patch corrected a bug that allowed users to gain root 
           access.

100224-06  57647 54    4.1.1, 4.1.2, 4.1.3
           /bin/mail Jumbo Patch - This release corrects a problem
           that caused /bin/mail to crash.  Previous releases
           corrected a problem that allowed /bin/mail to be used to 
           invoke a root shell.

100173-10  48086 788   4.1.1, 4.1.2, 4.1.3
           NFS Jumbo Patch - This release corrects poor NFS write
           append performance.  Previous versions of this patch
           corrected a bug with the handling of setuid programs
           copied to NFS file systems.


DECnet Interface (DNI) Update
=============================
Versions of Sun's DNI product prior to 7.0.1 are known to have two 
security vulnerabilities:
  - dni_rc_ins creates an rc script with world writable permissions.
  - Files copied to VAX/VMS systems using dnicp are assigned
    incorrect permissions.  
To close the vulnerabilities, Sun recommends that you upgrade to DNI
version 7.0.1.  Sun has distributed the upgrade free of charge to all
customers with a DNI support contract.  Those customers not on
software support should obtain the upgrade through their standard Sun
sales channels.


PC-NFS Update
=============
The PC-NFS printing and authentication daemon pcnfsd allows
unauthorized access to the system.  It is recommended that sites with
pcnfsd installed upgrade to the latest version.

The latest version of pcnfsd may be obtained free of charge via
anonymous ftp from bcm.tmc.edu in the /pcnfs directory and from
src.doc.ic.ac.uk in the /pub/sun/pc-nfs directory in a file named
pcnfsd.93.02.16.tar.Z.


For additional information or assistance, please contact CIAC at 
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov.  FAX
messages to (510) 423-8002 / FTS.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

CIAC wishes to thank Ken Pon and Mark Allen of Sun Microsystems for
their assistance in the preparation of this bulletin.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
                          VENDOR RESTRICTED
                FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
       _____________________________________________________
               The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                      LIMITED DISTRIBUTION BULLETIN 

                (1) UNICOS Running MLS (update to CIAC D-07)
                (2) UNICOS Operator Group 

April 2, 1993, 1000 PST                                Number D-12

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX
messages to: (510) 423-8002.

For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070
(primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).

                          RESTRICTIONS: NONE 
        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                            ADVISORY NOTICE

                     wuarchive FTP daemon vulnerability 

April 09, 1993, 1030 PDT                                   Number D-13
__________________________________________________________________________
PROBLEM:  The wuarchive FTP daemon allows unauthorized access.
PLATFORM: UNIX systems running the wuarchive FTP daemon.
DAMAGE:   Unauthorized access to the system.
SOLUTION: Disable daemon, then patch or install new version.
__________________________________________________________________________
    Critical Facts about wuarchive FTP Daemon Vulnerability


CIAC has learned that Washington University's wuarchive FTP server
contains a serious security vulnerability, allowing any user (remote or
local) to gain access with the privileges of any user on the system,
including root. If you are running any version of the wuarchive server
prior to April 8, 1993, CIAC recommends that you disable it
immediately, then either apply the patch, or replace it with the new
version.

PATCH
-----
Apply the following patch to your existing wuarchive ftpd sources,
recompile and install.

*** ftpd.c.orig
--- ftpd.c
***************
*** 413,418 ****
--- 413,420 ----
                end_login();
        }
  
+       anonymous = 0;
+ 
        if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) {
                if (checkuser("ftp") || checkuser("anonymous")) {
                        reply(530, "User %s access denied.", name);
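Review bot: the new `anonymous = 0;` sits after the `end_login();` block and before the `strcasecmp(name, "ftp")` / `"anonymous"` comparison, so the flag is now cleared on every USER command instead of carrying over whatever value a previous USER command left in it; add a one-line comment above the assignment stating that the flag must be reset for every USER request, because a bare assignment with no explanation is easy for the next reader to move or drop during a merge, and the blank `+` line after it would then be the only hint that the two lines belong together.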

NEW VERSION
-----------
The new version is available for anonymous ftp from wuarchive.wustl.edu
(128.252.135.4) in the directory /packages/wuarchive-ftpd and from
irbis.llnl.gov (128.115.19.60) in /pub/util.  The file is named
wu-ftpd-2.0.tar.Z and has a checksum (obtained using the "sum" command)
of 56984 169. This release includes full documentation for installation
and configuration.  See wu-ftpd-2.0/INSTALL, wu-ftpd-2.0/NOTES and
wu-ftpd-2.0/doc/README for more information on how to install and
operate this ftp server.

For additional information or assistance, please contact CIAC at
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov.  FAX messages
to (510) 423-8002 / FTS.

CIAC would like to acknowledge the contributions of CERT Coordination
Center in the preparation of this bulletin.

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).
 


                          VENDOR RESTRICTED
                FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
       _____________________________________________________
               The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                      LIMITED DISTRIBUTION BULLETIN 

                (1) UNICOS Cleantmp Utility
                (2) UNICOS X11 Client xterm 

April 29, 1993, 1400 PDT                                Number D-14

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX
messages to: (510) 423-8002.

For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070
(primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).

            _____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
	    _____________________________________________________

		Vulnerability in Cisco Routers used as Firewalls
 
May 12, 1993 1500 PDT                                           Number D-15
__________________________________________________________________________
PROBLEM:   Under certain circumstances, Cisco routers will pass IP source
           routed packets that should be denied.
PLATFORM:  Cisco routers -- software releases 8.2, 8.3, 9.0, 9.1, and 9.17.
DAMAGE:    Unauthorized packets may be passed.
SOLUTION:  Apply upgrade or use access lists.
__________________________________________________________________________

        Critical Information about vulnerability in Cisco routers

CIAC has learned that under certain circumstances Cisco routers will
pass IP source routed packets that should be denied, potentially
passing unauthorized packets.  This vulnerability affects Cisco
routers with software releases 8.2, 8.3, 9.0, 9.1, and 9.17 using the
"no IP source-route" command.  CIAC recommends that sites using Cisco
routers for firewall protection apply upgrades as indicated below.  If
you are unable to upgrade immediately, you may use access lists to deny
unauthorized packets.

This vulnerability is fixed in Cisco software releases 8.3(7.2),
9.0(5), 9.1(4), 9.17(2.1), and all later releases.  Sites using
release 8.2 need to upgrade to a later release; release 8.3 should
apply update (8); release 9.0, update (5); release 9.1, update (4);
and release 9.17, update (3).  Those customers having a maintenance
contract may obtain these releases through Cisco's Customer
Information On-Line (CIO).  Other customers may obtain them through
Cisco's Technical Assistance Center (800.553.2447 -- Internet:
tac@cisco.com) or by contacting their local Cisco distributor.
Contact Cisco's Technical Assistance Center for more information.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002/FTS.

CIAC wishes to thank the CERT Coordination Center for the information
used in this bulletin.

Previous CIAC Bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).


This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.


            _____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
	    _____________________________________________________

                               ADVISORY NOTICE

                   Vulnerability in SunOS expreserve Utility
 
June 11, 1993 0001 PDT                                         Number D-16
__________________________________________________________________________
PROBLEM:   The expreserve utility allows unauthorized access to system
           files.
PLATFORM:  Sun workstations running SunOS versions 4.1, 4.1.1, 4.1.2, 
           4.1.3, 5.0, 5.1, and 5.2.
DAMAGE:    Local users can gain root access.
SOLUTION:  Disable expreserve immediately, then install patch from Sun.
__________________________________________________________________________

         Critical Information about the expreserve Vulnerability

CIAC has learned that the expreserve utility in SunOS versions 4.1,
4.1.1, 4.1.2, 4.1.3, 5.0, 5.1, and 5.2 contains a serious
vulnerability that allows any file on the system to be overwritten.
This vulnerability can be used to obtain root access to the system.
CIAC strongly recommends that the expreserve utility be disabled
immediately, and that patched versions be installed as they become
available.  Sun Microsystems has released patch 101080-01 which
corrects the vulnerability in SunOS 4.x systems.  CIAC will announce
future patches as they become available.

Disabling expreserve
--------------------
To prevent use of the expreserve utility, execute the following command
as root:

                  /bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover vi editor files
when vi terminates unexpectedly.  Disabling expreserve will disable
this recovery feature.  Users of vi should be advised of this
temporary change and encouraged to save their work frequently.

Patching SunOS version 4.x
--------------------------
Sun Microsystems has made available a patched version of expreserve
for SunOS Versions 4.1, 4.1.1, 4.1.2, and 4.1.3 that corrects this
vulnerability.  It is available both through your local Sun Answer
Center and anonymous ftp.  In the U.S., ftp to ftp.uu.net and retrieve
the file /systems/sun/sun-dist/101080-01.tar.Z.  In Europe, ftp to
mcsun.eu.net and retrieve the file /sun/fixes/101080-01.tar.Z.  After
retrieving the patch, its checksum may be verified using the following
command:

                     /bin/sum 101080-01.tar.Z

The sum command should return a checksum of 45221 13.  Note that Sun
Microsystems occasionally updates patch files, resulting in a changed
checksum.  Should you find that your checksum differs, please contact
CIAC or Sun Microsystems for verification before installing the
patch.

The patch may be extracted using the following commands:

                  /usr/ucb/uncompress 101080-01.tar.Z
                  /bin/tar xvf 101080-01.tar

To install the patch on your system, follow the instructions contained
in the README file that accompanies the patch.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002/FTS.

CIAC wishes to acknowledge the contributions of the CERT Coordination
Center and Sun Microsystems in the preparation of this bulletin.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP 128.115.19.60).


                          VENDOR RESTRICTED
                FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
       _____________________________________________________
               The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                      LIMITED DISTRIBUTION BULLETIN 

June 17, 1993, 1500 PDT                                Number D-17

If you require additional assistance or wish to report a vulnerability,
call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX
messages to: (510) 423-8002.

For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070
(primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).

            _____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
	    _____________________________________________________

                             INFORMATION BULLETIN

                  Solaris 2.x expreserve patches available
 
July 1, 1993 0900 PDT                                         Number D-18
__________________________________________________________________________
PROBLEM:   The expreserve utility allows unauthorized access to system
           files.
PLATFORM:  Sun workstations running Solaris 2.0, 2.1, and 2.2 
           (SunOS 5.0, 5.1, and 5.2).
DAMAGE:    Local users can gain root access.
SOLUTION:  Disable expreserve immediately, then install patch from Sun.
__________________________________________________________________________

         Critical Information about the expreserve Vulnerability

CIAC has learned that Sun Microsystems has released three new security
patches for Solaris 2.x systems to remove the vulnerability in the
expreserve utility described in CIAC Advisory D-16.  This vulnerability
allows local users to overwrite the contents of any file, regardless
of file ownership, and can be used to obtain root access to the system.
CIAC continues to recommend that the expreserve utility be disabled
until the appropriate patched version can be installed.

Disabling expreserve
--------------------
To prevent use of the expreserve utility, execute the following command
as root:

                  /bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover editor files when
vi, ex, or edit terminate unexpectedly.  Disabling expreserve will
disable this recovery feature.  Users of these editors should be
advised of this temporary change and encouraged to save their work
frequently.

Patching Solaris 2.x (SunOS 5.x)
--------------------------------
Sun Microsystems has released three Solaris 2.x expreserve patches:

                                             Checksums
    Patch ID     Solaris Version    /usr/bin/sum    /usr/ucb/sum
    ---------    ---------------    ------------    ------------
    101119-01      Solaris 2.0        61863 54        47944 27
    101089-01      Solaris 2.1         4501 54        07227 27
    101090-01      Solaris 2.2        44985 54        02491 27

These patches, along with all other Sun security patches, are
available both through your local Sun Answer Center and anonymous
ftp.  In the U.S., ftp to ftp.uu.net and retrieve the patches from the
directory /systems/sun/sun-dist.  In Europe, ftp to mcsun.eu.net and
retrieve the patches from the /sun/fixes directory.

After retrieving a patch, its checksum may be verified using the sum
command.  Note that Sun Microsystems occasionally updates patch files,
resulting in a changed checksum.  Should you find that your checksums
differ, please contact CIAC or Sun Microsystems for verification
before installing the patch.
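The checksum comparison that D-11 (patch information), D-16 (/bin/sum on 101080-01.tar.Z) and the table above ask for, as an added example that is not part of the CIAC bulletins or of Sun's tools: Python reimplementations of the two "sum" algorithms, plus a comparison of a downloaded file against the "checksum blocks" string printed in a bulletin. It assumes that /usr/bin/sum in the table is the System V algorithm (512-byte blocks) and /usr/ucb/sum the BSD algorithm (1024-byte blocks); the sample bytes are constructed, not a real patch.

```python
"""Recompute SunOS-style 'sum' checksums for a downloaded patch tarfile and
compare them with the values printed in a CIAC bulletin.

Added example, not CIAC or Sun code.  Assumptions:
  - /usr/bin/sum (Solaris 2.x) is the System V algorithm: 16-bit sum of
    all bytes with end-around carry, block count in 512-byte blocks.
  - /usr/ucb/sum is the BSD algorithm: 16-bit rotate-right-then-add,
    block count in 1024-byte blocks.
Both match GNU coreutils 'sum -s' and 'sum -r' respectively.
"""
from pathlib import Path
from typing import Tuple


def sysv_sum(data: bytes) -> Tuple[int, int]:
    """System V 'sum': returns (checksum, number_of_512_byte_blocks)."""
    total = sum(data) & 0xFFFFFFFF          # 32-bit accumulator, as in C
    r = (total & 0xFFFF) + (total >> 16)    # fold high half into low half
    checksum = (r & 0xFFFF) + (r >> 16)     # fold the carry once more
    blocks = (len(data) + 511) // 512
    return checksum, blocks


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """BSD 'sum': returns (checksum, number_of_1024_byte_blocks)."""
    checksum = 0
    for byte in data:
        # rotate the 16-bit checksum right by one bit, then add the byte
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def parse_bulletin_checksum(text: str) -> Tuple[int, int]:
    """Parse a bulletin entry such as '03775 2610' into (checksum, blocks).

    Leading zeros (SunOS prints the checksum with %05d) are accepted
    because the comparison is numeric, not textual.
    """
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"expected 'checksum blocks', got {text!r}")
    return int(fields[0]), int(fields[1])


def verify_patch(data: bytes, expected: str, algorithm: str = "sysv") -> bool:
    """True only when BOTH the checksum and the block count match.

    Checking the block count too catches a truncated or padded download
    whose 16-bit checksum happens to collide with the published value.
    """
    compute = {"sysv": sysv_sum, "bsd": bsd_sum}[algorithm]
    return compute(data) == parse_bulletin_checksum(expected)


def verify_patch_file(path: str, expected: str, algorithm: str = "sysv") -> bool:
    """Convenience wrapper: verify a file on disk, e.g. '101089-01.tar.Z'."""
    return verify_patch(Path(path).read_bytes(), expected, algorithm)


if __name__ == "__main__":
    # Constructed stand-in for a patch tarfile; the "bulletin value" below
    # is simply what these bytes sum to, not a real Sun checksum.
    sample = b"\x01\x02\x03"
    print("System V:", sysv_sum(sample), " BSD:", bsd_sum(sample))
    print("matches bulletin entry '00006 1':", verify_patch(sample, "00006 1"))
    # A mismatch means: do not install; contact Sun or CIAC first.
    print("matches wrong entry '6 2':", verify_patch(sample, "6 2"))
```

For a real download, `verify_patch_file("101089-01.tar.Z", "4501 54")` and `verify_patch_file("101089-01.tar.Z", "07227 27", "bsd")` should both return True for the Solaris 2.1 patch in the table; a False from either means the file differs from what the bulletin describes.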

To install the patch on your system, follow the instructions contained
in the README file that accompanies the patch.

For additional information or assistance, please contact CIAC at
(510)422-8193 or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002.

Previous CIAC bulletins and other information are available via
anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC wishes to acknowledge the contributions of Sun Microsystems in
the preparation of this bulletin.



            _____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
	    _____________________________________________________

                             INFORMATION BULLETIN

                 Wide-spread Attacks on Anonymous FTP Servers
 
July 15, 1993 1100 PDT                                         Number D-19
__________________________________________________________________________
PROBLEM:   Wide-spread abuse of anonymous FTP servers.
PLATFORM:  All systems supporting TCP/IP networking and anonymous FTP.
DAMAGE:    Unauthorized access to data, denial of service.
SOLUTION:  Verify that anonymous FTP has been properly configured.
__________________________________________________________________________

      Critical Information about Attacks on Anonymous FTP Servers

The CERT Coordination Center has released the enclosed advisory
describing a large number of attacks on improperly configured
anonymous FTP servers.  The attacks described can result in compromise
of the system, excessive use of disk space resulting in denial of
service, or the transfer of sensitive or copyrighted information.
CIAC recommends that sites examine local systems to ensure that any
operating FTP servers are configured in a secure fashion.

Please note that while the CERT Advisory primarily addresses the
configuration of anonymous FTP on UNIX systems, a number of other
operating systems also support FTP servers, including OpenVMS using
packages such as MultiNet, and MS-DOS and Macintosh systems using
communications software such as NCSA Telnet or FTPd.  The
configuration of FTP servers on these machines also requires careful
attention in order to avoid unauthorized or undesired use.

CIAC recommends the following guidelines for the configuration of
FTP servers:

  1.  If a system has no need to provide FTP service for other
      machines on the network, the server should be disabled.  This
      will prevent unauthorized access to the system using FTP.

      For example, to disable NCSA Telnet's FTP server, place the
      statement "ftp=no" in the configuration file config.tel.  On
      most UNIX systems, removing the line for ftpd from the file
      /etc/inetd.conf and then restarting inetd will disable the FTP
      server.

  2.  If an FTP server is necessary, the need for anonymous service
      should be evaluated.  Anonymous FTP allows access to some of
      the system's file space without requiring a password for
      authentication, and unless carefully controlled can lead to
      abuse of the system.  If an anonymous FTP server is not 
      required on a particular host, that feature should be disabled.

      Both MultiNet on OpenVMS systems and the FTP software on most
      UNIX systems disable anonymous service by default.  An account
      with username "ftp" ("ANONYMOUS" in MultiNet) must be created
      before anonymous logins will be accepted.  The converse is true
      of NCSA Telnet; unauthenticated logins are accepted by default
      when the FTP server is enabled.  A file containing authorized
      usernames and passwords must be created using the telpass
      utility in order to disable anonymous connections.

  3.  If an anonymous FTP server is necessary, the access of
      anonymous connections should be restricted to a carefully
      controlled number of files and the ability of a remote user to
      store files on the server should be disabled or limited.

      For example, the Macintosh program FTPd allows access controls
      to be specified for each user, including anonymous users.  The
      set of accessible drives, folders, and files that a user is
      permitted to work with, as well as the operations that they
      may perform, can be carefully controlled, thus avoiding
      unwanted or unauthorized access.
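
As an added example for guideline 1 (not code from the CIAC bulletin), the
following POSIX shell functions disable a service in an inetd.conf-style
file and check whether it is still active.  The path to the configuration
file is a parameter so the change can be rehearsed on a copy first.  Sending
inetd a SIGHUP afterwards is what makes the change take effect on a live
system; the functions leave that step to the administrator, and the pid
file location named in the comment is an assumption.

```shell
#!/bin/sh
# Added example for CIAC D-19 guideline 1; not code from CIAC.
# Works on inetd.conf-style files: the service name is the first
# field of each line, and a leading "#" disables a line.

# Exit 0 if an active (uncommented) line for $2 exists in $1, else 1.
# The whole first field must match, so asking about "ftp" does not
# report a "tftp" line, and "#ftp ..." counts as already disabled.
inetd_service_enabled() {
    conf=$1 service=$2
    awk -v svc="$service" '$1 == svc { found = 1 } END { exit !found }' "$conf"
}

# Comment out every active line for $2 in $1 and print how many lines
# were changed (0 means the service was already disabled or absent).
# The file is rewritten through "cat >" rather than mv so that its
# owner and mode are preserved.
disable_inetd_service() {
    conf=$1 service=$2
    changed=$(awk -v svc="$service" '$1 == svc { n++ } END { print n + 0 }' "$conf")
    if [ "$changed" -gt 0 ]; then
        awk -v svc="$service" '$1 == svc { $0 = "#" $0 } { print }' "$conf" > "$conf.tmp" &&
            cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
        # On the live /etc/inetd.conf, make inetd re-read its configuration:
        #   kill -HUP "$(cat /var/run/inetd.pid)"
        # (pid file path is an assumption; on older systems locate inetd with ps)
    fi
    echo "$changed"
}
```

Run it on a copy first: "cp /etc/inetd.conf /tmp/inetd.conf; disable_inetd_service
/tmp/inetd.conf ftp" and diff the result against the original before touching
the live file.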

For additional information or assistance with the configuration of a
specific FTP server, please contact CIAC at (510) 422-8193 or send
E-mail to ciac@llnl.gov.  FAX messages to (510) 423-8002.

[Beginning of CERT Advisory]
===========================================================================
CA-93:10                        CERT Advisory
                                July 14, 1993
                            Anonymous FTP Activity

---------------------------------------------------------------------------

The CERT Coordination Center has been receiving a continuous stream of 
reports from sites that are experiencing unwanted activities within their 
anonymous FTP areas.  We recognize that this is not a new problem, and we 
have been striving to handle requests for assistance on a one-to-one basis 
with the reporting administrator. However, since this activity does not seem 
to be diminishing, CERT believes that a broad distribution of information 
concerning this problem and corresponding solution suggestions should help 
to address the widespread nature of this activity.

We are seeing three types of activity regarding anonymous FTP areas.

   A. Improper configurations leading to system compromise.

   B. Excessive transfer of data causing deliberate over-filling of
      disk space thus leading to denial of service.

   C. Use of writable areas to transfer copyrighted software and other
      sensitive information.

This advisory provides an updated version of the anonymous FTP configuration
guidelines that is available from CERT.  The purpose of these guidelines is
to assist system administrators at sites that offer anonymous FTP services.
These guidelines are intended to aid a system administrator in configuring
anonymous FTP capabilities so as to minimize unintended use of services or
resources.  Systems administrators should be aware that anonymous FTP
capabilities should be configured and managed according to the policies
established for their site.

You may obtain future copies of these guidelines through anonymous FTP from
cert.org in /pub/tech_tips/anonymous_ftp.

---------------------------------------------------------------------------


		ANONYMOUS FTP CONFIGURATION GUIDELINES

Anonymous FTP can be a valuable service if correctly configured and
administered. The first section of this document provides general guidance in
initial configuration of an anonymous FTP area.  The second section addresses
the issues and challenges involved when a site wants to provide writable
directories within their anonymous FTP areas. The third section provides
information about previous CERT advisories related to FTP services.

The following guidelines are a set of suggested recommendations that have been
beneficial to many sites. CERT recognizes that there will be sites that have
unique requirements and needs, and that these sites may choose to implement
different configurations.

I.  Configuring anonymous FTP

    A. FTP daemon

       Sites should ensure that they are using the most recent version
       of their FTP daemon.

    B. Setting up the anonymous FTP directories

       The anonymous FTP root directory (~ftp) and its subdirectories 
       should not be owned by the ftp account or be in the same group as
       the ftp account.  This is a common configuration problem.  If any of 
       these directories are owned by ftp or are in the same group as the 
       ftp account and are not write protected, an intruder will be able to 
       add files (such as a .rhosts file) or modify other files.  Many sites
       find it acceptable to use the root account.  Making the ftp root 
       directory and its subdirectories owned by root, part of the system 
       group, and protected so that only root has write permission will help 
       to keep your anonymous FTP service secure.

       Here is an example of an anonymous FTP directory setup:

           drwxr-xr-x  7   root    system  512 Mar 1       15:17 ./
           drwxr-xr-x 25   root    system  512 Jan 4       11:30 ../
           drwxr-xr-x  2   root    system  512 Dec 20      15:43 bin/
           drwxr-xr-x  2   root    system  512 Mar 12      16:23 etc/
           drwxr-xr-x 10   root    system  512 Jun 5       10:54 pub/

       Files and libraries, especially those used by the FTP daemon and
       those in ~ftp/bin and ~ftp/etc, should have the same protections
       as these directories.  They should not be owned by ftp or be in the 
       same group as the ftp account; and they should be write protected.
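
An added audit script (not from the CERT advisory) that lists the conditions
section I.B warns about in an anonymous FTP tree: anything owned by the ftp
account, anything in the ftp account's group, and anything writable by group
or other.  The ftp root and the account and group names are parameters;
"ftp" is assumed for both names when they are omitted, and the owner and
group checks are skipped when those names do not exist on the host, so the
script also runs against a test copy of the tree.

```shell
#!/bin/sh
# Added example for CERT CA-93:10 section I.B; not CERT's own code.
# Usage: audit_ftp_tree /path/to/ftp-root [ftp_user] [ftp_group]
# Prints one finding per line, prefixed with the reason; prints
# nothing when the tree is clean.

audit_ftp_tree() {
    root=$1
    ftp_user=${2:-ftp}
    ftp_group=${3:-ftp}

    # 1. Objects owned by the ftp account, or in its group.  An anonymous
    #    session runs with that uid and gid, so an intruder can modify or
    #    replace such objects wherever the mode lets owner or group write
    #    (drop a .rhosts, or trojan ~ftp/bin/ls).  find(1) aborts on an
    #    unknown user or group name, so only test names that exist here.
    if id "$ftp_user" >/dev/null 2>&1; then
        find "$root" -user "$ftp_user" -print | sed 's/^/owned-by-ftp: /'
    fi
    if grep -q "^$ftp_group:" /etc/group 2>/dev/null; then
        find "$root" -group "$ftp_group" -print | sed 's/^/in-ftp-group: /'
    fi

    # 2. Anything writable by group (020) or other (002).  Only root should
    #    be able to write ~ftp, ~ftp/bin, ~ftp/etc and their contents.  A
    #    deliberate drop-off directory (~ftp/incoming) is expected to show
    #    up here; it is listed rather than excluded so the administrator
    #    sees exactly which writable areas exist.
    find "$root" \( -perm -020 -o -perm -002 \) -print | sed 's/^/writable: /'
}
```

A clean tree produces no output at all; on a production server the only
expected lines are "writable:" entries for the drop-off directories you
created on purpose.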

    C. Using proper password and group files

       We strongly advise that sites not use the system's /etc/passwd file as 
       the password file or the system's /etc/group as the group file in the 
       ~ftp/etc directory.  Placing these system files in the ~ftp/etc 
       directory will permit intruders to get a copy of these files. 
       These files are optional and are not used for access control.

       We recommend that you use a dummy version of both the ~ftp/etc/passwd 
       and ~ftp/etc/group files. These files should be owned by root. The
       dir command uses these dummy versions to show owner and group
       names of the files and directories instead of displaying arbitrary 
       numbers.

       Sites should make sure that the ~ftp/etc/passwd file contains no 
       account names that are the same as those in the system's /etc/passwd 
       file.  These files should include only those entries that are relevant 
       to the FTP hierarchy or needed to show owner and group names.  (The
       "ftp" account itself is the one name that necessarily appears in both,
       since anonymous logins require it in the system's /etc/passwd; CERT's
       own example below includes it.)  In addition, ensure that the password
       field has been cleared.  The examples below show the use of asterisks
       (*) to clear the password field.

       Below is an example of a passwd file from the anonymous FTP area on
       cert.org:

           ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
           cops:*:3271:20:COPS Distribution::
           cert:*:9920:20:CERT::
           tools:*:9921:20:CERT Tools::
           ftp:*:9922:90:Anonymous FTP::
           nist:*:9923:90:NIST Files::

       Here is an example group file from the anonymous FTP area on cert.org:

           cert:*:20:
           ftp:*:90:
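
As an added check (not part of the CERT advisory), the following shell
function compares a dummy ~ftp/etc/passwd and ~ftp/etc/group against the
system files, reporting account or group names that also exist on the system
and any password field that is not "*".  All four files are passed as paths
so it can be run against copies.  Because the "ftp" name legitimately
appears in both files (see above), an overlap report is something to review,
not automatically an error.

```shell
#!/bin/sh
# Added example for CERT CA-93:10 section I.C; not CERT's own code.
# Usage: check_ftp_passwd /etc/passwd ~ftp/etc/passwd /etc/group ~ftp/etc/group
# Prints each finding on its own line and returns 1 if there were any,
# 0 if the dummy files look right.

check_ftp_passwd() {
    sys_passwd=$1 ftp_passwd=$2 sys_group=$3 ftp_group=$4

    findings=$(
        # Names present in both files: the dummy file then doubles as a
        # list of real logins for an intruder to attack.  The first file
        # is loaded into an array, the second is checked against it.
        awk -F: 'FILENAME == ARGV[1] { sys[$1] = 1; next }
                 ($1 in sys) { print "name also in system passwd: " $1 }' \
            "$sys_passwd" "$ftp_passwd"

        # Password fields that are anything but "*": either a real hash
        # was copied over from /etc/passwd, or the field was left empty.
        awk -F: '$2 != "*" { print "password field not cleared: " $1 }' "$ftp_passwd"

        # The same two checks on the group files.
        awk -F: 'FILENAME == ARGV[1] { sys[$1] = 1; next }
                 ($1 in sys) { print "group also in system group file: " $1 }' \
            "$sys_group" "$ftp_group"
        awk -F: '$2 != "*" { print "group password field not cleared: " $1 }' "$ftp_group"
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

The ownership and write protection of the two dummy files are covered by the
tree audit in section I.B above; this check only looks at their contents.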


II. Providing writable directories in your anonymous FTP configuration

    There is a risk to operating an anonymous FTP service that permits 
    users to store files.  CERT strongly recommends that sites do not 
    automatically create a "drop off" directory unless thought has been 
    given to the possible risks of having such a service.  CERT has received 
    many reports where these directories have been used as "drop off" 
    directories to distribute bootlegged versions of copyrighted software or 
    to trade information on compromised accounts and password files.  CERT 
    has also received numerous reports of files systems being maliciously 
    filled causing denial of service problems.  

    This section discusses three ways to address these problems. The first is 
    to use a modified FTP daemon. The second method is to provide restricted 
    write capability through the use of special directories. The third method
    involves the use of a separate directory.

    A. Modified FTP daemon

       If your site is planning to offer a "drop off" service, CERT suggests 
       using a modified FTP daemon that will control access to the "drop off" 
       directory.  This is the best way to prevent unwanted use of writable
       areas. Some suggested modifications are:

       1. Implement a policy where any file dropped off cannot 
          be accessed until the system manager examines the file 
          and moves it to a public directory.
       2. Limit the amount of data transferred in one session.
       3. Limit the overall amount of data transferred based on 
          available disk space.
       4. Increase logging to enable earlier detection of abuses.

       For those interested in modifying the FTP daemon, source code is 
       usually available from your vendor. Public domain sources are 
       available from:

          wuarchive.wustl.edu   ~ftp/packages/wuarchive-ftpd
          ftp.uu.net            ~ftp/systems/unix/bsd-sources/libexec/ftpd
          gatekeeper.dec.com    ~ftp/pub/DEC/gwtools/ftpd.tar.Z

       The CERT Coordination Center has not formally reviewed, evaluated, 
       or endorsed the FTP daemons described.  The decision to use the FTP 
       daemons described is the responsibility of each user or organization, 
       and we encourage each organization to thoroughly evaluate these 
       programs before installation or use. 

    B. Using protected directories

       If your site is planning to offer a "drop off" service and is unable 
       to modify the FTP daemon, it is possible to control access by using a 
       maze of protected directories.  This method requires prior coordination
       and cannot guarantee protection from unwanted use of the writable FTP 
       area, but has been used effectively by many sites.

       Protect the top level directory (~ftp/incoming) giving only execute 
       permission to the anonymous user (chmod 751 ~ftp/incoming).  This will 
       permit the anonymous user to change directory (cd), but will not allow 
       the user to view the contents of the directory.

           drwxr-x--x  4   root    system  512 Jun 11      13:29 incoming/

       Create subdirectories in the ~ftp/incoming using names known only 
       between your local users and the anonymous users that you want to 
       have "drop off" permission.  The same care used in selecting passwords
       should be taken in selecting these subdirectory names because the 
       object is to choose names that cannot be easily guessed.  Please do not
       use our example directory names of jAjwUth2 and MhaLL-iF.

           drwxr-x-wx 10   root    system  512 Jun 11      13:54 jAjwUth2/
           drwxr-x-wx 10   root    system  512 Jun 11      13:54 MhaLL-iF/

       This will prevent the casual anonymous FTP user from writing files in 
       your anonymous FTP file system.  It is important to realize that this 
       method does not protect a site against the result of intentional or 
       accidental disclosure of the directory names.  Once a directory name 
       becomes public knowledge, this method provides no protection at all 
       from unwanted use of the area.  Should a name become public, a site 
       may choose to either remove or rename the writable directory.
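
The following added shell function (not CERT's code) builds a drop-off area
as section II.B describes: ~ftp/incoming with mode 751, so anonymous users
can cd into it but not list it, and under it a subdirectory with mode 753
whose name is 16 hex characters read from /dev/urandom rather than something
guessable.  It only sets modes; the chown to root that the advisory calls
for is shown as a comment because it needs root, the group name "system" in
that comment is taken from the advisory's listing, and the ftp root path is
a parameter.

```shell
#!/bin/sh
# Added example for CERT CA-93:10 section II.B; not CERT's own code.
# Usage: make_dropoff /path/to/ftp-root   -> prints the new directory

make_dropoff() {
    ftp_root=$1
    incoming=$ftp_root/incoming

    # Top level: rwx r-x --x.  "x" without "r" lets the anonymous user
    # change into the directory but not list it, so the secret names
    # created below cannot be discovered with ls or dir.
    mkdir -p "$incoming"
    chmod 751 "$incoming"

    # 8 bytes from the kernel RNG as 16 hex characters (64 bits).  The
    # advisory compares these names to passwords: never reuse its
    # samples, a product name, or anything a visitor could guess.
    name=$(od -A n -t x1 -N 8 /dev/urandom | tr -d ' \n')
    dir=$incoming/$name

    # Drop-off directory: rwx r-x -wx.  Anonymous users can cd in and
    # create files, but cannot list what others have left there.
    mkdir "$dir"
    chmod 753 "$dir"

    # As root, also give both directories to root so the ftp uid cannot
    # change their modes (group "system" as in the advisory's listing):
    #   chown root:system "$incoming" "$dir"

    printf '%s\n' "$dir"
}
```

Hand the printed name to the remote party out of band, and remember the
advisory's caveat: once the name leaks, remove or rename the directory.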

    C. Using a single disk drive

       If your site is planning to offer a "drop off" service and is
       unable to modify the FTP daemon, it may be desirable to limit
       the amount of data transferred to a single file system mounted
       as ~ftp/incoming.

       If possible, dedicate a disk drive and mount it as ~ftp/incoming.
       If this dedicated disk becomes full, it will not cause a denial
       of service problem.

       The system administrator should monitor this directory (~ftp/incoming)
       on a continuing basis to ensure that it is not being misused.


III. Related CERT Advisories

    The following CERT Advisories directly relate to FTP daemons or impact
    on providing FTP service:

        CA-93:06.wuarchive.ftpd.vulnerability
        CA-92:09.AIX.anonymous.ftp.vulnerability
        CA-88:01.ftpd.hole

    Past advisories are available for anonymous FTP from cert.org.


Copyright (c) Carnegie Mellon University 1993



---------------------------------------------------------------------------
[End of CERT Advisory]

Previous CIAC Bulletins and other information are available via
anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.

          _____________________________________________________
               The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          _____________________________________________________

                           INFORMATION BULLETIN

                     Summary of SunOS Security Patches
 
August 6, 1993 1200 PDT                                        Number D-20
__________________________________________________________________________
PROBLEM:   Security vulnerabilities in all versions of SunOS.
PLATFORM:  All Sun Microsystems workstations.
DAMAGE:    Unauthorized access to system and files, denial of service.
SOLUTION:  Apply appropriate security patches.
__________________________________________________________________________
	
          Critical Information about SunOS Security Patches

This bulletin is an update to CIAC Bulletin C-29.

CIAC has compiled a list of all security related patches currently available
from Sun Microsystems.  The patches have been grouped by SunOS version and
are detailed below.  CIAC recommends the installation of any applicable
patches that either are not currently present on a system or are present in
the form of an older version of the patch.

Sun security patches are available through both your Sun Answer Center and
anonymous FTP.  In the U.S., ftp to ftp.uu.net (IP 192.48.96.9) and retrieve
the patches from the directory /systems/sun/sun-dist.  In Europe, ftp to
mcsun.eu.net (IP 192.16.202.1) and retrieve the patches from the /sun/fixes
directory.  The patches are contained in compressed tarfiles with filenames
based on the ID number of the patch (e.g. patch 100085-03 is contained in the
file 100085-03.tar.Z), and must be retrieved using FTP's binary transfer
mode.

After obtaining the patches, compute the checksum of each compressed tarfile
and compare with the values indicated below.  For example, the command
"/usr/bin/sum 100085-03.tar.Z" should return "44177 740".  The two numbers
in each Checksum column are the output of SunOS /usr/bin/sum: the 16-bit
BSD checksum followed by the file's size in 1K blocks.  A sum command that
uses the System V algorithm (GNU sum without its -r option, for example)
reports different numbers, so compare only against BSD-style output.  Please
note that Sun Microsystems occasionally updates patch files, resulting in a
changed checksum.  If you should find a checksum that differs from those
listed below, please contact Sun Microsystems or CIAC for verification before
using the patch.

The patches may be extracted from the compressed tarfiles using the commands
uncompress and tar.  For example, to extract patch 100085-03 from the
compressed tarfile 100085-03.tar.Z, execute the commands "uncompress
100085-03.tar.Z" and "tar xvf 100085-03.tar".

For specific instructions regarding the installation of a particular patch,
consult the README file accompanying each patch.  As multiple patches may
affect the same files, it is recommended that patches be installed
chronologically by revision date, with the exception of patches for which an
explicit order is specified.
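
As an added example (not from the CIAC bulletin), the functions below
reproduce the checksum check the bulletin describes and run it over a whole
table.  bsd_sum implements the algorithm behind SunOS /usr/bin/sum with od
and awk (16-bit rotate-and-add checksum, size in 1K blocks rounded up), so
the listed values can be checked on any POSIX system, including one whose
sum defaults to the System V algorithm.  verify_patch_table reads lines in
the layout of the tables below (patch ID, revision date, checksum, blocks,
description) and expects each tarfile as ID.tar.Z in a directory you name;
that file naming follows the bulletin, the table file itself is something
you extract from it.

```shell
#!/bin/sh
# Added example for CIAC D-20; not CIAC's or Sun's code.

# BSD sum(1) as used on SunOS 4: for each byte, rotate the 16-bit
# checksum right by one bit and add the byte; the block count is the
# size in 1024-byte blocks, rounded up.  Output "ccccc b" like /usr/bin/sum.
bsd_sum() {
    od -A n -t u1 -v "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              c = int(c / 2) + (c % 2) * 32768   # rotate right: bit 0 -> bit 15
              c = (c + $i) % 65536
              n++
          } }
        END { printf "%05d %d\n", c, int((n + 1023) / 1024) }'
}

# Compare one tarfile with the checksum and block count from the table.
# Numeric comparison (-eq) so "06627" in the table matches "6627" too.
verify_patch() {
    file=$1 exp_sum=$2 exp_blocks=$3
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    set -- $(bsd_sum "$file")
    if [ "$1" -eq "$exp_sum" ] && [ "$2" -eq "$exp_blocks" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: got $1 $2, listed $exp_sum $exp_blocks"
    return 1
}

# Check every entry of a table file ($1) against tarfiles in $2.  Returns
# 0 only if every patch is present and matches; a changed checksum is
# something to take up with Sun or CIAC before the patch is installed.
verify_patch_table() {
    table=$1 dir=$2 bad=0
    while read -r id rev csum blocks rest; do
        case $id in ''|'#'*) continue ;; esac
        verify_patch "$dir/$id.tar.Z" "$csum" "$blocks" || bad=$((bad + 1))
    done < "$table"
    [ "$bad" -eq 0 ]
}
```

On a GNU system "sum -r FILE" prints the same checksum and block count as
bsd_sum and can be used as a cross-check; the plain "sum" there is the
System V variant and will not match the bulletin.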


=======================
SunOS 5.2 (Solaris 2.2)
=======================
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
101090-01   28-Jun-93    44985   54  expreserve can overwrite any file


=======================
SunOS 5.1 (Solaris 2.1)
=======================
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100833-02   12-Jan-93    24412  309  C2 auditing missing in some programs
100840-01   12-Jan-93    25050  220  sendmail bypasses mailhost
100884-01   12-Feb-93    63299 5220  Security fixes for sun4m machines
101089-01   28-Jun-93    4501    54  expreserve can overwrite any file


=======================
SunOS 5.0 (Solaris 2.0)
=======================
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100723-01   24-Aug-92    49406    2  Incorrect permissions after install
101119-01   28-Jun-93    61863   54  expreserve can overwrite any file


===========
SunOS 4.1.3
===========
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100448-01   10-Dec-91    29285    5  OpenWindows 3.0 loadmodule hole
100478-01   14-Feb-92    64588   58  OpenWindows 3.0 xlock vulnerability
100296-04   18-Jun-92    42492   40  File systems exported incorrectly
100507-04    3-Sep-92    57590   61  tmpfs file system vulnerability
100372-02    8-Sep-92    22739  712  tfs fails under C2
100377-05   15-Sep-92    29141 1076  sendmail security holes
100103-11   29-Sep-92    19847    6  Permissions incorrect on many files
100567-04   27-Oct-92    15728   11  ICMP packets can be forged
100564-05   11-Nov-92    00115  824  C2 jumbo patch
100482-04   16-Nov-92    06594  342  ypserv will send NIS maps to anyone
100513-02    2-Dec-92    34315  483  Console can be redirected
100623-03   11-Dec-92    56063  141  NFS file handles can be guessed
100173-10    7-Jan-93    48086  788  NFS jumbo patch
100383-06   26-Jan-93    58984  121  rdist can create setuid root files
100452-28   29-Jan-93    07299 1688  cmdtool may reveal passwords
100305-11   12-Feb-93    38582  500  The lp daemon can delete system files
100891-01   19-Feb-93    33195 3075  Netgroup and xlock vulnerabilities
100224-06    5-Mar-93    57647   54  mail and rmail can invoke root shells
101080-01    9-Jun-93    45221   13  expreserve can overwrite any file


===========
SunOS 4.1.2
===========
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100184-02   14-Dec-90    06627   33  OpenWindows 2.0 vulnerability
100448-01   10-Dec-91    29285    5  OpenWindows 3.0 loadmodule hole
100478-01   14-Feb-92    64588   58  OpenWindows 3.0 xlock vulnerability
100630-01   18-May-92    28074   39  Environment variables vulnerability
100633-01   22-May-92    33264   20  Environment variables with Sun's ARM
100296-04   18-Jun-92    42492   40  File systems exported incorrectly
100376-04   16-Jul-92    12884  100  Integer division vulnerability
100507-04    3-Sep-92    57590   61  tmpfs file system vulnerability
100372-02    8-Sep-92    22739  712  tfs fails under C2
100377-05   15-Sep-92    29141 1076  sendmail security holes
100103-11   29-Sep-92    19847    6  Permissions incorrect on many files
100567-04   27-Oct-92    15728   11  ICMP packets can be forged
100564-05   11-Nov-92    00115  824  C2 jumbo patch
100482-04   16-Nov-92    06594  342  ypserv will send NIS maps to anyone
100513-02    2-Dec-92    34315  483  Console can be redirected
100623-03   11-Dec-92    56063  141  NFS file handles can be guessed
100173-10    7-Jan-93    48086  788  NFS jumbo patch
100383-06   26-Jan-93    58984  121  rdist can create setuid root files
100452-28   29-Jan-93    07299 1688  cmdtool may reveal passwords
100305-11   12-Feb-93    38582  500  The lp daemon can delete system files
100224-06    5-Mar-93    57647   54  mail and rmail can invoke root shells
101080-01    9-Jun-93    45221   13  expreserve can overwrite any file


===========
SunOS 4.1.1
===========
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100085-03    5-Sep-90    44177  740  Sunview selection_svc vulnerability
100184-02   14-Dec-90    06627   33  OpenWindows 2.0 vulnerability
100125-05    8-Jul-91    41964  164  telnet permits password capture
100424-01   12-Nov-91    63070   50  NFS file handles can be guessed
100448-01   10-Dec-91    29285    5  OpenWindows 3.0 loadmodule hole
100478-01   14-Feb-92    64588   58  OpenWindows 3.0 xlock vulnerability
100630-01   18-May-92    28074   39  Environment variables vulnerability
100633-01   22-May-92    33264   20  Environment variables with Sun's ARM
100296-04   18-Jun-92    42492   40  File systems exported incorrectly
100376-04   16-Jul-92    12884  100  Integer division vulnerability
100507-04    3-Sep-92    57590   61  tmpfs file system vulnerability
100372-02    8-Sep-92    22739  712  tfs fails under C2
100377-05   15-Sep-92    29141 1076  sendmail security holes
100103-11   29-Sep-92    19847    6  Permissions incorrect on many files
100567-04   27-Oct-92    15728   11  ICMP packets can be forged
100201-06    5-Nov-92    13145  164  C2 jumbo patch
100267-09    6-Nov-92    55338 5891  Netgroup membership check fails
100482-04   16-Nov-92    06594  342  ypserv will send NIS maps to anyone
100513-02    2-Dec-92    34315  483  Console can be redirected
100173-10    7-Jan-93    48086  788  NFS jumbo patch
100383-06   26-Jan-93    58984  121  rdist can create setuid root files
100452-28   29-Jan-93    07299 1688  cmdtool may reveal passwords
100305-11   12-Feb-93    38582  500  The lp daemon can delete system files
100224-06    5-Mar-93    57647   54  mail and rmail can invoke root shells
101080-01    9-Jun-93    45221   13  expreserve can overwrite any file


=========
SunOS 4.1
=========
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100101-02    7-Aug-90    42872   34  ptrace security vulnerability
100085-03    5-Sep-90    44177  740  Sunview selection_svc vulnerability
100184-02   14-Dec-90    06627   33  OpenWindows 2.0 vulnerability
100125-05    8-Jul-91    41964  164  telnet permits password capture
100630-01   18-May-92    28074   39  Environment variables vulnerability
100376-04   16-Jul-92    12884  100  Integer division vulnerability 
100377-05   15-Sep-92    29141 1076  sendmail security holes
100103-11   29-Sep-92    19847    6  Permissions incorrect on many files
100567-04   27-Oct-92    15728   11  ICMP packets can be forged
100201-06    5-Nov-92    13145  164  C2 jumbo patch
100482-04   16-Nov-92    06594  342  ypserv will send NIS maps to anyone
100513-02    2-Dec-92    34315  483  Console can be redirected
100383-06   26-Jan-93    58984  121  rdist can create setuid root files
100452-28   29-Jan-93    07299 1688  cmdtool may reveal passwords
100305-11   12-Feb-93    38582  500  The lp daemon can delete system files
100121-09   24-Feb-93    57589  360  NFS jumbo patch
101080-01    9-Jun-93    45221   13  expreserve can overwrite any file


======================
SunOS 4.0.3 and 4.0.3c
======================
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100100-01   30-Jul-90    43821  588  sendmail permits root level access
100101-02    7-Aug-90    42872   34  ptrace security vulnerability
100085-03    5-Sep-90    44177  740  Sunview selection_svc vulnerability
100184-02   14-Dec-90    06627   33  OpenWindows 2.0 vulnerability
100125-05    8-Jul-91    41964  164  telnet permits password capture
100383-06   26-Jan-93    58984  121  rdist can create setuid root files


============
SunOS 4.0.2i
============
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100108-01   22-Aug-90    50309  146  sendmail security vulnerability


=====================
SunOS 4.0.1 and 4.0.2
=====================
Patch ID   Last Revised   Checksum   Description
---------  ------------  ----------  -------------------------------------
100085-03    5-Sep-90    44177  740  Sunview selection_svc vulnerability


For additional information or assistance, please contact CIAC at 
(510) 423-9878 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.


        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
              Novell NetWare LOGIN.EXE Security Patch

September 7, 1993 1140 PDT                                   Number D-21
________________________________________________________________________
PROBLEM:  A security vulnerability has been discovered in the login 
          procedure of NetWare 4.x
PLATFORM: PC/MS-DOS with Novell NetWare 4.x
DAMAGE:   User accounts may be readily compromised
SOLUTION: Obtain and install replacement LOGIN.EXE v4.02
________________________________________________________________________
        Critical Facts about the LOGIN.EXE vulnerability

CIAC has learned of a vulnerability within Novell's LOGIN.EXE program
which can allow compromise of user accounts.  This vulnerability
affects NetWare 4.x only, and does not affect NetWare 2.x, 3.x, or
NetWare for UNIX.  Operation of the vulnerable LOGIN.EXE may cause the
inadvertent compromise of a user's name and password.  Further details
of this vulnerability are contained in the text file included with the
patch.

The patch (LOGIN.EXE) and text file (SECLOG.TXT) are created by
executing the distribution file SECLOG.EXE, a self-extracting archive.
After extracting the files, the dir command should produce the
following output.

   SECLOG   EXE  166276    xx-xx-xx   xx:xxx
   LOGIN    EXE  354859    08-25-93   11:43a
   SECLOG   TXT    5299    09-02-93   11:16a

To install the patch, follow the directions contained in the text file
SECLOG.TXT, and then instruct all your users to change their
passwords.

CIAC recommends that you replace your current LOGIN.EXE with the
security enhanced version as soon as possible.  This patch is
available via anonymous FTP as SECLOG.EXE on irbis.llnl.gov in the
~pub/ciac/pcvirus directory, and on CIAC's bulletin board Felicia.  It
can also be retrieved via anonymous FTP from first.org in the
~pub/software directory.  This file is also available at no charge
through NetWare resellers, on NetWire in Library 14 of the NOVLIB
forum, or by calling 1-800-NETWARE.  NetWare customers outside the
U.S. may call Novell at 303-339-7027 or 31-55-384279 or fax a request
for LOGIN.EXE v4.02 to Novell at 303-330-7655 or 31-55-434455. Include
company name, contact name, mailing address and phone number in the
fax request.


CIAC would like to acknowledge the efforts of Richard Colby of
Chem Nuclear Geotech, Inc. for discovering this vulnerability, and the
efforts of Novell in the resolution of this issue.

For additional information or assistance, please contact CIAC at
(510) 422-8193 or send e-mail to ciac@llnl.gov.  FAX messages
to: (510) 423-8002.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts. 

This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.

        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
                 Satan Bug Virus on MS-DOS computers
 
September 4, 1993 1000 PDT                                       Number D-22
__________________________________________________________________________
NAME:         Satan Bug virus
PLATFORM:     MS-DOS/PC-DOS Computers
TYPE:         Memory resident, polymorphic, encrypted
DAMAGE:       Infects .COM, .EXE, .SYS, and .OVL files. Damages infected 
              files, makes LANs inaccessible by damaging the LAN drivers.
SYMPTOMS:     Files grow at each infection, file dates change, files on LAN
              file servers become inaccessible.
DETECTION:    DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with 
              August 1993 virus definitions.
__________________________________________________________________________
              Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought 
to be contained, has been located at multiple sites in the "wild." The Satan 
Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE, 
.SYS, and .OVL files on MS-DOS/PC-DOS computers. 

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then 
infects COMMAND.COM. Thereafter, whenever an executable file is opened or 
executed it is infected with the virus. Infected files grow in size from 2.9K 
to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected 
files may be inoperative. In addition, the virus is not easily removed from 
infected files, requiring that they be replaced with uninfected copies from 
backup disks (See Appendix). The virus damages network drivers, making it 
impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning 
will not be able to recognize this virus. Anti-virus scanners that use file 
signature scanning should be able to detect that the files have been changed, 
but will not be able to name the virus. Most anti-virus scanner vendors are 
updating their programs at this time, so scanners dated after August 1993 
should be able to detect the virus by name. As of the release of this 
bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August 
1993 virus definitions update are known to detect it. The DataPhysician Plus 
package (VirHunt, ResScan) version 4.0B is in final testing and will be 
available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on 
your disk will be infected. Virus scanners must open a file to scan it, and if 
this virus is in memory, the act of opening the file for scanning will infect 
it. Most scanners first check themselves to see if they are infected with a 
virus, and display a "Virus Found" or "File Damaged" message when they start 
up. If this happens, do not scan your disk with this scanner. Even if the 
scanner claims that it can remove the virus from itself, don't scan your disk 
with it. The memory resident portion of the virus will still infect your disk.

To scan a computer infected with a memory resident virus like the Satan Bug 
virus, you must boot the computer with a clean (uninfected), locked floppy 
that contains a clean version of the virus scanner software. Delete any 
infected files the scanner finds, and replace them with fresh copies. See the 
Appendix for more information.

For More Information or Assistance

If you require additional information or assistance, please contact CIAC at:
     Phone: (510) 422-8193 / FTS
     FAX:   (510) 423-8002 / FTS 
     E-mail: ciac@llnl.gov.

Previous CIAC bulletins and other information are available via anonymous ftp from 
irbis.llnl.gov (ip address 128.115.19.60).

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx 
of NAVCERT for their help in preparing this bulletin.

---------------------------------------------------------------------------
Appendix - Scanners, Encrypted Viruses and Removing Memory Resident Viruses 

The following appendix answers some frequently asked questions about virus 
scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files: 
scanning for virus signatures, and scanning for changes in executable files. A 
signature scanner must have a string of bytes, or signature, that it can detect 
in a file and that uniquely identifies a virus. If a virus does not contain a 
known signature, then the scanner will not detect it. File scanners look at a 
file's attributes, creation date and time, length, checksum, file header, and 
other properties to determine if a file has changed. A file scanner can detect 
a new virus, but cannot tell what virus it is. Strictly speaking, a file 
scanner cannot tell that a file is infected by a virus, only that the file has 
changed in some way. However, any change in an executable file should be 
viewed with a lot of suspicion. Few executable files rewrite themselves after 
installation. None of the DOS utility programs (FORMAT, ASSIGN, etc.) should 
ever change during normal use, so view changes there as a probable virus 
infection.
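
The file-change approach just described, as an added example that is not part 
of the original bulletin or of any vendor's scanner: a baseline of size, 
timestamp and SHA-256 checksum is recorded for every .COM/.EXE/.SYS/.OVL file, 
a later scan is compared against it, and changes whose growth and timestamp 
shift match the Satan Bug symptoms given above are tagged. The directory tree, 
file contents and the simulated "infection" (the file grows and its timestamp 
jumps 100 years; no virus code is involved) are constructed for the demo.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".com", ".exe", ".sys", ".ovl")
SECONDS_PER_YEAR = 365 * 24 * 3600


def fingerprint(path):
    """Size, modification time and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Fingerprint every DOS-style executable under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report missing, new and changed executables. A change is tagged
    satan_bug_like when its growth (2.9K to 5.4K) and timestamp shift
    (+100 years) match the symptoms the bulletin gives; any other change
    still deserves a look, since executables rarely rewrite themselves."""
    report = {"missing": sorted(set(baseline) - set(current)),
              "new": sorted(set(current) - set(baseline)),
              "changed": []}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] == new["sha256"] and old["size"] == new["size"]:
            continue
        growth = new["size"] - old["size"]
        year_shift = round((new["mtime"] - old["mtime"]) / SECONDS_PER_YEAR)
        report["changed"].append({
            "path": rel, "growth": growth, "year_shift": year_shift,
            "satan_bug_like": 2900 <= growth <= 5400 and year_shift == 100})
    return report


def demo():
    """Constructed DOS-like tree: take a baseline, then simulate only the
    observable symptoms of an infection on COMMAND.COM (file grows by
    3100 bytes, timestamp jumps 100 years), a benign same-size update of
    FORMAT.EXE, and a newly added NEWTOOL.EXE. Returns the comparison."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "DOS"))
    originals = {"COMMAND.COM": b"\xe9" * 4096,
                 "DOS/FORMAT.EXE": b"MZ" + b"\x00" * 8190,
                 "AUTOEXEC.BAT": b"@ECHO OFF\r\n"}       # .BAT is not scanned
    for rel, data in originals.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)

    victim = os.path.join(root, "COMMAND.COM")
    with open(victim, "ab") as f:
        f.write(b"\x90" * 3100)                           # simulated growth only
    st = os.stat(victim)
    os.utime(victim, (st.st_atime, st.st_mtime + 100 * SECONDS_PER_YEAR))

    with open(os.path.join(root, "DOS/FORMAT.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x01" * 8190)                   # legitimate update
    with open(os.path.join(root, "NEWTOOL.EXE"), "wb") as f:
        f.write(b"MZ")
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for entry in demo()["changed"]:
        print(entry)
```

As with the Data Physician signature file mentioned below, the baseline is only 
useful if it was taken before the infection and kept on media the virus cannot 
write to.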

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from 
an infected program. Most viruses of this type attach themselves to the end of 
a program, and then remove a small piece from the beginning of the program and 
insert code there that causes the virus code to be run first. When the virus 
code completes running, it executes the small piece of code it removed from 
the beginning of the program and then continues with the original program. 
That way, when you run an infected program, you will only notice a slight 
hesitation at the beginning when the virus code runs, and then the infected 
program runs like normal. 

Encrypted viruses store this piece of the normal program within the virus code 
and then encrypt the virus code. For an anti-virus program to be able to patch 
an infected program, it must be able to decrypt the encrypted virus to find 
the piece of missing code so that it can be put back where it belongs. The 
Satan Bug virus has up to nine levels of encryption, the level being different 
for each infection. Decrypting this much code is a very difficult process, so 
most anti-virus programs are not expected to be able to repair programs 
infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough of 
the scanned files to be able to repair an infected program. The Data Physician 
Plus package does save a sufficient amount of information to be able to repair 
a program infected with the Satan Bug virus. However, you must have created 
the file signature file before your program was infected. Again, if at all 
possible, you should always replace infected files rather than repairing them 
to ensure that you have undamaged copies.

Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus, 
you first need to get the virus out of memory, then you need to scan the disk 
with an uninfected copy of the Virus Scanner. To get the virus out of memory, 
boot your computer with a clean, locked boot disk. Then you can scan the hard 
disk using an anti-virus scanner, also located on a locked disk. The following 
steps can be used to disinfect systems infected with memory resident program 
viruses such as the Satan Bug. It is also applicable to non-memory resident 
program viruses, but is not applicable to boot sector viruses and partition 
table viruses which need additional steps.

    1. You need a locked, uninfected emergency boot floppy disk that contains 
       the virus scanner, FORMAT.EXE, SYS.COM, and FDISK.COM, any disk 
       management software needed to access your hard disk such as 
       DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files
       that let you bring up your system in a limited way, and any 
       backup/restore software you may use. You need to have made this disk
       before your system gets infected, or make it on some other uninfected 
       machine.
    2. Boot the infected computer with the locked, uninfected floppy. 
    3. Run the copy of the virus scanner on the uninfected floppy and scan the
       hard disks on the infected computer. 
    4. Once the scan has completed, delete any infected files the scanner 
       found and scan the disk again. Repeat this step until no more infected 
       or changed files are found. Alternatively, you can let the scanner 
       disinfect all the files if it can, but this is not always possible 
       or preferable.
    5. When the scanner indicates that the hard disk is clean: Restore the 
       system using the SYS command. This step replaces the invisible system 
       files, COMMAND.COM, and the boot sector.
    6. Restore any deleted executables from your locked master disks 
       or backup sets. 
    7. Scan the disk again with your virus scanner. Note that at this point, 
       the scanner may detect changes in some files because you have copied in 
       new versions. If the scanner detects a virus, then delete the infected 
       file. Later you will need to scan your source disk for that infected 
       file, to see if it is infected as well.
    8. Remove the emergency floppy and reboot the computer. Your computer 
       should boot up correctly.
    9. Insert the emergency floppy and run the scanner again just to be sure 
       you have gotten every infected file.
   10. Start scanning any floppy disks that may have been infected by your 
       computer. Keep in mind that the virus could have been active for months 
       before you discovered it.



                            VENDOR RESTRICTED
                  FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
                            DO NOT DISTRIBUTE
        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                     Limited Distribution Bulletin
 
                 Cray UltraNet Security Vulnerability
 
September 5, 1993 1000 PDT                                     Number D-23

For additional information or assistance, please contact CIAC at 
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov.  FAX
messages to (510) 423-8002 / FTS.

Cray Research Inc. provided the information used in this bulletin.



          _____________________________________________________
               The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          _____________________________________________________

                           INFORMATION BULLETIN

                     SCO Home Directory Vulnerability
 
September 17, 1993 1115 PDT                                    Number D-24
__________________________________________________________________________
PROBLEM:   Home directories for "dos" and "asg" accounts insecure.
PLATFORM:  Systems using SCO Operating Systems (see list below).
DAMAGE:    Unauthorized system access, including privileged access.
SOLUTION:  Apply workaround described below.
__________________________________________________________________________
	
       Critical Information about SCO Home Directory Vulnerability

CIAC has received information of a vulnerability in SCO Operating Systems
that may permit unauthorized access to the "dos" and "asg" accounts.  The
following SCO products are affected by this vulnerability:

     SCO UNIX System V/386 Release 3.2 Operating System
     SCO UNIX System V/386 Release 3.2 Operating System Version 2.0
     SCO UNIX System V/386 Release 3.2 Operating System version 4.x
     SCO UNIX System V/386 Release 3.2 Operating System Version 4.0 with
         Maintenance Supplement Version 4.1 and/or Version 4.2
     SCO Network Bundle Release 4.x
     SCO Open Desktop Release 1.x
     SCO Open Desktop Release 2.0
     SCO Open Desktop Lite Release 3.0
     SCO Open Desktop Release 3.0
     SCO Open Server Network System Release 3.0
     SCO Open Server Enterprise System Release 3.0

The vulnerability results from the fact that the default home directories
for the "dos" and "asg" accounts are /tmp and /usr/tmp respectively, both
of which are writeable by all system users.  This situation may allow
unauthorized users to gain access to these accounts and the files that
they own.  The access may also be used to gain privileged access to the
system.

CIAC recommends that sites apply the following workaround to all affected
systems:

     1. Log onto the system as "root".
     2. Choose the following sequence of menu selections from the System
        Administration Shell, which is invoked by typing "sysadmsh":

        a. Accounts-->User-->Examine-->
           [select the "dos" account]-->Identity
           -->Home directory-->Create-->Path-->
           [change it to /usr/dos instead of /tmp]-->confirm

        b. Accounts-->User-->Examine-->
           [select the "asg" account]-->Identity
           -->Home directory-->Create-->Path-->
           [change it to /usr/asg instead of /usr/tmp]-->confirm

Sites should also take steps to verify that the "dos" and "asg" accounts
have not been compromised.  The following command will display recent
logins to either of the accounts:

     last | egrep "dos|asg"

Should any login sessions be displayed, it is likely that the system has
been compromised.  The modification times of the DOS binaries on the
system should also be examined for evidence of recent modifications. If
any evidence of compromise exists, CIAC strongly recommends that the DOS
package of Operating System Extended Utilities be removed and re-installed
using custom(ADM).
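
The two checks above (a home directory that any user can write to, and recent 
logins to the affected accounts), as an added example that is not part of the 
bulletin or of SCO's software. The passwd text, the "last" output and the 
directory tree are constructed; on a real host you would feed in /etc/passwd 
and the output of last, with root="/".

```python
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt showing the shipped defaults the bulletin names.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
dos:x:10:10:DOS Utilities:/tmp:/bin/sh
asg:x:11:10:Assignable Devices:/usr/tmp:/bin/sh
jdoe:x:200:50:Jane Doe:/usr/jdoe:/bin/sh
"""

# Constructed "last" output; the jdosx line is there to show why matching the
# user field beats a plain egrep "dos|asg".
SAMPLE_LAST = """\
jdoe     ttyp0   10.0.0.5         Fri Sep 17 09:02   still logged in
dos      tty01                    Thu Sep 16 23:41 - 23:55  (00:14)
root     console                  Thu Sep 16 08:00 - 17:30  (09:30)
jdosx    ttyp1   10.0.0.9         Thu Sep 16 07:10 - 07:40  (00:30)
"""


def parse_passwd(text):
    """Yield (user, home) for every well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], fields[5]


def insecure_homes(passwd_text, root="/"):
    """Return (user, home, reason) for home directories that anyone can write
    to, or that do not exist. The sticky bit (as on /tmp) is reported but
    does not clear the finding: it stops others deleting files, not creating
    them, so startup files for the account can still be planted."""
    findings = []
    for user, home in parse_passwd(passwd_text):
        path = os.path.join(root, home.lstrip("/"))
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append((user, home, "home directory does not exist"))
            continue
        if not stat.S_ISDIR(mode):
            findings.append((user, home, "home is not a directory"))
        elif mode & stat.S_IWOTH:
            sticky = " (sticky bit set)" if mode & stat.S_ISVTX else ""
            findings.append((user, home, "world-writable" + sticky))
    return findings


def logins_for(last_text, users=("dos", "asg")):
    """Lines of 'last' output whose user field is exactly one of users."""
    return [line for line in last_text.splitlines()
            if line.split() and line.split()[0] in users]


def build_sample_tree():
    """Constructed copy of the relevant part of a filesystem: /tmp and
    /usr/tmp mode 1777 as shipped, /usr/jdoe a normal 755 home."""
    root = tempfile.mkdtemp()
    for rel, mode in (("tmp", 0o1777), ("usr/tmp", 0o1777), ("usr/jdoe", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    return root


def demo():
    """Run both checks against the constructed data."""
    root = build_sample_tree()
    return insecure_homes(SAMPLE_PASSWD, root), logins_for(SAMPLE_LAST)


if __name__ == "__main__":
    homes, logins = demo()
    for user, home, reason in homes:
        print(f"{user}: {home} {reason}")
    for line in logins:
        print("login seen:", line)
```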

If you have further questions regarding this vulnerability, you may
contact SCO Support and ask for more information concerning the "Home
Directory Security Vulnerability."  SCO may be reached as follows:

     Electronic mail: support@sco.COM

     USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
     -----------
     1-800-347-4381  (voice)
     1-408-427-5443  (fax)

     Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
     ------------------------------------------------ Daylight Time (PDT)
     1-408-425-4726  (voice)
     1-408-427-5443  (fax)

     Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
     ----------------------------
     +44 (0)923 816344 (voice)
     +44 (0)923 817781 (fax)

For additional information or assistance, please contact CIAC at 
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC would like to acknowledge the efforts of both Christopher Durham of
the Santa Cruz Operation and the CERT Coordination Center in the
resolution of this issue.


          _____________________________________________________
               The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          _____________________________________________________

                              ADVISORY NOTICE

              Automated Scanning of Network Vulnerabilities
 
September 30, 1993 1000 PDT                                    Number D-25
__________________________________________________________________________
PROBLEM:   Automated attacks on networked computers.
PLATFORM:  All systems supporting TCP/IP networking.
DAMAGE:    Unauthorized access to information and computer resources.
SOLUTION:  Examine machines for vulnerabilities detailed below and apply
           fixes as needed.
__________________________________________________________________________
	
     Critical Information about Automated Network Scanning Software

CIAC has learned that software allowing automated scanning of networked
computers for security vulnerabilities was recently made publicly
available on the Internet.  The software package, known as ISS or Internet
Security Scanner, will interrogate all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities.  The software was designed as a
security tool for system and network administrators.  However, given its
wide distribution and ability to scan remote networks, CIAC feels that it
is likely ISS will also be used to locate vulnerable hosts for malicious
reasons.

While none of the vulnerabilities ISS checks for are new, their
aggregation into a widely available automated tool represents a higher
level of threat to networked machines.  CIAC has analyzed the operation of
the program and strongly recommends that administrators take this
opportunity to re-examine systems for the vulnerabilities described below.
Also detailed below are available security tools that may assist in the
detection and prevention of malicious use of ISS.  Finally, common
symptoms of an ISS attack are outlined to allow detection of malicious
use.


ISS Vulnerabilities
-------------------

The following vulnerabilities are tested for by the ISS tool.
Administrators should verify the state of their systems and perform
corrective actions as indicated.

Default Accounts   The accounts "guest" and "bbs", if they exist, should
                   have non-trivial passwords.  If login access to these
                   accounts is not needed, they should be disabled by
                   placing a "*" in the password field and the string
                   "/bin/false" in the shell field in /etc/passwd.  See
                   the system manual entry for "passwd" for more
                   information on changing passwords and disabling
                   accounts.

                   For example, the /etc/passwd entry for a disabled guest
                   account should resemble the following:

                   guest:*:2311:50:Guest User:/home/guest:/bin/false

lp Account         The account "lp", if it exists, should not allow logins.
                   It should be disabled by placing a "*" in the password
                   field and the string "/bin/false" in the shell field in
                   /etc/passwd.

Decode Alias       Mail aliases for decode and uudecode should be disabled
                   on UNIX systems.  If the file /etc/aliases contains
                   entries for these programs, they should be disabled by
                   placing a "#" at the beginning of the line and then
                   executing the command "newaliases".  Consult the manual
                   page for "aliases" for more information on UNIX mail
                   aliases.

                   A disabled decode alias should appear as follows:

                   # decode: "|/usr/bin/uudecode"

Sendmail           The sendmail commands "wiz" and "debug" should be 
                   disabled.  This may be verified by executing the 
                   following commands:

                   % telnet hostname 25
                   220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
                   wiz
                   You wascal wabbit!  Wandering wizards won't win!
                   (or 500 Command unrecognized)
                   quit

                   % telnet hostname 25
                   220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
                   debug
                   500 Command unrecognized
                   quit

                   If the "wiz" command returns "Please pass, oh mighty
                   wizard", your system is vulnerable to attack.  The
                   command should be disabled by adding a line to the
                   sendmail.cf configuration file containing the string:

                   OW*

                   If the "debug" command responds with the string
                   "200 Debug set", you should immediately obtain a newer
                   version of sendmail software from your vendor.

Anonymous FTP      Anonymous FTP allows users without accounts to have
                   restricted access to certain directories on the system.
                   The availability of anonymous FTP on a given system may
                   be determined by executing the following commands:

                   % ftp hostname
                   Connected to hostname.
                   220 host FTP server ready.
                   Name (localhost:jdoe): anonymous
                   530 User anonymous unknown.
                   Login failed.

                   The above results indicate that anonymous FTP is not
                   enabled.  If the system instead replies with the
                   string "331 Guest login ok" and then prompts for a 
                   password, anonymous FTP access is enabled.

                   The configuration of systems allowing anonymous FTP
                   should be checked carefully, as improperly configured
                   FTP servers are frequently attacked.  Refer to CIAC
                   Bulletin D-19 for more information.

NIS                SunOS 4.x machines using NIS are vulnerable unless the
                   patch 100482 has been installed.  See CIAC Bulletin
                   C-25 for more information regarding this patch.

NFS                Filesystems exported under NFS should be mountable only
                   by a restricted set of hosts.  The UNIX "showmount"
                   command will display the filesystems exported by a given
                   host:

                   % /usr/etc/showmount -e hostname
                   export list for hostname:
                   /usr          hosta:hostb:hostc
                   /usr/local    (everyone)

                   The above output indicates that this NFS server is
                   exporting two partitions: /usr, which can be mounted by
                   hosta, hostb, and hostc; and /usr/local which can be
                   mounted by anyone.  In this case, access to the
                   /usr/local partition should be restricted.  Consult the
                   system manual entry for "exports" or "NFS" for more
                   information.

rusers             The UNIX rusers command displays information about
                   accounts currently active on a remote system.  This may
                   provide an attacker with account names or other
                   information useful in mounting an attack.  To check for
                   the availability of rusers information on a particular
                   machine, execute the following command:

                   % rusers -l hostname
                   hostname: RPC: Program not registered

                   If the above example had instead generated a list of
                   user names and login information, a rusers server is
                   running on the host.  The server may be disabled by
                   placing a "#" at the beginning of the appropriate line
                   in the file /etc/inetd.conf and then sending the SIGHUP
                   signal to the inetd process.  For example, a disabled
                   rusers entry might appear as follows:

                   #rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd

rexd               The UNIX remote execution server rexd provides only
                   minimal authentication and is easily subverted.  It
                   should be disabled by placing a "#" at the beginning of
                   the rexd line in the file /etc/inetd.conf and then
                   sending the SIGHUP signal to the inetd process.  The
                   disabled entry should resemble the following:

                   #rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
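
An offline audit of the checklist items above that can be read from local 
configuration files (guest/bbs/lp disabled in /etc/passwd, decode and uudecode 
aliases commented out, rusersd and rexd commented out in inetd.conf, no NFS 
export open to everyone), added here as an example and not part of the 
bulletin, of ISS, SPI or COPS. The sample file contents are constructed and 
deliberately contain one failing item per check; the password-field test 
follows the bulletin's "*" convention and would need adjusting on a system 
that locks accounts differently.

```python
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
guest:*:2311:50:Guest User:/home/guest:/bin/false
bbs:AbCd9xYz1234:2312:50:BBS User:/home/bbs:/bin/sh
lp:*:71:8:Line Printer:/usr/spool/lp:/bin/sh
"""
SAMPLE_ALIASES = """\
postmaster: root
# decode: "|/usr/bin/uudecode"
uudecode: "|/usr/bin/uudecode"
"""
SAMPLE_INETD = """\
ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
#rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd
rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
"""
SAMPLE_SHOWMOUNT = """\
export list for hostname:
/usr          hosta:hostb:hostc
/usr/local    (everyone)
"""

LOGIN_ACCOUNTS = ("guest", "bbs", "lp")
DECODE_ALIASES = ("decode", "uudecode")
RPC_SERVICES = ("rusersd", "rexd")


def active_lines(text):
    """Non-blank lines that are not commented out with a leading '#'."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def check_passwd(text):
    """guest/bbs/lp must have '*' in the password field and /bin/false as shell."""
    findings = []
    for line in active_lines(text):
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in LOGIN_ACCOUNTS:
            continue
        user, password, shell = fields[0], fields[1], fields[6]
        if password != "*":
            findings.append(f"{user}: password field is not '*', logins possible")
        if shell != "/bin/false":
            findings.append(f"{user}: shell is {shell}, expected /bin/false")
    return findings


def check_aliases(text):
    """decode/uudecode aliases that still pipe mail into uudecode."""
    pattern = re.compile(r"^(%s)\s*:" % "|".join(DECODE_ALIASES))
    return [f"alias active: {line}" for line in active_lines(text) if pattern.match(line)]


def check_inetd(text):
    """rusersd/rexd entries in inetd.conf that are not commented out."""
    findings = []
    for line in active_lines(text):
        service = line.split()[0].split("/")[0]   # 'rexd/1' -> 'rexd'
        if service in RPC_SERVICES:
            findings.append(f"{service} enabled in inetd.conf: {line}")
    return findings


def check_exports(text):
    """Filesystems that 'showmount -e' reports as exported to everyone."""
    findings = []
    for line in active_lines(text):
        if line.startswith("export list for"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and "(everyone)" in parts[1]:
            findings.append(f"{parts[0]} exported to everyone")
    return findings


def audit(passwd=SAMPLE_PASSWD, aliases=SAMPLE_ALIASES,
          inetd=SAMPLE_INETD, showmount=SAMPLE_SHOWMOUNT):
    """Run every check and return the findings keyed by check name."""
    return {"passwd": check_passwd(passwd), "aliases": check_aliases(aliases),
            "inetd": check_inetd(inetd), "exports": check_exports(showmount)}


if __name__ == "__main__":
    for name, findings in audit().items():
        for finding in findings:
            print(f"[{name}] {finding}")
```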

Available Tools
---------------

There are several available security tools that may be used to prevent or
detect malicious use of ISS.  They include the following:

SPI                SPI, the Security Profile Inspector, will detect the
                   system vulnerabilities described above, as well as many
                   others.  U.S. Government agencies interested in 
                   obtaining SPI should send E-mail to spi@cheetah.llnl.gov
                   or call (510) 422-3881 for more information.

COPS               The COPS security tool will also detect the
                   vulnerabilities described above.  It is available via
                   anonymous FTP from ftp.cert.org in the directory
                   /pub/tools/cops/1.04.

ISS                Running ISS on your systems will provide you with the
                   same information an attacker would obtain, allowing you
                   to correct vulnerabilities before they can be exploited.
                   Note that the current version of the software is known
                   to function poorly on some operating systems.  If you
                   should have difficulty using the software, please contact
                   CIAC for assistance.  ISS may be obtained via anonymous
                   FTP from ftp.uu.net in the directory 
                   /usenet/comp.sources.misc/volume39/iss.

TCP Wrappers       Access to most UNIX network services can be more closely
                   controlled using software known as a TCP wrapper.  The
                   wrapper provides additional access control and flexible
                   logging features that may assist in both the prevention
                   and detection of network attacks.  This software is
                   available via anonymous FTP from ftp.win.tue.nl in the
                   file /pub/security/tcp_wrappers_6.0.shar.Z.


Detecting an ISS Attack
-----------------------

Given the wide distribution of the ISS tool, CIAC feels that remote
attacks are likely to occur.  Such attacks can cause system warnings to be
generated that may prove useful in tracking down the source of the attack.
The most probable indicator of an ISS attack is a mail message sent to
"postmaster" on the scanned system similar to the following:

    From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
    Subject: Returned mail: Unable to deliver mail
    Message-Id: <9309291633.AB04591@>
    To: Postmaster@hostname

       ----- Transcript of session follows -----
    <<< VRFY guest
    550 guest... User unknown
    <<< VRFY decode
    550 decode... User unknown
    <<< VRFY bbs
    550 bbs... User unknown
    <<< VRFY lp
    550 lp... User unknown
    <<< VRFY uudecode
    550 uudecode... User unknown
    <<< wiz
    500 Command unrecognized
    <<< debug
    500 Command unrecognized
    421 Lost input channel to remote.machine

       ----- No message was collected -----

If you should receive such a message, it is likely that your machine and
others on your network have been scanned for vulnerabilities.  You should
immediately contact your computer security officer or CIAC for assistance
in assessing the damage and taking corrective action.
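
The following is an added Python example, not part of the CIAC bulletin, that checks a postmaster bounce for the probe sequence shown in the transcript above (VRFY of guest, decode, bbs, lp and uudecode, then wiz and debug) and pulls the remote host from the 421 line for follow-up; the hostnames in the sample message are constructed.

```python
"""Flag a postmaster bounce that matches the ISS scan transcript in this
bulletin. Added example, not CIAC code; sample hostnames are constructed."""

# Probe sequence the bulletin's transcript attributes to an ISS scan.
ISS_VRFY_TARGETS = {"guest", "decode", "bbs", "lp", "uudecode"}
ISS_BARE_COMMANDS = {"wiz", "debug"}

def analyze_bounce(message):
    """Return (vrfied, bare, remote_host): account names the remote side
    tried to VRFY, other commands it sent, and the host named on the
    "421 Lost input channel" line (None if absent)."""
    vrfied, bare, remote_host = set(), set(), None
    for line in message.splitlines():
        line = line.strip()
        if line.startswith("<<<"):  # a command received from the remote
            parts = line[3:].lower().split(None, 1)
            if parts and parts[0] == "vrfy" and len(parts) > 1:
                vrfied.add(parts[1])
            elif parts:
                bare.add(parts[0])
        elif line.startswith("421 Lost input channel"):
            remote_host = line.split()[-1]
    return vrfied, bare, remote_host

def looks_like_iss_scan(message):
    """True when the bounce shows the bulletin's signature: VRFY of every
    listed account name plus wiz and debug attempts."""
    vrfied, bare, _ = analyze_bounce(message)
    return ISS_VRFY_TARGETS <= vrfied and ISS_BARE_COMMANDS <= bare

# Constructed sample: the bulletin's transcript with made-up hostnames.
SAMPLE_BOUNCE = """\
From: Mailer-Daemon@mailhost.example (Mail Delivery Subsystem)
   ----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to scanner.example
"""
```

A single VRFY of an unknown user is routine and does not match; the check requires the full set of probes before reporting a scan.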


For additional information or assistance, please contact CIAC at 
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

                            VENDOR RESTRICTED
                  FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
                            DO NOT DISTRIBUTE
        _______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                     Limited Distribution Bulletin
 
September 30, 1993 1500 PDT                                     Number D-26

For additional information or assistance, please contact CIAC at 
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov.  FAX
messages to (510) 423-8002 / FTS.
