-----BEGIN PGP SIGNED MESSAGE-----

CERT(*) Summary CS-96.05
September 24, 1996
Last Revised: October 2, 1997
              Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

---------------------------------------------------------------------------

Clarification to CS-96.04
-------------------------

In our previous CERT Summary, we said that the intruder community is
developing new techniques and tools to analyze programs for potential
vulnerabilities even in the absence of source code. We did not mean to imply
that all developers of these techniques in the wider technical community are
members of the intruder community, nor that they intend their work to be
used by the intruder community.

Recent Activity and Trends
--------------------------

Since the July CERT Summary, we have noticed these trends in incidents
reported to us.

1. Denial of Service Attacks

   Instructions for executing denial-of-service attacks and programs to
   implement such attacks have recently been widely distributed. Since this
   information was published, we have noticed a significant and rapid
   increase in the number of denial-of-service attacks executed against
   sites.

   To learn more about denial-of-service attacks and how to limit them, see

        ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

   To monitor and log an attack, you can use a tool such as Argus. For more
   information regarding Argus, see

        ftp://info.cert.org/pub/tech_tips/security_tools

2. Continuing Linux Exploitations

   We continue to see incidents in which Linux machines are the victims of
   break-ins leading to root compromises.
   In many of these incidents, the systems were misconfigured and/or the
   intruders exploited well-known vulnerabilities for which CERT advisories
   have been published. If you are running Linux, we strongly urge you to
   keep up to date with patches and security workarounds. We also recommend
   that you review

        ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
        ftp://info.cert.org/pub/tech_tips/root_compromise

   Further, you may want to monitor the Linux newsgroups and mailing lists
   for security patches and workarounds. More information can be found at

        http://bach.cis.temple.edu/linux/linux-security/

3. PHF Exploits

   At least weekly, and often daily, we see reports of password files being
   obtained illegally by intruders who have exploited a vulnerability in the
   PHF cgi-bin script. The script is installed by default with several
   implementations of httpd servers, and it contains a weakness that allows
   intruders to retrieve the password file for the machine running the httpd
   server. The vulnerability is described in

        ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

   Once the intruders retrieve the password file, they may attempt to crack
   the passwords found in the file. For information about protecting your
   password files, please see

        ftp://info.cert.org/pub/tech_tips/passwd_file_protection

4. Software Piracy

   We have received frequent reports regarding software piracy since the
   last CERT Summary was issued. Although software piracy is beyond the scope
   of the mission of the CERT Coordination Center, it is often associated
   with compromised hosts or accounts because intruders sometimes use
   compromised hosts to distribute pirated software. News of illegal
   collections of software circulates quickly within the underground
   community, which may focus unwanted attention on a site used for software
   piracy. We encourage you to periodically check your systems for signs of
   software piracy.
   To learn more, please examine our relevant tech tips:

        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

   To learn more about detecting and preventing security breaches, please
   see

        ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

----------------------------------
What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary (July 23,
1996).

* README Files Incorporated into Advisories

  As of August 30, 1996, we no longer put advisory updates into README
  files. We now revise the advisories themselves. In addition, we have
  updated past advisories with information from their README files. We urge
  you to check advisories regularly for updates that relate to your site.

* New Additions

  ftp://info.cert.org/pub/cert_advisories/
        CA-96.14.rdist_vul
        CA-96.15.Solaris_KCMS_vul
        CA-96.16.Solaris_admintool_vul
        CA-96.17.Solaris_vold_vul
        CA-96.18.fm_fls
        CA-96.19.expreserve
        CA-96.20.sendmail_vul
        CA-96.21.tcp_syn_flooding

  ftp://info.cert.org/pub/cert_bulletins/
        VB-96.12.freebsd
        VB-96.13.hp
        VB-96.14.sgi
        VB-96.15.sco
        VB-96.16.transarc

  ftp://info.cert.org/pub/latest_sw_versions
        swatch

  ftp://info.cert.org/pub/tech_tips
        UNIX_configuration_guidelines    These replace the security_info file
        intruder_detection_checklist     (the CERT Security Checklist).
        security_tools

  ftp://info.cert.org/pub/vendors/
        hp/HPSBUX9607-033
                Added Hewlett-Packard bulletin about a security vulnerability
                in expreserve.

* Updated Files

  ftp://info.cert.org/pub/cert_advisories/
        CA-96.02.bind
                In the appendix, updated Sun Microsystems, Inc. patch
                information. In section I, added information about the next
                release of bind and the IsValid program.
        CA-96.08.pcnfsd
                Updated URL for IBM Corporation, updated Hewlett-Packard
                Company patch information, and modified NEC Corporation patch
                information.
        CA-96.09.rpc.statd
                Updated URL for IBM Corporation, removed a workaround for
                SunOS 4.x (patches now available), updated information on
                Hewlett-Packard Company, and added patch information for NEC
                Corporation. Also updated opening paragraph.
        CA-96.14.rdist_vul
                In Appendix A, added note under Silicon Graphics, Inc. about
                using the find command, updated the Hewlett-Packard Company
                entry, added information about Digital Equipment Corporation,
                and added an IBM Corporation URL.
        CA-96.15.Solaris_KCMS_vul
                In Introduction, added information about Solaris 2.5.1.
        CA-96.18.fm_fls
                Added vendor information to Appendix A. Added Section III.B,
                which provides another possible solution to the problem.
        CA-96.19.expreserve
                In Appendix A, added information for Silicon Graphics Inc.
                and Sun Microsystems, Inc.
        CA-96.20.sendmail_vul
                Added to Sec. III.B instructions on configuring sendmail at
                sites that use '&' in the gecos field of /etc/passwd. Added
                to Sec. III.C a note on uid for "mailnull" user. In the
                appendix, added information from FreeBSD, Inc. and Berkeley
                Software Design, Inc. (BSDI).

  ftp://info.cert.org/pub/FIRST
        first-contacts

  ftp://info.cert.org/pub/latest_sw_versions
        rdist-patch-status
                Updated information for Hewlett-Packard Company and NeXT
                Software, Inc. Updated rdist version information in Section
                II.G.
        sendmail

  ftp://info.cert.org/pub/tech_tips
        root_compromise

---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
             CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
             and are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
        ftp://info.cert.org/pub/CERT_PGP.key

------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997  Updated copyright history