----------------------------------------------------------------------------
CERT(*) Summary CS-96.6
November 26, 1996

Last Revised: October 2, 1997
              Updated copyright statement

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems. We also list new or updated files that are
available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
----------------------------------------------------------------------------

Recent Activity
---------------

Since the September CERT Summary, we have noticed these continuing trends in
incidents reported to us.

1. cgi-bin/phf Exploits

   We continue to see frequent reports of attempts to exploit the
   vulnerability in the CGI example program "phf". The phf program, which is
   installed by default with several implementations of httpd servers,
   contains a weakness that can allow intruders to execute arbitrary commands
   on the server. The most common attack involves an attempt to retrieve the
   httpd server's /etc/passwd file, and sample scripts for exploiting this
   vulnerability in phf have been widely posted on the Internet.

   While we are encouraged to see that the majority of the recently reported
   attacks have failed (because the attacked sites had already removed the
   phf program), the steady reports of continuing attacks indicate that these
   phf exploits are still being widely attempted.

   For more information about this vulnerability, see
     ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

   For related information about protecting your password files, please see
     ftp://info.cert.org/pub/tech_tips/passwd_file_protection

2. Continuing Linux Exploits

   We continue to see incidents in which Linux machines have been the victims
   of root compromises. In many of these incidents, the compromised systems
   were unpatched or misconfigured, and the intruders exploited well-known
   vulnerabilities for which CERT advisories have been published.

   If you are running Linux, we strongly urge you to keep current with all
   security patches and workarounds. If your system has been root
   compromised, we also recommend that you review
     ftp://info.cert.org/pub/tech_tips/root_compromise

   Further, you may want to monitor the Linux newsgroups and mailing lists
   for security patches and workarounds. More information can be found at
     http://bach.cis.temple.edu/linux/linux-security/

----------------------------------
What's New in the CERT FTP Archive
----------------------------------

We have made the following changes since the last CERT Summary
(September 24, 1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.22.bash_vuls
        Addresses two problems with the GNU Project's Bourne Again SHell
        (bash): one in yy_string_get() and one in yy_readline_get().

    CA-96.23.workman_vul
        Describes a vulnerability in the WorkMan compact disc-playing
        program that affects UNIX System V Release 4.0 and derivatives and
        Linux systems.

    CA-96.24.sendmail.daemon.mode
        Addresses a vulnerability that allows intruders to gain root
        privileges. Includes patch and upgrade information.

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.17.linux
        Linux Security FAQ Update from Alexander Yuriev. Includes
        information about a mount/umount vulnerability.

    VB-96.18.sun
        Addresses vulnerabilities in the libc and libnsl libraries of
        Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) from Sun
        Microsystems, Inc. Includes patch information.

ftp://info.cert.org/pub/latest_sw_versions/

    bash
        Added information on bash 1.14.7.

    sendmail
        Added information on sendmail 8.8.3.

* Updated Files

ftp://info.cert.org/pub/

    Sysadmin_Tutorial.announcement
        Added date of next course offering.

ftp://info.cert.org/pub/cert_advisories/

    CA-94:01.ongoing.network.monitoring.attacks
        Clarified introductory information. Added a pointer to the CERT
        tech tip on root compromises.

    CA-95:02.binmail.vulnerabilities
        Removed Appendices B & C, which contained outdated information. In
        section B, added information that mail.local is now part of
        sendmail. Added a pointer to sendmail.

    CA-96.09.rpc.statd
        Updated information from Silicon Graphics Inc.

    CA-96.20.sendmail_vul
        Added a pointer to CA-96.24.

    CA-96.21.tcp_syn_flooding
        Revised second paragraph of introduction for clarity. Added new
        information for Silicon Graphics Inc. (SGI), Berkeley Software
        Design, Inc. (BSDI), Sun Microsystems, Inc. Revised appendix
        information on reserved private network numbers. Added pointer to
        information in ftp://info.cert.org/pub/vendors.

    CA-96.22.bash_vuls
        Added Appendix A containing information from IBM Corporation,
        LINUX, and Silicon Graphics, Inc. (SGI). Removed patch for problem
        in yy_readline_get, as the problem described for yy_string_get is
        not exploitable for yy_readline_get.

ftp://info.cert.org/pub/tools/mail.local/

    README
        Added information that mail.local is now a part of sendmail. Added
        a pointer to sendmail.

ftp://info.cert.org/pub/tools/sendmail/

    sendmail.8.8.3.patch
    sendmail.8.8.3.tar.Z
    sendmail.8.8.3.tar.gz
    sendmail.8.8.3.tar.sig

ftp://info.cert.org/pub/vendors/hp/

    HP.contact_info
        Replaced instructions for subscribing by email with the new URLs
        people must use.

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
     cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
     comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
     http://www.cert.org/
     ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
     ftp://info.cert.org/pub/CERT_PGP.key

------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

Oct 02, 1997  Updated copyright history
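
Added example (not part of the CERT summary or any CERT tool): a log triage for the cgi-bin/phf probes described in item 1 of Recent Activity, separating attempts that failed because phf had been removed from requests the server actually answered. It assumes the httpd writes NCSA Common Log Format; the sample lines, addresses, query strings and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: NCSA Common Log Format (host ident user [time] "request" status bytes).
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')

# Constructed sample lines (documentation addresses, made-up query strings).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Nov/1996:03:12:44 -0500] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [20/Nov/1996:03:13:02 -0500] "GET /cgi-bin/phf?x=/etc/passwd HTTP/1.0" 404 207
198.51.100.7 - - [20/Nov/1996:03:13:05 -0500] "GET /cgi-bin/phf?x=%2Fetc%2Fpasswd HTTP/1.0" 404 207
203.0.113.5 - - [21/Nov/1996:22:40:19 -0500] "GET /cgi-bin/phf?x=constructed HTTP/1.0" 200 512
192.0.2.10 - - [21/Nov/1996:22:41:00 -0500] "GET /docs/phf-notes.html HTTP/1.0" 200 900
"""

def decode(s):
    """Percent-decode until stable so encoded requests are still matched."""
    for _ in range(3):
        s, prev = unquote(s), s
        if s == prev:
            break
    return s

def triage_phf(lines):
    """Return one finding per request for cgi-bin/phf, with a verdict from the status."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF line; skip rather than guess
        host, when, target, status = m.groups()
        path, _, query = target.partition("?")
        path = re.sub(r"/+", "/", decode(path))  # collapse doubled slashes
        if path != "/cgi-bin/phf" and not path.startswith("/cgi-bin/phf/"):
            continue
        code = int(status)
        if 200 <= code < 300:
            verdict = "served"     # phf is still installed and answered: investigate
        elif code == 404:
            verdict = "not-found"  # program already removed, attempt failed
        else:
            verdict = "other"      # denied or errored: confirm phf is really gone
        findings.append({"host": host, "time": when, "status": code, "verdict": verdict,
                         "passwd": "passwd" in decode(query).lower()})
    return findings

def hosts_needing_review(findings):
    """Clients whose phf requests did not end in a plain 404."""
    return sorted({f["host"] for f in findings if f["verdict"] != "not-found"})

if __name__ == "__main__":
    print(hosts_needing_review(triage_phf(SAMPLE_LOG.splitlines())))
```

Any "served" finding means the phf program is still present on the server and should be handled per CA-96.06.cgi_example_code.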