-----BEGIN PGP SIGNED MESSAGE----- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- ======= ============ ====== ====== ======= ============== ======= ======= === === ==== ====== ====== === =========== ======= ======= === =========== === ======= === === === ==== === ===== === ======= ============== ===== === ===== ======= ============ ===== = ===== EMERGENCY RESPONSE SERVICE OUTSIDE ADVISORY REDISTRIBUTION 25 July 1996 12:00 GMT Number: ERS-OAR-E01-1996:006.1 =============================================================================== The IBM-ERS Outside Advisory Redistribution is designed to provide customers of the IBM Emergency Response Service with access to the security advisories sent out by other computer security incident response teams, vendors, and other groups concerned about security. IBM makes no representations and assumes no responsibility for the contents or accuracy of the advisories themselves. IBM-ERS is forwarding the following information from the CERT Coordination Center. Contact information for the CERT Coordination Center is included in the forwarded text below; please contact them if you have any questions or need further information. =============================================================================== ********************** FORWARDED INFORMATION STARTS HERE ********************** CERT(sm) Summary CS-96.04 July 23, 1996 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our Incident Response Team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/ Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/ - --------------------------------------------------------------------------- Increasing Sophistication of Intruder Community Expertise - --------------------------------------------------------- In earlier summaries, we noted that the intruder community was analyzing operating system source code to develop increasingly sophisticated and effective exploitation techniques. The intruder community is now developing new techniques to analyze programs for potential vulnerabilities even in the absence of source code. This can be done with a tool that traces system calls and subroutine calls within a program, thus allowing a person to match such calls against command line parameters. Although there is little that sites can do in direct response to this information, it does highlight the importance of staying up to date with security patches and workarounds for your operating systems and applications. Operating System Concerns - ------------------------- We receive reports relating to incident activity from many different sites using a wide variety of operating systems. Because of problems we see that directly relate to operating systems, we felt it worthwhile to make a few observations about choosing an operating system. For information on this subject, see ftp://info.cert.org/pub/tech_tips/choose_operating_sys Forged Advisories - ----------------- Occasionally, we see forged advisories on various newsgroups or other distribution lists. If you have the Pretty Good Privacy (PGP) program, you can determine whether or not an advisory is genuine by checking the PGP signature. We use PGP to sign all our advisories. To verify that a CERT advisory is authentic, 1. Get the CERT public key from ftp://info.cert.org/pub/CERT_PGP.key 2. Verify the authenticity of the document by checking the PGP signature. To do this, enter the following command: %pgp You should see a message that includes the statement Good signature from user "CERT Coordination Center ". Signature made Recent Activity and Trends - -------------------------- Since the May CERT Summary, we have seen these continuing trends in incidents reported to us. 1. Linux root compromises At least once a week we see reports of Linux machines that suffer break-ins leading to root compromises. In many of these incidents, the systems were misconfigured, and/or the intruders exploited well-known vulnerabilities (for which CERT advisories have been published); the intruders then installed Trojan horse programs and/or network monitoring programs (packet sniffers). If you are running Linux, we strongly urge you to keep up to date with patches and security workarounds. We recommend that you also review ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks ftp://info.cert.org/pub/cert_advisories/CA-94:01.README Further, you may want to monitor the Linux newsgroups and mailing lists for security patches and workarounds. More information can be found at http://bach.cis.temple.edu/linux/linux-security/ 2. Telnetd in Linux systems We have noticed an increase in the exploitation of a vulnerability in the telnetd environment on unpatched Linux-based systems. If you have not patched your system(s) for this vulnerability, we urge you to review CERT advisory CA-95:14 and the associated README file and install the patch or workaround provided. ftp://info.cert.org/pub/cert_advisories/CA-95:14.Telnetd_Environment_Vulnerability ftp://info.cert.org/pub/cert_advisories/CA-95:14.README 3. Password Cracking We continue to receive daily reports of unauthorized site access as a result of compromised accounts and/or "cracked" passwords. For information about protecting your password files, please see ftp://info.cert.org/pub/tech_tips/passwd_file_protection 4. Sendmail attacks Although discussed in previous summaries, we continue to receive reports each week about intruders who attempt to exploit sendmail vulnerabilities. We have published several advisories on sendmail. If you have not addressed the vulnerabilities in sendmail, we urge you to review these advisories and take appropriate action. All advisories, including sendmail advisories, can be found at ftp://info.cert.org/pub/cert_advisories/ In many of these attempts, intruders are trying to obtain password files. For information on protecting your password files, see ftp://info.cert.org/pub/tech_tips/passwd_file_protection We have had many questions about when to use the sendmail restricted shell program (smrsh). You should run smrsh with any UNIX system that is running sendmail, regardless of vendor or version. smrsh is now included as part of the current sendmail distribution (effective with version 8.7.1). We strongly urge you to upgrade to the latest version of sendmail. See ftp://info.cert.org/pub/latest_sw_versions/sendmail 5. cgi-bin vulnerabilities Since our last summary, we've seen an increase in the number of reports relating to vulnerabilities in cgi-bin programs. Any cgi-bin program that relies on escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack. For more information about cgi-bin vulnerabilities and patches, please see ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code ftp://info.cert.org/pub/cert_advisories/CA-96.06.README There have been discussions in several public forums about the problem of general-purpose interpreters being placed in the cgi-bin directory. If these interpreters are accessible in the cgi-bin directory of a Web server, then a remote user can execute any command the interpreters can execute on that server. For more details and patch information, see ftp://info.cert.org/pub/cert_advisories/CA-96.11.interpreters_in_cgi_bin_dir 6. Mail spamming/spoofing attacks We receive at least three incidents each week of mail spamming and/or spoofing attacks. For information on responding to and recovering from such activity, see ftp://info.cert.org/pub/tech_tips/email_bombing_spamming ftp://info.cert.org/pub/tech_tips/email_spoofing What's New in the CERT FTP Archive - ---------------------------------- We have made the following changes since the last CERT Summary (May 22, 1996). * New Additions ftp://info.cert.org/pub/cert_advisories/ CA-96.10.nis+_configuration CA-96.10.README CA-96.11.interpreters_in_cgi_bin_dir CA-96.11.README CA-96.12.suidperl_vul CA-96.12.README CA-96.13.dip_vul CA-96.13.README ftp://info.cert.org/pub/cert_bulletins/ VB-96.08.sgi VB-96.09.freebsd VB-96.10.sco VB-96.11.freebsd ftp://info.cert.org/pub/tech_tips/ choose_operating_sys Things to consider when choosing an operating system for your site ftp://info.cert.org/pub/tools/ ifstatus Added the ifstatus program ftp://info.cert.org/pub/vendors/ sun/sun_bulletin_00135 Added bulletin from Sun Microsystems, Inc. dec/dec-96.0383 Added bulletin from Digital Equipment Corporation * Updated Files ftp://info.cert.org/pub/cert_advisories/ CA-95:13.README Added vendor information for Digital Equipment Corporation and Silicon Graphics, Inc. CA-96.04.README Added information about the next release of BIND CA-96.08.README Added vendor information for Digital Equipment Corporation, NEC Corporation, and Data Design Systems, Inc. Added patch information for FreeBSD, Inc. CA-96.09.README Added vendor information for Digital Equipment Corporation. Added pointers to Silicon Graphics, Inc. release notes and Sun Microsystems, Inc. patches CA-96.12.README Added vendor information for FreeBSD, NEC Corporation, and Digital Equipment Corporation ftp://info.cert.org/pub/FIRST/ first-contacts Updated contact information ftp://info.cert.org/pub/latest_sw_versions/ bind Added pointer to version 4.9.4 ifstatus Added pointer to ifstatus If you use any of the software listed in this directory, we recommend that you upgrade to the current versions. Among other changes, these new versions address security weaknesses present in previous versions. If you have any questions about the software listed in this directory, please contact the vendor for more information. - --------------------------------------------------------------------------- How to Contact the CERT Coordination Center Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT advisories and bulletins are posted on the USENET news group comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key - --------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and credit is given to the CERT Coordination Center. CERT is a service mark of Carnegie Mellon University. *********************** FORWARDED INFORMATION ENDS HERE *********************** =============================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s). As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4). IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, Integrated Systems Solutions Corporation, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAwUBMfdf5/WDLGpfj4rlAQGkAgP/Yv3hh6UcsPwh4jX+lGFRgTvP3OY1acEs FHbX6NZF1f9ZQg58wjE20Xgn+j/SvDCgLc5TxsX+qWFkGHck8Iyqt8eX/Av5ipzy NeJybAF6e73/n5c5VeWixAEcOpqGw+XWtIVekQFPlG+luSjfb1axg+FyTLM0gNFG yO2HOnASPVE= =cS9n -----END PGP SIGNATURE-----