CERT Summary CS-97.05

Aleph One (aleph1@DFW.NET)
Tue, 26 Aug 1997 14:43:38 -0500

---------------------------------------------------------------------------
CERT* Summary CS-97.05
August 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
incident response team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/

Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Recent Activity
---------------
Since the last regularly scheduled CERT Summary, issued in May, we have seen
the following trends in incidents reported to us.

1. Continuing IMAP Exploits

The CERT Coordination Center continues to receive daily reports of attempts to
exploit a vulnerability in certain implementations of IMAP. This vulnerability
was the subject of our most recent CERT Summary, "CS-97.04 - Special Edition,"
which can be found at

ftp://info.cert.org/pub/cert_summaries/CS-97.04

Intruders continue to scan large blocks of network addresses for vulnerable
systems. Because we continue to receive reports of root compromises
resulting from vulnerable versions of the IMAP server, we encourage you to
take immediate action to address this vulnerability.

We encourage you to review our advisory describing the vulnerability and
suggesting corrective actions:

ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop

2. Increased Denial-of-Service Attacks

The CERT/CC is receiving more frequent and varied reports of denial-of-service
attacks. Intruders are exploiting vulnerabilities addressed in previous CERT
advisories, and using IP spoofing to hide the origin of the attacks. Recently
we published a new tech tip that provides an overview of denial-of-service
attacks and information that may help you respond to them:

ftp://info.cert.org/pub/tech_tips/denial_of_service

Recently a number of networks around the Internet have been the victims of a
denial-of-service attack involving forged ICMP echo request packets
(i.e., "ping" packets) directed to a broadcast address. Each machine
responding to the broadcast packet generates an ICMP echo reply packet
directed to the source address of the original forged echo request packet,
so a single request can produce a large amount of traffic for the sites involved.

We encourage you to defend yourself against this problem by filtering
broadcast ping packets (or all broadcast packets) at your router or
firewall. If filtering broadcast packets at your router is not a viable
option, you may be able to configure your operating system to ignore broadcast
ICMP packets. You should consult either your documentation or your vendor to
see what variables can be set on all local machines so that broadcast IP
traffic (and more specifically broadcast ICMP traffic) is ignored, thus
negating the attack.

We also strongly encourage you to filter outbound packets at your router to
prevent packets with forged source addresses from leaving your network.

For more information on this kind of packet filtering and IP spoofing attacks,
please see

ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
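
The two filtering rules recommended above, as an added example that is not part of the CERT Summary: it flags ICMP echo requests sent to the local directed-broadcast address and outbound packets whose source address does not belong to the local network, over constructed sample flow records. The record format, LOCAL_NET and the function names are assumptions made for this example.

```python
# Added example, not from the CERT Summary. Flags the two patterns the summary
# says to filter at the router: broadcast pings (the amplifier side of the
# attack) and outbound packets with forged source addresses (egress filtering).
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local prefix

# Constructed sample records: direction src dst proto [icmp_type]
SAMPLE_FLOWS = """\
in  203.0.113.7  192.0.2.255   icmp 8
in  203.0.113.7  192.0.2.10    icmp 8
out 192.0.2.10   203.0.113.7   icmp 0
out 198.51.100.9 203.0.113.255 icmp 8
out 192.0.2.44   198.51.100.1  tcp
"""

def parse_flow(line):
    """Split one record into a dict; icmp_type is None for non-ICMP records."""
    f = line.split()
    return {"dir": f[0], "src": ipaddress.ip_address(f[1]),
            "dst": ipaddress.ip_address(f[2]), "proto": f[3],
            "icmp_type": int(f[4]) if len(f) > 4 else None}

def is_broadcast_ping(rec, net=LOCAL_NET):
    """Echo request (ICMP type 8) to net's broadcast address: every host that
    answers replies to the (forged) source, so this is dropped at the edge."""
    return (rec["proto"] == "icmp" and rec["icmp_type"] == 8
            and rec["dst"] == net.broadcast_address)

def is_forged_egress(rec, net=LOCAL_NET):
    """Outbound packet claiming a source address the local network does not own."""
    return rec["dir"] == "out" and rec["src"] not in net

def audit(text, net=LOCAL_NET):
    """Return (rule, record) pairs for every record a router filter should drop."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if is_broadcast_ping(rec, net):
            findings.append(("broadcast-ping", line))
        if is_forged_egress(rec, net):
            findings.append(("forged-source-egress", line))
    return findings
```

Only the request direction is checked: the echo replies that the amplifying hosts send are legitimate from their point of view, which is why the summary recommends stopping the broadcast request itself.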

3. Increased Use of IRC in Root Compromises

We have received a significant number of reports that intruders are
compromising machines at the root level and then installing Internet Relay
Chat (IRC) clients or servers. If you discover unauthorized IRC clients,
servers, or robots running on your systems, we encourage you to check for
signs of compromise using our Intruder Detection Checklist, available at

ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist

This document will help you methodically check your systems for signs of
compromise; it offers pointers to other resources and suggestions on how to
proceed in the event of a compromise.

4. Increased Exploitation of IRIX Buffer Overflows

Buffer overflow vulnerabilities on IRIX systems are being exploited in many
incidents reported to the CERT/CC. These vulnerabilities are described in a
recent CERT advisory:

ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow

Vulnerable programs discussed in the advisory include df, pset, eject,
login/scheme, ordist, and xlock.

We encourage you to apply the patches or workarounds described in Section III
of the advisory and to regularly check with your vendor for security updates.

5. Continuing INND Exploits

We continue to receive reports of widespread, large-scale attacks on NNTP
(Network News Transport Protocol) servers, as reported in the March 1997
special edition CERT Summary CS-97.02:

ftp://info.cert.org/pub/cert_summaries/CS-97.02

Our advisory describing two vulnerabilities present in INND versions prior to
1.5.1sec2 is available at

ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

We strongly recommend that you do *not* try to test your own systems by
attempting to exploit the vulnerability. Many of the INND attacks reported to
us were the result of sites testing their own servers and inadvertently
releasing their test on the Internet. To determine whether or not your version
of INND is vulnerable, please consult the advisory (CA-97.08.innd).

The latest supported version of INN, 1.5.1sec2, addresses vulnerabilities that
existed in previous versions. For a pointer to the latest version of INN, see
the UPDATES section in CA-97.08.innd or

ftp://info.cert.org/pub/latest_sw_versions/inn

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (May 28, 1997).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

CA-97.15.sgi_login
    Describes a vulnerability in the SGI login program when the LOCKOUT
    parameter is set to a number greater than zero.

CA-97.16.ftpd
    Describes a vulnerability in some versions of ftpd distributed and
    installed under various UNIX platforms.

CA-97.17.sperl
    Addresses a buffer overflow condition in suidperl (sperl) built from
    Perl 4.n and Perl 5.n distributions on UNIX systems.

CA-97.18.at
    This advisory addresses a buffer overflow condition in some versions of
    the at(1) program.

CA-97.20.javascript
    Reports a vulnerability in JavaScript that enables remote attackers to
    monitor a user's Web activities.

CA-97.21.sgi_buffer_overflow
    Describes 6 buffer overflow problems in SGI IRIX systems. Problems affect
    the df, pset, eject, login/scheme, ordist, and xlock programs.

CA-97.22.bind
    Describes a vulnerability in all versions of BIND before release 8.1.1,
    suggests several solutions, and provides pointers to the current version.
    Supersedes CA-96.02.bind.

ftp://info.cert.org/pub/cert_bulletins/

VB-97.03.sun
    A Sun Security Bulletin announcing patches for a vulnerability in
    rpcbind.

VB-97.04.hp
    Information from Hewlett-Packard on a vulnerability in the chfn
    executable in HP 9000 Series 700/800s running versions of HP-UX 9.X
    and 10.X.

VB-97.05.lynx
    Information from members of the lynx-dev mailing list about a
    vulnerability in temporary files that enables users to replace the
    temporary file with a symbolic link or with another file.

VB-97.06.lynx
    Information from members of the lynx-dev mailing list about a
    vulnerability in Lynx downloading that enables users to read or execute
    arbitrary files regardless of restrictions set by the system
    administrator.

ftp://info.cert.org/pub/cert_summaries/

CS-97.04
    Special edition CERT Summary about large-scale attacks involving a
    vulnerability in some implementations of IMAP.

ftp://info.cert.org/pub/latest_sw_versions/

apache
    URLs and MD5 checksum for Apache 1.2.1

bind
    URLs and MD5 checksum for BIND 8.8.1

inn
    URL and MD5 checksum for inn 1.5.1sec2

NetBIOS
    URLs and MD5 checksums for NetBIOS Security Kit v1.0

sendmail
    URLs and MD5 checksum for sendmail 8.8.7

ftp://info.cert.org/pub/tech_tips/

denial_of_service
    Provides a general overview of attacks in which the primary goal of the
    attack is to deny the victim(s) access to a particular resource, as well
    as information that may help you respond to such an attack.

ftp://info.cert.org/pub/tools/

NetBIOS/
    NetBIOS tar and zip files

* Updated Files

ftp://info.cert.org/pub/

cert_faq
    Updated the recommended reading list in Section B.11.

ftp://info.cert.org/pub/cert_advisories/

CA-96.04.corrupt_info_from_servers
    Updated the URL pointing to the current version of BIND.

CA-96.06.cgi_example_code
    Added information about other cgi programs being exploited.

CA-96.21.tcp_syn_flooding
    Added information from Linux.

CA-96.26.ping
    Updated information from Sun Microsystems, Inc.

CA-96.27.hp_sw_install
    Added information from Hewlett-Packard Company.

CA-97.04.talkd
    Updated information from Silicon Graphics Inc. and Sun Microsystems, Inc.

CA-97.06.rlogin-term
    Updated information from Hewlett-Packard Company.

CA-97.08.innd
    Added information about the latest release of innd.

CA-97.09.imap_pop
    Added information from NetManage, Inc. Clarified information in the
    introduction and description sections.

CA-97.10.nls
    Added other phrases for the NLS acronym. Updated the entry for Cray
    Research - A Silicon Graphics Company.

CA-97.13.xlock
    Added information from Berkeley Software Design, Inc. (BSDI) and Silicon
    Graphics Inc. (SGI). Updated information from Sun Microsystems, Inc.

CA-97.16.ftpd
    Added information from Sun Microsystems, Inc., Digital Equipment
    Corporation, and Silicon Graphics, Inc.

CA-97.17.sperl
    Added information from Sun Microsystems, Inc.

CA-97.18.at
    Added information from Digital Equipment Corporation, Hewlett-Packard
    Company, and Data General Corporation.

CA-97.20.javascript
    Added information from Netscape Communications Corporation and Microsoft.

CA-97.21.sgi_buffer_overflow
    Clarified wrapper information. Updated information from Silicon
    Graphics, Inc.

CA-97.22.bind
    Clarified that version 4.9.6 is not vulnerable. Noted reasons that sites
    should upgrade to version 8.1.1.

ftp://info.cert.org/pub/cert_advisories/obsolete_advisories

CA-96.02.bind
    Moved to obsolete advisories directory; superseded by CA-97.22.bind.

ftp://info.cert.org/pub/cert_bulletins/

VB-97.05.lynx
    Added acknowledgement of original reporter of the problem.

VB-97.06.lynx
    Added acknowledgement of original reporter of the problem.

ftp://info.cert.org/pub/legal_stuff
    Copyright, trademark, and related information

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email           cert@cert.org

Phone           +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
                and are on call for emergencies during other hours.

Fax             +1 412-268-6989

Postal address  CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions apply; they can be found
in http://www.cert.org/legal_stuff.html and
ftp://info.cert.org/pub/legal_stuff

If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.