Everhart, Glenn

From: O'Malley, Brian
Sent: Tuesday, April 28, 1998 6:24 AM
To: Brian Trevey; Chris Wilson; Glenn Everhart; Scott Sweren
Subject: FW: SANS Network Security Digest April, 1998

FYI. Scott will be attending the SANS conference in May so any questions/requests speak with him. Thanks.

-----Original Message-----
From: sans@clark.net [SMTP:sans@clark.net]
Sent: Tuesday, April 28, 1998 3:29 AM
To: O'Malley, Brian
Subject: SANS Network Security Digest April, 1998

To: Brian O'Malley
From: The SANS Institute
Subj: The April SANS Digest

-----BEGIN PGP SIGNED MESSAGE-----

The SANS Network Security Digest
Vol. 2, No. 3
April 27, 1998

Editor: Michele Crabb
Contributing Editors:
Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,
Rob Kolstad, Marcus Ranum, Dorothy Denning, Dan Geer,
Peter Neumann, Fred Avolio, Bill Cheswick, Peter Galvin,
David Harley, Jean Chouanard, John Stewart, Hank Kluepfel

----A Resource for Computer and Network Security Professionals---

CONTENTS:

i) CALL FOR PAPERS FOR THE 4TH ANNUAL SANS NETWORK SECURITY CONFERENCE
ii) LAST CHANCE TO REGISTER FOR SANS/SEEKING BOF IDEAS
iii) NEW SANS NT DIGEST

1) MULTIPLE VULNERABILITIES IN BIND
2) IMPROPER USE OF /TMP IN PROGRAMS CAUSING SECURITY HOLES
3) ASCEND ROUTER DENIAL OF SERVICE ATTACK
4) BUFFER OVERFLOW VULNERABILITY IN SUIDPERL/SPERL PROGRAM
5) CRYPTOZILLA - NETSCAPE SOURCES INTEGRATED WITH CRYPTOGRAPHY
6) POSSIBLE MODIFIED SYNDROP ATTACK AFFECTING LINUX SYSTEMS
7) HP SECURITY PROBLEMS AND PATCHES
8) SUN SECURITY PROBLEMS AND PATCHES
9) SGI SECURITY PROBLEMS AND PATCHES
10) IBM SECURITY PROBLEMS AND PATCHES
11) NT/WIN95 SECURITY PROBLEMS AND PATCHES
12) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES
13) QUICK TIDBITS
14) UPCOMING EVENTS

*****************************************
i) CALL FOR PAPERS FOR THE 4TH ANNUAL SANS NETWORK SECURITY CONFERENCE, to be held in Orlando, Florida, October 26-30, 1998.

The CFP is posted at:

Submissions are due by June 1st, 1998.

----------------------------------------------------------------------

ii) LAST CHANCE TO REGISTER FOR SANS/SEEKING BOF IDEAS

Seeking ideas for birds-of-a-feather (BoF) sessions for SANS98 (Monterey, May 7-15). If you are attending, please suggest topics - from management to technical, from commercial products to best practices. Anything you feel is deserving of time. We'll circulate your ideas to all delegates.

This is also the last full week you can register for SANS98, featuring courses you won't find anywhere else: intrusion detection using traffic analysis, NT security (a three-day program), partner-nets, securing Solaris, planning and implementing a secure remote access system, UNIX security threats and solutions, fundamentals of IPv6, networking design myths and realities - 40 courses in all plus a five-track technical conference. For more information see the SANS Web page:

----------------------------------------------------------------------

iii) NEW SANS NT DIGEST

As a continuous follow-up to "Windows NT Security: Step-by-Step," SANS initiated a new monthly digest for NT administrators. The first issue is posted at:

----------------------------------------------------------------------

1) MULTIPLE VULNERABILITIES IN BIND (4/9/98)

Three different vulnerabilities in BIND were reported this month. They can allow a remote attacker to disrupt a name server or gain root-level access to a name server. All three problems can be fixed by upgrading to the latest version of BIND as soon as the vendor makes it available.
Check the CERT Advisory for a list of vendor reports. Note that many more vendors have made new versions available than are listed in the CERT Advisory. For more information see the CERT and CIAC Advisories at:

-------------------------------------------------------------------

2) IMPROPER USE OF /TMP IN PROGRAMS CAUSING SECURITY HOLES

Over the past two months, large numbers of reports have come in regarding UNIX programs that use temporary files in /tmp. If coded improperly, such programs are vulnerable to a race condition where a symlink can be used to overwrite any program on the system to which the user has write privilege. This is of particular concern for suid root programs. Although, according to the most recent reports, these race conditions are not currently being exploited, they are causing a great deal of concern because of the ease of possible exploitation and the number of programs potentially affected. Modification of the /tmp mechanism has been discussed as a way to prevent such problems, but it is unlikely to happen for a variety of reasons. As a result, the best protection is good programming practice. The most common recommendation is to use mkstemp. For more information, check out postings to the bugtraq mailing list at:

-------------------------------------------------------------------

3) ASCEND ROUTER DENIAL OF SERVICE ATTACK (3/16/98)

SNI reports that sending malformed packets to the "discard" port on Ascend routers can cause the router to freeze. They also report a second problem involving the SNMP "write" community string (set to "write" by default) which may enable an attacker to download the entire configuration file of an Ascend router. Router configuration files may contain access passwords and other sensitive information.
The problem affects Ascend operating system versions 5.0Ap42 (MAX) and 5.0A (Pipeline). For more information see the Secure Networks Bulletin at:

or the CIAC Bulletin at:

-------------------------------------------------------------------

4) BUFFER OVERFLOW VULNERABILITY IN SUIDPERL/SPERL PROGRAM (4/8/98)

A buffer overrun has been discovered in the suidperl/sperl program which is part of the Perl distribution. A malicious local user can exploit the vulnerability to execute arbitrary commands as the 'root' user. This problem exists in all versions of Perl prior to 5.004. Perl is provided as part of the standard OS installation for many UNIX systems. This vulnerability is being actively exploited. For more information see the CIAC Bulletin at:

If information for your vendor is not listed in that bulletin, contact your vendor or upgrade to Perl version 5.004.

-------------------------------------------------------------------

5) CRYPTOZILLA - NETSCAPE SOURCES INTEGRATED WITH CRYPTOGRAPHY (4/2/98)

The Mozilla Crypto Group is a project to put full-strength cryptographic functionality back into Mozilla, the free release of Netscape Communicator. Within 15 hours of the release of the source code for Netscape 5.0, the Mozilla Crypto Group made available "cryptozilla", a Mozilla (free Netscape) with SSL enabled. Because this was developed outside the United States, US export restrictions do not affect this software. The first binary was built for RedHat Linux 4.2. Binaries for Windows NT and Windows 95 have also been created.
For more information see:

-------------------------------------------------------------------

6) POSSIBLE MODIFIED SYNDROP ATTACK AFFECTING LINUX SYSTEMS

A few, very recent posts on bugtraq indicate that a modified syndrop attack may be affecting Linux systems running 2.0.33. At least one site has reported actual machine crashes. Alan Cox has found an 'off-by-one IP header' bug through which he has been able to duplicate the problem. This information and updates are posted on the bugtraq mailing list:

-------------------------------------------------------------------

7) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
(US and Canada)
(Europe)

---------------
A) 3/30/98 - HP announces inetd vulnerability in HP-UX releases 9.x and 10.x. The problem can cause inetd to terminate prematurely, causing denial of service since networking is disabled. Patches are available from HP. For more information see the HP Security Bulletin 9803-077 or the CIAC Bulletin at:

Note - HP released a revised patch on 4/16/98 and announced the availability of a patch for HP-UX 10.16.

-------------------------------------------------------------------

8) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
Sun Security Patches are available at:

---------------
A) 3/11/98 - Sun announces patches for a vulnerability in the ndd command that can be used to set TCP/IP kernel parameters. The vulnerability could allow an attacker to cause a denial of service attack. Patches are available for SunOS 5.6 and 5.6_x86. For more information see Sun Security Bulletin #165 at:

---------------
B) 3/11/98 - Sun announces patches for a vulnerability in rpc.cmsd.
The rpc.cmsd is a small database manager for appointment and resource-scheduling data. Its primary client is the Calendar Manager in OpenWindows, and Calendar in CDE. This vulnerability may allow a local malicious user to overwrite files and gain root access. Patches are available for multiple SunOS versions. For more information, see Sun Security Bulletin #166 at:

---------------
C) 4/8/98 - Sun announces patches for rpcbind vulnerability in Solaris. The vulnerability results from the fact that rpcbind listens on UDP ports greater than 32770 in addition to UDP port 111. Hence a remote attacker can obtain remote RPC program information even if TCP or UDP port 111 is being filtered. The vulnerability can also allow an attacker to gain unauthorized access to hosts running vulnerable versions of the software. For more information see Sun Security Bulletin #167 at:

-------------------------------------------------------------------

9) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
SGI patches are available at:

------------
A) 3/11/98 - SGI announces vulnerabilities in the startmidi/stopmidi, datman/cdman, cdplayer programs. Several buffer overruns have been discovered which could allow a local user to run arbitrary commands as the user 'root'. Workarounds and patches are available from SGI. For more information see the SGI Security Advisory 19980301-01-PX at:

Note - Some of the following vulnerabilities were first reported in 1996 via AUSCERT Alerts and can be found on the AUSCERT sites at:

------------
B) 3/25/98 - SGI issued a follow-up to the CERT Bulletin CA-97.09 regarding vulnerabilities in IMAP/POP. SGI sells and supports the Netscape Mail/Messaging Servers for IRIX. SGI reported that their implementations of IMAP4 & POP3 do not have this vulnerability and no further action is required.
For more information see the SGI Security Advisory at:

Or the original CERT Advisory at:

------------
C) 3/26/98 - SGI announces Netscape Navigator security vulnerabilities. Several privacy vulnerabilities allow malicious web servers to obtain unauthorized access to cookie and form submission information. SGI recommends upgrading to Netscape 3.04 or later. This vulnerability is also known as the "Tracker Bug" or the "Bell Labs Privacy Bug". For more information see the SGI Security Advisory at:

Or Netscape's information page at:

------------
D) 3/26/98 - SGI announces a patch to a buffer overrun vulnerability in the pset program which may allow a local user to run commands as 'root'. This affects IRIX versions 5.x through 6.3. IRIX 6.4 does not have the pset(1M) command. Workarounds and patches are available from SGI for IRIX versions 5.3, 6.2 and 6.3. For more information see the SGI Security Advisory at:

This vulnerability was first reported by CERT and AUSCERT in 1997. The CERT Advisory is available at:

------------
E) 4/2/98 - SGI announces a vulnerability in pfdisplay.cgi (sic) of the IRIS Performer which could allow any user (local or remote) to view files on the vulnerable system with privileges of the user 'nobody'. A temporary fix is to change the permissions on pfdisplay.cgi to 500. Patches are available for IRIX 6.2 - 6.4; other versions of IRIX are not vulnerable. For more information, see the SGI Security Advisory at:

Note that newsgroup postings indicate that the patch described in the advisory above does not fix all the vulnerabilities in that program. The postings recommend limiting access to your domain if you are using SGI's CGI. For more information, see:

------------
F) 4/2/98 - SGI announces vulnerabilities in the lp(1) program. A potential buffer overflow condition has been identified in the lp(1) program and associated printing subsystem. A malicious local user could exploit the vulnerability and run commands as the user 'root'.
For information see the SGI Security Advisory at:

lp buffer overrun problems were reported by AUSCERT in late 1996. The AUSCERT Advisory is available at:

------------
G) 4/2/98 - SGI announces a vulnerability in the mailcap program under IRIX 6.3 & 6.4. The vulnerability may allow an SGI user browsing web pages or reading email to inadvertently download a "trojan horse" runtask(1M) or runexec(1M) descriptor file. The "trojan horse" descriptor file will execute a local System Manager Task with the privileges of the user and can lead to a local root compromise. For more information, see the SGI Security Advisory at:

------------
H) 4/6/98 - SGI announces suid_exec buffer overflow. This problem was previously discussed by AUSCERT in late 1996. The vulnerability condition could allow a local user to run arbitrary commands as the user 'root'. Patches will not be made available. The problem is expected to be resolved in the next version of the freeware software. SGI recommends disabling suid_exec until then. For more information see the SGI Security Advisory at:

The AUSCERT Advisory can be found at:

------------
I) 4/6/98 - SGI announces vulnerability in suidperl/perl which ships with the SGI Freeware 1.0/2.0 CD. (More information in item 2 above.)

------------
J) 4/13/98 - SGI announces a vulnerability in the LicenseManager(1M) manager program that allows it to manipulate arbitrary root-owned files and to allow root access. A local user account is required. Patches are available for IRIX 5.3, 6.1 - 6.3. Other versions are not vulnerable. As a temporary workaround, remove the permissions from the program. For more information see the SGI Security Advisory at:

See Quick Tidbit "E)" below for a bugtraq report related to SGI.
-------------------------------------------------------------------

10) IBM SECURITY PROBLEMS AND PATCHES

IBM maintains a security home page at:
IBM maintains an on-line support center at:

------------
IBM has not released any security alerts since February 25, 1998, but see Quick Tidbit "J)" below.

-------------------------------------------------------------------

11) NT/WIN95 SECURITY PROBLEMS AND PATCHES

The Microsoft Security Home Page is located at:
Additional NT Security Related web pages may be found at:

---------------
A) 3/31/98 - Microsoft announces patch for the IE 4.0 "Embed Issue." The patch protects Internet Explorer users against malicious Web pages which could cause IE 4.0 to crash through an exploit with the "EMBED" tag. See the MS Security Home Page for more information.

---------------
B) 4/21/98 - Microsoft announces fix for the NetMeeting "Speed-dial Issue." According to the MS notice, "a malicious Website author could link to a specially edited NetMeeting speed dial object and cause NetMeeting to crash. Once NetMeeting has crashed, a skilled hacker could run arbitrary code in the computer's memory." NetMeeting 1.0, 2.0 and 2.1 are vulnerable. See the MS Security Home Page for more information.

---------------
C) 4/23/98 - Microsoft announces a hotfix release for the "LSA Secrets Vulnerability" which allows a local administrator to view the contents of the security information stored in the Local Security Authority (LSA) database under certain circumstances. The vulnerability affects NT versions 3.51 and 4.0. The hotfix is only for 4.0 -- the 3.51 hotfix is not available at this time.
For more information see the Microsoft bulletin at:

-------------------------------------------------------------------

12) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES

OpenBSD's Security web page is at:
FreeBSD maintains a security web page at:
BSDI maintains a support web page at:

---------------
A) 3/12/98 - FreeBSD announces vulnerability of FreeBSD versions to the LAND attack. Versions affected are: 2.1.*, 2.2.0R, 2.2.1R, 2.2.5R, FreeBSD-stable and FreeBSD-current. The LAND attack has been widely discussed over the last four months (including articles in the previous two SANS Digests). Patches are available from FreeBSD. For more information see the FreeBSD Security Alert at:

Patches are available at:

If you missed the articles on the LAND/Teardrop DoS type attacks, refer to the following web pages:

---------------
B) 3/12/98 - FreeBSD announces security vulnerability in the mmap routine for FreeBSD versions FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current before 1998/03/11. This is an update to the mmap() vulnerability mentioned last month in SANS. The mmap() system call is used to map files to a memory address space. In some 4.4 BSD derived operating systems (such as FreeBSD, NetBSD, OpenBSD, and BSDI), a vulnerability exists within this system call that allows a user of a privileged group (kmem) to become root. This vulnerability also allows a root user to modify the secure level of a system. This setting normally prevents everyone, even root users, from making some security critical modifications to a normal system. For more information see the FreeBSD Security Alert at:

Patches are available at:

---------------
C) 4/4/98 - Transactions-TCP Denial of Service vulnerability. In FreeBSD (and presumably other OSes), Transactions-TCP is open to a new variant of a SYN-flood attack and in some cases can be used to run commands on an attacked machine.
For details, see the bugtraq message at:

---------------
D) 4/7/98 - BSDI server bug can cause DoS attacks. The BSDI inetd daemon can be crashed by commands run across the network. The problem can be resolved by applying the BSDI patch M310-009. For more information see the bugtraq postings listed below. Both BSDI-3.1 and BSDI-2.1 servers are vulnerable. Patches are available from BSDI at:

-------------------------------------------------------------------

13) QUICK TIDBITS

A) 3/28/98 - Easy Denial of Service (DoS) Attacks. Easy ways to initiate DoS attacks have been reported for most RPC programs, including those connected to a TCP port (telnet, netcat, rpc.pcnfsd, rpc.ypxfrd, rpc.portmap, and probably more). The problems lie within the libc or glibc libraries and are not going to be easy to resolve. For more details see the bugtraq postings at:

---------------
B) 3/20/98 - FrontPage98 Server Extensions for UNIX has a new release which fixes several security problems.

---------------
C) 4/5/98 - Security holes in mailcap. Many mailcap-compatible UNIX mail clients have security holes. The mailcap mechanism is often poorly implemented, enabling a wide range of attacks - from 'harmless' changes to the screen, through the execution of arbitrary commands via an e-mail message. For more information see the bugtraq posting at:

---------------
D) 4/6/98 - CEOs hear the unpleasant truth about computer security. Computer hackers breaking into government and corporate computers is estimated to be a $10 billion-a-year problem, so CEOs met in Atlanta in early April to hear what government and industry experts are doing about the problem. The CNN news article is posted at:

---------------
E) 4/8/98 - SGI IRIX 6.3 ships with IPX protocol support that includes two binaries, ipxchk and ipxlink, which are suid root. These programs have vulnerabilities that may allow root access.
Although SGI never issued an alert, they have referenced a security problem with these programs in a separate patch. For protocol support, contact SGI directly. No security patch is currently available. For more information, see the bugtraq posting at:

---------------
F) 4/11/98 - Recent discussions on the bugtraq mailing list have focused on writing secure software. The following links point to three articles that were described as good resources for people wishing to write secure software:

---------------
G) 4/13/98 - The Smartcard Developer Association (SDA) and two U.C. Berkeley researchers demonstrated that the "secret" encrypted information in a cell phone can be extracted and then moved into another cell phone, which then has the same identity as the first. For more information, see the posting at:

---------------
H) 3/12/98 - CIAC posts bulletin regarding Internet Cookies. CIAC has prepared an Information Bulletin on Internet Cookies, explaining what they are and what they are not. Depending on your experience you may find the information comforting or disheartening. The author explains that they cause "no damage to files or systems. Cookies are used only to identify a web user, though they may be used to track browsing habits." The CIAC Bulletin is available at:

---------------
I) 3/18/98 - Posting on bugtraq regarding a denial of service attack on AIX 4.1 machines running ttdbserver. The attack can be initiated by anyone on the Internet without a login or password on the vulnerable system. The attack can result in a slowdown of the system or a complete crash of the system depending on the configuration of the machine being attacked. AIX inetd PATCH IX70400 fixes this problem.

---------------
J) Sendmail 8.9.0 Beta is released for testing. This new version focuses on spam control techniques.
You can get it at:

-------------------------------------------------------------------

14) UPCOMING EVENTS

A) SANS98, Monterey, California, May 7-15, 1998. Widely regarded as the best source of practical security education for advanced technical professionals. See for a complete agenda including 40 courses and a five-track technical program.

B) 10th Annual FIRST Conference, Monterrey, Mexico, June 22-26, 1998. See the web page:

---------------
C) Call for participation in the Davis Workshop on "Intrusion Detection: Practice and Research," July, 1998, Davis, California. Limited to 12 US practitioners from large organizations and 12 researchers. Co-hosted by UC-Davis and the US NSWC-Dahlgren. For a submission package, email with the subject "Davis Workshop on ID".

*********************

Copyright, 1998, The SANS Institute. No copying, forwarding or posting allowed without written permission. Email digest@sans.org for information on subscribing. You'll receive a complete subscription package and sample issue in return. The digest is available at no cost to practicing security, networking and system administration professionals in medium and large organizations. Archives of past issues are posted at

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNUU/yaNx5suARNUhAQGUBQP9HO2tFQUPERHjH5LidSpJk7bYSkowXThX
qT7dYSCsHCnBm0DXQQTGT46yiK4JofwQy2+TvcnJQT3vFtFK2CIEut6z8Ji7P3Lw
dyZsFtV/+6YUJaDuKpPl5qUdtco55PiwlYju1o/elNvSt7uWyKN0SxX38Aue1ssu
5fHD4vhSLuE=
=ipRj
-----END PGP SIGNATURE-----
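Item 2 of the digest above recommends mkstemp over hand-built /tmp names but does not show why. The C program below is an added example written for this edited copy; it is not part of the digest and not any vendor's code. It places the vulnerable open() pattern beside the O_EXCL and mkstemp forms inside a private directory it creates itself, plants a symlink at the guessable name to stand in for a program that lost the race, and checks which open calls end up writing through the link. The directory, file names and function names (open_tmp_vulnerable, open_tmp_excl, open_tmp_hardened, fd_matches_path, demo) are all constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a fixed, guessable name opened with O_CREAT but
 * without O_EXCL. open() follows a symlink that already occupies that
 * name, so the link's target is truncated and written instead. */
int open_tmp_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_EXCL on its own: even with a guessable name, open() fails with
 * EEXIST when any entry (including a symlink) already exists there. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hardened pattern: mkstemp() replaces the trailing XXXXXX with an
 * unpredictable suffix and creates the file with O_CREAT|O_EXCL, so it
 * never follows a pre-existing symlink at the name it chooses. */
int open_tmp_hardened(char *template_path)
{
    return mkstemp(template_path);
}

/* Check that an open descriptor is a regular file and is the very
 * directory entry at 'path' (not a symlink pointing somewhere else). */
int fd_matches_path(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0) return 0;
    if (!S_ISREG(fs.st_mode) || S_ISLNK(ls.st_mode)) return 0;
    return fs.st_dev == ls.st_dev && fs.st_ino == ls.st_ino;
}

/* Demonstration in a private directory (constructed sandbox). Returns 1
 * when the vulnerable open wrote through the planted link while both
 * hardened forms did not; returns 0 if anything unexpected happened. */
int demo(void)
{
    char dir[64];
    char victim[300], guessable[300], tmpl[300];
    struct stat st;
    int result = 1, fd;

    strcpy(dir, "/tmp/tmprace_demo_XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./tmprace_demo_XXXXXX");   /* fallback: current dir */
        if (mkdtemp(dir) == NULL) return 0;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guessable, sizeof guessable, "%s/scratch.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/scratch.XXXXXX", dir);

    /* victim file with known content, then the planted symlink */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) result = 0;
    if (fd >= 0) close(fd);
    if (symlink(victim, guessable) != 0) result = 0;

    /* 1. vulnerable: descriptor is the link target, victim is truncated */
    fd = open_tmp_vulnerable(guessable);
    if (fd < 0 || fd_matches_path(fd, guessable)) result = 0;
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0 || st.st_size != 0) result = 0;

    /* 2. O_EXCL on the same name: refused with EEXIST, nothing written */
    errno = 0;
    if (open_tmp_excl(guessable) != -1 || errno != EEXIST) result = 0;

    /* 3. mkstemp: a fresh regular file that is exactly the new entry */
    fd = open_tmp_hardened(tmpl);
    if (fd < 0 || !fd_matches_path(fd, tmpl)) result = 0;
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(guessable); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    printf("temp file race demo: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

The fd_matches_path check is the same test a reviewer can apply to any temp-file code: after the open, the descriptor must be a regular file whose inode is the entry at the path, which is only guaranteed when the name was created with O_EXCL (directly or via mkstemp). Programs that still build their own names with mktemp or tmpnam should be treated as the race-prone class the digest describes, suid root ones first.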