Subject: May SANS Security Digest Vol. 3 Num. 5
Fr: Rob the SANS Mailing List Guy

Here's the May SANS Network Security Digest. I hope your spring is going well!

RK

-----BEGIN PGP SIGNED MESSAGE-----

=================================================================
|                                                               |
|                            S A N S                            |
|                                                               |
|                The SANS Network Security Digest               |
|                Vol. 3, No. 5          May 20, 1999            |
|                Editor: Michele D. Crabb-Guel                  |
|                                                               |
|                Contributing Editors:                          |
|          Fred Avolio, Steve Bellovin, Matt Bishop,            |
|          Bill Cheswick, Jean Chouanard, Liz Coolbaugh,        |
|          Dorothy Denning, Dan Geer, Mark Edmead, Rob Kolstad, |
|          Richard Jackson, Peter Neumann, Alan Paller,         |
|          Marcus Ranum, Gene Schultz, Gene Spafford,           |
|          John Stewart                                         |
|                                                               |
====A Resource for Computer and Network Security Professionals===

CONTENTS:

i)   Updated Intrusion Detection FAQ
ii)  Final Tutorial Selection for Network Security 1999 (NS99)
iii) SANS Roles and Responsibilities Survey
iv)  Summaries of the SANS99 Technical Conference
v)   June 1 Web Briefing

 1) CIAC ISSUES INFORMATION BULLETIN
 2) HP SECURITY PROBLEMS AND PATCHES
 3) SUN SECURITY PROBLEMS AND PATCHES
 4) SGI SECURITY PROBLEMS AND PATCHES
 5) IBM AIX SECURITY PROBLEMS AND PATCHES
 6) COMPAQ SECURITY PROBLEMS AND PATCHES
 7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
 8) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES
 9) LINUX SECURITY PROBLEMS AND PATCHES
10) CISCO SECURITY PROBLEMS AND PATCHES
11) GENERAL VIRUS INFORMATION
12) QUICK TIDBITS

*****************************************

i) Updated Intrusion Detection FAQ

The Intrusion Detection FAQ has been updated to version 0.6 at
http://www.sans.org/IDFAQ/ID_FAQ.htm; thanks to Stephen Northcutt and his
cast of dozens of volunteers.
=======================================================================

ii) Final Tutorial Selection for Network Security 1999 (NS99)

Final selections for courses at Network Security 99 (New Orleans,
October 3-10) have been made. They include the highest rated programs from
SANS99 plus several new ones that were vetted at SANS99, including
Forensics, Hacker Tools, and Cisco Security Features. For those who require
long lead times, the NS99 registration form is posted at
https://www.sans.org/ns99register.htm, though the supporting web pages are
not quite ready yet. If you register for the conference and at least one
course before June 30, you'll get an extra gift certificate for books at
Amazon.com.

=======================================================================

iii) SANS Roles and Responsibilities Survey

The SANS 1999 Security Roles and Responsibilities Survey aims to create a
chart that correlates job titles with job functions and responsibilities.
It takes 12-15 minutes to fill in for four positions. Those who participate
receive the results of the survey during June.

=======================================================================

iv) Summaries of the SANS99 Technical Conference

Chris Calabrese created a session-by-session, easy-to-read review of the
SANS99 (Baltimore, May 7-9) sessions he attended, and it is posted at
http://www.sans.org/sans99sum.htm. It's so well written it almost feels
like you were there.

=======================================================================

v) June 1 Web Briefing

See http://www.sans.org/jun1.htm to register for the June 1 web briefing.
The first hour of this two-parter is "What The Attackers Know About You:
Anatomy of A Christmas '98 Attack", which goes behind the scenes and
illuminates the processes, skills, and thinking of a sophisticated
attacker. Part 2, the second hour, is the first SANS ToolTalk: "How to Get
Maximum Value Out of TripWire".
=======================================================================

1) CIAC ISSUES INFORMATION BULLETIN

(05/17/1999) CIAC released an Information Bulletin regarding web security.
They continue to receive daily reports of web sites that have been hacked.
Many of these break-ins could be avoided by following good security
practices. The bulletin outlines a number of tips for better securing your
web server. For more information see the CIAC Information Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-042.shtml

=======================================================================

2) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
http://us-support.external.hp.com/ (US and Canada)
http://europe-support.external.hp.com/ (Europe)

Note: Log into the HP Electronic Support Center prior to accessing a
specific support page as identified below.

---------------
HP last released a security bulletin on 04/20/1999.

=======================================================================

3) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
http://sunsolve.sun.com/pub-cgi/secBulletin.pl

Sun Security Patches are available at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access/

---------------
Sun last released a security bulletin on 02/10/1999.

=======================================================================

4) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
http://www.sgi.com/Support/security/security.html

SGI patches are available at:
ftp://ftp.sgi.com/security/

---------------
SGI last released a security advisory on 03/10/1999.
=======================================================================

5) IBM AIX SECURITY PROBLEMS AND PATCHES

IBM maintains a security home page:
http://www.brs.ibm.com/services/brs/ers/brspwers.nsf/Info/Resources/

IBM maintains an on-line support center:
http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases/

---------------
A) IBM has not released any ERS Alerts recently; however, they continue to
release security-related APARs (Authorized Program Analysis Reports) on a
regular basis. For general APAR information see:
http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases

For the latest security APARs, enter the keyword 'security' into the
search window, set an appropriate date range (e.g., April 1999 to May
1999), and select "word stems". The list is then displayed. Important
APARs to review for the last month include:

IX86764 - Linking Users to membership group problem
IX71110 - VSD Driver Security Enhancements
IX89365 - Security related updates in AIX 4.3
IX89364 - Security related updates in AIX 4.2
IX89362 - Security related updates in AIX 4.1

There is a Bugtraq article on the AIX fixes at:
http://www.geek-girl.com/bugtraq/1999_2/0375.html

=======================================================================

6) COMPAQ SECURITY PROBLEMS AND PATCHES

Compaq Tru64 UNIX, OpenVMS, Ultrix, and Windows patches are located at:
http://ftp.service.digital.com/public/

---------------
A) 5/11/99 - Compaq announced a Tru64 UNIX vulnerability in
/usr/dt/bin/dtlogin which may allow users to gain root privileges.
Versions affected are V4.0B, V4.0D, V4.0E, V4.0F. A patch is available
for the affected versions. The Compaq reference number is SSRT0600U. For
more information see the page:
http://ftp.service.digital.com/public/osf/v4.0b/ssrt0600u.README/

---------------
B) 5/7/99 - Compaq updated an announcement about a Tru64 UNIX vulnerability
in /usr/tcb/bin/edauth which may allow users to gain unauthorized access to
security information.
Versions affected are V3.2G, V4.0, V4.0A, V4.0B, V4.0C, V4.0D, V4.0E. A
patch is available for the affected versions. The Compaq reference number
is SSRT0588U. For more information see the page:
http://ftp.service.digital.com/public/osf/v4.0b/ssrt0588u.README/

=======================================================================

7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
http://www.microsoft.com/security/

Additional NT security related web pages may be found at:
http://www.ntbugtraq.com/
http://www.ntbugtraq.com/ntfixes.asp
http://www.ntsecurity.net/

---------------
A) 05/20/1999 - Microsoft released a patch that corrects a security
vulnerability in the Windows NT Remote Access Service (RAS) on client
machines. The vulnerability, which results from a "malformed phonebook
entry", could leave the client vulnerable to a denial of service attack
and, under certain conditions, allow a remote user to execute arbitrary
code. Affected software: Windows NT 4.0. For more information refer to the
Microsoft Security Bulletin (MS99-016) at:
http://www.microsoft.com/security/bulletins/ms99-016.asp

---------------
B) 05/17/1999 - Microsoft released a patch that corrects the "Malformed
Help File" vulnerability. The vulnerability, which results from an
unchecked buffer (hence the malformed files), may allow a user to run
arbitrary code on Windows NT. The patch prevents the code from being
executed; it does not prevent the malformed files from being written. For
more information refer to the Microsoft Security Bulletin (MS99-015) at:
http://www.microsoft.com/security/bulletins/ms99-015.asp

---------------
C) 05/07/1999 - Microsoft released a patch to correct a vulnerability in
the Excel 97 virus warning mechanism. The virus warning feature in Excel 97
is intended to warn the user before launching/opening an external file.
However, under certain conditions, this feature can be bypassed.
For more information refer to the Microsoft Security Bulletin (MS99-014) at:
http://www.microsoft.com/security/bulletins/ms99-014.asp

A Microsoft Knowledge Base article is also available at:
http://support.microsoft.com/support/kb/articles/q231/3/04.asp

---------------
D) 05/07/1999 & 05/14/1999 - Microsoft released a bulletin, and later an
update, regarding a "file viewers" vulnerability. The vulnerability, which
is present in some viewers shipped as part of IIS or Site Server, may allow
a web site visitor to view files on the server if they can guess the name
of the file and have access to the file as granted by NT ACLs. The
vulnerability does not allow the web site visitor to modify or upload
files. Affected versions are Site Server 3.0 (this version is included
with the Commerce Edition), MS Commercial Internet System 2.0, MS
BackOffice Server 4.0 and 5.0, and MS IIS 4.0. Patches are not available
at this time; however, there are steps customers can take to eliminate the
vulnerability from their site. For more information, see the Microsoft
Security Bulletin (MS99-013) at:
http://www.microsoft.com/security/bulletins/ms99-013.asp

A Microsoft Knowledge Base article is available at:
http://support.microsoft.com/support/kb/articles/q231/3/68.asp

---------------
E) 04/21/1999 - Microsoft released patches for IE versions 4.0 and 5.0 that
correct three separate vulnerabilities. The first is similar to the earlier
cross-frame security vulnerability: a malformed URL can be used to execute
script in the context of another web site. The second, which only affects
IE 5.0, is a new variant of the "untrusted scripted paste" problem. The
third involves the HTML "IMG SRC" tag, which identifies and loads an image
file; the tag can be made to point to any file type, potentially exposing
sensitive information. Affected versions are IE 4.0 and 5.0 on Win95, Win98
and NT 4.0 platforms.
For more information see the Microsoft Security Bulletin (MS99-012) at:
http://www.microsoft.com/security/bulletins/ms99-012.asp

---------------
F) 04/21/1999 - Microsoft released a patch for the DHTML Edit
vulnerability. The DHTML Edit control is an ActiveX control that allows
users to edit HTML text and view how it might look in a web browser. The
vulnerability results from the fact that a user can be tricked into loading
sensitive information into the edit window, which the web site operator
can then upload to their own site. Affected versions are IE 5.0 on Win95,
Win98 and NT 4.0, and IE 4.0 where the user has downloaded the control and
is running on Win95, Win98, or the x86 version of NT 4.0. The patch
corrects the problem by allowing a web site that runs the control in its
safe-for-scripting mode to upload the data only if the requesting host is
in the same domain. For more information, see the Microsoft Security
Bulletin (MS99-011) at:
http://www.microsoft.com/security/bulletins/ms99-011.asp

A Microsoft Knowledge Base article is available at:
http://support.microsoft.com/support/kb/articles/q226/3/26.asp

=======================================================================

8) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES

BSDI maintains a support web page at:
http://www.BSDI.COM/support/

FreeBSD maintains a security web page at:
ftp://ftp.cdrom.com/pub/FreeBSD/CERT/advisories/

NetBSD's Security web page is at:
http://www.NetBSD.ORG/Security/

OpenBSD's Security web page is at:
http://www.openbsd.org/security.html

---------------
BSDI: No updates for this period.

FreeBSD: No updates for this period.

NetBSD:
A) 04/21/1999 - NetBSD released a patch for the SVR4 compatibility device
creation vulnerability. The script that creates the devices has an error
whereby it creates a device with the wrong major number.
The erroneous device may allow users "to arbitrarily read or write data
stored on the NetBSD portion of the first IDE disk". Affected versions are
NetBSD 1.3.3 and NetBSD-current prior to 19990420. For more information,
see the NetBSD security advisory (SA1999-009) at:
http://www.NetBSD.ORG/Security/advisory.html
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0215.html

---------------
B) 04/13/1999 - NetBSD released a patch for a file system locking
vulnerability that results in a system panic or hang. Certain kernel
operations, such as creating a symbolic link, may cause the kernel to panic
and hang. Versions prior to NetBSD-current of 19990409 are affected. For
more information see the NetBSD security advisory (SA1999-008) at:
http://www.NetBSD.ORG/Security/advisory.html
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0109.html

=======================================================================

9) LINUX SECURITY PROBLEMS AND PATCHES

Caldera OpenLinux security information can be found at:
http://www.caldera.com/news/security/index.html

Debian GNU/Linux maintains a security web page at:
http://www.debian.org/security/

Red Hat Linux maintains a support page at:
http://www.redhat.com/support/
Red Hat ftp site:
ftp://updates.redhat.com/

The latest Slackware release and patches can be found at:
ftp://cdrom.com/pub/linux/

S.u.S.E. information can be found at:
http://www.suse.com/

---------------
Caldera:
A) 04/30/1999 - Caldera released a security advisory regarding a directory
permission change in the rsync program. Under certain circumstances, rsync
may change the permissions of a user's home directory, which may allow
other users to view sensitive files they would normally not be able to
read. Vulnerable versions are OpenLinux 1.0, 1.1, 1.2, 1.3 and 2.2 running
rsync versions prior to 2.3.1. Version 2.3.1-1.i286.rpm corrects the
problem.
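Most of the permission problems reported in this section come down to the same check: does a file or directory grant group or other more than it should (a home directory loosened by rsync, a shadow file that must be mode 600, a directory holding a privileged helper that must be 0700 and owned by its service user, as the INN item in Quick Tidbits below requires). The script that follows is an added example written for this digest, not code from Caldera, rsync, INN or SANS. It derives a file's octal mode from `ls -ld` (so it needs nothing beyond POSIX sh), compares it against an allowed maximum, checks ownership, and wraps those checks into an audit. The paths /usr/local/news/bin and the `news` user in audit_perms are assumed values, not taken from the advisories.

```shell
#!/bin/sh
# perm_audit.sh - added example for the SANS digest; not code from Caldera,
# rsync, INN or SANS. Reports files and directories whose permission bits go
# beyond an allowed maximum mode, and checks who owns them. The paths used
# by audit_perms are assumptions about a typical layout.

# octal_mode FILE
#   Print FILE's permission bits as three octal digits (e.g. 644). Derived
#   from the mode string of `ls -ld`, so it runs under any POSIX sh without
#   GNU stat(1). setuid/setgid/sticky are folded into the execute bit; they
#   are not what these checks are about.
octal_mode() {
    _str=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ -n "$_str" ] || return 1
    _res=""
    for _pos in 1 4 7; do
        _bits=0
        case $(printf '%s' "$_str" | cut -c"$_pos") in
            r) _bits=$((_bits + 4)) ;;
        esac
        case $(printf '%s' "$_str" | cut -c$((_pos + 1))) in
            w) _bits=$((_bits + 2)) ;;
        esac
        case $(printf '%s' "$_str" | cut -c$((_pos + 2))) in
            x|s|t) _bits=$((_bits + 1)) ;;
        esac
        _res="$_res$_bits"
    done
    printf '%s\n' "$_res"
}

# check_mode FILE MAXMODE
#   Succeed when every permission bit set on FILE is also set in MAXMODE
#   (octal: 600 for a shadow file, 700 for a directory holding inndstart,
#   755 for a home directory). Otherwise print a finding and fail.
check_mode() {
    _have=$(octal_mode "$1") || { printf 'MISSING %s\n' "$1"; return 2; }
    # bits present in FILE but absent from MAXMODE, masked to rwx bits
    _extra=$(( 0$_have & ~0$2 & 0777 ))
    if [ "$_extra" -ne 0 ]; then
        printf 'LOOSE %s mode=%s allowed=%s\n' "$1" "$_have" "$2"
        return 1
    fi
    return 0
}

# check_owner FILE USER
#   Succeed when FILE is owned by USER (owner column of `ls -ld`).
check_owner() {
    _owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ -n "$_owner" ] || { printf 'MISSING %s\n' "$1"; return 2; }
    if [ "$_owner" != "$2" ]; then
        printf 'OWNER %s owner=%s expected=%s\n' "$1" "$_owner" "$2"
        return 1
    fi
    return 0
}

# audit_perms
#   The checks a practitioner would script after reading this section:
#   shadow file 0600 and root-owned, no home directory open beyond 0755,
#   and the directory holding a privileged helper such as inndstart at
#   0700 and owned by the service user. INND_DIR and the news user are
#   assumed values.
audit_perms() {
    _rc=0
    check_mode /etc/shadow 600 || _rc=1
    check_owner /etc/shadow root || _rc=1
    for _home in /home/*; do
        [ -d "$_home" ] || continue
        check_mode "$_home" 755 || _rc=1
    done
    INND_DIR=${INND_DIR:-/usr/local/news/bin}
    if [ -d "$INND_DIR" ]; then
        check_mode "$INND_DIR" 700 || _rc=1
        check_owner "$INND_DIR" news || _rc=1
    fi
    return $_rc
}

# Run the audit only when invoked as `sh perm_audit.sh audit`, so the
# functions can also be sourced into other scripts.
case ${1-} in
    audit) audit_perms ;;
esac
```

Each finding is one line prefixed LOOSE, OWNER or MISSING, so the output can be grepped or fed to a cron job; the exit status of audit_perms is non-zero whenever anything was flagged.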
Users can also manually change the permissions on their home directory
should they discover they are incorrect. For more information, see the
Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:010.0.txt

---------------
B) 04/27/1999 - Caldera released a security advisory regarding incorrect
permissions on the /etc/shadow file that allow anyone to read it.
Vulnerable versions include OpenLinux 2.2 prior to coas-1.0-8. The problem
can be corrected by running "chmod 600 /etc/shadow" or by installing the
coas-1.0-8 package. For more information see the Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:009.0.txt
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0291.html

---------------
C) 04/20/1999 - Caldera released an advisory regarding buffer overflows in
the procmail program. This problem was first discussed on the Bugtraq
mailing list on 04/06/1999. A patch is available from Caldera. For more
information see the Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:007.0.txt

---------------
Debian:
A) 04/22/1999 - Debian GNU/Linux reported a buffer overflow problem with
procmail. This is the same procmail problem discussed on the Bugtraq
mailing list on 04/06/1999. A corrected version is available from Debian
at:
http://www.debian.org/security/1999/19990422

---------------
Red Hat:
A) 05/11/1999 - Red Hat announced a fix for a security vulnerability in the
xscreensaver package shipped with Red Hat Linux 6.0. In the shipped
version, several security checks were disabled. For more information see:
http://www.redhat.com/corp/support/errata/rh60-errata-general.html

---------------
B) 04/16/1999 - Red Hat released security fixes for three separate
programs: NFS, procmail and lpr.
For more information see the Red Hat Errata notes at:
http://www.redhat.com/corp/support/errata/rh52-errata-general.html
http://www.redhat.com/corp/support/errata/rh51-errata-general.html
http://www.redhat.com/corp/support/errata/rh50-errata-general.html
http://www.redhat.com/corp/support/errata/rh42-errata-general.html

---------------
S.u.S.E.: No reports this period.

=======================================================================

10) CISCO PROBLEMS AND PATCHES

Cisco Systems maintains an Internet Security Advisories page at:
http://www.cisco.com/warp/public/791/sec_incident_response.shtml

---------------
Cisco last released an Internet Security Advisory on 04/13/1999.

=======================================================================

11) GENERAL VIRUS INFORMATION

We will only include items on viruses that have been widely discussed.
This is not meant to be an all-inclusive update on recent virus problems
and solutions. Virus information is available from a variety of sites,
including:
http://www.antivirus.com/
http://www.avpve.com/
http://www.drsolomon.com/
http://www.datafellows.com/
http://www.nai.com/
http://www.sophos.com/
http://www.symantec.com/avcenter/

Good sources for virus myths and hoaxes are:
http://www.kumite.com/myths/
http://ciac.llnl.gov/ciac/CIACHoaxes.html

---------------
A) The CIH/Chernobyl virus received lots of press this past month as April
26th came and went. The hardest hit region was the Far East. There are a
number of variants of the CIH virus; some can overwrite the hard disk and
the flash BIOS of an infected computer, resulting in a complete loss of
data. Various anti-virus product vendors published alerts concerning CIH
and its variants.
For more information see the following resources:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/spacefiller411.asp
http://www.datafellows.com/cih/
http://www.symantec.com/avcenter/venc/data/cih.html
http://www.symantec.com/avcenter/kill_cih.html
http://www.virusbtn.com/VirusInformation/cih.html

CERT released an Incident Note (IN-99-03) on April 26th regarding the
CIH/Chernobyl virus. The note provides a description of the virus and
suggests some possible solutions, along with URLs for vendor-related
information. The Incident Note can be found at:
http://www.cert.org/incident_notes/IN-99-03.html

=======================================================================

12) QUICK TIDBITS

A) 05/14/1999 - ssh version 1.2.27 is released. This release includes a
number of bug fixes and enhancements. For the full list, see the Bugtraq
article at:
http://www.geek-girl.com/bugtraq/1999_2/0476.html

---------------
B) 05/11/1999 - An article appeared on Bugtraq describing two security
vulnerabilities in INN 2.0 and higher. The first may allow the news user
to execute arbitrary programs as root if they can control the behavior of
the inndstart program. The solution requires a source code change to the
inndstart.c module. The second results from the fact that the inndstart
program is not installed in a directory accessible only by the user news.
The solution for this problem is to install the inndstart program in a
directory with 0700 permissions. INN versions 1.7.2 and lower are not
affected by these vulnerabilities. For more information, see the Bugtraq
article at:
http://www.geek-girl.com/bugtraq/1999_2/0431.html

---------------
C) 05/10/1999 - During the opening session of the SANS99 Technical
Conference, Alan Paller and Rob Kolstad presented SANS Technology
Leadership Awards to the editors of Bugtraq, NTBugtraq and the SANS Digest
as "The Three Most Valuable Security Publications".
During the Fall of 1998, the SANS Community was asked to rate which
security information sources provided them with the most useful
information. The list included such publications as InfoWorld, SysAdmin,
and others. However, the three most selected choices were write-ins. The
individuals who received the awards were:

Elias Levy (a.k.a. Aleph1), Editor of Bugtraq
Russ Cooper, Editor of NTBugtraq
Michele D. Crabb-Guel, Primary editor of the SANS Digest

---------------
D) 05/06/1999 - ISS released an X-Force Alert reporting multiple
vulnerabilities in Oracle 8. The vulnerabilities, which involve insecure
file creation and manipulation, may allow malicious local users to exploit
the Oracle administrative tools and gain access to view, modify and append
information. For more information see the ISS X-Force Alert at:
http://www.iss.net/xforce/alerts/advise26.html

---------------
E) 05/02/1999 - An article was published on advances in cryptographic code
breaking by an Israeli scientist. Adi Shamir, one of the world's foremost
cryptographers and the "S" in the RSA public-key cryptosystem, will soon
introduce a design for a device that would be able to quickly factor the
moduli of public keys of 512 bits or less, and so recover the
corresponding private keys. The paper describing the device was first
presented during the EUROCRYPT rump session. For more information see:
http://www.rsa.com/rsalabs/html/twinkle.html
The paper is available at:
http://jya.com/twinkle.htm

---------------
F) 04/28/1999 - The UK Government announced the completion of its
evaluation of NT 4.0 under the ITSEC scheme and has awarded it a rating of
E3/F-C2. For more information see the summary posted by Microsoft at:
http://www.microsoft.com/security/issues/e3fc2summary.asp

---------------
G) 04/07/1999 - rsync version 2.3.1 was released. This version corrects a
security vulnerability with transferring empty directories.
For more information see:
http://rsync.samba.org/cgi-bin/rsync?findid=1706#themesg

---------------
H) 04/06/1999 - procmail version 3.13.1 was released. This version corrects
several buffer overflow problems and eliminates keyword conflicts with
newer versions of gcc. The new version may be downloaded from:
http://www.procmail.org/procmail.tar.gz
For more information, see the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0040.html

---------------
I) Kurt Seifried has published a Linux Administrators Security Guide
(LASG). Check it out at:
https://www.seifried.org/lasg/

---------------
J) nmap 2.2-BETA4 is now available. For more information on nmap and to
download the new version, go to:
http://www.insecure.org/nmap/index.html#download

******************

Copyright 1999, The SANS Institute. No copying, forwarding, or posting
allowed without written permission (write for permission).

Email for information on subscribing. You'll receive a free subscription
package and sample issue in return. To unsubscribe or change address,
forward this note to with appropriate instructions.

The digest is available at no cost to practicing security, networking and
system administration professionals in medium and large organizations.
Archives of past issues are posted at http://www.sans.org/digest.htm .

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN0Sn1qNx5suARNUhAQFbrgQAllPqW2KVLug24tjBrn15AeswUJYfki4O
+BnW90NxPAvNU2En1uMfgkv9qVdEzRFnMTlhD9hQ9VOg11BP7cmQ3wKpVgwUMZG5
wuERE9TWe70701DrjgvVm4eMA9Nffr4cAKvg807Sn/C/JkLwYBwOA7BwBT9LXqTR
pcuA+CqZtXk=
=h2FJ
-----END PGP SIGNATURE-----