Subject: [Fwd: SANS Digest Vol. 6 #2]
To: None <tech-security@NetBSD.ORG>
From: Scott Bartram <scottb@iis.com>
List: tech-security
Date: 07/24/1998 11:21:54
This is a multi-part message in MIME format.
--------------C448A89A304B48CFEB8C15DE
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Although the Table of Contents doesn't mention it explicitly, SANS has
added us to the *BSD section...
scott
--------------C448A89A304B48CFEB8C15DE
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
(Netscape Messaging Server 3.5) with ESMTP id AAA38AA
for <scottb@iis.com>; Fri, 24 Jul 1998 10:39:51 -0400
by gort.iis.com (8.8.8/8.8.5) with ESMTP id KAA12749
for <scottb@iis.com>; Fri, 24 Jul 1998 10:44:11 -0400 (EDT)
by ice.clark.net (8.8.8/8.8.8) with ESMTP id KAA07428
for <scottb@iis.com>; Fri, 24 Jul 1998 10:45:17 -0400 (EDT)
From: "SANS Inst." <sans@clark.net>
Date: Fri, 24 Jul 1998 10:44:05 -0400 (EDT)
Message-Id: <199807241444.KAA21698@shell.clark.net>
To: scottb@iis.com
Subject: SANS Digest Vol. 6 #2
To: Scott Bartram
From: Rob Kolstad, SANS Institute
Enclosed please find your copy of the latest issue of the SANS Network
Security Digest.
SANS News: The SANS Institute has a new e-mail processor and it is I:
Rob Kolstad. I am automating some tasks so that we can devote more
personal time to those tasks that require the human touch. Please feel
free to write to me at sans@clark.net with any suggestions you might
have on how better we can serve you.
RK
-----BEGIN PGP SIGNED MESSAGE-----
- -----------------------------------------------------------------
| @@@@ @@ @ @ @@@@ |
| @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @ @@@@ Vol. 2, No. 6 |
| @ @@@@@@ @ @ @ @ July 22, 1998 |
| @ @ @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @@@@ |
| The SANS Network Security Digest |
| Editor: Michele Crabb |
| July Guest Editor: Liz Coolbaugh |
| Contributing Editors: |
| Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz |
| Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer |
| Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard |
| Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh |
| Mark Edmead, Michael Kuhn |
- ----A Resource for Computer and Network Security Professionals---
CONTENTS:
i) SHADOW: FREE SOFTWARE FOR INTRUSION DETECTION
ii) FIVE NEW COOPERATIVE RESEARCH PROJECTS FROM SANS
1) CERT RELEASES BULLETIN ON QPOPPER VULNERABILITY
2) RECENT INCREASE IN NETWORK SCANNING USING MSCAN
3) DISTRIBUTED DOS ATTACK AGAINST NIS/NIS+ BASED NETWORKS
4) VERSION 1.3 OF TRIPWIRE IS RELEASED
5) 56 BIT CRACKED IN LESS THAN THREE DAYS
6) BUFFER OVERFLOW VULNERABILITY IN IMAPD SEVER
7) HP SECURITY PROBLEMS AND PATCHES
8) SUN SECURITY PROBLEMS AND PATCHES
9) SGI SECURITY PROBLEMS AND PATCHES
10) NT/WIN95 SECURITY PROBLEMS AND PATCHES
11) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES
12) LINUX SECURITY PROBLEMS AND PATCHES
13) VIRUS UPDATE INFORMATION
14) QUICK TIDBITS
*****************************************
*****************************************
i) SHADOW: FREE SOFTWARE FOR INTRUSION DETECTION
In the past 60 hours announcements of SHADOW availability were reported
on ABC, InfoWorld, and C-NET - three top on-line news services. SHADOW
is the SANS Institute's cooperative software development project that
created a robust, public-domain intrusion detection and analysis system.
Over 1,100 people requested the documentation within the first 36 hours.
You may get the SHADOW documentation by emailing info@sans.org with
subject "SHADOW description." If you later download the SHADOW
software, please be prepared to provide feedback to the SANS Institute
on its operation and any problems you found.
Courses on intrusion detection and incident handling, to help you
understand and implement SHADOW or other ID tools, are scheduled
beginning on Monday in San Francisco, Thursday in New York, and
next month in Washington DC. They are taught by the top-rated teacher
of intrusion detection, Stephen Northcutt. Stephen also manages one
of the two most successful ID analysis teams in the US government.
July 27-28 San Francisco <http://www.sans.org/sf/sf.htm#NT-209>
July 30-31 New York <http://www.sans.org/ny/ny.htm#NT-209>
August 24-25 Washington <http://www.sans.org/dc2/dc2.htm#NT-209>
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
ii) FIVE NEW COOPERATIVE RESEARCH PROJECTS FROM SANS
SANS conducts research in which practitioners share the challenges
they face and the lessons they have learned. All 52,000 SANS subscribers
and alumni may participate in one or more of the five new 1998 Summer
Research projects. If you provide substantive help, you'll receive a
free copy of the resulting research report, which will be in the style
of the widely acclaimed "Windows NT Security: Step-by-Step" guide
published earlier this spring. The new projects are posted at
<http://www.sans.org/summer.htm>
They include:
SCR98-4 Virtual Private Networks: Step-by-Step
SCR98-5 Securing Solaris: Step-by-Step
SCR98-6 Metrics and Benchmarking for Measuring Computer Security
SCR98-7 Intrusion Detection and Vulnerability Analysis Tools:
Comparison and Assessment
SCR98-8 Firewall Troubleshooting: Step-by-Step
Participation for these projects closes July 31, 1998.
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
1) CERT RELEASES BULLETIN ON QPOPPER VULNERABILITY (07/14/98)
In the June SANS Digest we discussed the security vulnerabilities
reported with buffer overflows in POP servers based on Qualcomm's
qpopper. The vulnerability may allow a malicious remote user to gain
root access. All versions of qpopper prior to 5.2 are known to be
vulnerable. Patches are available from Qualcomm at:
<ftp://ftp.qualcomm.com/Eudora/servers/unix/popper/>
For more information see the CERT Bulletin at:
<http://www.ciac.org/ciac/bulletins/i-069.shtml>
- -------------------------------------------------------------------
- ------------------------------------------------------------------
2) RECENT INCREASE IN NETWORK SCANNING USING MSCAN (07/20/98)
AUSCERT released an advisory concerning recent widespread use of
a new tool called mscan (or multiscan). The mscan tool is similar
to other network scanning tools that allow you to scan complete ranges
of IP addresses to look for well-known vulnerabilities. Mscan is known
to detect the following vulnerabilities:
statd
nfs
cgi-bin programs such as phf, cgi-test and handler
X11
POP3
IMAP
DNS and BIND
finger
These vulnerabilities have been discussed in vendor alerts,
CERT/CIAC Bulletins, as well as in previous SANS Digests.
For more information refer to the AUSCERT Advisory at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan>
Or the CIAC Bulletin at:
<http://www.ciac.org/ciac/bulletins/i-073.shtml>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
3) DISTRIBUTED DOS ATTACK AGAINST NIS/NIS+ BASED NETWORKS (06/29/98)
The ISS XFORCE team issued an alert describing a new style of distributed
DoS attack against NIS/NIS+ based networks via the finger daemon. The
implementation scheme for the finger service in a NIS environment allows
any user to disrupt an entire NIS-based network by doing finger queries
to multiple NIS clients. Although the problem lies in the finger service,
the attack causes long duration, network-wide congestion and resource
exhaustion on NIS servers. The problem can be alleviated by disabling
finger. No vendor patches have been reported so far. For more information,
see the Xforce Bulletin at:
<http://www.iss.net/xforce/alerts/nis-attack.html>
or the CIAC Bulletin at:
<http://www.ciac.org/ciac/bulletins/i-070.shtml>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
4) VERSION 1.3 OF TRIPWIRE IS RELEASED (07/20/98)
On July 20, Visual Computing(tm) released version 1.3 of Tripwire(R)
for Unix and Linux systems. This is an enhanced version of the
"traditional" Tripwire many people have been using for years. Visual
Computing is also soliciting feedback from customers for the 1.5 release
of Tripwire (scheduled for release in September, 1998), which will work
on Windows as well as on Unix.
Purdue University licensed the Tripwire source code and trademark to
Visual Computing in December of 1997. Gene Kim, one of the authors of
the original Purdue Tripwire, is VP of Visual Computing. According
to Dr. Gene Spafford, "This arrangement was made to ensure that Tripwire
possibly the most widely used intrusion detection system in the world
would continue to be maintained and ported to new platforms."
Details of the 1.3 and 1.5 releases, plus tech support, are
available from:
<http://www.visualcomputing.com/tripwire/>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
5) 56 BIT CRACKED IN LESS THAN THREE DAYS (07/17/98)
Electronic Frontier Foundation researchers cracked 56 bit DES in
three days using a machine they built for less than $250,000. The
machine dubbed "The DES Cracker" which is an ordinary PC computer
connected to a array of custom chips, is able to read Des encrypted
information by finding the key used to encrypt the data. The
previous record for cracking DES was 39 days and was done with a
network of thousands of machines. According to EFF Executive
Director Barry Steinhardt, "[We] built the EFF DES Cracker to counter
the claim made by U.S. government officials that governments cannot
decrypt information when protected by DES, or that it would take
multi-million-dollar networks of computers months to decrypt one message.
The government has used that claim to justify policies of weak encryption
and 'key recovery,' which erode privacy and security in the digital age,"
said. It is now time for an honest and fully informed debate, which we
believe will lead to a reversal of these policies."
The full article can be found at:
<http://www.eff.org/descracker.html>
Other information can found at:
<http://www.eff.org/descracker>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
6) BUFFER OVERFLOW VULNERABILITY IN IMAPD SEVER (07/20/98)
CERT released an advisory announcing a new vulnerability in some
implementations of IMAP servers. There is a buffer overflow in the
library code which is part of the University of Washington's IMAP
server that handles SASL server-level authentication. All versions
of the UofW server prior to imap-4.1 that support SASL, and all
variants based on this version, are vulnerable. In addition,
any V10.234 server that was distributed as part of the Pine 4.0
distribution is vulnerable as well. The vulnerability may allow a
remote user to execute arbitrary processes on the local host with the
privileges of the process running the IMAP server. For additional
information and list of vendors whose products are known to be
vulnerable, see the CERT Advisory at:
<http://www.cert.org/advisories/CA-98.09.imapd.html>
The problem has been fixed in Pine 4.1. If you are using the IMAPD
server, update your version to the one listed below:
<ftp://ftp.cac.washington.edu/mail/imap.tar.Z>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
7) HP SECURITY PROBLEMS AND PATCHES
The HP Electronic Support Center is located at:
<http://us-support.external.hp.com/> (US and Canada)
<http://europe-support.external.hp.com/> (Europe)
---------------
A) 06/25/98 - RSI announced the discovery of three vulnerabilities in
the HP-UX rlpdaemon which could allow a remote user to gain unauthorized
access to stored files in the rlp home directory. This problem affects
releases HP-UX 9.x and 10.x. No patch is available at this time. For
more refer to the RSI Alert Advisory at:
<http://www.repsec.com/advisory/0006.html>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
8) SUN SECURITY PROBLEMS AND PATCHES
Sun Security Bulletins are available at:
<http://sunsolve.sun.com/pub-cgi/secbul.pl>
Sun Security Patches are available at:
<http://sunsolve.sun.com/sunsolve/pubpatches/patches.html>
---------------
A) 07/15/98 - Sun announced release of patches for the libnsl module
which is the Network Services Library. The patch corrects several
buffer overflow vulnerabilities which may be exploited to gain root
access. Patches are available for SunOS 5.6, 5.5.1, 5.5 and 5.4.
A patch for SunOS 5.3 is expected within 8 weeks. For more information
see the Sun Security Bulletin #00172 at:
<http://sunsolve1.Sun.COM/pub-cgi/us/sec2html?secbull/172>
---------------
B) 07/15/98 - Sun announced the release of patches for the System
administration applications package, SUNWadmap for O/S versions
5.6 (3/98 and 5/98 Update release). A vulnerability was discovered
in one of the routines which could be exploited to gain root access.
For more information see Sun Security Bulletin #00173 at:
<http://sunsolve1.Sun.COM/pub-cgi/us/sec2html?secbull/173>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
9) SGI SECURITY PROBLEMS AND PATCHES
SGI maintains a security home page at:
<http://www.sgi.com/Support/security/security.html>
SGI patches are available at:
<ftp://ftp.sgi.com/security/>
------------
A) 06/26/98 - SGI acknowledged the mailx(1) buffer overrun
vulnerability that had been publicly reported by several
individuals and discussed in the Internet newsgroups.
SGI said it is investigating the problem. No patches are
available at this time. For more information, refer to the
SGI advisory is at:
<ftp://sgigate.sgi.com/security/19980605-01-A>
------------
B) 06/26/98 - SGI acknowledged a vulnerability in Public-Key
Cryptography Standard #1 (PKCS#1) reported by CERT CA-98.07
and discussed in the June SANS Digest. SGI is investigating
the problem at this time. The SGI advisory is at:
<ftp://sgigate.sgi.com/security/19980606-01-A>
For more information, refer to the CERT Advisory at:
<ftp://ftp.cert.org/pub/cert_advisories/CA-98.07.PKCS>
------------
C) 07/20/98 - SGI reports vulnerabilities in the ioconfig and
disk_bandwidth programs for IRIX 6.4. Both of these programs are
installed by default and would normally be used by a system
administrator. However, the recently discovered vulnerability may
allow a local user to gain root privileges. No workaround is yet
available. SGI strongly encourages people to change the
permission mode to "500" on the following two files:
/sbin/ioconfig and /sbin/disk_bandwidth
For more information see the SGI Advisory at:
<ftp://sgigate.sgi.com/security/19980701-01-P>
------------
D) 07/20/98 - SGI announces new patch for the mailcap vulnerability
first reported in April 1998. The previous patch has an error.
For more information see the SGI Advisory at:
<ftp://sgigate.sgi.com/security/19980403-02-PX>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
10) NT/WIN95 SECURITY PROBLEMS AND PATCHES
The Microsoft Security page is located at:
<http://www.microsoft.com/security/>
Additional NT Security Related web pages may be found at:
<http://ntbugtraq.ntadvice.com/archives/default.asp>
<http://www.ntsecurity.net/>
---------------
A) 06/26/98 - RSA Data Security discovered a vulnerability that
affects properly implemented versions of the SSL protocol. The
Microsoft Product Security Response Team has produced an update that
will work with the following Microsoft Internet server software:
Microsoft Internet Information Server 3.0 and 4.0
Microsoft Site Server 3.0 Commerce Edition
Microsoft Site Server Enterprise Edition
Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)
Updating to a new SCHANNEL.DLL will resolve this vulnerability for
the listed Microsoft server products. More information is available at:
<http://www.microsoft.com/security/bulletins/ms98-002.htm>
---------------
B) 06/26/98 - Computer Associates listed a security patch for
InocuLAN 4 for Windows NT which resolves a problem with a hidden share
file called CHEYUPD$ created by InocuLAN. This hidden share is used to
distribute signature file updates when InocuLAN starts. The patch was
created to eliminate the possibilities of this hidden share being used
for purposes other than originally intended. For more information, see:
<http://www.cheyenne.com/CheyTech/techbases/ilnt/cheyupd$.html>
---------------
C) 07/08/98 - Microsoft acknowledged a bug in Microsoft Internet
Information Server (IIS) which had been reported in BugTraq. Web
clients that connect to IIS can read the contents of any NTFS file in
an IIS v-root directory to which they have been granted "read access".
They can read these files even if the file is marked for "applications
mappings", such as those used with Active Server Pages scripts. A
hotfix is available for Microsoft Internet Information Server versions
3.0 and 4.0, and several administrative workarounds are also listed at:
<http://www.microsoft.com/security/bulletins/ms98-003.htm>
CIAC also released a bulletin on the topic:
<http://www.ciac.org/ciac/bulletins/i-068.shtml>
---------------
D) 07/10/98 - A report was posted to BugTraq which outlined a
security problem in both SLmail 3.0 for Windows NT and SLmail 2.6 for
Windows 95. Seattle Labs has fixed the problem and will send a beta
version of the fix to you if you contact them directly. For more
information, see a copy of the BugTraq posting:
<http://lwn.net/980716/slmail.html>
---------------
E) 07/01/98 - Microsoft announced a new email notification system for
security problems with Microsoft products. This service is similar to
the email notification provided by other large vendors such as Sun, SGI
and HP. To subscribe to the service, send email to
<microsoft_security-subscribe-request@announce.microsoft.com>
and you will be sent a confirmation notice.
- -------------------------------------------------------------------
- -------------------------------------------------------------------
11) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES
BSDI maintains a support web page at:
<http://www.BSDI.COM/support/>
FreeBSD maintains a security web page at:
<ftp://ftp.cdrom.com/pub/FreeBSD/CERT/advisories/>
OpenBSD's Security web page is at
<http://www.openbsd.org/security.html>
NetBSD's Security web page is at:
<http://www.NetBSD.ORG/Security/>
---------------
A) 06/27/8 - NetBSD reported a security problem due to a bug in the
at(1) program, where any local user can queue any file on the system
for execution by /bin/sh, readable by root. As at(1) returns errors
to the submitter, it is possibly that they may obtain parts of the file.
Patches and/or workarounds can be found at:
<ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-004.txt
.asc>
---------------
B) 06/02/98 - OpenBSD reported a problem with some non-allocated
file descriptors. The problem impacts the use of setuid and setgid
programs. A patch which forces setuid and setgid processes to have
some descriptors in fd slots 0, 1, and 2 is available. For more
information refer to the OpenBSD Errata at:
<http://www.openbsd.org/errata.html#fdalloc>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
12) LINUX SECURITY PROBLEMS AND PATCHES
Red Hat Linux maintain a support page at:
<http://www.redhat.com/support/>
Debian Linux maintain a security web page at:
<http://www.debian.org/security/>
---------------
A) 06/{23,30}/98 - Security problems in several programs were found by
the Linux security audit project. The program list includes:
elm
mailx
metmail
bind
slang
tin
Red Hat issued new RPMs for 4.2, 5.0 and 5.1, all architectures,
to which they recommend users upgrade. For more information see the
Red Hat Errata notes at:
<http://www.redhat.com/support/docs/rhl/rh51-errata-general.html>
<http://www.redhat.com/support/docs/rhl/rh50-errata-general.html>
<http://www.redhat.com/support/docs/rhl/rh42-errata-general.html>
---------------
G) 07/02/8 - Security problems have been found in the libtermcap module
which can allow a root compromise. Red Hat recommends that all users
upgrade to the latest RPMs. For more information, see the Red Hat
Errata note at:
<http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#libtermcap>
<http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#libtermcap>
<http://www.redhat.com/support/docs/rhl/rh42-errata-general.html#libtermcap>
---------------
H) 07/02/98 - Serious security problems have been found in all
versions of samba shipped with Red Hat Linux. Red Hat recommends
immediately upgrading samba, if you are using it, and has provided
RPMs for Red Hat 4.2, 5.0 and 5.1. For more information, see the
page at:
<http://lwn.net/980716/sambasec.html>
- -------------------------------------------------------------------
- -------------------------------------------------------------------
13) VIRUS UPDATE INFORMATION
Virus information is available from a variety of sites, including:
<http://www.DataFellows.com/>
<http://www.sophos.com/>
<http://www.drsolomon.com/>
<http://www.symantec.com/>
<http://www.avpve.com/>
<http://www.nai.com/>
---------------
A) 06/17/98 - Sophos reported the "StrangeDays" virus, a macro
virus which migrates between Word and Excel environments and contains
a warhead which causes all files to be deleted on the 26th day of the
month. The virus works only in versions of Word and Excel that use
Visual Basic for applications. More information can be found at:
<http://www.sophos.com/companyinfo/pressrel/uk/19980617strangedays.html>
---------------
B) 06/30/98 - Several vendors reported a new virus, known as CIH, which
infects Win95 and Win98 EXE files. The virus, which has three known
variants, has the capacity to overwrite system start-up routines and
wipe data on hard disks. The virus also attempts to overwrite the
Flash BIOS chip, which renders the computer unable to boot until the
chip has been reprogrammed. More information can be found at:
<http://www.sophos.com/>
<http://www.datafellows.com/v-descs/cih.htm>
---------------
C) In May of 1998 CIAC released a new version of its virus update
white paper. The paper is available on line at:
<http://ciac.llnl.gov/ciac/documents/CIAC-2301_Virus_Information_Update_5-98.pd
f
- ------------------------------------------------------------------
- -------------------------------------------------------------------
15) QUICK TIDBITS
A) 06/29/98 - News.com reported that Hotmail and Excite have a
privacy hole that inadvertently exposes account name information,
making it easily available to spammers. The hole was confirmed by
an Excite executive, but no action to change the situation has
been announced. For more information, see the news story at:
<http://www.news.com/News/Item/0,4,23710,00.html?st.ne.fd.mdh>
---------------
B) 07/01/98 - Crypto-Gram is the name of a new newsletter on cryptography
issued by Bruce Schneier, author of Applied Cryptography. The newsletter
is free. Subscribe at:
<http://www.counterpane.com/crypto-gram.html>
---------------
C) 07/15/98 - CIAC released a bulletin describing a security flaw in the
loginout module of OpenVMS V7.1. The vulnerability can be exploited
by a malicious local user to gain root access. For more information see
the CIAC Bulletin at:
<http://www.ciac.org/ciac/bulletins/i-071.shtml>
Patches are available at the DEC ftp site:
<http://www.service.digital.com/public/vms/>
**********************
Copyright, 1998, The SANS Institute. No copying, forwarding or posting
allowed without written permission. Email digest@sans.org for information
on subscribing. You'll receive a free subscription package and sample
issue in return.
The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large
organizations.
Archives of past issues are posted at <http://www.sans.org/digest.htm>
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNbd+YqNx5suARNUhAQHm/gP/R2021Vjd0x96wb1lW0bIl2a21gAxO6kl
3seiZBNVYWCUQiygi/OY6OeM7atTGXKOIiIZnDQLUfOmPz3wstDEoYbPx/Y+Z4qY
IzLHesPtXPvM46J2NFnwjyfzTKDr78nvzY9zhzYV+Si21SI/UNX7+84xmBm4NAgi
aN2fNdiQANE=
=DNe/
-----END PGP SIGNATURE-----
--------------C448A89A304B48CFEB8C15DE--