Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Subject: Historical FWD: SANS Security Digest Vol. 3 No. 3

  • From: Paul Howell
  • Date: Thu Mar 18 07:48:07 1999

------- Forwarded Message

Date: Wed, 17 Mar 1999 23:35:44 -0500 (EST)
Message-Id: <199903180435.XAA13516@shell.clark.net>
To: grue@merit.edu
Subject: SANS Security Digest Vol. 3 No. 3

To: Paul Howell SD519142

Enclosed please find your SANS Network Security Digest for March, 1999.

- -----BEGIN PGP SIGNED MESSAGE-----

=================================================================
|                                                               |
|       @@@@      @@     @    @    @@@@                         |
|      @         @  @    @@   @   @                             |
|       @@@@    @    @   @ @  @    @@@@      Vol. 3, No. 3      |
|           @   @@@@@@   @  @ @        @     March 17, 1999     |
|      @    @   @    @   @   @@   @    @                        |
|       @@@@    @    @   @    @    @@@@                         |
|                                                               |
|            The SANS Network Security Digest                   |
|                 Editor:  Michele D. Crabb-Guel                |
|               Guest Editor:  Liz Coolbaugh                    |
|                                                               |
|                  Contributing Editors:                        |
|   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,   |
|    Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer,    |
|   Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard,   |
|    Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh,    |
|                  Mark Edmead, Michael Kuhn                    |
|                                                               |
====A Resource for Computer and Network Security Professionals===

CONTENTS:
  i)  Three types of events coming up in Intrusion Detection
 ii)  Windows NT Security web briefing on March 17th

 1)  BUFFER OVERFLOWS IN FTP SERVERS
 2)  BUFFER OVERFLOWS IN LSOF 
 3)  LATEST CERT SUMMARY RELEASED
 4)  HP SECURITY PROBLEMS AND PATCHES
 5)  SUN SECURITY PROBLEMS AND PATCHES
 6)  SGI SECURITY PROBLEMS AND PATCHES
 7)  IBM AIX SECURITY PROBLEMS AND PATCHES
 8)  NT/WIN95 SECURITY PROBLEMS AND PATCHES
 9)  BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES
10)  LINUX SECURITY PROBLEMS AND PATCHES
11)  CISCO SECURITY PROBLEMS AND PATCHES
12)  GENERAL VIRUS INFORMATION
13)  QUICK TIDBITS

		*****************************************

i)  Three types of events coming up in Intrusion Detection:

(a) Practitioners who want to master intrusion detection will find six
    full days of in-depth, practical education on intrusion detection
    including basic and advanced courses, tools courses, and hacker
    methods courses at SANS99
    (http://www.sans.org/sans99/coursetopic.htm).  SANS99 will also
    offer multiple programs on forensics and the unique IDNet where the
    leading vendors will showcase their newest tools while hackers (who
    don't want to go to jail) will try to gain fame by breaking in.

(b) Case studies in intrusion detection processes and tools that work
    and don't work, and similar practical, from-the-trenches information,
    are the focus of technical presentations at SANS99 in Baltimore in
    May (http://www.sans.org/sans99/techcon.htm) and are also being sought
    in the Call for Papers for SANS Network Security 99
    (see http://www.sans.org/ns99call.htm ) in New Orleans the first week of
    October.  Practical papers on any area of network security are
    welcome.

(c) Advanced research and development in intrusion detection is the
    topic of an important research conference at Purdue University (W. Lafayette,
    IN) in early September. It has limited space and is meant to be the
    state of the art research sharing program. Call for papers:

	http://www.zurich.ibm.com/pub/Other/RAID/

=======================================================================

ii) Windows NT Security web briefing on March 17th

ISS has started a useful web-based education program, and you can listen
at your convenience. The first one, an hour in length, has in-depth
coverage of the widespread Windows NT exploits called BackOrifice and
NetBus, what they are, what they do, and how to fight them.

It will begin at 1 p.m. EST March 17th and about three hours later will
be archived so you may listen and see the visuals whenever it is
convenient for you.  ISS asks you to answer some questions to register.
Registration site is http://www.iss.net/webinars/reg.php3 .

=======================================================================
1) BUFFER OVERFLOWS IN FTP SERVERS (02/11/1999)

CERT released an advisory concerning buffer overflows in several popular
ftp server programs -- wuftpd and ProFTPD.  The buffer overflows can be
exploited by a malicious remote user to gain root access on the ftp
server.  Versions noted in the advisory include:
	wuftpd 2.4.2-academ BETA-18
	ProFTPD 1.2.0pre1
Patches are available for both versions.

The Wu-ftp program is installed by default on many popular UNIX variants
such as RedHat and Slackware.

For more information see the CERT Advisory at:
	http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

This was initially discussed in the February SANS Digest, but only
mentioned wu-ftpd in a general sense. Several vendors have released new
versions since those announcements:

NetBSD:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
 
Caldera OpenLinux:
	http://www.calderasystems.com/news/security/CSSA-1999:004.0.txt
 
Debian GNU/Linux:
	http://www.debian.org/security/1999/19990210
 
Slackware Linux:
	ftp://ftp.cdrom.com/pub/linux/slackware-current/ChangeLog.txt

=======================================================================

2) BUFFER OVERFLOWS IN LSOF PROGRAM (02/17/1999)

A potential problem with the "lsof" program was announced on several
mailing lists and quickly fixed by the author.  The canonical "lsof"
distribution, including patches, can be found at:
	ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

The original posting of the vulnerability was provided by a group called
"HERT" that, despite its WWW page and name, is not affiliated in any
way with the FIRST association (http://www.first.org) of vendor,
government, and community response teams.  The HERT web page is at:
	http://www.hert.org

Vendor reports on the problem include:

NetBSD (02/28/1999):
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-005.txt.asc

Red Hat Linux (02/19/1999):
http://charlotte.redhat.com/support/docs/rhl/rh52-errata-general.html#lsof

Debian GNU/Linux (02/20/1999):
http://www.debian.org/security/1999/19990220a

=======================================================================

3) LATEST CERT SUMMARY RELEASED (02/23/1999)

CERT released their latest summary, which focuses on continuing problems
with intruders using tools to scan networks for multiple vulnerabilities,
particularly since these tools continue to become more sophisticated.
A variety of well-known scanning tools are mentioned and pointers are
provided to more specific information on dealing with these tools.  The
bulletin is available at:
	http://www.cert.org/summaries/CS-99-01.html

=======================================================================

4) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
         http://us-support.external.hp.com/ (US and Canada)
         http://europe-support.external.hp.com/ (Europe)

Note: Log into the HP Electronic Support Center prior to accessing a  
specific support page as identified below. 
                      ---------------
A) 03/04/1999 - Hewlett Packard has reported NES3.6 on VVOS contains a
security vulnerability that can cause excessive CPU resource utilization.
The symptoms of the problem are poor server performance.  Patches are
available and Hewlett Packard recommends that anyone using an HP9000
Series 700/800 machine running HP-UX 10.24 (VVOS) with VirtualVault
A.03.50 should install the patches.   More information is available from
the HP Daily Security Digest, a copy of which has been stored for
non-commercial, public access at:
	http://www.eklektix.com/sans/1999/03/hp.html		
=======================================================================

5) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
	http://sunsolve.sun.com/pub-cgi/secbul.pl

Sun Security Patches are available at:
	http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Sun has not issued any new Security Bulletins since 02/10/1999.
=======================================================================

6) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
         http://www.sgi.com/Support/security/security.html

SGI patches are available at:
        ftp://ftp.sgi.com/security/
			---------------
A) 03/10/1999 - SGI has investigated reported problems with buffer
overflows in the X server which can lead to a root compromise. They
indicate that no workaround for the problem is available. A patch is
required in order to address the problem properly. For patch information
and more details, see the SGI Security Advisory at:
	ftp://sgigate.sgi.com/security/19990301-01-PX

Or see the CIAC Bulletin at:
	http://ciac.llnl.gov/ciac/bulletins/j-033.shtml
   			---------------
B) 02/19/1999 - SGI updated their Advisory regarding a vulnerability in 
the ToolTalk RPC service daemon. The specific program is called 
rpc.ttdbserverd which contains a buffer overflow bug that would allow a 
malicious remote user to gain root privileges on the system. Patches are 
available for the problem or people can simply remove the service from 
the inetd.conf file. For more information, see the SGI Security Advisory 
at:
	ftp://sgigate.sgi.com/security/19981101-01-PX

CIAC also issued a bulletin that can found at:
	http://www.ciac.org/ciac/bulletins/i-091.shtml

   			---------------
C) 02/02/1999 - SGI released an informational-only bulletin describing the
security features that are available in IRIX 6.5. Some of the standard
security features in IRIX 6.5 were previously only available as commercial
add-ons. There are also several enhanced security features.  For more
information consult the SGI Security Advisory at:
	ftp://sgigate.sgi.com/security/19990201-01-I

=======================================================================

7) IBM AIX SECURITY PROBLEMS AND PATCHES
 
IBM maintains a security home page:
        http://www.ers.ibm.com/tech-info/index.html
IBM maintains an on-line support center:
        http://service.software.ibm.com/support./rs6000
   			---------------
A) 02/11/1999 -  IBM has not released any ERS Alerts since 10/26/1998;
however they have released security related APARS (Authorized Problem
Analysis Reports).  IBM's latest Security-related APAR report is
available at:
http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases

=======================================================================

8) NT/WIN95 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
	http://www.microsoft.com/security/

Additional NT Security Related web pages may be found at:
	http://www.ntbugtraq.com/
	http://www.ntbugtraq.com/ntfixes.asp  
	http://www.ntsecurity.net/
			---------------
A) 02/25/1999 - David Litchfield, aka mnemonix, wrote a report on
vulnerabilities with SLMail version 3.2 or 3.1 when the remote
Administration Service is enabled.  It allows any user to bypass NTFS
file system permissions and read any file on the system not actively
locked by another process.  The file can be then made available to anyone
on the Internet.  This vulnerability is associated with the Finger
service, long known in the Unix community as a potential source of
security problems.  This vulnerability can allow the finger service to
be enabled, even if it has been disabled previously and opens up
possibilities of many denial-of-service and other attacks.  The
recommended solution to this problem is to disable Remote Administration.
If this is not possible, other possible measures are outlined in the
full report, available at:
http://www.ntsecurity.net/scripts/load.asp?iD=/security/slmail3132.htm
			---------------
B) 02/22/1999 - A patch which fixes a security vulnerability in the
Taskpads feature was released by Microsoft.  Taskpads comes with the
Microsoft(tm) Windows(rm) 98 Resource Kit, Windows 98 Resource Kit
Sampler, and BackOffice(tm) Resource Kit, second edition.  Only customers
who have installed one of these products and also browse the web are
vulnerable.  The problem can allow a malicious web site operator to
execute binaries on the vulnerable machine.  The patch from Microsoft
removes the Taskpads feature.  For more information, check out Microsoft's
bulletin at:
	http://www.microsoft.com/security/bulletins/ms99-007.asp
or the equivalent CIAC bulletin at:
	http://www.ciac.org/ciac/bulletins/j-030.shtml
			---------------

C) 02/22/1999 - ArcServeIT from Computer Associates is reported to use
an easily decipherable form for passwords passed across the network when
doing network backups, according to this report:
	http://www.ntsecurity.net/scripts/load.asp?iD=/security/arcserve.htm

This makes the passwords vulnerable to network sniffers.  Only programs
using stock NT agents are impacted; both Exchange and SQL backup agents
appear not to be vulnerable.  Computer Associates released a patch for
this problem the next day, for which more information is available at:
	http://support.cai.com/Download/patches/asnt.html

The original Bugtraq report is available at:
	http://www.geek-girl.com/bugtraq/1999_1/0843.html
			---------------
D) 02/19/1999, updated 03/05/1999 - All versions of NT are vulnerable
to a bug that can allow a user to gain administrative privileges on the
machine.  A registry change was recommended as a temporary measure in
the original bulletin, but the updated bulletin provides pointers to a
now-available hotfix which changes the default access control settings
on the computer to eliminate this vulnerability.  For more information,
check out Microsoft's updated bulletin at:
	http://www.microsoft.com/security/bulletins/ms99-006.asp

The original Bugtraq post that covered this issue is available at:
	http://www.geek-girl.com/bugtraq/1999_1/0771.html

=======================================================================

9) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES

BSDI maintains a support web page at:
        http://www.BSDI.COM/support/

FreeBSD maintains a security web page at:
	ftp://ftp.cdrom.com/pub/FreeBSD/CERT/advisories/

OpenBSD's Security web page is at
	http://www.openbsd.org/security.html

NetBSD's Security web page is at:
	http://www.NetBSD.ORG/Security/
			---------------
No FreeBSD security reports have been released since 11/04/1998.

A) NetBSD: 02/28/1999 - NetBSD published an advisory on the traceroute
problem found this month, where traceroute could be used to generate
untraceable packet floods.  For more information and updates, check out
their advisory at:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-004.txt.asc
			---------------
B) OpenBSD: 02/23/1999 - OpenBSD has released a patch to cover a buffer 
overflow in ping(8).  Their patch information is available at:
	http://www.openbsd.org/errata.html#ping
			---------------
C) OpenBSD: 02/25/1999 - OpenBSD has released a patch to prevent a
possible machine crash when link(2) is used on FFS.  More information
is available at:
	http://www.openbsd.org/errata.html#nlink

=======================================================================

10) LINUX SECURITY PROBLEMS AND PATCHES

Caldera OpenLinux security information can be found at:
	http://www.caldera.com/news/security/index.html

Debian GNU/Linux maintains a security web page at:
	http://www.debian.org/security/

Red Hat Linux maintains a support page at:
	http://www.redhat.com/support/

Redhat ftp site:
	ftp://updates.redhat.com/

The latest Slackware release and patches can be found at
	ftp://cdrom.com/pub/linux

S.u.S.E. information can be found at:
	http://www.suse.com
			---------------
Caldera:
A)  03/01/1999 - The KDE Multimedia library has a /tmp race problem,
which can allow any file on the system to potentially be erased or
replaced.  An upgrade to the kdelibs-1.1-2 packages fixes this problem.
For more information, see:
	http://www.calderasystems.com/news/security/CSSA-1999:005.0.txt
			---------------
B)  02/24/1999 - A buffer overflow in dosemu can be exploited via the
TERM and TERMINFO environment variables.  If dosemu is installed setuid
root, this can lead to a root compromise.  The Dosemu team has been
unable to fix this security problem so far.  It is recommended, therefore,
that dosemu be installed as a non-suid binary.  For more information,
check out:
	http://www.calderasystems.com/news/security/CSSA-1999:006.0.txt
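The dosemu item above, like the wu-ftpd/ProFTPD and lsof reports earlier in this digest, is the same bug class: caller-controlled data copied into a fixed-size buffer with no length check. As an added illustration (not code from the digest, nor from dosemu, wu-ftpd or lsof), the fragment below shows that pattern next to how a setuid program can take an environment variable such as TERM without trusting its length or contents. Function and buffer names are hypothetical and the 32-byte limit is chosen only for the demonstration.

```c
/* Added example: a setuid program reading TERM. Names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_MAX 32   /* deliberately small fixed buffer for the demonstration */

/* Unsafe pattern behind the dosemu, wu-ftpd and lsof reports: an unbounded
 * copy of caller-controlled data into a fixed-size buffer. In a setuid
 * binary the environment belongs to the unprivileged caller, so a TERM
 * value longer than the destination overruns the stack. Shown for
 * contrast; never call it with untrusted input. */
void unsafe_copy_term(char *dst, const char *src)
{
    strcpy(dst, src);          /* no length check at all */
}

/* Hardened version: validate, then copy. A value that does not fit with its
 * terminating NUL, or that contains anything outside [A-Za-z0-9._+-], is
 * not a terminal name, so the function fails closed and leaves dst empty.
 * Returns 0 on success, -1 on rejection. */
int safe_copy_term(char *dst, size_t dstsz, const char *src)
{
    size_t n, i;

    if (dstsz == 0) return -1;
    dst[0] = '\0';                           /* fail closed */
    if (src == NULL) return -1;
    n = strlen(src);
    if (n == 0 || n + 1 > dstsz) return -1;  /* empty, or would not fit with NUL */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '+' || c == '-'))
            return -1;                       /* not a terminal name */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* What a privileged program should do with the environment value: take it
 * only if it passes validation, otherwise fall back to a fixed default. */
const char *term_or_default(char *buf, size_t bufsz)
{
    if (safe_copy_term(buf, bufsz, getenv("TERM")) != 0)
        return "vt100";                      /* fixed, trusted default */
    return buf;
}

int main(void)
{
    char term[TERM_MAX];
    const char *oversized =
        "xterm-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("normal value accepted: %s\n",
           safe_copy_term(term, sizeof term, "xterm") == 0 ? "yes" : "no");
    printf("oversized value rejected: %s\n",
           safe_copy_term(term, sizeof term, oversized) == -1 ? "yes" : "no");
    printf("terminal in use: %s\n", term_or_default(term, sizeof term));
    return 0;
}
```

Rejecting rather than truncating matters: a silently truncated terminal name is still attacker-chosen input reaching the terminfo lookup code. Installing the binary without the setuid bit, as Caldera recommends, removes the privilege boundary altogether and remains the stronger fix.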
			---------------
C)  01/19/1999 - Caldera issued a security advisory regarding a problem
with a buffer overflow in the ftp client.  The overflow can be used to
possibly crash the ftp server and potentially compromise user data.
Only the netkit-ftp package is affected, the ncftp package is not.  An
updated netkit-ftp package is available.  For more information, check
out:
	http://www.calderasystems.com/news/security/CSSA-1999:002.1.txt
			---------------
Debian reports:

A)  02/20/1999 - An updated wget package was released by Debian in
response to reports of problems with invalid attempts to change the
permissions on symlinks.  The potential impact of this problem is not
discussed, but more information is available at:
	http://www.debian.org/security/1999/19990220
			---------------
B)  02/18/1999 - A root exploit in the eterm package was found in the
version of Debian scheduled for release on March 19th.  Other Debian
releases were not impacted and the package has been fixed.  For more
information, check:
	http://www.debian.org/security/1999/19990218
			---------------
C)  02/15/1999 - Two buffer overflow problems were found in the super
package.  If this package is installed on your Debian system, it is
recommended that you update your packages immediately.  More information
is available at:
	http://www.debian.org/security/1999/19990215a
or the equivalent CIAC bulletin at:
	http://www.ciac.org/ciac/bulletins/j-031.shtml
			---------------
D)  02/15/1999 - The maintainer of the cfengine package found that it
was vulnerable to a potential symlink attack.  The upstream author has
been notified but has not released an updated package as of yet.  In
the meantime, the Debian packages have been fixed.  For more information,
check out:
	http://www.debian.org/security/1999/19990215
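The Caldera KDE /tmp race above and the cfengine symlink problem in item D are the same bug class: a privileged program creates a file at a name an unprivileged user can predict, and a symlink planted there first redirects the write onto any file the program can reach. The added example below (not code from the digest, KDE, cfengine or any distribution) reproduces the effect inside a private scratch directory under /tmp and shows the open() flags and the mkstemp() call that defeat it. File names, the victim's contents and the function names are constructed for the demonstration.

```c
/* Added example of the /tmp race and its fix. Names and data are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1      /* mkdtemp(), mkstemp(), symlink(), O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_TEXT "do not truncate me\n"   /* constructed sample content */

/* Unsafe pattern behind a /tmp race: predictable name, O_TRUNC, no O_EXCL.
 * If a symlink already sits at `path`, open() follows it and truncates
 * whatever the link points at. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened version. O_EXCL makes open() fail if anything already exists at
 * `path`, a symlink included, whatever it points at; O_NOFOLLOW additionally
 * refuses to traverse a symlink in the final component; 0600 keeps the file
 * private. Returns the fd, or -1 with errno set (EEXIST or ELOOP here). */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduction in a private scratch directory: plant a victim file and a
 * symlink to it at the "predictable" temp name, then run one of the two
 * creators against that name. Returns 1 if the creator opened through the
 * link (victim clobbered), 0 if it refused, -1 on setup failure.
 * *victim_size receives the victim's size afterwards. */
int demo_race(int use_safe, long *victim_size)
{
    char dir[] = "/tmp/tmprace-XXXXXX";
    char victim[128], link_path[128];
    struct stat st;
    int fd, result;

    *victim_size = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/app.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { result = -1; goto out; }
    if (write(fd, VICTIM_TEXT, strlen(VICTIM_TEXT)) != (ssize_t)strlen(VICTIM_TEXT)) {
        close(fd); result = -1; goto out;
    }
    close(fd);
    if (symlink(victim, link_path) != 0) { result = -1; goto out; }

    fd = use_safe ? safe_create(link_path) : unsafe_create(link_path);
    if (fd >= 0) {
        if (write(fd, "X", 1) != 1) { /* what the application would write */ }
        close(fd);
        result = 1;
    } else {
        result = 0;
    }
    if (stat(victim, &st) == 0) *victim_size = (long)st.st_size;
out:
    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return result;
}

/* Preferred form when the name need not be predictable at all: mkstemp()
 * chooses an unpredictable suffix and opens with O_CREAT|O_EXCL itself.
 * Returns 1 if the file came back as a private (0600) regular file. */
int mkstemp_is_private(void)
{
    char tmpl[] = "/tmp/tmprace-XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl), ok = 0;

    if (fd < 0) return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600)
        ok = 1;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    long size;
    int r = demo_race(0, &size);
    printf("unsafe open followed the symlink: %d, victim size now %ld\n", r, size);
    r = demo_race(1, &size);
    printf("safe open refused: %d, victim size still %ld\n", r == 0, size);
    printf("mkstemp file is private: %d\n", mkstemp_is_private());
    return 0;
}
```

The scratch directory is created with mkdtemp() and mode 0700, so the demonstration never touches a shared path; in a real world-writable /tmp the planted link would belong to another user. O_EXCL is the part that closes the race, since it fails on an existing symlink regardless of where the link points; O_NOFOLLOW and a private mode are defence in depth, and mkstemp() bundles all of it with an unpredictable name.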

Slackware has no official security reports pages.  However, a scan of
their reported updates to the current version of Slackware indicates that
it contains fixes for the wu-ftpd and pine exploits reported over the
last month.

=======================================================================

11) CISCO PROBLEMS AND PATCHES
 
Cisco Systems maintains an Internet Security Advisories page at:
	http://www.cisco.com/warp/public/791/sec_incident_response.shtml
                        ---------------
03/11/1999 -  Cisco announced two vulnerabilities in the Cisco 7xx
product family. The first deals with a potential denial of service attack
involving tcp connections to the telnet port of the 7xx routers. Excessive
packets will cause the router to automatically reload.  The second
vulnerability deals with the simple http server which is enabled by
default on the 7xx routers.  The server is used to make configuration
changes. This is the intended behavior but some customers may be unaware
that the service is enabled by default.  For more information see the
Cisco Field Notice at:
	http://www.cisco.com/warp/public/770/7xxconn-pub.shtml
Or see the CIAC Bulletin at:
	http://www.ciac.org/ciac/bulletins/j-034.shtml
=======================================================================

12) GENERAL VIRUS INFORMATION

We will only include items on viruses that have been widely discussed.
This is not meant to be an all-inclusive update on recent virus problems
and solutions.

Virus information is available from a variety of sites, including:
        http://www.antivirus.com/
        http://www.avpve.com/
        http://www.drsolomon.com/
        http://www.datafellows.com/
        http://www.nai.com/
        http://www.sophos.com/
        http://www.symantec.com/avcenter/

Good sources for virus myths and hoaxes are:
        http://www.kumite.com/myths/
        http://ciac.llnl.gov/ciac/CIACHoaxes.html
                        ---------------
A) 02/26/1999 - CIAC issued an update on Windows Backdoor programs,
labeled "Windows Backdoors Update II".  It covers a new version of NetBus
which has been released, as well as a general vulnerability assessment
in regards to such Backdoor programs.  You can find it at:
	http://www.ciac.org/ciac/bulletins/j-032.shtml

=======================================================================

13) QUICK TIDBITS 

1) 03/07/1999 - The New York Times published an article covering
Microsoft's response to a critical privacy issue, involving a unique
identifying number for their software products and a vast database of
personal information that they have collected about their
customers.  The combination of the two raises large concerns about the
invasion of privacy of individual users.  The article is available at:
	http://www.nytimes.com/library/tech/99/03/biztech/articles/07soft.html
			---------------
2) 03/03/1999 - The Black Hat Briefings '99 is a Computer Security
Conference scheduled for July 7th and 8th in Las Vegas, Nevada.  This
year, in addition to topics such as intrusion detection and computer
forensics, they will have a special track just for the CEO and CIO.
For more information, check out:
	http://www.blackhat.com/
			---------------
3) 02/27/1999 - ShadowCon October 1999 is a DoD-sponsored Intrusion
Detection and Information Assurance conference and workshop, with no
charge for attendance.  It is scheduled October 26th and 27th, 1999 at
the Naval Surface Warfare Center in Dahlgren, Virginia.  For more
information, check out:
	http://www.nswc.navy.mil/ISSEC/CID/shadowcon.html
			---------------
4) 02/26/1999 - Cobalt Networks released a security patch for their
Cobalt RaQ to deal with a password security problem reported originally
in Wired Magazine and the San Jose Mercury News.  The original problem
is obscure, but can be triggered by user actions, allowing unauthorized
access to password information.  For more information and pointers to
Cobalt's fix, check:
	http://www.cobaltnet.com/security.html
			---------------
5) 02/25/1999 - Wired News published an article on the reappearance of
the Cryptography bill, introduced last year to ease restrictions on
export of cryptographic technologies but defeated.  This year, they
claim to have bipartisan support from over 205 members.  The article is
available at:
http://www.wired.com/news/print_version/politics/story/18132.html?wnpg=all
			---------------
6) 02/19/1999 - The Triactive Remote Management Software, which provides
the ability to remotely control a Windows 95/98/NT client, will,
under some circumstances, store the administrator password in plain
text.  For more information, check out:
	http://www.geek-girl.com/bugtraq/1999_1/0824.html

			******************

Copyright 1999, The SANS Institute.  No copying, forwarding, or posting
allowed without written permission (write <sans@clark.net> for
permission).
 
Email <digest@sans.org> for information on subscribing.  You'll receive
a free subscription package and sample issue in return.  To unsubscribe
or change address, forward this note to <autosans@clark.net> with
appropriate instructions.
 
The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large organizations.
Archives of past issues are posted at http://www.sans.org/digest.htm .


- -----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNu/KTaNx5suARNUhAQG/SwQAsdH4px/XGHezCEU3J/jSLQf3DIRNykWh
WnnkL7jdMnj5a5WbyX6sEazR7PYiv9M6ej05XZiEazLI2AdCWJMv4PER1UEUHgGw
N/nL/DfRCjPl60mKkmI9z1hxKnvAFv8MwG/wX6UPZYJf3+V6LacPPcRwCCn1KGco
T4kbRAKJqCg=
=hn80
- -----END PGP SIGNATURE-----

                        SANS Bookstore

The SANS bookstore has several interesting SANS guides in stock:

* 14 Steps to Avoiding Disaster with Your Web Site
* SANS 1998 System Administration and Network Security Salary Survey 
* Windows NT Security: Step-by-Step
* Intrusion Detection: Shadow Style -- A Primer for Intrusion Detection
* Computer Security Incident Handling: Step-by-Step
* Windows NT Power Tools: Administrator Consensus

Order them from the bookstore just one click away from www.sans.org!

==========================================================================

Alan Paller & Rob Kolstad  The SANS Institute  sans@clark.net 301-951-0102
- ----- Upcoming Events: ------------------------ Current Publications: ----
SANS '99 (Baltimore, 5/99)                    SANS Network Security Digest
Network Security 99 (New Orleans, 10/99)                The SANS NT Digest
                                         Windows NT Security: Step-by-Step
Incident Handling: Step-by-Step          Intrusion Detection: Shadow Style
WindowsNT Power Tools: Consensus                   1998 SANS Salary Survey
See http://www.sans.org for info and bookstore


------- End of Forwarded Message





