From: cool@eklektix.com
Date: Wed, 25 Nov 1998 01:29:27 -0500 (EST)
To: cool@eklektix.com
Subject: SANS Security Digest Vol. 2 Num. 10

To: Liz Coolbaugh SD145502
From: Rob Kolstad, SANS E-mail Duplicate Eliminator

Happy Thanksgiving to our USA readers. Here is the November SANS Security
Digest -- please don't confuse it with the NT Digest, which should be
mailed out shortly as well.

This digest kicks off our one-month subscription drive! Please share this
issue widely so that everyone can find out about our monthly missive.
Subscriptions are free and easily obtained by sending a note with the
subject `subscribe' to <digest@sans.org>.

I've eliminated hundreds of duplicates and updated addresses for those who
have moved. Please send change and duplicate notifications (with your SD
numbers!) to <sans@clark.net>. Unsubscribe by sending your SD number to
<autosans@clark.net> with a subject of `unsubscribe digest'.

RK

=================================================================
              The SANS Network Security Digest
              Vol. 2, No. 10, November 21, 1998
              Editor: Michele Crabb
              Guest Editor: Michael Kuhn
              Contributing Editors:
   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,
   Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer,
   Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard,
   Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh,
   Mark Edmead, Michael Kuhn
====A Resource for Computer and Network Security Professionals===

CONTENTS:

   i) FINAL CALL FOR PAPERS FOR ID99
  ii) FINAL CALL FOR PAPERS FOR SANS99
 iii) MEMBERSHIP DRIVE MONTH

  1) BUFFER OVERFLOW VULNERABILITY IN NETSCAPE
  2) VULNERABILITY IN HP OPENVIEW
  3) SECURITY PATCH FOR SSH-1.2.26 KERBEROS CODE
 3a) TROJAN HORSE INVOLVING SSH
  4) WEB FRAMES EXPLOIT (FRAMESPOOF)
  5) HP SECURITY PROBLEMS AND PATCHES
  6) SUN SECURITY PROBLEMS AND PATCHES
  7) SGI SECURITY PROBLEMS AND PATCHES
  8) WINDOWS/NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
  9) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES
 10) LINUX SECURITY PROBLEMS AND PATCHES
 11) CISCO SECURITY PROBLEMS AND PATCHES
 12) QUICK TIDBITS

*****************************************

i. FINAL CALL FOR PAPERS FOR ID99

The SANS Third Intrusion Detection and Response Conference and Workshop,
February 9-13, San Diego, California.

Thanks to all the people who have submitted papers and course proposals
for the program. We now have an impressive collection of courses on
Intrusion Detection and Response and on Penetration Testing (and also
some great new ones on NT Security). And the papers that have been
submitted for the workshop are interesting and practical. We are still
hoping to receive additional user-experience papers in two areas:
automated response systems and forensics. If you have real-world
experience with either of these, please submit a short abstract.

Instructions at http://www.sans.org/id/call.htm.

============================================================================

ii. FINAL CALL FOR PAPERS FOR SANS99

The Eighth System Administration, Networking, and Security Conference,
Baltimore Inner Harbor, May 9-15, 1999.

Presenting a paper at SANS is one of the best ways to give something back
to the community, and it can also help your career. We have many great
proposals, but we are hoping for more.

Instructions at http://www.sans.org/callforpapers.htm.

============================================================================

iii. MEMBERSHIP DRIVE MONTH

It's our Christmas membership drive! Please pass this digest around to
your colleagues and ask them to sign up by sending a note with the subject
`subscribe sans digest' to <autosans@clark.net>. Signing up during the
next 30 days will also include them in the January mailing, so they will
get their own copies of the semi-annual SANS Network Security Roadmap
poster. There's no cost for the Digest or the Poster for people who are
registered.

============================================================================

1) BUFFER OVERFLOW VULNERABILITY IN NETSCAPE (10/23/98)

As reported in Bugtraq, a buffer overflow vulnerability in Netscape
versions 3.0 to 4.5 has been identified by Dan Brumleve
<nothing@shout.net>. Netscape is working on patches.

A news.com story detailing this can be found at:
http://www.news.com/News/Item/0,4,27856,00.html?owv

Also, a Linux Netscape sample exploit has been published at:
http://www.shout.net/~nothing/buffer-overflow-1/index.html

============================================================================

2) VULNERABILITY IN HP OPENVIEW (11/02/98)

Internet Security Systems (ISS) X-Force announced research that has
revealed a vulnerability in HP OpenView. ISS found that the hidden
community (string) is readable and may allow access to the SNMP MIB tree,
including variable modification and network discovery. SNMP agent
configuration and data collection can be modified, resulting in
disruption and/or DoS of the SNMP process.
This vulnerability is present in HP OpenView Version 5.02. Earlier
versions are believed to be vulnerable. HP-UX 9.X and HP-UX 10.X SNMP
agents are vulnerable if OpenView is installed. OpenView for Solaris 2.X
is also vulnerable. OpenView for Windows NT is not vulnerable. Patches
are available from HP.

For more information and patches refer to the ISS Advisory at:
http://www.iss.net/xforce/alerts/advise12.html

============================================================================

3) SECURITY PATCH FOR SSH-1.2.26 KERBEROS CODE (11/05/98)

Concerns about buffer overflow problems in sshd have prompted extensive
searches of the ssh code by its developers, SSH Communications Security,
Finland, and others. As reported by Tatu Ylonen of SSH Comm., a buffer
overflow condition does exist, which he has found (Bugtraq, Nov. 5,
1998, 02:38). Tatu included an extensive list of caveats to the effect
that this is an extremely difficult vulnerability to exploit.
Nonetheless, a patch workaround is listed in the Bugtraq communications,
along with a promise to make a new release available quickly.

More information can be found in the Bugtraq thread at:
http://www.geek-girl.com/bugtraq/1998_4/0315.html

============================================================================

3a) 11/17/98 - TROJAN HORSE INVOLVING SSH

A report on Bugtraq from an SSH developer states that the "sshdwarez"
(also known as "sshdexp") Trojan posted on Bugtraq actually has nothing
to do with SSH. It does not exploit any vulnerability in any version of
SSH. It is simply a program that, if run as root, adds two new entries
to /etc/passwd and sends mail back to the hacker's account at
hotmail.com. No action is required from SSH users. Just do not run the
sshdwarez Trojan.

More information can be found on the Bugtraq thread at:
http://www.netspace.org (Look it up in the third week of November)

Additional information can be found at:
http://www.ssh.fi/sshprotocols2/

============================================================================

4) 11/17/98 - WEB FRAMES EXPLOIT (FRAMESPOOF)

SecureXpert Labs has discovered a security hole in the implementation of
HTML frames. All recent versions of Netscape Navigator and MS Internet
Explorer, and any Web site using frames, are vulnerable and can be
exploited. The "framespoof" vulnerability is breathtaking in its scope
and simplicity. It is a bug in the security policy browsers implement.
The bug was announced by Dr. Richard Reiner, CEO of SecureXpert Labs'
parent company FSCInternet.

SecureXpert has posted two sample exploits, one that requires JavaScript
and one that relies on nothing but HTML. Both demonstrate how
unauthorized information can be displayed in the frame of a known and
trusted site. SecureXpert will be working with Netscape and Microsoft on
client-side fixes for the problem.

More information can be found at:
http://www.securexpert.com/framespoof/index.html
http://www.securexpert.com/framespoof/start.html
http://www.securexpert.com/framespoof/tech.html

The original notice from TBTF can be found at:
http://tbtf.com/archive/11-17-98.html

============================================================================

5) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
http://us-support.external.hp.com/ (US and Canada)
http://europe-support.external.hp.com/ (Europe)

The HP Patch Site:
http://us-ffs.external.hp.com/ftp/export/patches/hp-ux_patch_matrix

---------------

A) 10/28/98 - HP has announced a Denial-of-Service (DoS) vulnerability in
the HP SharedX Receiver Service (recserv). This was reported in the
October SANS Digest, but is now official from HP. Certain messages
targeted at the service port could result in excessive CPU utilization,
and a DoS. Vulnerable platforms are HP 9000 series 700/800.

Patches are available via anonymous ftp at <us-ffs.external.hp.com> in
path: ~ftp/export/patches/hp-ux_patch_matrix

For additional information refer to the HP Security Bulletin
HPSBUX9810-086, or the CIAC Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-015.shtml

---------------

B) 11/02/98 - Internet Security Systems (ISS) X-Force announced research
that has revealed a vulnerability in HP OpenView. ISS found that the
hidden community (string) is readable and may allow access to the SNMP
MIB tree, including variable modification and network discovery. SNMP
agent configuration and data collection can be modified, resulting in
disruption and/or DoS of the SNMP process. This vulnerability is present
in HP OpenView Version 5.02. Earlier versions are believed to be
vulnerable. HP-UX 9.X and HP-UX 10.X SNMP agents are vulnerable if
OpenView is installed. Patches are available.

For more information and patch location refer to the ISS Advisory at:
http://www.iss.net/xforce/alerts/advise12.html

---------------

C) 11/16/98 - HP announced the release of patches for a vulnerability in
the vacation program shipped with HP-UX in /usr/bin/vacation. The
vacation program misunderstands its inputs and invokes sendmail with the
wrong parameters. Both sendmail 5.6.5 and 8.7.6 are vulnerable to this
malady. Also, the vacation program ignores a TO: header when the "O" is
upper case. HP-UX versions 9.X, 10.X and 11.0 on HP9000 Series 7/800 are
all vulnerable. This information is contained in the HP Security
Bulletin HPSBUX9811-087. Patches are available on the HP Patch site.
============================================================================

6) SUN SECURITY PROBLEMS AND PATCHES

Sun security bulletins are available at:
http://sunsolve.Sun.COM/pub-cgi/secbul.pl

Sun Security Patches are available at:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

---------------

A) 10/21/98 - Sun announced the release of patches for a vulnerability in
the IMAP server process (Sun Internet Mail Server(tm) (SIMS) versions 3.2
and 2.0). Certain versions of SIMS are subject to the buffer overflow
problems identified by CERT Advisory CA-98.09 (8/8/98), which discussed
servers running under the SIMS server process. Patches are available for
Sun SIMS versions 3.2, 3.2_x86, 2.0, and 2.0_x86.

For more information refer to Sun Security Bulletin #177 at:
http://sunsolve.sun.com/pub-cgi/us/sec2html?secbull/177

---------------

B) 11/9/98 - Sun announced a vulnerability in SNMP involving the
compromise of hidden community strings. The Sun Solstice Enterprise
Agents (SEA) software package supports both the SNMP and DMI protocols.
SNMP allows remote management of systems and devices on a network. SNMP
relies on files known as Management Information Bases (MIBs). MIB access
is controlled by community strings. Compromise of a default community
string in the Sun SNMP subagent may be exploited remotely, opening the
door to root-level privileges. Patches and workarounds are available for
Solaris versions 2.4, 2.5.1, 2.5.1_x86, 2.6, and 2.6_x86 running SEA.

For more information refer to Sun Security Bulletin #178 at:
http://sunsolve.sun.com/pub-cgi/us/sec2html?secbull/178
Or the ISS Security Advisory at:
http://www.iss.net/xforce/alerts/advise11.html

---------------

C) 11/18/98 - Sun Microsystems announced (Security Bulletin #00179) a
vulnerability in the setuid root utility rdist, used to distribute files
from one host to another. Several buffer overflow vulnerabilities have
been discovered which could be exploited by an attacker to gain root
access. Solaris versions 2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86,
2.4, 2.4_x86 and 2.3 and SunOS versions 4.1.4 and 4.1.3_U1 are
vulnerable.

More information can be found at:
http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/179
Patches are available on the Sun Patch Site.

============================================================================

7) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
http://www.sgi.com/Support/security/security.html

SGI patches are available at:
ftp://ftp.sgi.com/security/

------------

A) 10/21/98 - SGI announced the identification of a vulnerability in the
routed(1M) daemon, affecting IRIX 3.x, 4.x, 5.0.x, 5.1.x, 5.2, 5.3,
6.0.x, 6.1, 6.2, 6.3 and 6.4. By appending routed(1M) debug and tracing
information to arbitrary files on the system, an attacker could cause
significant disruption of a system. This is considered a High Risk since
no local account is required for exploitation. Patches are available.

For more information, refer to the SGI Security Advisory at:
ftp://sgigate.sgi.com/security/19981004-01-PX
Or the CIAC Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-012.shtml

------------

B) 10/22/98 - SGI announced a vulnerability in autofsd, an RPC server
which handles mount/unmount requests for the autofs file system. IRIX
versions 6.2, 6.3, 6.4 and 6.5 are affected. Other versions may be
affected as well; SGI is still investigating. SGI suggests that the
temporary fix detailed in their Security Advisory be followed.

For additional information refer to the advisory at:
ftp://sgigate.sgi.com/security/19981005-01-A
Or the CIAC Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-013.shtml

------------

C) 10/26/98 - SGI issued an update on CERT Advisory CA-98.12, "Remotely
Exploitable Buffer Overflow Vulnerability in mountd". SGI's investigation
found no vulnerability to this issue in any version of IRIX, Unicos and
Unicos/mk, and no further action is required.

For additional information refer to the SGI Security Advisory at:
ftp://sgigate.sgi.com/security/19981006-01-I

============================================================================

8) WINDOWS/NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
http://www.microsoft.com/security/

Additional NT Security related web pages may be found at:
http://ntbugtraq.ntadvice.com/archives/default.asp
http://www.ntsecurity.net/

---------------

A) 10/23/98 - Microsoft has announced the availability of patches to fix
a vulnerability in the way Internet Explorer 4 determines what security
zone a target server is in. This vulnerability (Dotless IP Addresses), if
exploited, can cause Internet Explorer's Security Zone feature to treat
an Internet zone web site as if it were in the Intranet zone. Patches
are available for the affected versions: Internet Explorer 4.0, 4.01 and
4.01 SP1 on NT 4.0 and Windows 95; Windows 98 with integrated Internet
Explorer; Internet Explorer 4.0 and 4.01 for Windows 3.1 and NT 3.51; and
Internet Explorer 4.01 for UNIX.

For more information refer to the Microsoft Security Bulletin MS98-016 at:
http://www.microsoft.com/security/bulletins/ms98-016.htm
Or the NTBugtraq archive site for October 1998, listed above.

---------------

B) 11/03/98 - Microsoft announced the Dial-Up Networking Security Upgrade
for Windows 98. This upgrade enhances the protection of dial-up and VPN
connections via password management and data encryption.

For more information see Microsoft Knowledge Base article #Q189771 at:
http://support.microsoft.com/support/kb/articles/q189/7/71.asp

---------------

C) 11/18/98 - Microsoft released an updated version of the patch for the
"Untrusted Scripted Paste" vulnerability that was discussed in the
October SANS Digest. The updated patch fixes the original vulnerability
as well as a newly-discovered variant. It is recommended that all users
-- including those who downloaded the original patch before November 18
-- download and install the update.

Microsoft Internet Explorer 4.01 and 4.01 SP1 on Windows NT (r) 4.0 and
Windows (r) 95, Microsoft Windows 98 with integrated Internet Explorer,
and Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51
are all vulnerable. This vulnerability does not affect Internet Explorer
3.x or 4.0 on any platform, or any Macintosh or UNIX versions of
Internet Explorer. This vulnerability could also affect software that
uses HTML functionality provided by Internet Explorer, even if Internet
Explorer is not used as your default browser. All customers that have
affected versions of Internet Explorer on their systems should install
this patch.

More information can be found in Microsoft Knowledge Base (KB) article
Q169245 (Update available for "Untrusted Scripted Paste" Issue) at:
http://support.microsoft.com/support/kb/articles/q169/2/45.asp
The bulletin reference is at:
http://www.microsoft.com/security/services/bulletin.asp

============================================================================

9) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES

BSDI maintains a support web page at:
http://www.BSDI.COM/support/
FreeBSD maintains a security web page at:
http://www.freebsd.org/security/security.html
OpenBSD's security web page is at:
http://www.openbsd.org/security.html
NetBSD's security web page is at:
http://www.NetBSD.ORG/Security/

---------------

A) 11/04/98 - The FreeBSD Security Officer reported on Bugtraq an IP
fragment reassembly code error that may cause a kernel panic. By creating
and sending a pair of malformed (UDP) IP packets, an attacker can cause a
server to panic, or crash and reboot, creating a Denial of Service.
Exploit programs are reported to be circulating. The only versions
affected are FreeBSD 3.0 and FreeBSD-current before October 27, 1998.

For more information, including patch availability, refer to the Bugtraq
message at:
http://www.geek-girl.com/bugtraq/1998_4/0306.html

============================================================================

10) LINUX SECURITY PROBLEMS AND PATCHES

Red Hat Linux maintains a support page at:
http://www.redhat.com/support/
Red Hat ftp site:
ftp://updates.redhat.com/
Debian GNU/Linux maintains a security web page at:
http://www.debian.org/security/

---------------

A) 11/01/98 - Debian Linux reports a buffer overflow vulnerability in the
logging code of the secure shell daemon (sshd). The advisory gives
minimal information, indicating only that ssh is vulnerable; no list of
affected OS versions was given. (This may be related to the rootshell
investigation and report of a buffer overflow problem in sshd following
their investigation of their compromised system. See Tidbits for more
information on rootshell.)

For information on the Debian advisory, refer to:
http://www.debian.org/security/1998/19981101

---------------

B) 11/06/98 - Red Hat Linux announced a security fix for a file
descriptor leak in svgalib. The problem was reported on the BUGTRAQ
security list. Red Hat Linux users should upgrade to the new packages
available under the updates directory on the Red Hat Linux ftp site.

For more information refer to the Red Hat Errata notes at:
http://www.redhat.com/support/docs/rhl/intel/rh52-errata-general.html#svgalib
And more at the General Errata page:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html

---------------

C) 11/06/98 - Red Hat Linux reported a fix for a buffer overflow problem
in the package zgv, by which an attacker could gain root privileges.
Users of Red Hat Linux should upgrade to the new packages available under
the updates directory on the Red Hat Linux ftp site.

More information is in the Red Hat Errata general notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html

============================================================================

11) CISCO PROBLEMS AND PATCHES

Cisco Systems maintains an Internet Security Advisories page at:
http://www.cisco.com/warp/public/779/largeent/security/advisory.html

---------------

A) 11/05/98 - CISCO announced two vulnerabilities which affect a subset
of IOS DFS access lists. IOS versions 11.1, 11.2, 11.3 and some
variations, on 7xxx series Cisco routers configured for distributed fast
switching, are affected. Exploitation may allow users to send packets to
unauthorized networks or to access (attack) other devices. The risk is
medium and no known exploits have occurred. Users of an affected network
would probably only notice that they could reach network devices that
they couldn't reach previously, because the access lists applied to
filter those interfaces are not working.

For detailed information and fixes refer to the CISCO Field Notice at:
http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
Or the CIAC Information Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-016.shtml

---------------

B) 11/05/98 - CISCO announced a maintenance release of IOS version 11.1CC
and 11.1(21)CC to correct some twenty or more software defects.

Complete information on the fixes, updates, versions, etc. involved is
available at:
http://www.cisco.com/warp/public/770/fa111-21cc1.shtml

============================================================================

12) QUICK TIDBITS

A) 10/19/98 - Microsoft announced availability of the Security
Configuration Manager from the NT Service Pack 4 CD for download.
Security Configuration Manager (SCM) provides an editor, the Security
Configuration Editor (SCE), with a GUI or command-line interface for use
in configuring security policy. SCM can be used to inspect existing NT
systems to identify system security settings.

For more information see the articles at:
http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4svcpk4/nt4svcpk4.asp
http://www.microsoft.com/ntserver/nts/news/msnw/nt4sp4mktbulletin.asp
And general information can be found at:
http://www.microsoft.com/security/ntprod.htm
For information on real-world experiences with SP4 and SCM visit the
NTBugtraq site:
http://ntbugtraq.ntadvice.com/default.asp?p=page%5Fdefault%2Easp%3Fid%3D36

---------------

B) 10/26/98 - IBM announced a vulnerability in the automountd daemon
affecting AIX 4.3.x versions. If exploited, commands could be run as root
by both local and remote users. Exploits have been made public, so the
risk is High. IBM suggests disabling automountd and applying the
temporary fix described in their Security Vulnerability Alert at:
http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:004.1.txt
Details of the fix can be found in CIAC Information Bulletin J-014 at:
http://ciac.llnl.gov/cgi-bin/index/bulletins?j-014.shtml

---------------

C) 11/22/98 - SANS Digest Creator and Editor, Michele Crabb, weds
long-time beau and best friend, Jesse Guel! The couple will honeymoon in
Ixtapa-Zihuatanejo, Kona Hawaii and Kuai Hawaii until 12/12/98.

**********************

Copyright, 1998, The SANS Institute. This issue may be forwarded for the
purposes of encouraging new subscribers. No posting allowed without prior
written permission (ask <sans@clark.net> for permission). Email
<digest@sans.org> for information on subscribing. You'll receive a free
subscription package and sample issue in return. To unsubscribe, email
autosans@clark.net with the subject `unsubscribe security digest'. The
digest is available at no cost to practicing security, networking and
system administration professionals in medium and large organizations.
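Item 8A above describes Internet Explorer choosing a security zone by how the host is spelled, so that an address written as one dotless number passes for a local name. The Python below is an added illustration, not code from the original digest or from Microsoft: it canonicalizes every legacy numeric IPv4 spelling (dotless decimal, hex, octal and the short two- and three-part forms) to a dotted quad, and places a naive "no dots means Intranet" classifier beside one that canonicalizes first. The zone names, the assumption that only RFC 1918 space counts as Intranet, and the sample hosts are all constructed for the illustration.

```python
import ipaddress

# Assumption for this illustration: RFC 1918 private space is "Intranet";
# every other numeric address is "Internet".
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _part(text):
    """Decode one numeric component the way inet_aton() does: 0x.. is hex,
    a leading 0 means octal, anything else is decimal. Raises ValueError
    on anything that is not a plain ASCII number."""
    if not (text.isascii() and text.isalnum()):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def parse_inet_aton(host):
    """Return the IPv4Address denoted by any legacy numeric spelling of
    host (a.b.c.d, a.b.c, a.b or a single 32-bit number, each part
    decimal, hex or octal), or None if host is not a numeric address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        values = [_part(p) for p in parts]
    except ValueError:
        return None
    # Every leading part is one byte; the final part fills the remaining
    # bytes, so "203.0.28935" puts 28935 into the low 16 bits.
    tail_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << tail_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return ipaddress.IPv4Address(addr)


def naive_zone(host):
    """Classifier of the kind the bulletin describes: a host spelled
    without any dot is assumed to be a local (Intranet) name."""
    return "Intranet" if "." not in host else "Internet"


def hardened_zone(host):
    """Canonicalize first: if the host is any numeric IPv4 spelling, decide
    by the address it denotes, not by how it was written."""
    ip = parse_inet_aton(host)
    if ip is not None:
        return "Intranet" if any(ip in n for n in INTRANET_NETS) else "Internet"
    return naive_zone(host)


# Constructed sample hosts: five spellings of the documentation address
# 203.0.113.7, the private address 192.168.1.1 as a dotless number, and
# two ordinary names.
SAMPLES = ["203.0.113.7", "3405803783", "0xCB.0.0x71.7", "0313.0.0161.7",
           "203.0.28935", "3232235777", "intranet-host", "www.example.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        ip = parse_inet_aton(h)
        print(f"{h:16} -> {str(ip) if ip else '(name)':14} "
              f"naive={naive_zone(h):8} hardened={hardened_zone(h)}")
```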