From: cool@eklektix.com
Date: Wed, 25 Nov 1998 01:29:27 -0500 (EST)
To: cool@eklektix.com
Subject: SANS Security Digest Vol. 2 Num. 10

To:   Liz Coolbaugh SD145502
From: Rob Kolstad, SANS E-mail Duplicate Eliminator

Happy Thanksgiving to our USA readers.  Here is the November SANS
Security Digest -- please don't confuse it with the NT Digest which
should be mailed out shortly, as well.

This digest kicks off our one month subscription drive!  Please share
this issue widely so that everyone can find out about our monthly
missive.  Subscriptions are free and easily obtained by sending a note
with the subject `subscribe' to <digest@sans.org>.

I've eliminated hundreds of duplicates and updated addresses for those
who have moved.  Please send change and duplicate notifications (with
your SD numbers!) to <sans@clark.net>.  Unsubscribe by sending your SD
number to <autosans@clark.net> with a subject of `unsubscribe digest'.

						RK

-----BEGIN PGP SIGNED MESSAGE-----

=================================================================
|       @@@@      @@     @    @    @@@@                         |
|      @         @  @    @@   @   @                             |
|       @@@@    @    @   @ @  @    @@@@      Vol. 2, No. 10     |
|           @   @@@@@@   @  @ @        @     November 21, 1998  |
|      @    @   @    @   @   @@   @    @                        |
|       @@@@    @    @   @    @    @@@@                         |
|            The SANS Network Security Digest                   |
|                 Editor:  Michele Crabb                        |
|               Guest Editor:  Michael Kuhn                     |
|                  Contributing Editors:                        |
|   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,   |
|    Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer,    |
|   Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard,   |
|    Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh,    |
|                  Mark Edmead, Michael Kuhn                    |
====A Resource for Computer and Network Security Professionals===

CONTENTS:
  i) FINAL CALL FOR PAPERS FOR ID99
 ii) FINAL CALL FOR PAPERS FOR SANS99
iii) MEMBERSHIP DRIVE MONTH

  1) BUFFER OVERFLOW VULNERABILITY IN NETSCAPE 
  2) VULNERABILITY IN HP OPENVIEW
  3) SECURITY PATCH FOR SSH-1.2.26 KERBEROS CODE  
  3a) TROJAN HORSE INVOLVING SSH
  4) WEB FRAMES EXPLOIT (FRAMESPOOF)
  5) HP SECURITY PROBLEMS AND PATCHES
  6) SUN SECURITY PROBLEMS AND PATCHES
  7) SGI SECURITY PROBLEMS AND PATCHES
  8) WINDOWS/NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
  9) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES
 10) LINUX SECURITY PROBLEMS AND PATCHES
 11) CISCO SECURITY PROBLEMS AND PATCHES
 12) QUICK TIDBITS

*****************************************

i.  FINAL CALL FOR PAPERS FOR ID99 

The SANS Third Intrusion Detection and Response Conference and Workshop, 
February 9-13, San Diego, California. Thanks to all the people who have 
submitted papers and course proposals for the program. We now have an 
impressive collection of courses on Intrusion Detection and Response and 
on Penetration Testing (and also some great new ones on NT Security). And 
the papers that have been submitted for the workshop are interesting and 
practical. We are still hoping to receive additional user-experience papers 
in two areas: automated response systems and forensics.  If you have real-
world experience with either of these, please submit a short abstract. 
Instructions at http://www.sans.org/id/call.htm.

============================================================================

ii. FINAL CALL FOR PAPERS FOR SANS99 

The Eighth System Administration, Networking, and Security Conference,
Baltimore Inner Harbor, May 9-15, 1999.  Presenting a paper at SANS is
one of the best ways to give something back to the community, and it can 
also help your career.  We have many great proposals, but we are hoping 
for more. Instructions at http://www.sans.org/callforpapers.htm.

============================================================================

iii. MEMBERSHIP DRIVE MONTH

It's our Christmas membership drive!  Please pass this digest around to 
your colleagues and ask them to sign up by sending a note with the 
subject `subscribe sans digest' to <autosans@clark.net>.  Signing up 
during the next 30 days will also include them in the January mailing so
they will get their own copies of the semi-annual SANS Network 
Security Roadmap poster. There's no cost for the Digest or the Poster 
for people who are registered.

============================================================================

1)  BUFFER OVERFLOW VULNERABILITY IN NETSCAPE (10/23/98)
As reported on Bugtraq, a buffer overflow vulnerability in Netscape
versions 3.0 to 4.5 has been identified by Dan Brumleve <nothing@shout.net>.
Netscape is working on patches.  A news.com story detailing this can be 
found at:
	http://www.news.com/News/Item/0,4,27856,00.html?owv

Also, a Linux netscape sample exploit has been published at:
	http://www.shout.net/~nothing/buffer-overflow-1/index.html

============================================================================

2) VULNERABILITY IN HP OPENVIEW  (11/02/98) 

Internet Security Systems (ISS) X-Force announced research that 
has revealed a vulnerability in HP OpenView. ISS found that the hidden
community (string) is readable and may allow access to the SNMP MIB tree 
including variable modification and network discovery.  SNMP agent 
configuration and data collection can be modified, resulting in disruption 
and/or DoS of the SNMP process.  This vulnerability is present in HP 
OpenView Version 5.02.  Earlier versions are believed to be vulnerable.  
HP-UX 9.X and HP-UX 10.X SNMP agents are vulnerable if OpenView is 
installed.   OpenView for Solaris 2.X is also vulnerable.  OpenView for 
Windows NT is not vulnerable.
Patches are available from HP.  For more information and patches refer to 
the ISS Advisory at:
	http://www.iss.net/xforce/alerts/advise12.html

============================================================================

3) SECURITY PATCH FOR SSH-1.2.26 KERBEROS CODE  (11/05/98)

Concerns about buffer overflow problems in sshd have prompted extensive
searches of the ssh code by its developers, SSH Communications 
Security, Finland, and others.  As reported by Tatu Ylonen of SSH Comm., a 
buffer overflow condition does exist, which he found himself (Bugtraq, Nov. 5, 
1998, 02:38).  Tatu included an extensive list of caveats explaining that 
this is an extremely difficult vulnerability to exploit.  
Nonetheless, a patch is given as a workaround in the Bugtraq message, along 
with a promise to make a new release available quickly.  More information can 
be found in the Bugtraq thread at:
	http://www.geek-girl.com/bugtraq/1998_4/0315.html

============================================================================
3a) 11/17/98 - TROJAN HORSE INVOLVING SSH

An SSH developer reported on Bugtraq that the "sshdwarez" (also known as 
"sshdexp") Trojan posted there actually has nothing to do with SSH.  
It does not exploit any vulnerability in any version of SSH.  It is simply 
a program that, if run as root, adds two new entries to /etc/passwd and 
sends mail back to the hacker's account at hotmail.com.  No action is 
required from SSH users.  Just do not run the sshdwarez Trojan.  More 
information can be found on the Bugtraq thread at:
	http://www.netspace.org (Look it up in the third week of November)

Additional information can be found at:
	http://www.ssh.fi/sshprotocols2/
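The sshdwarez item is a reminder that the useful check here is not an SSH patch but an audit of /etc/passwd itself: any UID-0 account beyond the ones you expect, and any account that appeared since your last snapshot, deserves a look. The script below is an added example written for this digest, not code from SSH Communications Security or the Bugtraq poster; the two passwd listings it reads are constructed samples (the last two lines of the "current" file stand in for entries appended by a root-run program), and the allow-list of legitimate UID-0 names is a local policy assumption.

```python
"""Audit /etc/passwd for unexpected UID-0 accounts and entries added since a
baseline snapshot (added example, not from the advisory)."""

# Constructed sample content.  BASELINE is a snapshot taken earlier;
# CURRENT is the file as found now, with two extra entries appended.
BASELINE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

CURRENT = BASELINE + """\
toor2:x:0:0::/:/bin/sh
adm:x:0:0::/tmp:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per non-comment line.  Malformed lines are kept with an
    'error' key so the auditor still sees them instead of silently skipping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        entry = {'line': lineno, 'raw': raw}
        if len(fields) != 7:
            entry['error'] = 'expected 7 fields, got %d' % len(fields)
            entries.append(entry)
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entry.update(name=name, home=home, shell=shell)
        try:
            entry['uid'] = int(uid)
            entry['gid'] = int(gid)
        except ValueError:
            entry['error'] = 'non-numeric uid/gid'
        entries.append(entry)
    return entries


def unexpected_root_accounts(text, allowed=('root',)):
    """Names of UID-0 accounts that are not on the (assumed) allow-list."""
    return [e['name'] for e in parse_passwd(text)
            if 'error' not in e and e['uid'] == 0 and e['name'] not in allowed]


def added_accounts(baseline_text, current_text):
    """Account names present now but absent from the baseline snapshot."""
    before = {e['name'] for e in parse_passwd(baseline_text) if 'name' in e}
    return [e['name'] for e in parse_passwd(current_text)
            if 'name' in e and e['name'] not in before]


def audit(baseline_text, current_text):
    """Human-readable findings combining all three checks."""
    findings = []
    for name in unexpected_root_accounts(current_text):
        findings.append('UID 0 account not on allow-list: %s' % name)
    for name in added_accounts(baseline_text, current_text):
        findings.append('account added since baseline: %s' % name)
    for e in parse_passwd(current_text):
        if 'error' in e:
            findings.append('line %d malformed: %s' % (e['line'], e['error']))
    return findings


if __name__ == '__main__':
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

Against a live system the same functions run over the contents of /etc/passwd and a saved copy; keeping the baseline on read-only media (or at least off the host) is what makes the added-accounts comparison meaningful.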

============================================================================
4) 11/17/98 -  WEB FRAMES EXPLOIT (FRAMESPOOF)

SecureXpert Labs has discovered a security hole in the implementation of
HTML frames. All recent versions of Netscape Navigator and MS Internet
Explorer and any Web site using frames are vulnerable and can be exploited.  
The "framespoof" vulnerability is breathtaking in its scope and simplicity. 
It is a bug in the security policy browsers implement.  The bug was announced 
by Dr. Richard Reiner, CEO of SecureXpert Labs' parent company FSCInternet.  
SecureXpert has posted two sample exploits, one that requires JavaScript
and one that relies on nothing but HTML. Both demonstrate how unauthorized
information can be displayed in the frame of a known and trusted site.
SecureXpert will be working with Netscape and Microsoft on client side fixes 
for the problem.  More information can be found at:
	http://www.securexpert.com/framespoof/index.html
	http://www.securexpert.com/framespoof/start.html
	http://www.securexpert.com/framespoof/tech.html

The original notice from TBTF can be found at:
	http://tbtf.com/archive/11-17-98.html

============================================================================

5) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
	http://us-support.external.hp.com/ (US and Canada)
	http://europe-support.external.hp.com/ (Europe)

The HP Patch Site
  	http://us-ffs.external.hp.com/ftp/export/patches/hp-ux_patch_matrix
			---------------
A) 10/28/98 - HP has announced a Denial-of-Service (DoS) vulnerability in
HP SharedX Receiver Service (recserv).  This was reported in the October 
SANS Digest, but is now official from HP.  Certain messages targeted to 
the service port could result in excessive CPU utilization, and a DoS.
Vulnerable platforms are HP 9000 series 700/800.  Patches are available 
via anonymous ftp at:
  <us-ffs.external.hp.com> in path: 
      ~ftp/export/patches/hp-ux_patch_matrix

For additional information refer to the HP Security Bulletin HPSBUX9810-086.

Or the CIAC Bulletin at:
	http://ciac.llnl.gov/ciac/bulletins/j-015.shtml
			---------------
B) 11/02/98 - Internet Security Systems (ISS) X-Force announced research that
has revealed a vulnerability in HP OpenView.  ISS found that the hidden 
community (string) is readable and may allow access to the SNMP MIB tree including
variable modification and network discovery.  SNMP agent configuration and 
data collection can be modified, resulting in disruption and/or DoS of the 
SNMP process.  This vulnerability is present in HP OpenView Version 5.02.  
Earlier versions are believed to be vulnerable.  HP-UX 9.X and HP-UX 10.X 
SNMP agents are vulnerable if OpenView is installed.  Patches are available.
For more information and patch location refer to the ISS Advisory at:
	http://www.iss.net/xforce/alerts/advise12.html
			---------------
C) 11/16/98 -  HP announced the release of patches for a vulnerability in 
the vacation program shipped with HP-UX as /usr/bin/vacation.  The vacation
program misunderstands its inputs and invokes sendmail with the wrong parameters.
Both sendmail 5.6.5 and 8.7.6 are vulnerable to this malady.  Also, the
vacation program ignores a TO: header when the "O" is upper case.  HP-UX 
versions 9.X, 10.X and 11.0 on HP9000 Series 7/800 are all vulnerable.
This information is contained in the HP Security Bulletin HPSBUX9811-087. 
Patches are available on the HP Patch site.
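The "TO:" case problem is a general one for anything that answers mail: header field names are case-insensitive, and a responder that matches them exactly will miss perfectly valid messages (or, worse, reply to ones it should not). The following is an added example, not HP's vacation code, showing a recipient check that unfolds continuation lines, matches header names regardless of case, and compares addresses case-insensitively; the message it parses is a constructed sample and the case-sensitive lookup is included only for contrast.

```python
"""Case-insensitive mail header matching, as a vacation-style responder
needs it (added example, not the HP-UX vacation program)."""
from email.utils import getaddresses

# Constructed sample message.  The recipient header is spelled "TO:" and its
# value is folded over two lines, both of which a responder must handle.
SAMPLE_MESSAGE = """\
From: bob@example.org
TO: Carol <carol@example.net>,
    dave@example.com
Cc: ops@example.com
Subject: meeting

body text
"""


def parse_headers(message):
    """Return (name, value) pairs from the header block.  Continuation lines
    (leading whitespace) are unfolded onto the previous header.  Names are
    returned as written; lookups must compare them case-insensitively."""
    headers = []
    for line in message.splitlines():
        if line == '':
            break                          # blank line ends the header block
        if line[0] in ' \t':
            if headers:                    # folded continuation line
                name, value = headers[-1]
                headers[-1] = (name, value + ' ' + line.strip())
            continue
        name, sep, value = line.partition(':')
        if not sep or not name.strip():
            continue                       # not a header line; skip, do not misparse
        headers.append((name.strip(), value.strip()))
    return headers


def get_header(headers, wanted):
    """Values of every header named `wanted`, compared case-insensitively
    (RFC 822 field names are case-insensitive, so TO:, To: and to: are equal)."""
    w = wanted.lower()
    return [v for n, v in headers if n.lower() == w]


def get_header_exact(headers, wanted):
    """Case-sensitive lookup, shown only for contrast: it misses 'TO:'."""
    return [v for n, v in headers if n == wanted]


def recipients(message):
    """Lower-cased addresses from all To and Cc headers, display names stripped."""
    headers = parse_headers(message)
    values = get_header(headers, 'To') + get_header(headers, 'Cc')
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def addressed_to(message, me):
    """True if `me` is a To or Cc recipient, whatever the header's case."""
    return me.lower() in recipients(message)


if __name__ == '__main__':
    hdrs = parse_headers(SAMPLE_MESSAGE)
    print('exact lookup of To:', get_header_exact(hdrs, 'To'))
    print('case-insensitive:  ', get_header(hdrs, 'To'))
    print('addressed to dave? ', addressed_to(SAMPLE_MESSAGE, 'Dave@Example.com'))
```

A responder should decide whether to reply from the parsed recipient list and then hand sendmail only the addresses it has validated, never a raw header value, which is the other half of the bulletin's "wrong parameters" problem.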

============================================================================

6) SUN SECURITY PROBLEMS AND PATCHES
Sun security bulletins are available at:
	http://sunsolve.Sun.COM/pub-cgi/secbul.pl

Sun Security Patches are available at:
	http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
			---------------
A) 10/21/98 - Sun announced the release of patches for a vulnerability in
the IMAP server process (Sun Internet Mail Server(tm) (SIMS) versions 3.2
and 2.0). Certain versions of SIMS are subject to buffer overflow problems
as identified by the CERT Advisory CA-98.09 (8/8/98) which discussed 
servers under the SIMS server process.  Patches are available for Sun SIMS
versions 3.2, 3.2_x86, 2.0, and 2.0_x86.  For more information refer to
Sun Security Bulletin #177 at:
 http://sunsolve.sun.com/pub-cgi/us/sec2html?secbull/177
			---------------
B) 11/9/98 - Sun announced a vulnerability in SNMP involving the compromise
of hidden community strings. The Sun Solstice Enterprise Agents (SEA) software
package supports both SNMP and DMI protocols.  SNMP allows remote management
of systems and devices on a network.  SNMP relies on files known as 
Management Information Bases (MIBs).  MIB access is controlled by community
strings.  Compromise of a default community string in the Sun SNMP subagent 
may be exploited remotely opening the door for root level privileges.   
Patches and workarounds for Solaris versions 2.4, 2.5.1, 2.5.1_x86, 2.6,
and 2.6_x86, running versions of SEA, are available.  For more information
refer to Sun Security Bulletin #178 at:
	http://sunsolve.sun.com/pub-cgi/us/sec2html?secbull/178

Or the ISS Security Advisory at:
	http://www.iss.net/xforce/alerts/advise11.html
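Items 2, 5B and 6B come down to the same configuration-hygiene question: which community strings does an agent accept, and from where? The following audit script is an added example, not code from ISS, HP, Sun or the digest. It assumes net-snmp style directives (rocommunity, rwcommunity, com2sec), since the digest does not describe the HP OpenView or Sun SEA agent file formats, and the configuration it reads is a constructed sample; the minimum length and severity levels are assumed local policy.

```python
"""Audit an SNMP agent configuration for default, weak or unrestricted
community strings (added example, not vendor code)."""

# Constructed sample configuration.  net-snmp style directives (rocommunity,
# rwcommunity, com2sec) are assumed here; the digest does not describe the
# HP OpenView or Sun SEA agent file formats.
SAMPLE_CONF = """\
# SNMP agent configuration (constructed sample)
rocommunity public
rwcommunity private
rocommunity monitor 10.1.2.0/24
rwcommunity Xk7$wq9Lm2pR 127.0.0.1
com2sec ro_users default public
"""

DEFAULT_COMMUNITIES = {'public', 'private'}   # the universally known defaults
MIN_LENGTH = 12                               # assumed local policy minimum
ANY_SOURCE = {'default', '0.0.0.0/0'}         # net-snmp spellings of "anyone"


def parse_directives(text):
    """Return (lineno, keyword, community, source) for each directive understood.
    rocommunity/rwcommunity take an optional source after the string; com2sec
    is NAME SOURCE COMMUNITY.  '#' starts a comment in this assumed format."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword in ('rocommunity', 'rwcommunity') and len(parts) >= 2:
            source = parts[2] if len(parts) >= 3 else 'default'
            found.append((lineno, keyword, parts[1], source))
        elif keyword == 'com2sec' and len(parts) >= 4:
            found.append((lineno, keyword, parts[3], parts[2]))
    return found


def audit_snmp_conf(text):
    """Return (severity, lineno, message) findings for a configuration."""
    findings = []
    for lineno, keyword, community, source in parse_directives(text):
        unrestricted = source.lower() in ANY_SOURCE
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(('HIGH', lineno,
                             'default community string %r' % community))
        elif len(community) < MIN_LENGTH:
            findings.append(('MEDIUM', lineno,
                             'short community string (%d chars)' % len(community)))
        if keyword == 'rwcommunity' and unrestricted:
            findings.append(('HIGH', lineno,
                             'write access accepted from any source'))
        elif unrestricted:
            # com2sec access rights are granted elsewhere, so only note the source
            findings.append(('LOW', lineno, 'community accepted from any source'))
    return findings


def has_high(findings):
    """True if any finding is HIGH severity."""
    return any(sev == 'HIGH' for sev, _, _ in findings)


if __name__ == '__main__':
    for severity, lineno, message in audit_snmp_conf(SAMPLE_CONF):
        print('%-6s line %d: %s' % (severity, lineno, message))
```

The read-only community on line 4 is source-restricted but short, and the write community on line 5 passes every check: that combination (strong string, write access only from a named management host) is the configuration the advisories' patches and workarounds are meant to get you to.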
			---------------
C) 11/18/98 - Sun Microsystems announced (Security Bulletin #00179) a
vulnerability in the setuid root utility rdist used to distribute files 
from one host to another. Several buffer overflow vulnerabilities have been
discovered which could be exploited by an attacker to gain root access. 
Solaris versions 2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86, 2.4, 
2.4_x86 and 2.3 and SunOS versions: 4.1.4 and 4.1.3_U1 are vulnerable.
More information can be found at:
	http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/179

Patches are available on the Sun Patch Site.

============================================================================

7) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
	http://www.sgi.com/Support/security/security.html

SGI patches are available at:
	ftp://ftp.sgi.com/security/
                        ------------
A) 10/21/98 - SGI announced the identification of a vulnerability in the 
routed(1M) daemon, affecting IRIX 3.x, 4.x, 5.0.x, 5.1.x, 5.2, 5.3,
6.0.x, 6.1, 6.2, 6.3 and 6.4.  By appending routed(1M) debug and tracing 
information to arbitrary files on the system, an attacker could cause 
significant disruption of a system.  This is considered a High Risk since 
no local account is required for exploit.  Patches are available.  For more
information, refer to the SGI Security Advisory at:
	ftp://sgigate.sgi.com/security/19981004-01-PX

Or the CIAC Bulletin at:
	http://ciac.llnl.gov/ciac/bulletins/j-012.shtml
                        ------------
B) 10/22/98 - SGI announced a vulnerability in autofsd, a RPC server which 
handles mount/unmount requests for the autofs file system.  IRIX versions
6.2, 6.3, 6.4, 6.5 are affected.  Other versions may be affected as well.  
SGI is still investigating.  SGI suggests the temporary fix detailed in 
their Security Advisory be followed.  For additional information refer to 
the advisory at:
	ftp://sgigate.sgi.com/security/19981005-01-A

Or the CIAC Bulletin at:
	http://ciac.llnl.gov/ciac/bulletins/j-013.shtml
                        ------------
C) 10/26/98 - SGI issued an update on the CERT Advisory CA-98.12 
"Remotely Exploitable Buffer Overflow Vulnerability in mountd".  SGI's
investigation found no vulnerability to this issue in any version of
IRIX, Unicos and Unicos/mk, and no further action is required.  For 
additional information refer to the SGI Security Advisory at:
	ftp://sgigate.sgi.com/security/19981006-01-I

============================================================================

8) WINDOWS/NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
	http://www.microsoft.com/security/

Additional NT Security Related web pages may be found at:
	http://ntbugtraq.ntadvice.com/archives/default.asp
	http://www.ntsecurity.net/
			---------------
A) 10/23/98 - Microsoft has announced the availability of patches to fix a 
vulnerability in the way Internet Explorer 4 determines what security zone 
a target server is in.  This vulnerability (Dotless IP Addresses), if 
exploited, can cause Internet Explorer's Security Zone feature to treat an 
Internet zone website as if it were on an Intranet zone.  Patches are 
available for the affected versions: Internet Explorer 4.0, 4.01 and 4.01 
SP1 on NT 4.0 and Windows 95, Windows 98 with integrated Internet Explorer,
Internet Explorer 4.0 and 4.01 for Windows 3.1 and NT 3.51 and Internet 
Explorer 4.01 for UNIX.  For more information refer to the Microsoft 
Security Bulletin MS98-016 at:
	http://www.microsoft.com/security/bulletins/ms98-016.htm

Or at the NTBugtraq archive site for October 1998, listed above.
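The dotless-IP bug is a canonicalisation failure: policy was applied to the host as spelled in the URL rather than to what that spelling resolves to. The code below is an added example, not Microsoft's zone logic, showing the defensive pattern of normalising a numeric host (plain decimal or 0x hex) to a dotted quad before classifying it. The "no dots means intranet" rule in naive_zone is an assumed reconstruction of the behaviour the bulletin describes being fooled, and the intranet address ranges are constructed.

```python
"""Canonicalise a URL host before zone classification (added example, not
Microsoft's Security Zone implementation)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed intranet address ranges for the zone check below.
INTRANET_NETWORKS = [ipaddress.ip_network('10.0.0.0/8'),
                     ipaddress.ip_network('192.168.1.0/24')]


def naive_zone(host):
    """Assumed reconstruction of the rule the bulletin describes being fooled:
    a host with no dots looks like a single-label intranet name, so it is
    treated as local.  A dotless decimal such as 134744072 passes this test
    while still resolving (inet_aton semantics) to a routable address."""
    return 'intranet' if '.' not in host else 'internet'


def canonical_host(host):
    """Render a dotless decimal or 0x-hex host as a dotted quad and lowercase
    names.  Only the plain-decimal and hex spellings are handled; inet_aton
    also accepts octal and short dotted forms, which are returned unchanged."""
    h = host.strip().lower().rstrip('.')
    n = None
    if h and all(c in '0123456789' for c in h):
        n = int(h, 10)
    elif h.startswith('0x') and len(h) > 2 and all(c in '0123456789abcdef' for c in h[2:]):
        n = int(h[2:], 16)
    if n is not None:
        if n > 0xFFFFFFFF:
            raise ValueError('numeric host does not fit in 32 bits: %r' % host)
        return str(ipaddress.IPv4Address(n))
    return h


def zone(url, intranet_networks=INTRANET_NETWORKS):
    """Classify a URL after canonicalising its host: IP literals in any
    spelling are matched against the intranet ranges, and only genuine
    single-label names keep the 'no dots means local' rule."""
    host = canonical_host(urlsplit(url).hostname or '')
    if not host:
        return 'internet'                   # no host at all: fail closed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return naive_zone(host)             # a name, not an address literal
    return 'intranet' if any(addr in net for net in intranet_networks) else 'internet'


if __name__ == '__main__':
    for u in ('http://134744072/', 'http://0x08080808/', 'http://wiki/',
              'http://3232235777/'):
        h = urlsplit(u).hostname
        print('%-24s naive: %-9s canonical: %s' % (u, naive_zone(h), zone(u)))
```

The same normalise-then-decide ordering applies to any allow-list or zone check that takes a host from untrusted input; the spelling variants a resolver accepts are the attack surface, so the policy layer must see only one of them.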
			---------------
B) 11/03/98 - Microsoft announced Dial-Up Networking Security Upgrade for 
Windows 98.  This upgrade enhances the protection of dial-up and VPN 
connections via password management and data encryption.  For more 
information see the Microsoft Knowledge Base article #Q189771 at:
	http://support.microsoft.com/support/kb/articles/q189/7/71.asp
			---------------
C) 11/18/98 - Microsoft released an updated version of the patch for the
"Untrusted Scripted Paste" vulnerability that was discussed in the October
SANS Digest.  The updated patch fixes the original vulnerability as well 
as a newly-discovered variant.  It is recommended that all users, 
including those who downloaded the original patch before November 18, 
download and install the update.  Microsoft Internet Explorer 4.01 and 
4.01 SP1 on Windows NT (r) 4.0, Windows (r) 95, and Microsoft Windows 98 with
integrated Internet Explorer, and Microsoft Internet Explorer 4.01 for Windows
3.1 and Windows NT 3.51 are all vulnerable. This vulnerability does not
affect Internet Explorer 3.x or 4.0 on any platform or any Macintosh or
UNIX versions of Internet Explorer.  This vulnerability could also affect
software that uses HTML functionality provided by Internet Explorer, even if 
Internet Explorer is not used as your default browser. All customers that
have affected versions of Internet Explorer on their systems should install 
this patch.  More information can be found in the Microsoft Knowledge Base
(KB) article  Q169245, (Update available for "Untrusted Scripted Paste" 
Issue) at:
	http://support.microsoft.com/support/kb/articles/q169/2/45.asp

The bulletin reference is at:
	http://www.microsoft.com/security/services/bulletin.asp 


============================================================================

9) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES

BSDI maintains a support web page at:
	http://www.BSDI.COM/support/

FreeBSD maintains a security web page at:
	http://www.freebsd.org/security/security.html

OpenBSD's Security web page is at
	http://www.openbsd.org/security.html

NetBSD's Security web page is at:
	http://www.NetBSD.ORG/Security/
			---------------
A) 11/04/98 - The FreeBSD Security Officer reported on Bugtraq an error in 
the IP fragment reassembly code that may cause a kernel panic.  A pair of
malformed IP packets carrying a UDP datagram can cause a server to panic, 
or crash and reboot, creating a Denial of Service.  
Exploit programs are reported to be circulating.  Versions affected are
only FreeBSD 3.0 and FreeBSD-current before October 27, 1998.  For more  
information, including patch availability, refer to the Bugtraq message at:
	http://www.geek-girl.com/bugtraq/1998_4/0306.html

============================================================================

10) LINUX SECURITY PROBLEMS AND PATCHES

Red Hat Linux maintains a support page at:
	http://www.redhat.com/support/

Redhat ftp site:
	ftp://updates.redhat.com/

Debian GNU/Linux maintains a security web page at: 
	http://www.debian.org/security/
			---------------
A) 11/01/98 - Debian Linux reports a buffer overflow vulnerability in the
logging code of the secure shell daemon (sshd).  There is minimal information,
indicating only that ssh is vulnerable.  No list of affected OS versions was given. (This 
may be related to the rootshell investigation and report of buffer overflow
problem in sshd following their investigation of their compromised
system.  See Tidbits for more information on rootshell.)
For information on the Debian advisory, refer to:
	http://www.debian.org/security/1998/19981101
			---------------
B) 11/06/98 - Redhat Linux announced a security fix for a file descriptor 
leak in svgalib.  The problem was reported on the BUGTRAQ security 
list.  Redhat Linux users should upgrade to the new packages available 
under the updates directory on the Redhat Linux ftp site. For more 
information refer to the Redhat Errata notes at:

http://www.redhat.com/support/docs/rhl/intel/rh52-errata-general.html#svgalib

And more at the General Errata page:
	http://www.redhat.com/support/docs/rhl/rh52-errata-general.html
			---------------
C) 11/06/98 - Redhat Linux reported a fix to a buffer overflow problem in 
package zgv by which an attacker could gain root privileges. Users of Redhat
Linux should upgrade to the new packages available under the updates directory
on the Redhat Linux ftp site.

And more information on Redhat Errata general notes at:
	http://www.redhat.com/support/docs/rhl/rh52-errata-general.html

============================================================================

11) CISCO PROBLEMS AND PATCHES

Cisco Systems maintains an Internet Security Advisories page at:
	http://www.cisco.com/warp/public/779/largeent/security/advisory.html
			---------------
A) 11/05/98 - CISCO announced two vulnerabilities which affect a subset of 
the IOS DFS access list.  IOS Versions 11.1, 11.2, 11.3 and some variations
on 7xxx series Cisco routers configured for distributed fast switching, are 
affected.  Exploit may allow users to send packets to unauthorized networks
or access (attack) other devices.  Risk is medium and no known exploits have
occurred.  Users of an affected network would probably only notice that they
could reach network devices that they couldn't reach previously because the
access lists applied to filter those interfaces are not working. For detailed 
information and fixes refer to the CISCO Field Notice at:
	http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml
 
Or CIAC Information Bulletin at:
	http://ciac.llnl.gov/ciac/bulletins/j-016.shtml
			---------------
B) 11/05/98 - CISCO announced maintenance release of IOS version 11.1CC and
11.1(21)CC to correct some twenty or more software defects.  Complete 
information on the fixes, updates, versions, etc., involved is available at:
	http://www.cisco.com/warp/public/770/fa111-21cc1.shtml

============================================================================

12) QUICK TIDBITS 

A) 10/19/98 - Microsoft announced availability of Security Configuration 
Manager from the NT Service Pack 4 CD for download.  Security Configuration 
Manager (SCM) provides the Security Configuration Editor (SCE), with both a
GUI and a command-line interface for configuring security policy.  SCM can 
be used to inspect existing NT systems to identify system security settings.

For more information see the articles at:

http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4svcpk4/nt4svcpk4.asp
http://www.microsoft.com/ntserver/nts/news/msnw/nt4sp4mktbulletin.asp
And general information can be found at:
http://www.microsoft.com/security/ntprod.htm

For information on real world experiences with SP4 and SCM visit the 
Ntbugtraq site:

http://ntbugtraq.ntadvice.com/default.asp?p=page%5Fdefault%2Easp%3Fid%3D36
			---------------
B) 10/26/98 - IBM announced a vulnerability in the automountd daemon 
affecting AIX 4.3.x versions.  Commands could be run as root by both local 
and remote users, if exploited.  Exploits have been made public, so the 
risk is High.  IBM suggests disabling automountd and applying the temporary 
fix described in their Security Vulnerability Alert at:

http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:004.1.txt

Details of the fix can be found in CIAC Information Bulletin J-014 at:
	http://ciac.llnl.gov/cgi-bin/index/bulletins?j-014.shtml
 			---------------
C) 11/22/98 - SANS Digest Creator and Editor, Michele Crabb, weds 
long-time beau and best friend, Jesse Guel!  The couple will honeymoon 
in Ixtapa-Zihuatanejo, Kona Hawaii and Kuai Hawaii until 12/12/98.

 		     	**********************
Copyright, 1998, The SANS Institute.  This issue may be forwarded for
the purposes of encouraging new subscribers.  No posting allowed without 
prior written permission (ask <sans@clark.net> for permission). 

Email <digest@sans.org> for information on subscribing.  You'll receive
a free subscription package and sample issue in return.

To unsubscribe, email autosans@clark.net with the subject `unsubscribe
security digest'.

The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large organizations.


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNlsB3qNx5suARNUhAQF40gP/Tw56FhGG5iG5yB/K+sHT4t1sNs5NVxWS
GdIHLHptGryLjv2oST0uac4GA87tpGfpl5ZOO7WfoCVl9mCEIjd0wUAF3SHt+enL
MEi+kybWFfJDVg/1xJgb2nPCviUG3/l2t99Kj3IdSnqJ7N2oPhanwVQwF0gNaCxH
1iWGWgt0p9w=
=2Jw0
-----END PGP SIGNATURE-----