CA-95:06.README
Issue date: June 9, 1995

This file is a supplement to CERT advisory CA-95:06, "Security
Administrator Tool for Analyzing Networks (SATAN)," distributed on
April 3, 1995. We will update this file as additional information
becomes available.

Advisory CA-95:06 was based on our examination of beta version 0.51 of
SATAN; this README contains updated information based on SATAN version
1.1.1, which was released on April 11, 1995.

Note to users of LINUX SATAN: There was a posting to USENET that a
Trojan horse was introduced into a version of LINUX SATAN binaries
archived on ftp.epinet.com. CERT staff have not verified that this
Trojan horse exists; however, if you are using LINUX SATAN and believe
your version may be compromised, we suggest you obtain additional
information from

     ftp://ftp.epinet.com/pub/linux/security

For convenience, the following two paragraphs are a summary of the
updates that are more fully described in the sections below.

* Additions:
     reference to CA-95:07a.vulnerability.in.satan (Introduction)
     information on a SATAN probe for unrestricted modems (Sec. 4)
     a note on tools for detecting probes (Sec. 6)
     where to get a copy of SATAN (Sec. 7)
     checksums for SATAN and documentation (Sec. 7)
     where to send comments about SATAN (Sec. 8)

* Corrections:
     pathnames corrected (Sec. 3)

     There is an extraneous colon after the hostname in some URLs.
     (Sec. 4, Sec. 5) Although this shouldn't affect your ability to
     reach our site, try removing the colon (after info.cert.org) if
     you are having difficulty. For example, change
          ftp://info.cert.org:/pub/tech_tips
     to
          ftp://info.cert.org/pub/tech_tips

Addendum to Introduction
------------------------
After the release of SATAN 1.0, we published a separate advisory,
CA-95:07, superseded by CA-95:07a, describing a vulnerability in SATAN.
If you do not already have a copy of CA-95:07a, we strongly urge you to
obtain a copy from

     ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul

As we receive new information about SATAN, we will place it in README
files

     ftp://info.cert.org/pub/cert_advisories/CA-95:06.README
     ftp://info.cert.org/pub/cert_advisories/CA-95:07a.README

We encourage you to check our README files regularly for updates to all
advisories relating to your site.

Correction to Section 3. How to Prepare for the Release of SATAN
----------------------------------------------------------------
The pathnames should read

     ftp://info.cert.org/pub/tech_tips/security_info
     ftp://info.cert.org/pub/tech_tips/anonymous_ftp
     ftp://info.cert.org/pub/tech_tips/packet_filtering

Addendum to Section 4. Vulnerabilities Probed by SATAN
------------------------------------------------------
The information in CERT advisory CA-95:06 was based on our examination
of SATAN beta version 0.51. The information in this README file is
based on our examination of SATAN 1.1.1. This version of SATAN also
probes for unrestricted modems, so Sec. 4 should now have an item 12:

     12. Unrestricted dial-out modem available via TCP. Place modems
         behind a firewall or put password or other extra
         authentication on them (such as S/Key or one-time passwords).
         For information on one-time passwords, see CERT advisory
         CA-94:01, Appendix B.

The following information should be added to Item #8 in Sec. 4:

     A TCP/IP wrapper program is available from
     ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z

Addendum to Section 6. Detecting Probes
---------------------------------------
New tools are becoming available on the network to help you detect
probes, but the CERT staff has not evaluated them. Although detection
tools can be helpful, keep in mind that their effectiveness depends on
the nature and availability of your logs and that the tools may become
less effective as SATAN is modified.
The most important thing you can do is take preventive action to secure
your systems.

Addendum to Section 7. Using SATAN
----------------------------------
In addition, the following precautions will help you minimize the risks
of running SATAN:

* Install all relevant security patches for the system on which you
  will run SATAN.

* Ensure that the SATAN directory tree cannot be read by users other
  than root.

* Execute SATAN only from the console of the system on which it is
  installed (e.g., do not run SATAN from an X terminal, from a diskless
  workstation, or from a remote host).

* Ensure that the SATAN directory tree is not NFS-mounted from a remote
  system.

* It is best to run SATAN from a system that does not support multiple
  users.

Addendum to Section 8. Getting more information about SATAN
-----------------------------------------------------------
The SATAN authors report that SATAN 1.1.1 is available from many sites,
including:

     ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z
     ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.README
     ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z
     ftp://ftp.win.tue.nl/pub/security/satan_doc.README

To get a current list of sites, send mail to:

     majordomo@wzv.win.tue.nl

and put in the body of your message

     get satan mirror-sites

You can also use archie to locate sites that have SATAN.

MD5 checksums for SATAN:

     satan-1.1.1.README    = 3f935e595ab85ee28b327237f1d55287
     satan-1.1.1.tar.Z     = de2d3d38196ba6638b5d7f37ca8c54d7
     satan-1.1.1.tar.Z.asc = a9261070885560ec11e6cc1fe0622243
     satan_doc.README      = 4ebe05abc3268493cdea0da786bc9589
     satan_doc.tar.Z       = 951d8bfca033eeb483a004a4f801f99a
     satan_doc.tar.Z.asc   = 3216053386f72347956f2f91d6c1cb7c
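
One way to check a download directory against the MD5 checksums listed above. This is an added example, not code from CERT or the SATAN authors; the function names and the SATAN_DIR variable are hypothetical, and it assumes md5sum from GNU coreutils is installed.

```sh
#!/bin/sh
# Added example (not CERT's or the SATAN authors' code): compare downloaded
# files with the MD5 values published in this README.
# Assumption: md5sum from GNU coreutils is installed.

# "<md5>  <filename>" pairs copied from the checksum list above.
SATAN_MD5='3f935e595ab85ee28b327237f1d55287  satan-1.1.1.README
de2d3d38196ba6638b5d7f37ca8c54d7  satan-1.1.1.tar.Z
a9261070885560ec11e6cc1fe0622243  satan-1.1.1.tar.Z.asc
4ebe05abc3268493cdea0da786bc9589  satan_doc.README
951d8bfca033eeb483a004a4f801f99a  satan_doc.tar.Z
3216053386f72347956f2f91d6c1cb7c  satan_doc.tar.Z.asc'

# md5_of FILE: print the hex digest only (stdin keeps the name out of it).
md5_of() {
    md5sum < "$1" | cut -d' ' -f1
}

# verify_file FILE EXPECTED: 0 = match, 1 = mismatch, 2 = file missing.
verify_file() {
    [ -f "$1" ] || return 2
    [ "$(md5_of "$1")" = "$2" ]
}

# verify_satan_dir DIR: report each listed file; return the number of
# files that are missing or do not match (0 means all six verified).
verify_satan_dir() {
    bad=0
    while read -r sum name; do
        st=0
        verify_file "$1/$name" "$sum" || st=$?
        case $st in
            0) echo "OK       $name" ;;
            1) echo "MISMATCH $name"; bad=$((bad + 1)) ;;
            *) echo "MISSING  $name"; bad=$((bad + 1)) ;;
        esac
    done <<EOF
$SATAN_MD5
EOF
    return "$bad"
}

# Run only when a download directory is named, e.g. SATAN_DIR=/tmp/dl
if [ -n "${SATAN_DIR:-}" ]; then
    verify_satan_dir "$SATAN_DIR" || echo "do not unpack: verification failed"
fi
```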
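
For two of the precautions in the addendum to Section 7 (the SATAN directory tree must not be readable by users other than root, and must not be NFS-mounted), a check can be scripted. This is an added example, not part of the advisory or of SATAN; the function names are hypothetical, and the remote-mount test is a heuristic that assumes NFS sources appear as "host:/path" in df output.

```sh
#!/bin/sh
# Added example: audit a SATAN install against two of the precautions above.
# Assumption: the tree should be owned by root; another owner may be passed.

# unsafe_entries DIR [OWNER]: list entries that are readable by group or
# other, or not owned by OWNER (default root). POSIX find options only.
unsafe_entries() {
    find "$1" \( ! -user "${2:-root}" -o -perm -040 -o -perm -004 \) -print
}

# is_remote_source SRC: succeed if a df "Filesystem" field looks like an
# NFS-style "host:/export" source (heuristic, not a filesystem-type query).
is_remote_source() {
    case $1 in
        *:/*) return 0 ;;
        *)    return 1 ;;
    esac
}

# mount_source DIR: print the device or remote source backing DIR.
mount_source() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# audit_satan_tree DIR [OWNER]: print findings; return 0 only if clean.
audit_satan_tree() {
    findings=0
    exposed=$(unsafe_entries "$1" "${2:-root}")
    if [ -n "$exposed" ]; then
        echo "wrong owner, or readable by group/other:"
        echo "$exposed"
        findings=1
    fi
    src=$(mount_source "$1")
    if is_remote_source "$src"; then
        echo "tree is on a remote mount: $src"
        findings=1
    fi
    return "$findings"
}
```

Call it as `audit_satan_tree /path/to/satan` before each run; a non-zero return means at least one precaution is not met.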