CIAC documents FY 1993 Series D

ciacfy93.txt   All public FY93 CIAC bulletins.

d-01.txt   ciac-novel-access-rights
d-02.txt   ciac-(limited-distribution)
d-03.txt   ciac-vms-MONITOR-patch
d-04.txt   ciac-sunos-18-patches
d-05.txt   ciac-hp-NIS-ypbind
d-06.txt   ciac-vms-disuser
d-07.txt   ciac-(limited-distribution)
d-08.txt   ciac-vms-v5-OS
d-09.txt   ciac-vms-v5-OS-addendum
d-10.txt   ciac-november-17-virus
d-11.txt   ciac-sunos-patches-dni-pcnfs
d-12.txt   ciac-(limited-distribution)
d-13.txt   ciac-unix-wuarchive-ftp-daemon
d-14.txt   ciac-(limited-distribution)
d-15.txt   ciac-cisco-router-vulnerability
d-16.txt   ciac-sunos-expreserve-vulnerability
d-17.txt   ciac-(limited-distribution)
d-18.txt   ciac-solaris-2.x-expreserve-patches
d-19.txt   ciac-anonymous-ftp-server-attacks
d-20.txt   ciac-summary-sunos-patches
d-21.txt   ciac-novell-netware-login-patch
d-22.txt   ciac-Satan-Bug-Virus
d-23.txt   ciac-limited-distribution
d-24.txt   ciac-sco-home-directory-vulnerability
d-25.txt   ciac-automated-scanning-of-network-vulns
d-26.txt   ciac-limited-distribution

_______________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                       Information Bulletin

            Novell NetWare Access Rights Vulnerability

OCT 14, 1992 0900 PDT                                        Number D-01
________________________________________________________________________

PROBLEM:  A vulnerability has been discovered which may allow any Novell
          Netware user to obtain unauthorized privileges.
PLATFORM: PC/MS-DOS with Novell NetWare 3.x, 2.x, and NetWare for UNIX
DAMAGE:   Compromise of server integrity
SOLUTION: Obtain and apply software enhancements available from Novell;
          prudent NetWare administration
________________________________________________________________________

Critical Facts about the Novell NetWare Access Rights Vulnerability

CIAC has learned of a network security threat that allows any Novell user, equipped with a special program, to gain the access rights assignable by any other user currently attached to the server. This vulnerability affects NetWare 3.x, NetWare 2.x, and NetWare for Unix.

CIAC recommends that you obtain the Phase I security enhancements as soon as they are available. They are scheduled to be released by Novell by the end of October. NetWare 3.x and 2.x customers will be able to obtain the enhancements via anonymous ftp from ftp.IS.Sandy.Novell.COM (137.65.12.2) as well as via NetWire (Compuserve) and NetWare Express (GE Information Services). NetWare for Unix customers should contact the NetWare for Unix partner who provided them the software. Help is available from the Novell customer information line 1-800-NETWARE.

As a general precaution, and as an interim measure until the Phase I patches are released, Novell recommends the following security practices:

  * Use the NetWare utility "SECURITY" to detect insecure access points to the server.
  * Require passwords on all accounts.
  * Force periodic password changes.
  * Require unique passwords.
  * Limit access rights and security equivalences.
  * Limit concurrent connections.
  * Enforce login time restrictions.
  * Enforce login station restrictions.
  * Enable intruder detection.
  * Secure unattended workstations to avoid unauthorized use.

In addition, CIAC recommends that you minimize or eliminate supervisor activity concurrent with non-privileged connections until Phase I is available; and further recommends that you activate all applicable NetWare security features and install the most recent versions of system software, client software, and other patches.

Novell informs us that to their knowledge programs to exploit this vulnerability have not yet been found outside laboratories; and the technique used to create the security threat, known as packet spoofing or packet forging, is inherent to all client server architectures that have not taken specific protective actions. CIAC believes that because of the increasing publicity of this technique, the vulnerability could soon be exploited by the hacker/cracker community.

CIAC would like to thank Novell for providing the security practices, access information, and general support for our efforts concerning this issue. We would also like to acknowledge the efforts of SURFnet Computer Emergency Response Team CERT-NL for alerting us to this situation.

For additional information or assistance, please contact CIAC at (510) 422-8193 / FTS or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002 / FTS.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
======================================================================
_____________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                  LIMITED DISTRIBUTION BULLETIN

                    Internet Attack Advisory

October 23, 1992, 1500 PST                                   Number D-02

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

_____________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                      INFORMATION BULLETIN

          Patch Available for VAX/VMS MONITOR Vulnerability

October 30, 1992, 0800 PST                                   Number D-03
______________________________________________________________________________

PROBLEM:  The MONITOR utility on VMS Versions 5.0 through 5.4-2 can be
          used to obtain unauthorized privileges.
PLATFORM: VAX systems running the VMS operating system.
DAMAGE:   An unprivileged user can obtain increased privileges.
SOLUTION: Upgrade to VMS version 5.4-3 (or higher); alternatively,
          install a new SYS$SHARE:SPISHR.EXE or implement workarounds
          given in CIAC Bulletin C-30.
______________________________________________________________________________

Critical Information about the MONITOR Patch

CIAC issued Bulletin C-30 on August 31, 1992, which described the VAX/VMS MONITOR vulnerability in VMS Versions 5.0 through 5.4-2. Bulletin C-30 contained Digital Equipment Corporation (DEC) advisory SSRT-0200, which gave workarounds. This bulletin contains DEC's addendum, SSRT-0200-1, which announces the availability of a kit to fix problems with the affected VMS versions.

The kit is identified as MONITOR$S01_050, MONITOR$S01_051, MONITOR$S01_052, MONITOR$S01_053 and MONITOR$S01_054. It contains a new binary image of SYS$SHARE:SPISHR.EXE, appropriate to the version of VMS being fixed. It is available from DEC's Digital Services organization. In the U.S.A., it is also available via DSIN or DSNlink as CSCPAT_1047.

DEC's advisory notice follows:

==============================================================================
21-OCT-1992   SSRT-0200-1 (ADDENDUM)
21-AUG-1992   SSRT-0200

SOURCE:   Digital Equipment Corporation
AUTHOR:   Software Security Response Team - U.S. Colorado Springs USA
PRODUCT:  VMS MONITOR V5.0 through V5.4-2
PROBLEM:  Potential Security Vulnerability in VMS MONITOR Utility
SOLUTION: A VMS V5.0 through V5.4-2 remedial kit is now available by
          contacting your normal Digital Services Support organization.
NOTE:     This problem has been corrected in VAX/VMS V5.4-3 (released in
          October 1991).
_____________________________________________________________________
The kit may be identified as MONTOR$S01_05* or CSCPAT_1047, available via DSIN and DSNlink.
_____________________________________________________________________

Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under the Copyright Laws of the United States.
________________________________________________________________________
ADVISORY ADDENDUM INFORMATION:
________________________________________________________________________

In August 1992, an advisory and article were distributed describing a potential security vulnerability discovered in the VMS MONITOR utility. Suggested workarounds to remove the vulnerability were provided. The advisory was labeled SSRT-0200 "Potential Security Vulnerability in VMS MONITOR Utility."

This addendum follows that advisory with information of the availability of a kit containing a new SYS$SHARE:SPISHR.EXE for VMS V5.0-* through VMS V5.4-2 and may be identified as MONTOR$S01_050 through MONTOR$S01_054 respectively from your Digital Services organization. In the U.S., the kit is also identified as CSCPAT_1047, available via DSIN and DSNlink.

Note: This potential vulnerability does not exist in VMS V5.4-3 and later versions of VMS. Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3, and further, to the latest release of VMS, V5.5-1 (released in July, 1992). If you cannot upgrade to a minimum of VMS V5.4-3 at this time, Digital strongly recommends that you install the available V5.0-* through V5.4-2 patch kit on your system(s), available from your support organization, to avoid any potential vulnerability.

You may obtain a kit for VMS V5.0 through V5.4-2 by contacting your normal Digital Services support organization (Customer Support Center, using DSNlink or DSIN, or your local support office).

As always, Digital recommends that you periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.
________________________________________________________________________
End of Advisory SSRT-0200-1
==============================================================================

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

CIAC wishes to thank Rich Boren of DEC's Software Security Response Team (SSRT) for the information used in this bulletin.

_____________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                      INFORMATION BULLETIN

     18 New and Upgraded Security Patches Available For SunOS

November 11, 1992, 1200 PST                                  Number D-04
______________________________________________________________________________

PROBLEMS:  Various security vulnerabilities.
PLATFORMS: SunOS 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and 5.0 (Solaris 2.0FCS).
DAMAGE:    Unauthorized root access and privileges, denial of service,
           other damage as noted below.
SOLUTION:  Apply Sun Patches as described.
______________________________________________________________________________

Critical Information about SunOS Security Patches

CIAC has received information from Sun Microsystems regarding the availability of the following eighteen security patches for SunOS versions 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and Solaris 2.0FCS (which contains SunOS 5.0). The patches are available through your local Sun Answer Center and via anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the patches from the /systems/sun/sun-dist directory. In Europe, ftp to mcsun.eu.net and retrieve the patches from the ~ftp/sun/fixes directory. The patches are contained in compressed tar files named [patch].tar.Z. For example, if you wish to obtain patch 100103-11, the tarfile would be 100103-11.tar.Z.

Each patch has been checksummed using the SunOS "sum" command so its validity can be verified by the end user. If you find that the checksum differs from that listed below, please contact Sun Microsystems or CIAC for confirmation before using the patch.
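As an added example (not part of the bulletin or of Sun's tooling), the Python below reproduces the BSD-style 16-bit checksum that the `sum` command prints as "checksum blocks", parses rows in the form of the patch table that follows, and checks a downloaded `[patch].tar.Z` against them. It assumes SunOS `sum` uses the historic BSD algorithm with 1024-byte blocks (the same as GNU `sum -r`); the three table rows are copied from this bulletin and the file contents in the test are constructed.

```python
import re
from typing import Dict, Tuple

# Rows copied verbatim from the patch table in this bulletin:
# patch id, checksum, blocks, SunOS versions, CIAC bulletins.
BULLETIN_TABLE = """\
100103-11 19847 6 4.1.3, 4.1.2, 4.1.1, 4.1 B-26
100173-09 28314 788 4.1.3, 4.1.2, 4.1.1, 4.1 C-28
100723-01 22726 1 Solaris 2.0FCS/SunOS 5.0 new patch
"""

# <patch id> <checksum> <blocks> ... ; the rest of the row is not needed for verification.
ROW_RE = re.compile(r"^(\d{6}-\d{2})\s+(\d+)\s+(\d+)\b")


def parse_patch_table(text: str) -> Dict[str, Tuple[int, int]]:
    """Map patch id -> (checksum, blocks) from table rows laid out like the bulletin's."""
    table: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            table[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return table


def bsd_sum(data: bytes, block_size: int = 1024) -> Tuple[int, int]:
    """Historic BSD 'sum': rotate the 16-bit accumulator right by one bit, add the
    byte, and report the number of blocks.  Assumption: SunOS 4.x /usr/bin/sum
    (BSD-derived) counts 1024-byte blocks, as GNU 'sum -r' does."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)   # 16-bit rotate right
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + block_size - 1) // block_size       # round up
    return checksum, blocks


def verify_patch(patch_id: str, data: bytes, table: Dict[str, Tuple[int, int]]) -> str:
    """Compare the bytes of a downloaded <patch>.tar.Z with the bulletin's listing.
    MISMATCH is the case the bulletin says to refer to Sun or CIAC before installing."""
    if patch_id not in table:
        return "UNLISTED"            # nothing in the bulletin to compare against
    if bsd_sum(data) == table[patch_id]:
        return "MATCH"
    return "MISMATCH"
```

A 16-bit sum catches transfer corruption but is far too small to rule out deliberate substitution, which is why the bulletin's advice to confirm any discrepancy out of band with Sun or CIAC still matters.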
To install the patches on your system, follow the instructions contained in the README files which accompany each patch.

The following ten patches (except for the last, which is a new patch) are new revisions, superseding older patch versions, and they all include fixes for new bugs. All designated versions of SunOS should be upgraded with these patches. Refer to the CIAC bulletins listed, or contact CIAC for more information on each vulnerability. A brief description of each patch is provided.

Patch      Checksum    SunOS Versions                 CIAC Bulletins
-----      --------    --------------                 --------------
100103-11  19847 6     4.1.3, 4.1.2, 4.1.1, 4.1       B-26
    A shell script modifies file permissions to a more secure mode. The script changes the permissions for two additional files: /var/yp/`domainname`/mail.aliases.dir and /var/yp/`domainname`/mail.aliases.pag

100173-09  28314 788   4.1.3, 4.1.2, 4.1.1, 4.1       C-28
    NFS jumbo patch - Repairs a problem when accessing NFS mounted files as root. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded.

100267-09  55338 5891  4.1.1                          (contact CIAC)
    This is the international version of the libc replacement with all 4.1.1 patches. New bug fixes include: innetgr may acknowledge false netgroup membership, undefined symbols when linking statically with "mblen()", mbtowc and mbstowcs give different results for same character.

100305-10  28781 368   4.1.3, 4.1.2, 4.1.1, 4.1       B-30, B-33
    Fix for lpr, lpd, lpstat -v, passwd, delete, and system. This patch also contains a new bug fix for lpstat -v.

100377-05  29141 1076  4.1.3, 4.1.2, 4.1.1, 4.1       C-26, A-16
    sendmail jumbo patch - Fixes sendmail, sendmail.mx. Remedies five new bugs in sendmail.

100507-04  57590 61    4.1.3, 4.1.2, 4.1.1            (contact CIAC)
    tmpfs jumbo patch - Copying files from an NFS mounted partition to a tmpfs mount can result in a security breach. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded.

100513-01  20616 480   4.1.3, 4.1.2, 4.1.1, 4.1       B-10
    tty jumbo patch - Consolidates many patches, including security patch 100188-02 (TIOCCONS redirection of console output/input). This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded.

100201-06  13145 164   4.1.1, 4.1                     (contact CIAC)
    C2 jumbo patch - Fixes delay with yppasswd when running C2 with NIS, unprivileged access to environment variables, and a problem where an image contains plaintext passwords and passwd.adjunct file.

100564-05  00115 824   4.1.3, 4.1.2                   (contact CIAC)
    C2 jumbo patch - Fixes problem where an image contains plaintext passwords and passwd.adjunct file.

100723-01  22726 1     Solaris 2.0FCS/SunOS 5.0       new patch
    The Solaris 2.0FCS install leaves world-writable directories. NOTE: this patch contains a README file only. The README instructs the installer to run the following command as root after the installation of Solaris 2.0FCS/SunOS 5.0:

        # pkgchk -f

    correcting directory and file attributes incorrectly set during the installation process.

The following patch is an upgrade for compatibility with SunOS versions 4.1.2 and 4.1.3. If you have a pre-4.1.2 system and have previously loaded this patch, you need not apply this to your system.

100372-02  22739 712   4.1.3, 4.1.2, 4.1.1            (contact CIAC)
    tfs and C2 do not work together. This patch is provided for C2 security, and is only necessary if you use C2 with tfs (translucent file service).

The following seven patches are upgraded to be compatible with SunOS 4.1.3. If you have a pre-4.1.3 system and have previously loaded these patches, you need not apply these to your system.

100296-04  42492 40    4.1.3, 4.1.2, 4.1.1            C-06
    Netgroup exports to world.

100482-03  27837 342   4.1.3, 4.1.2, 4.1.1, 4.1       C-25
    ypserv, ypxfrd. Note: the /var/yp/securenets configuration file provided with this patch does not support blank lines.

100383-05  52230 135   4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3  C-04, C-08
    rdist security enhancement.

100567-04  15728 11    4.1.3, 4.1.2, 4.1.1, 4.1       C-28
    icmp redirects, mfree panic. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded.

100630-01  28074 39    4.1.3, 4.1.2, 4.1.1, 4.1       C-26
100631-01  44444 25    4.1.3, 4.1.2, 4.1.1, 4.1       C-26
    login, su, LD_ environment variables. 100630-01 is the international version of /bin/login for systems not using the US Encryption Kit. /usr/bin/su and /usr/5bin/su from the international version are suitable for sites that use the US Encryption Kit. 100631-01 is the domestic version. To obtain 100631-01, contact your local Sun Answer Center.

100633-01  33264 20    4.1.3, 4.1.2, 4.1.1            (contact CIAC)
    Unbundled SunSHIELD ARM 1.0, "LD_" environment variables can be used to exploit login/su, international version.

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

CIAC wishes to thank Ken Pon of Sun Microsystems for the information used in this bulletin.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to Docserver@First.Org with a null subject line, and the first line of the message reading: send first-contacts.
RESTRICTIONS: NONE
_____________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

         Revised Hewlett-Packard NIS ypbind Vulnerability

January 22, 1993, 1400 PST                                   Number D-05
_________________________________________________________________________

PROBLEM:  Allows unauthorized access to NIS data.
PLATFORM: HP/UX Operating System for series 300, 700, and 800 computers.
DAMAGE:   Remote and local users can obtain unauthorized privileges.
SOLUTION: Install revised patches.
_________________________________________________________________________

Critical Information about Hewlett-Packard NIS ypbind

The enclosed advisory was issued by the Computer Emergency Response Team Coordination Center (CERT/CC) and is an update to a previous advisory CA-92:17.

=============================================================================
CA-93:01                        CERT Advisory
                              January 13, 1993
               Revised Hewlett-Packard NIS ypbind Vulnerability
-----------------------------------------------------------------------------

          *** THIS IS A REVISED CERT ADVISORY ***
          *** IT CONTAINS NEW INFORMATION REGARDING AVAILABILITY OF IMAGE KITS ***
          *** SUPERSEDES CERT ADVISORY CA-92:17 ***

The CERT Coordination Center has received information concerning a vulnerability in the NIS ypbind module for the Hewlett-Packard (HP) HP/UX Operating System for series 300, 700, and 800 computers. HP has provided revised patches for all of the HP/UX level 8 releases (8.0, 8.02, 8.06, and 8.07). This problem is fixed in HP/UX 9.0.

The following patches have been superseded:

    Patch ID      Replaced by Patch ID
    PHNE_1359     PHNE_1706
    PHNE_1360     PHNE_1707
    PHNE_1361     PHNE_1708

All HP NIS clients and servers running ypbind should obtain and install the patch appropriate for their machine's architecture as described below.

-----------------------------------------------------------------------------

I.   Description

     A vulnerability in HP NIS allows unauthorized access to NIS data.

II.  Impact

     Root on a remote host running any vendor's implementation of NIS can gain root access on any local host running HP's NIS ypbind. Local users of a host running HP's NIS ypbind can also gain root access.

III. Solution

     1) All HP NIS clients and servers running ypbind should obtain and install the patch appropriate for their machine's architecture. These patches contain a version of ypbind that accepts ypset requests only from a superuser port on the local host. This prevents a non-superuser program from sending rogue ypset requests to ypbind. The patches also include the mod from the superseded patches that prevents a superuser on a remote system from issuing a ypset -h command to the local system and binding the system to a rogue ypserver.

        These patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security patches, you must first register with the HP SupportLine. The registration instructions are available via anonymous FTP at cert.org (192.88.209.5) in the file "pub/vendors/hp/supportline_and_patch_retrieval".

        The new patch files are:

        Architecture  Patch ID   Filename                               Checksum
        ------------  --------   --------                               --------
        Series 300    PHNE_1706  /hp-ux_patches/s300_400/8.X/PHNE_1706  38955 212
        Series 700    PHNE_1707  /hp-ux_patches/s700/8.X/PHNE_1707      815 311
        Series 800    PHNE_1708  /hp-ux_patches/s800/8.X/PHNE_1708      56971 299

     2) The instructions for installing the patch are provided in the PHNE_xxxx.text file (this file is created after the patch has been unpacked).

        The checksums listed above are for the patch archive files from HP. Once unpacked, each shell archive contains additional checksum information in the file "patchfilename.text". This checksum is applicable to the binary patch file "patchfilename.updt".
        If you have any questions about obtaining or installing the patches, contact the USA HP SupportLine at 415-691-3888, or your local HP SupportLine number. Please note that the telephone numbers in this advisory are appropriate for the USA and Canada.

-----------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Brian Kelley of Ford Motor Company for bringing this vulnerability to our attention. We would also like to thank Hewlett-Packard for their response to this problem.
-----------------------------------------------------------------------------
===========================================================================

CIAC would like to acknowledge the contributions of: CERT/CC.

For additional information or assistance, please contact CIAC at (510)422-8193/FTS or send E-mail to ciac@llnl.gov. FAX messages to (510)423-8002/FTS. The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

_______________________________________________________
           The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

        Failure to disable user accounts for VMS 5.3 to 5.5-2

FEB 12, 1993 1400 PST                                        Number D-06
________________________________________________________________________

PROBLEM:  VMS systems configured to disable user accounts experiencing
          break-in attempts may not disable those accounts, as required.
PLATFORM: VAXstations using DECwindows or Motif, VMS versions 5.3
          through Open VMS 5.5-2.
DAMAGE:   Unauthorized users could gain access given sufficient time.
SOLUTION: Apply patch CSCPAT_0239019 or physically secure workstations
          if accounts are so configured.
________________________________________________________________________

Critical Facts about potential vulnerability in VMS VAXstations

CIAC has learned of a vulnerability in VAXstations running (Open) VMS versions 5.3 through 5.5-2 when using VMS DECwindows or VMS DECwindows MOTIF.
The vulnerability applies to systems where the SYSGEN parameter for disabling accounts under attack is enabled (i.e., LGI_BRK_DISUSER is set to 1). If the "break-in limit," i.e., the log-in failure count threshold (SYSGEN parameter LGI_BRK_LIM), is exceeded during an interval determined by an algorithm using LGI_BRK_TMO, the account will NOT be disabled, allowing repeated attacks. Other security functions will continue to work correctly, such as evasion and SYSUAF counts for log-in failures, as well as security audit recording. The vulnerability is not present when using non-local DECwindows or MOTIF access via DECnet.

If you are not required to invoke automatic account disabling, CIAC recommends that you secure your systems by prudently managing passwords and effectively setting break-in detection and evasion SYSGEN parameters. In most cases the default parameter settings are adequate. You may further strengthen evasion security by

  o reducing LGI_BRK_LIM (default 5 log-in attempts)
  o increasing LGI_HID_TIM (default 300 seconds)
  o increasing LGI_BRK_TMO (default 300 seconds)
  o changing LGI_BRK_TERM to 0 (default is 1)

Be advised that each parameter change may increase the risk of denial of service to legitimate users. If you have dial-up access, make certain that the parameter LGI_RETRY_LIM is not increased beyond its default value of three.

In all cases, CIAC recommends that you first upgrade to the latest version of Open VMS and windowing software (to correct other potential vulnerabilities). To correct the potential vulnerability identified in this bulletin, apply patch suite CSCPAT_0239019, available from Digital. If you have DSNlink for VMS, use the DSNlink VTX Patch Application. When prompted for a search string, use the keyword CSCPAT_0239019. If you do not have DSNlink for VMS, contact your local Digital office or your Digital Support Center for the patch.
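To show how the SYSGEN parameters above interact, here is an added, deliberately simplified Python model of break-in detection and evasion; it is not Digital's code (OpenVMS randomises the hide time and keeps other state this model omits). The parameter names and defaults are the bulletin's; the user names, terminal names and login attempts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class BreakinParams:
    """SYSGEN parameters named in the bulletin, with the defaults it quotes."""
    lgi_brk_lim: int = 5        # failures tolerated before evasion starts
    lgi_brk_tmo: int = 300      # seconds a failure stays counted against the suspect
    lgi_hid_tim: int = 300      # seconds of evasion once the limit is exceeded
    lgi_brk_term: int = 1       # 1: count failures per user+terminal, 0: per user only
    lgi_brk_disuser: int = 0    # 1: also DISUSER the account when evasion begins


class BreakinMonitor:
    """Simplified model (assumption: not the exact OpenVMS algorithm)."""

    def __init__(self, params: Optional[BreakinParams] = None):
        self.p = params or BreakinParams()
        self.suspects: Dict[Tuple, Tuple[int, int]] = {}  # key -> (count, expiry time)
        self.evading: Dict[Tuple, int] = {}              # key -> time evasion ends
        self.disabled: Set[str] = set()

    def _key(self, user: str, terminal: str) -> Tuple:
        # LGI_BRK_TERM=0 pools failures from every terminal against the user.
        return (user, terminal) if self.p.lgi_brk_term else (user,)

    def login_failure(self, user: str, terminal: str, now: int) -> str:
        """Record one failed login at time 'now' (seconds); return the action taken."""
        key = self._key(user, terminal)
        count, expires = self.suspects.get(key, (0, now))
        if now > expires:
            count = 0                                # window lapsed, start counting afresh
        count += 1
        self.suspects[key] = (count, now + self.p.lgi_brk_tmo)   # each failure extends the window
        if count > self.p.lgi_brk_lim:               # break-in limit exceeded
            self.evading[key] = now + self.p.lgi_hid_tim
            if self.p.lgi_brk_disuser:
                self.disabled.add(user)              # the step the affected VAXstations skipped
                return "DISUSER"
            return "EVASION"
        return "COUNTED"

    def login_allowed(self, user: str, terminal: str, now: int) -> bool:
        """Even a correct password is refused while evading or once the account is disabled."""
        if user in self.disabled:
            return False
        return now >= self.evading.get(self._key(user, terminal), 0)


def failures_until_evasion(params: BreakinParams, spacing: int) -> Optional[int]:
    """How many failures, 'spacing' seconds apart, trigger evasion (None if they never do).
    Useful for judging the denial-of-service side of tightening LGI_BRK_LIM or LGI_BRK_TMO."""
    monitor = BreakinMonitor(params)
    for n in range(1, 1000):
        if monitor.login_failure("SMITH", "TTA1", n * spacing) != "COUNTED":
            return n
    return None
```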
If you cannot obtain or apply the patch, you should restrict workstation physical access to authorized users.

For additional information or assistance, please contact CIAC at (510) 422-8193/FTS or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002/FTS. The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

CIAC wishes to acknowledge Tom Moore and Mona Wecksung of Los Alamos National Laboratory for bringing the vulnerability to our attention, and Rich Boren of Digital's Software Security Response Team for leading problem resolution efforts.
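The parameter guidance in this bulletin (LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM, LGI_BRK_TERM and LGI_BRK_DISUSER) is easier to reason about with a small model. The following is an added example, not DEC's code and not the algorithm the bulletin refers to: it assumes that a failure stays counted for LGI_BRK_TMO seconds, that evasion lasts a flat LGI_HID_TIM seconds, and that LGI_BRK_TERM=1 means failures are counted per user and terminal (all three are assumptions, marked in the code). The `disuser_works=False` switch models the D-06 defect, where the account is never disabled and only the evasion period stands between repeated attempts. The scenario also shows the denial-of-service trade-off the bulletin warns about: while evasion is in force, the legitimate owner is refused even with the correct password.

```python
"""Simplified model of VMS break-in detection and evasion parameters.

Added illustration, not DEC's code.  The bulletin does not publish the LGI_*
algorithm, so this models only the behaviour it describes; every assumption
is marked below.
"""
from dataclasses import dataclass, field


@dataclass
class Sysgen:
    """Break-in related SYSGEN parameters with the defaults the bulletin quotes."""
    LGI_BRK_LIM: int = 5        # failures tolerated before evasion starts
    LGI_BRK_TMO: int = 300      # seconds a failure stays counted (ASSUMED fixed window)
    LGI_HID_TIM: int = 300      # seconds of evasion once triggered (ASSUMED flat period)
    LGI_BRK_TERM: int = 1       # 1 = count per user+terminal, 0 = per user (ASSUMED meaning)
    LGI_BRK_DISUSER: int = 0    # 1 = also set the account's DISUSER flag


@dataclass
class BreakinRecord:
    failures: list = field(default_factory=list)   # timestamps of counted failures
    evade_until: float = 0.0                        # evasion in force until this time
    disabled: bool = False                          # DISUSER flag set


class LoginMonitor:
    """Tracks failures and classifies each attempt: OK, FAIL, EVADE or DISUSER."""

    def __init__(self, params: Sysgen, disuser_works: bool = True):
        self.p = params
        self.disuser_works = disuser_works   # False models the D-06 defect
        self.records = {}

    def _key(self, user, terminal):
        return (user, terminal) if self.p.LGI_BRK_TERM else (user, None)

    def attempt(self, user, terminal, password_ok, now):
        rec = self.records.setdefault(self._key(user, terminal), BreakinRecord())
        if rec.disabled:
            return "DISUSER"
        if now < rec.evade_until:
            return "EVADE"                     # refused even with the right password
        if password_ok:
            return "OK"
        # Count only failures still inside the LGI_BRK_TMO window (assumption).
        rec.failures = [t for t in rec.failures if now - t < self.p.LGI_BRK_TMO]
        rec.failures.append(now)
        if len(rec.failures) > self.p.LGI_BRK_LIM:
            rec.evade_until = now + self.p.LGI_HID_TIM
            if self.p.LGI_BRK_DISUSER and self.disuser_works:
                rec.disabled = True
                return "DISUSER"
            return "EVADE"
        return "FAIL"


def scenario(params: Sysgen, disuser_works: bool = True):
    """Constructed sequence: six wrong passwords for SMITH on TTA0: one second
    apart, then the real owner tries the correct password at t=10 and t=400.
    Returns the eight outcomes in order."""
    mon = LoginMonitor(params, disuser_works)
    outcomes = [mon.attempt("SMITH", "TTA0:", False, t) for t in range(6)]
    outcomes.append(mon.attempt("SMITH", "TTA0:", True, 10))
    outcomes.append(mon.attempt("SMITH", "TTA0:", True, 400))
    return outcomes


if __name__ == "__main__":
    print("DISUSER working:  ", scenario(Sysgen(LGI_BRK_DISUSER=1)))
    print("D-06 defect:      ", scenario(Sysgen(LGI_BRK_DISUSER=1), disuser_works=False))
    print("LGI_BRK_LIM=2:    ", scenario(Sysgen(LGI_BRK_LIM=2)))
```

With DISUSER working, the sixth failure disables the account and every later attempt, including the owner's, is refused; under the defect the same sequence only yields an evasion period, after which attempts can resume at t=400. Lowering LGI_BRK_LIM to 2 triggers evasion on the third failure, which is exactly the tightening the bulletin suggests and exactly the point at which a mistyped password starts locking out legitimate users.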
_____________________________________________________
             The Computer Incident Advisory Capability
                        ___   __ __    _     ___
                       /        |     / \   /
                       \___   __|__  /___\  \___
_____________________________________________________

                    LIMITED DISTRIBUTION BULLETIN

                       (1) UNICOS Running MLS
                    (2) UNICOS Environment Variable

February 23, 1993, 1700 PST                                   Number D-07

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).
______________________________________________________
             The Computer Incident Advisory Capability
                        ___   __ __    _     ___
                       /        |     / \   /
                       \___   __|__  /___\  \___
______________________________________________________

                      A D V I S O R Y   N O T I C E

      Potential Vulnerability in VMS V5 and Derivative Operating Systems

FEB 23, 1993 1200 PST                                         Number D-08
___________________________________________________________________________

PROBLEM:   Malicious program simplifies exploitation of VMS vulnerability.
PLATFORM:  Systems running VMS V5.0 through OpenVMS V5.5-2 and OpenVMS AXP
           V1.0 (including all SEVMS V5.1 through V5.5-2).
DAMAGE:    Authorized unprivileged users could obtain all system privileges.
SOLUTION:  Apply patch available from Digital Equipment Corporation.
___________________________________________________________________________

         Critical Information about Potential Vulnerability in VMS

CIAC has learned of a potential vulnerability in VMS, OpenVMS and Security Enhanced VMS (SEVMS) as described in the following advisory (which was requested to be distributed intact) from Digital Equipment Corporation:

========================== Begin DEC Advisory =============================

DATE:     23.FEB.1993
SOURCE:   Digital Equipment Corporation
AUTHOR:   Software Security Response Team
          Colorado Springs USA
PRODUCT:  VMS V5.0 through OpenVMS V5.5-2 & OpenVMS AXP V1.0
PROBLEM:  Potential Security Vulnerability - OpenVMS
SOLUTION: A remedial kit is now available for OpenVMS AXP V1.0, VMS V5.0 through OpenVMS Version 5.5-2 (including all SEVMS versions V5.1 through V5.5-2 as applicable) by contacting your normal Digital Services Support organization.

SEVERITY LEVEL: High

This potential vulnerability has been corrected in the next release of OpenVMS, V6.0 and OpenVMS AXP, V1.5. For VMS Versions prior to V5.0, Digital strongly recommends that you upgrade to a minimum of VMS V5.0 and further, to the latest release of OpenVMS V5.5-2.
_________________________________________________________________________

The remedial kits may be identified as:

    VAXSYS01_U2050     VMS V5.0, V5.0-1, V5.0-2
    VAXSYS01_U1051     VMS V5.1 thru V5.1-1
    VAXSYS01_U1052     VMS V5.2, V5.2-1
    VAXSYS01_U2053     VMS V5.3 thru V5.3-2
    VAXSYS01_U3054     VMS V5.4 thru V5.4-3
    VAXSYS02_U2055     OpenVMS V5.5 thru V5.5-2
    AXPSYS01_010       OpenVMS AXP V1.0
_________________________________________________________________________

Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
_________________________________________________________________________

ADVISORY INFORMATION:
_________________________________________________________________________

This update kit corrects a potential security vulnerability in the VMS, OpenVMS VAX and OpenVMS AXP operating systems. This potential vulnerability may be further exploited in the form of a malicious program that may allow authorized but unprivileged users to obtain all system privileges, potentially giving the unprivileged user control of your OpenVMS system and data.

NOTE: The update kit must be applied if an update or installation is performed for all versions prior to OpenVMS V6.0 or OpenVMS AXP V1.5. For VMS Versions prior to VMS V5.0, Digital strongly recommends that you upgrade to a minimum of VMS V5.0 and further to the latest release of OpenVMS V5.5-2.
_________________________________________________________________________

PATCH KIT INFORMATION:
_________________________________________________________________________

Digital strongly recommends that you install the available kit on your system(s), to avoid any potential vulnerability as a result of this problem. Customers with a Digital Services contract may obtain a kit for the affected versions of OpenVMS by contacting your normal support organizations.

  - In the U.S.
    Customers may contact the Customer Support Center at 1(800)354-9000 and request the appropriate kit for your version of OpenVMS, or through DSNlink Text Search database using the keyword text "Potential Security Vulnerability", or DSNlink VTX using the patch number 1084

  - Customers in other geographies should contact their normal Digital Services support organizations.

As always, Digital recommends that you regularly review your system management and security procedures. Digital will continue to review and enhance security features, and work with our customers to further improve the integrity of their systems.

=========================== End DEC Advisory ==============================

CIAC recommends that you follow the DEC advisory to obtain and install the appropriate patch.
______________________________________________________
             The Computer Incident Advisory Capability
                        ___   __ __    _     ___
                       /        |     / \   /
                       \___   __|__  /___\  \___
____________________________________________________

                I N F O R M A T I O N   B U L L E T I N

                  OpenVMS Security Patch #1084 Problems
                     Addendum to CIAC Advisory D-08

MAR 2, 1993 1400 PST                                          Number D-09
___________________________________________________________________________

PROBLEM:   Systems with security patch #1084 installed will not boot after
           performing certain system upgrades.
PLATFORM:  VMS, OpenVMS VAX and SEVMS systems.
DAMAGE:    System security is not affected.
SOLUTION:  Restore the old files before upgrading or apply a patch to the
           new IMAGE_MANAGEMENT.EXE file.
___________________________________________________________________________

           Critical Information about OpenVMS VAX Patch Problems

CIAC has learned that applying specific system upgrades to VMS, OpenVMS VAX and Security Enhanced VMS (SEVMS) systems which have been patched as described in CIAC Advisory D-08 "Potential Vulnerability in VMS V5 and Derivative Operating Systems, February 23, 1993" leaves those systems unable to boot. The patch is #1084 and the specific upgrades are: V5.3 to V5.3-1; V5.3-1 to V5.3-2; V5.5 to V5.5-2; V5.5-1 to V5.5-2. All other upgrades are not affected.

This patch's installation procedure leaves the old IMAGE_MANAGEMENT.EXE and PAGE_MANAGEMENT.EXE files in the SYS$COMMON:[SYS$LDR] directory. The system can be restored for upgrade as long as these files have not been removed. Prior to system upgrade, use rename to change the old files to a higher version than the new files. Otherwise, take the corrective action described in addendum SSRT 02.25-01 (see below). DEC requests that 02.25-01 be redistributed intact.

========================== Begin DEC Addendum 02.25-01 ========================

SSRT 02.25 - 01                                                  01.MAR.1993

Addendum Advisory RE: SSRT 02.25 dated 23.FEB.1993

SOURCE:  Digital Equipment Corporation
AUTHOR:  Software Security Response Team
         Colorado Springs, CO.

DESCRIPTION
------------

Digital has received information concerning a problem while upgrading the OpenVMS VAX Version paths listed below.

OpenVMS VAX versions affected:
------------------------------

upgrade paths
   V5.3   to V5.3-1
   V5.3-1 to V5.3-2
   V5.5   to V5.5-2
   V5.5-1 to V5.5-2

A problem will occur during an upgrade to a system that previously installed the Security Kit identified as:

   CSCPAT_1084010.A   (combined kit for all OpenVMS VAX Versions affected. DSNlink kit.)
   VAXSYS01_U2053.A   OpenVMS V5.3, V5.3-1, V5.3-2
   VAXSYS02_U2055.A   OpenVMS V5.5, V5.5-1, V5.5-2

NOTE: *****
All other applicable versions of OpenVMS VAX and their supported upgrade paths do not exhibit this symptom if the Security Kit (identified in an advisory SSRT 02.25 dated 23.FEB.1993) was installed before upgrading to the next higher version. The Security Kit must be re-applied after all OpenVMS VAX upgrades for V5.0 through V5.5-2. Digital recommends that until OpenVMS VAX V6.0 or OpenVMS AXP V1.5 is installed later this year, you contact your Digital Services Support organization to obtain the most current version of the applicable Security Kit.

IMPACT
---------

Anyone who upgrades from OpenVMS VAX V5.3 to V5.3-1, V5.3-1 to V5.3-2, V5.5 to V5.5-2, or V5.5-1 to V5.5-2 will experience an error directly related to having the Security Kit installed prior to the OpenVMS VAX upgrades listed above. The system will fail to boot properly after the completion of the upgrade.

SOLUTION
---------

If you renamed the images replaced following the installation of the Security Kit, restore the saved images prior to upgrading OpenVMS VAX to the next higher release, then re-apply the Security Kit.

The images replaced by the Security Kit identified above are:

   PAGE_MANAGEMENT.EXE & IMAGE_MANAGEMENT.EXE

and placed in the directory SYS$COMMON:[SYS$LDR]

WARNING: To prevent a similar problem ensure that no copies of the above images exist in the SYS$SPECIFIC:[SYS$LDR] directory.

If the images replaced during the Security Kit installation cannot be restored prior to your upgrade, enter the commands (as indicated below) after your OpenVMS VAX upgrade completes.

**** IN EACH CASE, THE SOLUTION BELOW IS A POST OpenVMS VAX UPGRADE EVENT ****

!For OpenVMS VAX V5.3 upgrade paths
!    V5.3   to V5.3-1
!    V5.3-1 to V5.3-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1         !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C
$
$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A0F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT

Press the HALT button, reboot the system, and re-install the Security Kit and reboot again for the installation to become effective.

----------------------------------------------------------------------------

!For OpenVMS VAX V5.5 upgrade paths
!    V5.5   to V5.5-2
!    V5.5-1 to V5.5-2
!
! At the point where the OpenVMS upgrade process has completed:
! From the systems console invoke a conversational boot then enter the
! remaining commands as shown and follow the instructions for re-booting.

>>>
>>> B/1         !YOUR PARTICULAR BOOT FOR CONVERSATIONAL MODE MAY BE DIFFERENT
SYSBOOT> SET/START=OPA0:
SYSBOOT> C
$ set noon
$ set default [vms$common.sys$ldr]
$ patch/update=(1) image_management.exe
SET ECO 1
REPL/INST 0A2F='BISB2 #01,B^1F(SP)'
'NOP'
EXIT
UPDATE
EXIT
$

Press the HALT button, reboot the system, and re-install the Security Kit and reboot again for the installation to become effective.

-----------------------------------------------------------------------------

Copyright (c) Digital Equipment Corporation, 1993 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.

=========================== End DEC Addendum 02.25-01 =========================

CIAC recommends that you follow the DEC advisory addendum if performing an upgrade for the specific versions indicated. If you need additional information, contact Mr. Richard Boren of DEC's Software Security Response Team (SSRT) at 719-592-4689. CIAC wishes to thank Rich for supplying the advisory used in this bulletin.
_______________________________________________________
             The Computer Incident Advisory Capability
                        ___   __ __    _     ___
                       /        |     / \   /
                       \___   __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

                November 17 Virus on MS DOS Computers

March 15, 1993 1000 PST                                       Number D-10
__________________________________________________________________________

NAME:        November 17 virus
ALIASES:     NOV 17, 855
PLATFORM:    MS DOS Computers
DAMAGE:      On November 17 will destroy hard disk contents
SYMPTOMS:    Files grow by 855, 768, 880, or 800 bytes
DETECTION/
ERADICATION: FPROT 207, Scan V102, Novi
__________________________________________________________________________

               Critical Facts about the November 17 virus

The November 17 virus is a simplistic file infector virus which has recently been discovered to be fairly widespread. This virus will overwrite the hard disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27, A-29, B-35, and 3 bulletins from Fiscal Year 1989 for information on similar file infector viruses). Upon execution of a virus-infected program, NOV 17 will become memory resident at the top of memory and occupy 896 bytes of memory. Once resident, it will infect any .COM and .EXE programs when the file attributes are set or read, when the file is opened for READ, and upon loading and execution. Therefore, if the virus is resident in memory and a new disk with clean executables is copied, the original disk's .EXE and .COM files will become infected if the disk is not write-protected. It can easily be transferred via LANs any time an executable file is opened or executed over the LAN. This virus will not infect files with a filename of SCAN.EXE or CLEAN.EXE, and it will not infect files that have the system bit set. It does not affect data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the C: drive or current drive, depending on the variant.
On any other day of the year this virus will simply replicate. Some variants will cause this overwrite process to occur on days after November 17.

Detection and Eradication

Many recent versions of antivirus products will detect this virus. Another method of direct detection is to search for the string "SCAN.CLEAN.COMEXE", which can be found within the virus code of every infection. Until March of 1993, there had been no reports of this virus in the United States. Because of this, some anti-virus products do not detect its presence by name. Some products, such as Data Physician Plus!, do detect when they themselves become infected, at which point a message such as "A virus has been detected, would you like to continue?" may appear on the screen. This message means that the antivirus product's self-check mechanism has detected a modification to itself, and at this point CIAC recommends that you check the machine with a different antivirus product, or call CIAC for additional information on virus handling.

Virus Variants

There are four known variants of this virus; all increase file lengths by a different amount and take up a different amount of resident memory. The variants increase the file lengths of infected files by 768, 800, 880, and 855 bytes. The 768 variant is almost identical to the original virus but takes up 800 bytes of memory; it was discovered in May of 1992. The variant which adds 800 bytes to files takes up 832 bytes of memory, was discovered in March of 1993, and activates November 17-30 of any year. The 880 variant, which uses 928 bytes of memory, first seen in November 1992, will activate on any date from November 17 to December 31 of any year. The 855 variant, also called Nov17B, first seen in September of 1992, causes infected .EXE files to hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes not possible to remove the infection from a host program.
CIAC recommends that if this virus is discovered, a copy be kept and then all infected files be deleted and restored from backup.
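As an added example (not CIAC's or any vendor's code), here is a minimal scanner that applies the two indicators the bulletin gives: the "SCAN.CLEAN.COMEXE" string present in every infection, and growth of a .COM or .EXE file by exactly 768, 800, 855 or 880 bytes relative to a previously recorded size. The baseline manifest, the file contents and the filenames in `demo()` are all constructed for the illustration. This is a string-signature check only: it will not catch a variant that alters the marker text, and the size-delta check is only meaningful against a trusted baseline recorded before infection, which is why both indicators are reported separately.

```python
"""Signature and size-delta check for the November 17 file infector.

Added example; not CIAC's code.  Indicators are taken from the bulletin:
the marker string found in every infection, and the per-variant growth of
an infected .COM/.EXE host file.
"""
import os
import tempfile

NOV17_SIGNATURE = b"SCAN.CLEAN.COMEXE"      # present in the virus body of every infection
NOV17_GROWTH = {768, 800, 855, 880}        # bytes added to a host file, per variant
TARGET_EXTENSIONS = (".com", ".exe")       # the only file types the virus infects


def scan_file(path, baseline_size=None):
    """Return the list of indicators found for one executable (empty if clean)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if NOV17_SIGNATURE in data:
        findings.append("signature")
    if baseline_size is not None:
        delta = len(data) - baseline_size
        if delta in NOV17_GROWTH:
            findings.append(f"grew by {delta} bytes")
    return findings


def scan_directory(root, baseline=None):
    """Walk root and return {relative_path: findings} for every flagged .COM/.EXE.

    baseline maps relative path -> size recorded on a known-clean system; files
    absent from it get the signature check only.
    """
    baseline = baseline or {}
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTENSIONS):
                continue                     # data files are not infected
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            findings = scan_file(path, baseline.get(rel))
            if findings:
                report[rel] = findings
    return report


def demo():
    """Constructed sample tree: one clean program, one infected program with
    an 855-byte appended body carrying the marker, and one data file that
    contains the marker but is not scanned."""
    with tempfile.TemporaryDirectory() as root:
        clean = b"MZ" + b"\x90" * 200                     # constructed stand-in for a program
        infected = clean + NOV17_SIGNATURE + b"\x00" * (855 - len(NOV17_SIGNATURE))
        with open(os.path.join(root, "CLEAN.EXE"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(root, "EDIT.COM"), "wb") as fh:
            fh.write(infected)
        with open(os.path.join(root, "NOTES.TXT"), "wb") as fh:
            fh.write(infected)
        baseline = {"CLEAN.EXE": len(clean), "EDIT.COM": len(clean)}   # constructed manifest
        return scan_directory(root, baseline)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(f"{rel}: {', '.join(findings)}")
```

Run it against a real directory with `scan_directory("/path/to/dos/tree", baseline)` where `baseline` comes from a size manifest taken before the incident; as the bulletin says, a flagged file should be kept for analysis and then replaced from backup rather than cleaned in place.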
_______________________________________________________
             The Computer Incident Advisory Capability
                        ___   __ __    _     ___
                       /        |     / \   /
                       \___   __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

              Sun Security Patches and Software Updates

March 19, 1993 1400 PST                                       Number D-11
__________________________________________________________________________

PROBLEM:   Security vulnerabilities in SunOS, DNI, and PC-NFS.
PLATFORM:  All Sun platforms running SunOS 4.0.3 or later, including
           Solaris 2.0 and 2.1.
DAMAGE:    Unauthorized root access, denial of service, and other as
           detailed below.
SOLUTION:  Apply Sun patches and/or obtain software upgrades.
__________________________________________________________________________

       Critical Facts about Sun Security Patches and Software Upgrades

CIAC has received information from Sun Microsystems regarding the availability of new and updated security patches for the SunOS operating system. Sun Microsystems has also announced the availability of new versions of its DECnet Interface (DNI) and PC-NFS software packages that correct security vulnerabilities of previous releases.

PATCH INFORMATION
=================

Sun security patches are available through your local Sun Answer Center and via anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the patches from the /systems/sun/sun-dist directory. In Europe, ftp to mcsun.eu.net and retrieve the patches from the /sun/fixes directory. The patches are contained in compressed tarfiles named [patch].tar.Z. For example, if you wish to obtain patch 100891-01, the corresponding compressed tarfile would be named 100891-01.tar.Z.

Each compressed tarfile has been checksummed using the SunOS "sum" command. After retrieving each patch, the checksum should be recomputed and compared to the one listed in this bulletin. If you find that the checksum for a patch differs from the one listed below, please contact Sun Microsystems or CIAC for confirmation before using the patch.
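To recompute and compare a checksum as the bulletin asks, here is an added example (not Sun's or CIAC's code). It assumes that the values in the tables below were produced by the SunOS 4.x /usr/bin/sum, that is, the BSD 16-bit rotate-and-add checksum with a count of 1024-byte blocks, which GNU `sum -r` also computes; the System V sum in /usr/5bin differs in both the checksum and the block size, so a mismatch can mean the wrong tool was used rather than a corrupted file. The `LISTING` constant copies four rows of the table below; the data you pass to `check_download` is whatever you retrieved.

```python
"""Recompute a Sun patch tarfile's `sum` and compare it with a bulletin listing.

Added example; not Sun's or CIAC's code.  ASSUMPTION: the listed pairs come
from the BSD-style 16-bit sum with 1024-byte blocks (SunOS 4.x /usr/bin/sum,
GNU `sum -r`), not the System V variant.
"""

# Four rows copied from the bulletin's table: patch id, checksum, block count.
LISTING = """\
100891-01 33195 3075
100884-01 03775 2610
100833-02 49753 155
100623-03 56063 141
"""


def bsd_sum(data: bytes):
    """Return (checksum, blocks) as the BSD `sum` prints them for `data`."""
    checksum = 0
    for byte in data:
        # rotate the 16-bit accumulator right by one, then add the byte
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024        # size rounded up to 1K blocks
    return checksum, blocks


def parse_listing(text: str):
    """Parse 'PATCHID CHECKSUM BLOCKS ...' lines into {patch_id: (checksum, blocks)}.

    Lines that do not start with a numeric patch id (headings, descriptions)
    are ignored, so a whole bulletin table can be pasted in.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0][:1].isdigit() and "-" in parts[0]:
            table[parts[0]] = (int(parts[1]), int(parts[2]))
    return table


def check_download(patch_id: str, data: bytes, listing: str = LISTING):
    """Return (ok, computed, expected); expected is None for an unlisted id."""
    expected = parse_listing(listing).get(patch_id)
    computed = bsd_sum(data)
    return (expected is not None and computed == expected, computed, expected)


if __name__ == "__main__":
    import sys
    patch_id, path = sys.argv[1], sys.argv[2]      # e.g. 100891-01 100891-01.tar.Z
    with open(path, "rb") as fh:
        ok, got, want = check_download(patch_id, fh.read())
    print(f"{patch_id}: computed {got}, listed {want}: {'OK' if ok else 'MISMATCH'}")
```

The comparison is against both numbers, since a file that is truncated or padded changes the block count even when the 16-bit sum happens to collide; a 16-bit checksum is an integrity check against transfer errors, not a defence against deliberate tampering.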
To install the patches, follow the instructions contained in the README files that accompany each patch.

Patches Providing New or Additional Security Features
=====================================================

The following patches are either new security patches or new versions of existing patches that provide additional security features or support additional Sun platforms. CIAC recommends the installation of all applicable security patches.

Patch      Checksum    SunOS Versions
-----      --------    --------------
100891-01  33195 3075  4.1.3
           libc replacement - Corrects insecure handling of netgroups and
           fixes a bug in xlock that could cause it to crash and leave the
           system unprotected.

100884-01  03775 2610  5.1 (Solaris 2.1)
           Closes security vulnerability with the srmmu window handler.

100833-02  49753 155   5.1 (Solaris 2.1)
           Required for use of Sun's unbundled Basic Security Module (BSM)
           with Solaris 2.1.

100623-03  56063 141   4.1.2, 4.1.3
           UFS Jumbo Patch - Non-random file handles can be guessed. This
           patch should be applied after the most recent version of 100173.

100448-01  29285 5     4.1.1, 4.1.2, 4.1.3
           OpenWindows 3.0 loadmodule Patch - This release adds support for
           SunOS 4.1.3. Sites running SunOS 4.1.1 or 4.1.2 do not need to
           install this patch again if it was previously installed.

100305-11  38582 500   4.1, 4.1.1, 4.1.2, 4.1.3
           This patch fixes incorrect user ID checking in /usr/ucb/lpr.

100121-09  57589 360   4.1
           NFS Jumbo Patch - This patch adds support for sun4e architectures.
           Other architectures need not reinstall the patch if a previous
           version was installed.

Patches Updated with Non-security Features
==========================================

The following security patches have been updated with non-security related enhancements. Systems with previous versions of these patches already installed do not need to install the new versions unless the additional non-security related enhancements are desired.
Patch      Checksum    SunOS Versions
-----      --------    --------------
100513-02  34315 483   4.1, 4.1.1, 4.1.2, 4.1.3
           Jumbo tty Patch - This release fixes a tty bug that can cause
           system crashes. Previous releases corrected a vulnerability that
           allowed console input and output to be redirected.

100482-04  06594 342   4.1, 4.1.1, 4.1.2, 4.1.3
           ypserv and ypxfrd security patch - Corrects incorrect DNS lookup
           failures when a host is up but has no nameserver running.
           Previous releases of this patch corrected a condition that
           allowed NIS to distribute maps, including the password map, to
           anyone. Note: the /var/yp/securenets configuration file cannot
           contain blank lines.

100452-28  07299 1688  4.1, 4.1.1, 4.1.2, 4.1.3
           XView 3.0 Jumbo Patch - This release fixes several OpenWindows
           and XView bugs, including problems with mailtool and filemgr.
           Previous releases corrected a problem with cmdtool that allowed
           the disclosure of passwords.

100383-06  58984 121   4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3
           rdist Patch - This release allows /usr/ucb/rdist to transfer hard
           linked files. Previous releases of this patch corrected a bug
           that allowed users to gain root access.

100224-06  57647 54    4.1.1, 4.1.2, 4.1.3
           /bin/mail Jumbo Patch - This release corrects a problem that
           caused /bin/mail to crash. Previous releases corrected a problem
           that allowed /bin/mail to be used to invoke a root shell.

100173-10  48086 788   4.1.1, 4.1.2, 4.1.3
           NFS Jumbo Patch - This release corrects poor NFS write append
           performance. Previous versions of this patch corrected a bug with
           the handling of setuid programs copied to NFS file systems.

DECnet Interface (DNI) Update
=============================

Versions of Sun's DNI product prior to 7.0.1 are known to have two security vulnerabilities:

  - dni_rc_ins creates an rc script with world writable permissions.
  - Files copied to VAX/VMS systems using dnicp are assigned incorrect
    permissions.

To close the vulnerabilities, Sun recommends that you upgrade to DNI version 7.0.1.
Sun has distributed the upgrade free of charge to all customers with a DNI support contract. Those customers not on software support should obtain the upgrade through their standard Sun sales channels.

PC-NFS Update
=============

The PC-NFS printing and authentication daemon pcnfsd allows unauthorized access to the system. It is recommended that sites with pcnfsd installed upgrade to the latest version. The latest version of pcnfsd may be obtained free of charge via anonymous ftp from bcm.tmc.edu in the /pcnfs directory and from src.doc.ic.ac.uk in the /pub/sun/pc-nfs directory in a file named pcnfsd.93.02.16.tar.Z.

CIAC wishes to thank Ken Pon and Mark Allen of Sun Microsystems for their assistance in the preparation of this bulletin.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

VENDOR RESTRICTED FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

LIMITED DISTRIBUTION BULLETIN

(1) UNICOS Running MLS (update to CIAC D-07)
(2) UNICOS Operator Group

April 2, 1993, 1000 PST
Number D-12

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).
RESTRICTIONS: NONE
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

wuarchive FTP daemon vulnerability

April 09, 1993, 1030 PDT
Number D-13
__________________________________________________________________________
PROBLEM:  The wuarchive FTP daemon allows unauthorized access.
PLATFORM: UNIX systems running the wuarchive FTP daemon.
DAMAGE:   Unauthorized access to the system.
SOLUTION: Disable daemon, then patch or install new version.
__________________________________________________________________________

Critical Facts about wuarchive FTP Daemon Vulnerability

CIAC has learned that Washington University's wuarchive FTP server contains a serious security vulnerability, allowing any user (remote or local) to gain access with the privileges of any user on the system, including root. If you are running any version of the wuarchive server prior to April 8, 1993, CIAC recommends that you disable it immediately, then either apply the patch or replace it with the new version.

PATCH
-----

Apply the following patch to your existing wuarchive ftpd sources, recompile and install.

*** ftpd.c.orig --- ftpd.c *************** *** 413,418 **** --- 413,420 ---- end_login(); } + anonymous = 0; + if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) { if (checkuser("ftp") || checkuser("anonymous")) { reply(530, "User %s access denied.", name);

NEW VERSION
-----------

The new version is available for anonymous ftp from wuarchive.wustl.edu (128.252.135.4) in the directory /packages/wuarchive-ftpd and from irbis.llnl.gov (128.115.19.60) in /pub/util. The file is named wu-ftpd-2.0.tar.Z and has a checksum (obtained using the "sum" command) of 56984 169. This release includes full documentation for installation and configuration.
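Review bot: the added `anonymous = 0;` sits after the closing brace of the block that calls `end_login();`, not inside it, and that placement is the point of the fix: the context shows `end_login()` runs only inside a conditional block, so a reset placed there would still leave the flag carrying over into a later USER command whenever that block is skipped. The open question the hunk does not answer is whether any other per-session state that the USER handler sets alongside `anonymous` (below the visible `if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous"))` branch) gets the same unconditional reset; if not, a second USER command can still inherit state from the first, which is the bug class this change closes. Suggest a one-line comment above the new assignment saying it must stay unconditional, since without one it reads like a stray initialisation that a later cleanup could fold back into the `end_login()` block.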
See wu-ftpd-2.0/INSTALL, wu-ftpd-2.0/NOTES and wu-ftpd-2.0/doc/README for more information on how to install and operate this ftp server.

For additional information or assistance, please contact CIAC at (510) 422-8193 / FTS or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002 / FTS.

CIAC would like to acknowledge the contributions of the CERT Coordination Center in the preparation of this bulletin.

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).
VENDOR RESTRICTED FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

LIMITED DISTRIBUTION BULLETIN

(1) UNICOS Cleantmp Utility
(2) UNICOS X11 Client xterm

April 29, 1993, 1400 PDT
Number D-14

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

Vulnerability in Cisco Routers used as Firewalls

May 12, 1993 1500 PDT
Number D-15
__________________________________________________________________________
PROBLEM:  Under certain circumstances, Cisco routers will pass IP source routed packets that should be denied.
PLATFORM: Cisco routers -- software releases 8.2, 8.3, 9.0, 9.1, and 9.17.
DAMAGE:   Unauthorized packets may be passed.
SOLUTION: Apply upgrade or use access lists.
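The packets at issue in this bulletin carry an IP source route option, which lets the sender dictate the path and so reach hosts a firewall router is supposed to screen. The checker below is an added example written for this page, not Cisco or CIAC code: a small IPv4 option parser that drops anything carrying a loose (LSRR, option type 0x83) or strict (SSRR, type 0x89) source route, the packets a router configured with "no ip source-route" is expected to refuse. It goes a little beyond the bulletin in that it handles both option types, NOP and EOL padding, and malformed option lengths (which it drops rather than lets through). All packets it inspects are constructed inside the block from documentation address ranges; the 192.0.2.254 hop is an assumed inside address, and the function names (ip_options, source_route, filter_packet, build_packet, audit) are this example's own.

```python
"""Detect IPv4 source-routed packets (LSRR/SSRR options).

Added example for CIAC bulletin D-15; not Cisco or CIAC code. The packet
bytes are constructed here for the demonstration and are never sent.
"""
import struct

IPOPT_EOL = 0x00   # end of option list
IPOPT_NOP = 0x01   # no-operation padding
IPOPT_LSRR = 0x83  # loose source and record route
IPOPT_SSRR = 0x89  # strict source and record route


def ip_options(packet):
    """Yield (type, data) for every option carried in an IPv4 header.

    Raises ValueError on malformed headers instead of guessing; a parser
    that silently skips a bad option is how a filter gets bypassed.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or header length")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(packet):
    """Return (kind, [hop, ...]) if the packet is source routed, else None.

    Option data is a one-byte pointer followed by 4-byte hop addresses.
    """
    for kind, data in ip_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            hops = [".".join(str(b) for b in data[k:k + 4])
                    for k in range(1, len(data) - 3, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR"), hops
    return None


def filter_packet(packet):
    """Mimic 'no ip source-route': drop any packet carrying a source route.

    Returns ("drop", reason) or ("pass", None); malformed packets drop too.
    """
    try:
        route = source_route(packet)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    if route:
        return "drop", f"{route[0]} via {route[1]}"
    return "pass", None


def build_packet(src, dst, options=b"", payload=b""):
    """Constructed IPv4 header for the demo (checksum left zero, never sent)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + options + payload


# Constructed sample traffic: a plain packet, one with harmless NOP padding,
# and one asking to be loosely source routed through 192.0.2.254 (an assumed
# address behind the firewall, the path the router should refuse).
SAMPLE_PACKETS = {
    "plain": build_packet("198.51.100.7", "192.0.2.10"),
    "nop_padded": build_packet("198.51.100.7", "192.0.2.10", b"\x01\x01\x00\x00"),
    "lsrr": build_packet("198.51.100.7", "192.0.2.10",
                         b"\x83\x07\x04" + bytes([192, 0, 2, 254])),
}


def audit(packets=SAMPLE_PACKETS):
    """Return {name: verdict} for a batch of raw IPv4 packets."""
    return {name: filter_packet(p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for name, packet in SAMPLE_PACKETS.items():
        print(name, *filter_packet(packet))
```

Feed filter_packet raw IPv4 bytes taken from a sniffer on the inside network to confirm whether source-routed packets are actually getting past the router; a host-side check like this is evidence for the upgrade, not a substitute for it.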
__________________________________________________________________________

Critical Information about vulnerability in Cisco routers

CIAC has learned that under certain circumstances Cisco routers will pass IP source routed packets that should be denied, potentially passing unauthorized packets. This vulnerability affects Cisco routers with software releases 8.2, 8.3, 9.0, 9.1, and 9.17 using the "no IP source-route" command. CIAC recommends that sites using Cisco routers for firewall protection apply upgrades as indicated below. If you are unable to upgrade immediately, you may use access lists to deny unauthorized packets.

This vulnerability is fixed in Cisco software releases 8.3(7.2), 9.0(5), 9.1(4), 9.17(2.1), and all later releases. Sites should upgrade as follows:

  release 8.2   upgrade to a later release
  release 8.3   apply update (8)
  release 9.0   apply update (5)
  release 9.1   apply update (4)
  release 9.17  apply update (3)

Those customers having a maintenance contract may obtain these releases through Cisco's Customer Information On-Line (CIO). Other customers may obtain them through Cisco's Technical Assistance Center (800.553.2447 -- Internet: tac@cisco.com) or by contacting their local Cisco distributor. Contact Cisco's Technical Assistance Center for more information.

For additional information or assistance, please contact CIAC at (510)422-8193/FTS or send E-mail to ciac@llnl.gov. FAX messages to (510)423-8002/FTS.

CIAC wishes to thank the CERT Coordination Center for the information used in this bulletin.

Previous CIAC Bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

Vulnerability in SunOS expreserve Utility

June 11, 1993 0001 PDT
Number D-16
__________________________________________________________________________
PROBLEM:  The expreserve utility allows unauthorized access to system files.
PLATFORM: Sun workstations running SunOS versions 4.1, 4.1.1, 4.1.2, 4.1.3, 5.0, 5.1, and 5.2.
DAMAGE:   Local users can gain root access.
SOLUTION: Disable expreserve immediately, then install patch from Sun.
__________________________________________________________________________

Critical Information about the expreserve Vulnerability

CIAC has learned that the expreserve utility in SunOS versions 4.1, 4.1.1, 4.1.2, 4.1.3, 5.0, 5.1, and 5.2 contains a serious vulnerability that allows any file on the system to be overwritten. This vulnerability can be used to obtain root access to the system. CIAC strongly recommends that the expreserve utility be disabled immediately, and that patched versions be installed as they become available. Sun Microsystems has released patch 101080-01 which corrects the vulnerability in SunOS 4.x systems. CIAC will announce future patches as they become available.

Disabling expreserve
--------------------

To prevent use of the expreserve utility, execute the following command as root:

    /bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover vi editor files when vi terminates unexpectedly. Disabling expreserve will disable this recovery feature. Users of vi should be advised of this temporary change and encouraged to save their work frequently.

Patching SunOS version 4.x
--------------------------

Sun Microsystems has made available a patched version of expreserve for SunOS Versions 4.1, 4.1.1, 4.1.2, and 4.1.3 that corrects this vulnerability. It is available both through your local Sun Answer Center and anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the file /systems/sun/sun-dist/101080-01.tar.Z. In Europe, ftp to mcsun.eu.net and retrieve the file /sun/fixes/101080-01.tar.Z.

After retrieving the patch, its checksum may be verified using the following command:

    /bin/sum 101080-01.tar.Z

The sum command should return a checksum of 45221 13. Note that Sun Microsystems occasionally updates patch files, resulting in a changed checksum. Should you find that your checksum differs, please contact CIAC or Sun Microsystems for verification before installing the patch.
The patch may be extracted using the following commands:

    /usr/ucb/uncompress 101080-01.tar.Z
    /bin/tar xvf 101080-01.tar

To install the patch on your system, follow the instructions contained in the README file that accompanies the patch.

For additional information or assistance, please contact CIAC at (510)422-8193/FTS or send E-mail to ciac@llnl.gov. FAX messages to (510)423-8002/FTS.

CIAC wishes to acknowledge the contributions of the CERT Coordination Center and Sun Microsystems in the preparation of this bulletin.

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP 128.115.19.60).
VENDOR RESTRICTED FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

LIMITED DISTRIBUTION BULLETIN

June 17, 1993, 1500 PDT
Number D-17

If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary).

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Solaris 2.x expreserve patches available

July 1, 1993 0900 PDT
Number D-18
__________________________________________________________________________
PROBLEM:  The expreserve utility allows unauthorized access to system files.
PLATFORM: Sun workstations running Solaris 2.0, 2.1, and 2.2 (SunOS 5.0, 5.1, and 5.2).
DAMAGE:   Local users can gain root access.
SOLUTION: Disable expreserve immediately, then install patch from Sun.
__________________________________________________________________________

Critical Information about the expreserve Vulnerability

CIAC has learned that Sun Microsystems has released three new security patches for Solaris 2.x systems to remove the vulnerability in the expreserve utility described in CIAC Advisory D-16. This vulnerability allows local users to overwrite the contents of any file, regardless of file ownership, and can be used to obtain root access to the system. CIAC continues to recommend that the expreserve utility be disabled until the appropriate patched version can be installed.

Disabling expreserve
--------------------

To prevent use of the expreserve utility, execute the following command as root:

    /bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover editor files when vi, ex, or edit terminate unexpectedly. Disabling expreserve will disable this recovery feature. Users of these editors should be advised of this temporary change and encouraged to save their work frequently.

Patching Solaris 2.x (SunOS 5.x)
--------------------------------

Sun Microsystems has released three Solaris 2.x expreserve patches:

                                   Checksums
  Patch ID    Solaris Version    /usr/bin/sum    /usr/ucb/sum
  ---------   ---------------    ------------    ------------
  101119-01   Solaris 2.0        61863 54        47944 27
  101089-01   Solaris 2.1         4501 54        07227 27
  101090-01   Solaris 2.2        44985 54        02491 27

These patches, along with all other Sun security patches, are available both through your local Sun Answer Center and anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the patches from the directory /systems/sun/sun-dist. In Europe, ftp to mcsun.eu.net and retrieve the patches from the /sun/fixes directory.
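The two checksum columns above, and the single /bin/sum value given for the SunOS 4.x patch in D-16, come from two different sum algorithms, and a site comparing a download against the bulletin needs to run the matching one. The block below is an added example for this page, not Sun or CIAC code, implementing both so a patch file can be checked on any host before it is carried to the target system. It assumes the usual mapping, which the table's block counts bear out (54 512-byte blocks equals 27 1024-byte blocks, and only the /usr/ucb/sum column is zero-padded to five digits): SunOS 4.x /bin/sum and Solaris /usr/ucb/sum print the BSD rotating checksum over 1024-byte blocks, and Solaris /usr/bin/sum prints the System V folded byte total over 512-byte blocks. The function names (bsd_sum, sysv_sum, verify_patch) are this example's own.

```python
"""BSD- and System V-style 'sum' checksums for verifying Sun patch files.

Added example for CIAC bulletins D-16 and D-18; not Sun or CIAC code. Assumes
SunOS 4.x /bin/sum and Solaris /usr/ucb/sum are the BSD algorithm and Solaris
/usr/bin/sum is the System V algorithm.
"""


def bsd_sum(data):
    """BSD 'sum': 16-bit right-rotating checksum and 1024-byte block count."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right
        checksum = (checksum + byte) & 0xFFFF
    return checksum, -(-len(data) // 1024)                   # ceiling division


def sysv_sum(data):
    """System V 'sum': 32-bit byte total folded to 16 bits, 512-byte blocks."""
    total = sum(data) & 0xFFFFFFFF                 # the C implementation wraps
    folded = (total & 0xFFFF) + (total >> 16)
    folded = (folded & 0xFFFF) + (folded >> 16)    # carry from the first fold
    return folded, -(-len(data) // 512)


def format_bsd(data):
    """Text as BSD sum prints it: five-digit zero-padded checksum, blocks."""
    checksum, blocks = bsd_sum(data)
    return f"{checksum:05d} {blocks}"


def format_sysv(data):
    """Text as System V sum prints it: unpadded checksum, blocks."""
    checksum, blocks = sysv_sum(data)
    return f"{checksum} {blocks}"


def verify_patch(data, expected_bsd=None, expected_sysv=None):
    """Compare a downloaded patch against the checksum strings in a bulletin.

    Either or both expected strings may be given, exactly as printed, e.g.
    verify_patch(blob, expected_bsd="47944 27", expected_sysv="61863 54")
    for 101119-01. Returns {"bsd": bool, "sysv": bool} for the checks run.
    A mismatch means the file differs from what CIAC saw, whether a later
    Sun re-release or tampering, and the bulletins say to confirm with Sun
    or CIAC before installing.
    """
    results = {}
    if expected_bsd is not None:
        results["bsd"] = bsd_sum(data) == tuple(int(x) for x in expected_bsd.split())
    if expected_sysv is not None:
        results["sysv"] = sysv_sum(data) == tuple(int(x) for x in expected_sysv.split())
    return results


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print("BSD    (SunOS 4 /bin/sum, Solaris /usr/ucb/sum):", format_bsd(blob))
    print("System V (Solaris /usr/bin/sum):               ", format_sysv(blob))
```

Run it as `python sum_check.py 101119-01.tar.Z` and compare both lines with the table; sum is an error-detecting checksum, not a cryptographic one, so a match only shows the file is the one CIAC measured, not that the original was authentic.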
After retrieving a patch, its checksum may be verified using the sum command. Note that Sun Microsystems occasionally updates patch files, resulting in a changed checksum. Should you find that your checksums differ, please contact CIAC or Sun Microsystems for verification before installing the patch.

To install the patch on your system, follow the instructions contained in the README file that accompanies the patch.

For additional information or assistance, please contact CIAC at (510)422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510)423-8002.

Previous CIAC bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC wishes to acknowledge the contributions of Sun Microsystems in the preparation of this bulletin.
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Wide-spread Attacks on Anonymous FTP Servers

July 15, 1993 1100 PDT
Number D-19
__________________________________________________________________________
PROBLEM:  Wide-spread abuse of anonymous FTP servers.
PLATFORM: All systems supporting TCP/IP networking and anonymous FTP.
DAMAGE:   Unauthorized access to data, denial of service.
SOLUTION: Verify that anonymous FTP has been properly configured.
__________________________________________________________________________

Critical Information about Attacks on Anonymous FTP Servers

The CERT Coordination Center has released the enclosed advisory describing a large number of attacks on improperly configured anonymous FTP servers. The attacks described can result in compromise of the system, excessive use of disk space resulting in denial of service, or the transfer of sensitive or copyrighted information. CIAC recommends that sites examine local systems to ensure that any operating FTP servers are configured in a secure fashion.
Please note that while the CERT Advisory primarily addresses the configuration of anonymous FTP on UNIX systems, a number of other operating systems also support FTP servers, including OpenVMS using packages such as MultiNet, and MS-DOS and Macintosh systems using communications software such as NCSA Telnet or FTPd. The configuration of FTP servers on these machines also requires careful attention in order to avoid unauthorized or undesired use.

CIAC recommends the following guidelines for the configuration of FTP servers:

1. If a system has no need to provide FTP service for other machines on the network, the server should be disabled. This will prevent unauthorized access to the system using FTP. For example, to disable NCSA Telnet's FTP server, place the statement "ftp=no" in the configuration file config.tel. On most UNIX systems, removing the line for ftpd from the file /etc/inetd.conf and then restarting inetd will disable the FTP server.

2. If an FTP server is necessary, the need for anonymous service should be evaluated. Anonymous FTP allows access to some of the system's file space without requiring a password for authentication, and unless carefully controlled can lead to abuse of the system. If an anonymous FTP server is not required on a particular host, that feature should be disabled. Both MultiNet on OpenVMS systems and the FTP software on most UNIX systems disable anonymous service by default. An account with username "ftp" ("ANONYMOUS" in MultiNet) must be created before anonymous logins will be accepted. The converse is true of NCSA Telnet; unauthenticated logins are accepted by default when the FTP server is enabled. A file containing authorized usernames and passwords must be created using the telpass utility in order to disable anonymous connections.

3. If an anonymous FTP server is necessary, the access of anonymous connections should be restricted to a carefully controlled number of files, and the ability of a remote user to store files on the server should be disabled or limited. For example, the Macintosh program FTPd allows access controls to be specified for each user, including anonymous users. The set of accessible drives, folders, and files that a user is permitted to work with, as well as the operations that they may perform, can be carefully controlled, thus avoiding unwanted or unauthorized access.

For additional information or assistance with the configuration of a specific FTP server, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002.

[Beginning of CERT Advisory]
===========================================================================
CA-93:10                         CERT Advisory
                                 July 14, 1993
                                 Anonymous FTP Activity
---------------------------------------------------------------------------

The CERT Coordination Center has been receiving a continuous stream of reports from sites that are experiencing unwanted activities within their anonymous FTP areas. We recognize that this is not a new problem, and we have been striving to handle requests for assistance on a one-to-one basis with the reporting administrator. However, since this activity does not seem to be diminishing, CERT believes that a broad distribution of information concerning this problem and corresponding solution suggestions should help to address the widespread nature of this activity.

We are seeing three types of activity regarding anonymous FTP areas.

  A. Improper configurations leading to system compromise.
  B. Excessive transfer of data causing deliberate over-filling of disk space thus leading to denial of service.
  C. Use of writable areas to transfer copyrighted software and other sensitive information.
This advisory provides an updated version of the anonymous FTP configuration guidelines that is available from CERT. The purpose of these guidelines is to assist system administrators at sites that offer anonymous FTP services. These guidelines are intended to aid a system administrator in configuring anonymous FTP capabilities so as to minimize unintended use of services or resources. Systems administrators should be aware that anonymous FTP capabilities should be configured and managed according to the policies established for their site. You may obtain future copies of these guidelines through anonymous FTP from cert.org in /pub/tech_tips/anonymous_ftp.

---------------------------------------------------------------------------
ANONYMOUS FTP CONFIGURATION GUIDELINES

Anonymous FTP can be a valuable service if correctly configured and administered. The first section of this document provides general guidance in initial configuration of an anonymous FTP area. The second section addresses the issues and challenges involved when a site wants to provide writable directories within their anonymous FTP areas. The third section provides information about previous CERT advisories related to FTP services.

The following guidelines are a set of suggested recommendations that have been beneficial to many sites. CERT recognizes that there will be sites that have unique requirements and needs, and that these sites may choose to implement different configurations.

I. Configuring anonymous FTP

  A. FTP daemon

  Sites should ensure that they are using the most recent version of their FTP daemon.

  B. Setting up the anonymous FTP directories

  The anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same group as the ftp account. This is a common configuration problem.
  If any of these directories are owned by ftp or are in the same group as the ftp account and are not write protected, an intruder will be able to add files (such as a .rhosts file) or modify other files. Many sites find it acceptable to use the root account. Making the ftp root directory and its subdirectories owned by root, part of the system group, and protected so that only root has write permission will help to keep your anonymous FTP service secure.

  Here is an example of an anonymous FTP directory setup:

    drwxr-xr-x  7 root  system   512 Mar  1 15:17 ./
    drwxr-xr-x 25 root  system   512 Jan  4 11:30 ../
    drwxr-xr-x  2 root  system   512 Dec 20 15:43 bin/
    drwxr-xr-x  2 root  system   512 Mar 12 16:23 etc/
    drwxr-xr-x 10 root  system   512 Jun  5 10:54 pub/

  Files and libraries, especially those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should have the same protections as these directories. They should not be owned by ftp or be in the same group as the ftp account, and they should be write protected.

  C. Using proper password and group files

  We strongly advise that sites not use the system's /etc/passwd file as the password file or the system's /etc/group as the group file in the ~ftp/etc directory. Placing these system files in the ~ftp/etc directory will permit intruders to get a copy of these files. These files are optional and are not used for access control. We recommend that you use a dummy version of both the ~ftp/etc/passwd and ~ftp/etc/group files. These files should be owned by root. The dir command uses these dummy versions to show owner and group names of the files and directories instead of displaying arbitrary numbers.

  Sites should make sure that the ~ftp/etc/passwd file contains no account names that are the same as those in the system's /etc/passwd file. These files should include only those entries that are relevant to the FTP hierarchy or needed to show owner and group names. In addition, ensure that the password field has been cleared.
  The examples below show the use of asterisks (*) to clear the password field. Below is an example of a passwd file from the anonymous FTP area on cert.org:

    ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
    cops:*:3271:20:COPS Distribution::
    cert:*:9920:20:CERT::
    tools:*:9921:20:CERT Tools::
    ftp:*:9922:90:Anonymous FTP::
    nist:*:9923:90:NIST Files::

  Here is an example group file from the anonymous FTP area on cert.org:

    cert:*:20:
    ftp:*:90:

II. Providing writable directories in your anonymous FTP configuration

  There is a risk to operating an anonymous FTP service that permits users to store files. CERT strongly recommends that sites do not automatically create a "drop off" directory unless thought has been given to the possible risks of having such a service. CERT has received many reports where these directories have been used as "drop off" directories to distribute bootlegged versions of copyrighted software or to trade information on compromised accounts and password files. CERT has also received numerous reports of file systems being maliciously filled causing denial of service problems.

  This section discusses three ways to address these problems. The first is to use a modified FTP daemon. The second method is to provide restricted write capability through the use of special directories. The third method involves the use of a separate directory.

  A. Modified FTP daemon

  If your site is planning to offer a "drop off" service, CERT suggests using a modified FTP daemon that will control access to the "drop off" directory. This is the best way to prevent unwanted use of writable areas. Some suggested modifications are:

    1. Implement a policy where any file dropped off cannot be accessed until the system manager examines the file and moves it to a public directory.
    2. Limit the amount of data transferred in one session.
    3. Limit the overall amount of data transferred based on available disk space.
    4. Increase logging to enable earlier detection of abuses.
For those interested in modifying the FTP daemon, source code is usually available from your vendor. Public domain sources are available from:

        wuarchive.wustl.edu     ~ftp/packages/wuarchive-ftpd
        ftp.uu.net              ~ftp/systems/unix/bsd-sources/libexec/ftpd
        gatekeeper.dec.com      ~ftp/pub/DEC/gwtools/ftpd.tar.Z

The CERT Coordination Center has not formally reviewed, evaluated, or endorsed the FTP daemons described. The decision to use the FTP daemons described is the responsibility of each user or organization, and we encourage each organization to thoroughly evaluate these programs before installation or use.

B. Using protected directories

If your site is planning to offer a "drop off" service and is unable to modify the FTP daemon, it is possible to control access by using a maze of protected directories. This method requires prior coordination and cannot guarantee protection from unwanted use of the writable FTP area, but has been used effectively by many sites.

Protect the top level directory (~ftp/incoming) giving only execute permission to the anonymous user (chmod 751 ~ftp/incoming). This will permit the anonymous user to change directory (cd), but will not allow the user to view the contents of the directory.

        drwxr-x--x  4 root     system       512 Jun 11 13:29 incoming/

Create subdirectories in ~ftp/incoming using names known only between your local users and the anonymous users that you want to have "drop off" permission. The same care used in selecting passwords should be taken in selecting these subdirectory names because the object is to choose names that cannot be easily guessed. Please do not use our example directory names of jAjwUth2 and MhaLL-iF.

        drwxr-x-wx 10 root     system       512 Jun 11 13:54 jAjwUth2/
        drwxr-x-wx 10 root     system       512 Jun 11 13:54 MhaLL-iF/

This will prevent the casual anonymous FTP user from writing files in your anonymous FTP file system.
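The layout in section II.B is two permission settings and one unguessable name, so it is worth building and checking it with a script rather than by hand. The following is an added example for this page, not code from the CERT advisory: make_dropoff creates ~ftp/incoming with mode 751 and a drop-off subdirectory with mode 753 (the drwxr-x-wx shown above) under a random 16-hex-digit name, and check_dropoff re-verifies those modes so that a later chmod that makes the area listable is caught. The random-name scheme and the function names are this example's own choices; run it as root on a real server so the directories are root-owned, as the advisory requires.

```shell
#!/bin/sh
# Added example (not from the CERT advisory): build and verify the protected
# "drop off" layout of section II.B. Ownership by root is expected but not
# checked here; run as root so mkdir creates root-owned directories.

# Create $1/incoming with mode 751 (anonymous user may cd into it but not
# list it) and one drop-off subdirectory with mode 753 (anonymous user may
# write into it but not list it), named with 16 random hex digits so that
# the name cannot be guessed. Prints the generated name.
make_dropoff() {
    root=$1
    name=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$root/incoming/$name"
    chmod 751 "$root/incoming"
    chmod 753 "$root/incoming/$name"
    printf '%s\n' "$name"
}

# Mode string of a path as ls -ld prints it ("drwxr-x--x"), first ten
# characters only so ACL/xattr markers such as "+" or "@" are ignored.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Verify that $1/incoming is exactly drwxr-x--x and that every entry below it
# is a directory of exactly drwxr-x-wx. Anything else (a listable incoming,
# a world-readable drop-off directory, a stray file) is reported as BAD;
# returns 0 only when everything matches.
check_dropoff() {
    root=$1
    ok=0
    m=$(mode_of "$root/incoming")
    if [ "$m" != "drwxr-x--x" ]; then
        printf 'BAD %s %s (want drwxr-x--x)\n' "$m" "$root/incoming"
        ok=1
    fi
    for d in "$root"/incoming/*; do
        [ -e "$d" ] || continue          # glob matched nothing
        m=$(mode_of "$d")
        if [ "$m" != "drwxr-x-wx" ]; then
            printf 'BAD %s %s (want drwxr-x-wx)\n' "$m" "$d"
            ok=1
        fi
    done
    return $ok
}
```

The generated name is the only secret in this scheme; hand it to the intended depositors the same way you would a password, and when it leaks run make_dropoff again and remove the old directory, as the advisory suggests.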
It is important to realize that this method does not protect a site against the result of intentional or accidental disclosure of the directory names. Once a directory name becomes public knowledge, this method provides no protection at all from unwanted use of the area. Should a name become public, a site may choose to either remove or rename the writable directory.

C. Using a single disk drive

If your site is planning to offer a "drop off" service and is unable to modify the FTP daemon, it may be desirable to limit the amount of data transferred to a single file system mounted as ~ftp/incoming. If possible, dedicate a disk drive and mount it as ~ftp/incoming. If this dedicated disk becomes full, it will not cause a denial of service problem. The system administrator should monitor this directory (~ftp/incoming) on a continuing basis to ensure that it is not being misused.

III. Related CERT Advisories

The following CERT Advisories directly relate to FTP daemons or impact on providing FTP service:

        CA-93:06.wuarchive.ftpd.vulnerability
        CA-92:09.AIX.anonymous.ftp.vulnerability
        CA-88:01.ftpd.hole

Past advisories are available for anonymous FTP from cert.org.

Copyright (c) Carnegie Mellon University 1993
---------------------------------------------------------------------------
[End of CERT Advisory]

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                     INFORMATION BULLETIN

                Summary of SunOS Security Patches

August 6, 1993 1200 PDT                                     Number D-20
__________________________________________________________________________

PROBLEM:   Security vulnerabilities in all versions of SunOS.
PLATFORM:  All Sun Microsystems workstations.
DAMAGE:    Unauthorized access to system and files, denial of service.
SOLUTION:  Apply appropriate security patches.
__________________________________________________________________________

Critical Information about SunOS Security Patches

This bulletin is an update to CIAC Bulletin C-29. CIAC has compiled a list of all security related patches currently available from Sun Microsystems. The patches have been grouped by SunOS version and are detailed below.
CIAC recommends the installation of any applicable patches that either are not currently present on a system or are present in the form of an older version of the patch.

Sun security patches are available through both your Sun Answer Center and anonymous FTP. In the U.S., ftp to ftp.uu.net (IP 192.48.96.9) and retrieve the patches from the directory /systems/sun/sun-dist. In Europe, ftp to mcsun.eu.net (IP 192.16.202.1) and retrieve the patches from the /sun/fixes directory. The patches are contained in compressed tarfiles with filenames based on the ID number of the patch (e.g. patch 100085-03 is contained in the file 100085-03.tar.Z), and must be retrieved using FTP's binary transfer mode.

After obtaining the patches, compute the checksum of each compressed tarfile and compare with the values indicated below. For example, the command "/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please note that Sun Microsystems occasionally updates patch files, resulting in a changed checksum. If you should find a checksum that differs from those listed below, please contact Sun Microsystems or CIAC for verification before using the patch.

The patches may be extracted from the compressed tarfiles using the commands uncompress and tar. For example, to extract patch 100085-03 from the compressed tarfile 100085-03.tar.Z, execute the commands "uncompress 100085-03.tar.Z" and "tar xvf 100085-03.tar".

For specific instructions regarding the installation of a particular patch, consult the README file accompanying each patch. As multiple patches may affect the same files, it is recommended that patches be installed chronologically by revision date, with the exception of patches for which an explicit order is specified.
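The checksum the bulletin asks you to compare is the output of the BSD-style sum(1): a 16-bit accumulator rotated right by one bit before each byte is added, followed by a count of 1K-byte blocks, which is what produces a pair such as "44177 740". The script below is an added example for this page, not a CIAC tool. It reimplements that algorithm with od(1) and awk so a retrieved patch file can be checked on any UNIX host before it is uncompressed, and verifies a whole list of patches against a manifest of expected values; it assumes (this example's reading of the bulletin) that SunOS /usr/bin/sum is that BSD algorithm, and the function and manifest names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): reproduce the checksum the
# bulletin compares ("/usr/bin/sum 100085-03.tar.Z" -> "44177 740") and
# check retrieved patch files against the table before extracting them.
# Assumption: SunOS /usr/bin/sum is the BSD algorithm implemented below.

# Print "<checksum> <blocks>" for file $1 using the BSD sum(1) algorithm:
# for each byte, rotate the 16-bit accumulator right by one bit, add the
# byte, keep the low 16 bits. Blocks are 1024-byte units, rounded up.
bsd_sum() {
    od -An -v -tu1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                c = int(c / 2) + (c % 2) * 32768    # rotate right one bit
                c = (c + $i) % 65536                # add byte, keep 16 bits
                n++
            }
        }
        END { printf "%05d %d\n", c, int((n + 1023) / 1024) }'
}

# Compare file $1 against the expected checksum $2 (the first number in the
# bulletin's table). Returns 0 on a match, 1 on a mismatch, so a patch file
# that Sun has since updated is noticed before it is extracted.
verify_patch() {
    file=$1
    want=$2
    got=$(bsd_sum "$file")
    got=${got%% *}                      # keep the checksum, drop the block count
    if [ "$got" -eq "$want" ]; then
        printf 'OK       %s %s\n' "$file" "$got"
        return 0
    fi
    printf 'MISMATCH %s got %s want %s\n' "$file" "$got" "$want"
    return 1
}

# Check every "patch-file expected-checksum" pair in manifest $1 (lines such
# as "100085-03.tar.Z 44177"); returns 1 if any file is missing or differs.
verify_manifest() {
    bad=0
    while read -r file want; do
        [ -z "$file" ] && continue
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$file"
            bad=1
            continue
        fi
        verify_patch "$file" "$want" || bad=1
    done < "$1"
    return $bad
}
```

Copy the Patch ID and checksum columns of the table into the manifest, run verify_manifest in the download directory, and only uncompress and tar-extract the files reported OK; a MISMATCH is exactly the case in which the bulletin says to contact Sun or CIAC before using the patch.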
=======================
SunOS 5.2 (Solaris 2.2)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
101090-01  28-Jun-93     44985 54    expreserve can overwrite any file

=======================
SunOS 5.1 (Solaris 2.1)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100833-02  12-Jan-93     24412 309   C2 auditing missing in some programs
100840-01  12-Jan-93     25050 220   sendmail bypasses mailhost
100884-01  12-Feb-93     63299 5220  Security fixes for sun4m machines
101089-01  28-Jun-93     4501 54     expreserve can overwrite any file

=======================
SunOS 5.0 (Solaris 2.0)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100723-01  24-Aug-92     49406 2     Incorrect permissions after install
101119-01  28-Jun-93     61863 54    expreserve can overwrite any file

===========
SunOS 4.1.3
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100891-01  19-Feb-93     33195 3075  Netgroup and xlock vulnerabilities
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file

===========
SunOS 4.1.2
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file

===========
SunOS 4.1.1
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164   telnet permits password capture
100424-01  12-Nov-91     63070 50    NFS file handles can be guessed
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06  5-Nov-92      13145 164   C2 jumbo patch
100267-09  6-Nov-92      55338 5891  Netgroup membership check fails
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file

=========
SunOS 4.1
=========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100101-02  7-Aug-90      42872 34    ptrace security vulnerability
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164   telnet permits password capture
100630-01  18-May-92     28074 39    Environment variables vulnerability
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06  5-Nov-92      13145 164   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100121-09  24-Feb-93     57589 360   NFS jumbo patch
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file

======================
SunOS 4.0.3 and 4.0.3c
======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100100-01  30-Jul-90     43821 588   sendmail permits root level access
100101-02  7-Aug-90      42872 34    ptrace security vulnerability
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164   telnet permits password capture
100383-06  26-Jan-93     58984 121   rdist can create setuid root files

============
SunOS 4.0.2i
============

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100108-01  22-Aug-90     50309 146   sendmail security vulnerability

=====================
SunOS 4.0.1 and 4.0.2
=====================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability

For additional information or assistance, please contact CIAC at (510) 423-9878 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).
_______________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                     Information Bulletin

             Novell NetWare LOGIN.EXE Security Patch

September 7, 1993 1140 PDT                                  Number D-21
________________________________________________________________________

PROBLEM:   A security vulnerability has been discovered in the login procedure of NetWare 4.x
PLATFORM:  PC/MS-DOS with Novell NetWare 4.x
DAMAGE:    User accounts may be readily compromised
SOLUTION:  Obtain and install replacement LOGIN.EXE v4.02
________________________________________________________________________

Critical Facts about the LOGIN.EXE vulnerability

CIAC has learned of a vulnerability within Novell's LOGIN.EXE program which can allow compromise of user accounts. This vulnerability affects NetWare 4.x only, and does not affect NetWare 2.x, 3.x, nor Netware for Unix. Operation of the vulnerable LOGIN.EXE may cause the inadvertent compromise of a user's name and password. Further details of this vulnerability are contained in the text file included with the patch.

The patch (LOGIN.EXE) and text file (SECLOG.TXT) are created by executing the distribution file SECLOG.EXE, a self-extracting archive. After extracting the files, the dir command should produce the following output.

        SECLOG   EXE    166276 xx-xx-xx  xx:xxx
        LOGIN    EXE    354859 08-25-93  11:43a
        SECLOG   TXT      5299 09-02-93  11:16a

To install the patch, follow the directions contained in the text file SECLOG.TXT, and then instruct all your users to change their passwords.

CIAC recommends that you replace your current LOGIN.EXE with the security enhanced version as soon as possible.

This patch is available via anonymous FTP as SECLOG.EXE on irbis.llnl.gov in the ~pub/ciac/pcvirus directory, and on CIAC's bulletin board Felicia. It can also be retrieved via anonymous FTP from first.org in the ~pub/software directory.
This file is also available at no charge through NetWare resellers, on NetWire in Library 14 of the NOVLIB forum, or by calling 1-800-NETWARE. NetWare customers outside the U.S. may call Novell at 303-339-7027 or 31-55-384279 or fax a request for LOGIN.EXE v4.02 to Novell at 303-330-7655 or 31-55-434455. Include company name, contact name, mailing address and phone number in the fax request.

CIAC would like to acknowledge the efforts of Richard Colby of Chem Nuclear Geotech, Inc. for discovering this vulnerability, and the efforts of Novell in the resolution of this issue.

For additional information or assistance, please contact CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002.

_______________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                     Information Bulletin

               Satan Bug Virus on MS-DOS computers

September 4, 1993 1000 PDT                                  Number D-22
__________________________________________________________________________

NAME:       Satan Bug virus
PLATFORM:   MS-DOS/PC-DOS Computers
TYPE:       Memory resident, polymorphic, encrypted
DAMAGE:     Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.
SYMPTOMS:   Files grow at each infection, file dates change, files on LAN file servers become inaccessible.
DETECTION:  DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.
__________________________________________________________________________

Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought to be contained, has been located at multiple sites in the "wild." The Satan Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then infects COMMAND.COM. Thereafter, whenever an executable file is opened or executed it is infected with the virus.
Infected files grow in size from 2.9K to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected files may be inoperative. In addition, the virus is not easily removed from infected files, requiring that they be replaced with uninfected copies from backup disks (see Appendix). The virus damages network drivers, making it impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning will not be able to recognize this virus. Anti-virus scanners that use file signature scanning should be able to detect that the files have been changed, but will not be able to name the virus. Most anti-virus scanner vendors are updating their programs at this time, so scanners dated after August 1993 should be able to detect the virus by name. As of the release of this bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August 1993 virus definitions update are known to detect it. The DataPhysician Plus package (VirHunt, ResScan) version 4.0B is in final testing and will be available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on your disk will be infected. Virus scanners must open a file to scan it, and if this virus is in memory, the act of opening the file for scanning will infect it. Most scanners first check themselves to see if they are infected with a virus, and display a "Virus Found" or "File Damaged" message when they start up. If this happens, do not scan your disk with this scanner. Even if the scanner claims that it can remove the virus from itself, don't scan your disk with it. The memory resident portion of the virus will still infect your disk.
To scan a computer infected with a memory resident virus like the Satan Bug virus, you must boot the computer with a clean (uninfected), locked floppy that contains a clean version of the virus scanner software. Delete any infected files the scanner finds, and replace them with fresh copies. See the Appendix for more information.

For More Information or Assistance

If you require additional information or assistance, please contact CIAC at:

        Phone:   (510) 422-8193 / FTS
        FAX:     (510) 423-8002 / FTS
        E-mail:  ciac@llnl.gov

Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.

---------------------------------------------------------------------------
Appendix - Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files: scanning for virus signatures, and scanning for changes in executable files. A signature scanner must have a string of bytes or signature that it can detect in a file that uniquely identifies a virus. If a virus does not contain a known signature, then the scanner will not detect it. File scanners look at a file's attributes, creation date and time, length, checksum, file header, and other properties to determine if a file has changed. A file scanner can detect a new virus, but cannot tell what virus it is. Actually, a file scanner cannot tell if a file is infected by a virus, only that a file has changed in some way. However, any changes in executable files should be viewed with a lot of suspicion. Few executable files rewrite themselves after installation. None of the DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during normal use, so view changes there as a probable virus infection.

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from an infected program. Most viruses of this type attach themselves to the end of a program, and then remove a small piece from the beginning of the program and insert code there that causes the virus code to be run first. When the virus code completes running, it executes the small piece of code it removed from the beginning of the program and then continues with the original program. That way, when you run an infected program, you will only notice a slight hesitation at the beginning when the virus code runs, and then the infected program runs like normal. Encrypted viruses store this piece of the normal program within the virus code and then encrypt the virus code. For an anti-virus program to be able to patch an infected program, it must be able to decrypt the encrypted virus to find the piece of missing code so that it can be put back where it belongs. The Satan Bug virus has up to nine levels of encryption, the level being different for each infection. Decrypting this much code is a very difficult process, so most anti-virus programs are not expected to be able to repair programs infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough of the scanned files to be able to repair an infected program. The Data Physician Plus package does save a sufficient amount of information to be able to repair a program infected with the Satan Bug virus. However, you must have created the file signature file before your program was infected. Again, if at all possible, you should always replace infected files rather than repairing them to ensure that you have undamaged copies.
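The "file scanner" approach the Appendix describes (record properties of every executable while the system is known to be clean, later report anything that changed) is simple enough to reproduce for a directory of programs. The script below is an added example for this page, not a CIAC or vendor tool. It records the CRC and byte length that cksum(1) reports for each regular file under a directory, then compares a later run against that baseline and lists files that changed, appeared or disappeared; the growth of 2.9K to 5.4K bytes described above shows up in the length column. As the Appendix says, this cannot name a virus, only show that a file changed, and the baseline must be taken before infection. The function names and sample file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): a minimal "file scanner" of
# the kind the Appendix describes, built on cksum(1) (CRC + byte length).

# Record a baseline of every regular file under $1: one cksum(1) line per
# file ("crc length path"), sorted by path, written to $2. Take it while the
# files are known to be clean (e.g. right after installation from master disks).
baseline_files() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# Compare the tree under $1 with baseline $2. Prints one line per difference
# (CHANGED / NEW / MISSING <path>) and returns 1 if anything differs, 0 if
# every file still has its recorded CRC and length.
compare_files() {
    find "$1" -type f -exec cksum {} + | sort -k3 | awk -v base="$2" '
        # path(): strip the leading "crc length " so paths with spaces survive
        function path(line) { sub(/^[0-9]+ +[0-9]+ +/, "", line); return line }
        BEGIN {
            while ((getline line < base) > 0) {
                p = path(line); rec[p] = line; seen[p] = 0
            }
            close(base)
        }
        {
            p = path($0)
            if (!(p in rec))        { print "NEW " p;     diff = 1 }
            else if (rec[p] != $0)  { print "CHANGED " p; diff = 1 }
            seen[p] = 1
        }
        END {
            for (p in rec) if (!seen[p]) { print "MISSING " p; diff = 1 }
            exit diff
        }'
}
```

Keep the baseline file on a write-protected disk along with the script, exactly as the Appendix recommends for the scanner itself; a baseline stored on the disk being checked can be altered by whatever altered the executables.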
Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus, you first need to get the virus out of memory, then you need to scan the disk with an uninfected copy of the virus scanner. To get the virus out of memory, boot your computer with a clean, locked boot disk. Then you can scan the hard disk using an anti-virus scanner, also located on a locked disk.

The following steps can be used to disinfect systems infected with memory resident program viruses such as the Satan Bug. It is also applicable to non-memory resident program viruses, but is not applicable to boot sector viruses and partition table viruses, which need additional steps.

1. You need a locked, uninfected emergency boot floppy disk that contains the virus scanner, FORMAT.EXE, SYS.COM, FDISK.COM, and any disk management software needed to access your hard disk, such as DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files that let you bring up your system in a limited way, and any backup/restore software you may use. You need to have made this disk before your system gets infected, or make it on some other uninfected machine.

2. Boot the infected computer with the locked, uninfected floppy.

3. Run the copy of the virus scanner on the uninfected floppy and scan the hard disks on the infected computer.

4. Once the scan has completed, delete any infected files the scanner found and scan the disk again. Repeat this step until no more infected or changed files are found. Alternatively, you can let the scanner disinfect all the files if it can, but this is not always possible or preferable.

5. When the scanner indicates that the hard disk is clean, restore the system using the SYS command. This step replaces the invisible system files, COMMAND.COM, and the boot sector.

6. Restore any deleted executables from your locked master disks or backup sets.

7. Scan the disk again with your virus scanner.
Note that at this point, the scanner may detect changes in some files because you have copied in new versions. If the scanner detects a virus, then delete the infected file. Later you will need to scan your source disk for that infected file, to see if it is infected as well. 8. Remove the emergency floppy and reboot the computer. Your computer should boot up correctly. 9. Insert the emergency floppy and run the scanner again just to be sure you have gotten every infected file. 10. Start scanning any floppy disks that may have been infected by your computer. Keep in mind that the virus could have been active for months before you discovered it. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. 
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. VENDOR RESTRICTED FOR DEPARTMENT OF ENERGY CRAY SITES ONLY DO NOT DISTRIBUTE _______________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Limited Distribution Bulletin Cray UltraNet Security Vulnerability September 5, 1993 1000 PDT Number D-23 For additional information or assistance, please contact CIAC at (510) 422-8193 / FTS or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002 / FTS. Cray Research Inc. provided the information used in this bulletin. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. 
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___
_____________________________________________________

INFORMATION BULLETIN

SCO Home Directory Vulnerability

September 17, 1993 1115 PDT Number D-24
__________________________________________________________________________

PROBLEM:  Home directories for "dos" and "asg" accounts insecure.
PLATFORM: Systems using SCO Operating Systems (see list below).
DAMAGE:   Unauthorized system access, including privileged access.
SOLUTION: Apply workaround described below.
__________________________________________________________________________

Critical Information about SCO Home Directory Vulnerability

CIAC has received information of a vulnerability in SCO Operating Systems that may permit unauthorized access to the "dos" and "asg" accounts.
The following SCO products are affected by this vulnerability:

    SCO UNIX System V/386 Release 3.2 Operating System
    SCO UNIX System V/386 Release 3.2 Operating System Version 2.0
    SCO UNIX System V/386 Release 3.2 Operating System Version 4.x
    SCO UNIX System V/386 Release 3.2 Operating System Version 4.0 with
        Maintenance Supplement Version 4.1 and/or Version 4.2
    SCO Network Bundle Release 4.x
    SCO Open Desktop Release 1.x
    SCO Open Desktop Release 2.0
    SCO Open Desktop Lite Release 3.0
    SCO Open Desktop Release 3.0
    SCO Open Server Network System Release 3.0
    SCO Open Server Enterprise System Release 3.0

The vulnerability results from the fact that the default home directories for the "dos" and "asg" accounts are /tmp and /usr/tmp respectively, both of which are writeable by all system users. This situation may allow unauthorized users to gain access to these accounts and the files that they own. The access may also be used to gain privileged access to the system.

CIAC recommends that sites apply the following workaround to all affected systems:

1. Log onto the system as "root".

2. Choose the following sequence of menu selections from the System Administration Shell, which is invoked by typing "sysadmsh":

   a. Accounts-->User-->Examine-->[select the "dos" account]-->Identity-->Home directory-->Create-->Path-->[change it to /usr/dos instead of /tmp]-->confirm

   b. Accounts-->User-->Examine-->[select the "asg" account]-->Identity-->Home directory-->Create-->Path-->[change it to /usr/asg instead of /usr/tmp]-->confirm

Sites should also take steps to verify that the "dos" and "asg" accounts have not been compromised. The following command will display recent logins to either of the accounts:

    last | egrep "dos|asg"

Should any login sessions be displayed, it is likely that the system has been compromised. The modification times of the DOS binaries on the system should also be examined for evidence of recent modifications.
If any evidence of compromise exists, CIAC strongly recommends that the DOS package of Operating System Extended Utilities be removed and re-installed using custom(ADM).

If you have further questions regarding this vulnerability, you may contact SCO Support and ask for more information concerning the "Home Directory Security Vulnerability." SCO may be reached as follows:

    Electronic mail: support@sco.COM

    USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
    -----------
    1-800-347-4381 (voice)
    1-408-427-5443 (fax)

    Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Daylight Time (PDT)
    ------------------------------------------------
    1-408-425-4726 (voice)
    1-408-427-5443 (fax)

    Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
    ----------------------------
    +44 (0)923 816344 (voice)
    +44 (0)923 817781 (fax)

For additional information or assistance, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002. Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC would like to acknowledge the efforts of both Christopher Durham of the Santa Cruz Operation and the CERT Coordination Center in the resolution of this issue.

This document was prepared as an account of work sponsored by an agency of the United States Government.
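As an added example, not code from the CIAC bulletin or from SCO, the following shell script generalises the condition behind D-24: it reads an /etc/passwd-style file and reports every account whose home directory is writable by all users, not just "dos" and "asg". The function names and the constructed fixture (a mode-1777 scratch directory standing in for /tmp) are assumptions.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): audit an /etc/passwd-style
# file for accounts whose home directory is writable by everyone, the
# condition behind the "dos" (/tmp) and "asg" (/usr/tmp) defaults. It
# generalises the bulletin's two accounts to every entry in the file.
# Usage: check_home_dirs /etc/passwd ; prints "user dir" for each
# offending account and returns 1, or returns 0 if none.

# 0 if the directory exists and its "other" write bit is set, else 1.
# ls -ld is used because it is available on old SCO systems as well.
world_writable() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
    esac
    return 1
}

# Walk every passwd entry and report those with a world-writable home.
check_home_dirs() {
    found=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        if world_writable "$home"; then
            echo "$user $home"
            found=1
        fi
    done < "$1"
    return $found
}

# Constructed fixture (not a real system): a mode-1777 scratch directory
# standing in for /tmp, two private home directories, and a passwd file
# in which only "dos" still points at the scratch directory.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/tmp" "$base/usr/dos" "$base/usr/asg"
    chmod 1777 "$base/tmp"
    chmod 755 "$base/usr/dos" "$base/usr/asg"
    cat > "$base/passwd" <<EOF
root:x:0:0:Superuser:$base:/bin/sh
dos:x:200:50:DOS utilities:$base/tmp:/bin/sh
asg:x:201:50:Assignable devices:$base/usr/asg:/bin/sh
EOF
    echo "$base"
}
```

Run it against a copy of the real passwd file after applying the sysadmsh workaround; an empty report confirms that neither account still lives in a shared scratch directory.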
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___
_____________________________________________________

ADVISORY NOTICE

Automated Scanning of Network Vulnerabilities

September 30, 1993 1000 PDT Number D-25
__________________________________________________________________________

PROBLEM:  Automated attacks on networked computers.
PLATFORM: All systems supporting TCP/IP networking.
DAMAGE:   Unauthorized access to information and computer resources.
SOLUTION: Examine machines for vulnerabilities detailed below and apply fixes as needed.
__________________________________________________________________________

Critical Information about Automated Network Scanning Software

CIAC has learned that software allowing automated scanning of networked computers for security vulnerabilities was recently made publicly available on the Internet.
The software package, known as ISS or Internet Security Scanner, will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities. The software was designed as a security tool for system and network administrators. However, given its wide distribution and ability to scan remote networks, CIAC feels that it is likely ISS will also be used to locate vulnerable hosts for malicious reasons. While none of the vulnerabilities ISS checks for are new, their aggregation into a widely available automated tool represents a higher level of threat to networked machines.

CIAC has analyzed the operation of the program and strongly recommends that administrators take this opportunity to re-examine systems for the vulnerabilities described below. Also detailed below are available security tools that may assist in the detection and prevention of malicious use of ISS. Finally, common symptoms of an ISS attack are outlined to allow detection of malicious use.

ISS Vulnerabilities
-------------------

The following vulnerabilities are tested for by the ISS tool. Administrators should verify the state of their systems and perform corrective actions as indicated.

Default Accounts

The accounts "guest" and "bbs", if they exist, should have non-trivial passwords. If login access to these accounts is not needed, they should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd. See the system manual entry for "passwd" for more information on changing passwords and disabling accounts. For example, the /etc/passwd entry for a disabled guest account should resemble the following:

    guest:*:2311:50:Guest User:/home/guest:/bin/false

lp Account

The account "lp", if it exists, should not allow logins. It should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd.
Decode Alias

Mail aliases for decode and uudecode should be disabled on UNIX systems. If the file /etc/aliases contains entries for these programs, they should be disabled by placing a "#" at the beginning of the line and then executing the command "newaliases". Consult the manual page for "aliases" for more information on UNIX mail aliases. A disabled decode alias should appear as follows:

    # decode: "|/usr/bin/uudecode"

Sendmail

The sendmail commands "wiz" and "debug" should be disabled. This may be verified by executing the following commands:

    % telnet hostname 25
    220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
    wiz
    You wascal wabbit!  Wandering wizards won't win!  (or 500 Command unrecognized)
    quit

    % telnet hostname 25
    220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
    debug
    500 Command unrecognized
    quit

If the "wiz" command returns "Please pass, oh mighty wizard", your system is vulnerable to attack. The command should be disabled by adding a line to the sendmail.cf configuration file containing the string:

    OW*

If the "debug" command responds with the string "200 Debug set", you should immediately obtain a newer version of sendmail software from your vendor.

Anonymous FTP

Anonymous FTP allows users without accounts to have restricted access to certain directories on the system. The availability of anonymous FTP on a given system may be determined by executing the following commands:

    % ftp hostname
    Connected to hostname.
    220 host FTP server ready.
    Name (localhost:jdoe): anonymous
    530 User anonymous unknown.
    Login failed.

The above results indicate that anonymous FTP is not enabled. If the system instead replies with the string "331 Guest login ok" and then prompts for a password, anonymous FTP access is enabled. The configuration of systems allowing anonymous FTP should be checked carefully, as improperly configured FTP servers are frequently attacked. Refer to CIAC Bulletin D-19 for more information.
NIS

SunOS 4.x machines using NIS are vulnerable unless the patch 100482 has been installed. See CIAC Bulletin C-25 for more information regarding this patch.

NFS

Filesystems exported under NFS should be mountable only by a restricted set of hosts. The UNIX "showmount" command will display the filesystems exported by a given host:

    % /usr/etc/showmount -e hostname
    export list for hostname:
    /usr        hosta:hostb:hostc
    /usr/local  (everyone)

The above output indicates that this NFS server is exporting two partitions: /usr, which can be mounted by hosta, hostb, and hostc; and /usr/local, which can be mounted by anyone. In this case, access to the /usr/local partition should be restricted. Consult the system manual entry for "exports" or "NFS" for more information.

rusers

The UNIX rusers command displays information about accounts currently active on a remote system. This may provide an attacker with account names or other information useful in mounting an attack. To check for the availability of rusers information on a particular machine, execute the following command:

    % rusers -l hostname
    hostname: RPC: Program not registered

If the above example had instead generated a list of user names and login information, a rusers server is running on the host. The server may be disabled by placing a "#" at the beginning of the appropriate line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. For example, a disabled rusers entry might appear as follows:

    #rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd

rexd

The UNIX remote execution server rexd provides only minimal authentication and is easily subverted. It should be disabled by placing a "#" at the beginning of the rexd line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process.
The disabled entry should resemble the following:

    #rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd

Available Tools
---------------

There are several available security tools that may be used to prevent or detect malicious use of ISS. They include the following:

SPI

SPI, the Security Profile Inspector, will detect the system vulnerabilities described above, as well as many others. U.S. Government agencies interested in obtaining SPI should send E-mail to spi@cheetah.llnl.gov or call (510) 422-3881 for more information.

COPS

The COPS security tool will also detect the vulnerabilities described above. It is available via anonymous FTP from ftp.cert.org in the directory /pub/tools/cops/1.04.

ISS

Running ISS on your systems will provide you with the same information an attacker would obtain, allowing you to correct vulnerabilities before they can be exploited. Note that the current version of the software is known to function poorly on some operating systems. If you should have difficulty using the software, please contact CIAC for assistance. ISS may be obtained via anonymous FTP from ftp.uu.net in the directory /usenet/comp.sources.misc/volume39/iss.

TCP Wrappers

Access to most UNIX network services can be more closely controlled using software known as a TCP wrapper. The wrapper provides additional access control and flexible logging features that may assist in both the prevention and detection of network attacks. This software is available via anonymous FTP from ftp.win.tue.nl in the file /pub/security/tcp_wrappers_6.0.shar.Z.

Detecting an ISS Attack
-----------------------

Given the wide distribution of the ISS tool, CIAC feels that remote attacks are likely to occur. Such attacks can cause system warnings to be generated that may prove useful in tracking down the source of the attack.
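The following is an added example, not code from the CIAC bulletin or from the ISS, SPI or COPS tools: a shell audit of the file-based items in the ISS Vulnerabilities checklist above (the guest/bbs/lp accounts, the decode and uudecode aliases, rusersd and rexd in inetd.conf, and NFS exports open to everyone), run over constructed configuration files. The function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin or the ISS tool): a file-based
# audit of the ISS checklist above. Each check reads a configuration file
# (or saved command output) named by its argument, prints one finding per
# line, and returns 1 if anything was found or 0 if clean.
# guest, bbs and lp must be locked: "*" in the password field and
# /bin/false as the shell. Anything else is reported.
check_accounts() {
    awk -F: '$1 == "guest" || $1 == "bbs" || $1 == "lp" {
                 if ($2 != "*" || $7 != "/bin/false") {
                     print "account " $1 " not disabled (pw=" $2 " shell=" $7 ")"
                     bad = 1 } }
             END { exit bad }' "$1"
}

# An uncommented decode: or uudecode: alias line is a finding.
check_aliases() {
    awk '/^[ \t]*(decode|uudecode)[ \t]*:/ { print "active alias: " $0; bad = 1 }
         END { exit bad }' "$1"
}

# rusersd and rexd lines in inetd.conf must be commented out or absent.
check_inetd() {
    awk '/^[ \t]*(rusersd|rexd)\// { print "enabled inetd service: " $1; bad = 1 }
         END { exit bad }' "$1"
}

# Saved "showmount -e" output: an export open to (everyone) is a finding.
check_exports() {
    awk '/\(everyone\)/ { print "world-mountable export: " $1; bad = 1 }
         END { exit bad }' "$1"
}

# Run all four checks on a directory holding the files; 1 if any failed.
audit_dir() {
    rc=0
    check_accounts "$1/passwd" || rc=1
    check_aliases "$1/aliases" || rc=1
    check_inetd "$1/inetd.conf" || rc=1
    check_exports "$1/showmount.out" || rc=1
    return $rc
}
# Constructed sample files (not from any real system): guest is disabled
# correctly, bbs and lp are not; decode is commented out but uudecode is
# live; rusersd is commented out but rexd is live; /usr/local is open.
make_fixture() {
    base=$(mktemp -d)
    cat > "$base/passwd" <<'EOF'
guest:*:2311:50:Guest User:/home/guest:/bin/false
bbs:abcd1234:2312:50:BBS:/home/bbs:/bin/sh
lp:*:71:8:Line printer:/usr/spool/lp:/bin/sh
EOF
    cat > "$base/aliases" <<'EOF'
postmaster: root
# decode: "|/usr/bin/uudecode"
uudecode: "|/usr/bin/uudecode"
EOF
    cat > "$base/inetd.conf" <<'EOF'
#rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd
rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
EOF
    cat > "$base/showmount.out" <<'EOF'
export list for hostname:
/usr       hosta:hostb:hostc
/usr/local (everyone)
EOF
    echo "$base"
}
```

The sendmail, anonymous FTP and NIS items need a live service or patch list rather than a file and are left to the telnet/ftp checks shown in the text.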
The most probable indicator of an ISS attack is a mail message sent to "postmaster" on the scanned system similar to the following:

    From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
    Subject: Returned mail: Unable to deliver mail
    Message-Id: <9309291633.AB04591@>
    To: Postmaster@hostname

       ----- Transcript of session follows -----
    <<< VRFY guest
    550 guest... User unknown
    <<< VRFY decode
    550 decode... User unknown
    <<< VRFY bbs
    550 bbs... User unknown
    <<< VRFY lp
    550 lp... User unknown
    <<< VRFY uudecode
    550 uudecode... User unknown
    <<< wiz
    500 Command unrecognized
    <<< debug
    500 Command unrecognized
    421 Lost input channel to remote.machine

       ----- No message was collected -----

If you should receive such a message, it is likely that your machine and others on your network have been scanned for vulnerabilities. You should immediately contact your computer security officer or CIAC for assistance in assessing the damage and taking corrective action.

For additional information or assistance, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002. Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).
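An added example, not from the CIAC bulletin, for the "Detecting an ISS Attack" section above: a shell detector that reads a bounce saved from postmaster's mailbox and reports whether the SMTP transcript shows the VRFY/wiz/debug probe pattern. The constructed sample messages, the function names and the three-of-five matching threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): detect the bounce message
# described above. The function reads a mail file saved from postmaster's
# mailbox and reports whether its SMTP transcript shows the ISS probe
# pattern: VRFY of the guest/decode/bbs/lp/uudecode names plus the wiz and
# debug commands. Usage: iss_scan_signature bounce.mail ; 0 when matched.

# Print "vrfy=<distinct probed names> wiz=<0|1> debug=<0|1>".
iss_probe_summary() {
    awk '
        /^[ \t]*<<< VRFY / {
            name = tolower($3)
            if (name ~ /^(guest|decode|bbs|lp|uudecode)$/ && !(name in seen)) {
                seen[name] = 1; n++
            }
        }
        /^[ \t]*<<< wiz/   { wiz = 1 }
        /^[ \t]*<<< debug/ { dbg = 1 }
        END { printf "vrfy=%d wiz=%d debug=%d\n", n, wiz, dbg }' "$1"
}

# Match rule (an assumption, not from the bulletin): at least three of the
# five probed names plus both sendmail commands. Returns 0 matched, 1 not.
iss_scan_signature() {
    summary=$(iss_probe_summary "$1")
    set -- $summary
    n=${1#vrfy=}; w=${2#wiz=}; d=${3#debug=}
    if [ "$n" -ge 3 ] && [ "$w" -eq 1 ] && [ "$d" -eq 1 ]; then
        echo "ISS scan signature found ($summary)"
        return 0
    fi
    return 1
}

# Constructed sample messages (not real mail): one modelled on the
# transcript in the bulletin, one ordinary bounce that must not match.
make_samples() {
    base=$(mktemp -d)
    cat > "$base/iss.mail" <<'EOF'
From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
To: Postmaster@hostname
   ----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to remote.machine
EOF
    cat > "$base/benign.mail" <<'EOF'
Subject: Returned mail: User unknown
   ----- Transcript of session follows -----
<<< VRFY jdoe
550 jdoe... User unknown
EOF
    echo "$base"
}
```

A sendmail that honours VRFY will answer the probes with 250 lines instead of 550, so the detector keys on the VRFY requests rather than on the replies.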
VENDOR RESTRICTED
FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
DO NOT DISTRIBUTE

_______________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___
_____________________________________________________

Limited Distribution Bulletin

September 30, 1993 1500 PDT Number D-26

For additional information or assistance, please contact CIAC at (510) 422-8193 / FTS or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002 / FTS.