[Prev][Next][Index][Thread]

CERT Summary CS-96.06 (fwd)




-----BEGIN PGP SIGNED MESSAGE-----

CERT(sm) Summary CS-96.6
November  26, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ----------------------------------------------------------------------------


Recent Activity
- ---------------

Since the September CERT Summary, we have noticed these continuing trends
in incidents reported to us.

1. cgi-bin/phf Exploits

We continue to see frequent reports of attempts to exploit the vulnerability
in the CGI example program "phf".  The phf program, which is installed by
default with several implementations of httpd servers, contains a weakness
that can allow intruders to execute arbitrary commands on the server.  The
most common attack involves an attempt to retrieve the httpd server's
/etc/passwd file, and sample scripts for exploiting this vulnerability in phf
have been widely posted on the Internet.

While we are encouraged to see that the majority of the recently reported
attacks have failed (because the attacked sites had already removed the phf
program), the steady reports of continuing attacks indicate that these phf
exploits are still being widely attempted.

For more information about this vulnerability, see

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

For related information about protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection


2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the victims
of root compromises. In many of these incidents, the compromised systems
were unpatched or misconfigured, and the intruders exploited well-known
vulnerabilities for which CERT advisories have been published.

If you are running Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root compromised,
we also recommend that you review

  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing lists for
security patches and workarounds. More information can be found at

  http://bach.cis.temple.edu/linux/linux-security/


- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (September 24,
1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.22.bash_vuls                  Addresses two problems with the GNU
                                        Project's Bourne Again SHell (bash):
                                        one in yy_string_get() and one in
                                        yy_readline_get().

    CA-96.23.workman_vul                Describes a vulnerability in the
                                        WorkMan compact disc-playing program
                                        that affects UNIX System V Release 4.0
                                        and derivatives and Linux systems.

    CA-96.24.sendmail.daemon.mode       Addresses a vulnerability that allows
                                        intruders to gain root
                                        privileges. Includes patch and upgrade
                                        information.



ftp://info.cert.org/pub/cert_bulletins/

    VB-96.17.linux                      Linux Security FAQ Update from
                                        Alexander Yuriev. Includes information
                                        about a mount/umount vulnerability.

    VB-96.18.sun                        Addresses vulnerabilities in the libc
                                        and libnsl libraries of Solaris 2.5
                                        (SunOS 5.5) and Solaris 2.5.1
                                        (SunOS 5.5.1) from Sun Microsystems,
                                        Inc. Includes patch information.


ftp://info.cert.org/pub/latest_sw_versions/

    bash                                Added information on bash 1.14.7.

    sendmail                            Added information on sendmail 8.8.3.



* Updated Files

ftp://info.cert.org/pub/

    Sysadmin_Tutorial.announcement      Added date of next course offering.


ftp://info.cert.org/pub/cert_advisories/

    CA-94:01.ongoing.network.monitoring.attacks
                                        Clarified introductory
                                        information. Added a pointer to the
                                        CERT tech tip on root compromises.

    CA-95:02.binmail.vulnerabilities    Removed Appendices B & C, which
                                        contained outdated information. In
                                        section B, added information that
                                        mail.local is now part of
                                        sendmail. Added a pointer to sendmail.

    CA-96.09.rpc.statd                  Updated information from Silicon
                                        Graphics Inc.

    CA-96.20.sendmail_vul               Added a pointer to CA-96.24.

    CA-96.21.tcp_syn_flooding           Revised second paragraph of
                                        introduction for clarity. Added new
                                        information for Silicon Graphics
                                        Inc. (SGI), Berkeley Software Design,
                                        Inc. (BSDI), Sun Microsystems, Inc.
                                        Revised appendix information on
                                        reserved private network
                                        numbers. Added pointer to information
                                        in ftp://info.cert.org/pub/vendors.

    CA-96.22.bash_vuls                  Added Appendix A containing
                                        information from IBM Corporation,
                                        LINUX, and Silicon Graphics,
                                        Inc. (SGI). Removed patch for problem
                                        in yy_readline_get, as the problem
                                        described for yy_string_get is not
                                        exploitable for yy_readline_get.


ftp://info.cert.org/pub/tools/mail.local/

    README                              Added information that mail.local is
                                        now a part of sendmail. Added a
                                        pointer to sendmail.


ftp://info.cert.org/pub/tools/sendmail/

    sendmail.8.8.3.patch
    sendmail..8.8.3.tar.Z
    sendmail.8.8.3.tar.gz
    sendmail.8.8.3.tar.sig


ftp://info.cert.org/pub/vendors/hp/

    HP.contact_info                     Replaced instructions for subscribing
                                        by email with the new URLs people must
                                        use.


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMpoitXVP+x0t4w7BAQEp1gP/XK7WsKsoplL4F9YdMi9CyHCd/H1Qh3Nm
oyJDD9O19EPsCjeuFgBX5bGWb26L1MeuuCyEhV/5Z9Vf2R9wrPcOq3l+UeVjV/0t
SDwp/Y2R4uP+hdCzkDKk5Ryuzoxq3xj4TD0GNv8XRShQbUR2u05zFbzbyiH+ONh8
C7E1HKBP03M=
=nrOY
-----END PGP SIGNATURE-----