May SANS Security Digest presents updates on security issues, patches, and an intrusion detection FAQ.
`Subject: May SANS Security Digest Vol. 3 Num. 5
Fr: Rob the SANS Mailing List Guy
Here's the May SANS Network Security Digest. I hope your spring
is going well!
RK
-----BEGIN PGP SIGNED MESSAGE-----
=================================================================
| |
| @@@@ @@ @ @ @@@@ |
| @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @ @@@@ Vol. 3, No. 5 |
| @ @@@@@@ @ @ @ @ May 20, 1999 |
| @ @ @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @@@@ |
| |
| The SANS Network Security Digest |
| Editor: Michele D. Crabb-Guel |
| |
| Contributing Editors: |
| Fred Avolio, Steve Bellovin, Matt Bishop, |
| Bill Cheswick, Jean Chouanard, Liz Coolbaugh, |
| Dorothy Denning, Dan Geer, Mark Edmead, Rob Kolstad, |
| Richard Jackson, Peter Neumann, Alan Paller, |
| Marcus Ranum, Gene Schultz, Gene Spafford, John Stewart |
| |
====A Resource for Computer and Network Security Professionals===
CONTENTS:
i) Updated Intrusion Detection FAQ
ii) Final Tutorial Selection for Network Security 1999 (NS99)
iii) SANS Roles and Responsibilities Survey
iv) Summaries of the SANS99 Technical Conference
v) June 1 Web Briefing
1) CIAC ISSUES INFORMATION BULLETIN
2) HP SECURITY PROBLEMS AND PATCHES
3) SUN SECURITY PROBLEMS AND PATCHES
4) SGI SECURITY PROBLEMS AND PATCHES
5) IBM AIX SECURITY PROBLEMS AND PATCHES
6) COMPAQ SECURITY PROBLEMS AND PATCHES
7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
8) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES
9) LINUX SECURITY PROBLEMS AND PATCHES
10) CISCO SECURITY PROBLEMS AND PATCHES
11) GENERAL VIRUS INFORMATION
12) QUICK TIDBITS
*****************************************
i) Updated Intrusion Detection FAQ
The new Intrusion Detection FAQ has been updated to version 0.6 at
http://www.sans.org/IDFAQ/ID_FAQ.htm; thanks to Stephen Northcutt and
his cast of dozens of volunteers.
=======================================================================
ii) Final Tutorial Selection for Network Security 1999 (NS99)
Final selections for courses at Network Security 99 (New Orleans, October
3-10) have been made. They include the highest rated programs from
SANS99 plus several new ones that were vetted at SANS99 including
Forensics, Hacker Tools, and Cisco Security Features. For those who
require long lead times, the NS99 registration form is posted at
https://www.sans.org/ns99register.htm, though the supporting web pages
are not quite ready yet. If you register for the conference and at
least one course before June 30, you'll get an extra gift certificate
for books at Amazon.com.
=======================================================================
iii) SANS Roles and Responsibilities Survey
The SANS 1999 Security Roles and Responsibilities Survey aims to create
a chart that correlates job titles with job functions and
responsibilities. It takes 12-15 minutes to fill in for four positions.
Those who participate receive results of the survey during June.
=======================================================================
iv) Summaries of the SANS99 Technical Conference
Chris Calabrese created a session-by-session easy-to-read review of the
SANS99 (Baltimore, May 7-9) sessions he attended, and it is posted at
http://www.sans.org/sans99sum.htm. It's so well written it almost feels
like you were there.
=======================================================================
v) June 1 Web Briefing
See http://www.sans.org/jun1.htm to register for the June 1 web briefing.
The first hour of this two-parter is: What The Attackers Know About You:
Anatomy of A Christmas '98 Attack which goes behind the scenes and
illuminates the processes, skills, and thinking of a sophisticated
attacker. Part 2, the second hour, is the first SANS ToolTalk: How to
Get Maximum Value Out of TripWire.
=======================================================================
1) CIAC ISSUES INFORMATION BULLETIN (05/17/1999)
CIAC released an Information Bulletin regarding web security. They
continue to receive daily reports regarding web sites that have been
hacked. Many of these hacks could be avoided by using good security
practices. The information bulletin outlines a number of tips to better
secure your web server. For more information see the CIAC Information
Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-042.shtml
=======================================================================
2) HP SECURITY PROBLEMS AND PATCHES
The HP Electronic Support Center is located at:
http://us-support.external.hp.com/ (US and Canada)
http://europe-support.external.hp.com/ (Europe)
Note: Log into the HP Electronic Support Center prior to accessing a
specific support page as identified below.
---------------
HP last released a security bulletin on 04/20/1999.
=======================================================================
3) SUN SECURITY PROBLEMS AND PATCHES
Sun Security Bulletins are available at:
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
Sun Security Patches are available at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access/
---------------
Sun last released a security bulletin on 02/10/1999.
=======================================================================
4) SGI SECURITY PROBLEMS AND PATCHES
SGI maintains a security home page at:
http://www.sgi.com/Support/security/security.html
SGI patches are available at:
ftp://ftp.sgi.com/security/
---------------
SGI last released a security advisory on 03/10/1999.
=======================================================================
5) IBM AIX SECURITY PROBLEMS AND PATCHES
IBM maintains a security home page:
http://www.brs.ibm.com/services/brs/ers/brspwers.nsf/Info/Resources/
IBM maintains an on-line support center:
http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases/
---------------
A) IBM has not released any ERS Alerts recently; however, they continue
to release security-related APARs (Authorized Program Analysis Reports)
on a regular basis. For general APAR information see:
http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases
For the latest security APARs, enter the keyword 'security' in the
search window, set an appropriate date range (e.g., April 1999 to
May 1999), and select 'word stems'. The list is then displayed.
Important APARs to review for the last month include:
IX86764 - Linking Users to membership group problem
IX71110 - VSD Driver Security Enhancements
IX89365 - Security related updates in AIX 4.3
IX89364 - Security related updates in AIX 4.2
IX89362 - Security related updates in AIX 4.1
There is a Bugtraq article on the AIX fixes at:
http://www.geek-girl.com/bugtraq/1999_2/0375.html
=======================================================================
6) COMPAQ SECURITY PROBLEMS AND PATCHES
Compaq Tru64 UNIX, OpenVMS, Ultrix, and Windows patches located at:
http://ftp.service.digital.com/public/
---------------
A) 5/11/99 - Compaq announced a Tru64 UNIX vulnerability in
/usr/dt/bin/dtlogin which may allow users to gain root privileges.
Versions affected are V4.0B, V4.0D, V4.0E, V4.0F. A patch is available
for the affected versions. The Compaq reference number is SSRT0600U.
For more information see the page:
http://ftp.service.digital.com/public/osf/v4.0b/ssrt0600u.README/
---------------
B) 5/7/99 - Compaq updated an announcement about a Tru64 UNIX
vulnerability in /usr/tcb/bin/edauth which may allow users to gain
unauthorized access to security information. Versions affected are V3.2G,
V4.0, V4.0A, V4.0B, V4.0C, V4.0D, V4.0E. A patch is available for the
affected versions. The Compaq reference number is SSRT0588U. For more
information see the page:
http://ftp.service.digital.com/public/osf/v4.0b/ssrt0588u.README/
=======================================================================
7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
The Microsoft Security page is located at:
http://www.microsoft.com/security/
Additional NT Security Related web pages may be found at:
http://www.ntbugtraq.com/
http://www.ntbugtraq.com/ntfixes.asp
http://www.ntsecurity.net/
---------------
A) 05/20/1999 - Microsoft released a patch that corrects
a security vulnerability in the Windows NT Remote Access Service (RAS)
on client machines. The vulnerability, which results from a "malformed
phonebook entry", could leave the client vulnerable to a denial of
service attack and, under certain conditions, allow a remote user to
execute arbitrary code. Affected version: Windows NT 4.0. For more
information refer to the Microsoft Security Bulletin (MS99-016) at:
http://www.microsoft.com/security/bulletins/ms99-016.asp
---------------
B) 05/17/1999 - Microsoft released a patch that corrects the
"Malformed Help File" vulnerability. The vulnerability, which results
from the ability to write an unchecked buffer (hence the malformed
files), may allow a user to run arbitrary code on a Windows NT system. The
patch prevents the code from being executed but does not prevent the
writing of the files. For more information refer to the Microsoft Security
Bulletin (MS99-015) at:
http://www.microsoft.com/security/bulletins/ms99-015.asp
---------------
C) 05/07/1999 - Microsoft released a patch to correct a vulnerability
in the Excel 97 virus warning mechanism. The virus warning feature in
Excel 97 is intended to warn the user before launching/opening an external
file. However, under certain conditions, this feature can be bypassed.
For more information refer to the Microsoft Security Bulletin (MS99-014)
at:
http://www.microsoft.com/security/bulletins/ms99-014.asp
A Microsoft Knowledge Base article is also available at:
http://support.microsoft.com/support/kb/articles/q231/3/04.asp
---------------
D) 05/07/1999 & 05/14/1999 - Microsoft released a bulletin and later an
update, regarding a "file viewers" vulnerability. The vulnerability,
which is present in some viewers that are shipped as part of IIS or the
Site Server, may allow a web site visitor to view files on the server
if they are able to guess the name of the file and have access rights
to the file as granted by NT ACLs. The vulnerability does not allow the
web site visitor to modify or upload files.
Affected versions are Site Server 3.0 (this version is included with
the Commerce Edition), MS Commercial Internet System 2.0, MS BackOffice
Server 4.0 and 5.0 and MS IIS 4.0. Patches are not available at this
time; however, there are steps customers can take to eliminate the
vulnerability from their site. For more information, see the Microsoft
Security Bulletin (MS99-013) at:
http://www.microsoft.com/security/bulletins/ms99-013.asp
A Microsoft Knowledge Base article is available at:
http://support.microsoft.com/support/kb/articles/q231/3/68.asp
---------------
E) 04/21/1999 - Microsoft released patches for IE versions 4.0 and 5.0
that correct three separate vulnerabilities. The first vulnerability
is similar to the cross-frame security vulnerability where a malformed
URL can be used to execute a script on a server web site. The second
vulnerability, which only affects IE 5.0, is a new variant of the
"untrusted script paste" problem. The third problem involves the HTML "IMG
SRC" tag, which identifies and loads an image file. However, the
tag can be used to point to any file type, thus potentially exposing
sensitive information.
Affected versions are IE 4.0 and 5.0 on win95, win98 and NT 4.0 platforms.
For more information see the Microsoft Security Bulletin (MS99-012) at:
http://www.microsoft.com/security/bulletins/ms99-012.asp
---------------
F) 04/21/1999 - Microsoft released a patch for the DHTML edit
vulnerability. The DHTML edit control is an Active X control that allows
users to edit HTML text and view how it might look in a web browser.
The vulnerability results from the fact that a user can be tricked into
loading sensitive information into the edit window, from which it can
then be uploaded to the web site operator. Affected versions are IE version
5.0 on win95, win98 and NT 4.0 and IE 4.0 users who have downloaded the
control and are running on the following platforms: win95, win98, and
x86 version of NT 4.0.
The patch corrects the problem by allowing a web site running in the safe
scripting zone to upload the data only if the requesting host is in the
same domain. For more information, see the Microsoft Security Bulletin
(MS99-011) at:
http://www.microsoft.com/security/bulletins/ms99-011.asp
A Microsoft Knowledge Base article is available at:
http://support.microsoft.com/support/kb/articles/q226/3/26.asp
=======================================================================
8) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES
BSDI maintains a support web page at:
http://www.BSDI.COM/support/
FreeBSD maintains a security web page at:
ftp://ftp.cdrom.com/pub/FreeBSD/CERT/advisories/
NetBSD's Security web page is at:
http://www.NetBSD.ORG/Security/
OpenBSD's Security web page is at:
http://www.openbsd.org/security.html
---------------
BSDI:
No updates for this period.
FreeBSD:
No updates for this period.
NetBSD:
A) 04/21/1999 - NetBSD released a patch for the SVR4 compatibility device
creation vulnerability. The script that creates the devices has an
error whereby it creates a device with the wrong major number. The
erroneous device may allow users "to arbitrarily read or write data
stored on the NetBSD portion of the first IDE disk". Affected versions
are NetBSD 1.3.3 and NetBSD-current prior to 19990420.
For more information, see the NetBSD release note (SA1999-009) at:
http://www.NetBSD.ORG/Security/advisory.html
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0215.html
---------------
B) 04/13/1999 - NetBSD released a patch for a file system locking
vulnerability that results in a system panic or hang. Certain
kernel operations, such as creating a symbolic link, may cause the
kernel to panic or hang.
Versions of NetBSD-current prior to 19990409 are vulnerable.
For more information see NetBSD release note (SA1999-008) at:
http://www.NetBSD.ORG/Security/advisory.html
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0109.html
=======================================================================
9) LINUX SECURITY PROBLEMS AND PATCHES
Caldera OpenLinux security information can be found at:
http://www.caldera.com/news/security/index.html
Debian GNU/Linux maintain a security web page at:
http://www.debian.org/security/
Red Hat Linux maintain a support page at:
http://www.redhat.com/support/
Red Hat ftp site:
ftp://updates.redhat.com/
The latest Slackware release and patches can be found at:
ftp://cdrom.com/pub/linux/
S.u.S.E. information can be found at:
http://www.suse.com/
---------------
Caldera:
A) 04/30/1999 - Caldera released a security advisory regarding a directory
permission change made by the rsync program. Under certain circumstances,
rsync may change the permissions of a user's home directory, which may
allow other users to view sensitive files that they would normally not
have access to view. Vulnerable versions are OpenLinux 1.0, 1.1, 1.2,
1.3 and 2.2 running rsync versions prior to 2.3.1. The rsync
2.3.1-1.i386.rpm package corrects the problem. Users can also manually change
the permissions on their home directory should they discover they are
incorrect. For more information, see the Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:010.0.txt
---------------
B) 04/27/1999 - Caldera released a security advisory regarding
incorrect permissions on the /etc/shadow file that allow anyone to
view the file. Vulnerable versions include OpenLinux 2.2 prior to
coas-1.0-8. The problem can be corrected by doing a "chmod 600
/etc/shadow" or by installing the coas-1.0-8 package. For more
information see the Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:009.0.txt
Or the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0291.html
---------------
C) 04/20/1999 - Caldera released an advisory regarding buffer overflows
in the procmail program. This problem was first discussed on the Bugtraq
mailing list on 04/06/1999. A patch is available from Caldera. For more
information see the Caldera Advisory at:
http://www.calderasystems.com/news/security/CSSA-1999:007.0.txt
---------------
Debian:
A) 04/22/1999 - Debian GNU/Linux reported a buffer overflow problem with
procmail. This is the same procmail problem discussed on the Bugtraq
mailing list on 04/06/1999. A corrected version is available from Debian
at:
http://www.debian.org/security/1999/19990422
---------------
Red Hat:
A) 05/11/1999 - Red Hat announced a fix for a security vulnerability in
the xscreensaver package shipped with Red Hat Linux 6.0. In the shipped
version, several security checks were disabled. For more information see:
http://www.redhat.com/corp/support/errata/rh60-errata-general.html
---------------
B) 04/16/1999 - Red Hat released security fixes for three separate
programs: NFS, procmail and lpr. For more information see the Red Hat
Errata notes at:
http://www.redhat.com/corp/support/errata/rh52-errata-general.html
http://www.redhat.com/corp/support/errata/rh51-errata-general.html
http://www.redhat.com/corp/support/errata/rh50-errata-general.html
http://www.redhat.com/corp/support/errata/rh42-errata-general.html
---------------
S.u.S.E.:
No reports this period.
=======================================================================
10) CISCO SECURITY PROBLEMS AND PATCHES
Cisco Systems maintains an Internet Security Advisories page at:
http://www.cisco.com/warp/public/791/sec_incident_response.shtml
---------------
Cisco last released an Internet Security Advisory on 04/13/1999.
=======================================================================
11) GENERAL VIRUS INFORMATION
We will only include items on viruses that have been widely discussed.
This is not meant to be an all-inclusive update on recent virus problems
and solutions.
Virus information is available from a variety of sites, including:
http://www.antivirus.com/
http://www.avpve.com/
http://www.drsolomon.com/
http://www.datafellows.com/
http://www.nai.com/
http://www.sophos.com/
http://www.symantec.com/avcenter/
Good sources for virus myths and hoaxes are:
http://www.kumite.com/myths/
http://ciac.llnl.gov/ciac/CIACHoaxes.html
---------------
A) The CIH/Chernobyl virus received lots of press this past month as
April 26th came and went. The hardest hit region was the Far East.
There are a number of variants of the CIH virus; some can overwrite the
hard disk and the flash BIOS of an infected computer, resulting in a
complete loss of data. Various anti-virus product vendors published
alerts concerning CIH and its variants. For more information see the
following resources:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/spacefiller411.asp
http://www.datafellows.com/cih/
http://www.symantec.com/avcenter/venc/data/cih.html
http://www.symantec.com/avcenter/kill_cih.html
http://www.virusbtn.com/VirusInformation/cih.html
CERT released an Incident Note (IN-99-03) on April 26th regarding the
CIH/Chernobyl virus. The note provides a description of the virus and
suggests some possible solutions along with URLs for vendor related
information. The Incident Note can be found at:
http://www.cert.org/incident_notes/IN-99-03.html
=======================================================================
12) QUICK TIDBITS
A) 05/14/1999 - ssh version 1.2.27 is released. This release includes
a number of bug fixes and enhancements. For the full list, see the
Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0476.html
---------------
B) 05/11/1999 - An article appeared on Bugtraq describing two security
vulnerabilities in INN 2.0 and higher. The first vulnerability may allow
a news user to execute arbitrary programs as root if they can control
the behavior of the inndstart program. The solution requires a source
code change to the inndstart.c module. The second vulnerability results
from the fact that the inndstart program is not installed in a directory
which is only accessible by the user news. The solution for this problem
requires the inndstart program to be installed in a directory with 0700
permissions. Versions 1.7.2 and lower are not affected by either
vulnerability.
For more information, see the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0431.html
---------------
C) 05/10/1999 - During the opening session of the SANS99 Technical
Conference, Alan Paller and Rob Kolstad presented SANS Technology
Leadership Awards to the editors of Bugtraq, NTBugtraq and the SANS
Digest as "The Three Most Valuable Security Publications". During the
Fall of 1998, the SANS Community was asked to rate which security
information sources provided them with the most useful information.
The list included such publications as InfoWorld, SysAdmin, and others.
However, the three most selected choices were write-ins. The individuals
who received the awards were:
Elias Levy (a.k.a. Aleph1), Editor of Bugtraq
Russ Cooper, Editor of NTBugtraq
Michele D. Crabb-Guel, Primary editor of the SANS Digest
---------------
D) 05/06/1999 - ISS released an XForce Alert reporting multiple
vulnerabilities in Oracle 8. The vulnerabilities, which involve insecure
file creation and manipulation, may allow malicious local users to
exploit the Oracle administrative tools and gain access to view, modify
and append information. For more information see the ISS Xforce Alert
at:
http://www.iss.net/xforce/alerts/advise26.html
---------------
E) 05/02/1999 - An article was published on advances in cryptographic
code breaking by an Israeli scientist. Adi Shamir, one of the world's
foremost cryptographers and the "S" in the RSA public-key cryptosystem,
will soon introduce a design for a device (TWINKLE) that would be able
to quickly factor the moduli of RSA public keys of 512 bits or less, and
hence recover the corresponding private keys. The paper describing the
device was first presented during the EUROCRYPT '99 rump session.
For more information see:
http://www.rsa.com/rsalabs/html/twinkle.html
The paper is available at:
http://jya.com/twinkle.htm
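Why a faster factoring device is a private-key attack is worth seeing in code: once n = p*q is known as a product, phi(n) and therefore d follow in a few lines. The block below is an added example, not from the digest, RSA Labs or Shamir's paper; it uses constructed toy primes and naive trial division in place of the Number Field Sieve sieving step that TWINKLE was designed to accelerate, so the algebra is real but the factoring effort is not representative of a 512-bit modulus.

```python
"""Added example (not from the digest): factoring the public modulus recovers
the RSA private exponent. Toy-sized constructed primes; same algebra at 512 bits."""


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Multiplicative inverse of a modulo m (raises if gcd(a, m) != 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd != 1")
    return x % m


def keypair_from_primes(p, q, e=65537):
    """Honest key owner: publishes (n, e), keeps d, discards p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, e), modinv(e, phi)


def trial_division_factor(n):
    """Stand-in for a real factoring algorithm: tries every odd divisor.
    TWINKLE's job is the sieving step of the Number Field Sieve; this toy
    only works because the constructed modulus is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return d, n // d
        d += 2
    raise ValueError("n is prime")


def recover_private_exponent(n, e, p, q):
    """Attacker: with p and q in hand, phi(n) and hence d follow immediately."""
    if p * q != n:
        raise ValueError("p*q != n")
    return modinv(e, (p - 1) * (q - 1))


def rsa_factoring_demo():
    # Constructed toy primes; a 1999 target would be two ~256-bit primes.
    p, q = 10007, 10009
    (n, e), d = keypair_from_primes(p, q)
    m = 12345678                      # constructed plaintext, must be < n
    c = pow(m, e, n)                  # ciphertext as seen on the wire
    # Attacker knows only n, e and c from here on.
    p_found, q_found = trial_division_factor(n)
    d_found = recover_private_exponent(n, e, p_found, q_found)
    return {
        "modulus_bits": n.bit_length(),
        "factors_match": {p_found, q_found} == {p, q},
        "private_exponent_recovered": d_found == d,
        "plaintext_recovered": pow(c, d_found, n) == m,
    }


if __name__ == "__main__":
    print(rsa_factoring_demo())
```

The practical reading of the item above is the same as the code's: key length is the only thing standing between a captured ciphertext and this recovery, so keys at or below the size a sieving device can handle should be retired rather than defended.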
---------------
F) 04/28/1999 - The UK Government announced their completion of the
evaluation of NT 4.0 under the ITSEC regime and has awarded it a rating
of E3/F-C2. For more information see the summary posted by MS at:
http://www.microsoft.com/security/issues/e3fc2summary.asp
---------------
G) 04/07/1999 - rsync version 2.3.1 was released. This version corrects
a security vulnerability with transferring empty directories. For more
information see:
http://rsync.samba.org/cgi-bin/rsync?findid=1706#themesg
---------------
H) 04/06/1999 - procmail version 3.13.1 was released. This version
corrects several buffer overflow problems and eliminates keyword conflicts
with newer versions of gcc. The new version may be downloaded from:
http://www.procmail.org/procmail.tar.gz
For more information, see the Bugtraq article at:
http://www.geek-girl.com/bugtraq/1999_2/0040.html
---------------
I) Kurt Seifried has published a Linux Administrators Security Guide
(LASG). Check it out at: https://www.seifried.org/lasg/
---------------
J) nmap 2.2-BETA4 is now available. For more information on nmap and
to download the new version, go to:
http://www.insecure.org/nmap/index.html#download
******************
Copyright 1999, The SANS Institute. No copying, forwarding, or posting
allowed without written permission (write <[email protected]> for permission).
Email <[email protected]> for information on subscribing. You'll receive
a free subscription package and sample issue in return. To unsubscribe
or change address, forward this note to <[email protected]> with
appropriate instructions.
The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large organizations.
Archives of past issues are posted at http://www.sans.org/digest.htm .
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBN0Sn1qNx5suARNUhAQFbrgQAllPqW2KVLug24tjBrn15AeswUJYfki4O
+BnW90NxPAvNU2En1uMfgkv9qVdEzRFnMTlhD9hQ9VOg11BP7cmQ3wKpVgwUMZG5
wuERE9TWe70701DrjgvVm4eMA9Nffr4cAKvg807Sn/C/JkLwYBwOA7BwBT9LXqTR
pcuA+CqZtXk=
=h2FJ
-----END PGP SIGNATURE-----
`