Date: Thu, 21 Jan 1999 11:38:55 -0500 (EST)
From: sans@clark.net
Subject: SANS Security Digest Vol 3 Num 1

Here's the first security digest of 1999. I have almost completely re-done the
database, removed duplicates, added conference attendees, and combined the NT
list. Please return this message with directions if you'd like to unsubscribe,
change your address, or report a duplicate.

Rob

-----BEGIN PGP SIGNED MESSAGE-----

=================================================================
|  @@@@    @@    @   @   @@@@                                   |
| @       @  @   @@  @  @                                       |
|  @@@@   @  @   @ @ @   @@@@           Vol. 3, No. 1           |
|      @  @@@@@@ @  @@      @           January 20, 1999        |
|      @  @    @ @   @      @                                   |
|  @@@@   @    @ @   @   @@@@                                   |
|               The SANS Network Security Digest                |
|               Editor: Michele D. Crabb-Guel                   |
|               Contributing Editors:                           |
|   Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,   |
|   Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer,     |
|   Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard,   |
|   Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh,     |
|   Mark Edmead, Michael Kuhn                                   |
====A Resource for Computer and Network Security Professionals===

CONTENTS:

   i) LAST CHANCE TO REGISTER FOR SANS IDR99
  ii) SANS99 REGISTRATION IS NOW OPEN
 iii) CALL FOR PAPERS FOR THE FIFTH ANNUAL SANS NETWORK SECURITY CONFERENCE

   1) TCP/IP DENIAL OF SERVICE VULNERABILITY
   2) CERT SUMMARY RELEASED
   3) MULTIPLE DISCUSSIONS REGARDING "REMOTE EXPLORER" VIRUS
   4) HP SECURITY PROBLEMS AND PATCHES
   5) SUN SECURITY PROBLEMS AND PATCHES
   6) SGI SECURITY PROBLEMS AND PATCHES
   7) NT/WIN95 SECURITY PROBLEMS AND PATCHES
   8) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES
   9) LINUX SECURITY PROBLEMS AND PATCHES
  10) CISCO SECURITY PROBLEMS AND PATCHES
  11) VIRUS UPDATE INFORMATION
  12) QUICK TIDBITS

*****************************************

i) LAST CHANCE TO REGISTER FOR SANS IDR99

The Third SANS Conference and Workshop on Intrusion Detection and Response
will be held in San Diego, California, February 9-13.
The program features a unique, in-depth practical training program plus
Windows NT Security - Basic Hands-on and Advanced. For more information see:
http://sans.org/id/main.htm

============================================================================

ii) SANS99 REGISTRATION IS NOW OPEN

Registration for the Eighth Annual System Administration, Networking and
Security Conference is now open. The conference will be held in Baltimore
Inner Harbor, May 7-14. We have over 60 tutorials to choose from, including
many new ones along with the SANS classics. The technical conference will
feature 19 two-hour short courses on such topics as "Packet Filtering
Firewalls", "PKI Implementation Issues" and "Oracle DBs from a Systems
Administrator's Perspective". In addition to the short courses, we have over
25 technical talks on a wide range of topics. Register before February 26th
and receive a free book! To register online go to:
https://nt4.corpsite.com/secure_escal/SANS99register.htm

Over the next 3-4 weeks look for your SANS99 brochure and a new, updated
2-sided poster: Roadmap to Network Security and Roadmap to Intrusion
Detection and Vulnerability Analysis.

============================================================================

iii) CALL FOR PAPERS FOR THE FIFTH ANNUAL SANS NETWORK SECURITY CONFERENCE

The CFP for the Fifth Annual SANS Network Security Conference will be posted
on the SANS web site at http://www.sans.org/ns99call.html within a few days.
Submissions are due by March 15th. SANS NS'99 will be held in New Orleans,
LA, October 3rd - 10th. We will again be including the ever popular Intrusion
Detection Track!

============================================================================

1) TCP/IP DENIAL OF SERVICE VULNERABILITY (12/21/1998)

CERT released an advisory regarding a new variation of a TCP/IP vulnerability
which may lead to a denial of service attack or cause the target system to
crash.
This new vulnerability is similar to other TCP/IP DoS attacks discussed in
previous SANS Digests and in the CERT Advisory at:
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html

One defense against these types of attacks is to implement "Network Ingress
Filtering", which drops packets that enter your network with forged source
addresses. Note that filtering only keeps the spoofed-source variants (such
as Land) out at the border; it does not fix the stack bug itself, so
vulnerable hosts still need the vendor patch. More information on this
filtering can be found at:
http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt

A number of BSD-derived TCP/IP stacks are vulnerable; please consult the CERT
Advisory for a complete list:
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html

============================================================================

2) CERT SUMMARY RELEASED (12/14/1998)

CERT released their latest summary regarding current trends in Internet
incidents. The summary reported increased incidents involving: mountd
vulnerabilities, Windows-based Trojan Horse programs, widespread scans using
"mscan", and a small increase in stealth scans. For more information see the
CERT Summary at:
http://www.cert.org/summaries/CS-98.08.html

============================================================================

3) MULTIPLE DISCUSSIONS REGARDING "REMOTE EXPLORER" VIRUS (12/17/1998)

During December there was a great deal of discussion (over-rated, according
to some of the experts) about a new NT virus called "Remote Explorer". It was
discovered at a customer site on 12/17/1998; there have been no other reports
of infections. At first it was thought to be a nasty new virus, but several
of the discussions note that Remote Explorer is better described as a hybrid
worm/virus than as a virus alone, since it can transport itself to other NT
systems over the network. Several of the anti-virus vendors have updated
their definition files to include a check for Remote Explorer.
For information see the following resources:
http://www.cert.org/incident_notes/IN-98-07.html
http://www.microsoft.com/security/bulletins/remote.asp
http://www.iss.net/xforce/alerts/advise16.html
http://www.symantec.com/avcenter/warn/remoteexplorer.html

A good summary of the virus/worm was posted to Bugtraq by David LeBlanc on
12/23/1998:
http://www.geek-girl.com/bugtraq/1998_4/0700.html

============================================================================

4) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
http://us-support.external.hp.com/ (US and Canada)
http://europe-support.external.hp.com/ (Europe)
---------------
HP has not released any security bulletins since 12/16/1998.

============================================================================

5) SUN SECURITY PROBLEMS AND PATCHES

Sun Security Bulletins are available at:
http://sunsolve.sun.com/pub-cgi/secbul.pl
Sun Security Patches are available at:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
---------------
Sun has not released any security bulletins since 12/17/1998.

============================================================================

6) SGI SECURITY PROBLEMS AND PATCHES

SGI maintains a security home page at:
http://www.sgi.com/Support/security/security.html
SGI patches are available at:
ftp://ftp.sgi.com/security/
---------------
SGI has not released any security advisories since 12/10/1998.

============================================================================

7) NT/WIN95 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
http://www.microsoft.com/security/
Additional NT Security related web pages may be found at:
http://ntbugtraq.ntadvice.com/archives/default.asp
http://www.ntsecurity.net/
---------------
A) 01/05/1999 - L0pht Heavy Industries released a security advisory
regarding a vulnerability in WIN 95/98 Network File Sharing.
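The problem behind this advisory (described in the paragraph that follows)
is that the server hands every client the same SMB challenge for a fixed
window, so a response captured from one legitimate logon can be replayed by
anyone on the wire. The script below is an added illustration, not code from
L0pht or from the digest: it models a challenge/response file server whose
challenge is reused for a configurable number of seconds and shows that a
sniffed response is accepted inside the window and rejected outside it, or
when a fresh challenge is issued per connection. The HMAC-SHA256 response
function, the 8-byte challenge, the user "alice" and her key are all
constructed stand-ins; Win95/98 file sharing used the LM/NTLM response
functions, not this one.

```python
"""Toy model of SMB-style challenge/response logon with a reusable challenge.

Constructed example: the response function and key are illustrative, not the
LM/NTLM computation used by Windows 95/98 file sharing.
"""
import hashlib
import hmac
import os


def compute_response(password_key: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password-derived key for this
    challenge. Stand-in for the LM/NTLM response computation."""
    return hmac.new(password_key, challenge, hashlib.sha256).digest()


class FileServer:
    """reuse_window: seconds for which one challenge is handed to every new
    connection before a fresh one is generated (the advisory reports 15
    minutes for Win95/98). 0 means a fresh challenge for every connection."""

    def __init__(self, secrets: dict, reuse_window: float):
        self._secrets = secrets          # user -> password-derived key
        self._reuse_window = reuse_window
        self._current = None             # challenge currently being handed out
        self._issued_at = None           # when _current was generated
        self._pending = {}               # connection id -> challenge it received

    def negotiate(self, conn_id: int, now: float) -> bytes:
        """Negotiate-protocol response: give the client its 8-byte challenge."""
        stale = (
            self._current is None
            or self._reuse_window == 0
            or now - self._issued_at >= self._reuse_window
        )
        if stale:
            self._current = os.urandom(8)
            self._issued_at = now
        self._pending[conn_id] = self._current
        return self._current

    def session_setup(self, conn_id: int, user: str, response: bytes) -> bool:
        """Session-setup request: accept only if the response matches the
        challenge that was issued on this connection."""
        challenge = self._pending.pop(conn_id, None)
        key = self._secrets.get(user)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(compute_response(key, challenge), response)


def replay_attack(reuse_window: float, replay_delay: float) -> tuple:
    """One legitimate logon at t=0, captured by an eavesdropper, then replayed
    on a new connection replay_delay seconds later.
    Returns (legitimate_accepted, replay_accepted)."""
    key = b"constructed-password-derived-key"      # constructed sample secret
    server = FileServer({"alice": key}, reuse_window)

    # Legitimate client on connection 1 at t = 0.
    challenge = server.negotiate(conn_id=1, now=0.0)
    response = compute_response(key, challenge)
    legit_ok = server.session_setup(1, "alice", response)

    # The eavesdropper saw ("alice", response) on the wire but never the key.
    # She opens connection 2 later and sends the same bytes back.
    server.negotiate(conn_id=2, now=replay_delay)
    replay_ok = server.session_setup(2, "alice", response)
    return legit_ok, replay_ok


if __name__ == "__main__":
    print("15-min reuse, replay after 1 min :", replay_attack(900, 60))       # (True, True)
    print("15-min reuse, replay after 16 min:", replay_attack(900, 16 * 60))  # (True, False)
    print("fresh challenge per connection   :", replay_attack(0, 1))         # (True, False)
```

The point the model makes is that the response is only as fresh as the
challenge: once the server stops generating an unpredictable challenge per
negotiation, the response degrades into a reusable password equivalent for
the length of the reuse window, and no hashing on the client can recover that.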
A malicious user is able to reuse the SMB challenge to establish a connection
impersonating a valid user. According to the advisory, the same challenge is
used for a period of 15 minutes, during which a replay attack can be carried
out. For more information see the L0pht Advisory at:
http://www.l0pht.com/advisories/95replay.txt
---------------
B) 12/17/1998 - Microsoft announced the release of a patch for the IIS "GET"
vulnerability, which may result in a denial of service attack against an IIS
web server. The vulnerability results from the way the server handles a
malformed GET request: the process begins to consume all the server's
resources and the server hangs. This vulnerability affects IIS versions 3.0
and 4.0 on x86 and Alpha platforms. For more information see the Microsoft
Security Bulletin at:
http://www.microsoft.com/security/bulletins/ms98-019.asp
Additional information is available at:
http://support.microsoft.com/support/kb/articles/q192/2/96.asp
---------------
C) 12/23/1998 - Microsoft announced the release of a patch for the "Frame
Spoof" vulnerability in multiple versions of Internet Explorer. The
vulnerability results from the fact that cross-domain protection does not
extend to the navigation of frames. The end result is that a malicious user
could place a "dummy" frame inside a legitimate window on a valid web site.
This vulnerability was first discussed in the November 1998 SANS Digest.
Multiple versions of IE are vulnerable; please refer to the Microsoft
Security Bulletin for a complete list:
http://www.microsoft.com/security/bulletins/ms98-020.asp
Additional information is available at:
http://support.microsoft.com/support/kb/articles/q167/6/14.asp

============================================================================

8) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES

BSDI maintains a support web page at:
http://www.BSDI.COM/support/
FreeBSD maintains a security web page at:
http://www.freebsd.org/security/security.html
OpenBSD's security web page is at:
http://www.openbsd.org/security.html
NetBSD's security web page is at:
http://www.NetBSD.ORG/Security/
---------------
No security related postings were made by these groups during the period
12/18/1998 - 01/16/1999.

============================================================================

9) LINUX SECURITY PROBLEMS AND PATCHES

Red Hat Linux maintains a support page at:
http://www.redhat.com/support/
Red Hat ftp site:
ftp://updates.redhat.com/
Debian GNU/Linux maintains a security web page at:
http://www.debian.org/security/
Caldera information can be found at:
http://www.calderasystems.com
S.u.S.E. information can be found at:
http://www.suse.com
The latest Slackware release and patches can be found at:
ftp://cdrom.com/pub/linux
---------------
A) 12/22/1998 - Red Hat released a new version of their ftp client to correct
a security vulnerability. See the errata notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#ftp-client
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#ftp-client
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#ftp-client
---------------
B) 01/03/1999 - Red Hat released new boot images, new kernels and new
versions of PAM and NFS which correct several known security problems.
For more information see the errata notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#BootImg
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#NFS
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#NFS
---------------
C) 01/04/1999 - Debian GNU/Linux released a new version of netstd which
corrects two buffer overflows. For more information see the announcements at:
http://www.debian.org/Lists-Archives/debian-security-announce-9901/msg00000.html
http://www.debian.org/security/1999/19990104
---------------
D) 01/12/1999 - Red Hat released new RPMs for XFree86 that correct several
security problems. For more information see the errata notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#XFree86
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#XFree86
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#XFree86

============================================================================

10) CISCO SECURITY PROBLEMS AND PATCHES

Cisco Systems maintains an Internet Security Advisories page at:
http://www.cisco.com/warp/public/779/largeent/security/advisory.html
---------------
A) 01/11/1999 - Cisco released a Field Notice concerning a Classic IOS syslog
crash vulnerability. The vulnerability results from IOS not properly handling
invalid UDP datagrams sent to port 514, the port used for syslog. Cisco
reported that one commonly used Internet scanning tool, called nscan,
triggers these crashes.
IOS versions affected are 11.3AA, 11.3DB and any 12.0 or higher release. The
vulnerability has already been corrected in certain special releases; please
see the Cisco Field Notice for full details. As a workaround you may apply an
access list to block UDP traffic destined for port 514. Note that the crash
is triggered by datagrams addressed to the router itself; a blanket deny of
UDP port 514 on a transit interface will also drop legitimate syslog traffic
passing through the router, so scope the deny to the router's own addresses
where that matters. For additional information, see the Cisco Field Notice
at:
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Or the CIAC Information Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-023.shtml

============================================================================

11) GENERAL VIRUS UPDATE INFORMATION

We will only include items on viruses that have been widely discussed; this
is not meant to be an all-inclusive update on recent viruses. Virus
information is available from a variety of sites, including:
http://www.avpve.com/
http://www.drsolomon.com/
http://www.nai.com/
http://www.sophos.com/
http://www.symantec.com/avcenter/
A good source for virus myths and hoaxes is:
http://ciac.llnl.gov/ciac/CIACHoaxes.html
---------------
A) Sophos lists their Top Ten Viruses of 1998:
http://www.sophos.com/virusinfo/topten
---------------
B) 01/1999 - Several antivirus vendors reported that the PICTURE.EXE program
is a Trojan Horse (an AOL password stealer) and not a virus. The Trojan was
sent to many Internet users as a file attachment in late December 1998. The
file, once downloaded and opened, expands to two files, note.exe and
manager.exe, and places them in the Windows directory. The note.exe program
then tries to mail information to a site in China.
For more information see:
http://www.symantec.com/avcenter/venc/data/picture-exe-th.html
http://www.DataFellows.com/v-descs/backnote.htm
http://www.nai.com/products/antivirus/picture_exe.asp
For an associated story see:
http://www.zdnet.com/zdnn/stories/news/0,4586,2183935,00.html

============================================================================

12) QUICK TIDBITS

A) 01/18/1999 - X-Force released an ISS Vulnerability Alert regarding a
vulnerability in the BackWeb Polite Agent Protocol. The vulnerability may
allow a malicious user on the local network to spoof a BackWeb server.
According to the alert, many hardware and software vendors include BackWeb
software as part of their product distribution. The ISS Alert has not been
posted to their web site yet. For more information on BackWeb, see their web
site at:
http://www.backweb.com/home.html
---------------
B) 01/12/1999 - The Apache Group announced the release of version 1.3.4 of
the Apache HTTP server. In addition to "90 significant improvements", this
version adds support to avoid some of the current Denial of Service attacks.
For more information see:
http://www.apache.org
or the Bugtraq posting at:
http://www.geek-girl.com/bugtraq/1999_1/0166.html
---------------
C) 12/31/1998 - Sendmail version 8.9.2 was released. This version corrects a
Denial of Service vulnerability on Linux systems, as well as several other
minor bugs. For more information see:
http://www.sendmail.org/
---------------
D) 12/30/1998 - A message posted to the ssh mailing list announced that a
patch has been released for a security vulnerability in sshd2 which may
allow a valid user to request "remote forwarding from privileged ports
without being root." The patch is available at:
http://www.ssh.fi/sshprotocols2/
For more information see the Bugtraq posting at:
http://www.geek-girl.com/bugtraq/1998_4/0769.html
---------------
E) 12/25/1998 - Phrack Magazine released Issue 54 containing various
interesting articles.
To download, see:
http://www.phrack.com/
---------------
F) L0pht Heavy Industries released version 2.5 of L0phtCrack. The L0phtCrack
development team has hunkered down over the past few months and come up with
some major improvements: a 450% speed improvement; graphical network SMB
packet capture; works on NT and 95/98; a new hybrid crack that gets
combination dictionary and numeric/symbol passwords. For more information
see:
http://www.l0pht.com/l0phtcrack/
---------------
G) Network Flight Recorder released a new, experimental version of NFR,
called "Version 2.0.2 Research". This differs from the commercial version.
For more information see:
http://www.nfr.net/nfr/nfr-2.0.2-research/RELEASE_NOTES.html
---------------
H) An Irish teen has won Young Scientist of the Year with her public key
encryption code. The 16-year-old based her algorithm on 2 x 2 matrices and
named it the Cayley-Purser algorithm. According to various articles that
have appeared, the code is as much as 30 times faster than RSA. For more
information see the article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2189301,00.html

**********************
Copyright 1999, The SANS Institute. No copying, forwarding, or posting
allowed without written permission (write for permission). Email for
information on subscribing. You'll receive a free subscription package and
sample issue in return. To unsubscribe, forward this note to to join the
discussion group. As usual your name will be used only with your specific
written permission and not associated with the specific advice you offer.

============================================================================

iv) CALL FOR PARTICIPANTS: Which security software and services are worth
the money?

Please share your experiences using security products and services.
In June, SANS will publish the first "Intelligent Guide to Security Products
and Services", which will summarize the community's answers to questions
about the value of various tools and services. We'll be sending out 300,000
copies of the guide, so we want it to cover the broadest array possible. If
you have used commercial tools or hired consultants to help you develop
security policies or run vulnerability tests or any of several other
services, please share your opinions with your peers. Your responses will be
confidential. Visit http://www.delos.com/sanstool to participate.

============================================================================

v) GIFT: New data on adoption rates of Intrusion Detection tools

The January web teleconference on "trends in intrusion detection" had an
unexpected side benefit: data on adoption rates of intrusion detection. More
than 5,000 individuals registered for the program and, in registering, more
than 80% of them provided data about their industry and the status of their
implementation of host- and network-based intrusion detection systems. The
summary tables below give you a unique picture of the adoption of intrusion
detection across various industries. Columns are the percentage of
respondents in each industry who have already implemented org-wide, are
implementing a pilot, plan to implement within 6 months, are still learning,
or are planning.

Host-Based Intrusion Detection

Industry                     Implemented  Implementing  Within   Learning  Planning
                             org-wide     pilot         6 mo.
(unknown)                       3.8%         3.2%        4.4%     28.5%      5.3%
Education                       3.9%         8.6%        6.0%     49.5%     13.8%
Other Gov't                     8.6%         5.8%        5.7%     39.3%     12.1%
Manufacturing                   7.9%         6.8%        3.9%     46.3%     12.3%
Accounting/Cons/Sys Integ'r     9.9%         8.3%        6.0%     38.1%     12.4%
Software                       12.8%         6.8%        2.5%     42.0%      9.8%
Financial/Banking/Insurance    13.3%         7.0%        7.5%     30.1%     10.2%
Computer/Comm HW               11.3%         9.4%        6.4%     36.7%     12.8%
Telecomm                       14.5%         8.9%        8.5%     29.7%     14.8%
Aerospace                      10.8%        13.5%        0.0%     36.4%     13.5%
Military                       20.6%        15.3%        4.8%     23.5%     12.9%
Grand Total                     9.6%         7.4%        5.6%     36.3%     11.2%
* row totals do not sum to 100% because of missing responses

Network-Based Intrusion Detection

Industry                     Implemented  Implementing  Within   Learning  Planning
                             org-wide     pilot         6 mo.
(unknown)                       4.7%         4.3%        5.5%     25.8%      6.3%
Education                       4.5%         8.2%        5.8%     48.0%     16.2%
Other Gov't                     9.7%         7.4%        5.3%     37.9%     12.3%
Manufacturing                  11.2%         6.5%        5.4%     44.2%     11.2%
Accounting/Cons/Sys Integ'r    12.6%         6.7%        7.0%     35.5%     13.9%
Software                       12.4%         6.8%        3.0%     40.3%     13.7%
Aerospace                      10.8%         9.4%        6.7%     33.7%     10.8%
Financial/Banking/Insurance    13.1%         9.7%        7.2%     28.8%     11.1%
Computer/Comm HW               11.3%        11.7%        5.3%     36.7%     12.1%
Telecomm                       16.3%         7.4%        6.3%     30.4%     15.2%
Military                       27.8%        14.9%        6.7%     21.6%     11.0%
Grand Total                    10.9%         7.8%        5.9%     34.6%     11.9%
* row totals do not sum to 100% because of missing responses

============================================================================

vi) Call for papers: Network Security '99

The Call For Papers for Network Security '99 in New Orleans in October has
been posted to http://www.sans.org/ns99call.htm
Please consider writing a paper or organizing a panel or some other exciting
presentation.

Alan Paller & Rob Kolstad
The SANS Institute
sans@clark.net
301-951-0102

----- Upcoming Events: ------------------------  Current Publications: ----
Intr Detect & Response (San Diego 2/99)          SANS Network Security Digest
SANS '99 (Baltimore, 5/99)                       The SANS NT Digest
Network Security 99 (New Orleans, 10/99)         Windows NT Security: Step-by-Step
See http://www.sans.org for info                 Incident Handling: Step-by-Step
                                                 Intrusion Detection: Shadow Style
                                                 1998 SANS Salary Survey
                                                 WindowsNT Power Tools: Consensus