Published:
23 March 1997
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
            AUSCERT External Security Bulletin Redistribution

           ESB-97.037 -- IBM-ERS Security Vulnerability in "innd"
                              24 March 1997
===========================================================================

IBM-ERS has released the following advisory concerning a vulnerability in
the innd software.  This affects all versions up to and including INN 1.5.1.
This is NOT the same vulnerability previously described in CERT Advisory
CA-97.08, CERT Summary CS-97.02 or AUSCERT Advisory AA-96.19.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no control
over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done in accordance with site policies and procedures.

Contact information for IBM-ERS is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                          EMERGENCY RESPONSE SERVICE
                        SECURITY VULNERABILITY ALERT

24 March 1997 02:00 GMT                       Number: ERS-SVA-E01-1997:002.1
===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:  Security vulnerability in "innd" (InterNetNews server)

PLATFORMS:      All versions of INN up to and including INN 1.5.1

                *** This is NOT the same vulnerability described in CERT
                *** Advisory CA-97.08 or CERT Summary CS-97.02

SOLUTION:       Follow the procedure described in Section III, below

THREAT:         This vulnerability can be exploited remotely, and attacks
                may reach news servers located behind Internet firewalls.
===============================================================================
                            DETAILED INFORMATION

I. Description

On February 20, 1997, the CERT Coordination Center issued CERT Advisory
CA-97.08, warning of a serious vulnerability in the InterNetNews (INN)
server.  At that time, CERT/CC recommended that all sites upgrade to INN
Version 1.5.1, which contains a fix for this vulnerability; sites which are
unable to upgrade immediately were urged to apply the patches for earlier
versions that have been made available by INN's maintainer.
The complete text of CA-97.08, including updates that have been made since
the original advisory was issued, is available from:

    ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

On March 18, 1997, the CERT Coordination Center issued CERT Summary
CS-97.02, advising that CERT/CC and other incident response teams around
the world have received numerous reports concerning widespread, large-scale
attacks on INN servers throughout the world; these attacks attempt to
exploit the vulnerability described in CA-97.08.  The complete text of
CS-97.02 is available from:

    ftp://info.cert.org/pub/cert_summaries/CS-97.02

In the days since the CERT Summary was issued, security experts in IBM's
Global Security Analysis Laboratory (GSAL) at IBM's T.J. Watson Research
Center have been carefully examining and testing the INN Version 1.5.1
source code.  Their analysis has determined that while Version 1.5.1, when
installed properly, is not vulnerable to the vulnerability described in
CA-97.08 and CS-97.02, it is still vulnerable to a second, similar
vulnerability.

II. Impact

Exploitation of either vulnerability could result in serious security
breaches.  Attacks using these vulnerabilities can be launched remotely, and
have the potential to reach news servers located behind Internet firewalls.

The INN server is an implementation of the Network News Transfer Protocol
(NNTP), which is the underlying protocol of USENET.  The protocol's primary
purpose is to transfer messages between systems, allowing users throughout
the world to see them.  The exploitation of these vulnerabilities relies on
the use of a particular type of these messages called control messages.
Because control messages are propagated from server to server just like any
other message, it is possible that your site may have been compromised even
though it was not specifically targeted by an attacker.
In addition to the actual attacks being launched by several attackers
around the world, there have been several instances of sites that, in
attempting to check their own exposure to these vulnerabilities, have
inadvertently released control messages on the Internet that exploit the
vulnerabilities.  IBM-ERS joins CERT/CC in strongly discouraging sites from
using control messages as a way to check their exposure to this problem.

III. Solutions

The IBM GSAL's security experts are working with Mr. James Brister, the
current maintainer of INN, to develop a fix for the new vulnerability they
have discovered, and IBM-ERS anticipates that a new version of INN that
contains this fix will be available soon.  When this new version becomes
available, IBM-ERS urges all sites to upgrade their INN servers to the new
release as quickly as possible.

In the meantime, however, the IBM GSAL has developed the following specific
actions that you can take to address both the vulnerability described in
CA-97.08 and CS-97.02, as well as the new vulnerability they discovered this
week.

1. Download the latest version of INN (Version 1.5.1, as of this writing).
   Archive sites and additional information about INN are available from

       http://www.isc.org/inn.html

2. Install the latest version of INN, closely following the installation
   instructions and the information contained in the "README" file, both of
   which are included in the INN distribution.  In particular, IBM-ERS calls
   your attention to the following update to CA-97.08 made by CERT/CC on
   March 18, 1997:

   "If you are upgrading to INN 1.5.1, please be sure to read the README
   file carefully.  Note that if you are upgrading to 1.5.1 from a previous
   release, running a "make update" alone is not sufficient to ensure that
   all of the vulnerable scripts are replaced (e.g., parsecontrol).
   Please especially note the following from the INN 1.5.1 distribution
   README file:

       When updating from a previous release, you will usually want to do
       "make update" from the top-level directory; this will only install
       the programs.  To update your scripts and config files, cd into the
       "site" directory and do "make clean" -- this will remove any files
       that are unchanged from the official release.  Then do
       "make diff >diff"; this will show you what changes you will have to
       merge in.  Now merge in your changes (from where the files are,
       i.e. /usr/lib/news...) into the files in $INN/site.  (You may find
       that due to the bug fixes and new features in this release, you may
       not need to change any of the scripts, just the configuration
       files).  Finally, doing "make install" will install everything.

   After installing any of the patches or updates, ensure that you restart
   your INN server."

3. Make a backup copy of the INN "control.ctl" file that you use.  Then
   edit the "control.ctl" file and remove the following lines:

       sendsys:*@uunet.uu.net:*:doit=miscctl
       senduuname:*@uunet.uu.net:*:doit=miscctl
       version:*@uunet.uu.net:*:doit=miscctl
       sendsys:inn@isc.org:*:doit=miscctl
       senduuname:inn@isc.org:*:doit=miscctl
       version:inn@isc.org:*:doit=miscctl

4. Search your news spool directory for any control messages that attempt
   to exploit this vulnerability.  To do this, execute the following
   commands (the semicolon that terminates the "-exec" action must be
   escaped from the shell):

       cd YOUR_NEWS_SPOOL_DIRECTORY
       cd control
       find . -exec grep -l /bin/sed {} \;

   This will provide you with a list of offending messages, if any exist.

5. Delete the files discovered in the previous step, or move them outside
   the news spool directory hierarchy for later examination.  This will
   prevent them from affecting your news server, and from being propagated
   to the news servers your site communicates with.

IBM GSAL has carefully examined the INN source code, and also tested these
steps on a "production" news server.
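The script below is an added example and is not part of the IBM-ERS advisory, the AUSCERT bulletin, or the INN distribution. It wraps steps 3 to 5 above in two POSIX sh functions and exercises them on a constructed sample tree: the control.ctl filter removes exactly the six entries quoted in step 3 after taking the backup step 3 asks for, and the spool search is the step 4 command with the escaped `\;`, followed by the "move outside the spool hierarchy" option from step 5. The spool path, quarantine directory, and article contents are constructed for the demonstration; on a real server the spool directory and the location of control.ctl are site-specific.

```shell
#!/bin/sh
# Added example (not from the IBM-ERS/AUSCERT advisory or INN itself).
# Implements steps 3-5 of Section III on a constructed sample tree.

# Step 3: back up control.ctl, then drop the six doit=miscctl entries the
# advisory names. Prints the number of lines removed.
harden_control_ctl() {
    ctl="$1"
    # Matches only the six entries quoted in the advisory (two senders, three commands).
    pattern='^(sendsys|senduuname|version):(\*@uunet\.uu\.net|inn@isc\.org):\*:doit=miscctl$'
    cp "$ctl" "$ctl.bak" || return 1
    # grep -c exits 1 when the count is 0; the "|| true" keeps the count usable under set -e.
    removed=$(grep -c -E "$pattern" "$ctl.bak" || true)
    # grep -v exits 1 if nothing is left to print; an empty control.ctl is still a valid outcome.
    grep -v -E "$pattern" "$ctl.bak" > "$ctl" || true
    echo "$removed"
}

# Steps 4 and 5: list control articles whose text contains the advisory's
# indicator string and move them out of the spool hierarchy into a
# quarantine directory for later examination. Prints the number moved.
quarantine_control_messages() {
    spool="$1"
    quarantine="$2"
    mkdir -p "$quarantine" || return 1
    # The advisory's own check; the semicolon closing -exec must be escaped from the shell.
    list=$(find "$spool/control" -type f -exec grep -l /bin/sed {} \;)
    [ -n "$list" ] || { echo 0; return 0; }
    n=0
    # News spool article names are numeric, so plain word splitting is safe here.
    for f in $list; do
        mv "$f" "$quarantine/"
        n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on a constructed sample tree (no real spool or control.ctl is touched).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/spool/control"
cat > "$demo_dir/control.ctl" <<'EOF'
## constructed sample control.ctl: two ordinary entries plus the six the advisory removes
newgroup:*:*:mail
sendsys:*@uunet.uu.net:*:doit=miscctl
senduuname:*@uunet.uu.net:*:doit=miscctl
version:*@uunet.uu.net:*:doit=miscctl
sendsys:inn@isc.org:*:doit=miscctl
senduuname:inn@isc.org:*:doit=miscctl
version:inn@isc.org:*:doit=miscctl
checkgroups:*:*:mail
EOF
# Constructed control articles: 100 is an ordinary newgroup message, 101 carries the indicator string.
printf 'Control: newgroup misc.test\n\nconstructed benign control message\n' > "$demo_dir/spool/control/100"
printf 'Control: sendsys\n\nconstructed body that mentions /bin/sed\n' > "$demo_dir/spool/control/101"

echo "control.ctl lines removed:    $(harden_control_ctl "$demo_dir/control.ctl")"
echo "control messages quarantined: $(quarantine_control_messages "$demo_dir/spool" "$demo_dir/quarantine")"
rm -rf "$demo_dir"
```

Two points the functions make explicit: the filter is anchored on the full entry so that other control.ctl lines for the same commands (for example a site's own `sendsys` entries with a different action) are left alone, and moving flagged articles out of the spool hierarchy rather than deleting them preserves them for incident analysis while still stopping the server from acting on them or feeding them to peers.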
No ill effects have been observed, other than the printing of some spurious
warning messages.  However, because it is impossible to anticipate all
possible environments in which INN is used, the following disclaimer applies
to the procedure above:

THIS PROCEDURE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
A PARTICULAR PURPOSE.  THIS ADVISORY DOES NOT CREATE OR IMPLY ANY SUPPORT
OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS SUBSIDIARIES.

Contact IBM-ERS via electronic mail at ibm-inn-help@ers.ibm.com if you need
technical advice in obtaining or installing the necessary fixes, or in
following the procedure above.  IBM-ERS will provide this service free of
charge.

IV. Acknowledgements

IBM-ERS would like to thank the IBM Global Security Analysis Laboratory for
their work in analyzing this problem and developing the procedure outlined
above.  IBM would also like to thank James Brister, the maintainer of INN,
for his efforts in making a permanent fix for this problem available as
quickly as possible.  Finally, IBM-ERS would like to acknowledge the CERT
Coordination Center (CERT/CC) for their work on this problem.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).
As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.

To find out more about the IBM Internet Emergency Response Service, send an
electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493
(Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.  "Pretty Good Privacy" and
"PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

Copyright 1997 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not
be used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent
of increasing the awareness of the Internet community.

- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

- -----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMzXhU/WDLGpfj4rlAQEdbgQAiFZtONgGaBnrMyH3brVjkpkQ1RTg3mkc
XRxyoqsXJVeF7Ds/Yw83TQbR8whkZX0YC5U5lP+uNQFzXS2G2mpDM/F8E7zGDciY
85UK3BwQuUAfhD6NACLXukWzzdc0hq1moLQ7RSu9D2XU+Tee5TenOxqEBw8YFYvk
Web9MgQqBko=
=vRsK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMzlrryh9+71yA2DNAQHllQP/V9u9brlpnLFOO8IqzL+P7tT1UB5Lfnk1
Nai6S93Yfl1pOQp2CyazsirK1H2IoHKydwOQ0gwj8ZWjccj4+oIPUkiCYmAjJNJl
p9+T0u95rz7KWa6NgKe97oxfAdUP/EKtPrzUI8LTgQiGIQ2mhmU+c6rDvnFweCg9
nPBbIwEpduQ=
=sf0B
-----END PGP SIGNATURE-----