-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution

            ESB-97.037 -- IBM-ERS Security Vulnerability in "innd"
                              24 March 1997

===========================================================================

IBM-ERS has released the following advisory concerning a vulnerability
in the innd software.  This affects all versions up to and including
INN 1.5.1.  

This is NOT the same vulnerability previously described in CERT Advisory
CA-97.08, CERT Summary CS-97.02 or AUSCERT Advisory AA-96.19.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be made in accordance with site policies and procedures.

Contact information for IBM-ERS is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
        AUSCERT personnel answer during Queensland business hours
        which are GMT+10:00 (AEST).
        On call after hours for emergencies.


- --------------------------BEGIN INCLUDED TEXT--------------------


- -----BEGIN PGP SIGNED MESSAGE-----

- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			  SECURITY VULNERABILITY ALERT

24 March 1997 02:00 GMT                          Number: ERS-SVA-E01-1997:002.1
===============================================================================
                             VULNERABILITY  SUMMARY

VULNERABILITY:	Security vulnerability in "innd" (InterNetNews server)

PLATFORMS:	All versions of INN up to and including INN 1.5.1
		  *** This is NOT the same vulnerability described in CERT
		  *** Advisory CA-97.08 or CERT Summary CS-97.02

SOLUTION:	Follow the procedure described in Section III, below

THREAT:		This vulnerability can be exploited remotely, and attacks may
		reach news servers located behind Internet firewalls.

===============================================================================
                              DETAILED INFORMATION

I. Description

On February 20, 1997, the CERT Coordination Center issued CERT Advisory
CA-97.08, warning of a serious vulnerability in the InterNetNews (INN) server.
At that time, CERT/CC recommended that all sites upgrade to INN Version 1.5.1,
which contains a fix for this vulnerability; sites which are unable to upgrade
immediately were urged to apply the patches for earlier versions that have
been made available by INN's maintainer.  The complete text of CA-97.08,
including updates that have been made since the original advisory was issued,
is available from:

    ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd

On March 18, 1997, the CERT Coordination Center issued CERT Summary CS-97.02,
advising that CERT/CC and other incident response teams around the world have
received numerous reports concerning widespread, large-scale attacks on INN
servers throughout the world; these attacks attempt to exploit the
vulnerability described in CA-97.08.  The complete text of CS-97.02 is
available from:

    ftp://info.cert.org/pub/cert_summaries/CS-97.02

In the days since the CERT Summary was issued, security experts in IBM's
Global Security Analysis Laboratory (GSAL) at IBM's T.J. Watson Research
Center have been carefully examining and testing the INN Version 1.5.1 source
code.  Their analysis has determined that while Version 1.5.1, when installed
properly, is not affected by the vulnerability described in CA-97.08 and
CS-97.02, it is still exposed to a second, similar vulnerability.

II. Impact

Exploitation of either vulnerability could result in serious security
breaches.  Attacks using these vulnerabilities can be launched remotely, and
have the potential to reach news servers located behind Internet firewalls.

The INN server is an implementation of the Network News Transfer Protocol
(NNTP), which is the underlying protocol of USENET.  The protocol's primary
purpose is to transfer messages between systems, allowing users throughout the
world to see them.  The exploitation of these vulnerabilities relies on the
use of a particular type of these messages called control messages.  Because
control messages are propagated from server to server just like any other
message, it is possible that your site may have been compromised even though
it was not specifically targeted by an attacker.

In addition to the actual attacks being launched by several attackers around
the world, there have been several instances of sites that, in attempting to
check their own exposure to these vulnerabilities, have inadvertently released
control messages on the Internet that exploit the vulnerabilities.  IBM-ERS
joins CERT/CC in strongly discouraging sites from using control messages as a
way to check their exposure to this problem.

III. Solutions

The IBM GSAL's security experts are working with Mr. James Brister, the
current maintainer of INN, to develop a fix for the new vulnerability they
have discovered, and IBM-ERS anticipates that a new version of INN that
contains this fix will be available soon.  When this new version becomes
available, IBM-ERS urges all sites to upgrade their INN servers to the new
release as quickly as possible.

In the meantime, however, the IBM GSAL has developed the following specific
actions that you can take to address both the vulnerability described in
CA-97.08 and CS-97.02 and the new vulnerability they discovered this week.

1. Download the latest version of INN (Version 1.5.1, as of this writing).
   Archive sites and additional information about INN are available from

       http://www.isc.org/inn.html

2. Install the latest version of INN, closely following the installation
   instructions and the information contained in the "README" file, both of
   which are included in the INN distribution.

   In particular, IBM-ERS calls your attention to the following update to
   CA-97.08 made by CERT/CC on March 18, 1997:

     "If you are upgrading to INN 1.5.1, please be sure to read the README
      file carefully. Note that if you are upgrading to 1.5.1 from a previous
      release, running a "make update" alone is not sufficient to ensure that
      all of the vulnerable scripts are replaced (e.g., parsecontrol). Please
      especially note the following from the INN 1.5.1 distribution README
      file:

        When updating from a previous release, you will usually want to do
        "make update" from the top-level directory; this will only install the
        programs.  To update your scripts and config files, cd into the "site"
        directory and do "make clean" -- this will remove any files that are
        unchanged from the official release.  Then do "make diff >diff"; this
        will show you what changes you will have to merge in.  Now merge in
        your changes (from where the files are, i.e. /usr/lib/news...) into the
        files in $INN/site.  (You may find that due to the bug fixes and new
        features in this release, you may not need to change any of the
        scripts, just the configuration files).  Finally, doing "make install"
        will install everything.
      
      After installing any of the patches or updates, ensure that you restart
      your INN server."

3. Make a backup copy of the INN "control.ctl" file that you use.  Then edit
   the "control.ctl" file and remove the following lines:

       sendsys:*@uunet.uu.net:*:doit=miscctl
       senduuname:*@uunet.uu.net:*:doit=miscctl
       version:*@uunet.uu.net:*:doit=miscctl

       sendsys:inn@isc.org:*:doit=miscctl
       senduuname:inn@isc.org:*:doit=miscctl
       version:inn@isc.org:*:doit=miscctl

4. Search your new spool directory for any control messages that attempt to
   exploit this vulnerability.  To do this, execute the following commands:

       cd YOUR_NEWS_SPOOL_DIRECTORY
       cd control
       find . -type f -exec grep -l /bin/sed {} \;

   This will provide you with a list of offending messages, if any exist.

5. Delete the files discovered in the previous step, or move them outside the
   news spool directory hierarchy for later examination.  This will prevent
   them from affecting your news server, and from being propagated to the news
   servers your site communicates with.
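As an added example, not part of the IBM-ERS advisory, the AUSCERT bulletin or the INN distribution, the following POSIX shell script carries out the checks of steps 3 to 5 against constructed sample data.  It generalizes the step 3 edit by flagging any control.ctl entry that still lets a sendsys, senduuname or version message execute a command (any "doit" action, not only the six default lines listed above), and it combines steps 4 and 5 by moving the matching control articles out of the spool into a quarantine directory that preserves their spool-relative paths.  The directory layout, file names and article contents are constructed for the example; /usr/lib/news/control.ctl, /var/spool/news and /var/tmp/inn-quarantine in the usage comments are assumed paths, not ones the advisory gives.

```sh
#!/bin/sh
# Added example: audit helpers for steps 3-5 of the advisory.  Not code from
# IBM-ERS, AUSCERT or the INN distribution; the sample data is constructed.

# Step 3: list control.ctl entries that still let a sendsys, senduuname or
# version control message execute anything.  control.ctl fields are
# message:from:newsgroups:action; the risky actions are "doit" and
# "doit=<logfile>".  Prints offending lines; returns 0 if none, 1 otherwise.
audit_control_ctl() {
    hits=$(awk -F: '
        $1 ~ /^(sendsys|senduuname|version)$/ && $4 ~ /^doit/ {
            print FILENAME ":" FNR ": " $0
        }' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Step 4: the advisory's search, with the -exec terminator escaped so the
# shell passes it to find, and restricted to regular files.
find_suspect_control_messages() {
    find "$1/control" -type f -exec grep -l /bin/sed {} \;
}

# Step 5: move each matching article out of the spool into a quarantine
# directory, keeping its spool-relative path so it can be examined later.
quarantine_suspect_messages() {
    spool=$1
    qdir=$2
    find_suspect_control_messages "$spool" | while IFS= read -r f; do
        rel=${f#"$spool/"}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf 'quarantined %s\n' "$rel"
    done
}

# Constructed sample site: a control.ctl with two default-style doit lines
# and a tiny control spool with one article containing the searched string.
make_sample_site() {
    mkdir -p "$1/etc" "$1/spool/control"
    cat > "$1/etc/control.ctl" <<'EOF'
## constructed sample control.ctl, not a real site file
all:*:*:drop
sendsys:*@uunet.uu.net:*:doit=miscctl
senduuname:*:*:log=miscctl
version:inn@isc.org:*:doit=miscctl
newgroup:*:*:mail
EOF
    printf 'Control: sendsys\n\nbenign body\n' > "$1/spool/control/1001"
    printf 'Control: sendsys\n\nbody naming /bin/sed\n' > "$1/spool/control/1002"
}

# On a real site (assumed paths), source this file and run as the news user:
#   audit_control_ctl /usr/lib/news/control.ctl
#   find_suspect_control_messages /var/spool/news
#   quarantine_suspect_messages /var/spool/news /var/tmp/inn-quarantine
```

The audit reports the "version" line even though it is not one of the "*@uunet.uu.net" entries, because the point of step 3 is that no entry of those three types should be allowed to run a command at all; the "senduuname ... log=miscctl" line is left alone since logging does not execute anything.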

IBM GSAL has carefully examined the INN source code, and also tested these
steps on a "production" news server.  No ill effects have been observed, other
than the printing of some spurious warning messages.  However, because it is
impossible to anticipate all possible environments in which INN is used, the
following disclaimer applies to the procedure above:

THIS PROCEDURE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.  THIS ADVISORY DOES NOT CREATE OR IMPLY ANY SUPPORT
OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS SUBSIDIARIES.

Contact IBM-ERS via electronic mail at

    ibm-inn-help@ers.ibm.com

if you need technical advice in obtaining or installing the necessary fixes,
or in following the procedure above.  IBM-ERS will provide this service free
of charge.

IV. Acknowledgements

IBM-ERS would like to thank the IBM Global Security Analysis Laboratory for
their work in analyzing this problem and developing the procedure outlined
above.  IBM would also like to thank James Brister, the maintainer of INN, for
his efforts in making a permanent fix for this problem available as quickly as
possible.  Finally, IBM-ERS would like to acknowledge the CERT Coordination
Center (CERT/CC) for their work on this problem.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 1997 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.

- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

- -----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMzXhU/WDLGpfj4rlAQEdbgQAiFZtONgGaBnrMyH3brVjkpkQ1RTg3mkc
XRxyoqsXJVeF7Ds/Yw83TQbR8whkZX0YC5U5lP+uNQFzXS2G2mpDM/F8E7zGDciY
85UK3BwQuUAfhD6NACLXukWzzdc0hq1moLQ7RSu9D2XU+Tee5TenOxqEBw8YFYvk
Web9MgQqBko=
=vRsK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMzlrryh9+71yA2DNAQHllQP/V9u9brlpnLFOO8IqzL+P7tT1UB5Lfnk1
Nai6S93Yfl1pOQp2CyazsirK1H2IoHKydwOQ0gwj8ZWjccj4+oIPUkiCYmAjJNJl
p9+T0u95rz7KWa6NgKe97oxfAdUP/EKtPrzUI8LTgQiGIQ2mhmU+c6rDvnFweCg9
nPBbIwEpduQ=
=sf0B
-----END PGP SIGNATURE-----