From owner-freebsd-questions Mon Apr 10 23:16:34 1995 Return-Path: questions-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id XAA14310 for questions-outgoing; Mon, 10 Apr 1995 23:16:34 -0700 Received: from mail.euronet.nl (mail.euronet.nl [193.67.112.150]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id XAA14304 for ; Mon, 10 Apr 1995 23:16:30 -0700 Received: from p78.euronet.nl (p78.euronet.nl [193.67.112.238]) by mail.euronet.nl (8.6.4.1/A/UX 3.1) with SMTP id IAA12118 for ; Tue, 11 Apr 1995 08:16:20 +0200 Date: Tue, 11 Apr 1995 08:16:20 +0200 Message-Id: <199504110616.IAA12118@mail.euronet.nl> X-Sender: jg@mail.euronet.nl Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: questions@FreeBSD.org From: jg@euronet.nl (Jan_Guldemond) Subject: FORWARD: CERT Advisory - SATAN Vulnerability X-Mailer: Sender: questions-owner@FreeBSD.org Precedence: bulk >Date: Mon, 10 Apr 1995 14:58:47 -0400 >From: CERT Advisory >To: cert-advisory@cert.org >Subject: CERT Advisory - SATAN Vulnerability >Reply-To: cert-advisory-request@cert.org >Organization: CERT Coordination Center - 412-268-7090 > >============================================================================= >CA-95:07 CERT Advisory > April 10, 1995 > Vulnerability in SATAN >----------------------------------------------------------------------------- > >There is a vulnerability introduced into systems running SATAN version >1.0. This vulnerability affects all systems that support the use of >SATAN with the HTML interface. > >The CERT team recommends that you take the precautions described in >Section III below before you run SATAN and that you upgrade to SATAN >version 1.1 when available. > >As we receive additional information relating to this advisory, we >will place it in > > ftp://info.cert.org/pub/cert_advisories/CA-95:07.README > >We encourage you to check our README files regularly for updates on >advisories. > >For an overview of SATAN (Security Administrator Tool for Analyzing Systems), >see CERT advisory CA-95:06. > >----------------------------------------------------------------------------- > >I. Description > > In SATAN version 1.0, it is possible for unauthorized users to gain > root access to systems during the time SATAN is running from the root > account. This vulnerability exploits a weakness in the HTML server > started by SATAN on a random, high-numbered TCP port. Additional > details on this vulnerability will be found in the SATAN > documentation provided with SATAN version 1.1 when version 1.1 is > released. > >II. Impact > > Unauthorized users can execute programs as root. Access to an account on > the system may not be necessary to do this. > > >III. Solution > > It is expected that SATAN version 1.1 will fix this problem, and if > possible you should wait for this version before running SATAN. > > The following precautions will prevent the introduction of this > vulnerability while you are running SATAN and are recommended > whether you are running SATAN version 1.0 or 1.1. > > 1. Install all relevant security patches for the system on which you will > run SATAN. > > 2. Execute SATAN only from the console of the system on which it is > installed (e.g., do not run SATAN from an X terminal, from a diskless > workstation, or from a remote host). > > 3. Ensure that the SATAN directory tree is not NFS-mounted from a remote > system. > > 4. Ensure that the SATAN directory tree cannot be read by users other > than root. > > Note that SATAN 1.1 is expected to check systems for this SATAN 1.0 > vulnerability as part of scanning other systems. > >--------------------------------------------------------------------------- > >If you believe that your system has been compromised, contact the CERT >Coordination Center or your representative in the Forum of Incident >Response and Security Teams (FIRST). > >If you wish to send sensitive incident or vulnerability information to >CERT staff by electronic mail, we strongly advise that the e-mail be >encrypted. The CERT Coordination Center can support a shared DES key, PGP >(public key available via anonymous FTP on info.cert.org), or PEM (contact >CERT staff for details). > >Internet E-mail: cert@cert.org >Telephone: +1 412-268-7090 (24-hour hotline) > CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), > and are on call for emergencies during other hours. >Fax: +1 412-268-6989 > >Postal address: CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh, PA 15213-3890 > USA > >CERT advisories and bulletins are posted on the USENET newsgroup >comp.security.announce. If you would like to have future advisories and >bulletins mailed to you or to a mail exploder at your site, please send mail >to cert-advisory-request@cert.org. > >Past advisories, CERT bulletins, information about FIRST representatives, and >other information related to computer security are available for anonymous FTP >from info.cert.org. > > > >Copyright 1995 Carnegie Mellon University >This material may be reproduced and distributed without permission provided it >is used for noncommercial purposes and the copyright statement is included. > >CERT is a service mark of Carnegie Mellon University. > > > >