1 CA-1996-01: UDP Port Denial-of-Service Attack

Original issue date: February 8, 1996
Last revised: September 24, 1997

Updated copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of programs that launch denial-of-service attacks by creating a "UDP packet storm" either on a system or between two systems. An attack on one host causes that host to perform poorly. An attack between two hosts can cause extreme network congestion in addition to adversely affecting host performance.

The CERT staff recommends disabling unneeded UDP services on each host, in particular the chargen and echo services, and filtering these services at the firewall or Internet gateway.

Because the UDP port denial-of-service attacks typically involve IP spoofing, we encourage you to follow the recommendations in advisory CA-96.21.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed.

For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network.

II. Impact

Anyone with network connectivity can cause a denial of service. This attack does not enable them to gain additional access.

III. Solution

We recommend taking all the steps described below.

1996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

CS-1026
Cisco Systems, Inc. v. Finjan, Inc.

1. Disable and filter chargen and echo services.

This attack is most readily exploited using the chargen or echo services, neither of which is generally needed as far as we are aware. We recommend that you disable both services on the host and filter them at the firewall or Internet gateway.

To disable these services on a host, it is necessary to edit the inetd configuration file and cause inetd to begin using the new configuration. Exactly how to do this is system dependent so you should check your vendor's documentation for inetd(8); but on many UNIX systems the steps will be as follows:

1. Edit the inetd configuration file (e.g., /etc/inetd.conf).
2. Comment out the echo, chargen, and other UDP services not used.
3. Cause the inetd process to reread the configuration file (e.g., by sending it a HUP signal).

2. Disable and filter other unused UDP services.

To protect against similar attacks against other services, we recommend:

- disabling all unused UDP services on hosts and

- blocking at firewalls all UDP ports less than 900 with the exception of specific services you require, such as DNS (port 53).
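The host-side part of steps 1 and 2 above (find the UDP small services inetd still offers, comment them out, HUP inetd), as an added Python example that is not part of the advisory; the inetd.conf content is constructed for the demo and the pidfile path is an assumption that varies by system.

```python
"""Audit an inetd.conf for the UDP 'small services' CA-1996-01 says to disable.

Added example, not code from the CERT advisory. The inetd.conf content below
is constructed for the demo; the pidfile path in reload_inetd() is an assumption.
"""
import os
import signal

# echo and chargen are the services the advisory names; daytime, discard and
# time are the other classic UDP services in the same family ("other UDP
# services not used") and are treated the same way here.
LOOPABLE_UDP_SERVICES = frozenset({"echo", "chargen", "daytime", "discard", "time"})

# Constructed sample /etc/inetd.conf (not from the advisory).
# Field order: service socket_type proto wait/nowait user server args...
SAMPLE_INETD_CONF = """\
# sample inetd.conf (constructed)
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd    in.ftpd
telnet   stream  tcp  nowait  root  /usr/sbin/in.telnetd in.telnetd
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
chargen  dgram   udp  wait    root  internal
daytime  dgram   udp  wait    root  internal
#discard dgram   udp  wait    root  internal
tftp     dgram   udp  wait    root  /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
"""


def parse_inetd_conf(text):
    """Return (line_no, service, socket_type, proto) for every active entry.

    Comments and blank lines are skipped; lines with fewer than six fields
    are malformed (inetd would not start them) and are skipped too.
    """
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            continue
        entries.append((no, fields[0], fields[1], fields[2]))
    return entries


def find_udp_exposure(text, required=frozenset()):
    """Split the active UDP entries into (disable, review).

    disable: loopable small services that are not in 'required' (step 1).
    review:  every other active UDP entry; step 2 says to disable all unused
             UDP services, so each of these needs a deliberate decision.
    """
    disable, review = [], []
    for no, svc, _stype, proto in parse_inetd_conf(text):
        if not proto.startswith("udp"):
            continue
        if svc in LOOPABLE_UDP_SERVICES and svc not in required:
            disable.append((no, svc))
        else:
            review.append((no, svc))
    return disable, review


def harden_inetd_conf(text, required=frozenset()):
    """Return inetd.conf text with the loopable UDP entries commented out.

    TCP entries are left alone here because the packet-storm loop is a UDP
    problem; comment them out too if the service is simply unused.
    """
    targets = {no for no, _svc in find_udp_exposure(text, required)[0]}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        out.append("#" + line if no in targets else line)
    return "\n".join(out) + "\n"


def reload_inetd(pidfile="/var/run/inetd.pid"):
    """Step 3: send inetd SIGHUP so it rereads its configuration.

    Needs root and a pidfile; the path is an assumption (check inetd(8)).
    Returns True only if the signal was actually sent.
    """
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, signal.SIGHUP)
        return True
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    disable, review = find_udp_exposure(SAMPLE_INETD_CONF)
    for no, svc in disable:
        print(f"line {no}: UDP {svc} enabled; disable (CA-1996-01, step 1)")
    for no, svc in review:
        print(f"line {no}: UDP {svc} enabled; keep only if required (step 2)")
    print(harden_inetd_conf(SAMPLE_INETD_CONF), end="")
```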

3. If you must provide external access to some UDP services, consider using a proxy mechanism to protect that service from misuse.

Techniques to do this are discussed in Chapter 8, "Configuring Internet Services," in _Building Internet Firewalls_ by Chapman and Zwicky (see Section IV below).

4. Monitor your network.

If you do provide external UDP services, we recommend monitoring your network to learn which systems are using these services and to monitor for signs of misuse. Tools for doing so include Argus, tcpdump, and netlog.

Argus is available from

ftp://ftp.net.cmu.edu/pub/argus-1.5/
MD5 (argus-1.5.tar.gz) = 9c7052fb1742t9f6232a890267c03t3c

Note that Argus requires the TCP wrappers to install:

ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z
MD5 (tcp_wrappers_7.2.tar.Z) = 883d00cbd2dedd9bfc783b7065740e74

tcpdump is available from

ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z
MD5 (tcpdump-3.0.2.tar.Z) = c757608d5823aa68e406lebd4753e591

Note that tcpdump requires libpcap, available at ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z
MD5 (libpcap-0.0.6.tar.Z) = cda0980fi86932a7e2eebtb264laa'iaO

netlog is available from ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz
MD5 (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047c38e994b
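What "monitor for signs of misuse" looks like over tcpdump output: an added Python example, not part of the advisory or of tcpdump, that reads UDP lines in both the tcpdump 3.x and current text formats, flags traffic whose source and destination ports are both small services (the loop signature), and lists outside hosts using local small services. The capture lines and the 192.0.2.0/24 "local" network are constructed.

```python
"""Spot UDP echo/chargen packet storms and external small-service use in tcpdump output.

Added example, not from the CERT advisory or the tcpdump project. The capture
lines below are constructed; local_nets is whatever you consider your own space.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# UDP services that answer every datagram with a datagram; two of them pointed
# at each other keep exchanging packets without any further input.
SMALL_UDP_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}

# Accepts both the tcpdump 3.x shape ("... udp 16") and the current one
# ("... IP a.b.c.d.port > e.f.g.h.port: UDP, length 72"); IPv4 only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?:udp\s+(?P<len1>\d+)|UDP, length (?P<len2>\d+))"
)


def _constructed_storm(n=12):
    """n packets bouncing between chargen on 192.0.2.10 and echo on 198.51.100.7."""
    lines = []
    for i in range(n):
        ts = f"09:15:01.{i * 250:06d}"
        if i % 2 == 0:
            lines.append(f"{ts} IP 192.0.2.10.19 > 198.51.100.7.7: UDP, length 72")
        else:
            lines.append(f"{ts} IP 198.51.100.7.7 > 192.0.2.10.19: UDP, length 72")
    return lines


SAMPLE_LINES = _constructed_storm() + [
    # ordinary DNS reply from the same host: must not be flagged
    "09:15:02.100000 IP 192.0.2.10.53 > 192.0.2.200.4000: UDP, length 120",
    # old tcpdump format: an outside host poking the local echo service
    "09:15:03.000000 203.0.113.9.1025 > 192.0.2.10.7: udp 16",
    # non-UDP line: ignored
    "09:15:03.500000 arp who-has 192.0.2.1 tell 192.0.2.10",
]


def parse_tcpdump_line(line):
    """Return a dict for a UDP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "length": int(m.group("len1") or m.group("len2")),
    }


def analyze(lines, local_nets):
    """Return (loops, external_users).

    loops: [(endpoint_pair, packet_count)], busiest first, for UDP traffic
      whose source AND destination ports are both small services. Even one
      such packet is suspicious: nothing legitimate talks chargen-to-echo,
      and one spoofed datagram is enough to start the loop.
    external_users: Counter of (source_ip, service) for datagrams from
      outside local_nets to a local small-service port, i.e. "which systems
      are using these services" in the advisory's words.
    """
    nets = [ip_network(n) for n in local_nets]

    def is_local(addr):
        return any(ip_address(addr) in net for net in nets)

    pair_counts = Counter()
    external = Counter()
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        if pkt["sport"] in SMALL_UDP_PORTS and pkt["dport"] in SMALL_UDP_PORTS:
            a = (pkt["src"], pkt["sport"])
            b = (pkt["dst"], pkt["dport"])
            pair_counts[tuple(sorted((a, b)))] += 1
        if pkt["dport"] in SMALL_UDP_PORTS and is_local(pkt["dst"]) and not is_local(pkt["src"]):
            external[(pkt["src"], SMALL_UDP_PORTS[pkt["dport"]])] += 1
    loops = sorted(pair_counts.items(), key=lambda kv: -kv[1])
    return loops, external


if __name__ == "__main__":
    loops, external = analyze(SAMPLE_LINES, ["192.0.2.0/24"])
    for (a, b), n in loops:
        print(f"possible UDP loop: {a[0]}:{a[1]} <-> {b[0]}:{b[1]} ({n} packets)")
    for (src, svc), n in external.items():
        print(f"external use of {svc} from {src}: {n} packets")
```

Feed it `tcpdump -n udp` output (one line per packet) to run it against a real capture.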

5. Take steps against IP spoofing.

Because IP spoofing is typically involved in UDP port denial-of-service attacks, we encourage you to follow the guidance in advisory CA-95:01, available from www.cert.org/advisories/CA-95.01.IP.spoofing.html.

IV. Sources of further information about packet filtering

For general packet-filtering recommendations, see ftp://ftp.cert.org/pub/tech_tips/packet_filtering.

For in-depth discussions of how to configure your firewall, see

Firewalls and Internet Security: Repelling the Wily Hacker
William R. Cheswick and Steven M. Bellovin
Addison-Wesley Publishing Company, 1994
ISBN 0-201-63357

Building Internet Firewalls
Brent Chapman and Elizabeth D. Zwicky
O'Reilly & Associates, Inc., 1995
ISBN 1-56592-124-0

The CERT Coordination Center staff thanks Peter D. Skopp of Columbia University for reporting the vulnerability and Steve Bellovin of AT&T Bell Labs for his support in responding to this problem.

UPDATES

Cisco

Cisco Alert Summary: http://www.cisco.com/warp/public/146/917_security.html

Cisco Security Guide: http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm

Silicon Graphics Inc.

SGI acknowledges CERT Advisory CA-96.01 and is currently investigating. No further information is available at this time.

Copyright 1996, 1997 Carnegie Mellon University.

Revision History

Sep. 24, 1997  Updated copyright statement
Feb. 14, 1997  Introduction - updated the IP spoofing reference to CA-96.21.
               Updates section - added pointers to CISCO documents.
Aug. 30, 1996  Information previously in the README was inserted into the advisory.
Feb. 23, 1996  Updates section - added information from Silicon Graphics, Inc.
Feb. 21, 1996  Solution, Sec. III.4 - added new URL for Argus.

2 CA-1996-02: BIND Version 4.9.3

CERT(sm) Advisory CA-96.02

Original issue date: February 15, 1996
Last revised: August 13, 1997

Superseded by CA-97.22
A complete revision history is at the end of this advisory.

Topic: BIND Version 4.9.3

** This advisory has been superseded by CA-97.22.bind **

Vulnerabilities in the Berkeley Internet Name Domain (BIND) program make it possible for intruders to render Domain Name System (DNS) information unreliable. At the beginning of this year, a version of BIND (4.9.3) became available that fixes several security problems that are being exploited by the intruder community. The CERT staff urges you to install the appropriate patch from your vendor. If a patch is not currently available, an alternative is to install BIND 4.9.3 yourself. (Note: Although BIND will be further improved in the future, we urge you to upgrade now because of the seriousness of the problems addressed by version 4.9.3.) If neither of the above alternatives is possible, we strongly recommend blocking or turning off DNS name-based authentication services such as rlogin. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

Version 4.9.3 of the Berkeley Internet Name Domain (BIND) program fixes several security problems that are well known and being exploited by the intruder community to render Domain Name System (DNS) information unreliable. BIND is an implementation of the Domain Name System. (For details, see RFC 1035, a publication of the Internet Engineering Task Force.) The full distribution of BIND includes a number of programs and resolver library routines. The main program is "named", the daemon that provides DNS information from local configuration files and a local cache. The named daemon is often called /etc/named or /etc/in.named. Programs such as Telnet communicate with named via the resolver library routines provided in the BIND distribution. Services in widespread use that depend on DNS information for authentication include rlogin, rsh (rcp), xhost, and NFS. Sites may have installed locally other services that trust DNS information. In addition, many other services, such as Telnet, FTP, and email, trust DNS information. If these services are used only to make outbound connections or informational logs about the source of connections, the security impact is less severe than for services such as rlogin. Although you might be willing to accept the risks associated with using these services for now, you need to consider the impact that spoofed DNS information may have. Although the new BIND distributions do address important security problems, not all known problems are fixed. In particular, several problems can be fixed only with the use of cryptographic authentication techniques. Implementing and deploying this solution is non-trivial; work on this task is currently underway within the Internet community.

The CERT staff has received information that the next minor release of BIND nameserver will be enforcing RFC952 (as modified by RFC1123) hostname conformance as part of its SECURITY measures. Following the BIND release, hostnames that fail to conform to these rules will be unreachable from sites running these servers. Hostnames (A records) are restricted to the following characters only:

"A" - "Z", "a" - "z", "0" - "9", "." and "-"

These characters are specifically excluded: "_" and "/". For a full description of what is allowed in a hostname, please refer to RFC952 and RFC1123, available from http://ds.internic.net/ds/

RFC952: DOD INTERNET HOST TABLE SPECIFICATION, October 1985
RFC1123: Requirements for Internet Hosts -- Application and Support, October 1989

A program is available for checking hostnames and IP addresses. It is available in
ftp://info.cert.org/pub/tools/ValidateHostname/IsValid.c
ftp://ftp.cert.dfn.de/pub/tools/net/ValidateHostname/IsValid.c

The following files are in the directory (from the README):

IsValid.l       The lex/flex file containing the code for IsValidHostname and IsValidIPAddress
                MD5 (IsValid.l) = 2d35040aacae4fb12906eb1b48957776

IsValid-raw.c   The C file created by running flex on IsValid.l
                MD5 (IsValid-raw.c) = 367c7Td3ef84bc63a5c23d90eeb69330

IsValid.c       The edited file created by internalizing variable and function definitions in IsValid-raw.c
                MD5 (IsValid.c) = ffe45f1256210aeb71691f4f7cdad27f

IsValid.diffs   The set of diffs between IsValid-raw.c and IsValid.c
                MD5 (IsValid.diffs) = 3619022cf31dT35151f8e8c83cce3744

htest.c         A main routine for testing IsValidHostname and IsValidIPAddress
                MD5 (htest.c) = 2d50b2bffb537cc4e637ddlf07a187f4
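The two checks the IsValid program provides (IsValidHostname, IsValidIPAddress), re-implemented from the RFC 952/1123 rules quoted above and applied to a zone file to find A records that a conformance-enforcing BIND would make unreachable. This is an added Python example, not the IsValid.c program or anything from the advisory; the zone fragment is constructed and relative owner names are checked as written rather than qualified with $ORIGIN.

```python
"""RFC 952/1123 hostname and dotted-decimal checks, plus a zone-file audit.

Added example, not the IsValid.c program the advisory points to; it
re-implements the same two checks in Python and runs them over a
constructed zone-file fragment.
"""
import re

# RFC 952 as amended by RFC 1123 section 2.1: labels are letters, digits and
# hyphen; a label may not start or end with a hyphen (a leading digit is
# allowed since RFC 1123); "_" and "/" are not permitted anywhere.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LABEL = 63
MAX_NAME = 255


def is_valid_ip_address(text):
    """True for a dotted-decimal IPv4 address with four octets in 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)


def is_valid_hostname(name):
    """True if every label conforms and the name is not dotted-decimal."""
    if name.endswith("."):          # absolute form as written in zone files
        name = name[:-1]
    if not name or len(name) > MAX_NAME:
        return False
    labels = name.split(".")
    if any(len(lab) > MAX_LABEL or not LABEL_RE.match(lab) for lab in labels):
        return False
    # RFC 1123: a host name may never look like an IP address, so the
    # top-level label cannot be all digits.
    return not labels[-1].isdigit()


# Constructed zone-file fragment (not from the advisory).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
www        IN  A  192.0.2.10
mail_old   IN  A  192.0.2.11   ; underscore: excluded by the advisory
-gw        IN  A  192.0.2.12   ; leading hyphen: not allowed
3com       IN  A  192.0.2.13   ; leading digit: fine under RFC 1123
ftp        IN  A  192.0.2.300  ; bad address
printer    IN  A  192.0.2.14
"""


def find_nonconforming(zone_text):
    """Return (line_no, owner, reason) for each A record that fails a check.

    Handles the common zone-file layout: leading whitespace means the owner
    name repeats from the previous record; ';' starts a comment; lines
    beginning with '$' are directives. Owner names are checked as written.
    """
    problems = []
    owner = None
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = tokens.pop(0)
        if owner is None or "A" not in tokens:
            continue
        idx = tokens.index("A") + 1
        addr = tokens[idx] if idx < len(tokens) else ""
        if not is_valid_hostname(owner):
            problems.append((no, owner, "hostname violates RFC 952/1123"))
        elif not is_valid_ip_address(addr):
            problems.append((no, owner, f"bad address {addr!r}"))
    return problems


if __name__ == "__main__":
    for no, owner, reason in find_nonconforming(SAMPLE_ZONE):
        print(f"line {no}: {owner}: {reason}")
```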

II. Impact

It is possible for intruders to spoof BIND into providing incorrect name data. Some systems and programs depend on this information for authentication, so it is possible to spoof those systems and gain unauthorized access.

III. Solutions

The preferred solution, described in Section A, is to install your vendor's patch if one is available. An alternative (Section B) is to install the latest version of BIND. In both cases, we encourage you to take the additional precautions described in Section C.

A. Obtain the appropriate patch from your vendor and install it according to instructions included with the program. Redistributing BIND and all programs affected by these problems is not a simple matter, so some vendors are working on a new named daemon as an immediate patch. Although installing a new named daemon addresses some problems, significant problems remain that can be addressed only by fully installing fixes to the library resolver routines. If your vendor's patch does not include both named and new resolver routines, we recommend that you install the current version of BIND (Solution B) if possible. We also encourage you to take the precautions described in Section C. Below is a list of the vendors and the status they have provided concerning BIND. More complete information is provided in Appendix A of this advisory. We will update the appendix as we receive more information from vendors. If your vendor's name is not on the list, contact the vendor directly for status information and further instructions.

Vendor                    New named available       Full distribution available
Digital Equipment         Under investigation.      Work is under way.
Hewlett-Packard           Currently porting and testing (BIND 4.9.3) for the Q1,
                          Calendar 97 general release. Patch in process for 10.x releases.
IBM Corporation           Work is under way.
NEC Corporation           Work is under way.
Santa Cruz Operation      Under consideration.
Silicon Graphics, Inc.    Under investigation.
Solbourne (Grumman)       Customers should install BIND 4.9.3.
Sun Microsystems          Patches available.

B. Install the latest version of BIND (version 4.9.3), available from Paul Vixie, the current maintainer of BIND:
ftp://ftp.vix.com/pub/bind/release/4.9.3/bind-4.9.3-REL.tar.gz
MD5 (bind-4.9.3-REL.tar.gz) = da1908b001f8e6dc93f902589b989ef1

Also get Patch #1 for 4.9.3:
ftp://ftp.vix.com/pub/bind/release/4.9.3/Patch1
MD5 (Patch1) = 5d57adl3381e242cb08b5da0e1e9c5b9

To find the most current version of bind, see ftp://info.cert.org/pub/latest_sw_versions/

C. Take additional precautions.
To protect against vulnerabilities that have not yet been addressed, and as good security practice in general, filter at a router all name-based authentication services so that you do not rely on DNS information for authentication. This includes the services rlogin, rsh (rcp), xhost, NFS, and any other locally installed services that provide trust based on domain name information.

Appendix A

Below is information we have received from vendors. If you do not see an entry for your vendor, please contact the vendor directly for status information and further instructions.

Paul Vixie
See Updates Section

Digital Equipment Corporation
At the time of writing this advisory, Digital intends to support the final revision of BIND 4.9.3. The project plan for incorporating Version 4.9.3 BIND for Digital's ULTRIX platforms has been approved. This includes 4.3, V4.3A, V4.4 and V4.5. A similar project plan for Digital UNIX versions is under review. The first implementations will be V3.0 through V3.2D, and V4.0, when released. It is our plan to evaluate and then incorporate v4.9.3 Bind into other UNIX versions as necessary to reduce risk to our customer base. Digital will provide notice of the completion of the kits through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel.

Hewlett-Packard Company
The named daemon is under investigation. HP will provide updated information for the CERT advisory. HP is currently porting and testing BIND 4.9.3 for a general release first quarter of 1997. A patch is in process for 10.x releases. Watch for CERT advisory updates and a Security Bulletin from HP.

IBM Corporation
Work is under way.

NEC Corporation
Some systems are vulnerable. We are developing the patches and plan to put them on our anonymous FTP server. You can contact us with the following e-mail address if you need.
E-mail: 0X4B-security-support@nec.co.jp
FTP server: ftp://ftp.meshnet.or.jp

The Santa Cruz Operation, Inc.
SCO is currently considering a port of the new BIND into its product line, but no timeline is yet available. This includes SCO OpenServer and SCO UNIXWare.

Silicon Graphics Inc.
SGI acknowledges CERT Advisory CA-96.02 and is currently investigating. No further information is available at this time. As further information becomes available, additional advisories will be available from ftp://sgigate.sgi.com.

Solbourne (Grumman)
Solbourne have determined that Solbourne Computers are vulnerable. A patch is not available and they recommend Solbourne customers install BIND version 4.9.3.

Sun Microsystems, Inc.
Sun Security Patches and Bulletins are available through your local SunService and SunSoft Support Services organizations, via the security-alert alias (security-alert@sun.com) and on SunSolve Online: http://sunsolve1.sun.com/

SunOS 5.3/Solaris 2.3
  101359-03  SunOS 5.3: DNS spoofing is possible per CERT CA-96.02
  101739-12  sendmail patch
  102167-03  nss_dns.so.1 rebuild for BIND 4.9.3
  103705-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.4/Solaris 2.4
  102479-02  SunOS 5.4: DNS spoofing is possible per CERT CA-96.02
  102066-11  sendmail patch
  102165-03  nss_dns.so.1 rebuild for BIND 4.9.3
  103706-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.4_x86/Solaris 2.4_x86
  102480-02  SunOS 5.4_x86: DNS spoofing is possible per CERT CA-96.02
  102064-10  sendmail patch
  102166-03  nss_dns.so.1 rebuild for BIND 4.9.3
  103707-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.5/Solaris 2.5
  103667-01  SunOS 5.5: DNS spoofing is possible per CERT CA-96.02
  102980-07  sendmail patch
  103279-02  nscd/nscd_nischeck rebuild for BIND 4.9.3
  103703-01  nss_dns.so.1 rebuild for BIND 4.9.3
  103708-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.5_x86/Solaris 2.5_x86
  103668-01  SunOS 5.5_x86: DNS spoofing is possible per CERT CA-96.02
  102981-07  sendmail patch
  103280-02  nscd/nscd_nischeck rebuild for BIND 4.9.3
  103704-01  nss_dns.so.1 rebuild for BIND 4.9.3
  103709-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.5.1/Solaris 2.5.1
  103663-01  SunOS 5.5.1: DNS spoofing is possible per CERT CA-96.02
  103594-03  sendmail patch
  103680-01  nscd/nscd_nischeck rebuild for BIND 4.9.3
  103683-01  nss_dns.so.1 rebuild for BIND 4.9.3
  103686-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.5.1_ppc/Solaris 2.5.1_ppc
  103665-01  SunOS 5.5.1_ppc: DNS spoofing is possible per CERT CA-96.02
  103596-03  sendmail patch
  103682-01  nscd/nscd_nischeck rebuild for BIND 4.9.3
  103685-01  nss_dns.so.1 rebuild for BIND 4.9.3
  103688-01  rpc.nisd_resolv rebuild for BIND 4.9.3

SunOS 5.5.1_x86/Solaris 2.5.1_x86
  103664-01  SunOS 5.5.1_x86: DNS spoofing is possible per CERT CA-96.02
  103595-03  sendmail patch
  103681-01  nscd/nscd_nischeck rebuild for BIND 4.9.3
  103684-01  nss_dns.so.1 rebuild for BIND 4.9.3
  103687-01  rpc.nisd_resolv rebuild for BIND 4.9.3

The CERT Coordination Center wishes to thank Paul Vixie for his efforts in responding to this problem and his aid in developing this advisory.

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information

Email           cert@cert.org

Phone           +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4), and are on call for emergencies during other hours.

Fax             +1 412-268-6989

Postal address  CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                USA

To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org

CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce

Copyright 1996 Carnegie Mellon University

This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University.

UPDATES

June 25, 1997

If you are running BIND 8.1 you want to upgrade. The current version of BIND (8.1.1) is available by anonymous FTP from
ftp://ftp.isc.org/isc/bind/src/8.1.1
If you are still running BIND-4 rather than BIND-8, you need the security patches contained in BIND 4.9.6. Available from
ftp://ftp.isc.org/isc/bind/src/4.9.6/
The author of BIND encourages sites to switch to BIND-8.

Revision History

Aug. 13, 1997  This advisory superseded by CA-97.22.
June 25, 1997  Appendix, Changed Vixie entry to point to Updates.
               Updates section - Current release information.
May 22, 1997   Updates section - noted current version of BIND and new location for the BIND archives.
Aug. 30, 1996  Information previously in the README was inserted into the advisory.
Aug. 01, 1996  Appendix - updated Sun patch information
Apr. 08, 1996  Sec. I - added information about the next release of BIND and the IsValid program to the end of the section
Mar. 29, 1996  Appendix, Sun - added information
Feb. 27, 1996  Appendix, SGI - added an entry
Feb. 21, 1996  Appendix, IBM & Solbourne - added entries

3 CA-1996-03: Vulnerability in Kerberos 4 Key Server

Original issue date: February 21, 1996
Last revised: September 24, 1997

Updated copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of a vulnerability in the Kerberos Version 4 server. On unpatched Kerberos 4 systems, under certain circumstances, intruders can masquerade as authorized Kerberos users and gain access to services and resources not intended for their use. The CERT team recommends that you apply one of the solutions given in Section III.

The Kerberos Version 5 server running in Version 4 compatibility mode is also vulnerable under certain circumstances. The Massachusetts Institute of Technology (MIT) is working on the patches for that version.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

The Kerberos Version 4 server is using a weak random number generator to produce session keys. On a computer of average speed, the session key for a ticket can be broken in a maximum of 2-4 minutes, and sometimes in much less time. This means that usable session keys can be manufactured without a user first being authorized by Kerberos.

II. Impact

Under certain circumstances, intruders can masquerade as authorized Kerberos users and gain access to services and resources not intended for their use.

III. Solution

If you are running Kerberos Version 4 and have built Kerberos from a source distribution, use solution A. If you have obtained Kerberos 4 binaries from a vendor, use solution B. If you are now using Kerberos Version 5, be aware that MIT is working on patches for that version. Notice will be made when the patches are available.

A. Solution for Source Distributions

If you have built Kerberos Version 4 from source, follow these instructions to retrieve the fixes necessary to correct this problem:

Use anonymous FTP to athena-dist.mit.edu. Change directory to /pub/kerberos, fetch and read "README.KRB4" found in that directory. It will provide the name of the distribution directory (which is otherwise hidden and cannot be found by listing its parent directory). Change directory to the hidden distribution directory. There you will find the original Kerberos distribution plus a new file named "random_patch.tar.Z" (and random_patch.tar.gz for those with "gzip"). This tar file contains two files, the patch itself and a README.PATCH file. Read this file carefully before proceeding.

As of February 23, 1996, MIT has updated the patch described in advisory CA-96.03. The actual patch has not changed, but the README.PATCH file (part of random_patch.tar.*) which contains instructions on how to install the patch has been edited to include the following new paragraph:

IMPORTANT: After running fix_kdb_keys you must kill and restart the kerberos server process (it has the old keys cached in memory). Also, if you operate any Kerberos slave servers, you need to perform a slave propagation immediately to update the keys on the slaves.

Updated files are now available on "athena-dist.mit.edu" including an updated random_patch.md5 file which contains the MD5 checksums of random_patch.tar.*. The PGP Signature is issued by Jeffrey I. Schiller <jis@mit.edu> using PGP keyid 0x0DBF906D. The fingerprint is

DDDCSSAASIZDCDDDSBAOA 63 59 Cl 65AD01

The updated files are also available from

ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/

The new checksums are

MD5 (random_patch.md5) = ecf54120945?2e183aa33ae465fl97b3
MD5 (random_patch.tar.Z) = e925b687a05a8c6321b2305026253315
MD5 (random_patch.tar.gz) = 003226914427094a642fd1f067f589d2

These files are also available from

ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.md5
ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.tar.Z
ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.tar.gz

The checksums are the same as above.

B. Solution for Binary Distributions

Contact your vendor.

Some vendors who provide Kerberos are sending the CERT Coordination Center information about their patches. Thus far, we have received information from one vendor and placed it in the appendix of this advisory. We will update the appendix as we hear from vendors.

`3: CA—1996-03: Vulnerability in Kerberos 4 Key Server
`
`Appendix A: Vendor Information
`
`Below is information we have received from vendors concerning the vulnerability described in
`this advisory. Ifyou do not see your vendor‘s name, please contact the vendor directly for infor-
`mation.
`
`The Santa Cruz Operation, inc.
`
`The Kerberos 4 problem does not affect SCO.
`
`SCO OpenServer, SCO Open Desktop, SCO UnixWare, SCO Unix, and SCO Xenix do not sup-
`port Kerberos.
`-
`
`The SCO Security Server, an add—on product for SCO OpenServer 3 and SCO OpenServer 5, sup-
`ports Kerberos V5 authentication. This product cannot be configured to be Kerberos V4 compati—
`ble; therefore, it is not vulnerable.
`
`TGV Software, Inc.
`
`TGV has made two Kerberos ECO kits available (one for MultiNet V3.4 and one for V3.5) for
`Anonymous FTP. Ifyou are running Kerberos, we _strongly__ urge you to apply this kit.
`
`To obtain the kit, FTP to ECO.TGV.COM, username ANONYMOUS, password either
`KERBEROS-034 or KERBEROS—035 (depending on the version of MultiNet that you are nin-
`ning) and download the ECO kit: Milanonymous:kcrberos-035_@eco.tgv.com.
`
`The kit is available in both VMS BACKUP save set format as well as in a compressed .ZIP file.
`Use VMSINSTAL to apply the ECO.
`
`Once you have completed the upgrade, the KlTREMARK.VUR file fi'orn the ECO kit will be dis-
`played providing instructions during the installation process.
`
`Ifyou have any questions, please send an e-mail message to
`
`Multiixlet-VMS@Sppport.TGV.COi\/L
`
`Transarc Corporation
`
`Kerberos Version 4.0 is used in our APB product (all versions of AFS), while Kerberos Version
`5.0 is used in our DCE product (Kerberos Version 5.0 is used in ALL DCE products).
`
`In light of the COAST work, Transarc is doing a security review of Kerberos 4.0 and AFS. We
`expect to provide some procedural changes to improve security in new cells, and we will make
`code changes as necessary. OSF also reviewed Kerberos 5.0, and they have released a source
`patch for Kerberos 5.0 that strengthens the random number generator in Kerberos 5.0. This patch
`is relevant to all versions of DCE (but not to AFS since it is based on Kerberos 4.0).
`
`1996 CERT ADVISORIES | SOFnNARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DTSTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
`
`15
`
`

`

`3: GA-1996—03: Vulnerability in Kerberos 4 Key Server
`
Transarc has this OSF patch available for DCE 1.1 on Solaris 2.4, DCE 1.0.3a on Solaris 2.4,
DCE 1.0.3a on Solaris 2.3, and DCE 1.0.3a on Sun OS 4.1.3. Please contact Transarc Customer
Support for access to these patches.

Please feel free to contact me directly if you have further questions about this issue.

For pointers and background on these issues please refer to
http://www.transarc.com/afs/transarc.com/public/www/Public/Support/security-update.html.

Liz Hines

Hines@transarc.com


The CERT Coordination Center thanks Jeffrey Schiller and Theodore Ts'o of Massachusetts
Institute of Technology for their effort in responding to this problem, and thanks Gene Spafford of
COAST for the initial information about the problem.
`
Copyright 1996 Carnegie Mellon University.

Revision History

Sep. 24, 1997 Updated copyright statement

Aug. 30, 1996 Information previously in the README was inserted into
the advisory.

Mar. 08, 1996 Appendix, TGV Software & Transarc - added entries

Feb. 23, 1996 Sec. III.A - noted a change in the readme.patch file
and put new MD5 checksums at the end of the section.

4 CA-1996-04: Corrupt Information from Network Servers

Original issue date: February 22, 1996
Last revised: April 28, 1998
Corrected URL for obtaining RFCs. Removed obsolete references to a latest_sw_versions directory.

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of intruders exploiting systems by corrupting
data provided by a Domain Name Service (DNS) server. Although these reports have focused
only on DNS, this vulnerability could apply to any networ
