FBI warns as Unix web server flaw gets automated

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/21438.html

By John Leyden
Posted: 03/09/2001 at 15:56 GMT

A worm called x.c, which takes advantage of a buffer overflow
vulnerability in the telnet daemon program commonly used on Unix
boxes, has being discovered, and security experts fear it is a
harbinger of worse to come.

Many of these organisations, such as the FBI's National Infrastructure
Protection Centre, overplayed the destructive nature of the Code Red
worm but that's not to say there isn't a problem here. The security
loophole might allow an attacker to take control of a victim's system,
and it is suspected as the root cause behind a number of recent hacks,
so it's well worth reviewing the vulnerability.

The flaw, which was first reported last month, primarily affects
BSD-derived Telnet daemons, which are used on Solaris, AIX, HP-UX and
several versions of Linux-based servers, for example. More information
on affected systems, possible workarounds and how to obtain fixes has
been published by CERT and is available here.

-=-

http://www.nipc.gov/warnings/assessments/2001/01-019.htm

ASSESSMENT 01-019

"Buffer Overflow Vulnerability in Telnet Daemon"
August 30, 2001 

Synopsis: Recently, the cyber security community received numerous
reports of intruders using the buffer overflow vulnerability in the
telnet daemon program. Security organizations, such as
CERT/Coordination Center, cited this vulnerability in a July advisory
(http://www.cert.org/advisories/CA-2001-21.html) outlining the
vulnerability and solutions to address this problem. Due to the
increase of these reports and with the activity of a new worm that has
targeted this vulnerability, the NIPC urges the consumers to contact
their vendors to obtain the appropriate fix. This vulnerability has
the potential to impact the victim by allowing an intruder to copy,
delete, or execute any program on the victim's system.

A new worm called "x.c", designed to exploit this vulnerability, has
been discovered. Although that specific worm has been disabled, other
malicious code variants could take advantage of the same
vulnerability. Vendor patches are available and NIPC urges consumers
to contact their vendor to obtain the appropriate fix for their
operating system.

This vulnerability affects primarily FreeBSD-derived telnet daemons
(including Solaris, AIX, and several versions of Linux), but some
information suggests other vendors= telnet daemons may also be subject
to attack using the same method.

A list of vulnerable systems, along with links to vendor patches, can
be obtained at http://www.securityfocus.com/bid/3064. It is
recommended that users of these operating systems check with their
vendor for applicable patches, or disable the telnet daemon entirely.

Further information on the vulnerability can be found at:
http://www.cert.org/advisories/CA-2001-21.html
http://www.net-security.org/text/bugs/996661549,7633,.shtml

Any information regarding the above worm or any other exploitation of
the buffer overflow vulnerability should be reported to the NIPC or
other authorities. Incidents may be reported online at
http://www.nipc.gov/incident/cirr.htm, directly to the NIPC Watch and
Warning Unit at (202) 323-3204/3205/3206 or nipc.watch@ fbi.gov.
Government agencies should report incidents to FedCIRC at
http://www.fedcirc.gov, fedcirc () fedcirc gov, or 1-888-282-0870.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.