
Conference minotr::security_advisory

Title: SECURITY_ADVISORY
Notice: Security is Everyone's Responsibility
Moderator: MINOTR::NOBLE
Created: Wed Dec 22 1993
Last Modified: Thu May 29 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 148
Total number of notes: 459

135.0. "CISG Security Advisory 1997-03, INN Vulnerability" by MINOTR::NOBLE (Your Data, Your Job...Protect Both) Sun Mar 23 1997 14:00

         DIGITAL INTERNAL USE ONLY
************************************************
*        CORPORATE SECURITY
*        CORPORATE INFORMATION SECURITY GROUP
*        Mar 23, 1997
*        SECURITY ADVISORY #97-03
*
************************************************
[DO NOT DELETE THIS BANNER]

This security advisory is for immediate distribution to
all system managers and internal personnel who are supporting
1.  INN (InterNetNews) server versions up to and including V1.5;
2.  Netscape News Server versions up to and including V1.12.

Cost Center managers hosting contract personnel are responsible 
for ensuring appropriate forwarding of this advisory.


SUBJECT:  Major Security Vulnerability in INN Server Software

The CERT Coordination Center has released CERT Advisory CA-97:08
which reports that a vulnerability exists in all versions of INN
(InterNetNews server) up to and including version 1.5.


IMPACT:

CA-97:08 states:

*************************************************
"This vulnerability allows unauthorized users to execute arbitrary
commands on the machine running INN by sending a maliciously formed
news control message. Because the problem is with the content of
news control messages, attacks can be launched remotely and may
reach news servers located behind Internet firewalls."
*************************************************
End CA-97:08 Information
*************************************************

NOTE: CISG has learned that Netscape News Server V1.12 includes a
modified version of INN V1.4 and therefore may be vulnerable to such
intrusions.  However, no reports have been received to date of
successful intrusions on Netscape News Server V1.12.


REQUIRED ACTIONS:  THIS IS A MANDATORY SECURITY UPDATE

System managers and other personnel supporting INN must upgrade to
INN V1.5.1, or appropriate third party solutions implementing INN
V1.5.1.  

DIGITAL IAS provides a freeware kit for INN V1.5.1.  This kit is
internally available via anonymous ftp at:
    speedi.zko.dec.com
        /pub/DEC/IAS/inn-1.5.1.tar.gz

System managers and other personnel supporting Netscape News Server
V1.12 or older must upgrade to Netscape News Server 2.01.  At this
time, the following kits are internally available from the IBG
Engineering Software Distribution Server at URL:
    http://ibgzko.zko.dec.com/sdk/
        Netscape News Server 2.01 for Digital Unix 
        Netscape News Server 2.01 for NT/Alpha 
        Netscape News Server 2.01 for NT/Intel 
Contact your Netscape support channel if you have further questions.

For other implementations of INN, CA-97:08 provides the following
information:

*************************************************
Solution 
--------      

Upgrade to INN 1.5.1. Until you can do so, install the patches
available from James Brister or get help from your vendor, if it is
available.

  A. Upgrade to INN 1.5.1

      The current version of INN is 1.5.1, which does not have 
      this vulnerability. Archive sites for INN version 1.5.1 
      along with additional information about INN are given at

        http://www.isc.org/inn.html

      The MD5 checksum for the gzip'ed tar file is

        MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4

Install Patches 
---------------

Until you are able to upgrade to INN 1.5.1, we recommend installing
the following patches, which have been made available by James
Brister, the current maintainer of INN.

For releases inn1.4unoff3, inn1.4unoff4, and inn1.5 (all versions),
apply "security-patch.01" at 

        ftp://ftp.isc.org/isc/inn/patches/security-patch.01
        MD5 (security-patch.01) = 06131a3d1f4cf19d7d1e664c10306fa8

For release 1.4sec, Brister recommends upgrading to a newer version,
but he has made the patch "security-patch.02" available at

        ftp://ftp.isc.org/isc/inn/patches/security-patch.02
        MD5 (security-patch.02) = 3a964ba0b2b2baf678ef554c67bb28f2


Consult Your Vendor 
-------------------

Below is a list of vendors who have provided information about this
problem. Details are in Appendix A of this advisory; we will update
the appendix as we receive more information. If your vendor's name
is not on this list, the CERT/CC did not hear from that vendor.
Please contact your vendor directly. 

           Berkeley Software Design, Inc. (BSDI)
           Caldera
           Cray Research - A Silicon Graphics Company
           Debian Linux
           Red Hat
*************************************************
End CA-97:08 Information
*************************************************
           
Note:  CA-97:08 Appendix A is provided in the following ADDITIONAL
INFORMATION.
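
The checksum lines quoted in this advisory come in more than one layout ("MD5 (file) = digest" in the CERT solution text, "digest ... file" in the vendor entries), so the following added example, which is not part of the advisory or of CA-97:08, parses either layout and compares it with the digest of a downloaded kit. The function names are hypothetical and GNU md5sum is assumed to be installed.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical. Assumes GNU md5sum.
LC_ALL=C; export LC_ALL                # make [0-9a-f] mean ASCII only

# expected_md5 <checksum line> <file name>
# Prints the 32-hex-digit digest the line gives for that file name.
# Accepts "MD5 (name) = digest" and "digest [other fields] name".
expected_md5() {
    name=$2
    set -f; set -- $1; set +f          # split into words without globbing
    if [ "$#" -eq 4 ] && [ "$1" = MD5 ] && [ "$2" = "($name)" ] && [ "$3" = "=" ]; then
        digest=$4
    elif [ "$#" -ge 2 ]; then
        digest=$1
        for last in "$@"; do :; done   # last word must be the file name
        [ "$last" = "$name" ] || return 1
    else
        return 1
    fi
    case $digest in *[!0-9a-f]*) return 1 ;; esac
    [ "${#digest}" -eq 32 ] || return 1
    printf '%s\n' "$digest"
}

# verify_kit <file> <checksum line>
# 0 = digest matches, 1 = mismatch, 2 = line unusable or file unreadable.
verify_kit() {
    want=$(expected_md5 "$2" "$(basename "$1")") || return 2
    got=$(md5sum < "$1") || return 2
    got=${got%% *}                     # md5sum prints "digest  -"
    [ "$got" = "$want" ]
}

# Usage with a line copied from the advisory:
# verify_kit inn-1.5.1.tar.gz 'MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4'
```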


ADDITIONAL INFORMATION:

CA-97:08 states:

*************************************************
Description
-----------

The INN daemon (innd) processes "newgroup" and "rmgroup" control
messages in a shell script (parsecontrol) that uses the shell's
"eval" command. However, some of the information passed to eval
comes from the message without adequate checks for characters that
are special to the shell.

This permits anyone who can send messages to an INN server - almost
anyone with Usenet access - to execute arbitrary commands on that
server. These commands run with the uid and privileges of the "innd"
process on that server. Because such messages are usually passed
through Internet firewalls to a site's news server, servers behind
such firewalls are vulnerable to attack. Also, the program executes
these commands before checking whether the sender is authorized to
create or remove newsgroups, so checks at that level (such as
running pgpverify) do not prevent this problem.

All versions of INN through 1.5 are vulnerable. You can determine
which version of INN your site is running by connecting to the NNTP
port (119) of your news server. For example:

  % telnet news.your.site 119
  Connected to news.your.site
  Escape character is '^]'.
  200 news.your.site InterNetNews server INN 1.4unoff405-Mar-96 ready

    Type "quit" to exit the connection. Note that this does not
    indicate whether or not the patch recommended below has been
    installed.


Appendix A - Vendor Information 
-------------------------------

Below is a list of the vendors who have provided information for
this advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact the vendor directly.


Berkeley Software Design, Inc. (BSDI) 
==================================== 
  We ship INN as part of our distribution.  BSD/OS 2.1 includes INN
  1.4sec and 2.1 users should apply the patch referenced in the
  advisory.  BSD/OS 3.0 includes INN 1.4unoff4 and the patch for
  that version is already included so BSD/OS 3.0 is not vulnerable
  as distributed.


Caldera 
=======
  An upgrade package for Caldera OpenLinux Base 1.0 will appear at
  Caldera's site:

ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm

  MD5 sum is:
    3bcd3120b93f41577d3246f3e9276098  inn-1.5.1-2.i386.rpm


Cray Research - A Silicon Graphics Company
==========================================
  Cray Research has never shipped any news server with Unicos.


Debian Linux
============

  The current version of INN shipped with Debian is 1.4unoff4.
  However the "unstable" (or development) tree contains inn-1.5.1.
  It can be gotten from any debian mirror in the subdirectory

	debian/unstable/binary/news

d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
205850779d2820f03f2438d063e1dc51 45230 news optional inn-dev_1.5.1-1_i386.deb
badbe8431479427a4a4de8ebd6e1e150 31682 news optional inewsinn_1.5.1-1_i386.deb


Red Hat  
=======
  All users of Red Hat 4.0 and Red Hat 4.1 are urged to upgrade to
  the inn-1.5.1-3 package available from ftp.redhat.com. The same
  package will work on both 4.0 and 4.1 systems, and is available
  from ftp.redhat.com in /updates/4.0 and /updates/4.1. Users with
  direct Internet connections can upgrade with one of the following
  commands:

  i386:	
  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-3.i386.rpm

  alpha (note the --ignorearch is only needed for Red Hat 4.0/AXP
  users):
  rpm -Uvh --ignorearch \
      ftp://ftp.redhat.com/4.1/updates/i386/inn-1.5.1-3.alpha.rpm

  SPARC:
  rpm -Uvh \
      ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-3.alpha.rpm

  All of these packages have been signed with Red Hat's PGP key,
  which is available on all Red Hat CDROMs, ftp.redhat.com, and
  public keyservers.

*************************************************
End CA-97:08 Information
*************************************************
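
The Description quoted above attributes the problem to message fields reaching the shell's "eval" without checks for shell-special characters. The following added example, which is not INN's parsecontrol, not security-patch.01 and not part of CA-97:08, shows that pattern next to plain assignment and an allowlist check. All function names, the allowlist policy and the sample field are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration. This is NOT INN's parsecontrol and NOT security-patch.01;
# every function and variable name below is hypothetical.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lower case only

# Unsafe pattern: a field from the message is spliced into text that the
# shell parses a second time, so shell-special characters in the field
# become shell syntax instead of data.
set_group_unsafe() {
    eval "GROUP=$1"
}

# Safe pattern: plain assignment. The value is stored, never re-parsed.
set_group_plain() {
    GROUP=$1
}

# Allowlist check (assumed policy): dot-separated components of [a-z0-9+_-].
valid_group_name() {
    case $1 in
        ''|.*|*.|*..*)   return 1 ;;   # empty name or empty component
        *[!a-z0-9.+_-]*) return 1 ;;   # any character outside the allowlist
    esac
    return 0
}

# Validate first, then act. Prints "accept <cmd> <group>" or "reject".
process_control() {
    case $1 in
        newgroup|rmgroup) ;;
        *) echo reject; return 1 ;;
    esac
    valid_group_name "$2" || { echo reject; return 1; }
    set_group_plain "$2"
    echo "accept $1 $GROUP"
}

# Constructed sample field: the text after ';' is only a marker assignment.
SAMPLE='comp.test;MARKER=changed'
MARKER=unchanged; set_group_unsafe "$SAMPLE"
echo "eval:  GROUP=$GROUP MARKER=$MARKER"
MARKER=unchanged; set_group_plain "$SAMPLE"
echo "plain: GROUP=$GROUP MARKER=$MARKER"
process_control newgroup "$SAMPLE" || true
process_control newgroup comp.os.linux
```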


COMPLIANCE:

1.  Per Corporate Security Policy CP211-00, this mandatory
    security update must be installed, or put into functional
    qualification testing if required, within one (1) week of
    receiving notification of the security update.

2.  Issues relating to non-compliance with this mandatory
    security update MUST be addressed with your geography
    information security contact. Please refer to the Contact
    Information section of this advisory.


CONTACT INFORMATION:

For any support questions concerning your version of the INN server,
please contact the appropriate software vendor.

To report a potential security incident or software security
vulnerability, or general questions concerning information security,
up-to-date reference information on local Information Security
contacts can be found at the following locations:

    INTERNAL WWW SERVERS
      Corporate Security
        http://corpsec.mso.dec.com/
      Information Services Security
        http://www-is-security.mso.dec.com/
      
    VIDEOTEXT SERVERS
      $ VTX SECURITY


NOTE:

    The only authorized source of computer/network security
related advisories and bulletins for Digital is the
Corporate Information Security Group.  Please advise your
system managers and users of Digital's computers and
networks that any security warnings, alerts, advisories, and
bulletins, especially those requiring responsive action on
their part, are the explicit responsibility of the
Corporate Information Security Group.

    If an internal or external advisory or bulletin is received
from other sources and no information on the topic has been
received from CISG, please contact our group at DTN 223-8900.
This allows a single focus for all security advisory and 
bulletin information for our Company.

    All security advisories and bulletins can be found via the
Security Advisory Notefile MINOTR::SECURITY_ADVISORY
(http://www-notes.lkg.dec.com/minotr/security_advisory) or 
VTX SECURITY.


The preceding CERT information has been provided for DIGITAL 
internal use only under the following copyright agreement:

-----------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and the copyright 
statement is included.

CERT is a service mark of Carnegie Mellon University.
-----------------------------------------


DIGITAL INTERNAL USE ONLY

    