[ISN] FBI warns as Unix web server flaw gets automated

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 02:15:19 PDT

  • Next message: InfoSec News: "[ISN] Another flaw in PGP reported. Need Dutch translator."

    By John Leyden
    Posted: 03/09/2001 at 15:56 GMT
    A worm called x.c, which takes advantage of a buffer overflow
    vulnerability in the telnet daemon program commonly used on Unix
    boxes, has being discovered, and security experts fear it is a
    harbinger of worse to come.
    Many of these organisations, such as the FBI's National Infrastructure
    Protection Centre, overplayed the destructive nature of the Code Red
    worm but that's not to say there isn't a problem here. The security
    loophole might allow an attacker to take control of a victim's system,
    and it is suspected as the root cause behind a number of recent hacks,
    so it's well worth reviewing the vulnerability.
    The flaw, which was first reported last month, primarily affects
    BSD-derived Telnet daemons, which are used on Solaris, AIX, HP-UX and
    several versions of Linux-based servers, for example. More information
    on affected systems, possible workarounds and how to obtain fixes has
    been published by CERT and is available here.
    ASSESSMENT 01-019
    "Buffer Overflow Vulnerability in Telnet Daemon"
    August 30, 2001 
    Synopsis: Recently, the cyber security community received numerous
    reports of intruders using the buffer overflow vulnerability in the
    telnet daemon program. Security organizations, such as
    CERT/Coordination Center, cited this vulnerability in a July advisory
    (http://www.cert.org/advisories/CA-2001-21.html) outlining the
    vulnerability and solutions to address this problem. Due to the
    increase of these reports and with the activity of a new worm that has
    targeted this vulnerability, the NIPC urges the consumers to contact
    their vendors to obtain the appropriate fix. This vulnerability has
    the potential to impact the victim by allowing an intruder to copy,
    delete, or execute any program on the victim's system.
    A new worm called "x.c", designed to exploit this vulnerability, has
    been discovered. Although that specific worm has been disabled, other
    malicious code variants could take advantage of the same
    vulnerability. Vendor patches are available and NIPC urges consumers
    to contact their vendor to obtain the appropriate fix for their
    operating system.
    This vulnerability affects primarily FreeBSD-derived telnet daemons
    (including Solaris, AIX, and several versions of Linux), but some
    information suggests other vendors= telnet daemons may also be subject
    to attack using the same method.
    A list of vulnerable systems, along with links to vendor patches, can
    be obtained at http://www.securityfocus.com/bid/3064. It is
    recommended that users of these operating systems check with their
    vendor for applicable patches, or disable the telnet daemon entirely.
    Further information on the vulnerability can be found at:
    Any information regarding the above worm or any other exploitation of
    the buffer overflow vulnerability should be reported to the NIPC or
    other authorities. Incidents may be reported online at
    http://www.nipc.gov/incident/cirr.htm, directly to the NIPC Watch and
    Warning Unit at (202) 323-3204/3205/3206 or nipc.watch@ fbi.gov.
    Government agencies should report incidents to FedCIRC at
    http://www.fedcirc.gov, fedcircat_private, or 1-888-282-0870.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 05:58:41 PDT