From security em unicamp.br Thu Mar 1 09:40:12 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Thu, 1 Mar 2007 09:40:12 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-059A -- Sun Solaris Telnet Worm Message-ID: <20070301124012.GA67565@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-059A -- Sun Solaris Telnet Worm To: technical-alerts em us-cert.gov Date: Wed, 28 Feb 2007 19:26:34 -0500 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-059A Sun Solaris Telnet Worm Original release date: February 28, 2007 Last revised: -- Source: US-CERT Systems Affected * Sun Solaris 10 (SunOS 5.10) * Sun "Nevada" (SunOS 5.11) Both SPARC and Intel (x86) architectures are affected. Overview A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris telnet daemon (in.telnetd). I. Description A worm is exploiting a vulnerability in the telnet daemon (in.telnetd) on unpatched Sun Solaris systems. The vulnerability allows the worm (or any attacker) to log in via telnet (23/tcp) with elevated privileges. Further details about the vulnerability are available in Vulnerability Note VU#881872 (CVE-2007-0882). Because VU#881872 is trivial to exploit and sufficient technical detail is publicly available, any attacker, not just this worm, could exploit vulnerable systems. Characteristics of the worm include, but are not limited to: * Exploiting VU#881872 to log in via telnet as the users adm or lp * Changing permissions on /var/adm/wtmpx to -rw-r--rw- * Creating the directory .adm in /var/adm/sa/ * Adding .profile files to /var/adm/ and /var/spool/lp/ * Installing an authenticated backdoor shell on port 32982/tcp * Modifying crontab entries for the users adm and lp * Scanning for other hosts running telnet (23/tcp) Sun has published information about the worm in the Security Sun Alert Feed including an inoculation script that disables the telnet daemon and reverses known changes made by the worm. II. Impact VU#881872 allows remote attacker to log on to a vulnerable system via telnet and gain elevated privileges. The worm exploits this vulnerability to compromise systems as described above. Since the worm installs a backdoor shell, it is possible for an attacker with knowledge of the authentication tokens to access a compromised system and take any action with the privileges of the backdoor shell process, likely adm or lp. III. Solution Apply a patch To address VU#881872, apply the appropriate patches referenced in Sun Alert Notification 102802. Run inoculation script To recover compromised systems, Sun has provided an inoculation script that disables the telnet daemon and reverses known changes made by the worm. Note that the inoculation script only recovers from this particular worm. Running the inoculation script does not guarantee system integrity. A vulnerable system may be compromised in different ways by attackers exploiting VU#881872 or using the backdoor installed by the worm. To fully recover, it may be necessary to rebuild a compromised system using trusted software sources. For more information, see Recovering from an Incident. IV. Workarounds Until the appropriate patches can be applied, consider the following workarounds. Disable telnet Telnet can be disabled by issuing the following command as root: # /usr/sbin/svcadm disable telnet Restrict telnet access Restrict access to telnet (23/tcp) from untrusted networks such as the Internet. Use SSH instead of telnet SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet. V. References * US-CERT Vulnerability Note VU#881872 - * Recovering from an Incident - * Sun Alert Notification 102802 - * Solaris in.telnetd worm seen in the wild + inoculation script - * inoculate.local - * CVE-2007-0882 - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-059A Feedback VU#881872" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History February 28, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBReYctOxOF3G+ig+rAQKGUAf+LY2zbs3k8mx3mYhgtpLWCCOo5wDjd90a g+apWM4B9qEsAvlIsI/tWof5xSf682D7Yx47xwDDxUyIswHkovGaIWQ7TKmew1Be On7KUFSi0fHQ9Su4536COmr3aCOoeXhPpIIC8nFyb9rZ22aax6LowxH4THU1uFRO vITWFHKuWkSW75D4WQ9z19m1cdkXf2Y6SC9UcqADdImFo0ZG/mVzQ8as1sb3nHM7 0cBje0Dt4rEUtMkgBRrIMqoa1FquJXnLT0YnUtQp914SguxhD5sB/shjiIrttpVq uROeI77nsfGzAyWLes2K/fDik4/HJLIgiTpnONBTrXNYuuTsfKOJ0Q== =rcWZ -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Mar 7 11:59:40 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 7 Mar 2007 11:59:40 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-065A -- Apple Releases Security Updates for QuickTime Message-ID: <20070307145937.GC5863@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-065A -- Apple Releases Security Updates for QuickTime To: technical-alerts em us-cert.gov Date: Tue, 6 Mar 2007 14:04:37 -0500 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-065A Apple Releases Security Updates for QuickTime Original release date: March 06, 2007 Last revised: -- Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows Overview Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. I. Description Apple QuickTime 7.1.5 resolves multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file with a vulnerable version of QuickTime. Since QuickTime configures most web browsers to handle QuickTime media files, an attacker could exploit these vulnerabilities using a web page. Note that QuickTime ships with Apple iTunes. For more information, please refer to the Vulnerability Notes Database. II. Impact These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or commands and cause a denial-of-service condition. For further information, please see the Vulnerability Notes Database. III. Solution Upgrade QuickTime Upgrade to QuickTime 7.1.5. This and other updates for Mac OS X are available via Apple Update. On Microsoft Windows the QuickTime built-in auto-update mechanism may not detect this release. Instead, Windows users should check for updates using Apple Software Update or install the update manually. Disable QuickTime in your web browser An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector. For more information, refer to the Securing Your Web Browser document. References * Vulnerability Notes for QuickTime 7.1.5 - * About the security content of the QuickTime 7.1.5 Update - * How to tell if Software Update for Windows is working correctly when no updates are available - * Apple QuickTime 7.1.5 for Windows - * Apple QuickTime 7.1.5 for Mac - * Standalone Apple QuickTime Player - * Mac OS X: Updating your software - * Securing Your Web Browser - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-065A Feedback VU#568689" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History March 06, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRe26JOxOF3G+ig+rAQIL/AgArfKGgONZLe46VrCe71/m/47EcYHx/m4u K7rK5zeV11CItic4BMTyhC/s9OMEJdkRpVLhi9TJtLv0OYQoqT8WCqkcWpn6rf+p mRbMMIc0m2/IqQWBz3oHU1rlAem8Xk0wbARe+y3Pb1Xz5TumoyVSjbkKkyQJVYLz 35SS6byTmpspL/GIui8lt37b66aiXOGr91FCMQ4eCJXucJKlDNndjdL5isVKjXoA 74aavroywUVzoBzjxXCRSquxcFHW0B6t1TIMuMJhyVbmcV4i/0Cq3EfEg8iKVZdO ZAXHIj3P4cPmdsYRbgl0IqqyZYt51gMdpmUNGORCShuMajqwwbNjvg== =5/kY -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Mar 14 11:14:42 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 14 Mar 2007 11:14:42 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-072A -- Apple Updates for Multiple Vulnerabilities Message-ID: <20070314141442.GA40321@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-072A -- Apple Updates for Multiple Vulnerabilities To: technical-alerts em us-cert.gov Date: Tue, 13 Mar 2007 21:00:16 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-072A Apple Updates for Multiple Vulnerabilities Original release date: March 13, 2007 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X version 10.3.x and 10.4.x * Apple Mac OS X Server version 10.3.x and 10.4.x These vulnerabilities affect both Intel-based and PowerPC-based Apple systems. Overview Apple has released Security Update 2007-003 to correct multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service. I. Description Apple Security Update 2007-003 addresses a number of vulnerabilities affecting Apple Mac OS X and OS X Server. Further details are available in the related vulnerability notes. Many of the fixes included in this update address vulnerabilities in products from other vendors that ship with Apple OS X or OS X Server. These products include: * Adobe Flash Player * GNU Tar * MySQL Server * OpenSSH * Sudo Apple Security Update 2007-003 addresses vulnerabilities on both 10.3.9 and 10.4.x. According to Apple: Security Update 2007-003 will install on Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems. Mac OS X v10.4.9 contains the security fixes present in Security Update 2007-003 and will install on Mac OS X v10.4 or later, as well as Mac OS X Server v10.4 or later systems. II. Impact The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. Solution Install Updates from Apple Install Apple Security Update 2007-003. OS X 10.4 users should upgrade to 10.4.9 to obtain the security fixes in Apple Security Update 2007-003. This and other updates are available via Apple Update or via Apple Downloads. IV. References * Vulnerability notes for Apple Security Update 2007-003 - * About the security content of Mac OS X 10.4.9 and Security Update 2007-003 - * Mac OS X: Updating your software - * Apple downloads - * Adobe - Security bulletins and advisories - * Tar - GNU Project - Free Software Foundation (FSF) - * MySQL AB :: MySQL 3.23, 4.0, 4.1 Reference Manual :: B.1 Changes in release 4.1.x (Production) - * OpenSSH release 4.5 - * Current version of Sudo - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-072A Feedback VU#449440" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History March 13, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRfdGvexOF3G+ig+rAQL2gwgAkVSGwq7OKzyTW3nGc9kmDRRUdWksQ0Qi o94IxB8zMXHbNG63lS2964esfbTd/WWDhOoc3W1scQXJ7jsv5MUPky2hSYF7nYHC lCjJdqew5jdzruoZ+3MvPsrVt5b63GNcREycLb0yA4jGxPdK31KU3B6VUxO5Goiq 8aOQluLfVGIlJBTNQTPYSUpok63snXhsEq1qdNEHlGqM3mvWgFOcLC/2mObIzQh2 XJdwMKmhCnF/8Fnk0UZKCH5AL/KqyRqRS2mXEV8tmY4vPzk00FxNy9zgmwkQuF7m uMAUhFfdRXjrt5Gjjhq2KVZrI1ZSefl77C0Qz2N05UZhdRWMgDhhmw== =hu6q -----END PGP SIGNATURE----- ----- End forwarded message -----