Original issue date: February 20, 1997<BR>
Last revised: September 26, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<P>A second vulnerability was found in INN (InterNetNews server) after
the initial publication of this advisory. We are including it in this advisory
as "Topic 2" so that all INN information is in one advisory. Versions 1.5.1
and earlier are vulnerable to this second problem.

<P>Information about the first vulnerability has been widely distributed,
and we have received numerous reports of exploitation. INN 1.5 and earlier
are vulnerable to this problem.

<P>Both vulnerabilities allow unauthorized users to execute arbitrary commands
on the machine running INN by sending a maliciously formed news control
message. Because the problem is with the content of news control messages,
attacks can be launched remotely and may reach news servers located behind
Internet firewalls.

<P>The CERT/CC staff recommends that sites upgrade to INN 1.5.1 and add
the patch described in Section III.A. Until you can upgrade, you should
apply two patches, as described in Section III.B. You may also want to
check with your vendor. Vendors who have provided input for this advisory
are listed in Sec. III.C and Appendix A.

<P>We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
<A NAME="topic2"></A><A HREF="#topic12">TOPIC 2 - ucbmail</A>

<P>A second vulnerability involving INN has been found. It is similar to
*but not the same as* the one described in Topic 1 below.

<P>INN itself attempts to carefully remove certain shell "metacharacters"
from data in control messages before passing that data to a shell. The
patch for Topic 1 fixes some of the checks that were found to be inadequate.
However ucbmail, a program typically configured as the mailer INN should
use, lacks similar checks. INN passes some data unchecked to this mailer,
which in turn passes the data to a shell for processing.

<P>James Brister, the current maintainer of INN, has made a patch available
that checks more data before it is passed to the mailer program. Although
only the ucbmail program is known to have this problem, sites are encouraged
to apply the patch regardless of what mail program their INN is configured
to use.

<P><A NAME="topic1"></A><A HREF="#topic12">TOPIC 1 - Information provided
with the initial advisory</A>

<P>The INN daemon (innd) processes "newgroup" and "rmgroup" control messages
in a shell script (parsecontrol) that uses the shell's "eval" command.
However, some of the information passed to eval comes from the message
without adequate checks for characters that are special to the shell.

<P>This permits anyone who can send messages to an INN server - almost
anyone with Usenet access - to execute arbitrary commands on that server.
These commands run with the uid and privileges of the "innd" process on
that server. Because such messages are usually passed through Internet
firewalls to a site's news server, servers behind such firewalls are vulnerable
to attack. Also, the program executes these commands before checking whether
the sender is authorized to create or remove newsgroups, so checks at that
level (such as running pgpverify) do not prevent this problem.

<P>As of the advisory update of March 18, 1997, we have received numerous
reports that the vulnerability is being exploited.
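<P>Both topics come down to one defect: a newsgroup name taken from a control message reaches a shell (through eval in parsecontrol, or through the mailer) without adequate checking. The following is an added example, not code from the advisory or from INN, showing the kind of strict allowlist check such data should pass before it is handed to any shell; the Control: header layout ("newgroup group [moderated]") is the only assumption.

```shell
# Added example (not from the advisory or from INN). Accept a newsgroup name
# only if every character is one that legitimately appears in group names;
# anything else (quotes, backquotes, '|', ';', '$', whitespace, ...) is
# rejected instead of being "stripped", so no value with shell
# metacharacters is ever passed to eval or to a mailer.
# Returns 0 if the name is safe, 1 otherwise.
is_safe_group_name() {
    case "$1" in
        '') return 1 ;;                      # empty name
        *[!A-Za-z0-9._+-]*) return 1 ;;      # any character outside the allowlist
        *) return 0 ;;
    esac
}

# Take the value of a Control: header, e.g. "newgroup comp.example.test moderated"
# (assumed layout: verb, group name, optional flag), and print the group name
# only when the verb is newgroup/rmgroup and the name passes the check above.
# Prints nothing and returns 1 for other verbs, a missing name, or an unsafe name.
group_from_control() {
    verb=${1%% *}
    rest=${1#* }
    case "$verb" in
        newgroup|rmgroup) ;;
        *) return 1 ;;
    esac
    [ "$rest" = "$1" ] && return 1          # verb with no argument at all
    group=${rest%% *}
    is_safe_group_name "$group" || return 1
    printf '%s\n' "$group"
}
```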
<H3>Determining if you are vulnerable</H3>
You can determine which version of INN your site is running by connecting
to the NNTP port (119) of your news server. For example:
<PRE>% telnet news.your.site 119
Connected to news.your.site
Escape character is '^]'.
200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready</PRE>
Type "quit" to exit the connection. Note that this does not indicate whether
or not the patch recommended below has been installed.
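<P>As an added example (not part of the advisory), the check above can be scripted: the first function pulls the version token out of the greeting line, and the second maps it to what this advisory states. Because the banner cannot show whether security-patch.05 was applied, 1.5.1 is reported as "Topic 2 unless patched", never as safe. The network wrapper assumes <CODE>nc</CODE> is installed.

```shell
# Added example (not from the advisory or from INN): classify an INN server
# from its NNTP greeting line, e.g.
#   200 news.your.site InterNetNews server INN 1.4unoff4 05-Mar-96 ready

# Print the token following "INN" in a 200 greeting; return 1 if the line
# is not an INN greeting.
inn_version_from_banner() {
    case "$1" in
        200*"InterNetNews server INN "*) ;;
        *) return 1 ;;
    esac
    v=${1#*"InterNetNews server INN "}
    v=${v%% *}
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Map a version token to the advisory's statements:
#   both                  - 1.5 and earlier: Topic 1 and Topic 2 (patch or upgrade)
#   topic2-unless-patch05 - 1.5.1: Topic 2 unless security-patch.05 is applied,
#                           which the banner cannot show
#   current               - 1.5.1sec2, the release named in the Aug 15, 1997 update
#   unknown               - a version this advisory does not cover
inn_status() {
    case "$1" in
        1.5.1sec2)       echo current ;;
        1.5.1)           echo topic2-unless-patch05 ;;
        1.5|1.[0-4]*)    echo both ;;
        *)               echo unknown ;;
    esac
}

# Fetch the greeting from a server and classify it (assumes nc; not run here).
check_news_server() {
    banner=$(printf 'quit\r\n' | nc -w 5 "$1" 119 | head -n 1 | tr -d '\r')
    v=$(inn_version_from_banner "$banner") || { echo "$1: not an INN greeting"; return 1; }
    echo "$1: INN $v -> $(inn_status "$v")"
}
```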
<BR><A NAME="topic12"></A>
<H2>II. Impact</H2>
<A HREF="#topic12b">(Applies to both TOPICS 1 &amp; 2)</A>

<P>Remote, unauthorized users can execute arbitrary commands on the system
with the same privileges as the innd (INN daemon) process. Attacks may
reach news servers located behind Internet firewalls.
<BR>
<H2>III. Solution</H2>
Warning: If you applied any of the solutions offered in the version of
this advisory released on Feb. 20, 1997, you must add an additional patch.

<P><A NAME="topic12b"></A>(The following apply to both <A HREF="#topic1b">TOPIC
1</A> and <A HREF="#topic12c">TOPIC 2</A>)

<P>We recommend upgrading to version 1.5.1 and applying the patch developed
by James Brister, the current maintainer of INN (Section III. A). If you
upgraded previously, you must apply this new patch to protect against the
second vulnerability. Until you can upgrade, you need to apply two patches
(Section III. B). You may also want to consult your vendor. Vendors who
have provided input for this advisory are listed in Sec. III.C and Appendix
A.

<P>After installing any of the patches or updates, ensure that you restart
your INN server.
<BR>
<H3>A. Upgrade to INN 1.5.1 and apply a patch.</H3>
The current version of INN is 1.5.1. It is not vulnerable to the first
problem, but it is vulnerable to the second, so a patch is necessary.

<P>When you upgrade to INN 1.5.1, please be sure to read the README file
carefully.

<P>INN 1.5.1 and information about it are available from

<P><A HREF="http://www.isc.org/inn.html">http://www.isc.org/inn.html</A>

<P>The md5 checksum for the gzip'ed tar file is

<P>MD5 (inn-1.5.1.tar.gz) = 555d50c42ba08ece16c6cdfa392e0ca4

<P>The patch is available from

<P><A HREF="ftp://ftp.isc.org:/isc/inn/patches/security-patch.05">ftp://ftp.isc.org:/isc/inn/patches/security-patch.05</A>

<P>Note that the advisory originally pointed to patch 04; there was a problem
with this patch. You need to install patch 05.

<P>Checksums for patches are in the directory, along with a README.
<BR>
<H3>B. If you do not upgrade to 1.5.1</H3>
Apply a patch for the version you are running and then apply the newly
released patch that addresses the second vulnerability discussed in this
advisory. If you are running INN 1.4sec2, you should upgrade to 1.5.1 as
no patches are available.

<P>FIRST apply the patch for your version:
<TABLE BORDER=0>
<TR><TD>version</TD><TD>patch</TD></TR>
<TR><TD>1.5</TD><TD><A HREF="ftp://ftp.isc.org/isc/inn/patches/security-patch.01">ftp://ftp.isc.org/isc/inn/patches/security-patch.01</A></TD></TR>
<TR><TD>1.4sec</TD><TD><A HREF="ftp://ftp.isc.org/isc/inn/patches/security-patch.02">ftp://ftp.isc.org/isc/inn/patches/security-patch.02</A></TD></TR>
<TR><TD>1.4unoff3, 1.4unoff4</TD><TD><A HREF="ftp://ftp.isc.org/isc/inn/patches/security-patch.03">ftp://ftp.isc.org/isc/inn/patches/security-patch.03</A></TD></TR>
</TABLE>

<P>THEN apply (for 1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4):

<P><A HREF="ftp://ftp.isc.org:/isc/inn/patches/security-patch.05">ftp://ftp.isc.org:/isc/inn/patches/security-patch.05</A>

<P>Note that the advisory originally pointed to patch 04; there was a problem
with this patch. You need to install patch 05.

<P>There are md5 checksums for each file in the directory, and a README
file describes what is what.
<BR>
<H3>C. Consult your vendor</H3>
Below is a list of vendors who have provided information about INN. Details
are in Appendix A of this advisory; we will update the appendix as we receive
more information. If your vendor's name is not on this list, the CERT/CC
did not hear from that vendor. Please contact your vendor directly.

<P>Berkeley Software Design, Inc. (BSDI)
<BR>Caldera
<BR>Cray Research - A Silicon Graphics Company
<BR>Debian Linux
<BR>NEC Corporation
<BR>Netscape
<BR>Red Hat Linux
<P><HR>

<H2>Appendix A - Vendor Information</H2>
Below is a list of the vendors who have provided information for this advisory,
along with an indication about whether the information relates to the first
vulnerability or both. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact the vendor directly.
<BR>
<H3>Berkeley Software Design, Inc. (BSDI)</H3>
<A NAME="topic1b"></A><A HREF="#topic1c">For TOPIC 1</A>

<P>We ship INN as part of our distribution. BSD/OS 2.1 includes INN 1.4sec
and 2.1 users should apply the patch referenced in the advisory. BSD/OS
3.0 includes INN 1.4unoff4 and the patch for that version is already included
so BSD/OS 3.0 is not vulnerable as distributed.
<BR>
<H3>Caldera</H3>
<A NAME="topic1c"></A><A HREF="#topic12c">For TOPIC 1</A>

<P>An upgrade package for Caldera OpenLinux Base 1.0 will appear at Caldera's
site:

<P><A HREF="ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm">ftp://ftp.caldera.com/pub/col-1.0/updates/Helsinki/004/inn-1.5.1-2.i386.rpm</A>

<P>MD5 sum is:

<P>3bcd3120b93f41577d3246f3e9276098 inn-1.5.1-2.i386.rpm
<BR>
<H3>Cray Research - A Silicon Graphics Company</H3>
<A NAME="topic12c"></A>For <A HREF="#topicd">TOPIC 1</A> and <A HREF="#topic12d">TOPIC
2</A>

<P>Cray Research has never shipped any news server with Unicos.
<H3>Debian Linux</H3>
<A NAME="topic1d"></A><A HREF="#topic12d">For TOPIC 1</A>

<P>The current version of INN shipped with Debian is 1.4unoff4. However
the "unstable" (or development) tree contains inn-1.5.1. It can be gotten
from any debian mirror in the subdirectory

<P>debian/unstable/binary/news

<PRE>d3603d9617fbf894a3743a330544b62e 591154 news optional inn_1.5.1-1_i386.deb
205850779d2820f03f2438d063e1dc51 45230 news optional inn-dev_1.5.1-1_i386.deb
badbe8431479427a4a4de8ebd6e1e150 31682 news optional inewsinn_1.5.1-1_i386.deb</PRE>
<BR>
<H3>NEC Corporation</H3>
<A NAME="topic12d"></A>For <A HREF="#topic1f">TOPIC 1</A> and <A HREF="#topic2b">TOPIC 2</A>

<P>Products below are shipped with INN mentioned in this advisory, so they
are vulnerable and patches are in progress.
<TABLE BORDER=0 WIDTH="50%" >
<TR>
<TD>Goah/NetworkSV R1.2</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>Goah/NetworkSV R2.2</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>Goah/NetworkSV R3.1</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>Goah/IntraSV R1.1</TD>

<TD>vulnerable</TD>
</TR>
</TABLE>

<H3>Netscape</H3>
<A NAME="topic2b"></A><A HREF="#ttopic12e">For Topic 2</A>

<P>The Netscape News Server 2.01 and current beta (and future shipping)
versions of Netscape Collabra Server are NOT vulnerable to this problem
because the Netscape News Server uses its own mailer instead of 'ucbmail'.
The Netscape News Server mailer is a simple SMTP front-end that DOES NOT
pass anything to the shell. Hence it is immune to the vulnerability outlined
in topic 2 of the advisory.

<P>Netscape News Server 1.1 users should apply the patch recommended by
the CERT Advisory to solve this problem.

<P><A NAME="topic1f"></A><A HREF="#ttopic12e">For Topic 1</A>
<BR>The Netscape News Server 2.01 is immune to the attack outlined in the
advisory.

<P>The News Server 1.1 is, however, subject to the same vulnerability as
INN and we have advised customers to install the patch described in the
advisory.
<H3>Red Hat Linux</H3>
<A NAME="ttopic12e"></A>For Topics 1 and 2

<P>There is a critical security hole in INN which affects all versions
of Red Hat Linux. A new version, inn-1.5.1-6, is now available for Red
Hat Linux 4.0 and 4.1 for all platforms. If you are running an earlier
version of Red Hat, we strongly encourage you to upgrade to 4.1 as soon
as possible, as many critical security fixes have been made. The new version
of inn is PGP signed with the Red Hat PGP key, which is available on all
Red Hat CDROMs, ftp.redhat.com, and public keyservers.

<P>You may upgrade to the new version as follows:
<H4>Red Hat 4.1</H4>
i386:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm">ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm</A>

<P>alpha:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm">ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm</A>

<P>sparc:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm">ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm</A>
<H4>Red Hat 4.0</H4>
i386:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm">ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm</A>

<P>alpha:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm">ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm</A>
<P>sparc:

<P>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm">ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm</A>

<P><HR>

<P>The CERT Coordination Center thanks James Brister of the Internet Software
Consortium for making fixes available and Matt Power of MIT for analyzing
and reporting the first problem. We also thank AUSCERT for their contributions
to this advisory. James Crawford Ralston of the University of Pittsburgh
and Frank Miller of Tektronix Corporation assisted with the March 18, 1997
update.

<P>The second vulnerability addressed in this advisory was discovered by
security experts in the Global Security Analysis Laboratory (GSAL) at IBM's
T.J. Watson Research Center. We thank the IBM Emergency Response Service
for providing information on this topic. (They published information in
ERS-SVA-E01-1997:002.1. Their alert is copyrighted 1997 by International
Business Machines Corporation.)
<H2>UPDATES</H2>
<H4>August 15, 1997</H4>
The current version is inn-1.5.1sec2, and is available from:
<BR><A HREF="ftp://ftp.isc.org/isc/inn/inn-1.5.1sec2.tar.gz">ftp://ftp.isc.org/isc/inn/inn-1.5.1sec2.tar.gz</A>
<BR>
<H4>March 18, 1997</H4>
If you are upgrading to INN 1.5.1, please be sure to read the README file
carefully. Note that if you are upgrading to 1.5.1 from a previous release,
running a "make update" alone is not sufficient to ensure that all of the
vulnerable scripts are replaced (e.g., parsecontrol). Please especially
note the following from the INN 1.5.1 distribution README file:

<P>When updating from a previous release, you will usually want to do "make
update" from the top-level directory; this will only install the programs.
To update your scripts and config files, cd into the "site" directory and
do "make clean" -- this will remove any files that are unchanged from the
official release. Then do "make diff >diff"; this will show you what changes
you will have to merge in. Now merge in your changes (from where the files
are, i.e. /usr/lib/news...) into the files in $INN/site. (You may find that
due to the bug fixes and new features in this release, you may not need
to change any of the scripts, just the configuration files). Finally, doing
"make install" will install everything.

<P>After installing any of the patches or updates, ensure that you restart
your INN server.

<P><HR>

<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 26, 1997 Updated copyright statement

Aug. 15, 1997 UPDATES - added information about the latest release.

Apr 04, 1997  Appendix A - added information from Netscape about Topic 2.
              Solution sections III.A and B - replaced pointer to patch 04
              with patch 05 and noted that you must use patch 05.
              Contact information - corrected the URL for FIRST.

Apr 03, 1997  Added information on a second vulnerability (labeled
              Topic 2), including a new patch that must be applied to
              many versions of INN.  Labeled vendor information as
              input on Topic 1 or 2.

Mar 25, 1997  Section III.B - added a note that no patches are
              available for version 1.4sec2.

Mar 24, 1997  Appendix A - added information from Netscape.

Mar 21, 1997  Appendix A - added information from NEC Corporation.

Mar 18, 1997  Updates section - added a caution for sites upgrading to
              1.5.1.
              Acknowledgments - added J. C. Ralston and F. Miller.

Mar 17, 1997  Section III.B - corrected patch information (patch.03
              must be used for 1.4unoff3, 1.4unoff4 rather than
              patch.01); added a URL for INN information.

              Section III.A and introduction - noted that the
              vulnerability is being actively exploited.
</PRE>