CERT Advisory - SATAN

Mon Apr 3 15:56:25 UTC 1995

=============================================================================
CA-95:06                        CERT Advisory
                                April 3, 1995
         Security Administrator Tool for Analyzing Networks (SATAN)
-----------------------------------------------------------------------------

The CERT Coordination Center staff has examined beta version 0.51 of the
Security Administrator Tool for Analyzing Networks (SATAN). This advisory
contains information based on our review of this pre-release version. When the
official release is available, we will distribute an updated advisory. SATAN
is scheduled for release on April 5, 1995, at 14:00 GMT.

1. What is SATAN?
------------------
SATAN is a testing and reporting tool that collects a variety of information
about networked hosts. The currently available documentation can be found at
         ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z

SATAN gathers information about specified hosts and networks by examining
network services (for example, finger, NFS, NIS, ftp, and rexd).  It can then
report this data in a summary format or, with a simple rule-based system,
investigate potential security problems. Problems are described briefly and
pointers provided to patches or workarounds. In addition to reporting
vulnerabilities, SATAN gathers general network information (network topology,
network services run, types of hardware and software being used on the
network).  As described in the SATAN documentation, SATAN has an exploratory
mode that allows it to probe hosts that have not been explicitly specified.
Thus, SATAN could probe not only targeted hosts, but also hosts outside your
administrative domain.

Section 4 below lists the vulnerabilities currently probed by SATAN.

2. Potential Impact of SATAN
----------------------------
SATAN was designed as a security tool for system and network administrators.
However, given its wide distribution, ease of use, and ability to scan remote
networks, SATAN is also likely to be used to locate vulnerable hosts for
malicious reasons. It is also possible that sites running SATAN for a
legitimate purpose will accidentally scan your system via SATAN's exploratory
mode.

Although the vulnerabilities SATAN identifies are not new, the ability to
locate them with a widely available, easy-to-use tool increases the level of
threat to sites that have not taken steps to address those vulnerabilities. In
addition, SATAN is easily extensible. After it is released, modified versions
might scan for other vulnerabilities as well and might include code to
compromise systems. 

3. How to Prepare for the Release of SATAN
------------------------------------------

* Examine your systems for the vulnerabilities described below and implement
  security fixes accordingly.

* In addition to reading the advisories cited for specific vulnerabilities
  below, consult the following documents for guidance on improving the
  security of your systems:
          ftp://info.cert.org/tech_tips/security_info
          ftp://info.cert.org/tech_tips/anonymous_ftp
          ftp://info.cert.org/tech_tips/packet_filtering

* Contact your vendor for information on available security patches, and
  ensure that all patches have been installed at your site.

* Use the tools listed in Section 5 to assist you in assessing and improving
  the security of your systems.

4. Vulnerabilities Probed by SATAN
----------------------------------
Listed below are vulnerabilities that beta version 0.51 of SATAN tests for,
along with references to CERT advisories and other documents where applicable.

Administrators should verify the state of their systems and perform corrective
actions as necessary. We cannot stress enough the importance of good network
configuration and the need to install all available patches.

   1. NFS export to unprivileged programs
   2. NFS export via portmapper
   3. Unrestricted NFS export

      See CERT advisory CA-94:15 and CA-94:15.README for security measures you
      can take to address NFS vulnerabilities.

      The following advisories also address problems related to NFS:
             CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
             CA-94:02.README
             CA-93:15.SunOS.and.Solaris.vulnerabilities
             CA-92:15.Multiple.SunOS.vulnerabilities.patches
             CA-92:12.REVISED.SunOS.rpc.mountd.vulnerability
             CA-91:21.SunOS.NFS.Jumbo.and.fsirand

   4. NIS password file access
      See CERT advisory CA-92:13 for information about SunOS 4.x machines using
      NIS, and CA-93:01 for information about HP machines.

   5. rexd access
      We recommend filtering the rexd service at your firewall and commenting
      out rexd in the file /etc/inetd.conf. 

      See CERT advisory CA-92:05 for more information about IBM AIX machines
      using rexd, and CA-91:06 for information about NeXT.

   6. Sendmail vulnerabilities
      See CERT advisory CA-95:05 and CA-95:05.README for the latest information
      we have published about sendmail. 

   7. TFTP file access
      See CERT advisory CA-91:18 for security measures that address TFTP access
      problems. In addition, CA-91:19 contains information for IBM AIX users.

   8. Remote shell access
      We recommend that you comment out rshd in the file /etc/inetd.conf or
      protect it with a TCP wrapper.

   9. Unrestricted X server access
      We recommend filtering X at your firewall. Additional advice about
      packet filtering is available by anonymous FTP from
             ftp://info.cert.org:/pub/tech_tips/anonymous_ftp

   10. Writable FTP home directory
       See CERT advisory CA-93:10. 
       Guidance on anonymous FTP configuration is also available from
             ftp://info.cert.org:/pub/tech_tips/anonymous_ftp

   11. wu-ftpd vulnerability
       See CA-93:06, CA-94:07, and CA-94:07.README for more information about
       ftpd.

Note: In addition to our FTP archive at info.cert.org, CERT documents are
      available from the following sites, and others which you can locate
      by using archie:

          ftp://coast.cs.purdue.edu:/pub/mirrors/cert.org/cert_advisories 
          ftp://unix.hensa.ac.uk:/pub/uunet/doc/security/cert_advisories
          ftp://ftp.luth.se:/pub/misc/cert/cert_advisories
          ftp://ftp.switch.ch:/network/security/cert_advisories
          ftp://corton.inria.fr:/CERT/cert_advisories
          ftp://ftp.inria.fr:/network/cert_advisories
          ftp://nic.nordu.net:/networking/security/cert_advisories

5. Currently Available Tools
-----------------------------
The following tools are freely available now and can help you improve your
site's security before SATAN is released.

COPS and ISS can be used to check for vulnerabilities and configuration
weaknesses. 

     COPS is available from ftp://info.cert.org:/pub/tools/cops/*

     ISS is available from
     ftp://ftp.uu.net:/usenet/comp.sources.misc/volume39/iss  
     CERT advisory CA-93:14 and CA-93:14.README contain information about ISS.

TCP wrappers can provide access control and flexible logging to most network
services. These features can help you prevent and detect network attacks. This
software is available by anonymous FTP from

          ftp://info.cert.org:/pub/tools/tcp_wrappers/*

The TAMU security package includes tools to check for vulnerabilities and
system configuration weaknesses, and it provides logging and filtering of
network services. This software is available by anonymous FTP from

          ftp://net.tamu.edu:/pub/security/TAMU/*

The Swatch log file monitor allows you to identify patterns in log file entries
and associate them with actions. This tool is available from

          ftp://ee.stanford.edu:/pub/sources/swatch.tar.Z

6. Detecting Probes
-------------------
One indication of attacks by SATAN, and other tools, is evidence of a heavy
scan of a range of ports and services in a relatively short time.  Many UNIX
network daemons do not provide sufficient logging to determine if SATAN is
probing the system. TCP wrappers, the TAMU tools, and Swatch can provide the
logging you need.

7. Using SATAN
---------------
Running SATAN on your systems will provide you with the same information an
attacker would obtain, allowing you to correct vulnerabilities. If you choose
to run SATAN, we urge you to read the documentation carefully. Also,
note the following:

* It is easy to accidentally probe systems you did not intend to. If this
  occurs, the probed site may view the probe(s) as an attack on their
  system(s).

* Take special care in setting up your configuration file, and in selecting the
  probe level when you run SATAN. 

* Explicitly bound the scope of your probes when you run SATAN. Under "SATAN
  Configuration Management," explicitly limit probes to specific hosts and
  exclude specific hosts.  

* When you run SATAN, ensure that other users do not have read access to your
  SATAN directory.

* In some cases, SATAN points to CERT advisories. If the link does not work
  for you, try getting the advisories by anonymous FTP.

8. Getting more information about SATAN
---------------------------------------
As noted above, SATAN documentation is available from
          ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z

Additional documents are available through a mail server set up by one of the
authors. 

Send mail to
          majordomo at wzv.win.tue.nl

Put the following text in the body (not subject):
        get satan mirror-sites
        get satan release-plan
        get satan description
        get satan admin-guide-to-cracking.101

The last document contains "Improving the Security of Your Site by Breaking
Into It," a 1993 paper in which the authors give their rationale for creating
SATAN.

---------------------------------------------------------------------------
The CERT Coordination Center staff thanks Dan Farmer and Wieste Venema for the
the opportunity to examine pre-release versions of SATAN. We also appreciate
the interaction with the response teams at AUSCERT, CIAC, and DFN-CERT, and
feedback from Eric Allman.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous 
FTP from info.cert.org. 

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.