CERT Advisory - SATAN Vulnerability
CERT Advisory
cert-advisory at cert.org
Mon Apr 10 18:52:19 UTC 1995
=============================================================================
CA-95:07 CERT Advisory
April 10, 1995
Vulnerability in SATAN
-----------------------------------------------------------------------------
There is a vulnerability introduced into systems running SATAN version
1.0. This vulnerability affects all systems that support the use of
SATAN with the HTML interface.
The CERT team recommends that you take the precautions described in
Section III below before you run SATAN and that you upgrade to SATAN
version 1.1 when available.
As we receive additional information relating to this advisory, we
will place it in
ftp://info.cert.org/pub/cert_advisories/CA-95:07.README
We encourage you to check our README files regularly for updates on
advisories.
For an overview of SATAN (Security Administrator Tool for Analyzing Systems),
see CERT advisory CA-95:06.
-----------------------------------------------------------------------------
I. Description
In SATAN version 1.0, it is possible for unauthorized users to gain
root access to systems during the time SATAN is running from the root
account. This vulnerability exploits a weakness in the HTML server
started by SATAN on a random, high-numbered TCP port. Additional
details on this vulnerability will be found in the SATAN
documentation provided with SATAN version 1.1 when version 1.1 is
released.
II. Impact
Unauthorized users can execute programs as root. Access to an account on
the system may not be necessary to do this.
III. Solution
It is expected that SATAN version 1.1 will fix this problem, and if
possible you should wait for this version before running SATAN.
The following precautions will prevent the introduction of this
vulnerability while you are running SATAN and are recommended
whether you are running SATAN version 1.0 or 1.1.
1. Install all relevant security patches for the system on which you will
run SATAN.
2. Execute SATAN only from the console of the system on which it is
installed (e.g., do not run SATAN from an X terminal, from a diskless
workstation, or from a remote host).
3. Ensure that the SATAN directory tree is not NFS-mounted from a remote
system.
4. Ensure that the SATAN directory tree cannot be read by users other
than root.
Note that SATAN 1.1 is expected to check systems for this SATAN 1.0
vulnerability as part of scanning other systems.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).
If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).
Internet E-mail: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
Fax: +1 412-268-6989
Postal address: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.
Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org.
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
More information about the NANOG
mailing list