CERT Advisory - SATAN Vulnerability

CERT Advisory cert-advisory at cert.org
Mon Apr 10 18:52:19 UTC 1995

CA-95:07                          CERT Advisory
                                 April 10, 1995
                            Vulnerability in SATAN

There is a vulnerability introduced into systems running SATAN version
1.0.  This vulnerability affects all systems that support the use of
SATAN with the HTML interface.

The CERT team recommends that you take the precautions described in
Section III below before you run SATAN and that you upgrade to SATAN
version 1.1 when available.

As we receive additional information relating to this advisory, we
will place it in 


We encourage you to check our README files regularly for updates on 

For an overview of SATAN (Security Administrator Tool for Analyzing Systems),
see CERT advisory CA-95:06.


I.   Description

     In SATAN version 1.0, it is possible for unauthorized users to gain
     root access to systems during the time SATAN is running from the root
     account. This vulnerability exploits a weakness in the HTML server
     started by SATAN on a random, high-numbered TCP port.  Additional
     details on this vulnerability will be found in the SATAN
     documentation provided with SATAN version 1.1 when version 1.1 is 

II.  Impact

     Unauthorized users can execute programs as root. Access to an account on
     the system may not be necessary to do this.

III. Solution

     It is expected that SATAN version 1.1 will fix this problem, and if
     possible you should wait for this version before running SATAN.  

     The following precautions will prevent the introduction of this 
     vulnerability while you are running SATAN and are recommended  
     whether you are running SATAN version 1.0 or 1.1.  

     1. Install all relevant security patches for the system on which you will
        run SATAN. 

     2. Execute SATAN only from the console of the system on which it is
        installed (e.g., do not run SATAN from an X terminal, from a diskless
        workstation, or from a remote host). 

     3. Ensure that the SATAN directory tree is not NFS-mounted from a remote

     4. Ensure that the SATAN directory tree cannot be read by users other
        than root.

     Note that SATAN 1.1 is expected to check systems for this SATAN 1.0
     vulnerability as part of scanning other systems.


If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org. 

Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

More information about the NANOG mailing list