Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: US-CERT Technical Cyber Security Alert TA07-059A -- Sun Solaris Telnet Worm



> -----Original Message-----
> From: US-CERT Technical Alerts [mailto:technical-alerts@xxxxxxxxxxx] 
> Sent: Thursday, March 01, 2007 3:27 AM
> To: technical-alerts@xxxxxxxxxxx
> Subject: US-CERT Technical Cyber Security Alert TA07-059A -- 
> Sun Solaris Telnet Worm
> 
> 
> 
> 
>                      National Cyber Alert System
> 
>                Technical Cyber Security Alert TA07-059A
> 
> 
> Sun Solaris Telnet Worm
> 
>    Original release date: February 28, 2007
>    Last revised: --
>    Source: US-CERT
> 
> 
> Systems Affected
> 
>      * Sun Solaris 10 (SunOS 5.10)
>      * Sun "Nevada" (SunOS 5.11)
> 
>    Both SPARC and Intel (x86) architectures are affected.
> 
> 
> Overview
> 
>    A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris
>    telnet daemon (in.telnetd).
> 
> 
> I. Description
> 
>    A worm is exploiting a vulnerability in the telnet daemon
>    (in.telnetd) on unpatched Sun Solaris systems. The vulnerability
>    allows the worm (or any attacker) to log in via telnet (23/tcp)
>    with elevated privileges. Further details about the vulnerability
>    are available in Vulnerability Note VU#881872 (CVE-2007-0882).
> 
>    Because VU#881872 is trivial to exploit and sufficient technical
>    detail is publicly available, any attacker, not just this worm,
>    could exploit vulnerable systems.
> 
>    Characteristics of the worm include, but are not limited to:
>    
>      * Exploiting VU#881872 to log in via telnet as the users adm or lp
>      * Changing permissions on /var/adm/wtmpx to -rw-r--rw-
>      * Creating the directory .adm in /var/adm/sa/
>      * Adding .profile files to /var/adm/ and /var/spool/lp/
>      * Installing an authenticated backdoor shell on port 32982/tcp
>      * Modifying crontab entries for the users adm and lp
>      * Scanning for other hosts running telnet (23/tcp)
> 
>    Sun has published information about the worm in the Security Sun
>    Alert Feed including an inoculation script that disables the telnet
>    daemon and reverses known changes made by the worm.
> 
> 
> II. Impact
> 
>    VU#881872 allows a remote attacker to log on to a vulnerable system
>    via telnet and gain elevated privileges. The worm exploits this
>    vulnerability to compromise systems as described above. Since the
>    worm installs a backdoor shell, it is possible for an attacker with
>    knowledge of the authentication tokens to access a compromised
>    system and take any action with the privileges of the backdoor
>    shell process, likely adm or lp.
> 
> 
> III. Solution
> 
> Apply a patch
> 
>    To address VU#881872, apply the appropriate patches referenced in
>    Sun Alert Notification 102802.
> 
> Run inoculation script
> 
>    To recover compromised systems, Sun has provided an inoculation script
>    that disables the telnet daemon and reverses known changes made by the
>    worm.
> 
>    Note that the inoculation script only recovers from this particular
>    worm. Running the inoculation script does not guarantee system
>    integrity. A vulnerable system may be compromised in different ways
>    by attackers exploiting VU#881872 or using the backdoor installed
>    by the worm. To fully recover, it may be necessary to rebuild a
>    compromised system using trusted software sources. For more
>    information, see Recovering from an Incident.
> 
> 
> IV. Workarounds
> 
>    Until the appropriate patches can be applied, consider the
>    following workarounds.
> 
> Disable telnet
> 
>    Telnet can be disabled by issuing the following command as root:
> 
>      # /usr/sbin/svcadm disable telnet
> 
> Restrict telnet access
> 
>    Restrict access to telnet (23/tcp) from untrusted networks such as
>    the Internet.
> 
> Use SSH instead of telnet
> 
>    SSH provides a comparatively more secure method for remotely
>    logging into a system than telnet. As general advice, we recommend
>    using SSH rather than telnet.
> 
> 
> V. References
> 
>      * US-CERT Vulnerability Note VU#881872 -
>        <http://www.kb.cert.org/vuls/id/881872>
> 
>      * Recovering from an Incident -
>        <http://www.cert.org/nav/recovering.html>
> 
>      * Sun Alert Notification 102802 -
>        <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>
> 
>      * Solaris in.telnetd worm seen in the wild + inoculation script -
>        <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>
> 
>      * inoculate.local -
>        <http://blogs.sun.com/security/resource/inoculate.local>
> 
>      * CVE-2007-0882 -
>        <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>
> 
> 
>  ____________________________________________________________________
> 
>    The most recent version of this document can be found at:
> 
>      <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>
>  ____________________________________________________________________
> 
>    Feedback can be directed to US-CERT Technical Staff. Please send
>    email to <cert@xxxxxxxx> with "TA07-059A Feedback VU#881872" in the
>    subject.
>  ____________________________________________________________________
> 
>    For instructions on subscribing to or unsubscribing from this
>    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
>  ____________________________________________________________________
> 
>    Produced 2007 by US-CERT, a government organization.
> 
>    Terms of use:
> 
>      <http://www.us-cert.gov/legal.html>
>  ____________________________________________________________________
> 
> 
> Revision History
> 
>    February 28, 2007: Initial release
> 
> 
Copyright © Lexa Software, 1996-2009.