-jot
>From: CERT Bulletin <cert-advisory@cert.org>
>Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability
>Date: 4 July 1996 20:52:15 GMT
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>=============================================================================
>CERT(sm) Advisory CA-96.13
>July 4, 1996
>
>Topic: ID4 virus, Alien/OS Vulnerability
>
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of weaknesses in
>Alien/OS that can allow species with primitive information sciences
>technology to initiate denial-of-service attacks against MotherShip(tm)
>hosts. One report of exploitation of this bug has been received.
>
>When attempting takeover of planets inhabited by such races, a trojan
>horse attack is possible that permits local access to the MotherShip
>host, enabling the implantation of executable code with full root access
>to mission-critical security features of the operating system.
>
>The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1
>or later, and all versions of Microsoft's Windows/95. CERT advises
>against initiating further planet takeover actions until patches
>are available from these vendors. If planet takeover is absolutely
>necessary, CERT advises that affected sites apply the workarounds as
>specified below.
>
>As we receive additional information relating to this advisory, we will
>place it in
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>-----------------------------------------------------------------------------
>
>I. Description
>
> Alien/OS contains a security vulnerability, which strangely enough
> can be exploited by a primitive race running Windows/95. Although
> Alien/OS has been extensively field tested over millions of years by
> EvilAliens, Inc., the bug was only recently discovered during a
> routine invasion of a backwater planet. EvilAliens notes that
> the operating system had never before been tested against a race
> with "such a kick-ass president."
>
> The vulnerability allows the insertion of executable code with
> root access to key security features of the operating system. In
> particular, such code can disable the NiftyGreenShield (tm)
> subsystem, allowing child processes to be terminated by unauthorized
> users.
>
> Additionally, Alien/OS networking protocols can provide a
> low-bandwidth covert timing channel to a determined attacker.
>
>
>II. Impact
>
> Non-privileged primitive users can cause the total destruction of
> your entire invasion fleet and gain unauthorized access to
> files.
>
>
>III. Solution
>
> EvilAliens has supplied a workaround and a patch, as follows:
>
> A. Workaround
>
> To prevent unauthorized insertion of executables, install a
> firewall to selectively vaporize incoming packets that do not
> contain valid aliens. Also, disable the "Java" option in
> Netscape.
>
> To eliminate the covert timing channel, remove untrusted
> hosts from routing tables. As tempting as it is, do not use
> target species' own satellites against them.
>
>
> B. Patch
>
> As root, install the "evil" package from the distribution tape.
>
> (Optionally) save a copy of the existing /usr/bin/sendmail and
> modify its permission to prevent misuse.
>
>
>---------------------------------------------------------------------------
>The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
>providing information for this advisory.
>---------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact
>the CERT staff for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request@cert.org
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission
>provided it is used for noncommercial purposes and the copyright
>statement is included.
>
>CERT is a service mark of Carnegie Mellon University.
>
>
-- jot@cs.brown.edu http://www.cs.brown.edu/people/jot/