============================================================================= CA-95:07 CERT Advisory April 10, 1995 Vulnerability in SATAN ----------------------------------------------------------------------------- There is a vulnerability introduced into systems running SATAN version 1.0. This vulnerability affects all systems that support the use of SATAN with the HTML interface. The CERT team recommends that you take the precautions described in Section III below before you run SATAN and that you upgrade to SATAN version 1.1 when available. As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-95:07.README We encourage you to check our README files regularly for updates on advisories. For an overview of SATAN (Security Administrator Tool for Analyzing Systems), see CERT advisory CA-95:06. ----------------------------------------------------------------------------- I. Description In SATAN version 1.0, it is possible for unauthorized users to gain root access to systems during the time SATAN is running from the root account. This vulnerability exploits a weakness in the HTML server started by SATAN on a random, high-numbered TCP port. Additional details on this vulnerability will be found in the SATAN documentation provided with SATAN version 1.1 when version 1.1 is released. II. Impact Unauthorized users can execute programs as root. Access to an account on the system may not be necessary to do this. III. Solution It is expected that SATAN version 1.1 will fix this problem, and if possible you should wait for this version before running SATAN. The following precautions will prevent the introduction of this vulnerability while you are running SATAN and are recommended whether you are running SATAN version 1.0 or 1.1. 1. Install all relevant security patches for the system on which you will run SATAN. 2. Execute SATAN only from the console of the system on which it is installed (e.g., do not run SATAN from an X terminal, from a diskless workstation, or from a remote host). 3. Ensure that the SATAN directory tree is not NFS-mounted from a remote system. 4. Ensure that the SATAN directory tree cannot be read by users other than root. Note that SATAN 1.1 is expected to check systems for this SATAN 1.0 vulnerability as part of scanning other systems. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet E-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA CERT advisories and bulletins are posted on the USENET newsgroup comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. Past advisories, CERT bulletins, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. Copyright 1995 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University.