Arthur
>The CERT Coordination Center has received reports of
>weaknesses in Alien/OS that can allow species with
>primitive information sciences technology to initiate
>denial-of-service attacks against MotherShip(tm)
>hosts. One report of exploitation of this bug has been
>received.
>
>When attempting takeover of planets inhabited by such
>races, a trojan horse attack is possible that permits
>local access to the MotherShip host, enabling the
>implantation of executable code with full root access
>to mission-critical security features of the operating
>system.
>
>The vulnerability exists in versions of EvilAliens'
>Alien/OS 34762.12.1 or later, and all versions of
>Microsoft's Windows/95. CERT advises against initiating
>further planet takeover actions until patches are
>available from these vendors. If planet takeover is
>absolutely necessary, CERT advises that affected sites
>apply the workarounds as specified below.
>
>As we receive additional information relating to this
>advisory, we will place it in
>ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
>
>We encourage you to check our README files regularly for
>updates on advisories that relate to your site.
>
>I. Description
>
>Alien/OS contains a security vulnerability, which
>strangely enough can be exploited by a primitive race
>running Windows/95. Although Alien/OS has been
>extensively field tested over millions of years by
>EvilAliens, Inc., the bug was only recently discovered
>during a routine invasion of a backwater planet.
>EvilAliens notes that the operating system had never
>before been tested against a race with "such a kick-ass
>president."
>
>The vulnerability allows the insertion of executable
>code with root access to key security features of the
>operating system. In particular, such code can disable
>the NiftyGreenShield (tm) subsystem, allowing child
>processes to be terminated by unauthorized users.
>
>Additionally, Alien/OS networking protocols can
>provide a low-bandwidth covert timing channel to a
>determined attacker.
>
>
>II. Impact
>
>Non-privileged primitive users can cause the total
>destruction of your entire invasion fleet and gain
>unauthorized access to files.
>
>
>III. Solution
>
> EvilAliens has supplied a workaround and a patch, as
> follows:
>
> A. Workaround
>
> To prevent unauthorized insertion of executables,
> install a firewall to selectively vaporize
> incoming packets that do not contain valid
> aliens. Also, disable the "Java" option in
> Netscape.
>
> To eliminate the covert timing channel, remove
> untrusted hosts from routing tables. As tempting
> as it is, do not use target species' own
> satellites against them.
>
> B. Patch
>
> As root, install the "evil" package from the
> distribution tape.
>
> (Optionally) save a copy of the existing
> /usr/bin/sendmail and modify its permission to
> prevent misuse.
>
>
>- -
>------------------------------------------------------------------------
>- - ---
>The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
>providing information for this advisory.
>- -
>------------------------------------------------------------------------
>- - ---
>
>If you believe that your system has been compromised,
>contact the CERT Coordination Center or your
>representative in the Forum of Incident Response and
>Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information
>you send by email. The CERT Coordination Center can
>support a shared DES key and PGP. Contact the CERT staff
>for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>- - ------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send
>your
>email address to
> cert-advisory-request@cert.org
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission
>provided it
>is used for noncommercial purposes and the copyright statement is
>included.
>
>CERT is a service mark of Carnegie Mellon University.
>