From: crawdad@fnal.gov
Subject: CVS Server: Critical Vulnerability
Date: May 24, 2004 10:19:53 CDT
To: cppm_reg_sysadmins@fnal.gov, cvs-support@fnal.gov
Cc: computer-security@fnal.gov

There are exploits published and in use against a bug in the CVS server. Affected versions are:

  1.11.* up to and including 1.11.15
  1.12.* up to and including 1.12.7

There is a list below of systems recently seen listening on port 2401. Please look at it, since it includes machines where a CVS server might not have been expected to be running!

The listed systems are all presumed to be running a CVS server, and for each of them a report must be received including:

1. Whether the system has ever run a CVS server at any time during 2004.

2a. If no, what is listening on port 2401?

2b. If yes, was the :pserver: method enabled? (It doesn't matter whether :pserver: allowed write permission or not.)

If the answers to 1 and 2b are yes, then:

3. The CVS server must be updated to 1.11.16 or newer, or 1.12.8 or newer. This may be difficult, as the CVS in kits has not been updated (as of this writing) and ccvs.cvshome.org is not reachable, for undetermined reasons. Mirrors do exist and some are reachable. Alternatively, the CVS server can be shut down and disabled - in some fashion that will remain disabled after a reboot - pending the availability of an update in kits or yum. Those are expected to be available today.

4. The system must be examined for root kits installed. "chkrootkit" (http://www.chkrootkit.org/) can help you there. If the CVS server was updated on May 21 or earlier, you may skip this check at your discretion.

5. Results of the above must be reported to nightwatch@fnal.gov. EXCEPTION: If a suspected root kit is discovered, report it as a security incident to x2345 and computer-security@fnal.gov, disconnect the machine from the network, and await contact from FCIRT.

Deadline for all the above: 1 PM CDT Thursday, May 27. It is acknowledged that this deadline is inconveniently short.
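As an added example (not part of Fermilab's message), a POSIX sh triage helper that performs the checks behind steps 1 through 3 on captured output: it extracts the version from the `cvs --version` banner, tests it against the affected ranges above, looks for a TCP 2401 listener in `netstat -an` output, and looks for an uncommented cvspserver entry in inetd.conf. The banner, netstat and inetd samples are constructed, and the sed and grep patterns assume the classic formats of those outputs.

```shell
# Added triage helper for the advisory above; not Fermilab's own script.
# Assumes POSIX sh plus the classic `cvs --version`, `netstat -an` and
# inetd.conf formats. All sample inputs below are constructed.
# Pull the version number out of the `cvs --version` banner line.
cvs_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(CVS) \([0-9][0-9.]*[0-9a-z]*\).*/\1/p' | head -n 1
}

# True (0) when the version is in the affected ranges named in the advisory:
# 1.11.x up to 1.11.15 and 1.12.x up to 1.12.7 (fixed in 1.11.16 / 1.12.8).
cvs_version_vulnerable() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}              # "1p1" -> "1"
    [ "$major" = "1" ] || return 1
    case "$minor" in
        11) [ "${patch:-0}" -le 15 ] ;;
        12) [ "${patch:-0}" -le 7 ] ;;
        *)  return 1 ;;
    esac
}

# True (0) when `netstat -an` output shows a TCP listener on port 2401.
cvs_port_listening() {
    printf '%s\n' "$1" | grep -Eq '^tcp.*[:.]2401[[:space:]].*LISTEN'
}

# True (0) when inetd.conf text has an uncommented cvspserver entry
# (xinetd-style /etc/xinetd.d files need a separate "disable = no" check).
pserver_enabled_in_inetd() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*cvspserver[[:space:]]'
}

# Constructed samples standing in for live command output and config.
BANNER_SAMPLE='Concurrent Versions System (CVS) 1.11.15 (client/server)'
NETSTAT_SAMPLE='tcp   0   0 0.0.0.0:2401   0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:22     0.0.0.0:*   LISTEN'
INETD_SAMPLE='ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd
cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/cvsroot pserver'

ver=$(cvs_version_from_banner "$BANNER_SAMPLE")
if cvs_port_listening "$NETSTAT_SAMPLE" && pserver_enabled_in_inetd "$INETD_SAMPLE" &&
   cvs_version_vulnerable "$ver"; then echo "cvs $ver: vulnerable :pserver: exposed on 2401"
else echo "cvs $ver: no exposed vulnerable :pserver: found"; fi
```

On a live host the three samples would be replaced by `cvs --version`, `netstat -an` and the contents of /etc/inetd.conf; a version outside the 1.11/1.12 series is simply not flagged, since the advisory names only those ranges.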
Machines on the list below which haven't been spoken for at that time may be blocked at the border router, the DHCP server or a local switch or router port, as appropriate.

Matt Crawford
Fermilab Computer Security Coordinator
+1 630 840 3461
** Computer security contact line: +1 630 840 2345 **

Appendix - systems listening on port 2401, including the most recent time detected.