CA-95:06.README
Issue date: June 9, 1995

This file is a supplement to CERT advisory CA-95:06, "Security
Administrator Tool for Analyzing Networks (SATAN)," distributed on
April 3, 1995.  We will update this file as additional information
becomes available.

Advisory CA-95:06 was based on our examination of beta version 0.51 of
SATAN; this README contains updated information based on SATAN version
1.1.1, which was released on April 11, 1995.


Note to users of LINUX SATAN: There was a posting to USENET that a
Trojan horse was introduced into a version of LINUX SATAN binaries
archived on ftp.epinet.com.  CERT staff have not verified that this
Trojan horse exists; however, if you are using LINUX SATAN and
believe your version may be compromised, we suggest you obtain
additional information from

	ftp://ftp.epinet.com/pub/linux/security


For convenience, the following two lists summarize the updates that
are more fully described in the sections below.

   * Additions:
        reference to CA-95:07a.vulnerability.in.satan (Introduction)
        information on a SATAN probe for unrestricted modems (Sec. 4) 
        a note on tools for detecting probes (Sec. 6)
        where to get a copy of SATAN (Sec. 7)
        checksums for SATAN and documentation (Sec. 7)
        where to send comments about SATAN (Sec. 8)

   * Corrections: 
        pathnames corrected (Sec. 3)

        There is an extraneous colon after the hostname in some URLs
        (Sec. 4, Sec. 5). Although this shouldn't affect your ability
        to reach our site, try removing the colon (after info.cert.org)
        if you are having difficulty.

        For example, change   ftp://info.cert.org:/pub/tech_tips
                         to   ftp://info.cert.org/pub/tech_tips


Addendum to Introduction
------------------------
After the release of SATAN 1.0, we published a separate advisory,
CA-95:07, superseded by CA-95:07a, describing a vulnerability
in SATAN. If you do not already have a copy of CA-95:07a, we
strongly urge you to obtain a copy from

      ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul

As we receive new information about SATAN, we will place it in the
following README files:

      ftp://info.cert.org/pub/cert_advisories/CA-95:06.README
      ftp://info.cert.org/pub/cert_advisories/CA-95:07a.README

We encourage you to check our README files regularly for updates to all
advisories relating to your site.


Correction to Section 3. How to Prepare for the Release of SATAN
----------------------------------------------------------------

The pathnames should read

     ftp://info.cert.org/pub/tech_tips/security_info
     ftp://info.cert.org/pub/tech_tips/anonymous_ftp
     ftp://info.cert.org/pub/tech_tips/packet_filtering


Addendum to Section 4. Vulnerabilities Probed by SATAN
------------------------------------------------------ 

The information in CERT advisory CA-95:06 was based on our examination
of SATAN beta version 0.51.  The information in this README file is
based on our examination of SATAN 1.1.1. This version of SATAN also
probes for unrestricted modems, so Sec. 4 should now have an item 12:

   12. Unrestricted dial-out modem available via TCP.
       Place modems behind a firewall or put password or other extra
       authentication on them (such as S/Key or one-time passwords). 
       For information on one-time passwords, see CERT advisory CA-94:01,
       Appendix B. 

The following information should be added to Item #8 in Sec. 4:
	
       A TCP/IP wrapper program is available from 
           ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z


Addendum to Section 6. Detecting Probes
---------------------------------------
New tools are becoming available on the network to help you detect
probes, but the CERT staff has not evaluated them.

Although detection tools can be helpful, keep in mind that their
effectiveness depends on the nature and availability of your logs and
that the tools may become less effective as SATAN is modified. The
most important thing you can do is take preventive action to secure
your systems.


Addendum to Section 7. Using SATAN
----------------------------------
In addition, the following precautions will help you minimize the
risks of running SATAN:

  * Install all relevant security patches for the system on which you will
    run SATAN.

  * Ensure that the SATAN directory tree cannot be read by users other
    than root.

  * Execute SATAN only from the console of the system on which it is
    installed (e.g., do not run SATAN from an X terminal, from a diskless
    workstation, or from a remote host).

  * Ensure that the SATAN directory tree is not NFS-mounted from a remote
    system.

  * It is best to run SATAN from a system that does not support multiple users.
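
One way to check the directory-tree precautions above before a run, as
an added example that is not part of the CERT advisory or the SATAN
distribution. It assumes GNU find and coreutils (stat -f -c %T); the
tree location is supplied by the caller and the function names are
illustrative.

```sh
#!/bin/sh
# Added example: audit a SATAN install against the directory precautions.
# Assumes GNU coreutils (stat -f -c %T); the path is supplied by the caller.

# Entries (symlinks excluded) that grant any permission to group or other.
loose_perms() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Entries not owned by root.
not_root_owned() {
    find "$1" ! -user root -print
}

# Filesystem type holding the tree, e.g. "ext2/ext3" or "nfs".
fs_type() {
    stat -f -c %T "$1"
}

# Return 0 only when every check passes; report each failure on stderr.
audit_satan_tree() {
    dir=$1 rc=0
    if [ -n "$(loose_perms "$dir")" ]; then
        echo "FAIL: accessible to users other than root:" >&2
        loose_perms "$dir" >&2
        rc=1
    fi
    if [ -n "$(not_root_owned "$dir")" ]; then
        echo "FAIL: entries not owned by root:" >&2
        not_root_owned "$dir" >&2
        rc=1
    fi
    case "$(fs_type "$dir")" in
        nfs*) echo "FAIL: $dir is on an NFS mount" >&2; rc=1 ;;
    esac
    return $rc
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_satan_tree "$1"
fi
```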


Addendum to Section 8. Getting more information about SATAN
-----------------------------------------------------------

The SATAN authors report that SATAN 1.1.1 is available from many
sites, including:

     ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z
     ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.README
     ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z
     ftp://ftp.win.tue.nl/pub/security/satan_doc.README

To get a current list of sites, send mail to: 

     majordomo@wzv.win.tue.nl 

and put in the body of your message

     get satan mirror-sites 

You can also use archie to locate sites that have SATAN.

MD5 checksums for SATAN:

     satan-1.1.1.README = 3f935e595ab85ee28b327237f1d55287
     satan-1.1.1.tar.Z = de2d3d38196ba6638b5d7f37ca8c54d7
     satan-1.1.1.tar.Z.asc = a9261070885560ec11e6cc1fe0622243
     satan_doc.README = 4ebe05abc3268493cdea0da786bc9589
     satan_doc.tar.Z = 951d8bfca033eeb483a004a4f801f99a
     satan_doc.tar.Z.asc = 3216053386f72347956f2f91d6c1cb7c
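
The checksum list above can be checked mechanically against a download
directory. The script below is an added example, not part of the CERT
advisory or the SATAN distribution; it assumes md5sum from GNU
coreutils, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: check downloaded SATAN files against the MD5 list above.
# Assumes md5sum (GNU coreutils); on BSD systems substitute `md5 -q`.

# Checksum list copied from this README, in its "name = digest" format.
cert_md5_list() {
    cat <<'EOF'
satan-1.1.1.README = 3f935e595ab85ee28b327237f1d55287
satan-1.1.1.tar.Z = de2d3d38196ba6638b5d7f37ca8c54d7
satan-1.1.1.tar.Z.asc = a9261070885560ec11e6cc1fe0622243
satan_doc.README = 4ebe05abc3268493cdea0da786bc9589
satan_doc.tar.Z = 951d8bfca033eeb483a004a4f801f99a
satan_doc.tar.Z.asc = 3216053386f72347956f2f91d6c1cb7c
EOF
}

# verify_md5_list DIR < list
# Prints OK/MISMATCH/MISSING per file; returns non-zero unless all are OK.
verify_md5_list() {
    dir=$1 rc=0
    while read -r name eq want; do
        [ "$eq" = "=" ] || continue      # skip lines not in "name = digest" form
        # Names in the list must be plain file names, never paths.
        case "$name" in */*) echo "REJECTED $name"; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)"; rc=1
        fi
    done
    return $rc
}

# Verify the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    cert_md5_list | verify_md5_list "$1"
fi
```

A file reported as MISSING or MISMATCH makes the script exit non-zero,
so it can gate an unpack or install step.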









