CERT mailing list archives
CERT Summary CS-2003-01
From: CERT Advisory <cert-advisory () cert org>
Date: Fri, 21 Mar 2003 15:02:33 -0500
CERT Summary CS-2003-01

March 21, 2003

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2002 (CS-2002-04), we have seen vulnerabilities in multiple Windows operating system components, vulnerabilities in several widely used pieces of server software, and a new piece of self-propagating malicious code.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Buffer Overflow Vulnerability in Core Windows DLL

   A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine. An exploit for this vulnerability is publicly available, which increases the urgency for system administrators to apply a patch. The CERT/CC strongly encourages sites running Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise, and apply the appropriate patch as soon as possible.

   CERT Advisory CA-2003-09: Buffer Overflow Vulnerability in Core Windows DLL
   http://www.cert.org/advisories/CA-2003-09.html

2. Remote Buffer Overflow in Sendmail

   A vulnerability has been discovered in sendmail, the most popular mail transfer agent (MTA) in use on the Internet, that may allow remote attackers to gain the privileges of the sendmail daemon, typically root. This vulnerability is triggered by the contents of a specially crafted email message rather than by lower-level network traffic. The CERT/CC has received reports of increased scanning for port 25/tcp (SMTP) and apparent attempts to exploit this vulnerability.

   Sites running sendmail are encouraged to read CERT Advisory CA-2003-07 and apply the appropriate patch. Some other vendors have released patches for their MTA software that prevent the MTA from passing potentially malicious messages to other systems which may be running sendmail. We encourage sites to apply these patches if possible to help protect other servers on the Internet.

   CERT Advisory CA-2003-07: Remote Buffer Overflow in Sendmail
   http://www.cert.org/advisories/CA-2003-07.html

3. Increased Activity Targeting Windows Shares

   Over the past few weeks, the CERT/CC has received an increasing number of reports of intruder activity involving the exploitation of Null (i.e., non-existent) or weak Administrator passwords on Server Message Block (SMB) file shares used on systems running Windows 2000 or Windows XP. This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target. More information on this activity and the attack tools known to be involved is available in CERT Advisory CA-2003-08.

   CERT Advisory CA-2003-08: Increased Activity Targeting Windows Shares
   http://www.cert.org/advisories/CA-2003-08.html

4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code

   A buffer overflow vulnerability has been discovered in Samba, a popular file and printer sharing tool. By exploiting this vulnerability, a remote attacker may be able to execute arbitrary code with the privileges of the Super User, typically root. An updated version of Samba (2.2.8) has been released. The CERT/CC has not yet received reports of this vulnerability being exploited, but sites are strongly encouraged to examine their Samba servers and upgrade to the newest version if possible to eliminate the potential for exploitation.

   Vulnerability Note VU#298233: Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
   http://www.kb.cert.org/vuls/id/298233

5. MS-SQL Server Worm

   The CERT/CC has received reports of self-propagating malicious code that exploits a vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. This worm has been referred to as the SQLSlammer, W32.Slammer, and Sapphire worm. The propagation of this malicious code has caused varied levels of network degradation across the Internet and the compromise of vulnerable machines.

   In January 2003, the CERT/CC issued an advisory describing the SQL Server Worm.

   CERT Advisory CA-2003-04: MS-SQL Server Worm
   http://www.cert.org/advisories/CA-2003-04.html

   Administrators of all systems running Microsoft SQL Server 2000 and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891. For detailed vendor recommendations regarding installing the patch, see the following:

   http://www.microsoft.com/technet/security/virus/alerts/slammer.asp

   Six months earlier, the CERT/CC issued an advisory describing several serious vulnerabilities in Microsoft SQL Server that allow attackers to obtain sensitive information, alter database contents, and compromise server hosts.

   CERT Advisory CA-2002-22: Multiple Vulnerabilities in Microsoft SQL Server
   http://www.cert.org/advisories/CA-2002-22.html

6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)

   Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

   CERT Advisory CA-2003-06: Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
   http://www.cert.org/advisories/CA-2003-06.html

7. Multiple Vulnerabilities in SSH Implementations

   Multiple vendors' implementations of the secure shell (SSH) transport layer protocol contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place.

   CERT Advisory CA-2002-36: Multiple Vulnerabilities in SSH Implementations
   http://www.cert.org/advisories/CA-2002-36.html

   CERT Vulnerability Note VU#389665: Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization
   http://www.kb.cert.org/vuls/id/389665

8. Buffer Overflow in Microsoft Windows Shell

   A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can exploit this vulnerability by enticing a victim to read a malicious email message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then execute arbitrary code with the privileges of the victim.

   CERT Advisory CA-2002-37: Buffer Overflow in Microsoft Windows Shell
   http://www.cert.org/advisories/CA-2002-37.html

9. Double-Free Bug in CVS Server

   A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow an unauthenticated, remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service.

   CERT Advisory CA-2003-02: Double-Free Bug in CVS Server
   http://www.cert.org/advisories/CA-2003-02.html

10. Buffer Overflow in Windows Locator Service

   A buffer overflow vulnerability in the Microsoft Windows Locator service could allow a remote attacker to execute arbitrary code or cause the Windows Locator service to fail. This service is enabled and running by default on Windows 2000 domain controllers and Windows NT 4.0 domain controllers.

   On January 23, 2003, the CERT/CC issued an advisory describing the vulnerabilities in Windows Locator Service and provided patch information.

   CERT Advisory CA-2003-03: Buffer Overflow in Windows Locator Service
   http://www.cert.org/advisories/CA-2003-03.html
______________________________________________________________________

A note about CERT Advisories and email filters

CERT advisories occasionally contain words that may trigger email filters. Please check your filters carefully to ensure proper delivery of our email notifications. If your service provider conducts filtering on your behalf, be aware that you may not receive some of our notifications.
______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated:

   * CERT/CC 2002 Annual Report
     http://www.cert.org/annual_rpts/cert_rpt_02.html
   * Advisories
     http://www.cert.org/advisories/
   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html
   * Incident Notes
     http://www.cert.org/incident_notes
   * Tech Tips
     http://www.cert.org/tech_tips/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2003-01.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert () cert org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo () cert org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2003 Carnegie Mellon University.