-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2002-01
February 28, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2001 (CS-2001-04), we have released several advisories, notably CA-2002-03, describing multiple vulnerabilities in SNMP. In addition, we have published 2001 statistics, our annual report, and a white paper on external computer security incidents.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Multiple Vulnerabilities in SNMP

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, enable denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in its Solution section. In addition to this advisory, we also have an FAQ on SNMP vulnerabilities.
   CERT Advisory CA-2002-03: Multiple Vulnerabilities In Many Implementations of the Simple Network Management Protocol (SNMP)
   http://www.cert.org/advisories/CA-2002-03.html

   Simple Network Management Protocol (SNMP) Vulnerabilities Frequently Asked Questions (FAQ)
   http://www.cert.org/tech_tips/snmp_faq.html

2. Exploitation of Vulnerability in Solaris CDE Subprocess Control Service

Since CA-2001-31 was originally released last November, the CERT/CC has received reports of scanning for dtspcd (6112/tcp). Just recently, however, we have received credible reports of an exploit for Solaris systems. Using network traces provided by The Honeynet Project, we have confirmed that the dtspcd vulnerability identified in CA-2001-31 and discussed in VU#172583 is actively being exploited.

   CERT Advisory CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service
   http://www.cert.org/advisories/CA-2002-01.html

   CERT Advisory CA-2001-31: Buffer Overflow in CDE Subprocess Control Service
   http://www.cert.org/advisories/CA-2001-31.html

   Vulnerability Note VU#172583: Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow
   http://www.kb.cert.org/vuls/id/172583

3. Buffer Overflow Vulnerability in Microsoft Windows UPnP Service

Vulnerabilities in software included by default on Microsoft Windows XP, and optionally on Windows ME and Windows 98, may allow an intruder to execute arbitrary code on vulnerable systems, to launch denial-of-service attacks against vulnerable systems, or to use vulnerable systems to launch denial-of-service attacks against third-party systems. To date we have not received any confirmed reports of UPnP exploitation; however, we urge Windows users to follow the advice provided in CA-2001-37 to protect their systems.
   CERT Advisory CA-2001-37: Buffer Overflow in UPnP Service On Microsoft Windows
   http://www.cert.org/advisories/CA-2001-37.html

   Vulnerability Note VU#951555: Microsoft Windows Universal Plug and Play (UPNP) vulnerable to buffer overflow via malformed advertisement packets
   http://www.kb.cert.org/vuls/id/951555

   Vulnerability Note VU#411059: Microsoft Windows Universal Plug and Play (UPNP) fails to limit the data returned in response to a NOTIFY message
   http://www.kb.cert.org/vuls/id/411059

4. Recent Activity Against Secure Shell Daemons

There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. The SSH protocol enables a secure communications channel from a client to a server. We are still seeing a high volume of scanning for SSH daemons, and we are receiving reports of exploitation. System administrators should review their configurations to ensure that they have applied all relevant patches.

   CERT Advisory CA-2001-35: Recent Activity Against Secure Shell Daemons
   http://www.cert.org/advisories/CA-2001-35.html

   Vulnerability Note VU#945216: SSH CRC32 attack detection code contains remote integer overflow
   http://www.kb.cert.org/vuls/id/945216

   CERT Incident Note IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector
   http://www.cert.org/incident_notes/IN-2001-12.html

5. Multiple Vulnerabilities in WU-FTPD

WU-FTPD is a widely deployed software package used to provide File Transfer Protocol (FTP) services on UNIX and Linux systems. There are two vulnerabilities in WU-FTPD that expose a system to potential remote root compromise by anyone with access to the FTP service. These vulnerabilities have recently received increased scrutiny.

   CERT Advisory CA-2001-33: Multiple Vulnerabilities in WU-FTPD
   http://www.cert.org/advisories/CA-2001-33.html

6. W32/BadTrans Worm

We have seen a steady stream of reports related to W32/BadTrans since November 2001.
W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed. Windows users should apply appropriate patches and update their antivirus programs as described in IN-2001-14.

   CERT Incident Note IN-2001-14: W32/BadTrans Worm
   http://www.cert.org/incident_notes/IN-2001-14.html

7. "Kaiten" Malicious Code

The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL 2000 Server will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."

   CERT Incident Note IN-2001-13: "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in MS-SQL
   http://www.cert.org/incident_notes/IN-2001-13.html

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * CERT/CC 2001 Annual Report
     http://www.cert.org/annual_rpts/cert_rpt_01.html

   * Advisories
     http://www.cert.org/advisories/

   * Computer Security Incident Response Team (CSIRT) Frequently Asked Questions
     http://www.cert.org/csirts/csirt_faq.html

   * External Security Incidents White Paper
     http://www.cert.org/archive/pdf/external-incidents.pdf

   * Incident Notes
     http://www.cert.org/incident_notes/

   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html

   * Training Schedule
     http://www.cert.org/training/

______________________________________________________________________

This document is available from:

   http://www.cert.org/summaries/CS-2002-01.html

______________________________________________________________________

CERT/CC Contact Information

Email: [address obscured in this archive copy]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to [address obscured in this archive copy]. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPH6JoqCVPMXQI2HJAQGjUwQAu1bT6qi08N+dsPGZeEFWIMVxBPQbqmh5
W6ad/WSWAi1jNPhPIg4DmLgzUirSk7MOyybgcMEK0KZVhr+HB+0aHiHv/4lLlvmC
re8rqW5gLGq/7AtoV1MfppeSdEKWfgWvUHX9NfZ5aDlS382pWoxTa2HnrxMkDDHe
Pg57W9mlkyw=
=jMzu
-----END PGP SIGNATURE-----