Archive of CERT general posting, CERT Summary CS-99.03

01/09/99, CERT Summary CS-99.03
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@coal.cert.org
Subject: CERT Summary CS-99.03
From: CERT Advisory <cert-advisory@cert.org>
Date: Tue, 31 Aug 1999 16:59:44 -0400
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org


CERT Summary CS-99-03

   August 31, 1999
   
   Each quarter, the CERT® Coordination Center (CERT/CC) issues the CERT
   summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.
   
   Past CERT summaries are available from
   http://www.cert.org/summaries/
   ______________________________________________________________________
   
New CERT/CC PGP Key

   On October 4, 1999, the current PGP key for the CERT/CC will be
   replaced with a new PGP key. For more information, see
   
   http://www.cert.org/pgp/newpgp.html
   ______________________________________________________________________
   
New "CERT/CC Current Activity" Web Page

   The CERT/CC Current Activity web page is a regularly updated summary
   of the most frequent, high-impact types of security incidents and
   vulnerabilities currently being reported to the CERT/CC. It is
   available from
   
   http://www.cert.org/current/current_activity.html
       
   The information on the Current Activity page will be reviewed and
   updated as reporting trends change.
   ______________________________________________________________________
   
Recent Activity

   Since the last CERT summary, issued in May 1999 (CS-99-02), we have
   noted several vulnerabilities in RPC services, and we have analyzed
   and published information regarding the ExploreZip worm. We also
   continue to see widespread scans for known vulnerabilities.
   
   Protect your systems. Use current software versions, install patches
   as they become available, and update your scanning tools and
   anti-virus software with the latest virus signatures or definitions.
   Be cautious of unsolicited documents or executable programs received
   in electronic mail. Be wary of software that comes from untrusted
   sources.
   
    1. RPC Vulnerabilities
       We have received many reports of exploitations involving three RPC
       vulnerabilities. Such exploitations can lead to root compromise on
       systems that implement these RPC services. Analysis has shown that
       similar artifacts have been found on compromised systems. The
       vulnerable services are:

       rpc.cmsd

       Remote and local users can execute arbitrary code with the
       privileges of the rpc.cmsd daemon, typically root. This
       vulnerability is being exploited in a significant number of
       incidents reported to the CERT/CC. For more information see

           CERT Incident Note 99-04
           http://www.cert.org/incident_notes/IN-99-04.html
           CERT Advisory CA-99-08
           http://www.cert.org/advisories/CA-99-08-cmsd.html
       statd and automountd

       Vulnerabilities in these two services are being used together by
       intruders to gain access to vulnerable systems. The first
       vulnerability is in rpc.statd, a program used to communicate state
       changes among NFS clients and servers. The second vulnerability is
       in automountd, a program used to automatically mount certain types
       of file systems. The vulnerability in rpc.statd may allow a remote
       intruder to call arbitrary RPC services with the privileges of the
       rpc.statd process, typically root. The vulnerability in
       automountd may allow a local intruder to execute arbitrary
       commands with the privileges of the automountd service.
       By combining attacks exploiting these two vulnerabilities, a
       remote intruder is able to execute arbitrary commands with the
       privileges of the automountd service. For more information see

           CERT Incident Note 99-04
           http://www.cert.org/incident_notes/IN-99-04.html
           CERT Advisory CA-99-05
           http://www.cert.org/advisories/CA-99-05-statd-automountd.html
       ttdbserverd

       The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC
       service that manages objects needed for the operation of the
       ToolTalk service. ToolTalk-enabled processes communicate with each
       other using RPC calls to this program, which runs on each
       ToolTalk-enabled host. This program is a standard component of CDE
       (Common Desktop Environment), which is a standard component of
       many commercial Unix operating systems.
       Due to an implementation fault in rpc.ttdbserverd, it is possible
       for a malicious remote client to formulate an RPC message that can
       lead to a buffer overflow. This buffer overflow can result in an
       attacker gaining total control of the ttdbserver process. An
       intruder may be able to use this control to gain root-level
       privileges. For more information see

           CERT Incident Note 99-04
           http://www.cert.org/incident_notes/IN-99-04.html
           CERT Advisory CA-98-11
           http://www.cert.org/advisories/CA-98.11.tooltalk.html
    2. Virus and Trojan Horse Activity
       We continue to see reports of virus activity. Current versions of
       anti-virus software can help to protect your systems from these
       viruses.
       It is important to take great caution with any email or Usenet
       attachments that contain executable content. If you receive a
       message containing attachments, scan the message file with
       anti-virus software before you open or run the file. Doing this
       does not guarantee that the contents of the file are safe, but it
       lowers your risk of virus infection by checking for viruses and
       Trojan horses that your scanning software can detect.
       ExploreZip.exe

       The ExploreZip program is a Trojan horse affecting Windows
       95/98/NT systems. It modifies system files and destroys files. For
       ExploreZip to work, a person must open or run an infected email
       attachment, which allows the program to install a copy of itself
       on the victim's computer and enables further propagation.
       ExploreZip may also behave as a worm, propagating to other network
       machines without human interaction. For more information see

           CERT Advisory CA-99-06 ExploreZip Trojan Horse Program
           http://www.cert.org/advisories/CA-99-06-explorezip.html
           CERT Advisory CA-99-02 Trojan Horses
           http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
    3. Continued Widespread Scans
       We are still receiving daily reports of intruders using tools to
       scan networks for multiple vulnerabilities. Intruder scanning
       tools continue to become more sophisticated, varying from scripted
       tools and stealth scanning techniques to a tool that incorporates
       probes for known vulnerabilities, remote operating system
       identification, and automated exploitation attempts. For more
       information, see

           "sscan" Scanning Tool
           http://www.cert.org/incident_notes/IN-99-01.html
           Automated Scanning and Exploitation
           http://www.cert.org/incident_notes/IN-98-06.html
           Probes with Spoofed IP Addresses
           http://www.cert.org/incident_notes/IN-98-05.html
           Advanced Scanning
           http://www.cert.org/incident_notes/IN-98.04.html
           New Tools Used for Widespread Scans
           http://www.cert.org/incident_notes/IN-98.02.html
       The most frequent reports involve well-known vulnerabilities in
       mountd, IMAP, POP3, and several RPC services. These services are
       installed and enabled by default in some operating systems. See
       the following advisories for more information:
           sunrpc (TCP port 111) and mountd (635)
           http://www.cert.org/advisories/CA-98.12.mountd.html
           http://www.cert.org/incident_notes/IN-99-04.html
           IMAP (TCP port 143)
           http://www.cert.org/advisories/CA-98.09.imapd.html
           POP3 (TCP port 110)
           http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
           DNS (TCP port 53 [domain])
           http://www.cert.org/advisories/CA-98.05.bind_problems.html
           http://www.cert.org/advisories/CA-97.22.bind.html
       These scans involve known vulnerabilities for which patches are
       available. Protect your systems by making sure that they are
       properly secured.
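   An inventory check for the RPC services described in item 1 above, as an
   added example that is not part of the CERT summary: it parses the output
   of `rpcinfo -p` (a constructed sample is embedded so it runs offline) and
   reports every registered program whose number matches one of the services
   the advisories cover. The program numbers are the standard /etc/rpc
   assignments and should be verified against the local file.

```python
"""Flag the RPC programs discussed in CS-99-03 in `rpcinfo -p` output.
Added example, not CERT/CC code; the sample output below is constructed."""
import re

# Standard RPC program numbers from /etc/rpc (verify against your host's file).
WATCHLIST = {
    100068: "rpc.cmsd (CA-99-08)",
    100024: "rpc.statd (CA-99-05)",
    100099: "automountd (CA-99-05)",
    100083: "rpc.ttdbserverd (CA-98-11)",
    100005: "mountd (CA-98.12)",
}

# Constructed sample in the layout of `rpcinfo -p`: program vers proto port service
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100068    5   udp  32773  cmsd
    100083    1   tcp  32775  ttdbserver
    100099    1   udp  32774  autofs
    100005    1   udp    635  mountd
    100021    1   udp   4045  nlockmgr
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries

def flag_exposed(entries):
    """Map each watch-listed program number that is registered to
    (advisory label, sorted list of 'proto/port' endpoints it listens on)."""
    found = {}
    for prog, _vers, proto, port, _name in entries:
        if prog in WATCHLIST:
            found.setdefault(prog, set()).add(f"{proto}/{port}")
    return {p: (WATCHLIST[p], sorted(eps)) for p, eps in found.items()}

if __name__ == "__main__":
    # Anything printed here is a service the advisories above say to patch or disable.
    for prog, (label, eps) in sorted(flag_exposed(parse_rpcinfo(SAMPLE_RPCINFO)).items()):
        print(f"{prog} {label}: {', '.join(eps)}")
```

   On a live host, replace SAMPLE_RPCINFO with the captured output of
   `rpcinfo -p`; portmapper and nlockmgr are deliberately left unflagged.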
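   The port list in item 3 above turned into simple detection logic, as an
   added example that is not CERT/CC code: it reads denied-connection log
   lines (a constructed sample in a generic layout; the regex is an
   assumption to adapt to the firewall actually in use) and reports sources
   that touched several hosts or several of the listed services, which is
   the pattern the summary describes for multi-vulnerability scanning tools.

```python
"""Spot multi-service probes of the ports CS-99-03 lists as widely scanned.
Added example, not CERT/CC code; the log lines below are constructed."""
import re
from collections import defaultdict

# Ports named in the summary's "Continued Widespread Scans" section.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "IMAP", 110: "POP3", 53: "DNS"}

# Constructed denied-connection log lines in a generic "src:port -> dst:port" layout.
SAMPLE_LOG = """\
Aug 30 02:11:03 fw deny tcp 192.0.2.77:4321 -> 198.51.100.10:111
Aug 30 02:11:03 fw deny tcp 192.0.2.77:4322 -> 198.51.100.11:111
Aug 30 02:11:04 fw deny tcp 192.0.2.77:4323 -> 198.51.100.12:111
Aug 30 02:11:04 fw deny tcp 192.0.2.77:4324 -> 198.51.100.12:143
Aug 30 02:11:05 fw deny tcp 192.0.2.77:4325 -> 198.51.100.12:110
Aug 30 02:11:09 fw deny tcp 203.0.113.5:2000 -> 198.51.100.10:22
Aug 30 02:12:40 fw deny tcp 203.0.113.9:3100 -> 198.51.100.20:53
"""

# Assumed layout; adapt this pattern to the firewall's actual log format.
LOG_RE = re.compile(r"deny (tcp|udp) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")

def summarize(log_text):
    """Per source address, collect the target hosts and watched services it probed."""
    hits = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        _proto, src, dst, port = m.groups()
        service = WATCHED_PORTS.get(int(port))
        if service:                       # ignore ports the summary does not list
            hits[src][0].add(dst)
            hits[src][1].add(service)
    return hits

def flag_scanners(log_text, min_targets=3, min_services=2):
    """Return sorted (src, target_count, services) for sources that swept
    several hosts or probed several of the listed services."""
    flagged = []
    for src, (targets, services) in summarize(log_text).items():
        if len(targets) >= min_targets or len(services) >= min_services:
            flagged.append((src, len(targets), sorted(services)))
    return sorted(flagged)

if __name__ == "__main__":
    for src, count, services in flag_scanners(SAMPLE_LOG):
        print(f"{src}: {count} host(s), services {', '.join(services)}")
```

   The single DNS probe from 203.0.113.9 stays below both thresholds and is
   not reported; lower them to surface slow or narrow scans.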
   ______________________________________________________________________
   
What's New and Updated

   Since the last CERT summary, we have developed new and updated
     * Advisories
     * Courses
     * Incident notes
     * Security improvement modules
     * Technical reports
     * Tech tips
     * Virus resources
       
   There are descriptions of these documents and links to them on our
   "What's New" web page at
   http://www.cert.org/nav/whatsnew.html
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/summaries/CS-99-03.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT® Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in
   
   http://www.cert.org/legal_stuff.html
       
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.



