Archive of CERT general posting, CERT Summary CS-2002-01

01/03/02, CERT Summary CS-2002-01
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Summary CS-2002-01
From: CERT Advisory <>
Date: Thu, 28 Feb 2002 15:06:50 -0500 (EST)
List-Archive: <>
List-Help: <>, <>
List-Owner: <>
List-Post: NO (posting not allowed on this list)
List-Subscribe: <>
List-Unsubscribe: <>
Mail-from: From Fri Mar 1 06:13:55 2002
Organization: CERT(R) Coordination Center - +1 412-268-7090


   CERT Summary CS-2002-01

   February 28, 2002

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries


   Recent Activity

   Since  the  last  regularly scheduled CERT summary, issued in November
   2001  (CS-2001-04),  we  have  released  several  advisories,  notably
   CA-2002-03,  describing multiple vulnerabilities in SNMP. In addition,
   we  have  published  2001  statistics,  our annual report, and a white
   paper on external computer security incidents.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. Multiple Vulnerabilities in SNMP

       Numerous  vulnerabilities  have been reported in multiple vendors'
       SNMP implementations. These vulnerabilities may allow unauthorized
       privileged  access,  denial-of-service  attacks, or cause unstable
       behavior.  If  your  site  uses  SNMP in any capacity, the CERT/CC
       encourages  you  to  read  this  advisory  and  follow  the advice
       provided in the Solution section. In addition to this advisory, we
       also have an FAQ on SNMP vulnerabilities.

                CERT Advisory CA-2002-03:  
		Multiple Vulnerabilities In Many Implementations of  
		the Simple Network Management Protocol (SNMP)

                Simple Network Management Protocol (SNMP) Vulnerabilities
                Frequently Asked Questions (FAQ)

    2. Exploitation  of  Vulnerability  in Solaris CDE Subprocess Control

       Since  CA-2001-31  was  originally  released  last  November,  the
       CERT/CC  has  received  reports of scanning for dtspcd (6112/tcp).
       Just  recently,  however,  we have received credible reports of an
       exploit  for Solaris systems. Using network traces provided by The
       Honeynet  Project, we have confirmed that the dtspcd vulnerability
       identified  in  CA-2001-31  and discussed in VU#172583 is actively
       being exploited.

                CERT Advisory CA-2002-01: 
		Exploitation of Vulnerability in CDE Subprocess Control Service

                CERT Advisory CA-2001-31:   
		Buffer Overflow in CDE Subprocess Control Service

                Vulnerability Note #172583:  
		Common Desktop Environment (CDE) Subprocess Control Service
		dtspcd contains buffer overflow

    3. Buffer Overflow Vulnerability in Microsoft Windows UPnP Service

       Vulnerabilities  in  software  included  by  default  on Microsoft
       Windows XP, and optionally on Windows ME and Windows 98, may allow
       an  intruder  to  execute arbitrary code on vulnerable systems, to
       launch denial-of-service attacks against vulnerable systems, or to
       use vulnerable systems to launch denial-of-service attacks against
       third-party  systems.  To  date we have not received any confirmed
       reports  of  UPnP  exploitation; however, we urge Windows users to
       follow the advice provided in CA-2001-37 to protect their systems.

                CERT Advisory CA-2001-37: 
		Buffer Overflow in UPnP Service On Microsoft Windows

                Vulnerability Note #951555: 
		Microsoft Windows Universal Plug and Play  (UPNP) vulnerable
		to buffer overflow via malformed advertisement packets

                Vulnerability Note #411059:
		Microsoft Windows Universal Plug and Play (UPNP) fails to 
		limit the data returned in response to a NOTIFY message

    4. Recent Activity Against Secure Shell Daemons

       There  are  multiple vulnerabilities in several implementations of
       the Secure Shell (SSH) protocol. The SSH protocol enables a secure
       communications  channel  from  a  client to a server. We are still
       seeing  a  high  amount  of  scanning  for SSH daemons, and we are
       receiving  reports  of  exploitation. System administrators should
       review  their  configurations to ensure that they have applied all
       relevant patches.

                CERT Advisory CA-2001-35: 
		Recent Activity Against Secure Shell Daemons

                Vulnerability Note #945216: 
		SSH CRC32 attack detection code contains remote integer overflow

                CERT Incident Note IN-2001-12: 
		Exploitation of vulnerability in SSH1 CRC-32 compensation
		attack detector

    5. Multiple Vulnerabilities in WU-FTPD

       WU-FTPD is a widely deployed software package used to provide File
       Transfer  Protocol (FTP) services on UNIX and Linux systems. There
       are  two  vulnerabilities  in  WU-FTPD  that  expose  a  system to
       potential  remote root compromise by anyone with access to the FTP
       service.  These  vulnerabilities  have recently received increased

                CERT Advisory CA-2001-33:  
		Multiple  Vulnerabilities in WU-FTPD

    6. W32/BadTrans Worm

       We  have  seen  a steady stream of reports related to W32/Badtrans
       since  November  2001. W32/BadTrans is a malicious Windows program
       distributed  as  an  email  file  attachment.  Because  of a known
       vulnerability  in  Internet Explorer, some email programs, such as
       Outlook  Express and Outlook, may execute the malicious program as
       soon  as  the  email message is viewed. Windows users should apply
       appropriate   patches  and  update  their  antivirus  programs  as
       described in IN-2001-14.

                CERT Incident Note IN-2001-14: W32/BadTrans Worm

    7. "Kaiten" Malicious Code

       The  CERT/CC has received reports of a new variant of the "Kaiten"
       malicious  code  being  installed  through  exploitation  of  null
       default  sa  passwords  in Microsoft SQL Server and Microsoft Data
       Engine.  (Microsoft  SQL 2000 Server will allow a null sa password
       to  be  used,  but  this is not default behavior.) Various sources
       have  referred  to  this malicious code as "W32/Voyager," "Voyager
       Alpha Force," and "W32/CBlade.worm."

                CERT Incident Note IN-2001-13: 
		"Kaiten" Malicious Code Installed by Exploiting Null 
		Default Passwords in MS-SQL

   What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * CERT/CC 2001 Annual Report
     * Advisories
     * Computer  Security Incident Response Team (CSIRT) Frequently Asked
     * External Security Incidents White Paper
     * Incident Notes
     * CERT/CC Statistics
     * Training Schedule

   This document is available from:

   CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

Version: PGP 6.5.8


Next message sorted by date: CERT Summary CS-2002-02
Next message by thread: CERT Summary CS-2002-02
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2003