Archive of CERT general posting, CERT Summary CS-2002-04

27/11/02, CERT Summary CS-2002-04
From: CERT Advisory <>


Subject: CERT Summary CS-2002-04
From: CERT Advisory <>
Date: Tue, 26 Nov 2002 14:59:19 -0500
Mail-from: From Wed Nov 27 04:36:03 2002
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Summary CS-2002-04

   November 26, 2002

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries


Recent Activity

   Since the last regularly scheduled CERT summary, issued in August 2002
   (CS-2002-03),   we   have   seen   trojan  horses  for  three  popular
   distributions,  new  self-propagating malicious code (Apache/mod_ssl),
   and  multiple  vulnerabilities  in BIND. In addition, we have issued a
   new PGP Key.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. Apache/mod_ssl Worm

       Over  the  past  several  months,  we  have  received reports of a
       self-propagating  malicious  code  that  exploits  a vulnerability
       (VU#102795)  in  OpenSSL. Reports received by the CERT/CC indicate
       that  the  Apache/mod_ssl  worm  has already infected thousands of
       systems.  Over  a  month  earlier,  the CERT/CC issued an advisory
       (CA-2002-23) describing four remotely exploitable buffer overflows
       in OpenSSL.

		CERT Advisory CA-2002-27
		Apache/mod_ssl Worm

		CERT Advisory CA-2002-23
		Multiple Vulnerabilities in OpenSSL

		Vulnerability Note #102795
		OpenSSL  servers contain a buffer overflow during the 
		SSL2 handshake process

    2. Trojan Horse Sendmail Distribution

       The  CERT/CC  has  received  confirmation  that some copies of the
       source  code  for  the  Sendmail  package have been modified by an
       intruder  to  contain a Trojan horse. These copies began to appear
       in  downloads  from  the  FTP server on or around
       September  28,  2002.  On  October  8, 2002, the CERT/CC issued an
       advisory   (CA-2002-28)   describing  various  methods  to  verify
       software authenticity.

		CERT Advisory CA-2002-28
		Trojan Horse Sendmail Distribution

    3. Trojan Horse tcpdump and libpcap Distributions

       The  CERT/CC  has  received reports that some copies of the source
       code  for  libpcap,  a  packet acquisition library, and tcpdump, a
       network  sniffer,  have been modified by an intruder and contain a
       Trojan  horse.  These  modified  distributions  began to appear in
       downloads  from  the  HTTP server on or around Nov
       11,  2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5
       checksums and official distribution sites for libpcap and tcpdump.

		CERT Advisory CA-2002-30
		Trojan Horse tcpdump and libpcap Distributions

    4. Multiple Vulnerabilities in BIND

       The  CERT/CC  has documented multiple vulnerabilities in BIND, the
       popular  domain  name  server  and client library software package
       from  the  Internet  Software  Consortium  (ISC).  Some  of  these
       vulnerabilities  may  allow a remote intruder to execute arbitrary
       code  with  privileges  of  the  user  running  named  (typically
       root).  Several  vulnerabilities  are  referenced in the advisory;
       they are listed here individually.

		CERT Advisory CA-2002-31
		Multiple Vulnerabilities in BIND

		Vulnerability Note #852283
		Cached malformed SIG record buffer overflow

		Vulnerability Note #229595
		Overly large OPT record assertion

		Vulnerability Note #581682
		ISC Bind 8 fails to properly dereference cache SIG RR 
		elements with invalid expiry times from the internal database

		Vulnerability Note #844360
		Domain Name System (DNS) stub resolver libraries  
		vulnerable to buffer overflows via network name or 
		address lookups

    5. Heap  Overflow  Vulnerability  in Microsoft Data Access Components

       On  November  21, 2002 the CERT/CC issued an advisory (CA-2002-33)
       describing  a  vulnerability  in  MDAC,  a collection of Microsoft
       utilities and routines that process requests between databases and
       network applications.

	       CERT Advisory CA-2002-33
	       Heap Overflow Vulnerability in Microsoft Data Access 
	       Components (MDAC)


   On  September  19,  the  CERT/CC issued a new PGP key, which should be
   used when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key

          Sending Sensitive Information To The CERT/CC


What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
     * Congressional Testimony
     * CERT/CC Statistics
     * Home User Security
     * Tech Tips
     * Training Schedule

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.
