Archive of CERT general posting, CERT Summary CS-2003-01

22/03/03, CERT Summary CS-2003-01
From: CERT Advisory <>


Subject: CERT Summary CS-2003-01
From: CERT Advisory <>
Date: Fri, 21 Mar 2003 15:02:37 -0500
List-post: NO (posting not allowed on this list)
Mail-from: From Sat Mar 22 04:54:17 2003
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Summary CS-2003-01

   March 21, 2003

   Each  quarter, the CERT Coordination Center  (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries


   Recent Activity

   Since  the  last  regularly scheduled CERT summary, issued in November
   2002  (CS-2002-04),  we  have seen vulnerabilities in multiple Windows
   operating  system  components,  vulnerabilities in several widely used
   pieces  of  server  software,  and  a  new  piece  of self-propagating
   malicious code.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. Buffer Overflow Vulnerability in Core Windows DLL

       A   buffer   overflow  vulnerability  exists  in  ntdll.dll.  This
       vulnerability  may  allow  a  remote attacker to execute arbitrary
       code on the victim machine.

       An exploit for this vulnerability is publicly available, which
       increases the urgency for system administrators to apply a patch.
       The CERT/CC strongly encourages sites running Windows to read CERT
       Advisory CA-2003-09, examine their systems for signs of compromise,
       and apply the appropriate patch as soon as possible.

          CERT  Advisory  CA-2003-09:
          Buffer Overflow Vulnerability in Core Windows DLL

    2. Remote Buffer Overflow in Sendmail

       A  vulnerability has been discovered in sendmail, the most popular
       mail  transfer  agent (MTA) in use on the Internet, that may allow
       remote  attackers  to  gain the privileges of the sendmail daemon,
       typically root. This vulnerability is triggered by the contents of
       a  specially-crafted  email  message  rather  than  by lower-level
       network traffic.

       The CERT/CC has received reports of increased scanning for port
       25/tcp (SMTP) and apparent attempts to exploit this vulnerability.
       Sites running sendmail are encouraged to read CERT Advisory
       CA-2003-07 and apply the appropriate patch.

       Some other vendors have released patches for their MTA software
       that prevent the MTA from passing potentially malicious messages
       to other systems that may be running sendmail. We encourage sites
       to apply these patches if possible to help protect other servers
       on the Internet.

           CERT  Advisory  CA-2003-07:
           Remote  Buffer  Overflow  in Sendmail

    3. Increased Activity Targeting Windows Shares

       Over  the  past  few weeks, the CERT/CC has received an increasing
       number  of reports of intruder activity involving the exploitation
       of  Null  (i.e.,  non-existent) or weak Administrator passwords on
       Server  Message  Block  (SMB)  file shares used on systems running
       Windows  2000  or  Windows  XP.  This activity has resulted in the
       successful compromise of thousands of systems, with home broadband
       users' systems being a prime target. More information on this
       activity and the attack tools known to be involved is available
       in CERT Advisory CA-2003-08.

           CERT  Advisory  CA-2003-08:
           Increased Activity Targeting Windows Shares

    4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment
       Reassembly Code

       A  buffer  overflow  vulnerability has been discovered in Samba, a
       popular   file  and  printer  sharing  tool.  By  exploiting  this
       vulnerability  a  remote attacker may be able to execute arbitrary
       code  with  the  privileges  of the Super User, typically root. An
       updated version of Samba (2.2.8) has been released.

       The CERT/CC has not yet received reports of this vulnerability
       being exploited, but sites are strongly encouraged to examine
       their Samba servers and upgrade to the newest version if possible
       to eliminate the potential for exploitation.

           Vulnerability Note VU#298233:
           Samba contains buffer overflow in SMB/CIFS
           packet fragment reassembly code

    5. MS-SQL Server Worm

       The  CERT/CC  has  received  reports of self-propagating malicious
       code  that  exploits  a vulnerability in the Resolution Service of
       Microsoft  SQL  Server  2000  and  Microsoft Desktop Engine (MSDE)
       2000.   This   worm  has  been  referred  to  as  the  SQLSlammer,
       W32.Slammer,  and Sapphire worm. The propagation of this malicious
       code  has  caused  varied levels of network degradation across the
       Internet  and  the  compromise of vulnerable machines. In January,
       2003,  the  CERT/CC  issued  an advisory describing the SQL Server

           CERT Advisory CA-2003-04:
           MS-SQL Server Worm

       Administrators  of  all  systems running Microsoft SQL Server 2000
       and  MSDE  2000 are encouraged to review CA-2002-22 and VU#484891.
       For detailed vendor recommendations regarding installing the patch
       see the following:

       Six  months  earlier,  the  CERT/CC  issued an advisory describing
       several serious vulnerabilities in Microsoft SQL Server that allow
       attackers   to   obtain   sensitive  information,  alter  database
       contents, and compromise server hosts.

           CERT Advisory CA-2002-22:
           Multiple Vulnerabilities in Microsoft SQL Server

    6. Multiple Vulnerabilities in Implementations of the Session
       Initiation Protocol (SIP)

       Numerous  vulnerabilities  have been reported in multiple vendors'
       implementations   of   the   Session  Initiation  Protocol.  These
       vulnerabilities   may  allow  an  attacker  to  gain  unauthorized
       privileged  access,  cause  denial-of-service  attacks,  or  cause
       unstable  system  behavior. If your site uses SIP-enabled products
       in  any capacity, the CERT/CC encourages you to read this advisory
       and follow the advice provided in the Solution section below.

           CERT Advisory CA-2003-06:
           Multiple vulnerabilities in implementations of the Session     
           Initiation Protocol (SIP)

    7. Multiple Vulnerabilities in SSH Implementations

       Multiple  vendors'  implementations  of  the  secure  shell  (SSH)
       transport  layer protocol contain vulnerabilities that could allow
       a remote attacker to execute arbitrary code with the privileges of
       the  SSH process or cause a denial of service. The vulnerabilities
       affect  SSH  clients  and  servers,  and  they  occur  before user
       authentication takes place.

           CERT Advisory CA-2002-36:
           Multiple Vulnerabilities in SSH Implementations

           CERT  Vulnerability Note VU#389665:
           Multiple vendors' SSH transport layer protocol implementations 
           contain vulnerabilities in key exchange and initialization

    8. Buffer Overflow in Microsoft Windows Shell

       A  buffer  overflow  vulnerability exists in the Microsoft Windows
       Shell.  An  attacker  can exploit this vulnerability by enticing a
       victim  to  read  a malicious email message, visit a malicious web
       page,  or  browse  to a folder containing a malicious .MP3 or .WMA
       file.  The  attacker  can  then  execute  arbitrary  code with the
       privileges of the victim.

           CERT  Advisory  CA-2002-37:
           Buffer Overflow in Microsoft Windows Shell

    9. Double-Free Bug in CVS Server

       A  "double-free"  vulnerability  in the Concurrent Versions System
       (CVS)  server could allow an unauthenticated, remote attacker with
       read-only   access   to  execute  arbitrary  code,  alter  program
       operation,  read  sensitive  information,  or  cause  a  denial of

           CERT Advisory CA-2003-02:
           Double-Free Bug in CVS Server

   10. Buffer Overflow in Windows Locator Service

       A  buffer  overflow vulnerability in the Microsoft Windows Locator
       service could allow a remote attacker to execute arbitrary code or
       cause the Windows Locator service to fail. This service is enabled
       and  running  by  default  on  Windows 2000 domain controllers and
       Windows  NT  4.0  domain  controllers.  On  January  23, 2003, the
       CERT/CC  issued  an  advisory  describing  the  vulnerabilities in
       Windows Locator Service and provided patch information.

           CERT Advisory CA-2003-03:
           Buffer Overflow in Windows Locator Service


   A note about CERT Advisories and email filters

   CERT  advisories  occasionally  contain  words  that may trigger email
   filters. Please check your filters carefully to ensure proper delivery
   of   our  email  notifications.  If  your  service  provider  conducts
   filtering  on  your  behalf, be aware that you may not receive some of
   our notifications.

   What's New and Updated

   Since the last CERT Summary, we have published new and updated:
     * CERT/CC 2002 Annual Report
     * Advisories
     * CERT/CC Statistics
     * Incident Notes
     * Tech Tips

   This document is available from:

   CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University. 
