-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Summary CS-99-04

   November 23, 1999
   
   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.
   
   Past CERT summaries are available from
   http://www.cert.org/summaries/
   ______________________________________________________________________
   
Reminder: New CERT/CC PGP Key

   On October 4, 1999, the PGP key for the CERT/CC was replaced with a
   new PGP key. For more information, see
   
   http://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________
   
"CERT/CC Current Activity" Web Page

   The CERT/CC Current Activity web page is a regularly updated summary
   of the most frequent, high-impact types of security incidents and
   vulnerabilities currently being reported to the CERT/CC. It is
   available from
   
   http://www.cert.org/current/current_activity.html
       
   The information on the Current Activity page will be reviewed and
   updated as reporting trends change.
   ______________________________________________________________________
   
Year 2000 (Y2K) Information

   The CERT/CC has published information regarding the Y2K problem:
   
   Y2K Information
       http://www.cert.org/y2k-info/
   ______________________________________________________________________
   
Recent Activity

   Since the last CERT summary, issued in August 1999 (CS-99-03), we have
   published advisories on WU-FTPD, BIND, CDE, and AMD. We have also
   analyzed and published information regarding distributed intruder
   tools. Among other activity, we continue to see widespread scans for
   known vulnerabilities.
   
    1. Distributed Intruder Tools
       Denial of Service
       We have received reports of intruders compromising machines in
       order to install distributed systems used for launching packet
       flooding denial-of-service attacks. The systems typically contain
       a small number of servers and a large number of clients. These
       reports indicate that machines participating in such distributed
       systems are likely to have been root compromised. You can find
       more information in
       
        CERT Incident Note 99-07
                http://www.cert.org/incident_notes/IN-99-07.html
                
       Sniffer
       We have received reports of intruders using distributed network
       sniffers to capture usernames and passwords. The distributed
       sniffer consists of a client and a server portion. As of this
       summary, the sniffer clients have been found exclusively on
       compromised Linux hosts. For more information please see
       
        CERT Incident Note 99-06
                http://www.cert.org/incident_notes/IN-99-06.html
                
    2. CDE Vulnerabilities
       Multiple vulnerabilities have been identified in some
       distributions of the Common Desktop Environment (CDE). These
       vulnerabilities are different from those discussed in CA-98.02 and
       can lead to intruders gaining root access on vulnerable systems.
       For more information please see
       
        CERT Advisory CA-99-11
                http://www.cert.org/advisories/CA-99-1-CDE.html
                
    3. BIND Vulnerabilities
       Several vulnerabilities have been found in BIND, the popular
       domain name server from the Internet Software Consortium (ISC).
       One of these vulnerabilities may allow remote intruders to gain
       privileged access to name servers. The others can severely disrupt
       the operation of the name server. For more information, please see
       
        CERT Advisory CA-99-14
                http://www.cert.org/advisories/CA-99-14-bind.html
                
    4. WU-FTPD Vulnerabilities
       Three vulnerabilities have been identified in WU-FTPD and other
       ftp daemons based on the WU-FTPD source code. WU-FTPD is a common
       package used to provide File Transfer Protocol (FTP) services.
       Remote and local intruders may be able to exploit these
       vulnerabilities to execute arbitrary code as the user running the
       ftp daemon (usually root). Incidents involving the first of these
       three vulnerabilities have been reported to the CERT Coordination
       Center. For more information please see
       
        CERT Advisory CA-99-13
                http://www.cert.org/advisories/CA-99-13-wuftpd.html
                
    5. AMD Vulnerabilities
       There is a buffer overflow vulnerability in the logging facility
       of the amd daemon. This daemon automatically mounts file systems
       in response to attempts to access files that reside on those file
       systems. Remote intruders can exploit this vulnerability to
       execute arbitrary code as the user running the amd daemon (usually
       root). For more information see
       
        CERT Advisory CA-99-12
                http://www.cert.org/advisories/CA-99-12-amd.html
                
        We have received reports regarding exploits of this
        vulnerability. For more information please see
        
         CERT Incident Note 99-05
                 http://www.cert.org/incident_notes/IN-99-05.html
                
    6. RPC Vulnerabilities
       We continue to receive reports of exploitations involving three
       RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd.
       These exploitations can lead to root compromise on systems that
       implement vulnerable RPC services. Analysis has shown that similar
       artifacts have been found on compromised systems. For more
       information on the vulnerabilities please see
        
         CERT Incident Note 99-04
                 http://www.cert.org/incident_notes/IN-99-04.html
         CERT Advisory CA-99-08
                 http://www.cert.org/advisories/CA-99-08-cmsd.html
         CERT Advisory CA-99-05
                 http://www.cert.org/advisories/CA-99-05-statd-automountd.html
         CERT Advisory CA-98-11
                 http://www.cert.org/advisories/CA-98.11.tooltalk.html
                 
    7. Virus and Trojan Horse Activity
       We continue to see reports of virus activity. Current versions of
       anti-virus software can help to protect your systems from these
       viruses.
        It is important to exercise great caution with any email or Usenet
       attachments that contain executable content. If you receive a
       message containing attachments, scan the message file with
       anti-virus software before you open or run the file. Doing this
       does not guarantee that the contents of the file are safe, but it
       lowers your risk of virus infection by checking for viruses and
       Trojan horses that your scanning software can detect.
       CERT/CC has published a Virus Resources page that includes
       information on
       
          Frequently Asked Questions (FAQs) about Computer Viruses
                
          Hoax and Chain Letter Databases
                
          Virus Databases
                
          Virus Organizations and Publications
                
          Anti-Virus Vendors
                
          Virus Related Papers
                
       Please see
       
        Virus Resources
                http://www.cert.org/other_sources/viruses.html
                
    8. Continued Widespread Scans
       We continue to receive reports of scanning and probing activity.
       The most frequent reports tend to involve services that have
       well-known vulnerabilities. Hosts continue to be affected by
       exploitation of well-known vulnerabilities in these services.
        
         sunrpc (TCP port 111) and mountd (635)
                 http://www.cert.org/advisories/CA-98.12.mountd.html
                 http://www.cert.org/incident_notes/IN-99-04.html
         IMAP (TCP port 143)
                 http://www.cert.org/advisories/CA-98.09.imapd.html
         POP3 (TCP port 110)
                 http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
         DNS (TCP port 53 [domain])
                 http://www.cert.org/advisories/CA-98.05.bind_problems.html
                 http://www.cert.org/advisories/CA-97.22.bind.html
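   The scanning pattern described in this item is a horizontal sweep of one
   well-known service across many hosts. The following is an added detection
   example, not part of the CERT summary: it parses constructed firewall log
   lines in an assumed simplified format and reports sources that probed
   several distinct hosts on any of the ports listed above.

```python
import re
from collections import defaultdict

# Services and ports named in the "Continued Widespread Scans" item.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "IMAP", 110: "POP3", 53: "DNS"}

# Constructed sample lines in an assumed, simplified firewall-log format:
# "<Mon> <day> <hh:mm:ss> DENY <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
Nov 20 03:14:01 DENY TCP 192.0.2.7:4132 -> 198.51.100.1:111
Nov 20 03:14:01 DENY TCP 192.0.2.7:4133 -> 198.51.100.2:111
Nov 20 03:14:02 DENY TCP 192.0.2.7:4134 -> 198.51.100.3:111
Nov 20 03:14:02 DENY TCP 192.0.2.7:4135 -> 198.51.100.4:111
Nov 20 03:15:09 DENY TCP 203.0.113.9:1025 -> 198.51.100.1:143
Nov 20 03:15:09 DENY TCP 203.0.113.9:1026 -> 198.51.100.9:143
Nov 20 03:16:44 DENY TCP 192.0.2.200:2210 -> 198.51.100.1:110
Nov 20 03:17:00 DENY TCP 192.0.2.201:33000 -> 198.51.100.1:8080
garbage line that must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} [\d:]{8} DENY \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def find_scanners(text, min_hosts=3):
    """Return {src_ip: {service: distinct_host_count}} for sources that probed
    at least `min_hosts` distinct hosts on one watched port: the horizontal
    sweep of a well-known service that the summary describes."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst hosts}
    for src, dst, dport in parse_log(text):
        if dport in WATCHED_PORTS:
            seen[src][dport].add(dst)
    report = {}
    for src, ports in seen.items():
        hits = {WATCHED_PORTS[p]: len(h) for p, h in ports.items() if len(h) >= min_hosts}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for src, hits in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src} swept: {hits}")
```

   Lowering `min_hosts` trades fewer missed slow sweeps for more noise from
   legitimate clients that contact a handful of servers.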
   ______________________________________________________________________
   
What's New and Updated

   Since the last CERT summary, we have developed new and updated
     * Advisories
     * CERT statistics
     * Incident notes
     * Tech tips/FAQs
     * Y2K information
       
   There are descriptions of these documents and links to them on our
   "What's New" web page at
   http://www.cert.org/nav/whatsnew.html
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/summaries/CS-99-04.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email:          [address withheld by the archive]
   Phone:          +1 412-268-7090 (24-hour hotline)
   Fax:            +1 412-268-6989
   Postal address: CERT Coordination Center
                   Software Engineering Institute
                   Carnegie Mellon University
                   Pittsburgh PA 15213-3890
                   U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to [address withheld by the archive] and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in
   
   http://www.cert.org/legal_stuff.html
       
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA+AwUBODsBglr9kb5qlZHQEQIvZACbBrc75HYvuxT/JZDa778JBH3eWcAAlR1S
AFgkAYyLg3U8XXq5dhCRR0g=
=Oqqs
-----END PGP SIGNATURE-----