-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2002-01
February 28, 2002
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in November
2001 (CS-2001-04), we have released several advisories, notably
CA-2002-03, describing multiple vulnerabilities in SNMP. In addition,
we have published 2001 statistics, our annual report, and a white
paper on external computer security incidents.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. Multiple Vulnerabilities in SNMP
Numerous vulnerabilities have been reported in multiple vendors'
SNMP implementations. These vulnerabilities may allow unauthorized
privileged access, denial-of-service attacks, or cause unstable
behavior. If your site uses SNMP in any capacity, the CERT/CC
encourages you to read this advisory and follow the advice
provided in the Solution section. In addition to this advisory, we
also have an FAQ on SNMP vulnerabilities.
CERT Advisory CA-2002-03:
Multiple Vulnerabilities In Many Implementations of
the Simple Network Management Protocol (SNMP)
http://www.cert.org/advisories/CA-2002-03.html
Simple Network Management Protocol (SNMP) Vulnerabilities
Frequently Asked Questions (FAQ)
http://www.cert.org/tech_tips/snmp_faq.html
2. Exploitation of Vulnerability in Solaris CDE Subprocess Control Service
Since CA-2001-31 was originally released last November, the
CERT/CC has received reports of scanning for dtspcd (6112/tcp).
Just recently, however, we have received credible reports of an
exploit for Solaris systems. Using network traces provided by The
Honeynet Project, we have confirmed that the dtspcd vulnerability
identified in CA-2001-31 and discussed in VU#172583 is actively
being exploited.
CERT Advisory CA-2002-01:
Exploitation of Vulnerability in CDE Subprocess Control Service
http://www.cert.org/advisories/CA-2002-01.html
CERT Advisory CA-2001-31:
Buffer Overflow in CDE Subprocess Control Service
http://www.cert.org/advisories/CA-2001-31.html
Vulnerability Note #172583:
Common Desktop Environment (CDE) Subprocess Control Service
dtspcd contains buffer overflow
http://www.kb.cert.org/vuls/id/172583
3. Buffer Overflow Vulnerability in Microsoft Windows UPnP Service
Vulnerabilities in software included by default on Microsoft
Windows XP, and optionally on Windows ME and Windows 98, may allow
an intruder to execute arbitrary code on vulnerable systems, to
launch denial-of-service attacks against vulnerable systems, or to
use vulnerable systems to launch denial-of-service attacks against
third-party systems. To date we have not received any confirmed
reports of UPnP exploitation; however, we urge Windows users to
follow the advice provided in CA-2001-37 to protect their systems.
CERT Advisory CA-2001-37:
Buffer Overflow in UPnP Service On Microsoft Windows
http://www.cert.org/advisories/CA-2001-37.html
Vulnerability Note #951555:
Microsoft Windows Universal Plug and Play (UPNP) vulnerable
to buffer overflow via malformed advertisement packets
http://www.kb.cert.org/vuls/id/951555
Vulnerability Note #411059:
Microsoft Windows Universal Plug and Play (UPNP) fails to
limit the data returned in response to a NOTIFY message
http://www.kb.cert.org/vuls/id/411059
4. Recent Activity Against Secure Shell Daemons
There are multiple vulnerabilities in several implementations of
the Secure Shell (SSH) protocol. The SSH protocol enables a secure
communications channel from a client to a server. We are still
seeing a high amount of scanning for SSH daemons, and we are
receiving reports of exploitation. System administrators should
review their configurations to ensure that they have applied all
relevant patches.
CERT Advisory CA-2001-35:
Recent Activity Against Secure Shell Daemons
http://www.cert.org/advisories/CA-2001-35.html
Vulnerability Note #945216:
SSH CRC32 attack detection code contains remote integer overflow
http://www.kb.cert.org/vuls/id/945216
CERT Incident Note IN-2001-12:
Exploitation of vulnerability in SSH1 CRC-32 compensation
attack detector
http://www.cert.org/incident_notes/IN-2001-12.html
5. Multiple Vulnerabilities in WU-FTPD
WU-FTPD is a widely deployed software package used to provide File
Transfer Protocol (FTP) services on UNIX and Linux systems. There
are two vulnerabilities in WU-FTPD that expose a system to
potential remote root compromise by anyone with access to the FTP
service. These vulnerabilities have recently received increased
scrutiny.
CERT Advisory CA-2001-33:
Multiple Vulnerabilities in WU-FTPD
http://www.cert.org/advisories/CA-2001-33.html
6. W32/BadTrans Worm
We have seen a steady stream of reports related to W32/Badtrans
since November 2001. W32/BadTrans is a malicious Windows program
distributed as an email file attachment. Because of a known
vulnerability in Internet Explorer, some email programs, such as
Outlook Express and Outlook, may execute the malicious program as
soon as the email message is viewed. Windows users should apply
appropriate patches and update their antivirus programs as
described in IN-2001-14.
CERT Incident Note IN-2001-14: W32/BadTrans Worm
http://www.cert.org/incident_notes/IN-2001-14.html
7. "Kaiten" Malicious Code
The CERT/CC has received reports of a new variant of the "Kaiten"
malicious code being installed through exploitation of null
default sa passwords in Microsoft SQL Server and Microsoft Data
Engine. (Microsoft SQL 2000 Server will allow a null sa password
to be used, but this is not default behavior.) Various sources
have referred to this malicious code as "W32/Voyager," "Voyager
Alpha Force," and "W32/CBlade.worm."
CERT Incident Note IN-2001-13:
"Kaiten" Malicious Code Installed by Exploiting Null
Default Passwords in MS-SQL
http://www.cert.org/incident_notes/IN-2001-13.html
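Several of the items above describe the same observable on the defender's side: scanning for a service port (dtspcd on 6112/tcp in item 2, SSH daemons in item 4, MS-SQL in item 7). The script below is an added example, not part of the CERT summary, that runs a simple scan detector over constructed firewall-style log lines for the ports the seven items concern. Only 6112/tcp is stated on the page; the other ports are the standard IANA assignments and the log line format is an assumption of this example.

```python
"""Flag sources scanning for the services named in CERT Summary CS-2002-01.

Added example, not CERT/CC code. Input is a constructed firewall-style log
whose line format (assumed) is:
    "<unix_ts> <tcp|udp> <src_ip>:<sport> -> <dst_ip>:<dport> <action>"
A source is reported when it touches a watched port on at least
`min_targets` distinct destinations within `window` seconds.
"""
from collections import defaultdict
import re

# Ports the summary's items concern. 6112/tcp (dtspcd) is on the page; the
# rest are standard assignments and an assumption of this example.
WATCHED_PORTS = {
    ("udp", 161): "snmp (CA-2002-03)",
    ("udp", 162): "snmp-trap (CA-2002-03)",
    ("tcp", 6112): "dtspcd (CA-2002-01 / CA-2001-31)",
    ("udp", 1900): "upnp-ssdp (CA-2001-37)",
    ("tcp", 22): "ssh (CA-2001-35)",
    ("tcp", 21): "ftp / wu-ftpd (CA-2001-33)",
    ("tcp", 1433): "ms-sql (IN-2001-13)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample log (not real traffic). Timestamps are late Feb 2002.
SAMPLE_LOG = """\
1014900000 tcp 10.0.0.5:40001 -> 192.0.2.10:6112 deny
1014900002 tcp 10.0.0.5:40002 -> 192.0.2.11:6112 deny
1014900004 tcp 10.0.0.5:40003 -> 192.0.2.12:6112 deny
1014900005 tcp 10.0.0.5:40004 -> 192.0.2.13:6112 accept
1014900010 tcp 10.0.0.7:51000 -> 192.0.2.10:22 accept
1014900011 tcp 10.0.0.7:51001 -> 192.0.2.10:22 accept
1014900020 udp 10.0.0.9:1025 -> 192.0.2.10:161 deny
1014900900 udp 10.0.0.9:1026 -> 192.0.2.11:161 deny
1014901800 udp 10.0.0.9:1027 -> 192.0.2.12:161 deny
1014900030 tcp 10.0.0.11:3000 -> 192.0.2.50:1433 accept
1014900031 tcp 10.0.0.11:3001 -> 192.0.2.51:1433 accept
1014900032 tcp 10.0.0.11:3002 -> 192.0.2.52:1433 accept
1014900033 tcp 10.0.0.11:3003 -> 192.0.2.53:80 accept
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "action": d["action"]}


def find_scanners(lines, window=60, min_targets=3):
    """Return {src: {service: sorted distinct targets}} for sources that hit a
    watched port on >= min_targets distinct destinations within `window` s.
    Both accepted and denied connections count: a denied probe is still a probe."""
    hits = defaultdict(list)  # (src, service) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = WATCHED_PORTS.get((rec["proto"], rec["dport"]))
        if service is None:
            continue
        hits[(rec["src"], service)].append((rec["ts"], rec["dst"]))

    findings = defaultdict(dict)
    for (src, service), events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                findings[src][service] = sorted({dst for _, dst in events})
                break
    return dict(findings)


def report(lines, window=60, min_targets=3):
    """Human-readable one-line-per-finding summary."""
    out = []
    for src, services in sorted(find_scanners(lines, window, min_targets).items()):
        for service, targets in sorted(services.items()):
            out.append(f"{src} probed {service} on {len(targets)} hosts: "
                       + ", ".join(targets))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

On the sample data the dtspcd sweep from 10.0.0.5 and the MS-SQL sweep from 10.0.0.11 are reported; the two SSH connections from 10.0.0.7 go to one host and are not, and the three SNMP probes from 10.0.0.9 are spread fifteen minutes apart, so they only surface if the window is widened (for example `window=3600`), which is the usual trade-off between catching slow scans and tolerating legitimate management traffic.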
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated:
* CERT/CC 2001 Annual Report
http://www.cert.org/annual_rpts/cert_rpt_01.html
* Advisories
http://www.cert.org/advisories/
* Computer Security Incident Response Team (CSIRT) Frequently Asked
Questions
http://www.cert.org/csirts/csirt_faq.html
* External Security Incidents White Paper
http://www.cert.org/archive/pdf/external-incidents.pdf
* Incident Notes
http://www.cert.org/incident_notes/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Training Schedule
http://www.cert.org/training/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2002-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: [address obscured by the archive]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to [address obscured by the archive]. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPH6JoqCVPMXQI2HJAQGjUwQAu1bT6qi08N+dsPGZeEFWIMVxBPQbqmh5
W6ad/WSWAi1jNPhPIg4DmLgzUirSk7MOyybgcMEK0KZVhr+HB+0aHiHv/4lLlvmC
re8rqW5gLGq/7AtoV1MfppeSdEKWfgWvUHX9NfZ5aDlS382pWoxTa2HnrxMkDDHe
Pg57W9mlkyw=
=jMzu
-----END PGP SIGNATURE-----