[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
-----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------------- CERT* Summary CS-98.07 August 26, 1998 The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems discussed here. Past CERT Summaries are available from http://www.cert.org/summaries/ ftp://ftp.cert.org/pub/cert_summaries/ - ---------------------------------------------------------------------------- Recent Activity - --------------- Since the last CERT Summary issued in June 1998 (CS-98.06), we have seen these trends in incidents reported to us. 1. New Tools Used For Widespread Scans It is nothing new for intruders to launch widespread scans to locate vulnerable machines. However, a new, publicly released intruder tool called "mscan" scans networks for many different vulnerabilities. The CERT/CC has received numerous reports indicating that this tool is in widespread use within the intruder community. We encourage you to review CERT Incident Note IN-98.02, which describes mscan and its recognizable signature in more detail. (A description of incident notes appears in a later section, New CERT Security Documents.) This incident note is available at http://www.cert.org/incident_notes/IN-98.02.html The tool uses DNS zone transfers and systematic scanning of IP addresses, either alone or in combination, to locate machines. Once machines are located, they are tested for a number of vulnerabilities. Additional useful information about mscan can be found at ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan courtesy of the Australian Computer Emergency Response Team (AUSCERT). 2. Buffer Overflows in Some POP Servers The CERT/CC continues to receive reports that the buffer overflow vulnerability described in CA-98.08 is being exploited in some Post Office Protocol (POP) servers based on QUALCOMM's qpopper implementation of POP. Remote users can gain privileged access to systems running vulnerable POP servers. For more information about the vulnerability, please see the most recent version of the advisory at http://www.cert.org/advisories/CA-98.08.qpopper_vul.html ftp://ftp.cert.org/pub/cert_advisories/CA-98.08.qpopper_vul and take appropriate action. 3. Multiple Vulnerabilities in BIND In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we discussed several attack methods being used to exploit vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from http://www.cert.org/summaries/CS-98.04.html http://www.cert.org/summaries/CS-98.05.html Intruders are still exploiting vulnerabilities described in CERT Advisory CA-98.05. We encourage you to review CERT Advisory CA-98.05, which describes the BIND buffer overflow vulnerability, and to apply the appropriate patches if you have not done so already. This advisory is available from http://www.cert.org/advisories/CA-98.05.bind_problems.html ftp://ftp.cert.org/pub/cert_advisories/CA-98.05.bind_problems If you find you have been root compromised, this document suggests appropriate steps to take in response: http://www.cert.org/tech_tips/root_compromise.html ftp://ftp.cert.org/pub/tech_tips/root_compromise Noteworthy Incident and Vulnerability Information - ------------------------------------------------- Internet Explorer Vulnerability Some versions of Microsoft's Internet Explorer 4 have a vulnerability in the way they handle Javascript. This problem can permit a maliciously written script to run arbitrary code on a user's machine. There is a CERT Vulnerability Note describing this problem and defenses against it. The vulnerability note is available at http://www.cert.org/vul_notes/VN-98.06.ms_jscript.html New CERT Security Documents - --------------------------- The CERT/CC sometimes has incident and vulnerability information that may not warrant CERT Summaries or Advisories, but that may have value for the Internet community. To easily disseminate that information, we have created two new document types: CERT Incident Notes and CERT Vulnerability Notes. CERT/CC Incident Notes Incident notes are an informal and current way to inform the Internet community about computer security incidents and changing intruder attacks that have been reported to us. There is no set schedule for publishing incident notes; they will be created as noteworthy incident information becomes available. Incident notes are available from http://www.cert.org/incident_notes/index.html CERT/CC Vulnerability Notes We created vulnerability notes as an informal mechanism for publishing current information about vulnerabilities. Vulnerability notes may contain a wide variety of information. Vulnerabilities that do not meet the criteria to become CERT advisories may be described in vulnerability notes, though some notes contain information similar to that in CERT advisories. Other notes contain more informal discussions about vulnerabilities. Vulnerability notes are available from http://www.cert.org/vul_notes/index.html We encourage you to periodically check the incident notes and vulnerability notes for new information. What's New and Updated - ---------------------- Brief notices about new and updated CERT information, such as advisories, vendor-initiated bulletins, and incident and vulnerability notes, are available from the CERT web site at http://www.cert.org/nav/whatsnew.html - ---------------------------------------------------------------------------- How to Contact the CERT Coordination Center EmailThis email address is being protected from spambots. You need JavaScript enabled to view it. Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address toThis email address is being protected from spambots. You need JavaScript enabled to view it. In the subject line, type SUBSCRIBE your-email-address CERT advisories and bulletins are posted on the USENET news group: comp.security.announce CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://ftp.cert.org/pub/ If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise you to encrypt your message. We can support a shared DES key or PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff If you do not have FTP or web access, send mail toThis email address is being protected from spambots. You need JavaScript enabled to view it. with "copyright" in the subject line. * CERT is registered in the U.S. Patent and Trademark Office. NO WARRANTY - ----------- ANY MATERIAL FURNISHED BY CARNEGIE MELLON UNIVERSITY AND THE SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNeQNz3VP+x0t4w7BAQERdgP/d0TXJGVbXn3O+PRxEa53VpTqb6KoxRNV aN/JE/DPUD7Tl3v+yg/HZ3HtwXVNVfrzwV7A8GK1+tKYsVH1gMD2rkoa9pM/x70I 3Q1rW29b7ocOYKij+bB+DCDfOUZL4ctzTmcYd2rp/GB+dsKesvzXUCluaZpX+I8W Zf7VJUdUzew= =ynSe -----END PGP SIGNATURE-----
Powered by: | MHonArc ![]() |