[SECURITY-L] Fwd: CAIS-Alerta: CERT Summary CS-2003-01
Silvana Mieko Misuta
mieko em unicamp.br
Fri Mar 21 17:56:09 -03 2003
Subject: CAIS-Alerta: CERT Summary CS-2003-01
Date: Fri, 21 Mar 2003 17:38:47 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
-----BEGIN PGP SIGNED MESSAGE-----
Dear all,
CAIS is forwarding CERT Summary CS-2003-01, which summarizes the types
of attacks and vulnerabilities most frequently reported to the CERT/CC
over the last three months. The document also includes references to
articles, documents and other information that help in handling the
security problems it points out.
CAIS reminds administrators of the need to follow the security alerts
published by vendors and by reputable organizations in the security
field. Just as important as staying informed is keeping your operating
systems and applications up to date with the latest available versions
and fixes.
Sincerely,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key #
################################################################
CERT Summary CS-2003-01
March 21, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in November
2002 (CS-2002-04), we have seen vulnerabilities in multiple Windows
operating system components, vulnerabilities in several widely used
pieces of server software, and a new piece of self-propagating
malicious code.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. Buffer Overflow Vulnerability in Core Windows DLL
A buffer overflow vulnerability exists in ntdll.dll. This
vulnerability may allow a remote attacker to execute arbitrary
code on the victim machine.
An exploit is publicly available for this vulnerability, which
increases the urgency for system administrators to apply a patch.
The CERT/CC strongly encourages sites running Windows to read CERT
Advisory CA-2003-09, examine their systems for signs of compromise,
and apply the appropriate patch as soon as possible.
CERT Advisory CA-2003-09:
Buffer Overflow Vulnerability in Core Windows DLL
http://www.cert.org/advisories/CA-2003-09.html
2. Remote Buffer Overflow in Sendmail
A vulnerability has been discovered in sendmail, the most popular
mail transfer agent (MTA) in use on the Internet, that may allow
remote attackers to gain the privileges of the sendmail daemon,
typically root. This vulnerability is triggered by the contents of
a specially-crafted email message rather than by lower-level
network traffic.
The CERT/CC has received reports of increased scanning for port
25/tcp (SMTP) and apparent attempts to exploit this vulnerability.
Sites running sendmail are encouraged to read CERT Advisory
CA-2003-07 and apply the appropriate patch.
Some other vendors have released patches for their MTA software
which prevent the MTA from passing potentially malicious messages
to other systems which may be running sendmail. We encourage sites
to apply these patches if possible to help protect other servers
on the Internet.
CERT Advisory CA-2003-07:
Remote Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-07.html
3. Increased Activity Targeting Windows Shares
Over the past few weeks, the CERT/CC has received an increasing
number of reports of intruder activity involving the exploitation
of Null (i.e., non-existent) or weak Administrator passwords on
Server Message Block (SMB) file shares used on systems running
Windows 2000 or Windows XP. This activity has resulted in the
successful compromise of thousands of systems, with home broadband
users' systems being a prime target. More information on this
activity and the attack tools known to be involved is described
in CERT Advisory CA-2003-08.
CERT Advisory CA-2003-08:
Increased Activity Targeting Windows Shares
http://www.cert.org/advisories/CA-2003-08.html
4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code
A buffer overflow vulnerability has been discovered in Samba, a
popular file and printer sharing tool. By exploiting this
vulnerability a remote attacker may be able to execute arbitrary
code with the privileges of the Super User, typically root. An
updated version of Samba (2.2.8) has been released.
The CERT/CC has not yet received reports of this vulnerability
being exploited, but sites are strongly encouraged to examine
their Samba servers and upgrade to the newest version if possible
to eliminate the potential for exploitation.
Vulnerability Note VU#298233:
Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
http://www.kb.cert.org/vuls/id/298233
5. MS-SQL Server Worm
The CERT/CC has received reports of self-propagating malicious
code that exploits a vulnerability in the Resolution Service of
Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE)
2000. This worm has been referred to as the SQLSlammer,
W32.Slammer, and Sapphire worm. The propagation of this malicious
code has caused varied levels of network degradation across the
Internet and the compromise of vulnerable machines. In January,
2003, the CERT/CC issued an advisory describing the SQL Server
Worm.
CERT Advisory CA-2003-04:
MS-SQL Server Worm
http://www.cert.org/advisories/CA-2003-04.html
Administrators of all systems running Microsoft SQL Server 2000
and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891.
For detailed vendor recommendations regarding installing the patch
see the following:
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
Six months earlier, the CERT/CC issued an advisory describing
several serious vulnerabilities in Microsoft SQL Server that allow
attackers to obtain sensitive information, alter database
contents, and compromise server hosts.
CERT Advisory CA-2002-22:
Multiple Vulnerabilities in Microsoft SQL Server
http://www.cert.org/advisories/CA-2002-22.html
6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)
Numerous vulnerabilities have been reported in multiple vendors'
implementations of the Session Initiation Protocol. These
vulnerabilities may allow an attacker to gain unauthorized
privileged access, cause denial-of-service attacks, or cause
unstable system behavior. If your site uses SIP-enabled products
in any capacity, the CERT/CC encourages you to read this advisory
and follow the advice provided in the Solution section below.
CERT Advisory CA-2003-06:
Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
http://www.cert.org/advisories/CA-2003-06.html
7. Multiple Vulnerabilities in SSH Implementations
Multiple vendors' implementations of the secure shell (SSH)
transport layer protocol contain vulnerabilities that could allow
a remote attacker to execute arbitrary code with the privileges of
the SSH process or cause a denial of service. The vulnerabilities
affect SSH clients and servers, and they occur before user
authentication takes place.
CERT Advisory CA-2002-36:
Multiple Vulnerabilities in SSH Implementations
http://www.cert.org/advisories/CA-2002-36.html
CERT Vulnerability Note VU#389665:
Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization
http://www.kb.cert.org/vuls/id/389665
8. Buffer Overflow in Microsoft Windows Shell
A buffer overflow vulnerability exists in the Microsoft Windows
Shell. An attacker can exploit this vulnerability by enticing a
victim to read a malicious email message, visit a malicious web
page, or browse to a folder containing a malicious .MP3 or .WMA
file. The attacker can then execute arbitrary code with the
privileges of the victim.
CERT Advisory CA-2002-37:
Buffer Overflow in Microsoft Windows Shell
http://www.cert.org/advisories/CA-2002-37.html
9. Double-Free Bug in CVS Server
A "double-free" vulnerability in the Concurrent Versions System
(CVS) server could allow an unauthenticated, remote attacker with
read-only access to execute arbitrary code, alter program
operation, read sensitive information, or cause a denial of
service.
CERT Advisory CA-2003-02:
Double-Free Bug in CVS Server
http://www.cert.org/advisories/CA-2003-02.html
10. Buffer Overflow in Windows Locator Service
A buffer overflow vulnerability in the Microsoft Windows Locator
service could allow a remote attacker to execute arbitrary code or
cause the Windows Locator service to fail. This service is enabled
and running by default on Windows 2000 domain controllers and
Windows NT 4.0 domain controllers. On January 23, 2003, the
CERT/CC issued an advisory describing the vulnerabilities in
Windows Locator Service and provided patch information.
CERT Advisory CA-2003-03:
Buffer Overflow in Windows Locator Service
http://www.cert.org/advisories/CA-2003-03.html
______________________________________________________________________
A note about CERT Advisories and email filters
CERT advisories occasionally contain words that may trigger email
filters. Please check your filters carefully to ensure proper delivery
of our email notifications. If your service provider conducts
filtering on your behalf, be aware that you may not receive some of
our notifications.
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated:
* CERT/CC 2002 Annual Report
http://www.cert.org/annual_rpts/cert_rpt_02.html
* Advisories
http://www.cert.org/advisories/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Incident Notes
http://www.cert.org/incident_notes
* Tech Tips
http://www.cert.org/tech_tips/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo em cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----