-----Original Message-----
From: CERT Advisory
Sent: 28 May 2002 19:47
To: [EMAIL PROTECTED]
Subject: CERT Summary CS-2002-02

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2002-02

May 28, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available at http://www.cert.org/summaries/.

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in February 2002 (CS-2002-01), we have released several advisories addressing vulnerabilities in Microsoft's IIS server, Oracle Database and Application Servers, Sun Solaris cachefsd, and MSN Instant Messenger. In addition, we have published statistics for the first quarter of 2002, numerous white papers, and a collection of frequently asked questions about the OCTAVE Method.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

1. Exploitation of Vulnerabilities in Microsoft SQL Server

The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.
CERT Incident Note IN-2002-04: Exploitation of Vulnerabilities in Microsoft SQL Server
http://www.cert.org/incident_notes/IN-2002-04.html

2. Buffer Overflow in Microsoft's MSN Chat ActiveX Control

Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user.

CERT Advisory CA-2002-13: Buffer Overflow in Microsoft's MSN Chat ActiveX Control
http://www.cert.org/advisories/CA-2002-13.html

3. Format String Vulnerability in ISC DHCPD

The Internet Software Consortium (ISC) provides a Dynamic Host Configuration Protocol Daemon (DHCPD), which is a server that is used to allocate network addresses and assign configuration parameters to hosts. A format string vulnerability may permit a remote attacker to execute code with the privileges of the DHCPD (typically root). We have not seen active scanning or exploitation of this vulnerability.

CERT Advisory CA-2002-12: Format String Vulnerability in ISC DHCPD
http://www.cert.org/advisories/CA-2002-12.html

4. Heap Overflow in Cachefs Daemon (cachefsd)

Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remotely exploitable vulnerability exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root. The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running cachefsd.

CERT Advisory CA-2002-11: Heap Overflow in Cachefs Daemon (cachefsd)
http://www.cert.org/advisories/CA-2002-11.html

5. Multiple Vulnerabilities in Microsoft IIS

A variety of vulnerabilities exist in various versions of Microsoft IIS. Some of these vulnerabilities may allow an intruder to execute arbitrary code on vulnerable systems.
CERT Advisory CA-2002-09: Multiple Vulnerabilities in Microsoft IIS
http://www.cert.org/advisories/CA-2002-09.html

6. Multiple Vulnerabilities in Oracle Servers

Multiple vulnerabilities in Oracle Application Server and Oracle Database have recently been discovered. These vulnerabilities include buffer overflows, insecure default settings, failures to enforce access controls, and failure to validate input. The impacts of these vulnerabilities include the execution of arbitrary commands or code, denial of service, and unauthorized access to sensitive information.

CERT Advisory CA-2002-08: Multiple Vulnerabilities in Oracle Servers
http://www.cert.org/advisories/CA-2002-08.html

7. Social Engineering Attacks via IRC and Instant Messaging

The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.
CERT Incident Note IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging
http://www.cert.org/incident_notes/IN-2002-03.html

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new or updated

* Advisories
* Incident Notes
* CERT/CC Statistics
* OCTAVE^SM Method Frequently Asked Questions
* White Papers
  + Foundations for Survivable Systems Engineering
  + Organized Crime and Cyber-Crime: Implications for Business
  + Overview of Attack Trends
  + Using PGP to Verify Digital Signatures
  + Downstream Liability for Attack Relay Amplification
  + Cross-Site Scripting Vulnerabilities
  + Countering Cyber War

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2002-02.html

______________________________________________________________________

CERT/CC Contact Information

Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to [EMAIL PROTECTED]. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2002 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPPPOk6CVPMXQI2HJAQHHeAQAxlNggZhs00dAQBX4Wvm1xIeBMyK6NYLn
HQyiHIhHFoeshf+FsF1aBbwV1m07nkv9OnEWm4I2fqOPtPRNQJAAhud7XrfEpeOm
EqEkHQD9LaoQux/HVe23Gmp/Lv5RkLbUu72tL18KdI7YVnteRKvtxIWvCgFfvjRM
2YTPonaOjlQ=
=XKwE
-----END PGP SIGNATURE-----

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk
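Editor's note on item 3 of the summary (format string vulnerability in ISC DHCPD). The C below is an added illustration of the bug class, written for this page; it is not code from the CERT advisory or from ISC's DHCPD source, and the function names, the 64-byte buffer and the "client-supplied hostname" string are constructed for the example. The point it makes is the one the advisory relies on: when a daemon passes attacker-controlled text to a printf-family function as the format argument, the attacker chooses the conversions ("%x" reads stack words, "%n" writes a count into memory), which is how a logging bug becomes code execution at the daemon's privilege level, root in DHCPD's usual deployment. The example uses "%%" as the hostile input because its behaviour is defined in both paths, so the difference between the two logging helpers can be observed without triggering undefined behaviour.

```c
/* Added example: format-string bug class beside its fix. Not ISC DHCPD code;
 * names and inputs are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string IS the format string.
 * With "%x%x%n" as input this would read the stack and write memory;
 * it is only ever called with "%%" here, whose result is defined. */
int log_client_unsafe(char *out, size_t outlen, const char *client_text)
{
    return snprintf(out, outlen, client_text);      /* BUG: client picks the conversions */
}

/* Hardened pattern: fixed format, untrusted text only ever a %s argument. */
int log_client_safe(char *out, size_t outlen, const char *client_text)
{
    return snprintf(out, outlen, "%s", client_text);
}

/* Audit helper: does the text carry a '%' that a printf-family function
 * would treat as a conversion if it were ever misused as a format?
 * "%%" is a literal percent and is skipped. Returns 1 if a directive is present. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* escaped percent, harmless */
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed client-supplied hostname option; "%%" exercises both paths safely */
    const char *hostname = "host-100%%";

    log_client_unsafe(buf, sizeof buf, hostname);
    printf("unsafe: %s\n", buf);   /* host-100%  : the %% was consumed as a conversion */

    log_client_safe(buf, sizeof buf, hostname);
    printf("safe:   %s\n", buf);   /* host-100%% : text logged verbatim */

    printf("directive in \"%%x%%x%%n\": %d\n", contains_format_directive("%x%x%n"));
    return 0;
}
```

The observable difference (the unsafe helper collapses "%%" to "%") is the same mechanism that turns "%n" into a memory write: the daemon, not the client, must own the format string. The audit helper is what a reviewer would run over fields a daemon logs (hostnames, client identifiers, vendor options) to see which code paths take client text; any hit is a reason to check that the logging call uses a literal format.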