CERT Summary CS-2002-04

   November 26, 2002

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
 
______________________________________________________________________

Recent Activity

   Since the last regularly scheduled CERT summary, issued in August 2002
   (CS-2002-03), we have seen Trojan horses in three popular source
   distributions (Sendmail, tcpdump and libpcap), new self-propagating
   malicious code (the Apache/mod_ssl worm), and multiple vulnerabilities
   in BIND. In addition, we have issued a new PGP key.

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html


    1. Apache/mod_ssl Worm

       Over the past several months, we have received reports of
       self-propagating malicious code that exploits a vulnerability
       (VU#102795) in OpenSSL. Reports received by the CERT/CC indicate
       that the Apache/mod_ssl worm has already infected thousands of
       systems. Over a month earlier, the CERT/CC had issued an advisory
       (CA-2002-23) describing four remotely exploitable buffer overflows
       in OpenSSL.

                CERT Advisory CA-2002-27
                Apache/mod_ssl Worm
                http://www.cert.org/advisories/CA-2002-27.html

                CERT Advisory CA-2002-23
                Multiple Vulnerabilities in OpenSSL
                http://www.cert.org/advisories/CA-2002-23.html

                Vulnerability Note #102795
                OpenSSL  servers contain a buffer overflow during the 
                SSL2 handshake process
                http://www.kb.cert.org/vuls/id/102795

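       The worm above enters through the SSLv2 handshake, so one check a
       practitioner wants after patching is whether a server still
       completes an SSLv2 handshake at all. The script below is an added
       example, not code from the CERT advisories, OpenSSL or Apache: it
       sends a raw SSLv2 CLIENT-HELLO to the host and port given on the
       command line and reports whether the reply is an SSLv2
       SERVER-HELLO. The SERVER-HELLO bytes used to exercise the parser
       offline are constructed for the example, not a capture from any
       server.

```python
"""Probe whether a server still completes an SSLv2 handshake.

Added example, not code from the CERT advisories, OpenSSL or Apache.
The target host and port come from the command line; the SERVER-HELLO
bytes below are constructed for the offline demonstration, not a capture
from any real server.
"""
import os
import socket
import struct
import sys

SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# SSLv2 cipher kinds (3 bytes each), as named in the SSLv2 protocol draft.
SSL2_CIPHER_KINDS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_client_hello(challenge=None):
    """Return an SSLv2 record carrying a CLIENT-HELLO with an empty session id."""
    if challenge is None:
        challenge = os.urandom(16)  # the protocol allows 16..32 challenge bytes
    cipher_specs = b"".join(SSL2_CIPHER_KINDS)
    body = (
        bytes([SSL2_MT_CLIENT_HELLO])
        + struct.pack(">H", SSL2_VERSION)        # client version
        + struct.pack(">H", len(cipher_specs))   # cipher specs length
        + struct.pack(">H", 0)                   # session id length
        + struct.pack(">H", len(challenge))      # challenge length
        + cipher_specs
        + challenge
    )
    # Two-byte record header: high bit set means no padding byte, low 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return the cipher kinds offered in an SSLv2 SERVER-HELLO, or None if data is not one."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                       # two-byte header, no padding
        length, body = data[1] | ((data[0] & 0x7F) << 8), data[2:]
    else:                                    # three-byte header: 14-bit length, then a padding byte
        length, body = data[1] | ((data[0] & 0x3F) << 8), data[3:]
    body = body[:length]
    # Fixed part: type(1) hit(1) cert_type(1) version(2) cert_len(2) ciphers_len(2) conn_id_len(2)
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None                          # e.g. a TLS alert record starting 0x15 0x03
    version, cert_len, ciphers_len, _conn_id_len = struct.unpack(">HHHH", body[3:11])
    if version != SSL2_VERSION or ciphers_len % 3:
        return None
    ciphers = body[11 + cert_len:11 + cert_len + ciphers_len]
    if len(ciphers) != ciphers_len:
        return None
    return [ciphers[i:i + 3] for i in range(0, ciphers_len, 3)]


def probe(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO to host:port; return offered SSLv2 cipher kinds or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(4096))


# Constructed SERVER-HELLO: SSL 2.0, no certificate bytes, two cipher kinds,
# 16-byte connection id. Made up for the demonstration, not a capture.
CONSTRUCTED_SERVER_HELLO = (
    b"\x80\x21"                    # record header, 33-byte body
    + b"\x04\x00\x01"              # SERVER-HELLO, session id hit = no, cert type X.509
    + b"\x00\x02"                  # server version 2.0
    + b"\x00\x00\x00\x06\x00\x10"  # cert len 0, cipher specs len 6, connection id len 16
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + b"\x00" * 16
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline check:", parse_server_hello(CONSTRUCTED_SERVER_HELLO))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        kinds = probe(sys.argv[1], port)
        print("SSLv2 SERVER-HELLO received, cipher kinds:" if kinds
              else "no SSLv2 SERVER-HELLO received", kinds or "")
```

       A SERVER-HELLO in reply means the SSLv2 code path is reachable
       from the network; it does not by itself say whether the OpenSSL
       behind it is patched, and refusing SSLv2 is a workaround, not a
       substitute for the upgrade the advisory points to.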

    2. Trojan Horse Sendmail Distribution

       The CERT/CC has received confirmation that some copies of the
       source code for the Sendmail package have been modified by an
       intruder to contain a Trojan horse. These copies began to appear
       in downloads from the FTP server ftp.sendmail.org on or around
       September 28, 2002. On October 8, 2002, the CERT/CC issued an
       advisory (CA-2002-28) describing various methods to verify
       software authenticity.

                CERT Advisory CA-2002-28
                Trojan Horse Sendmail Distribution
                http://www.cert.org/advisories/CA-2002-28.html


    3. Trojan Horse tcpdump and libpcap Distributions

       The CERT/CC has received reports that some copies of the source
       code for libpcap, a packet acquisition library, and tcpdump, a
       network sniffer, have been modified by an intruder and contain a
       Trojan horse. These modified distributions began to appear in
       downloads from the HTTP server www.tcpdump.org on or around
       November 11, 2002. The CERT/CC issued an advisory (CA-2002-30)
       listing MD5 checksums and official distribution sites for libpcap
       and tcpdump.

                CERT Advisory CA-2002-30
                Trojan Horse tcpdump and libpcap Distributions
                http://www.cert.org/advisories/CA-2002-30.html

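       Both Trojan horse reports above (items 2 and 3) come down to the
       same downloader-side check: recompute the digest of what you
       fetched, compare it with what the maintainers published, and treat
       anything that does not match, and anything no published digest
       covers, as suspect. The script below is an added example, not code
       from the CERT advisories or from the Sendmail, tcpdump or libpcap
       projects; the archive names, contents and digests it uses are
       constructed for the demonstration.

```python
"""Check downloaded source archives against a published checksum list.

Added example, not code from the CERT advisories or from the Sendmail,
tcpdump or libpcap projects. It does the downloader's half of what
CA-2002-28 and CA-2002-30 describe: recompute each archive's digest and
compare it with the value the maintainers published. The archive names,
contents and digests in demo() are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text):
    """Parse md5sum/sha256sum-style lines ('<hexdigest>  <name>') into {name: digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")       # md5sum marks binary mode with a leading '*'
        if name:
            expected[name] = digest.lower()
    return expected


def file_digest(path, algorithm):
    """Hex digest of a file, read in chunks so a large archive need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir, checksum_text, algorithm="md5"):
    """Map each file to 'ok', 'MISMATCH', 'missing' (listed but absent) or 'unlisted'.

    'unlisted' matters as much as 'MISMATCH': a file nothing vouches for
    should not be unpacked just because it sat next to verified ones.
    """
    expected = parse_checksum_list(checksum_text)
    present = set(os.listdir(download_dir))
    results = {}
    for name, digest in expected.items():
        if name not in present:
            results[name] = "missing"
            continue
        actual = file_digest(os.path.join(download_dir, name), algorithm)
        # compare_digest does not stop at the first differing character
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    for name in present - expected.keys():
        results[name] = "unlisted"
    return results


# Constructed checksum list. The digests are MD5 of the byte strings "abc" and ""
# (stand-ins for genuine archive contents), not the digests of any real release.
CONSTRUCTED_CHECKSUMS = """\
# MD5 checksums, as a maintainer would publish them
900150983cd24fb0d6963f7d28e17f72  pkg-1.0.tar.gz
d41d8cd98f00b204e9800998ecf8427e  lib-1.0.tar.gz
"""


def demo():
    """Stage a pristine archive, a substituted one and an unlisted file, then verify."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "pkg-1.0.tar.gz": b"abc",        # matches the published digest
            "lib-1.0.tar.gz": b"trojaned",   # published digest is for the genuine bytes ("")
            "NOTES.txt": b"read me",         # nothing vouches for this file
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return verify_downloads(d, CONSTRUCTED_CHECKSUMS)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

       A checksum list fetched from the same server as the archive only
       detects corruption in transit: an intruder who replaced the archive
       can replace the list too. Obtain the digests, or a detached
       signature over the archive (for example, gpg --verify
       archive.tar.gz.sig archive.tar.gz), through a channel the download
       server does not control, and check the signing key against one you
       already trust. The digest algorithm is a parameter because MD5 is
       what the 2002 advisories published; it is no longer collision
       resistant, so pass algorithm="sha256" for current lists.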

    4. Multiple Vulnerabilities in BIND

       The CERT/CC has documented multiple vulnerabilities in BIND, the
       popular domain name server and client library software package
       from the Internet Software Consortium (ISC). Some of these
       vulnerabilities may allow a remote intruder to execute arbitrary
       code with the privileges of the user running named (typically
       root). Several vulnerabilities are referenced in the advisory;
       they are listed here individually.

                CERT Advisory CA-2002-31
                Multiple Vulnerabilities in BIND
                http://www.cert.org/advisories/CA-2002-31.html

                Vulnerability Note #852283
                Cached malformed SIG record buffer overflow
                http://www.kb.cert.org/vuls/id/852283

                Vulnerability Note #229595
                Overly large OPT record assertion
                http://www.kb.cert.org/vuls/id/229595

                Vulnerability Note #581682
                 ISC BIND 8 fails to properly dereference cache SIG RR
                 elements with invalid expiry times from the internal
                 database
                http://www.kb.cert.org/vuls/id/581682

                Vulnerability Note #844360
                Domain Name System (DNS) stub resolver libraries  
                vulnerable to buffer overflows via network name or 
                address lookups
                http://www.kb.cert.org/vuls/id/844360

    5. Heap Overflow Vulnerability in Microsoft Data Access Components
       (MDAC)

       On November 21, 2002, the CERT/CC issued an advisory (CA-2002-33)
       describing a vulnerability in MDAC, a collection of Microsoft
       utilities and routines that process requests between databases and
       network applications.

               CERT Advisory CA-2002-33
               Heap Overflow Vulnerability in Microsoft Data Access 
               Components (MDAC)
               http://www.cert.org/advisories/CA-2002-33.html
 
______________________________________________________________________

New CERT/CC PGP Key

   On September 19, the CERT/CC issued a new PGP key, which should be
   used when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc

          Sending Sensitive Information To The CERT/CC
          http://www.cert.org/contact_cert/encryptmail.html
 
______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated:
     * Advisories
       http://www.cert.org/advisories/
     * Congressional Testimony
       http://www.cert.org/congressional_testimony/
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Home User Security
       http://www.cert.org/homeusers/HomeComputerSecurity
     * Tech Tips
       http://www.cert.org/tech_tips/
     * Training Schedule
       http://www.cert.org/training/
 
______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2002-04.html
 
______________________________________________________________________

CERT/CC Contact Information

   Email: [EMAIL PROTECTED]
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

    Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to [EMAIL PROTECTED]. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
 
______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied, as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity, or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright © 2002 Carnegie Mellon University.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk