CERT Summary CS-2002-04
November 26, 2002
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to
our
incident response team, as well as other noteworthy incident
and
vulnerability information. The summary includes pointers to sources
of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in August
2002
(CS-2002-03), we have seen trojan horses for three
popular
distributions, new self-propagating malicious code
(Apache/mod_ssl),
and multiple vulnerabilities in BIND. In addition, we have issued
a
new PGP Key.
For more current information on activity being reported to
the
CERT/CC, please visit the CERT/CC Current Activity page. The
Current
Activity page is a regularly updated summary of the most
frequent,
high-impact types of security incidents and vulnerabilities
being
reported to the CERT/CC. The information on the Current Activity
page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. Apache/mod_ssl Worm
Over the past several months, we have received reports of
a
self-propagating malicious code that exploits a
vulnerability
(VU#102795) in OpenSSL. Reports received by the CERT/CC
indicate
that the Apache/mod_ssl worm has already infected thousands
of
systems. Over a month earlier, the CERT/CC issued an
advisory
(CA-2002-23) describing four remotely exploitable buffer
overflows
in OpenSSL.
CERT Advisory CA-2002-27
Apache/mod_ssl Worm
http://www.cert.org/advisories/CA-2002-27.html
CERT Advisory CA-2002-23
Multiple Vulnerabilities in OpenSSL
http://www.cert.org/advisories/CA-2002-23.html
Vulnerability Note #102795
OpenSSL servers contain a buffer overflow during the
SSL2 handshake process
http://www.kb.cert.org/vuls/id/102795
2. Trojan Horse Sendmail Distribution
The CERT/CC has received confirmation that some copies of
the
source code for the Sendmail package have been modified by
an
intruder to contain a Trojan horse. These copies began to
appear
in downloads from the FTP server ftp.sendmail.org on or
around
September 28, 2002. On October 8, 2002, the CERT/CC issued
an
advisory (CA-2002-28) describing various methods to
verify
software authenticity.
CERT Advisory CA-2002-28
Trojan Horse Sendmail Distribution
http://www.cert.org/advisories/CA-2002-28.html
3. Trojan Horse tcpdump and libpcap Distributions
The CERT/CC has received reports that some copies of the
source
code for libpcap, a packet acquisition library, and tcpdump,
a
network sniffer, have been modified by an intruder and contain
a
Trojan horse. These modified distributions began to appear
in
downloads from the HTTP server www.tcpdump.org on or around
Nov
11, 2002. The CERT/CC issued an advisory (CA-2002-30) listing
MD5
checksums and official distribution sites for libpcap and
tcpdump.
CERT Advisory CA-2002-30
Trojan Horse tcpdump and libpcap Distributions
http://www.cert.org/advisories/CA-2002-30.html
4. Multiple Vulnerabilities in BIND
The CERT/CC has documented multiple vulnerabilities in BIND,
the
popular domain name server and client library software
package
from the Internet Software Consortium (ISC). Some of
these
vulnerabilities may allow a remote intruder to execute
arbitrary
code with privileges of the the user running named
(typically
root). Several vulnerabilities are referenced in the
advisory;
they are listed here individually.
CERT Advisory CA-2002-31
Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2002-31.html
Vulnerability Note #852283
Cached malformed SIG record buffer overflow
http://www.kb.cert.org/vuls/id/852283
Vulnerability Note #229595
Overly large OPT record assertion
http://www.kb.cert.org/vuls/id/229595
Vulnerability Note #581682
ISC Bind 8 fails to properly dereference cache SIG RR
elements invalid expiry times from the internal database
http://www.kb.cert.org/vuls/id/581682
Vulnerability Note #844360
Domain Name System (DNS) stub resolver libraries
vulnerable to buffer overflows via network name or
address lookups
http://www.kb.cert.org/vuls/id/844360
5. Heap Overflow Vulnerability in Microsoft Data Access
Components
(MDAC)
On November 21, 2002 the CERT/CC issued an advisory
(CA-2002-33)
describing a vulnerability in MDAC, a collection of
Microsoft
utilities and routines that process requests between databases
and
network applications.
CERT Advisory CA-2002-33
Heap Overflow Vulnerability in Microsoft Data Access
Components (MDAC)
http://www.cert.org/advisories/CA-2002-33.html
______________________________________________________________________
New CERT/CC PGP Key
On September 19, the CERT/CC issued a new PGP key, which should
be
used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information To The CERT/CC
http://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Congressional Testimony
http://www.cert.org/congressional_testimony/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Home User Security
http://www.cert.org/homeusers/HomeComputerSecurity
* Tech Tips
http://www.cert.org/tech_tips/
* Training Schedule
http:/www.cert.org/training/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2002-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
/
EDT(GMT-4) Monday through Friday; they are on call for
emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more
information.
Getting security information
CERT publications and other security information are available
from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins,
send email to [EMAIL PROTECTED] Please include in the body of
your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software
Engineering Institute is furnished on an "as is" basis.
Carnegie
Mellon University makes no warranties of any kind, either expressed
or
implied as to any matter including, but not limited to, warranty
of
fitness for a particular purpose or merchantability, exclusivity
or
results obtained from use of the material. Carnegie Mellon
University
does not make any warranty of any kind with respect to freedom
from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright C2002 Carnegie Mellon University.
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
