This is from Andrew Cormack Head of CERT UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
--- Begin Forwarded Message ---
Date: Tue, 20 Nov 2001 16:00:14 +0000
From: Andrew Cormack <[EMAIL PROTECTED]>
Subject: Summary of common exploits - October 2001
Sender: [EMAIL PROTECTED]
To: Receivers of CERT messages <[EMAIL PROTECTED]>
Reply-To: Andrew Cormack <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

-----BEGIN PGP SIGNED MESSAGE-----

Common exploits reported to JANET-CERT during October 2001
===============================================

Contents

Compromises: Nimda worm, web defacements, sshd
Other advisories: CDE Tooltalk, Excel/PowerPoint Macros, Oracle Webcache
Documentation: Scottish Law for Systems Administrators

====

First, apologies for the late arrival of this summary.

The Nimda worm has continued to be our main problem during October, though thankfully the number of vulnerable systems at JANET sites seems to be declining. However, the impact of Nimda was so widespread that it is likely to be years before we see the last scanning activity; many of the infected machines probably have no effective systems administration, so the program will only go away when the operating system is upgraded or the hardware fails. We hope that no JANET machines will be in such a desperate state. However, now that the effectiveness of the technique has been demonstrated so spectacularly, there will be new worms, exploiting new vulnerabilities, that try to outdo even Nimda. The importance of keeping machines patched and protecting them with routers, firewalls, or other network configurations must not be forgotten.

Web defacements continue to be popular, especially at a time when there are heated political opinions looking for places to publicise themselves. Fortunately the only reports we have had this month have related to non-JANET web sites; however, there is certainly a threat to all web sites. If you are running a web site as the public face of your institution then you should be spending a lot of time ensuring it is secure; if your web site is not for public use then at least take steps to ensure that it cannot be broken into from the public network.

We have had a few reports of attacks on systems running the Secure Shell (SSH) daemon. These appear to use a vulnerability that was reported in February in an old version of the program; until now there have been no reports of this being exploited. The reports we have received relate to Linux systems; however, the vulnerability report indicates that the same software would be vulnerable whatever system it was installed on. If you are running SSH servers we recommend checking the vulnerability report and, if necessary, taking steps to ensure that you are not vulnerable to this type of attack. SSH is a valuable replacement for telnet which encrypts all data as it flows across the network; we continue to recommend its use but, as with any other software, it is important to watch out for problems.

The CERT Co-ordination Center issued three advisories during October: two of these involve new twists to familiar security "blackspots" - Macros contained within Excel spreadsheets and PowerPoint presentations, and the CDE Tooltalk service on Unix and Linux. Patches are available for both of these problems, but they are both best avoided by good operational practice: not opening files from unchecked sources and disabling and blocking access to LAN services (especially TCP/UDP port 111, which is used by RPC) respectively. The third advisory concerns a buffer overflow in the Oracle9iAS Web Cache, which can be used to crash the cache or to gain access to the underlying operating system. A patch is available from Oracle and should be installed as soon as possible.

Finally, most of the presenters from our recent conference on Law for Systems Administrators have agreed to have their presentations published on the web. Conference delegates rated the presentations very highly, so we recommend them as well to others who were not able to attend the event. The Law may not be an obvious topic for systems and network administrators to be concerned with but, as the speakers explained, it is increasingly relevant and important to all of us.

Andrew

References
========

Nimda worm
http://www.cert.org/advisories/CA-2001-26.html

SSHd vulnerability
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

ToolTalk vulnerability
http://www.cert.org/advisories/CA-2001-27.html
see http://www.ja.net/CERT/JANET-CERT/prevention/networks.html for blocking access to these services

Excel/PowerPoint Macro vulnerability
http://www.cert.org/advisories/CA-2001-28.html

Oracle web cache vulnerability
http://www.cert.org/advisories/CA-2001-29.html

Law for Systems Administrators conference
http://www.ja.net/conferences/security/october01/prog.html

--------------------------------------------------------------
Andrew Cormack, Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302  E-mail: [EMAIL PROTECTED]  Fax: 01235 822 398
--- End Forwarded Message ---

--
Ian [EMAIL PROTECTED]
Home page http://www.kcl.ac.uk/kis/support/cit//fortran/
comp-fortran-90 home page http://www.jiscmail.ac.uk/lists/comp-fortran-90.html
