Date: Tue, 23 Nov 1999 16:44:55 -0500
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-99.04
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Summary CS-99-04
November 23, 1999
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from
http://www.cert.org/summaries/
______________________________________________________________________
Reminder: New CERT/CC PGP Key
On October 4, 1999, the PGP key for the CERT/CC was replaced with a
new PGP key. For more information, see
http://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
"CERT/CC Current Activity" Web Page
The CERT/CC Current Activity web page is a regularly updated summary
of the most frequent, high-impact types of security incidents and
vulnerabilities currently being reported to the CERT/CC. It is
available from
http://www.cert.org/current/current_activity.html
The information on the Current Activity page will be reviewed and
updated as reporting trends change.
______________________________________________________________________
Year 2000 (Y2K) Information
The CERT/CC has published information regarding the Y2K problem:
Y2K Information
http://www.cert.org/y2k-info/
______________________________________________________________________
Recent Activity
Since the last CERT summary, issued in August 1999 (CS-99-03), we have
published advisories on WU-FTPD, BIND, CDE, and AMD. We have also
analyzed and published information regarding distributed intruder
tools. Among other activity, we continue to see widespread scans for
known vulnerabilities.
1. Distributed Intruder Tools
Denial of Service
We have received reports of intruders compromising machines in
order to install distributed systems used for launching packet
flooding denial-of-service attacks. The systems typically contain
a small number of servers and a large number of clients. These
reports indicate that machines participating in such distributed
systems are likely to have been root compromised. You can find
more information in
CERT Incident Note 99-07
http://www.cert.org/incident_notes/IN-99-07.html
Sniffer
We have received reports of intruders using distributed network
sniffers to capture usernames and passwords. The distributed
sniffer consists of a client and a server portion. As of this
summary, the sniffer clients have been found exclusively on
compromised Linux hosts. For more information please see
CERT Incident Note 99-06
http://www.cert.org/incident_notes/IN-99-06.html
2. CDE Vulnerabilities
Multiple vulnerabilities have been identified in some
distributions of the Common Desktop Environment (CDE). These
vulnerabilities are different from those discussed in CA-98.02 and
can lead to intruders gaining root access on vulnerable systems.
For more information please see
CERT Advisory CA-99-11
http://www.cert.org/advisories/CA-99-1-CDE.html
3. BIND Vulnerabilities
Several vulnerabilities have been found in BIND, the popular
domain name server from the Internet Software Consortium (ISC).
One of these vulnerabilities may allow remote intruders to gain
privileged access to name servers. The others can severely disrupt
the operation of the name server. For more information, please see
CERT Advisory CA-99-14
http://www.cert.org/advisories/CA-99-14-bind.html
4. WU-FTPD Vulnerabilities
Three vulnerabilities have been identified in WU-FTPD and other
ftp daemons based on the WU-FTPD source code. WU-FTPD is a common
package used to provide File Transfer Protocol (FTP) services.
Remote and local intruders may be able to exploit these
vulnerabilities to execute arbitrary code as the user running the
ftp daemon (usually root). Incidents involving the first of these
three vulnerabilities have been reported to the CERT Coordination
Center. For more information please see
CERT Advisory CA-99-13
http://www.cert.org/advisories/CA-99-13-wuftpd.html
5. AMD Vulnerabilities
There is a buffer overflow vulnerability in the logging facility
of the amd daemon. This daemon automatically mounts file systems
in response to attempts to access files that reside on those file
systems. Remote intruders can exploit this vulnerability to
execute arbitrary code as the user running the amd daemon (usually
root). For more information see
CERT Advisory CA-99-12
http://www.cert.org/advisories/CA-99-12-amd.html
We have received reports regarding exploits of this
vulnerability. For more information please see
CERT Incident Note 99-05
http://www.cert.org/incident_notes/IN-99-05.html
6. RPC Vulnerabilities
We continue to receive reports of exploitations involving three
RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd.
These exploitations can lead to root compromise on systems that
implement vulnerable RPC services. Analysis has shown that similar
artifacts have been found on compromised systems. For more
information on the vulnerabilities please see
CERT Incident Note 99-04
http://www.cert.org/incident_notes/IN-99-04.html
CERT Advisory CA-99-08
http://www.cert.org/advisories/CA-99-08-cmsd.html
CERT Advisory CA-99-05
http://www.cert.org/advisories/CA-99-05-statd-automountd.html
CERT Advisory CA-98-11
http://www.cert.org/advisories/CA-98.11.tooltalk.html
7. Virus and Trojan Horse Activity
We continue to see reports of virus activity. Current versions of
anti-virus software can help to protect your systems from these
viruses.
It is important to take great caution with any email or Usenet
attachments that contain executable content. If you receive a
message containing attachments, scan the message file with
anti-virus software before you open or run the file. Doing this
does not guarantee that the contents of the file are safe, but it
lowers your risk of virus infection by checking for viruses and
Trojan horses that your scanning software can detect.
CERT/CC has published a Virus Resources page that includes
information on
* Frequently Asked Questions (FAQs) about Computer Viruses
* Hoax and Chain Letter Databases
* Virus Databases
* Virus Organizations and Publications
* Anti-Virus Vendors
* Virus Related Papers
Please see
Virus Resources
http://www.cert.org/other_sources/viruses.html
8. Continued Widespread Scans
We continue to receive reports of scanning and probing activity.
The most frequent reports tend to involve services that have
well-known vulnerabilities. Hosts continue to be affected by
exploitation of well-known vulnerabilities in these services.
sunrpc (TCP port 111) and mountd (635)
http://www.cert.org/advisories/CA-98.12.mountd.html
http://www.cert.org/incident_notes/IN-99-04.html
IMAP (TCP port 143)
http://www.cert.org/advisories/CA-98.09.imapd.html
POP3 (TCP port 110)
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
DNS (TCP port 53 [domain])
http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/advisories/CA-97.22.bind.html
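One way a site could spot the scanning activity described above in its own connection logs, as an added example that is not CERT/CC code: it parses a constructed, assumed log format and reports sources that probed one of the listed ports across many distinct hosts.

```python
# Added example, not CERT/CC code: flag sources probing one of the
# services listed above across many hosts (a horizontal scan).
# Assumed log format: "<time> <src-ip> <dst-ip> <dst-port>", one line per
# connection attempt, as a packet filter or tcpd-style logger might write.
from collections import defaultdict

# TCP ports the summary names as the most frequently scanned services.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "imap",
                 110: "pop3", 53: "domain"}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
10:01:02 192.0.2.10 198.51.100.1 111
10:01:02 192.0.2.10 198.51.100.2 111
10:01:03 192.0.2.10 198.51.100.3 111
10:01:03 192.0.2.10 198.51.100.4 111
10:02:00 192.0.2.20 198.51.100.7 143
10:02:01 192.0.2.20 198.51.100.7 143
10:02:02 192.0.2.20 198.51.100.7 110
10:03:00 192.0.2.30 198.51.100.9 80
this line is malformed and is skipped
"""

def parse_line(line):
    """Return (src, dst, port) or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_scanners(log_text, min_hosts=3):
    """Return {src: {service: distinct_hosts}} for every source that
    hit a watched port on at least min_hosts distinct destinations.
    Repeated attempts against one host (192.0.2.20 above) do not count
    as a scan; only breadth across hosts does."""
    hosts_hit = defaultdict(set)  # (src, port) -> set of dst addresses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the run
        src, dst, port = rec
        if port in WATCHED_PORTS:
            hosts_hit[(src, port)].add(dst)
    report = defaultdict(dict)
    for (src, port), dsts in hosts_hit.items():
        if len(dsts) >= min_hosts:
            report[src][WATCHED_PORTS[port]] = len(dsts)
    return dict(report)
```

Sources flagged this way are worth checking against the advisories listed for each service, since the same well-known vulnerabilities are what the scans are looking for.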
______________________________________________________________________
What's New and Updated
Since the last CERT summary, we have developed new and updated
* Advisories
* CERT statistics
* Incident notes
* Tech tips/FAQs
* Y2K information
There are descriptions of these documents and links to them on our
"What's New" web page at
http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-99-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to [email protected] and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.