[12715] in bugtraq
Fw: CERT Summary CS-99.04
daemon@ATHENA.MIT.EDU (Sehmel, William C.)
Wed Nov 24 12:13:50 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <011c01bf3657$5d2195c0$05000006@newpc>
Date: Wed, 24 Nov 1999 00:39:02 -0800
Reply-To: "Sehmel, William C." <bsehmel@NARROWS.COM>
From: "Sehmel, William C." <bsehmel@NARROWS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>CERT Summary CS-99-04
>
> November 23, 1999
>
> Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
> summary to draw attention to the types of attacks reported to our
> incident response team, as well as other noteworthy incident and
> vulnerability information. The summary includes pointers to sources of
> information for dealing with the problems.
>
> Past CERT summaries are available from
> http://www.cert.org/summaries/
> ______________________________________________________________________
>
>Reminder: New CERT/CC PGP Key
>
> On October 4, 1999, the PGP key for the CERT/CC was replaced with a
> new PGP key. For more information, see
>
> http://www.cert.org/contact_cert/encryptmail.html
> ______________________________________________________________________
>
>"CERT/CC Current Activity" Web Page
>
> The CERT/CC Current Activity web page is a regularly updated summary
> of the most frequent, high-impact types of security incidents and
> vulnerabilities currently being reported to the CERT/CC. It is
> available from
>
> http://www.cert.org/current/current_activity.html
>
> The information on the Current Activity page will be reviewed and
> updated as reporting trends change.
> ______________________________________________________________________
>
>Year 2000 (Y2K) Information
>
> The CERT/CC has published information regarding the Y2K problem:
>
> Y2K Information
> http://www.cert.org/y2k-info/
> ______________________________________________________________________
>
>Recent Activity
>
> Since the last CERT summary, issued in August 1999 (CS-99-03), we have
> published advisories on WU-FTPD, BIND, CDE, and AMD. We have also
> analyzed and published information regarding distributed intruder
> tools. Among other activity, we continue to see widespread scans for
> known vulnerabilities.
>
> 1. Distributed Intruder Tools
> Denial of Service
> We have received reports of intruders compromising machines in
> order to install distributed systems used for launching packet
> flooding denial-of-service attacks. The systems typically contain
> a small number of servers and a large number of clients. These
> reports indicate that machines participating in such distributed
> systems are likely to have been root compromised. You can find
> more information in
>
> CERT Incident Note 99-07
> http://www.cert.org/incident_notes/IN-99-07.html
>
> Sniffer
> We have received reports of intruders using distributed network
> sniffers to capture usernames and passwords. The distributed
> sniffer consists of a client and a server portion. As of this
> summary, the sniffer clients have been found exclusively on
> compromised Linux hosts. For more information please see
>
> CERT Incident Note 99-06
> http://www.cert.org/incident_notes/IN-99-06.html
>
> 2. CDE Vulnerabilities
> Multiple vulnerabilities have been identified in some
> distributions of the Common Desktop Environment (CDE). These
> vulnerabilities are different from those discussed in CA-98.02 and
> can lead to intruders gaining root access on vulnerable systems.
> For more information please see
>
> CERT Advisory CA-99-11
> http://www.cert.org/advisories/CA-99-1-CDE.html
>
> 3. BIND Vulnerabilities
> Several vulnerabilities have been found in BIND, the popular
> domain name server from the Internet Software Consortium (ISC).
> One of these vulnerabilities may allow remote intruders to gain
> privileged access to name servers. The others can severely disrupt
> the operation of the name server. For more information, please see
>
> CERT Advisory CA-99-14
> http://www.cert.org/advisories/CA-99-14-bind.html
>
> 4. WU-FTPD Vulnerabilities
> Three vulnerabilities have been identified in WU-FTPD and other
> ftp daemons based on the WU-FTPD source code. WU-FTPD is a common
> package used to provide File Transfer Protocol (FTP) services.
> Remote and local intruders may be able to exploit these
> vulnerabilities to execute arbitrary code as the user running the
> ftp daemon (usually root). Incidents involving the first of these
> three vulnerabilities have been reported to the CERT Coordination
> Center. For more information please see
>
> CERT Advisory CA-99-13
> http://www.cert.org/advisories/CA-99-13-wuftpd.html
>
> 5. AMD Vulnerabilities
> There is a buffer overflow vulnerability in the logging facility
> of the amd daemon. This daemon automatically mounts file systems
> in response to attempts to access files that reside on those file
> systems. Remote intruders can exploit this vulnerability to
> execute arbitrary code as the user running the amd daemon (usually
> root). For more information see
>
> CERT Advisory CA-99-12
> http://www.cert.org/advisories/CA-99-12-amd.html
>
> We have received reports regarding exploits of this
> vulnerability. For more information please see
>
> CERT Incident Note 99-05
> http://www.cert.org/incident_notes/IN-99-05.html
>
> 6. RPC Vulnerabilities
> We continue to receive reports of exploitations involving three
> RPC vulnerabilities: rpc.cmsd, ttdbserverd, and statd/automountd.
> These exploitations can lead to root compromise on systems that
> implement vulnerable RPC services. Analysis has shown that similar
> artifacts have been found on compromised systems. For more
> information on the vulnerabilities please see
> CERT Incident Note 99-04
> http://www.cert.org/incident_notes/IN-99-04.html
>
> CERT Advisory CA-99-08
> http://www.cert.org/advisories/CA-99-08-cmsd.html
>
> CERT Advisory CA-99-05
> http://www.cert.org/advisories/CA-99-05-statd-automountd.html
>
> CERT Advisory CA-98-11
> http://www.cert.org/advisories/CA-98.11.tooltalk.html
>
> 7. Virus and Trojan Horse Activity
> We continue to see reports of virus activity. Current versions of
> anti-virus software can help to protect your systems from these
> viruses.
>
> It is important to take great caution with any email or Usenet
> attachments that contain executable content. If you receive a
> message containing attachments, scan the message file with
> anti-virus software before you open or run the file. Doing this
> does not guarantee that the contents of the file are safe, but it
> lowers your risk of virus infection by checking for viruses and
> Trojan horses that your scanning software can detect.
>
> CERT/CC has published a Virus Resources page that includes
> information on
>
> Frequently Asked Questions (FAQs) about Computer Viruses
>
> Hoax and Chain Letter Databases
>
> Virus Databases
>
> Virus Organizations and Publications
>
> Anti-Virus Vendors
>
> Virus Related Papers
>
> Please see
>
> Virus Resources
> http://www.cert.org/other_sources/viruses.html
>
> 8. Continued Widespread Scans
> We continue to receive reports of scanning and probing activity.
> The most frequent reports tend to involve services that have
> well-known vulnerabilities. Hosts continue to be affected by
> exploitation of well-known vulnerabilities in these services.
>
> sunrpc (TCP port 111) and mountd (635)
> http://www.cert.org/advisories/CA-98.12.mountd.html
> http://www.cert.org/incident_notes/IN-99-04.html
>
> IMAP (TCP port 143)
> http://www.cert.org/advisories/CA-98.09.imapd.html
>
> POP3 (TCP port 110)
> http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
>
> DNS (TCP port 53 [domain])
> http://www.cert.org/advisories/CA-98.05.bind_problems.html
> http://www.cert.org/advisories/CA-97.22.bind.html
> ______________________________________________________________________
>
>What's New and Updated
>
> Since the last CERT summary, we have developed new and updated
> * Advisories
> * CERT statistics
> * Incident notes
> * Tech tips/FAQs
> * Y2K information
>
> There are descriptions of these documents and links to them on our
> "What's New" web page at
> http://www.cert.org/nav/whatsnew.html
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/summaries/CS-99-04.html
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To be added to our mailing list for advisories and bulletins, send
> email to cert-advisory-request@cert.org and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be
> found in
>
> http://www.cert.org/legal_stuff.html
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP for Personal Privacy 5.0
>Charset: noconv
>
>iQA+AwUBODsBglr9kb5qlZHQEQIvZACbBrc75HYvuxT/JZDa778JBH3eWcAAlR1S
>AFgkAYyLg3U8XXq5dhCRR0g=
>=Oqqs
>-----END PGP SIGNATURE-----
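Item 8 of the forwarded summary lists the ports being swept for well-known vulnerabilities. As an added illustration that is not part of the CERT message, the following Python script flags a source that probes several distinct hosts on one of those ports within a short window, while ignoring a client that repeatedly talks to a single server; the log lines and their "<epoch> <src> -> <dst>:<port> SYN" format are constructed for the example.

```python
import re
from collections import defaultdict

# Services and TCP ports named in the summary's "Continued Widespread Scans" item.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "imap", 110: "pop3", 53: "dns"}

# Constructed sample log (not from the original message). Assumed format:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> SYN"
SAMPLE_LOG = """\
943401600 10.0.0.5 -> 192.0.2.10:111 SYN
943401601 10.0.0.5 -> 192.0.2.11:111 SYN
943401602 10.0.0.5 -> 192.0.2.12:111 SYN
943401603 10.0.0.5 -> 192.0.2.13:111 SYN
943401604 10.0.0.5 -> 192.0.2.10:143 SYN
943401610 10.0.0.9 -> 192.0.2.20:110 SYN
943401640 10.0.0.9 -> 192.0.2.20:110 SYN
943401600 10.0.0.7 -> 192.0.2.30:53 SYN
943403400 10.0.0.7 -> 192.0.2.31:53 SYN
943405200 10.0.0.7 -> 192.0.2.32:53 SYN
943401650 10.0.0.9 -> 192.0.2.21:22 SYN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) SYN$")

def parse_events(log_text):
    """Yield (ts, src, dst, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def find_scanners(log_text, min_targets=3, window=60):
    """Return {src: {service: distinct_targets}} for sources that probed at least
    `min_targets` distinct hosts on one watched port within `window` seconds."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in parse_events(log_text):
        if port in WATCHED_PORTS:
            by_src_port[(src, port)].append((ts, dst))
    hits = {}
    for (src, port), events in by_src_port.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations hit within `window` seconds of this event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:  # one host contacted repeatedly never qualifies
            hits.setdefault(src, {})[WATCHED_PORTS[port]] = best
    return hits
```

With the defaults only 10.0.0.5 is flagged (four sunrpc targets in four seconds); the slow DNS sweep from 10.0.0.7 only appears once the window is widened to cover its half-hour spacing.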