11013454 2003-11-24 15:27 -0500 /362 lines/ CERT Advisory <cert-advisory@cert.org>
Sent by: bellman@lysator.liu.se
Imported: 2003-11-24 22:04 by Brevbäraren
External recipient: cert-advisory@cert.org
Recipient: Bugtraq (import) <30052>
Sent: 2003-11-25 22:30
Subject: CERT Summary CS-2003-04
------------------------------------------------------------
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Message-ID: <CS-2003-04.1@cert.org>
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2003-04
November 24, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the
CERT Summary to draw attention to the types of attacks
reported to our incident response team, as well as other
noteworthy incident and vulnerability information. The summary
includes pointers to sources of information for dealing with the
problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in
September 2003 (CS-2003-03), we have documented vulnerabilities in
the Microsoft Windows Workstation Service, RPCSS Service, and
Exchange. We have also documented vulnerabilities in various
SSL/TLS implementations, a buffer overflow in Sendmail, and a
buffer management error in OpenSSH. We have received reports
of W32/Swen.A, W32/Mimail variants, and exploitation of an
Internet Explorer vulnerability reported in August of 2003.
For more current information on activity being reported to
the CERT/CC, please visit the CERT/CC Current Activity page. The
Current Activity page is a regularly updated summary of the
most frequent, high-impact types of security incidents and
vulnerabilities being reported to the CERT/CC. The information on
the Current Activity page is reviewed and updated as reporting
trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Mimail Variants
The CERT/CC has received reports of several new variants of the
'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
arrives as an email message purporting to be from the PayPal
financial service. The message requests that the recipient
'verify' their account information to prevent the suspension of
their PayPal account. Attached to the email is an executable file
which captures this information (if entered), and sends it to a
number of email addresses.
Current Activity - November 19, 2003
http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili
2. Buffer Overflow in Windows Workstation Service
A buffer overflow vulnerability exists in Microsoft's
Windows Workstation Service (WKSSVC.DLL) allowing an
attacker to execute arbitrary code or cause a
denial-of-service condition.
CERT Advisory CA-2003-28
Buffer Overflow in Windows Workstation Service
http://www.cert.org/advisories/CA-2003-28.html
Vulnerability Note VU#567620
Microsoft Windows Workstation service vulnerable to
buffer overflow when sent specially crafted network
message
http://www.kb.cert.org/vuls/id/567620
3. Multiple Vulnerabilities in Microsoft Windows and Exchange
Multiple vulnerabilities exist in Microsoft Windows and
Microsoft Exchange, the most serious of which could allow
remote attackers to execute arbitrary code.
CERT Advisory CA-2003-27
Multiple Vulnerabilities in Microsoft Windows and
Exchange
http://www.cert.org/advisories/CA-2003-27.html
Vulnerability Note VU#575892
Buffer overflow in Microsoft Windows Messenger Service
http://www.kb.cert.org/vuls/id/575892
Vulnerability Note VU#422156
Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests
http://www.kb.cert.org/vuls/id/422156
Vulnerability Note VU#467036
Microsoft Windows Help and Support Center contains buffer
overflow in code used to handle HCP protocol
http://www.kb.cert.org/vuls/id/467036
Vulnerability Note VU#989932
Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)
http://www.kb.cert.org/vuls/id/989932
Vulnerability Note VU#838572
Microsoft Windows Authenticode mechanism installs ActiveX
controls without prompting user
http://www.kb.cert.org/vuls/id/838572
Vulnerability Note VU#435444
Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form
http://www.kb.cert.org/vuls/id/435444
Vulnerability Note VU#967668
Microsoft Windows ListBox and ComboBox controls vulnerable
to buffer overflow when supplied crafted Windows message
http://www.kb.cert.org/vuls/id/967668
4. Multiple Vulnerabilities in SSL/TLS Implementations
Multiple vulnerabilities exist in implementations of the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) protocols,
allowing an attacker to execute arbitrary code or cause a
denial-of-service condition.
CERT Advisory CA-2003-26
Multiple Vulnerabilities in SSL/TLS Implementations
http://www.cert.org/advisories/CA-2003-26.html
Vulnerability Note VU#935264
OpenSSL ASN.1 parser insecure memory deallocation
http://www.kb.cert.org/vuls/id/935264
Vulnerability Note VU#255484
OpenSSL contains integer overflow handling ASN.1 tags (1)
http://www.kb.cert.org/vuls/id/255484
Vulnerability Note VU#380864
OpenSSL contains integer overflow handling ASN.1 tags (2)
http://www.kb.cert.org/vuls/id/380864
Vulnerability Note VU#686224
OpenSSL does not securely handle invalid public key when
configured to ignore errors
http://www.kb.cert.org/vuls/id/686224
Vulnerability Note VU#732952
OpenSSL accepts unsolicited client certificate messages
http://www.kb.cert.org/vuls/id/732952
Vulnerability Note VU#104280
Multiple vulnerabilities in SSL/TLS implementations
http://www.kb.cert.org/vuls/id/104280
Vulnerability Note VU#412478
OpenSSL 0.9.6k does not properly handle ASN.1 sequences
http://www.kb.cert.org/vuls/id/412478
5. Exploitation of Internet Explorer Vulnerability
The CERT/CC received a number of reports indicating that attackers
were actively exploiting the Microsoft Internet Explorer
vulnerability described in VU#865940. These attacks include the
installation of tools for launching distributed denial-of-service
(DDoS) attacks, providing generic proxy services, reading
sensitive information from the Windows registry, and using a
victim system's modem to dial pay-per-minute services. The
vulnerability described in VU#865940 exists due to an interaction
between IE's MIME type processing and the way it handles HTML
application (HTA) files embedded in OBJECT tags.
CERT Advisory IN-2003-04
Exploitation of Internet Explorer Vulnerability
http://www.cert.org/incident_notes/IN-2003-04.html
Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute
of OBJECT element
http://www.kb.cert.org/vuls/id/865940
6. W32/Swen.A Worm
On September 19, the CERT/CC began receiving a large
volume of reports of a mass mailing worm, referred to
as W32/Swen.A, spreading on the Internet. Similar to
W32/Gibe.B in function, this worm arrives as an attachment
claiming to be a Microsoft Internet Explorer Update or a
delivery failure notice from qmail. The W32/Swen.A worm
requires a user to execute the attachment either manually or
by using an email client that will open the attachment
automatically. Upon opening the attachment, the worm
attempts to mail itself to all email addresses it finds on
the system. The CERT/CC updated the current activity page
to contain further information on this worm.
Current Activity - September 19, 2003
http://www.cert.org/current/archive/2003/09/19/archive.html#swena
7. Buffer Overflow in Sendmail
Sendmail, a widely deployed mail transfer agent (MTA),
contains a vulnerability that could allow an attacker to
execute arbitrary code with the privileges of the sendmail
daemon, typically root.
CERT Advisory CA-2003-25
Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-25.html
Vulnerability Note VU#784980
Sendmail prescan() buffer overflow vulnerability
http://www.kb.cert.org/vuls/id/784980
8. Buffer Management Vulnerability in OpenSSH
A remotely exploitable vulnerability exists in a buffer
management function in versions of OpenSSH prior to
3.7.1. This vulnerability could enable an attacker to cause a
denial-of-service condition.
CERT Advisory CA-2003-24
Buffer Management Vulnerability in OpenSSH
http://www.cert.org/advisories/CA-2003-24.html
Vulnerability Note VU#333628
OpenSSH contains buffer management errors
http://www.kb.cert.org/vuls/id/333628
9. RPCSS Vulnerabilities in Microsoft Windows
On September 10, the CERT/CC reported on three
vulnerabilities that affect numerous versions of Microsoft
Windows, two of which are remotely exploitable buffer
overflows that may allow an attacker to execute code with
system privileges.
CERT Advisory CA-2003-23
RPCSS Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html
Vulnerability Note VU#483492
Microsoft Windows RPCSS Service contains heap overflow in
DCOM activation routines
http://www.kb.cert.org/vuls/id/483492
Vulnerability Note VU#254236
Microsoft Windows RPCSS Service contains heap overflow in
DCOM request filename handling
http://www.kb.cert.org/vuls/id/254236
Vulnerability Note VU#326746
Microsoft Windows RPC service vulnerable to
denial of service
http://www.kb.cert.org/vuls/id/326746
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On October 15, the CERT/CC issued a new PGP key, which should be
used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Training Schedule
http://www.cert.org/training/
* CSIRT Development
http://www.cert.org/csirts/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more information.
Getting security information
CERT publications and other security information are available
from our web site http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in
the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an
"as is" basis. Carnegie Mellon University makes no warranties of
any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does
not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----
(11013454) /CERT Advisory <cert-advisory@cert.org>/(Rewrapped)