CERT Summary CS-2002-04

From: CERT Advisory (cert-advisory@cert.org)
Date: 11/26/02


Date: Tue, 26 Nov 2002 14:54:01 -0500
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org


-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2002-04

   November 26, 2002

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since the last regularly scheduled CERT summary, issued in August 2002
   (CS-2002-03), we have seen Trojan horse versions of three popular
   software distributions (Sendmail, tcpdump, and libpcap), new
   self-propagating malicious code (the Apache/mod_ssl worm), and
   multiple vulnerabilities in BIND. In addition, we have issued a new
   PGP key.

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html

    1. Apache/mod_ssl Worm

       Over the past several months, we have received reports of
       self-propagating malicious code that exploits a vulnerability
       (VU#102795) in OpenSSL. Reports received by the CERT/CC indicate
       that the Apache/mod_ssl worm has already infected thousands of
       systems. More than a month before the worm appeared, the CERT/CC
       had issued an advisory (CA-2002-23) describing four remotely
       exploitable buffer overflows in OpenSSL, including this one.

                CERT Advisory CA-2002-27
                Apache/mod_ssl Worm
                http://www.cert.org/advisories/CA-2002-27.html

                CERT Advisory CA-2002-23
                Multiple Vulnerabilities in OpenSSL
                http://www.cert.org/advisories/CA-2002-23.html

                Vulnerability Note #102795
                OpenSSL servers contain a buffer overflow during the
                SSL2 handshake process
                http://www.kb.cert.org/vuls/id/102795
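       The worm reaches a server through the SSLv2 handshake, so one quick
       audit a practitioner wants is whether a given Apache/mod_ssl
       configuration still accepts SSLv2 at all. The script below is an
       added example, not part of this summary or of the Apache/mod_ssl
       project. It assumes the SSLProtocol directive semantics of mod_ssl of
       this era (tokens read left to right; "+name" adds a protocol, "-name"
       removes it, a bare name replaces the set, "all" includes SSLv2, and a
       missing directive means the default "all"), treats the last directive
       in a file as the one in force, and does not follow VirtualHost
       scoping or Include files. The sample configurations are constructed.
       Rejecting SSLv2 closes the path this worm uses; it is not a
       substitute for the OpenSSL upgrade in CA-2002-23, which also fixes
       the other overflows that advisory lists.

```shell
#!/bin/sh
# Added example, not from the CERT summary: check whether an Apache/mod_ssl
# configuration still accepts SSLv2, the protocol whose handshake the
# Apache/mod_ssl worm's exploit targets. The sample files are constructed.
#
# Assumed SSLProtocol semantics (mod_ssl of this era): tokens are read left
# to right; "+name" adds a protocol, "-name" removes it, a bare name replaces
# the whole set, and "all" includes SSLv2. With no directive at all the
# default is "all". Simplification: the last directive in the file wins;
# per-VirtualHost scoping and Include files are not followed.

# sslv2_allowed CONF: exit 0 if CONF still permits SSLv2, 1 if it does not.
sslv2_allowed() {
    # Strip comments, keep the last SSLProtocol line, lower-case it.
    line=$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' \
           | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -z "$line" ]; then
        return 0                        # no directive: default "all"
    fi
    allowed=0
    set -- $line                        # split into words; $1 is "sslprotocol"
    shift
    for tok in "$@"; do
        case "$tok" in
            all|+all|sslv2|+sslv2) allowed=1 ;;
            -all|-sslv2)           allowed=0 ;;
            +*|-*)                 ;;            # other protocols: no effect
            *)                     allowed=0 ;;  # bare name replaces the set
        esac
    done
    [ "$allowed" -eq 1 ]
}

# --- constructed sample configurations ---------------------------------
WORK=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all\n'        > "$WORK/weak.conf"     # SSLv2 on
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$WORK/fixed.conf"    # SSLv2 off
printf 'SSLEngine on\n'                         > "$WORK/default.conf"  # default "all"

for c in weak fixed default; do
    if sslv2_allowed "$WORK/$c.conf"; then
        echo "$c.conf: SSLv2 still accepted; upgrade OpenSSL and disable SSLv2"
    else
        echo "$c.conf: SSLv2 rejected"
    fi
done
```

       Run it against each httpd.conf or ssl.conf on a host; a configuration
       with no SSLProtocol line at all is reported as accepting SSLv2, since
       that is the default, and the order of tokens matters ("-SSLv2 +all"
       re-enables it).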

    2. Trojan Horse Sendmail Distribution

       The CERT/CC has received confirmation that some copies of the
       source code for the Sendmail package have been modified by an
       intruder to contain a Trojan horse. These copies began to appear
       in downloads from the FTP server ftp.sendmail.org on or around
       September 28, 2002. On October 8, 2002, the CERT/CC issued an
       advisory (CA-2002-28) describing various methods to verify
       software authenticity.

                CERT Advisory CA-2002-28
                Trojan Horse Sendmail Distribution
                http://www.cert.org/advisories/CA-2002-28.html

    3. Trojan Horse tcpdump and libpcap Distributions

       The CERT/CC has received reports that some copies of the source
       code for libpcap, a packet acquisition library, and tcpdump, a
       network sniffer, have been modified by an intruder and contain a
       Trojan horse. These modified distributions began to appear in
       downloads from the HTTP server www.tcpdump.org on or around Nov
       11, 2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5
       checksums and official distribution sites for libpcap and tcpdump.

                CERT Advisory CA-2002-30
                Trojan Horse tcpdump and libpcap Distributions
                http://www.cert.org/advisories/CA-2002-30.html
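       The Sendmail and tcpdump/libpcap reports above come down to the same
       practitioner check: compare what you downloaded against checksums
       and signatures obtained from somewhere other than the download
       server. The script below is an added example of that check, written
       for this page; it is not from the CERT advisories or from the
       Sendmail or tcpdump projects. The file names, the manifest, and the
       expected digest are constructed (the digest is the RFC 1321 MD5 test
       vector for the string "abc"). It uses md5sum, with openssl as a
       fallback, because the advisories published MD5 checksums; the
       gpg --verify step is included because a checksum fetched from the
       same compromised server proves nothing, while a detached signature
       checked against a key you already held does.

```shell
#!/bin/sh
# Added example, not from the CERT advisories or the affected projects:
# verify a downloaded source distribution against the checksums an advisory
# publishes, and (when a signature exists) against a detached PGP signature.
# The sample files, the manifest, and the expected digest are constructed.

# Print the MD5 digest of a file: md5sum where present, openssl otherwise.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_md5 FILE EXPECTED_HEX: succeed only if the digest matches exactly.
verify_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_manifest MANIFEST DIR: check every "<md5>  <name>" line in MANIFEST
# against DIR/<name>. One status line per file; fails if any file is missing
# or mismatched, so a single modified tarball fails the whole check.
verify_manifest() {
    manifest="$1"; dir="$2"; status=0
    while read -r expected name; do
        if [ -z "$expected" ]; then continue; fi        # blank line
        case "$expected" in \#*) continue ;; esac       # comment line
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1
        elif verify_md5 "$dir/$name" "$expected"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$manifest"
    return $status
}

# verify_sig TARBALL SIGFILE: a matching checksum only shows the file equals
# what the checksum list says; if that list came from the same compromised
# server it shows nothing. A detached signature checked against a key
# obtained beforehand (not from the download site) is the stronger test.
verify_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 2; }
    gpg --verify "$2" "$1"
}

# --- constructed sample data -------------------------------------------
WORK=$(mktemp -d)
GOOD="$WORK/sample-1.0.tar.gz"          # stands in for the genuine tarball
BAD="$WORK/sample-1.0-trojan.tar.gz"    # stands in for a modified copy
printf 'abc'   > "$GOOD"                # MD5("abc") is the RFC 1321 test vector
printf 'abc\n' > "$BAD"                 # one extra byte: different digest
GOOD_MD5=900150983cd24fb0d6963f7d28e17f72
MANIFEST="$WORK/MD5SUMS"
cat > "$MANIFEST" <<EOF
# constructed manifest in md5sum(1) format, as an advisory might publish it
$GOOD_MD5  sample-1.0.tar.gz
$GOOD_MD5  sample-1.0-trojan.tar.gz
EOF

if verify_manifest "$MANIFEST" "$WORK"; then
    echo "all files match the published checksums"
else
    echo "at least one file does not match: DO NOT INSTALL"
fi
```

       Against the constructed data the genuine tarball reports OK and the
       modified copy reports MISMATCH, so the manifest check fails as a
       whole. MD5 collisions have since become practical, so current
       distributions publish SHA-256 sums and signatures instead; swapping
       md5sum for sha256sum in file_md5 is the only change needed.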

    4. Multiple Vulnerabilities in BIND

       The CERT/CC has documented multiple vulnerabilities in BIND, the
       popular domain name server and client library software package
       from the Internet Software Consortium (ISC). Some of these
       vulnerabilities may allow a remote intruder to execute arbitrary
       code with the privileges of the user running named (typically
       root). Several vulnerabilities are referenced in the advisory;
       they are listed here individually.

                CERT Advisory CA-2002-31
                Multiple Vulnerabilities in BIND
                http://www.cert.org/advisories/CA-2002-31.html

                Vulnerability Note #852283
                Cached malformed SIG record buffer overflow
                http://www.kb.cert.org/vuls/id/852283

                Vulnerability Note #229595
                Overly large OPT record assertion
                http://www.kb.cert.org/vuls/id/229595

                Vulnerability Note #581682
                ISC BIND 8 fails to properly dereference cache SIG RR
                elements with invalid expiry times from the internal
                database
                http://www.kb.cert.org/vuls/id/581682

                Vulnerability Note #844360
                Domain Name System (DNS) stub resolver libraries
                vulnerable to buffer overflows via network name or
                address lookups
                http://www.kb.cert.org/vuls/id/844360

    5. Heap Overflow Vulnerability in Microsoft Data Access Components
       (MDAC)

       On November 21, 2002 the CERT/CC issued an advisory (CA-2002-33)
       describing a vulnerability in MDAC, a collection of Microsoft
       utilities and routines that process requests between databases and
       network applications.

               CERT Advisory CA-2002-33
               Heap Overflow Vulnerability in Microsoft Data Access
               Components (MDAC)
               http://www.cert.org/advisories/CA-2002-33.html
   ______________________________________________________________________

New CERT/CC PGP Key

   On September 19, the CERT/CC issued a new PGP key, which should be
   used when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc

          Sending Sensitive Information To The CERT/CC
          http://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
       http://www.cert.org/advisories/
     * Congressional Testimony
       http://www.cert.org/congressional_testimony/
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Home User Security
       http://www.cert.org/homeusers/HomeComputerSecurity
     * Tech Tips
       http://www.cert.org/tech_tips/
     * Training Schedule
       http://www.cert.org/training/
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2002-04.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

    Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPePMQWjtSoHZUTs5AQGdxwP9HK4mSF15bMQ9MZ4mMFcLIhvdXykANg8A
6nEIAyB8CJpbuWdP7sPh3qAwaZ9BhRFEGeLakONOpoo7bmjkwAWrJHxF3b1CrgHS
ZuKQsgEhnm9wpPdU6w6SG1cJBkwz70b8d7YK0vcVuKhmaW0JOx9OLGKsAe3SFePD
OiZbNHX+eb8=
=Mnbn
-----END PGP SIGNATURE-----