CERT Summary CS-2002-04

From: CERT Advisory (cert-advisory@cert.org)
Date: 11/26/02

Date: Tue, 26 Nov 2002 14:54:01 -0500
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org


CERT Summary CS-2002-04

   November 26, 2002

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries

Recent Activity

   Since the last regularly scheduled CERT summary, issued in August 2002
   (CS-2002-03), we have seen trojan horses for three popular
   distributions, new self-propagating malicious code (Apache/mod_ssl),
   and multiple vulnerabilities in BIND. In addition, we have issued a
   new PGP Key.

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. Apache/mod_ssl Worm

       Over the past several months, we have received reports of a
       self-propagating malicious code that exploits a vulnerability
       (VU#102795) in OpenSSL. Reports received by the CERT/CC indicate
       that the Apache/mod_ssl worm has already infected thousands of
       systems. Over a month earlier, the CERT/CC issued an advisory
       (CA-2002-23) describing four remotely exploitable buffer overflows
       in OpenSSL.

                CERT Advisory CA-2002-27
                Apache/mod_ssl Worm

                CERT Advisory CA-2002-23
                Multiple Vulnerabilities in OpenSSL

                Vulnerability Note #102795
                OpenSSL servers contain a buffer overflow during the
                SSL2 handshake process

    2. Trojan Horse Sendmail Distribution

       The CERT/CC has received confirmation that some copies of the
       source code for the Sendmail package have been modified by an
       intruder to contain a Trojan horse. These copies began to appear
       in downloads from the FTP server ftp.sendmail.org on or around
       September 28, 2002. On October 8, 2002, the CERT/CC issued an
       advisory (CA-2002-28) describing various methods to verify
       software authenticity.

                CERT Advisory CA-2002-28
                Trojan Horse Sendmail Distribution

    3. Trojan Horse tcpdump and libpcap Distributions

       The CERT/CC has received reports that some copies of the source
       code for libpcap, a packet acquisition library, and tcpdump, a
       network sniffer, have been modified by an intruder and contain a
       Trojan horse. These modified distributions began to appear in
       downloads from the HTTP server www.tcpdump.org on or around Nov
       11, 2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5
       checksums and official distribution sites for libpcap and tcpdump.

                CERT Advisory CA-2002-30
                Trojan Horse tcpdump and libpcap Distributions
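The integrity check that CA-2002-28 and CA-2002-30 rely on, applied to items 2 and 3 above: an added example (not CERT/CC code) that reads an md5sum-style checksum list and flags downloaded archives whose digest does not match. The list format, file names and file bytes are assumptions constructed for illustration.

```python
"""Check downloaded source distributions against an md5sum-style checksum list.

Added example for this CERT summary, not CERT/CC code. The list format and the
file names and bytes below are constructed. Get the list from a channel other than
the download server (the advisory itself, a signed mail): an intruder who can
replace a tarball on a mirror can replace a checksum file hosted beside it.
"""
import hashlib
import re

# md5sum prints "<32 hex digits>  <name>" (or " *<name>" in binary mode).
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)$")

def parse_checksum_list(text: str) -> dict:
    """Map file name -> expected lowercase hex digest; other lines are skipped."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected

def md5_hex(data: bytes) -> str:
    """Hex MD5 of file contents, the digest the 2002 advisories published."""
    return hashlib.md5(data).hexdigest()

def verify_distribution(checksum_text: str, files: dict) -> dict:
    """Return {name: 'ok' | 'MISMATCH' | 'unlisted' | 'missing'} covering every
    downloaded file (name -> bytes) and every name in the published list."""
    expected = parse_checksum_list(checksum_text)
    report = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "unlisted"   # nothing to compare against: do not trust
        elif md5_hex(data) == expected[name]:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"   # altered on the server or in transit
    for name in expected:
        report.setdefault(name, "missing")  # listed but not downloaded
    return report

if __name__ == "__main__":
    clean = b"constructed stand-in for a source tarball"
    listing = md5_hex(clean) + "  example-1.0.tar.gz\n"
    print(verify_distribution(listing, {"example-1.0.tar.gz": clean}))
    print(verify_distribution(listing, {"example-1.0.tar.gz": clean + b"#added"}))
```

A "MISMATCH" or "unlisted" result means the archive should not be unpacked or built until a copy from an official distribution site has been checked the same way.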

    4. Multiple Vulnerabilities in BIND

       The CERT/CC has documented multiple vulnerabilities in BIND, the
       popular domain name server and client library software package
       from the Internet Software Consortium (ISC). Some of these
       vulnerabilities may allow a remote intruder to execute arbitrary
       code with the privileges of the user running named (typically
       root). Several vulnerabilities are referenced in the advisory;
       they are listed here individually.

                CERT Advisory CA-2002-31
                Multiple Vulnerabilities in BIND

                Vulnerability Note #852283
                Cached malformed SIG record buffer overflow

                Vulnerability Note #229595
                Overly large OPT record assertion

                Vulnerability Note #581682
                ISC Bind 8 fails to properly dereference cache SIG RR
                elements invalid expiry times from the internal database

                Vulnerability Note #844360
                Domain Name System (DNS) stub resolver libraries
                vulnerable to buffer overflows via network name or
                address lookups

    5. Heap Overflow Vulnerability in Microsoft Data Access Components

       On November 21, 2002 the CERT/CC issued an advisory (CA-2002-33)
       describing a vulnerability in MDAC, a collection of Microsoft
       utilities and routines that process requests between databases and
       network applications.

               CERT Advisory CA-2002-33
               Heap Overflow Vulnerability in Microsoft Data Access
               Components (MDAC)


   On September 19, the CERT/CC issued a new PGP key, which should be
   used when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          Sending Sensitive Information To The CERT/CC


What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
     * Congressional Testimony
     * CERT/CC Statistics
     * Home User Security
     * Tech Tips
     * Training Schedule

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If you prefer to use DES, please call the CERT hotline for more

    Getting security information

   CERT publications and other security information are available from
   our web site

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.
