CERT Summary CS-2003-01
From: CERT Advisory (firstname.lastname@example.org)
Date: Fri, 21 Mar 2003 15:02:29 -0500 From: CERT Advisory <email@example.com> To: firstname.lastname@example.org
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2003-01
March 21, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
Since the last regularly scheduled CERT summary, issued in November
2002 (CS-2002-04), we have seen vulnerabilities in multiple Windows
operating system components, vulnerabilities in several widely used
pieces of server software, and a new piece of self-propagating
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
1. Buffer Overflow Vulnerability in Core Windows DLL
A buffer overflow vulnerability exists in ntdll.dll. This
vulnerability may allow a remote attacker to execute arbitrary
code on the victim machine.
An exploit is publicly available for this vulnerability which
increases the urgency that system administrators apply a patch.
The CERT/CC strongly encourages sites Windows to read CERT
Advisory CA-2003-09, examine their systems for signs of compromise
and apply the appropriate patch as soon as possible.
CERT Advisory CA-2003-09:
Buffer Overflow Vulnerability in Core Windows DLL
2. Remote Buffer Overflow in Sendmail
A vulnerability has been discovered in sendmail, the most popular
mail transfer agent (MTA) in use on the Internet, that may allow
remote attackers to gain the privileges of the sendmail daemon,
typically root. This vulnerability is triggered by the contents of
a specially-crafted email message rather than by lower-level
The CERT/CC has received reports of increased scanning for port
25/tcp (SMTP) and apparent attempts to exploit this vulnerability.
Sites running sendmail are encouraged to read CERT Advisory
CA-2003-07 apply the appropriate patch.
Some other vendors have released patches for their MTA software
which prevents the MTA from passing potentially malicious messages
to other systems which may be running sendmail. We encourage sites
to apply these patches if possible to help protect other servers
on the Internet.
CERT Advisory CA-2003-07:
Remote Buffer Overflow in Sendmail
3. Increased Activity Targeting Windows Shares
Over the past few weeks, the CERT/CC has received an increasing
number of reports of intruder activity involving the exploitation
of Null (i.e., non-existent) or weak Administrator passwords on
Server Message Block (SMB) file shares used on systems running
Windows 2000 or Windows XP. This activity has resulted in the
successful compromise of thousands of systems, with home broadband
users' systems being a prime target. More information on this
activity and the attack tools known to be involved are described
in CERT Advisory CA-2003-08.
CERT Advisory CA-2003-08:
Increased Activity Targeting Windows Shares
4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment
A buffer overflow vulnerability has been discovered in Samba, a
popular file and printer sharing tool. By exploiting this
vulnerability a remote attacker may be able to execute arbitrary
code with the privileges of the Super User, typically root. An
updated version of Samba (2.2.8) has been released.
The CERT/CC has not yet received reports of this vulnerability
being exploited, but sites are strongly encouraged to examine
their samba servers and upgrade to the newest version if possible
to eliminate the potential for exploitation.
Vulnerability Note VU#298233:
Samba contains buffer overflow in SMB/CIFS
packet fragment reassembly code
5. MS-SQL Server Worm
The CERT/CC has received reports of self-propagating malicious
code that exploits a vulnerability in the Resolution Service of
Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE)
2000. This worm has been referred to as the SQLSlammer,
W32.Slammer, and Sapphire worm. The propagation of this malicious
code has caused varied levels of network degradation across the
Internet and the compromise of vulnerable machines. In January,
2003, the CERT/CC issued an advisory describing the SQL Server
CERT Advisory CA-2003-04:
MS-SQL Server Worm
Administrators of all systems running Microsoft SQL Server 2000
and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891.
For detailed vendor recommendations regarding installing the patch
see the following:
Six months earlier, the CERT/CC issued an advisory describing
several serious vulnerabilities in Microsoft SQL Server that allow
attackers to obtain sensitive information, alter database
contents, and compromise server hosts.
CERT Advisory CA-2002-22:
Multiple Vulnerabilities in Microsoft SQL Server
6. Multiple Vulnerabilities in Implementations of the Session
Initiation Protocol (SIP)
Numerous vulnerabilities have been reported in multiple vendors'
implementations of the Session Initiation Protocol. These
vulnerabilities may allow an attacker to gain unauthorized
privileged access, cause denial-of-service attacks, or cause
unstable system behavior. If your site uses SIP-enabled products
in any capacity, the CERT/CC encourages you to read this advisory
and follow the advice provided in the Solution section below.
CERT Advisory CA-2003-06:
Multiple vulnerabilities in implementations of the Session
Initiation Protocol (SIP)
7. Multiple Vulnerabilities in SSH Implementations
Multiple vendors' implementations of the secure shell (SSH)
transport layer protocol contain vulnerabilities that could allow
a remote attacker to execute arbitrary code with the privileges of
the SSH process or cause a denial of service. The vulnerabilities
affect SSH clients and servers, and they occur before user
authentication takes place.
CERT Advisory CA-2002-36:
Multiple Vulnerabilities in SSH Implementations
CERT Vulnerability Note VU#389665:
Multiple vendors' SSH transport layer protocol implementations
contain vulnerabilities in key exchange and initialization
8. Buffer Overflow in Microsoft Windows Shell
A buffer overflow vulnerability exists in the Microsoft Windows
Shell. An attacker can exploit this vulnerability by enticing a
victim to read a malicious email message, visit a malicious web
page, or browse to a folder containing a malicious .MP3 or .WMA
file. The attacker can then execute arbitrary code with the
privileges of the victim.
CERT Advisory CA-2002-37:
Buffer Overflow in Microsoft Windows Shell
9. Double-Free Bug in CVS Server
A "double-free" vulnerability in the Concurrent Versions System
(CVS) server could allow an unauthenticated, remote attacker with
read-only access to execute arbitrary code, alter program
operation, read sensitive information, or cause a denial of
CERT Advisory CA-2003-02:
Double-Free Bug in CVS Server
10. Buffer Overflow in Windows Locator Service
A buffer overflow vulnerability in the Microsoft Windows Locator
service could allow a remote attacker to execute arbitrary code or
cause the Windows Locator service to fail. This service is enabled
and running by default on Windows 2000 domain controllers and
Windows NT 4.0 domain controllers. On January 23, 2003, the
CERT/CC issued an advisory describing the vulnerabilities in
Windows Locator Service and provided patch information.
CERT Advisory CA-2003-03:
Buffer Overflow in Windows Locator Service
A note about CERT Advisories and email filters
CERT advisories occasionally contain words that may trigger email
filters. Please check your filters carefully to ensure proper delivery
of our email notifications. If your service provider conducts
filtering on your behalf, be aware that you may not receive some of
What's New and Updated
Since the last CERT Summary, we have published new and updated:
* CERT/CC 2002 Annual Report
* CERT/CC Statistics
* Incident Notes
* Tech Tips
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----