CERT Summary CS-2003-01

From: CERT Advisory (cert-advisory@cert.org)
Date: 03/21/03

    Date: Fri, 21 Mar 2003 15:02:29 -0500
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org


    CERT Summary CS-2003-01

       March 21, 2003

       Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
       Summary to draw attention to the types of attacks reported to our
       incident response team, as well as other noteworthy incident and
       vulnerability information. The summary includes pointers to sources of
       information for dealing with the problems.

       Past CERT summaries are available from:

              CERT Summaries

       Recent Activity

       Since the last regularly scheduled CERT summary, issued in November
       2002 (CS-2002-04), we have seen vulnerabilities in multiple Windows
       operating system components, vulnerabilities in several widely used
       pieces of server software, and a new piece of self-propagating
       malicious code.

       For more current information on activity being reported to the
       CERT/CC, please visit the CERT/CC Current Activity page. The Current
       Activity page is a regularly updated summary of the most frequent,
       high-impact types of security incidents and vulnerabilities being
       reported to the CERT/CC. The information on the Current Activity page
       is reviewed and updated as reporting trends change.

              CERT/CC Current Activity

        1. Buffer Overflow Vulnerability in Core Windows DLL

           A buffer overflow vulnerability exists in ntdll.dll. This
           vulnerability may allow a remote attacker to execute arbitrary
           code on the victim machine.

           An exploit is publicly available for this vulnerability, which
           increases the urgency for system administrators to apply a patch.
           The CERT/CC strongly encourages sites running Windows to read CERT
           Advisory CA-2003-09, examine their systems for signs of compromise,
           and apply the appropriate patch as soon as possible.

              CERT Advisory CA-2003-09:
              Buffer Overflow Vulnerability in Core Windows DLL

        2. Remote Buffer Overflow in Sendmail

           A vulnerability has been discovered in sendmail, the most popular
           mail transfer agent (MTA) in use on the Internet, that may allow
           remote attackers to gain the privileges of the sendmail daemon,
           typically root. This vulnerability is triggered by the contents of
           a specially-crafted email message rather than by lower-level
           network traffic.

           The CERT/CC has received reports of increased scanning for port
           25/tcp (SMTP) and apparent attempts to exploit this vulnerability.
           Sites running sendmail are encouraged to read CERT Advisory
           CA-2003-07 and apply the appropriate patch.

           Some other vendors have released patches for their MTA software
           that prevent the MTA from passing potentially malicious messages
           to other systems that may be running sendmail. We encourage sites
           to apply these patches if possible to help protect other servers
           on the Internet.

               CERT Advisory CA-2003-07:
               Remote Buffer Overflow in Sendmail

        3. Increased Activity Targeting Windows Shares

           Over the past few weeks, the CERT/CC has received an increasing
           number of reports of intruder activity involving the exploitation
           of Null (i.e., non-existent) or weak Administrator passwords on
           Server Message Block (SMB) file shares used on systems running
           Windows 2000 or Windows XP. This activity has resulted in the
           successful compromise of thousands of systems, with home broadband
           users' systems being a prime target. More information on this
           activity and the attack tools known to be involved is available
           in CERT Advisory CA-2003-08.

               CERT Advisory CA-2003-08:
               Increased Activity Targeting Windows Shares

        4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment
           Reassembly Code

           A buffer overflow vulnerability has been discovered in Samba, a
           popular file and printer sharing tool. By exploiting this
           vulnerability a remote attacker may be able to execute arbitrary
           code with the privileges of the Super User, typically root. An
           updated version of Samba (2.2.8) has been released.

           The CERT/CC has not yet received reports of this vulnerability
           being exploited, but sites are strongly encouraged to examine
           their Samba servers and upgrade to the newest version if possible
           to eliminate the potential for exploitation.

               Vulnerability Note VU#298233:
               Samba contains buffer overflow in SMB/CIFS
               packet fragment reassembly code

        5. MS-SQL Server Worm

           The CERT/CC has received reports of self-propagating malicious
           code that exploits a vulnerability in the Resolution Service of
           Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE)
           2000. This worm has been referred to as the SQLSlammer,
           W32.Slammer, and Sapphire worm. The propagation of this malicious
           code has caused varied levels of network degradation across the
           Internet and the compromise of vulnerable machines. In January,
           2003, the CERT/CC issued an advisory describing the SQL Server

               CERT Advisory CA-2003-04:
               MS-SQL Server Worm

           Administrators of all systems running Microsoft SQL Server 2000
           and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891.
           For detailed vendor recommendations regarding installing the patch
           see the following:


           Six months earlier, the CERT/CC issued an advisory describing
           several serious vulnerabilities in Microsoft SQL Server that allow
           attackers to obtain sensitive information, alter database
           contents, and compromise server hosts.

               CERT Advisory CA-2002-22:
               Multiple Vulnerabilities in Microsoft SQL Server

        6. Multiple Vulnerabilities in Implementations of the Session
           Initiation Protocol (SIP)

           Numerous vulnerabilities have been reported in multiple vendors'
           implementations of the Session Initiation Protocol. These
           vulnerabilities may allow an attacker to gain unauthorized
           privileged access, cause denial-of-service attacks, or cause
           unstable system behavior. If your site uses SIP-enabled products
           in any capacity, the CERT/CC encourages you to read this advisory
           and follow the advice provided in the Solution section below.

               CERT Advisory CA-2003-06:
               Multiple vulnerabilities in implementations of the Session
               Initiation Protocol (SIP)

        7. Multiple Vulnerabilities in SSH Implementations

           Multiple vendors' implementations of the secure shell (SSH)
           transport layer protocol contain vulnerabilities that could allow
           a remote attacker to execute arbitrary code with the privileges of
           the SSH process or cause a denial of service. The vulnerabilities
           affect SSH clients and servers, and they occur before user
           authentication takes place.

               CERT Advisory CA-2002-36:
               Multiple Vulnerabilities in SSH Implementations

               CERT Vulnerability Note VU#389665:
               Multiple vendors' SSH transport layer protocol implementations
               contain vulnerabilities in key exchange and initialization

        8. Buffer Overflow in Microsoft Windows Shell

           A buffer overflow vulnerability exists in the Microsoft Windows
           Shell. An attacker can exploit this vulnerability by enticing a
           victim to read a malicious email message, visit a malicious web
           page, or browse to a folder containing a malicious .MP3 or .WMA
           file. The attacker can then execute arbitrary code with the
           privileges of the victim.

               CERT Advisory CA-2002-37:
               Buffer Overflow in Microsoft Windows Shell

        9. Double-Free Bug in CVS Server

           A "double-free" vulnerability in the Concurrent Versions System
           (CVS) server could allow an unauthenticated, remote attacker with
           read-only access to execute arbitrary code, alter program
           operation, read sensitive information, or cause a denial of

               CERT Advisory CA-2003-02:
               Double-Free Bug in CVS Server

       10. Buffer Overflow in Windows Locator Service

           A buffer overflow vulnerability in the Microsoft Windows Locator
           service could allow a remote attacker to execute arbitrary code or
           cause the Windows Locator service to fail. This service is enabled
           and running by default on Windows 2000 domain controllers and
           Windows NT 4.0 domain controllers. On January 23, 2003, the
           CERT/CC issued an advisory describing the vulnerabilities in
           Windows Locator Service and provided patch information.

               CERT Advisory CA-2003-03:
               Buffer Overflow in Windows Locator Service


       A note about CERT Advisories and email filters

       CERT advisories occasionally contain words that may trigger email
       filters. Please check your filters carefully to ensure proper delivery
       of our email notifications. If your service provider conducts
       filtering on your behalf, be aware that you may not receive some of
       our notifications.

       What's New and Updated

       Since the last CERT Summary, we have published new and updated:
         * CERT/CC 2002 Annual Report
         * Advisories
         * CERT/CC Statistics
         * Incident Notes
         * Tech Tips

       This document is available from:

       CERT/CC Contact Information

       Email: cert@cert.org
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

        Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

        Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.
