CERT Summary CS-2003-04

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 11/24/03


Date: Mon, 24 Nov 2003 15:28:13 -0500
To: cert-advisory@cert.org


-----BEGIN PGP SIGNED MESSAGE-----

   November 24, 2003

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since the last regularly scheduled CERT summary, issued in September
   2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
   Windows Workstation Service, RPCSS Service, and Exchange. We have also
   documented vulnerabilities in various SSL/TLS implementations, a
   buffer overflow in Sendmail, and a buffer management error in OpenSSH.
   We have received reports of W32/Swen.A, W32/Mimail variants, and
   exploitation of an Internet Explorer vulnerability reported in August
   of 2003.

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html

    1. W32/Mimail Variants

       The CERT/CC has received reports of several new variants of the
       'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
       arrives as an email message alleging to be from the Paypal
       financial service. The message requests that the recipient
       'verify' their account information to prevent the suspension of
       their Paypal account. Attached to the email is an executable file
       which captures this information (if entered), and sends it to a
       number of email addresses.

                Current Activity - November 19, 2003
                http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili

    2. Buffer Overflow in Windows Workstation Service

       A buffer overflow vulnerability exists in Microsoft's Windows
       Workstation Service (WKSSVC.DLL) allowing an attacker to execute
       arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-28
                Buffer Overflow in Windows Workstation Service
                http://www.cert.org/advisories/CA-2003-28.html

                Vulnerability Note VU#567620
                Microsoft Windows Workstation service vulnerable to
                buffer overflow when sent specially crafted network
                message
                http://www.kb.cert.org/vuls/id/567620

    3. Multiple Vulnerabilities in Microsoft Windows and Exchange

       Multiple vulnerabilities exist in Microsoft Windows and Microsoft
       Exchange, the most serious of which could allow remote attackers
       to execute arbitrary code.

                CERT Advisory CA-2003-27
                Multiple Vulnerabilities in Microsoft Windows and
                Exchange
                http://www.cert.org/advisories/CA-2003-27.html

                Vulnerability Note VU#575892
                Buffer overflow in Microsoft Windows Messenger Service
                http://www.kb.cert.org/vuls/id/575892

                Vulnerability Note VU#422156
                Microsoft Exchange Server fails to properly handle
                specially crafted SMTP extended verb requests
                http://www.kb.cert.org/vuls/id/422156

                Vulnerability Note VU#467036
                Microsoft Windows Help and support Center contains buffer
                overflow in code used to handle HCP protocol
                http://www.kb.cert.org/vuls/id/467036

                Vulnerability Note VU#989932
                Microsoft Windows contains buffer overflow in Local
                Troubleshooter ActiveX control (Tshoot.ocx)
                http://www.kb.cert.org/vuls/id/989932

                Vulnerability Note VU#838572
                Microsoft Windows Authenticode mechanism installs ActiveX
                controls without prompting user
                http://www.kb.cert.org/vuls/id/838572

                Vulnerability Note VU#435444
                Microsoft Outlook Web Access (OWA) contains cross-site
                scripting vulnerability in the "Compose New Message" form
                http://www.kb.cert.org/vuls/id/435444

                Vulnerability Note VU#967668
                Microsoft Windows ListBox and ComboBox controls vulnerable
                to buffer overflow when supplied crafted Windows message
                http://www.kb.cert.org/vuls/id/967668

    4. Multiple Vulnerabilities in SSL/TLS Implementations

       Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
       and Transport Layer Security (TLS) protocols allowing an attacker
       to execute arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-26
                Multiple Vulnerabilities in SSL/TLS Implementations
                http://www.cert.org/advisories/CA-2003-26.html

                Vulnerability Note VU#935264
                OpenSSL ASN.1 parser insecure memory deallocation
                http://www.kb.cert.org/vuls/id/935264

                Vulnerability Note VU#255484
                OpenSSL contains integer overflow handling ASN.1 tags (1)
                http://www.kb.cert.org/vuls/id/255484

                Vulnerability Note VU#380864
                OpenSSL contains integer overflow handling ASN.1 tags (2)
                http://www.kb.cert.org/vuls/id/380864

                Vulnerability Note VU#686224
                OpenSSL does not securely handle invalid public key when
                configured to ignore errors
                http://www.kb.cert.org/vuls/id/686224

                Vulnerability Note VU#732952
                OpenSSL accepts unsolicited client certificate messages
                http://www.kb.cert.org/vuls/id/732952

                Vulnerability Note VU#104280
                Multiple vulnerabilities in SSL/TLS implementations
                http://www.kb.cert.org/vuls/id/104280

                Vulnerability Note VU#412478
                OpenSSL 0.9.6k does not properly handle ASN.1 sequences
                http://www.kb.cert.org/vuls/id/412478

    5. Exploitation of Internet Explorer Vulnerability

       The CERT/CC received a number of reports indicating that attackers
       were actively exploiting the Microsoft Internet Explorer
       vulnerability described in VU#865940. These attacks include the
       installation of tools for launching distributed denial-of-service
       (DDoS) attacks, providing generic proxy services, reading
       sensitive information from the Windows registry, and using a
       victim system's modem to dial pay-per-minute services. The
       vulnerability described in VU#865940 exists due to an interaction
       between IE's MIME type processing and the way it handles HTML
       application (HTA) files embedded in OBJECT tags.

                CERT Advisory IN-2003-04
                Exploitation of Internet Explorer Vulnerability
                http://www.cert.org/incident_notes/IN-2003-04.html

                Vulnerability Note VU#865940
                Microsoft Internet Explorer does not properly evaluate
                "application/hta" MIME type referenced by DATA attribute
                of OBJECT element
                http://www.kb.cert.org/vuls/id/865940

    6. W32/Swen.A Worm

       On September 19, the CERT/CC began receiving a large volume of
       reports of a mass mailing worm, referred to as W32/Swen.A,
       spreading on the Internet. Similar to W32/Gibe.B in function, this
       worm arrives as an attachment claiming to be a Microsoft Internet
       Explorer Update or a delivery failure notice from qmail. The
       W32/Swen.A worm requires a user to execute the attachment either
       manually or by using an email client that will open the attachment
       automatically. Upon opening the attachment, the worm attempts to
       mail itself to all email addresses it finds on the system. The
       CERT/CC updated the current activity page to contain further
       information on this worm.

                Current Activity - September 19, 2003
                http://www.cert.org/current/archive/2003/09/19/archive.html#swena

    7. Buffer Overflow in Sendmail

       Sendmail, a widely deployed mail transfer agent (MTA), contains a
       vulnerability that could allow an attacker to execute arbitrary
       code with the privileges of the sendmail daemon, typically root.

                CERT Advisory CA-2003-25
                Buffer Overflow in Sendmail
                http://www.cert.org/advisories/CA-2003-25.html

                Vulnerability Note VU#784980
                Sendmail prescan() buffer overflow vulnerability
                http://www.kb.cert.org/vuls/id/784980

    8. Buffer Management Vulnerability in OpenSSH

       A remotely exploitable vulnerability exists in a buffer management
       function in versions of OpenSSH prior to 3.7.1. This vulnerability
       could enable an attacker to cause a denial-of-service condition.

                CERT Advisory CA-2003-24
                Buffer Management Vulnerability in OpenSSH
                http://www.cert.org/advisories/CA-2003-24.html

                Vulnerability Note VU#333628
                OpenSSH contains buffer management errors
                http://www.kb.cert.org/vuls/id/333628

    9. RPCSS Vulnerabilities in Microsoft Windows

       On September 10, the CERT/CC reported on three vulnerabilities
       that affect numerous versions of Microsoft Windows, two of which
       are remotely exploitable buffer overflows that may allow an
       attacker to execute code with system privileges.

                CERT Advisory CA-2003-23
                RPCSS Vulnerabilities in Microsoft Windows
                http://www.cert.org/advisories/CA-2003-23.html

                Vulnerability Note VU#483492
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM activation routines
                http://www.kb.cert.org/vuls/id/483492

                Vulnerability Note VU#254236
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM request filename handling
                http://www.kb.cert.org/vuls/id/254236

                Vulnerability Note VU#326746
                Microsoft Windows RPC service vulnerable to
                denial of service
                http://www.kb.cert.org/vuls/id/326746
   ______________________________________________________________________

New CERT Coordination Center (CERT/CC) PGP Key

   On October 15, the CERT/CC issued a new PGP key, which should be used
   when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc

          Sending Sensitive Information to the CERT/CC
          https://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
       http://www.cert.org/advisories/
     * Vulnerability Notes
       http://www.kb.cert.org/vuls
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Congressional Testimony
       http://www.cert.org/congressional_testimony
     * Training Schedule
       http://www.cert.org/training/
     * CSIRT Development
       http://www.cert.org/csirts/
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2003-04.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP8JVOZZ2NNT/dVAVAQGL9wP+I18NJBUBuv7b0pam5La7E7qOQFMn5n78
7i0gBX/dKgaY5siM6jBYYwCbbA7Y0/Jwtby2zHp1s8RHZY5/3JEzElfv4TLlR8rT
rb8gJDbpan2JWA6xH9IzqZaSrxrXpNypwU2wWxR2osmbYl8FdV0rD3ZYXJjyi+nU
UENALuNdthA=
=DD60
-----END PGP SIGNATURE-----