Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2001.089 -- CERT Summary CS-2001-01 CERT Summary 1 March 2001 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Summary Vendor: CERT/CC - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2001-01 February 28, 2001 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in November 2000 (CS-2000-04), we have seen continued compromises via well-known vulnerabilities in rpc.statd and FTPD, as well as exploitations of recently discovered vulnerabilities in BIND and LPRng. Notable virus activity includes W32/Hybris and VBS/OnTheFly (Anna Kournakova). For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. Multiple Vulnerabilities in BIND The CERT/CC has learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure. The CERT/CC has begun receiving reports of these vulnerabilities being successfully exploited. Sites are encouraged to follow the advice in CA-2001-02 to protect systems. CERT Advisory CA-2001-01 Multiple Vulnerabilities in BIND http://www.cert.org/advisories/CA-2001-02.html 2. Compromises Via Ramen Toolkit The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits known vulnerabilities in FTPD, rpc.statd, and LPRng; and it contains a mechanism to self-propagate. Over the past several months we have received multiple daily reports of sites being root compromised by the Ramen toolkit. Sites, especially those running Linux, are encouraged to review the following document: CERT Incident Note IN-2001-01, Widespread Compromises via "ramen" Toolkit http://www.cert.org/incident_notes/IN-2001-01.html 3. Input Validation Problems in LPRng A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect, known as a "format string vulnerability," which may allow remote users to execute arbitrary code on vulnerable systems. Sites are encouraged to follow the advice in CA-2000-22 to protect systems. CERT Advisory CA-2000-22 Input Validation Problems in LPRng http://www.cert.org/advisories/CA-2000-22.html 4. VBS/OnTheFly (Anna Kournikova) Malicious Code The "VBS/OnTheFly" malicious code is a VBScript program that, when executed, sends a copy of itself as an email file attachment. On February 12, the CERT Coordination Center received a large number of reports from sites infected with VBS/OnTheFly. Several of the sites reported suffering network degradation as a result of mail traffic generated by VBS/OnTheFly. The CERT/CC has received few reports since the initial outbreak. For information on how to prevent or recover from a VBS/OnTheFly infection, please see: CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code http://www.cert.org/advisories/CA-2001-03.html ______________________________________________________________________ New Vulnerability Notes Database On December 15, 2000, the CERT/CC began publishing vulnerability notes in a new format, and at a new location. Vulnerability notes are very similar to advisories, but they may have less complete information and solutions may not be available for all the vulnerabilities described in vulnerability notes. There are currently more than 70 vulnerability notes available in the database. We will continue publishing vulnerability notes in accordance with our vulnerability disclosure policy. Vulnerability notes can be found at: The CERT Coordination Center Vulnerability Notes Database http://www.kb.cert.org/vuls/ ______________________________________________________________________ What's New and Updated Since the last CERT summary, we have published new and updated * Advisories http://www.cert.org/advisories/ * Incident notes http://www.cert.org/incident_notes/ * CERT/CC statistics http://www.cert.org/stats/cert_stats.html * Security improvement modules http://www.cert.org/security-improvement/ Descriptions of these documents and links to them can be found on our "What's New" page: What's New http://www.cert.org/nav/whatsnew.html ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2001-01.html ______________________________________________________________________ CERT/CC Contact Information Email: email@example.com Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to firstname.lastname@example.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright (C) 2001 Carnegie Mellon University. - -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBOp1bcQYcfu8gsZJZAQFIMQP9G2X9YFe3JOfExLMiu4sRGjCIlLwqhlnq DdIXAAkAoaEZ9aVn6xKlSWLezmxlf8vftx+m+6kNRmHUf26VIKfARBUYXIG2bIjP EkydQwuteDHX4ZmDLZZbm8Yg1beCSBkFrVcrn9PAOMSFn1Qs5YqESDYaBDxEGQo6 5EJRBR1nEIw= =r/mx - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOp4wYih9+71yA2DNAQEK6QP/e0Gi0K5ICnuLgLnHo83rWyoEZkqNAtzz HMbj3r1rPrz8HOC/3kIdgZX8LqcIlEYdp4eaUZMB2HQ+rfKUDQJGPFSi+6X3Y/b6 OZ1Pr4PfzkQR11uzTXpwFrWf3gBmkxQ9P3b/F6wcJ9pVivv4eY3FZrbxRwRtPX0l eDv/yh7IWZ8= =z/54 -----END PGP SIGNATURE-----