Published:
29 May 2001
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2001.219 -- CERT Summary CS-2001-02
                                CERT Summary
                                 30 May 2001
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Summary
Vendor:                 CERT/CC

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2001-02

   May 29, 2001

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

   Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms, and active exploitation of vulnerabilities in snmpXdmid, BIND, and IIS by intruders.

   For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html

   1. sadmind/IIS Worm

   The CERT/CC has received reports from more than 400 sites affected by a piece of self-propagating malicious code (referred to here as the sadmind/IIS worm).
   This worm uses two well-known vulnerabilities to compromise Solaris systems and deface web pages running on IIS servers. Reports indicate more than 500 Solaris machines have been compromised by the sadmind/IIS worm and more than 6000 IIS servers have been defaced. Sites running either Solaris or IIS are strongly encouraged to review CA-2001-11, and those running IIS should review the advisories listed below in the "Other Recent IIS Security Issues" section as well.

          CERT Advisory CA-2001-11: sadmind/IIS Worm
          http://www.cert.org/advisories/CA-2001-11.html

   2. Other Recent IIS Security Issues

   The CERT/CC has recently published information on two new vulnerabilities in IIS. Given the current level of exploitation of IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly encourages sites to review the following advisories and take appropriate steps to protect IIS servers.

     + Superfluous Decoding Vulnerability in IIS

       A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. This vulnerability closely resembles a previous vulnerability in IIS that was widely exploited. The CERT/CC urges IIS administrators to take action to correct this vulnerability.

          CERT Advisory CA-2001-12: Superfluous Decoding Vulnerability in IIS
          http://www.cert.org/advisories/CA-2001-12.html

     + Buffer Overflow Vulnerability in Microsoft IIS 5.0

       A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine. A proof-of-concept exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply the patch.
          CERT Advisory CA-2001-10: Buffer Overflow Vulnerability in Microsoft IIS 5.0
          http://www.cert.org/advisories/CA-2001-10.html

   Additional advice on securing IIS web servers is available from:

          Microsoft Technet Security Tools
          http://www.microsoft.com/technet/security/tools.asp

   3. Exploitation of snmpXdmid

   The CERT/CC has received dozens of reports indicating that a vulnerability in snmpXdmid is being actively exploited. Exploitation of this vulnerability allows an intruder to gain privileged (root) access to the system.

          CERT Advisory CA-2001-05: Exploitation of snmpXdmid
          http://www.cert.org/advisories/CA-2001-05.html

   4. Exploitation of BIND Vulnerabilities

   On January 29, 2001, the CERT/CC published CERT Advisory CA-2001-02, detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are still being actively exploited by the intruder community to compromise systems.

          CERT Incident Note IN-2001-03: Exploitation of BIND Vulnerabilities
          http://www.cert.org/incident_notes/IN-2001-03.html

          CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND
          http://www.cert.org/advisories/CA-2001-02.html

   5. The "cheese" Worm

   The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the "cheese" worm which may contribute to this pattern.

          CERT Incident Note IN-2001-05: The "cheese" Worm
          http://www.cert.org/incident_notes/IN-2001-05.html

   6. Increase in Reconnaissance Activity

   Over the past several weeks, the CERT/CC has observed a significant increase in network reconnaissance activity. While some of this traffic may be attributed to the sadmind/IIS worm or the "cheese" worm, reports indicate active scanning for known vulnerabilities in other network services as well. In addition, we have seen a significant increase in the number of generalized port scans of hosts.
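   The log monitoring this item recommends can be reduced to a small triage script. The example below is added here for illustration and is not CERT/CC or AusCERT code: it reads constructed firewall DROP lines in an assumed iptables-style format and flags the two scan patterns named in item 6 (one source walking many ports on one host, and one source trying the same port across many hosts), plus probes to TCP port 10008, the "cheese" worm pattern from item 5. The addresses, log format and thresholds are all assumptions.

```python
"""Reconnaissance triage over firewall DROP logs.

Added example (not CERT/CC or AusCERT code): flags the scan patterns named in
item 6 of CS-2001-02 (vertical port scans of a single host and sweeps of one
service across many hosts) and probes to TCP port 10008, the "cheese" worm
pattern from item 5. The log format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style format (assumed, not from the bulletin).
# 192.0.2.10 walks six ports on one host; 192.0.2.20 probes TCP/10008 on five
# hosts; 192.0.2.30 is a single dropped connection and should not be flagged.
SAMPLE_LOG = """\
May 29 10:00:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=21
May 29 10:00:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
May 29 10:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
May 29 10:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
May 29 10:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=111
May 29 10:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=515
May 29 10:01:10 fw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.1 PROTO=TCP DPT=10008
May 29 10:01:10 fw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.2 PROTO=TCP DPT=10008
May 29 10:01:11 fw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.3 PROTO=TCP DPT=10008
May 29 10:01:11 fw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.4 PROTO=TCP DPT=10008
May 29 10:01:12 fw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP DPT=10008
May 29 10:02:00 fw kernel: DROP IN=eth0 SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=80
"""

FIELDS_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

PORT_SCAN_THRESHOLD = 5   # distinct ports tried on one destination host
SWEEP_THRESHOLD = 4       # distinct destination hosts tried on one port
WATCH_PORTS = {10008}     # TCP/10008 probes: "cheese" worm pattern (item 5)


def parse(log_text):
    """Return (src, dst, proto, dport) tuples for each DROP line that parses."""
    events = []
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue
        m = FIELDS_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"),
                           m.group("proto"), int(m.group("dpt"))))
    return events


def triage(events):
    """Return {source: [finding, ...]} for sources that show a scan pattern."""
    ports_per_target = defaultdict(set)    # (src, dst) -> ports tried
    hosts_per_service = defaultdict(set)   # (src, proto, dport) -> hosts tried
    for src, dst, proto, dport in events:
        ports_per_target[(src, dst)].add(dport)
        hosts_per_service[(src, proto, dport)].add(dst)

    findings = defaultdict(list)
    for (src, dst), ports in sorted(ports_per_target.items()):
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings[src].append(f"port scan: {len(ports)} ports on {dst}")
    for (src, proto, dport), hosts in sorted(hosts_per_service.items()):
        if len(hosts) >= SWEEP_THRESHOLD:
            findings[src].append(f"sweep: {proto}/{dport} on {len(hosts)} hosts")
        if proto == "TCP" and dport in WATCH_PORTS:
            findings[src].append(f"watch port: {proto}/{dport} probed (cheese worm pattern)")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in triage(parse(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

   The thresholds are deliberately low so the constructed sample trips them; on a real perimeter they should be tuned against a baseline of the site's normal dropped traffic, and the watch-port set extended with whatever services the site has no business seeing probed.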
   In order to minimize exposure to this activity, the CERT/CC recommends that sites review and apply vendor-supplied security patches, disable non-critical network services, and actively monitor system and network logs for unusual activity.

   7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

   A new vulnerability has been identified which is present when using random increments to constantly increase TCP ISN values over time. Systems are vulnerable if they have not incorporated RFC 1948 or equivalent improvements, or do not use cryptographically secure network protocols like IPsec.

          CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers
          http://www.cert.org/advisories/CA-2001-09.html
_________________________________________________________________

Collaboration between the CERT Coordination Center and the Internet Security Alliance

   Using its standard process for collaborating with industry organizations, the CERT/CC, as part of the SEI, has entered into an agreement with the Electronic Industries Alliance, a not-for-profit organization in Virginia, to support the activity of the Internet Security Alliance (ISA). ISA is a member organization that is focused on the overall improvement of Internet security.
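   Returning to item 7 above: the difference between the random-increment scheme and the RFC 1948 fix is easiest to see in code. The example below is added for illustration and is not CERT/CC code or any operating system's TCP implementation. It implements the RFC 1948 construction ISN = M + F(localhost, localport, remotehost, remoteport, secret) with SHA-256 standing in for the MD5 the RFC suggested, puts a single global counter advanced by random steps beside it, and measures how wide a window a burst of ISNs handed to different peers falls into under each scheme. The endpoints, the secret and the step bound are assumptions.

```python
"""RFC 1948 style ISN generation beside the random-increment scheme CA-2001-09
describes as statistically weak.

Added example for illustration: the functions, the secret handling and the
sample endpoints are assumptions, not CERT/CC code or any operating system's
TCP implementation.
"""
import hashlib
import random

TWO32 = 1 << 32


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, clock_4us, secret):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret) mod 2^32.

    M is the 4-microsecond clock from RFC 793, so ISNs for one connection still
    advance with time; F is a keyed one-way hash of the 4-tuple (RFC 1948
    suggested MD5; SHA-256 truncated to 32 bits is used here). A peer can learn
    its own F by watching its own connections, but that value says nothing
    about F for any other 4-tuple.
    """
    msg = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode() + secret
    f = int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")
    return (clock_4us + f) % TWO32


class RandomIncrementISN:
    """One global counter advanced by a random step per connection, for every
    peer alike: the scheme item 7 refers to as statistically weak."""

    def __init__(self, seed, max_step=64_000):
        self._rng = random.Random(seed)   # seeded only to keep the example reproducible
        self._counter = self._rng.randrange(TWO32)
        self._max_step = max_step

    def next_isn(self):
        self._counter = (self._counter + self._rng.randrange(1, self._max_step)) % TWO32
        return self._counter


def max_pairwise_distance(isns):
    """Largest circular distance (mod 2^32) between any two ISNs in a sample.

    A small value means every ISN handed out in that burst lies in one narrow
    window, regardless of which peer received it.
    """
    best = 0
    for i, a in enumerate(isns):
        for b in isns[i + 1:]:
            d = (a - b) % TWO32
            best = max(best, min(d, TWO32 - d))
    return best


def compare_schemes(peers, clock_4us, secret, seed=1):
    """Issue one ISN per peer at the same instant under both schemes and return
    the window each scheme's ISNs fall into."""
    hashed = [rfc1948_isn("198.51.100.5", 80, ip, port, clock_4us, secret)
              for ip, port in peers]
    gen = RandomIncrementISN(seed)
    counted = [gen.next_isn() for _ in peers]
    return {"rfc1948": max_pairwise_distance(hashed),
            "random_increment": max_pairwise_distance(counted)}


if __name__ == "__main__":
    # Constructed peers and secret; a real stack draws the secret once at boot.
    peers = [(f"192.0.2.{i}", 40000 + i) for i in range(1, 9)]
    print(compare_schemes(peers, 123456, b"constructed-boot-secret"))
```

   With eight peers and steps below 64 000, every ISN the counter scheme issues in that burst lies within a window of at most 7 * 64 000 values, whatever the peer; the hashed scheme spreads the same burst across the full 32-bit space while still advancing each individual connection's ISN by exactly the clock delta, which is the property TCP relies on to reject old duplicates.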
          Internet Security Alliance
          http://www.isalliance.org

          Frequently Asked Questions (FAQ) about the collaboration between CERT Coordination Center and the Internet Security Alliance
          http://www.cert.org/faq/certcc_ISA.html
_________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated

     * Advisories
       http://www.cert.org/advisories/
     * Incident Notes
       http://www.cert.org/incident_notes/
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Annual Reports
       http://www.cert.org/annual_rpts/
______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2001-02.html
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright ©2001 Carnegie Mellon University.

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI
0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx
ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ
Lv+z0JyeV/M=
=I/U5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOxT5wyh9+71yA2DNAQElowP/bcSN+4/lvmHlunicsbCajg93D9RnwfOm
O6cKOVySnkSJUTMAhUh2fERKaN52ODRIa6W18ztlwjYYGZTG8sL8PdOc0mwCkfiG
HxFlpJhu87HPY2K3VLyO22jmPa/MPP5StMqZBQ8BZ+L7WDt35ZYlWq7+MWX3esHQ
35A5/1Eofqw=
=NAuD
-----END PGP SIGNATURE-----