CERT Quarterly Summary for May, 2001. Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms, and active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders.
4a4c69c74f9f9dfbf99e62d106c6b336a191d5792a093ca4b01aa1079a25f3c2
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2001-02
May 29, 2001
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in February
2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and
active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by
intruders
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. sadmind/IIS Worm
The CERT/CC has received reports from more than 400 sites affected
by a piece of self-propagating malicious code (referred to here as
the sadmind/IIS worm). This worm uses two well-known
vulnerabilities to compromise Solaris systems and deface web pages
running on IIS servers. Reports indicate more than 500 Solaris
machines have been compromised by the sadmind/IIS worm and more
than 6000 IIS servers have been defaced. Sites running either
Solaris or IIS are strongly encouraged to review CA-2001-11 and
those running IIS should review the advisories listed below in the
"Other Recent IIS Security Issues" section as well.
CERT Advisory CA-2001-11: sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html
2. Other Recent IIS Security Issues
The CERT/CC has recently published information on two new
vulnerabilities in IIS. Given the current level of exploitation of
IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly
encourages sites to review the following advisories and take
appropriate steps to protect IIS servers.
+ Superfluous Decoding Vulnerability in IIS
A serious vulnerability in Microsoft IIS may allow remote
intruders to execute commands on an IIS web server. This
vulnerability closely resembles a previous vulnerability in
IIS that was widely exploited. The CERT/CC urges IIS
administrators to take action to correct this vulnerability.
CERT Advisory CA-2001-12: Superfluous Decoding
Vulnerability in IIS
http://www.cert.org/advisories/CA-2001-12.html
+ Buffer Overflow Vulnerability in Microsoft IIS 5.0
A vulnerability exists in Microsoft IIS 5.0 running on
Windows 2000 that allows a remote intruder to run arbitrary
code on the victim machine, allowing them to gain complete
administrative control of the machine. A proof-of-concept
exploit is publicly available for this vulnerability, which
increases the urgency that system administrators apply the
patch.
CERT Advisory CA-2001-10: Buffer Overflow
Vulnerability in Microsoft IIS 5.0
http://www.cert.org/advisories/CA-2001-10.html
Additional advice on securing IIS web servers is available from:
Microsoft Technet Security Tools
http://www.microsoft.com/technet/security/tools.asp
3. Exploitation of snmpXdmid
The CERT/CC has received dozens of reports indicating that a
vulnerability in snmpXdmid is being actively exploited.
Exploitation of this vulnerability allows an intruder to gain
privileged (root) access to the system.
CERT Advisory CA-2001-05: Exploitation of snmpXdmid
http://www.cert.org/advisories/CA-2001-05.html
4. Exploitation of BIND Vulnerabilities
On January 29, 2001, the CERT/CC published CERT Advisory
CA-2001-02, detailing multiple vulnerabilities in multiple
versions of ISC BIND nameserver software. Two of the
vulnerabilities described in the advisory are still being actively
exploited by the intruder community to compromise systems.
CERT Incident Note IN-2001-03: Exploitation of BIND
Vulnerabilities
http://www.cert.org/incident_notes/IN-2001-03.html
CERT Advisory CA-2001-02: Multiple Vulnerabilities in
BIND
http://www.cert.org/advisories/CA-2001-02.html
5. The "cheese" Worm
The CERT/CC has observed in public and private reports a recent
pattern of activity surrounding probes to TCP port 10008. We have
obtained an artifact called the "cheese" worm which may contribute
to this pattern.
CERT Incident Note IN-2001-05: The "cheese" Worm
http://www.cert.org/incident_notes/IN-2001-05.html
6. Increase in Reconnaissance Activity
Over the past several weeks, the CERT/CC has observed a
significant increase in network reconnaissance activity. While
some of this traffic may be attributed to the sadmind/IIS worm or
the "cheese" worm, reports indicate active scanning for known
vulnerabilities in other network services as well. In addition, we
have seen a significant increase in the number of generalized port
scans of hosts.
In order to minimize exposure to this activity, the CERT/CC
recommends that sites review and apply vendor-supplied security
patches, disable non-critical network services, and actively
monitor system and network logs for unusual activity.
7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers
A new vulnerability has been identified which is present when
using random increments to constantly increase TCP ISN values over
time. Systems are vulnerable if they have not incorporated RFC
1948 or equivalent improvements, or do not use cryptographically
secure network protocols like IPsec.
CERT Advisory CA-2001-09: Statistical Weaknesses in
TCP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html
_________________________________________________________________
Collaboration between the CERT Coordination Center and the Internet Security
Alliance
Using its standard process for collaborating with industry
organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet
Security Alliance (ISA). ISA is a member organization that is focused
on the overall improvement of Internet security.
Internet Security Alliance
http://www.isalliance.org
Frequently Asked Questions (FAQ) about the collaboration
between CERT Coordination Center and the Internet Security
Alliance
http://www.cert.org/faq/certcc_ISA.html
_________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Incident Notes
http://www.cert.org/incident_notes/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Annual Reports
http://www.cert.org/annual_rpts/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2001-02.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright ©2001 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI
0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx
ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ
Lv+z0JyeV/M=
=I/U5
-----END PGP SIGNATURE-----