CERT Quarterly Summary for February, 2001 - Since the last regularly scheduled CERT summary, issued in November 2000, bugs in BIND TSIG and LPRng have began to be used on a large scale, while rpc.statd and FTPD continue to be exploited. A new Vulnerability Notes database has been started.
fe50242a328ecc66210ff9c70c8c7c8235963c7b3c118a3f1dbf25678c5876c5
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2001-01
February 28, 2001
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in November
2000 (CS-2000-04), we have seen continued compromises via well-known
vulnerabilities in rpc.statd and FTPD, as well as exploitations of
recently discovered vulnerabilities in BIND and LPRng. Notable virus
activity includes W32/Hybris and VBS/OnTheFly (Anna Kournakova).
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. Multiple Vulnerabilities in BIND
The CERT/CC has learned of four vulnerabilities spanning multiple
versions of the Internet Software Consortium's (ISC) Berkeley
Internet Name Domain (BIND) server. BIND is an implementation of
the Domain Name System (DNS) that is maintained by the ISC.
Because the majority of name servers in operation today run BIND,
these vulnerabilities present a serious threat to the Internet
infrastructure. The CERT/CC has begun receiving reports of these
vulnerabilities being successfully exploited. Sites are encouraged
to follow the advice in CA-2001-02 to protect systems.
CERT Advisory CA-2001-01 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html
2. Compromises Via Ramen Toolkit
The CERT/CC has received reports from sites that have recovered an
intruder toolkit called 'ramen' from compromised hosts. Ramen has
been discussed in several public forums and the toolkit is
publicly available. Ramen exploits known vulnerabilities in FTPD,
rpc.statd, and LPRng; and it contains a mechanism to
self-propagate. Over the past several months we have received
multiple daily reports of sites being root compromised by the
Ramen toolkit. Sites, especially those running Linux, are
encouraged to review the following document:
CERT Incident Note IN-2001-01, Widespread Compromises via
"ramen" Toolkit
http://www.cert.org/incident_notes/IN-2001-01.html
3. Input Validation Problems in LPRng
A popular replacement software package to the BSD lpd printing
service called LPRng contains at least one software defect, known
as a "format string vulnerability," which may allow remote users
to execute arbitrary code on vulnerable systems. Sites are
encouraged to follow the advice in CA-2000-22 to protect systems.
CERT Advisory CA-2000-22 Input Validation Problems in
LPRng
http://www.cert.org/advisories/CA-2000-22.html
4. VBS/OnTheFly (Anna Kournikova) Malicious Code
The "VBS/OnTheFly" malicious code is a VBScript program that, when
executed, sends a copy of itself as an email file attachment.
On February 12, the CERT Coordination Center received a large
number of reports from sites infected with VBS/OnTheFly. Several
of the sites reported suffering network degradation as a result of
mail traffic generated by VBS/OnTheFly. The CERT/CC has received
few reports since the initial outbreak.
For information on how to prevent or recover from a VBS/OnTheFly
infection, please see:
CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova)
Malicious Code
http://www.cert.org/advisories/CA-2001-03.html
______________________________________________________________________
New Vulnerability Notes Database
On December 15, 2000, the CERT/CC began publishing vulnerability notes
in a new format, and at a new location. Vulnerability notes are very
similar to advisories, but they may have less complete information and
solutions may not be available for all the vulnerabilities described
in vulnerability notes. There are currently more than 70 vulnerability
notes available in the database. We will continue publishing
vulnerability notes in accordance with our vulnerability disclosure
policy. Vulnerability notes can be found at:
The CERT Coordination Center Vulnerability Notes Database
http://www.kb.cert.org/vuls/
______________________________________________________________________
What's New and Updated
Since the last CERT summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Incident notes
http://www.cert.org/incident_notes/
* CERT/CC statistics
http://www.cert.org/stats/cert_stats.html
* Security improvement modules
http://www.cert.org/security-improvement/
Descriptions of these documents and links to them can be found on our
"What's New" page:
What's New
http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2001-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright (C) 2001 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBOp1bcQYcfu8gsZJZAQFIMQP9G2X9YFe3JOfExLMiu4sRGjCIlLwqhlnq
DdIXAAkAoaEZ9aVn6xKlSWLezmxlf8vftx+m+6kNRmHUf26VIKfARBUYXIG2bIjP
EkydQwuteDHX4ZmDLZZbm8Yg1beCSBkFrVcrn9PAOMSFn1Qs5YqESDYaBDxEGQo6
5EJRBR1nEIw=
=r/mx
-----END PGP SIGNATURE-----