-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2002-04

   November 26, 2002

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since the last regularly scheduled CERT summary, issued in August 2002
   (CS-2002-03),   we   have   seen   trojan  horses  for  three  popular
   distributions,  new  self-propagating malicious code (Apache/mod_ssl),
   and  multiple  vulnerabilities  in BIND. In addition, we have issued a
   new PGP Key.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html


    1. Apache/mod_ssl Worm

       Over  the  past  several  months,  we  have  received reports of a
       self-propagating  malicious  code  that  exploits  a vulnerability
       (VU#102795)  in  OpenSSL. Reports received by the CERT/CC indicate
       that  the  Apache/mod_ssl  worm  has already infected thousands of
       systems.  Over  a  month  earlier,  the CERT/CC issued an advisory
       (CA-2002-23) describing four remotely exploitable buffer overflows
       in OpenSSL.

    CERT Advisory CA-2002-27
    Apache/mod_ssl Worm
    http://www.cert.org/advisories/CA-2002-27.html

    CERT Advisory CA-2002-23
    Multiple Vulnerabilities in OpenSSL
    http://www.cert.org/advisories/CA-2002-23.html

    Vulnerability Note #102795
    OpenSSL  servers contain a buffer overflow during the 
    SSL2 handshake process
    http://www.kb.cert.org/vuls/id/102795


    2. Trojan Horse Sendmail Distribution

       The  CERT/CC  has  received  confirmation  that some copies of the
       source  code  for  the  Sendmail  package have been modified by an
       intruder  to  contain a Trojan horse. These copies began to appear
       in  downloads  from  the  FTP server ftp.sendmail.org on or around
       September  28,  2002.  On  October  8, 2002, the CERT/CC issued an
       advisory   (CA-2002-28)   describing  various  methods  to  verify
       software authenticity.

    CERT Advisory CA-2002-28
    Trojan Horse Sendmail Distribution
    http://www.cert.org/advisories/CA-2002-28.html


    3. Trojan Horse tcpdump and libpcap Distributions

       The  CERT/CC  has  received reports that some copies of the source
       code  for  libpcap,  a  packet acquisition library, and tcpdump, a
       network  sniffer,  have been modified by an intruder and contain a
       Trojan  horse.  These  modified  distributions  began to appear in
       downloads  from  the  HTTP server www.tcpdump.org on or around Nov
       11,  2002. The CERT/CC issued an advisory (CA-2002-30) listing MD5
       checksums and official distribution sites for libpcap and tcpdump.

    CERT Advisory CA-2002-30
    Trojan Horse tcpdump and libpcap Distributions
    http://www.cert.org/advisories/CA-2002-30.html


    4. Multiple Vulnerabilities in BIND

       The  CERT/CC  has documented multiple vulnerabilities in BIND, the
       popular  domain  name  server  and client library software package
       from  the  Internet  Software  Consortium  (ISC).  Some  of  these
       vulnerabilities  may  allow a remote intruder to execute arbitrary
       code  with  privileges  of  the  the user running named (typically
       root).  Several  vulnerabilities  are  referenced in the advisory;
       they are listed here individually.

    CERT Advisory CA-2002-31
    Multiple Vulnerabilities in BIND
    http://www.cert.org/advisories/CA-2002-31.html

    Vulnerability Note #852283
    Cached malformed SIG record buffer overflow
    http://www.kb.cert.org/vuls/id/852283

    Vulnerability Note #229595
    Overly large OPT record assertion
    http://www.kb.cert.org/vuls/id/229595

    Vulnerability Note #581682
    ISC Bind 8 fails to properly dereference cache SIG RR 
    elements invalid expiry times from the internal database
    http://www.kb.cert.org/vuls/id/581682

    Vulnerability Note #844360
    Domain Name System (DNS) stub resolver libraries  
    vulnerable to buffer overflows via network name or 
    address lookups
    http://www.kb.cert.org/vuls/id/844360

    5. Heap  Overflow  Vulnerability  in Microsoft Data Access Components
       (MDAC)

       On  November  21, 2002 the CERT/CC issued an advisory (CA-2002-33)
       describing  a  vulnerability  in  MDAC,  a collection of Microsoft
       utilities and routines that process requests between databases and
       network applications.

         CERT Advisory CA-2002-33
         Heap Overflow Vulnerability in Microsoft Data Access 
         Components (MDAC)
         http://www.cert.org/advisories/CA-2002-33.html
   ______________________________________________________________________

New CERT/CC PGP Key

   On  September  19,  the  CERT/CC issued a new PGP key, which should be
   used when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc
          Sending Sensitive Information To The CERT/CC

          http://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
       http://www.cert.org/advisories/
     * Congressional Testimony
       http://www.cert.org/congressional_testimony/
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Home User Security
       http://www.cert.org/homeusers/HomeComputerSecurity
     * Tech Tips
       http://www.cert.org/tech_tips/
     * Training Schedule
       http:/www.cert.org/training/
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2002-04.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright ©2002 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPePMQWjtSoHZUTs5AQGdxwP9HK4mSF15bMQ9MZ4mMFcLIhvdXykANg8A
6nEIAyB8CJpbuWdP7sPh3qAwaZ9BhRFEGeLakONOpoo7bmjkwAWrJHxF3b1CrgHS
ZuKQsgEhnm9wpPdU6w6SG1cJBkwz70b8d7YK0vcVuKhmaW0JOx9OLGKsAe3SFePD
OiZbNHX+eb8=
=Mnbn
-----END PGP SIGNATURE-----