<<< Date Index >>>     <<< Thread Index >>>

CERT Summary CS-2003-04



-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2003-04

   November 24, 2003

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since  the  last regularly scheduled CERT summary, issued in September
   2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
   Windows Workstation Service, RPCSS Service, and Exchange. We have also
   documented  vulnerabilities  in  various  SSL/TLS  implementations,  a
   buffer overflow in Sendmail, and a buffer management error in OpenSSH.
   We  have  received  reports  of  W32/Swen.A,  W32/Mimail variants, and
   exploitation  of an Internet Explorer vulnerability reported in August
   of 2003.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html


    1. W32/Mimail Variants

       The  CERT/CC  has  received reports of several new variants of the
       'Mimail'  worm. The most recent variant of the worm (W32/Mimail.J)
       arrives  as  an  email  message  alleging  to  be  from the Paypal
       financial   service.  The  message  requests  that  the  recipient
       'verify'  their  account  information to prevent the suspension of
       their  Paypal account. Attached to the email is an executable file
       which  captures  this  information (if entered), and sends it to a
       number of email addresses.

                Current Activity - November 19, 2003
                
http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili


    2. Buffer Overflow in Windows Workstation Service

       A  buffer  overflow  vulnerability  exists  in Microsoft's Windows
       Workstation  Service  (WKSSVC.DLL) allowing an attacker to execute
       arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-28
                Buffer Overflow in Windows Workstation Service
                http://www.cert.org/advisories/CA-2003-28.html

                Vulnerability Note VU#567620
                Microsoft Windows Workstation service vulnerable to 
                buffer overflow when sent specially crafted network
                message
                http://www.kb.cert.org/vuls/id/567620


    3. Multiple Vulnerabilities in Microsoft Windows and Exchange

       Multiple  vulnerabilities exist in Microsoft Windows and Microsoft
       Exchange,  the  most serious of which could allow remote attackers
       to execute arbitrary code.

                CERT Advisory CA-2003-27
                Multiple Vulnerabilities in Microsoft Windows and 
                Exchange
                http://www.cert.org/advisories/CA-2003-27.html

                Vulnerability Note VU#575892
                Buffer overflow in Microsoft Windows Messenger Service
                http://www.kb.cert.org/vuls/id/575892

                Vulnerability Note VU#422156
                Microsoft Exchange Server fails to properly handle
                specially crafted SMTP extended verb requests
                http://www.kb.cert.org/vuls/id/422156

                Vulnerability Note VU#467036
                Microsoft Windows Help and support Center contains buffer
                overflow in code used to handle HCP protocol
                http://www.kb.cert.org/vuls/id/467036

                Vulnerability Note VU#989932
                Microsoft Windows contains buffer overflow in Local 
                Troubleshooter ActiveX control (Tshoot.ocx)
                http://www.kb.cert.org/vuls/id/989932

                Vulnerability Note VU#838572
                Microsoft Windows Authenticode mechanism installs ActiveX
                controls without prompting user
                http://www.kb.cert.org/vuls/id/838572

                Vulnerability Note VU#435444
                Microsoft Outlook Web Access (OWA) contains cross-site
                scripting vulnerability in the "Compose New Message" form
                http://www.kb.cert.org/vuls/id/435444

                Vulnerability Note VU#967668
                Microsoft Windows ListBox and ComboBox controls vulnerable
                to buffer overflow when supplied crafted Windows message
                http://www.kb.cert.org/vuls/id/967668


    4. Multiple Vulnerabilities in SSL/TLS Implementations

       Multiple  vulnerabilities  exist in the Secure Sockets Layer (SSL)
       and  Transport Layer Security (TLS) protocols allowing an attacker
       to execute arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-26
                Multiple  Vulnerabilities in SSL/TLS Implementations
                http://www.cert.org/advisories/CA-2003-26.html

                Vulnerability Note VU#935264
                OpenSSL ASN.1 parser insecure memory deallocation
                http://www.kb.cert.org/vuls/id/935264

                Vulnerability Note VU#255484
                OpenSSL contains integer overflow handling ASN.1 tags (1)
                http://www.kb.cert.org/vuls/id/255484

                Vulnerability Note VU#380864
                OpenSSL contains integer overflow handling ASN.1 tags (2)
                http://www.kb.cert.org/vuls/id/380864

                Vulnerability Note VU#686224
                OpenSSL does not securely handle invalid public key when
                configured to ignore errors
                http://www.kb.cert.org/vuls/id/686224

                Vulnerability Note VU#732952
                OpenSSL accepts unsolicited client certificate messages
                http://www.kb.cert.org/vuls/id/732952

                Vulnerability Note VU#104280
                Multiple vulnerabilities in SSL/TLS implementations
                http://www.kb.cert.org/vuls/id/104280

                Vulnerability Note VU#412478
                OpenSSL 0.9.6k does not properly handle ASN.1 sequences
                http://www.kb.cert.org/vuls/id/412478


    5. Exploitation of Internet Explorer Vulnerability

       The CERT/CC received a number of reports indicating that attackers
       were   actively   exploiting   the   Microsoft  Internet  Explorer
       vulnerability  described  in  VU#865940. These attacks include the
       installation  of tools for launching distributed denial-of-service
       (DDoS)   attacks,   providing   generic  proxy  services,  reading
       sensitive  information  from  the  Windows  registry,  and using a
       victim   system's  modem  to  dial  pay-per-minute  services.  The
       vulnerability  described in VU#865940 exists due to an interaction
       between  IE's  MIME  type  processing  and the way it handles HTML
       application (HTA) files embedded in OBJECT tags.

                CERT Advisory IN-2003-04
                Exploitation of Internet Explorer Vulnerability
                http://www.cert.org/incident_notes/IN-2003-04.html

                Vulnerability Note VU#865940
                Microsoft Internet Explorer does not properly evaluate
                "application/hta" MIME type referenced by DATA attribute
                of OBJECT element
                http://www.kb.cert.org/vuls/id/865940


    6. W32/Swen.A Worm

       On  September  19,  the  CERT/CC began receiving a large volume of
       reports  of  a  mass  mailing  worm,  referred  to  as W32/Swen.A,
       spreading on the Internet. Similar to W32/Gibe.B in function, this
       worm  arrives as an attachment claiming to be a Microsoft Internet
       Explorer  Update  or  a  delivery  failure  notice from qmail. The
       W32/Swen.A  worm  requires a user to execute the attachment either
       manually or by using an email client that will open the attachment
       automatically.  Upon  opening the attachment, the worm attempts to
       mail  itself  to  all  email addresses it finds on the system. The
       CERT/CC  updated  the  current  activity  page  to contain further
       information on this worm.

                Current Activity - September 19, 2003
                
http://www.cert.org/current/archive/2003/09/19/archive.html#swena


    7. Buffer Overflow in Sendmail

       Sendmail,  a widely deployed mail transfer agent (MTA), contains a
       vulnerability  that  could  allow an attacker to execute arbitrary
       code with the privileges of the sendmail daemon, typically root.

                CERT Advisory CA-2003-25
                Buffer Overflow in Sendmail
                http://www.cert.org/advisories/CA-2003-25.html

                Vulnerability Note VU#784980
                Sendmail prescan() buffer overflow vulnerability
                http://www.kb.cert.org/vuls/id/784980


    8. Buffer Management Vulnerability in OpenSSH

       A remotely exploitable vulnerability exists in a buffer management
       function in versions of OpenSSH prior to 3.7.1. This vulnerability
       could enable an attacker to cause a denial-of-service condition.

                CERT Advisory CA-2003-24
                Buffer Management Vulnerability in OpenSSH
                http://www.cert.org/advisories/CA-2003-24.html

                Vulnerability Note VU#333628
                OpenSSH contains buffer management errors
                http://www.kb.cert.org/vuls/id/333628


    9. RPCSS Vulnerabilities in Microsoft Windows

       On  September  10,  the  CERT/CC reported on three vulnerabilities
       that  affect  numerous versions of Microsoft Windows, two of which
       are  remotely  exploitable  buffer  overflows that may an allow an
       attacker to execute code with system privileges.

                CERT Advisory CA-2003-23
                RPCSS Vulnerabilities in Microsoft Windows
                http://www.cert.org/advisories/CA-2003-23.html

                Vulnerability Note VU#483492
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM activation routines
                http://www.kb.cert.org/vuls/id/483492

                Vulnerability Note VU#254236
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM request filename handling
                http://www.kb.cert.org/vuls/id/254236

                Vulnerability Note VU#326746
                Microsoft Windows RPC service vulnerable to 
                denial of service
                http://www.kb.cert.org/vuls/id/326746
   ______________________________________________________________________

New CERT Coordination Center (CERT/CC) PGP Key

   On  October 15, the CERT/CC issued a new PGP key, which should be used
   when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc

          Sending Sensitive Information to the CERT/CC
          https://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
       http://www.cert.org/advisories/
     * Vulnerability Notes
       http://www.kb.cert.org/vuls
     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html
     * Congressional Testimony
       http://www.cert.org/congressional_testimony
     * Training Schedule
       http://www.cert.org/training/
     * CSIRT Development
       http://www.cert.org/csirts/
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2003-04.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@xxxxxxxxx Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright ©2003 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP8JVOZZ2NNT/dVAVAQGL9wP+I18NJBUBuv7b0pam5La7E7qOQFMn5n78
7i0gBX/dKgaY5siM6jBYYwCbbA7Y0/Jwtby2zHp1s8RHZY5/3JEzElfv4TLlR8rT
rb8gJDbpan2JWA6xH9IzqZaSrxrXpNypwU2wWxR2osmbYl8FdV0rD3ZYXJjyi+nU
UENALuNdthA=
=DD60
-----END PGP SIGNATURE-----