From: ers@ers.ibm.com
Sent: Wednesday, May 31, 2000 10:44 PM
To: client-first_usa@ers.ibm.com
Subject: IBM-ERS Outside Advisory Redistribution: Carnegie Mellon University CS-2000-02: CERT Summary

-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

IBM EMERGENCY RESPONSE SERVICE
OUTSIDE ADVISORY REDISTRIBUTION

01 June 2000 02:00 GMT                          Number: ERS-OAR-E01-2000:105.1
===============================================================================

The ERS Outside Advisory Redistribution is designed to provide customers of the IBM Emergency Response Service with access to the security advisories sent out by other computer security incident response teams, vendors, and other groups concerned about security. IBM makes no representations and assumes no responsibility for the contents or accuracy of the advisories themselves.

ERS is forwarding the following information from Carnegie Mellon University. Contact information for Carnegie Mellon University is included in the forwarded text below; please contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

CERT Summary CS-2000-02

May 31, 2000

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Past CERT summaries are available from

       http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in February (CS-2000-01), we have published information on buffer overflows in Kerberos authenticated services, improper validation of SSL sessions in Netscape Navigator, the Love Letter Worm, denial-of-service attacks using nameservers, and the exploitation of unprotected Windows shares. We also continue to receive a large number of reports of machines compromised by exploiting vulnerabilities in BIND.

1. Multiple Vulnerabilities in BIND

   We continue to receive daily reports of systems being root compromised via one of the vulnerabilities in BIND. The "NXT bug" described in advisory CA-99-14 is being exploited to gain root access to systems running vulnerable versions of BIND. This activity has been ongoing and constant since late last year. Sites are strongly encouraged to follow the advice contained in CA-99-14 and CA-2000-03 to protect systems running BIND nameservers.

       CERT Advisory CA-2000-03
       Continuing Compromises of DNS servers
       http://www.cert.org/advisories/CA-2000-03.html

       CERT Advisory CA-99-14
       Multiple Vulnerabilities in BIND
       http://www.cert.org/advisories/CA-99-14-bind.html

2. Multiple Buffer Overflows in Kerberos Authenticated Services

   There are several buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Center (KDC) system, the entire Kerberos domain may be compromised. For more details and vendor information, see

       CERT Advisory CA-2000-06
       Multiple Buffer Overflows in Kerberos Authenticated Services
       http://www.cert.org/advisories/CA-2000-06.html

3. Netscape Navigator Improperly Validates SSL Sessions

   The ACROS Security Team of Slovenia recently discovered a flaw in the way Netscape Navigator validates SSL sessions. Attackers can trick users into disclosing information intended for a legitimate web site, even if that web site uses SSL to authenticate and secure transactions.

       CERT Advisory CA-2000-05
       Netscape Navigator Improperly Validates SSL Sessions
       http://www.cert.org/advisories/CA-2000-05.html

4. Love Letter Worm

   The "Love Letter" worm is a malicious VBScript program which spreads in a variety of ways. As of 5:00 pm EDT (GMT-4) on May 8, 2000, the CERT/CC had received reports from more than 650 individual sites indicating more than 500,000 individual systems were affected. In addition, we had several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm. Despite several variations being found in the wild, reports indicate that activity related to the Love Letter worm has subsided. Information about the worm can be found in

       CERT Advisory CA-2000-04
       Love Letter Worm
       http://www.cert.org/advisories/CA-2000-04.html

5. Denial-of-Service Attacks Using Nameservers

   We have received a number of reports of intruders using nameservers to execute packet flooding denial-of-service attacks, which are described in a CERT incident note:

       CERT Incident Note IN-2000-04
       Denial of Service Attacks Using Nameservers
       http://www.cert.org/incident_notes/IN-2000-04.html

6. Exploitation of Unprotected Windows Shares

   Intruders are actively exploiting Windows networking shares that are made available for remote connections across the Internet. This is not a new problem, but the potential impact on the overall security of the Internet is increasing. Unprotected Windows shares allow worms like network.vbs (IN-2000-02) or the 911 Worm (IN-2000-03) to spread.
   Exploitation may also lead to the installation of Windows-based DDoS agents (IN-2000-01). Here are the URLs for information on these problems.

       CERT Incident Note IN-2000-03
       911 Worm
       http://www.cert.org/incident_notes/IN-2000-03.html

       CERT Incident Note IN-2000-02
       Exploitation of Unprotected Windows Shares
       http://www.cert.org/incident_notes/IN-2000-02.html

       CERT Incident Note IN-2000-01
       Windows Based DDoS Agents
       http://www.cert.org/incident_notes/IN-2000-01.html

______________________________________________________________________

New Windows Security Tech Tips

The CERT/CC and AusCERT (Australian Computer Emergency Response Team) jointly published the following tech tips addressing security issues related to Microsoft Windows-based systems. These documents provide a broad range of information about Windows 95, Windows 98, and Windows NT security. Some of this information applies to UNIX systems as well.

       Windows 95/98 Computer Security Information
       http://www.cert.org/tech_tips/win-95-info.html

       Windows NT Configuration Guidelines
       http://www.cert.org/tech_tips/win_configuration_guidelines.html

       Windows NT Security and Configuration Resources
       http://www.cert.org/tech_tips/win-resources.html

       Windows NT Intruder Detection Checklist
       http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

       Steps for Recovering from a UNIX or NT System Compromise
       http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

______________________________________________________________________

"CERT/CC Channel"

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC. It is available from

       http://www.cert.org/channels/

______________________________________________________________________

"CERT/CC Current Activity" Web Page

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC. It is available from

       http://www.cert.org/current/current_activity.html

The information on the Current Activity page is reviewed and updated as reporting trends change.

______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have published new and updated

       * Advisories
       * Incident notes
       * Tech tips/FAQs
       * CERT/CC statistics
       * Infosec Outlook newsletter
       * Announcement of CERT Conference 2000
       * Copies of Congressional testimony by our staff
       * Security improvement implementations

There are descriptions of these documents and links to them on our "What's New" web page at

       http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:

       http://www.cert.org/summaries/CS-2000-02.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
       CERT Coordination Center
       Software Engineering Institute
       Carnegie Mellon University
       Pittsburgh PA 15213-3890
       U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

       http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site

       http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s).

As a part of IBM's Business Continuity and Recovery Service, IBM's Emergency Response Service is a component of the IBM Global Services Privacy and Security Services suite of offerings.

To find out more about the IBM Emergency Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or call 1-800-426-7378.

ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items.

ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

-----END PGP SIGNATURE-----