From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Summary CS-2001-02
Date: Tue, 29 May 2001 16:49:21 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2001-02

   May 29, 2001

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in February
2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and active
exploitation of vulnerabilities in snmpXdmid, BIND and IIS by intruders.

For more current information on activity being reported to the CERT/CC,
please visit the CERT/CC Current Activity page. The Current Activity
page is a regularly updated summary of the most frequent, high-impact
types of security incidents and vulnerabilities being reported to the
CERT/CC. The information on the Current Activity page is reviewed and
updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. sadmind/IIS Worm

   The CERT/CC has received reports from more than 400 sites affected
   by a piece of self-propagating malicious code (referred to here as
   the sadmind/IIS worm). This worm uses two well-known vulnerabilities
   to compromise Solaris systems and deface web pages running on IIS
   servers. Reports indicate more than 500 Solaris machines have been
   compromised by the sadmind/IIS worm and more than 6000 IIS servers
   have been defaced.
   Sites running either Solaris or IIS are strongly encouraged to
   review CA-2001-11, and those running IIS should review the
   advisories listed below in the "Other Recent IIS Security Issues"
   section as well.

      CERT Advisory CA-2001-11: sadmind/IIS Worm
      http://www.cert.org/advisories/CA-2001-11.html

2. Other Recent IIS Security Issues

   The CERT/CC has recently published information on two new
   vulnerabilities in IIS. Given the current level of exploitation of
   IIS by intruders and the sadmind/IIS worm, the CERT/CC strongly
   encourages sites to review the following advisories and take
   appropriate steps to protect IIS servers.

   + Superfluous Decoding Vulnerability in IIS

     A serious vulnerability in Microsoft IIS may allow remote
     intruders to execute commands on an IIS web server. This
     vulnerability closely resembles a previous vulnerability in IIS
     that was widely exploited. The CERT/CC urges IIS administrators
     to take action to correct this vulnerability.

        CERT Advisory CA-2001-12: Superfluous Decoding Vulnerability
        in IIS
        http://www.cert.org/advisories/CA-2001-12.html

   + Buffer Overflow Vulnerability in Microsoft IIS 5.0

     A vulnerability exists in Microsoft IIS 5.0 running on Windows
     2000 that allows a remote intruder to run arbitrary code on the
     victim machine, allowing them to gain complete administrative
     control of the machine. A proof-of-concept exploit is publicly
     available for this vulnerability, which increases the urgency
     that system administrators apply the patch.

        CERT Advisory CA-2001-10: Buffer Overflow Vulnerability in
        Microsoft IIS 5.0
        http://www.cert.org/advisories/CA-2001-10.html

   Additional advice on securing IIS web servers is available from:

      Microsoft Technet Security Tools
      http://www.microsoft.com/technet/security/tools.asp

3. Exploitation of snmpXdmid

   The CERT/CC has received dozens of reports indicating that a
   vulnerability in snmpXdmid is being actively exploited.
   Exploitation of this vulnerability allows an intruder to gain
   privileged (root) access to the system.

      CERT Advisory CA-2001-05: Exploitation of snmpXdmid
      http://www.cert.org/advisories/CA-2001-05.html

4. Exploitation of BIND Vulnerabilities

   On January 29, 2001, the CERT/CC published CERT Advisory
   CA-2001-02, detailing multiple vulnerabilities in multiple versions
   of ISC BIND nameserver software. Two of the vulnerabilities
   described in the advisory are still being actively exploited by the
   intruder community to compromise systems.

      CERT Incident Note IN-2001-03: Exploitation of BIND
      Vulnerabilities
      http://www.cert.org/incident_notes/IN-2001-03.html

      CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND
      http://www.cert.org/advisories/CA-2001-02.html

5. The "cheese" Worm

   The CERT/CC has observed in public and private reports a recent
   pattern of activity surrounding probes to TCP port 10008. We have
   obtained an artifact called the "cheese" worm which may contribute
   to this pattern.

      CERT Incident Note IN-2001-05: The "cheese" Worm
      http://www.cert.org/incident_notes/IN-2001-05.html

6. Increase in Reconnaissance Activity

   Over the past several weeks, the CERT/CC has observed a significant
   increase in network reconnaissance activity. While some of this
   traffic may be attributed to the sadmind/IIS worm or the "cheese"
   worm, reports indicate active scanning for known vulnerabilities in
   other network services as well. In addition, we have seen a
   significant increase in the number of generalized port scans of
   hosts.

   In order to minimize exposure to this activity, the CERT/CC
   recommends that sites review and apply vendor-supplied security
   patches, disable non-critical network services, and actively
   monitor system and network logs for unusual activity.

7. Statistical Weaknesses in TCP/IP Initial Sequence Numbers

   A new vulnerability has been identified which is present when using
   random increments to constantly increase TCP ISN values over time.
   Systems are vulnerable if they have not incorporated RFC 1948 or
   equivalent improvements, or do not use cryptographically secure
   network protocols like IPsec.

      CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP
      Initial Sequence Numbers
      http://www.cert.org/advisories/CA-2001-09.html

_________________________________________________________________

Collaboration between the CERT Coordination Center and the Internet
Security Alliance

Using its standard process for collaborating with industry
organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet
Security Alliance (ISA). ISA is a member organization that is focused
on the overall improvement of Internet security.

   Internet Security Alliance
   http://www.isalliance.org

   Frequently Asked Questions (FAQ) about the collaboration between
   CERT Coordination Center and the Internet Security Alliance
   http://www.cert.org/faq/certcc_ISA.html

_________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * Advisories
     http://www.cert.org/advisories/

   * Incident Notes
     http://www.cert.org/incident_notes/

   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html

   * Annual Reports
     http://www.cert.org/annual_rpts/

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2001-02.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
       CERT Coordination Center
       Software Engineering Institute
       Carnegie Mellon University
       Pittsburgh PA 15213-3890
       U.S.A.
CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
  Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2001 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI
0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx
ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ
Lv+z0JyeV/M=
=I/U5
-----END PGP SIGNATURE-----
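Section 6 of the summary above recommends that sites actively monitor system and network logs for unusual activity, and notes a rise in generalized port scans of hosts. The following is an added example, not part of the CERT summary and not CERT's code, of the simplest useful check for that: a sliding-window count of how many distinct (host, port) targets each source address touches in a packet-filter log. The one-line-per-decision log format, the addresses and the timestamps are all constructed for the example; a real firewall or IDS log needs its own regex, but the detection logic does not depend on the format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example: one packet-filter decision per
# line, "<ISO timestamp> <DENY|ACCEPT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>DENY|ACCEPT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_port_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Flag sources that contact at least `min_targets` distinct (dst, dport)
    pairs within any `window` of time. Returns {src: set of (dst, dport)}.
    A normal client talks to few ports on few hosts, so it stays below the
    threshold however many packets it sends; a sweep does not."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        events[rec["src"]].append((rec["ts"], (rec["dst"], rec["dport"])))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order, so the sliding window below is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {target for _, target in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = targets
                break
    return flagged


# Constructed sample: one host sweeping a dozen services in twelve seconds
# (TCP port 10008, mentioned in section 5 of the summary, is among them),
# plus a normal client repeatedly fetching web pages from the same server,
# plus one malformed line to show that parse failures are tolerated.
SWEEP_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 10008]
SAMPLE_LOG = [
    f"2001-05-29T10:00:{i:02d} DENY TCP 198.51.100.7:4{i:04d} -> 192.0.2.10:{port}"
    for i, port in enumerate(SWEEP_PORTS)
] + [
    f"2001-05-29T10:00:{i:02d} ACCEPT TCP 203.0.113.9:3{i:04d} -> 192.0.2.10:80"
    for i in (1, 5, 9, 13, 17)
] + ["garbage line that should be ignored"]


if __name__ == "__main__":
    for src, targets in find_port_scanners(SAMPLE_LOG).items():
        ports = sorted(p for _, p in targets)
        print(f"{src}: {len(targets)} distinct targets within the window, ports {ports}")
```

The window and threshold are the tuning knobs: a wide window with a low threshold catches slow scans at the cost of false positives from busy legitimate clients, and the reverse misses them. Counting distinct (host, port) pairs rather than raw packets is what keeps a chatty but legitimate client from tripping the check.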
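Section 7 of the summary above names RFC 1948 as the fix for predictable TCP initial sequence numbers. The following is an added example, not part of the CERT summary and not the code of any vendor or of the RFC, of what an RFC 1948 style generator looks like: the ISN is a 4-microsecond clock plus a secret-keyed hash of the connection 4-tuple, so ISNs for one connection still advance monotonically while the offset between different connections is not derivable by an observer without the host secret. RFC 1948 suggests MD5 for the hash; using SHA-256 truncated to 32 bits here is this example's choice, and the secrets and addresses are constructed.

```python
import hashlib
import struct
import time
from ipaddress import ip_address
from typing import Optional


class Rfc1948IsnGenerator:
    """TCP initial sequence numbers in the RFC 1948 style:

        ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret)

    M is a clock that ticks once every 4 microseconds, so the ISN for a given
    4-tuple keeps increasing over time (which RFC 793 relies on so that old
    segments do not collide with a new incarnation of the connection).
    F is a keyed hash of the 4-tuple and a host secret, so observing the ISN
    of one connection reveals nothing about the ISN of another.
    Example choice: SHA-256 truncated to 32 bits rather than the MD5 that
    RFC 1948 suggests.
    """

    TICK_MICROSECONDS = 4
    MASK32 = 0xFFFFFFFF

    def __init__(self, secret: bytes):
        # The secret must be random and never leave the host; a short or
        # guessable secret reduces F to a public function of the 4-tuple.
        if len(secret) < 16:
            raise ValueError("secret must be at least 128 bits of random data")
        self._secret = secret

    @staticmethod
    def _pack_tuple(local_ip: str, local_port: int,
                    remote_ip: str, remote_port: int) -> bytes:
        # Fixed-width encoding (works for IPv4 and IPv6) so that two distinct
        # 4-tuples can never serialise to the same byte string.
        return (ip_address(local_ip).packed + struct.pack("!H", local_port)
                + ip_address(remote_ip).packed + struct.pack("!H", remote_port))

    def offset(self, local_ip: str, local_port: int,
               remote_ip: str, remote_port: int) -> int:
        """F(): the secret-keyed, per-4-tuple component of the ISN."""
        data = self._pack_tuple(local_ip, local_port, remote_ip, remote_port)
        digest = hashlib.sha256(self._secret + data).digest()
        return struct.unpack("!I", digest[:4])[0]

    def isn(self, local_ip: str, local_port: int,
            remote_ip: str, remote_port: int,
            now_us: Optional[int] = None) -> int:
        """M + F, reduced modulo 2**32. `now_us` is the clock in microseconds;
        it is a parameter so the behaviour can be checked deterministically."""
        if now_us is None:
            now_us = time.monotonic_ns() // 1000
        m = (now_us // self.TICK_MICROSECONDS) & self.MASK32
        f = self.offset(local_ip, local_port, remote_ip, remote_port)
        return (m + f) & self.MASK32


def isn_delta(gen: Rfc1948IsnGenerator, tup, t1_us: int, t2_us: int) -> int:
    """Difference between the ISNs issued for the same 4-tuple at two times.
    For this construction it is exactly the number of 4 us ticks that elapsed,
    and it says nothing about the ISN of any other 4-tuple."""
    return (gen.isn(*tup, now_us=t2_us) - gen.isn(*tup, now_us=t1_us)) & gen.MASK32


if __name__ == "__main__":
    import os
    gen = Rfc1948IsnGenerator(os.urandom(32))
    a = ("192.0.2.10", 80, "198.51.100.7", 40000)   # constructed sample 4-tuple
    b = ("192.0.2.10", 80, "198.51.100.7", 40001)   # differs only in remote port
    print("same tuple, 400 us later: ISN advanced by", isn_delta(gen, a, 1_000_000, 1_000_400))
    print("adjacent tuple: offset differs by",
          (gen.offset(*b) - gen.offset(*a)) & gen.MASK32)
```

The check worth keeping from this is the pair of properties: for one 4-tuple the ISN moves forward by the clock alone, and across 4-tuples the offsets are unrelated without the secret. A scheme that adds random increments to a single global counter satisfies the first property but not the second, which is the weakness the advisory describes.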