From: CERT Advisory [mailto:cert-advisory@cert.org]
Sent: Wednesday, May 31, 2000 4:37 PM
To: cert-advisory@cert.org
Subject: CERT Summary CS-2000-02
CERT Summary CS-2000-02
May 31, 2000
Each quarter, the CERT Coordination Center (CERT/CC) issues the
CERT Summary to draw attention to the types of attacks reported to
our incident response team, as well as other noteworthy incident
and vulnerability information. The summary includes pointers to
sources of information for dealing with the problems.
Past CERT summaries are available from
http://www.cert.org/summaries/
Recent Activity
Since the last regularly scheduled CERT summary, issued in
February (CS-2000-01), we have published information on buffer
overflows in Kerberos authenticated services, improper validation
of SSL sessions in Netscape Navigator, the Love Letter Worm,
denial-of-service attacks using nameservers, and the exploitation
of unprotected Windows shares. We also continue to receive a large
number of reports of machines compromised by exploiting
vulnerabilities in BIND.
1. Multiple Vulnerabilities in BIND
We continue to receive daily reports of systems being root
compromised via one of the vulnerabilities in BIND. The “NXT bug”
described in advisory CA-99-14 is being exploited to gain root
access to systems running vulnerable versions of BIND. This
activity has been ongoing and constant since late last year. Sites
are strongly encouraged to follow the advice contained in CA-99-14
and CA-2000-03 to protect systems running BIND nameservers.
CERT Advisory CA-2000-03
Continuing Compromises of DNS servers
http://www.cert.org/advisories/CA-2000-03.html
CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-99-14-bind.html
2. Multiple Buffer Overflows in Kerberos Authenticated
Services
There are several buffer overflow vulnerabilities in the
Kerberos authentication software. The most severe vulnerability
allows remote intruders to gain root privileges on systems running
services using Kerberos authentication. If vulnerable services are
enabled on the Key Distribution Center (KDC) system, the entire
Kerberos domain may be compromised. For more details and vendor
information, see
CERT Advisory CA-2000-06
Multiple Buffer Overflows in Kerberos Authenticated Services
http://www.cert.org/advisories/CA-2000-06.html
3. Netscape Navigator Improperly Validates SSL Sessions
The ACROS Security Team of Slovenia recently discovered a flaw
in the way Netscape Navigator validates SSL sessions. Attackers can
trick users into disclosing information intended for a legitimate
web site, even if that web site uses SSL to authenticate and secure
transactions.
CERT Advisory CA-2000-05
Netscape Navigator Improperly Validates SSL Sessions
http://www.cert.org/advisories/CA-2000-05.html
4. Love Letter Worm
The “Love Letter” worm is a malicious VBScript program which
spreads in a variety of ways. As of 5:00 pm EDT(GMT-4) on May 8,
2000, the CERT/CC Coordination Center had received reports from
more than 650 individual sites indicating more than 500,000
individual systems were affected. In addition, we had several
reports of sites suffering considerable network degradation as a
result of mail, file, and web traffic generated by the “Love
Letter” worm. Despite several variations being found in the wild,
reports indicate that activity related to the Love Letter worm has
subsided. Information about the worm can be found in
CERT Advisory CA-2000-04
Love Letter Worm
http://www.cert.org/advisories/CA-2000-04.html
5. Denial-of-Service Attacks Using Nameservers
We have received a number of reports of intruders using
nameservers to execute packet flooding denial-of-service attacks,
which are described in a CERT incident note:
CERT Incident Note IN-2000-04
Denial of Service Attacks Using Nameservers
http://www.cert.org/incident_notes/IN-2000-04.html
6. Exploitation of Unprotected Windows Shares
Intruders are actively exploiting Windows networking shares that
are made available for remote connections across the Internet. This
is not a new problem, but the potential impact on the overall
security of the Internet is increasing. Unprotected Windows shares
allow worms like network.vbs (IN-2000-02) or the 911 Worm
(IN-2000-03) to spread. Exploitation may also lead to the
installation of Windows based DDoS agents (IN-2000-01). Here are
the URLs for information on these problems.
CERT Incident Note IN-2000-03
911 Worm
http://www.cert.org/incident_notes/IN-2000-03.html
CERT Incident Note IN-2000-02 Exploitation of Unprotected
Windows Shares
http://www.cert.org/incident_notes/IN-2000-02.html
CERT Incident Note IN-2000-01
Windows Based DDoS Agents
http://www.cert.org/incident_notes/IN-2000-01.html
New Windows Security Tech Tips
The CERT/CC and AusCERT (Australian Computer Emergency Response
Team) jointly published the following tech tips addressing security
issues related to Microsoft Windows-based systems. These documents
provide a broad range of information about Windows 95, Windows 98,
and Windows NT security. Some of this information applies to UNIX
systems as well.
Windows 95/98 Computer Security Information
http://www.cert.org/tech_tips/win-95-info.html
Windows NT Configuration Guidelines
http://www.cert.org/tech_tips/win_configuration_guidelines.html
Windows NT Security and Configuration Resources
http://www.cert.org/tech_tips/win-resources.html
Windows NT Intruder Detection Checklist
http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
“CERT/CC Channel”
The CERT/CC Current Activity web page is a regularly updated
summary of the most frequent, high-impact types of security
incidents and vulnerabilities currently being reported to the
CERT/CC. It is available from
“CERT/CC Current Activity” Web Page
The CERT/CC Current Activity web page is a regularly updated
summary of the most frequent, high-impact types of security
incidents and vulnerabilities currently being reported to the
CERT/CC. It is available from
http://www.cert.org/current/current_activity.html
The information on the Current Activity page is reviewed and
updated as reporting trends change.
What’s New and Updated
Since the last CERT summary, we have published new and updated
* Advisories
* Incident notes
* Tech tips/FAQs
* CERT/CC statistics
* Infosec Outlook newsletter
* Announcement of CERT Conference 2000
* Copies of Congressional testimony by our staff
* Security improvement implementations
There are descriptions of these documents and links to them on our
“What’s New” web page at
http://www.cert.org/nav/whatsnew.html
This document is available from:
http://www.cert.org/summaries/CS-2000-02.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available
from our web site
To be added to our mailing list for advisories and bulletins,
send email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.