  • August 05, 2005 - Current Activity

    This is an archived copy of Current Activity.

    • Scanning Activity on Port 6070/tcp (new)
    • BrightStor ARCserve Vulnerability
    • Cisco IOS Vulnerability
    • Exploits for Vulnerabilities in Mozilla
    • Oracle Vulnerabilities
    • Vulnerability in Remote Desktop Protocol
    • Vulnerability in zlib Data Compression Library
    • Exploit for Vulnerability in XML-RPC
    • Exploit for Vulnerability in Microsoft's JVIEW Profiler (javaprxy.dll)
    • Exploit for Vulnerability in phpBB
    • Fake Microsoft Security Bulletin Email
    • Scanning Activity on Port 445/tcp
    • Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
    • Exploit for Vulnerability in Outlook Express
    • Users at Continued Risk from Phishing Attempts



    Scanning Activity on Port 6070/tcp
    added August 4, 2005

    US-CERT has seen reports indicating an increase in scanning activity on port 6070/tcp. This port is used by Computer Associates BrightStor ARCserve.

    Recently, Computer Associates released a security advisory (Vulnerability ID: 33239) describing a vulnerability in BrightStor ARCserve. Since then, exploits have been published that take advantage of this vulnerability. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#279774 - Computer Associates BrightStor ARCserve Backup Agents vulnerable to buffer overflow

    While reports of successful system compromises using this vulnerability have not been confirmed, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in Computer Associates' vulnerability description.


    Vulnerability in Computer Associates BrightStor ARCserve Backup Agents
    added August 3, 2005

    US-CERT is aware of a new Computer Associates BrightStor ARCserve Backup Agents vulnerability. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable machine with SYSTEM privileges. Public exploits are available. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#279774 - Computer Associates BrightStor ARCserve Backup Agents vulnerable to buffer overflow

    Although there is limited information concerning the vulnerability, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in Computer Associates' vulnerability description.


    Cisco IOS Vulnerability
    added July 27, 2005 | updated July 29, 2005

    A presentation at the 2005 Black Hat Conference demonstrated proof-of-concept exploit code that targeted a vulnerability affecting Cisco IOS. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#930892 - Cisco IOS vulnerable to DoS or arbitrary code execution via specially crafted IPv6 packet

    All readers are encouraged to review the fixes, updates, and workarounds described in the Cisco Security Advisory.


    Exploits for Vulnerabilities in Mozilla
    added July 14, 2005 | updated July 25, 2005

    US-CERT is aware of several new Mozilla Suite and Mozilla Firefox vulnerabilities, some of which have public exploits available. The vulnerabilities range in severity from moderate to critical. If exploited, the critical vulnerabilities could allow a remote attacker to execute arbitrary commands on the user's system with the privileges of the user running the vulnerable browser.

    Although there is limited information concerning several of these vulnerabilities, US-CERT encourages Firefox users to upgrade to version 1.0.5 and Mozilla Suite users to upgrade to version 1.7.10 as soon as possible.


    Oracle Vulnerabilities
    added July 21, 2005 | updated July 22, 2005

    US-CERT is aware of multiple vulnerabilities in Oracle products. The severity of these vulnerabilities varies, but impacts include remote execution of arbitrary SQL commands, disclosure of sensitive information, and denial of service. Many of these vulnerabilities are corrected by the Oracle Critical Patch Update (CPU) for July 2005.

    US-CERT is also aware of recent public reports that identify additional vulnerabilities that are reportedly not addressed by the July Oracle CPU. Please note:

    • US-CERT has no independent confirmation that the workarounds described in some of the vulnerability reports completely mitigate the problems described.
    • US-CERT encourages users to carefully evaluate the intended changes that these workarounds introduce in their environment or application.

    For additional information, please refer to US-CERT Technical Cyber Security Alert TA05-194A and the Oracle Critical Patch Update for July 2005. US-CERT is continuing to investigate these reports and will provide further information as it becomes available.


    Vulnerability in Remote Desktop Protocol
    added July 18, 2005

    US-CERT is aware of a vulnerability in Microsoft's Remote Desktop Protocol (RDP). Services that utilize the Remote Desktop Protocol (i.e., Terminal Services, Remote Desktop Services, Remote Assistance) could be affected.

    By sending a specially crafted RDP request, a remote attacker could cause a denial-of-service condition on an affected system. We have no evidence of successful exploitation of this vulnerability. With the exception of Windows XP Media Center Edition, services that utilize the Remote Desktop Protocol are not enabled by default.

    Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem. Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of the Microsoft Security Advisory.


    Vulnerability in zlib Data Compression Library
    added July 12, 2005

    US-CERT is aware of a buffer overflow vulnerability in the zlib compression library. Applications linked to the zlib library may abruptly and abnormally terminate resulting in a denial-of-service condition. At the present time we do not have any evidence of successful exploitation. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#680620 - zlib inflate() routine vulnerable to buffer overflow

    US-CERT encourages administrators to apply the appropriate fixes as soon as possible.


    Exploit for Vulnerability in XML-RPC
    added July 6, 2005

    US-CERT is aware of a working public exploit for a vulnerability in a common PHP extension module (XML-RPC) that could allow a remote attacker to execute code of their choosing on a vulnerable system. Any application, typically web-based, that uses a flawed XML-RPC PHP implementation is vulnerable to exploitation. XML-RPC allows software to make procedure calls over the Internet typically using HTTP and XML.

    A remote attacker could exploit the XML-RPC vulnerability to execute PHP code of their choosing. The code would be executed in the context of the server program that runs the corresponding web-based application. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#442845 - Multiple PHP XML-RPC implementations vulnerable to code injection

    US-CERT encourages administrators to apply the appropriate updates, patches, or fixes as soon as possible. If upgrading is not feasible or convenient at this time, then administrators should consider disabling the affected XML-RPC libraries.


    Exploit for Vulnerability in Microsoft's JVIEW Profiler (javaprxy.dll)
    added July 2, 2005

    US-CERT is aware of a working public exploit for a vulnerability in the Microsoft JVIEW Profiler (javaprxy.dll) component, an interface to the Microsoft Java Virtual Machine. This vulnerability can be exploited when a user attempts to view an HTML document (e.g., a web page or an HTML email message) that attempts to instantiate the JVIEW Profiler COM object in a certain way.

    Successful exploitation could allow an attacker to execute arbitrary code on the user's system with privileges of the user. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#939605 - JVIEW Profiler (javaprxy.dll) COM object contains an unspecified vulnerability

    Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem. Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of Vulnerability Note VU#939605.


    Exploit for Vulnerability in phpBB
    added July 1, 2005

    US-CERT is aware of a public exploit for a vulnerability in phpBB's "viewtopic.php" script. We have seen reports of attempts at exploitation, but we have no confirmed evidence of successful system compromises. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#497400 - phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter

    This vulnerability was addressed in version 2.0.11, but that fix did not adequately resolve the issue. In 2004, this vulnerability led to the propagation of the Santy worm.

    The phpBB Development Team has released phpBB version 2.0.16 to fully correct this issue. US-CERT encourages administrators to apply the appropriate fixes as soon as possible.


    Fake Microsoft Security Bulletin Email
    added June 29, 2005 | updated June 30, 2005

    US-CERT has received reports of an email message in circulation that purports to be a Microsoft Security Bulletin. The email directs the user to download and install an executable that is supposed to be a cumulative patch. Through the use of social engineering, the attacker is hoping to trick the user into thinking they will be installing a cumulative patch when in fact they are installing a version of SDBot, a commonly used Trojan horse.

    This variant of SDBot is part of a family of backdoor Trojan horse programs commonly controlled remotely by an attacker via Internet Relay Chat (IRC). Some variants of SDBot may not be detected by anti-virus applications.

    In 2003, a similar email message masquerading as a Microsoft Security Bulletin was circulated via email. Users that clicked on the link in this email message were infected with the Swen mass-mailing worm.

    US-CERT recommends:

      • Users should not follow unsolicited web links received in email messages.
      • Users should manually type in the URL when attempting to go to the web sites recommended in an email.
      • Users should install anti-virus software and keep its virus signature files up-to-date.

    Scanning Activity on Port 445/tcp
    added June 28, 2005

    US-CERT has seen reports indicating an increase in scanning activity on port 445/tcp. This port is used by Server Message Block (SMB) to share files, printers, and serial ports and to communicate between computers in a Microsoft Windows environment. Scanning for port 445/tcp has been active for a number of years.

    In 2004, Microsoft released a bulletin (MS04-011) describing a vulnerability in the Local Security Authority Subsystem Service (LSASS). Since then, a number of exploits have been published that take advantage of this vulnerability. More recently, Microsoft published two security bulletins (MS05-011 and MS05-027) that describe vulnerabilities in the Server Message Block (SMB). More information about these vulnerabilities can be found in the following US-CERT Vulnerability Notes:

        VU#753212 - Microsoft LSA Service contains buffer overflow in DsRolepInitializeLog() function (MS04-011)

    The LSASS and SMB services utilize RPC for communications. Ports configured to support RPC (i.e., port 445/tcp) may be scanned to locate vulnerable hosts. Scanning for port 445/tcp could be a result of attempts to exploit any of the vulnerabilities referenced above or attempts to authenticate to Microsoft Windows systems through brute force password attacks.

    More recently, an exploit was released that attempts to take advantage of the vulnerability described in MS05-011. While reports of successful system compromises using this vulnerability have not been confirmed, US-CERT strongly recommends that users patch their systems as soon as possible.


    Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
    added June 26, 2005

    US-CERT has received reports of increased scanning activity on port 10000/tcp. This increase is believed to be related to the public release of a new exploit for a recently published vulnerability in VERITAS Backup Exec Remote Agent. More information about the vulnerability can be found in US-CERT Vulnerability Note:

        VU#492105 - VERITAS Backup Exec Remote Agent fails to properly validate authentication requests

    Normally the VERITAS Backup Exec Remote Agent listens on network ports 6101/tcp and 10000/tcp. Reports indicate that once the vulnerability has been exploited, port 6101/tcp will still be listening but the service on port 10000/tcp will have crashed.

    Possible workarounds include using a firewall to restrict incoming connections on port 10000/tcp to trusted workstations running the Backup Exec client software.

    VERITAS has issued patches for each vulnerable version of Backup Exec Remote Agent. Information about this patch and other recent critical patches can be found in the VERITAS Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007. Administrators are strongly encouraged to apply the appropriate fixes as soon as possible.
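    As a defender-side illustration of the scanning reports above (the 6070/tcp, 445/tcp and 10000/tcp activity), here is an added Python example, not code from US-CERT or any vendor, that runs a simple scan detector over constructed firewall log lines and separates many-host sweeps from repeated connections to a single host. The iptables-style log format, the address values and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports named in the advisories on this page: BrightStor ARCserve (6070/tcp),
# SMB/LSASS (445/tcp) and VERITAS Backup Exec Remote Agent (10000/tcp).
WATCHED_PORTS = {6070, 445, 10000}

# Constructed sample firewall log (simplified iptables style, documentation addresses; not real traffic).
SAMPLE_LOG = """\
Aug  4 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=6070 SYN
Aug  4 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=6070 SYN
Aug  4 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=6070 SYN
Aug  4 10:02:10 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=445 SYN
Aug  4 10:02:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=445 SYN
Aug  4 10:02:12 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=445 SYN
Aug  4 10:03:00 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.30 PROTO=TCP DPT=10000 SYN
Aug  4 10:03:00 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.31 PROTO=TCP DPT=10000 SYN
Aug  4 10:03:01 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.32 PROTO=TCP DPT=10000 SYN
Aug  4 10:04:00 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.40 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), int(m.group(3))

def find_scanners(log_text, min_hits=3):
    """Return (scanners, repeaters): sources that reached >= min_hits distinct
    hosts on one watched port, and sources with >= min_hits connections on a
    watched port but fewer distinct hosts (e.g. password guessing on 445/tcp)."""
    targets = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if port not in WATCHED_PORTS:
            continue                      # e.g. the 80/tcp line is ignored
        targets[(src, port)].add(dst)
        hits[(src, port)] += 1
    scanners = {k: sorted(v) for k, v in targets.items() if len(v) >= min_hits}
    repeaters = {k: hits[k] for k, v in targets.items()
                 if len(v) < min_hits and hits[k] >= min_hits}
    return scanners, repeaters
```

    In the constructed sample, the 6070/tcp and 10000/tcp sources sweep three hosts each and are reported as scanners, while the 445/tcp source repeatedly contacts one host and is reported as a repeater.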


    Exploit for Vulnerability in Outlook Express
    added June 25, 2005

    US-CERT has received reports of the existence of a working exploit for a recently published vulnerability in Microsoft Outlook Express. While reports of successful system compromise using this vulnerability have not yet been confirmed, US-CERT urges users to review the information in US-CERT Vulnerability Note:

        VU#130614 - Microsoft Outlook Express vulnerable to remote code execution

    Microsoft has released a patch to address this vulnerability in Microsoft Security Bulletin MS05-030. Administrators are encouraged to apply the appropriate fixes as soon as possible.


    Users at Continued Risk from Phishing Attempts
    added June 23, 2005

    US-CERT continues to receive reports of phishing attempts. Because of recent media reports regarding attacks against financial institutions, users may see an increase in targeted phishing emails. Phishing emails may appear as requests from a financial institution asking the user to click on a link that takes them to a fraudulent site that looks like the legitimate one. The user is then asked to provide personal information that can further expose them to future compromises.

    US-CERT warns users to expect media reports about financial institution breaches to be leveraged in future phishing attempts. Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

    1. Don’t follow unsolicited web links received in email messages.
    2. Contact your financial institution immediately if:
       • you believe your account has been compromised.
       • you are unsure whether an email you received purporting to come from them is legitimate.