(no subject)

From: Aleph One (aleph1at_private)
Date: Wed Mar 04 1998 - 14:12:32 PST


    >From aleph1  Wed Mar  4 16:05:49 1998
    Return-Path: <cert_mailerat_private>
    X-Received: from coal.cert.org by dfw.dfw.net (4.1/SMI-4.1)
            id AA22914; Wed, 4 Mar 1998 16:05:00 CST
    X-Received: (from cert-advisory@localhost) by coal.cert.org (8.6.12/CERT) id OAA05962 for cert-advisory-queue-40; Wed, 4 Mar 1998 14:05:02 -0500
    Date: Wed, 4 Mar 1998 14:05:02 -0500
    Message-Id: <199803041905.OAA05962at_private>
    From: CERT Advisory <cert-advisoryat_private>
    To: cert-advisoryat_private
    Subject: CERT Summary CS-98.02
    Reply-To: cert-advisory-requestat_private
    Organization: CERT(sm) Coordination Center -  +1 412-268-7090
    ReSent-Date: Wed, 4 Mar 1998 16:12:29 -0600 (CST)
    ReSent-From: Aleph One <aleph1at_private>
    ReSent-To: BUGTRAQat_private
    ReSent-Message-ID: <Pine.SUN.3.94.980304161229.19842Wat_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    - ---------------------------------------------------------------------------
    CERT* Summary CS-98.02 - SPECIAL EDITION
    March 4, 1998
    
    
    This special edition of the CERT Summary reports denial of service attacks
    targeting a vulnerability in the Microsoft TCP/IP stack.
    
    Past CERT Summaries are available from
         ftp://ftp.cert.org/pub/cert_summaries/
    
    - ---------------------------------------------------------------------------
    
    Denial of service attacks targeting Windows 95/NT machines
    - ----------------------------------------------------------
    
    This special edition of the CERT Summary reports denial of service attacks
    targeting a vulnerability in the Microsoft TCP/IP stack. We have received
    reports from a number of sites and incident response teams indicating that a
    large number of machines were affected.
    
    The attacks involve sending a pair of malformed IP fragments which are
    reassembled into an invalid UDP datagram. The invalid UDP datagram causes the
    target machine to go into an unstable state. Once in an unstable state, the
    target machine either halts or crashes. We have received reports that some
    machines crashed with a blue screen while others rebooted.
    
    Attack tools known by such names as NewTear, Bonk, and Boink have been
    previously used to exploit this vulnerability against individual hosts;
    however, in this instance, the attacker used a modified tool to automatically
    attack a large number of hosts.
    
    The solution to protect Windows 95 and NT machines from this attack is to
    apply the appropriate Microsoft patch. The Microsoft patch, as well as more
    information about the vulnerability, can be found in the January 1998
    Microsoft Market Bulletin entitled, "New Teardrop-like TCP/IP Denial of
    Service Program" available from:
    
            http://www.microsoft.com/security/newtear2.htm
    
    Although the first instance of this attack, which started March 2, 1998,
    appears to be over, keep in mind that the tools to launch this attack are now
    available and we expect to see more incidents of this type.
    
    
    - ---------------------------------------------------------------------------
    How to Contact the CERT Coordination Center
    
    Email    certat_private
    
    Phone    +1 412-268-7090 (24-hour hotline)
                    CERT personnel answer on business days
                    8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
                    and are on call for emergencies during
                    other hours.
    
    Fax      +1 412-268-6989
    
    Postal address
            CERT Coordination Center
            Software Engineering Institute
            Carnegie Mellon University
            Pittsburgh PA 15213-3890
            USA
    
    To be added to our mailing list for CERT advisories and bulletins, send your
    email address to
            cert-advisory-requestat_private
    In the subject line, type
            SUBSCRIBE your-email-address
    
    CERT advisories and bulletins are posted on the USENET news group
             comp.security.announce
    
    CERT publications, information about FIRST representatives, and other
    security-related information are available for anonymous FTP from
            http://www.cert.org/
            ftp://ftp.cert.org/pub/
    
    If you wish to send sensitive incident or vulnerability information to CERT
    staff by electronic mail, we strongly advise you to encrypt your message.
    We can support a shared DES key or PGP. Contact the CERT staff for more
    information.
    
    Location of CERT PGP key
             ftp://ftp.cert.org/pub/CERT_PGP.key
    
    - ---------------------------------------------------------------------------
    
    Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
    and sponsorship information can be found in
    http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
    If you do not have FTP or web access, send mail to certat_private with
    "copyright" in the subject line.
    
    * CERT is registered in the U.S. Patent and Trademark Office.
    
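Added example, not part of the CERT summary or of any vendor patch: the summary describes a pair of malformed IP fragments that reassemble into an invalid UDP datagram, and the sketch below shows the sanity checks a reassembly routine can apply to a fragment set before copying any payload. The summary does not say how the fragments are malformed, so the specific checks (overlap, gap, MF flag, UDP length field) are assumptions, and `struct frag`, `check_fragments` and the sample data are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of one IPv4 fragment carrying part of a UDP datagram. */
struct frag {
    uint16_t offset;      /* payload offset in bytes (wire field * 8) */
    uint16_t len;         /* payload bytes in this fragment */
    int more_fragments;   /* MF flag */
    const uint8_t *data;  /* payload bytes */
};
enum verdict { FRAG_OK, FRAG_OVERLAP, FRAG_GAP, FRAG_BAD_MF, FRAG_BAD_UDP_LEN };

/* Check a complete, offset-sorted fragment set before copying any payload. */
enum verdict check_fragments(const struct frag *f, size_t n) {
    uint32_t end = 0;     /* 32-bit so offset + len cannot wrap */
    if (n == 0 || f[0].offset != 0) return FRAG_GAP;
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < end) return FRAG_OVERLAP;   /* starts inside earlier data */
        if (f[i].offset > end) return FRAG_GAP;       /* hole in the datagram */
        if (!!f[i].more_fragments != (i + 1 < n)) return FRAG_BAD_MF;
        end = (uint32_t)f[i].offset + f[i].len;
    }
    if (f[0].len < 8) return FRAG_BAD_UDP_LEN;        /* UDP header incomplete */
    /* Bytes 4-5 of the UDP header hold the datagram length, big-endian. */
    uint32_t udp_len = ((uint32_t)f[0].data[4] << 8) | f[0].data[5];
    return udp_len == end ? FRAG_OK : FRAG_BAD_UDP_LEN;
}

/* Constructed sample: UDP header declaring 24 bytes (0x0018), zero-filled data. */
static const uint8_t first[16] = { 0x04,0x00, 0x00,0x35, 0x00,0x18, 0x00,0x00 };
static const uint8_t rest[8] = { 0 };

enum verdict demo_valid(void) {        /* 16 + 8 bytes, contiguous */
    struct frag f[] = { {0, 16, 1, first}, {16, 8, 0, rest} };
    return check_fragments(f, 2);
}
enum verdict demo_overlap(void) {      /* second fragment starts inside the first */
    struct frag f[] = { {0, 16, 1, first}, {8, 8, 0, rest} };
    return check_fragments(f, 2);
}
enum verdict demo_bad_length(void) {   /* 20 bytes arrive, header claims 24 */
    struct frag f[] = { {0, 16, 1, first}, {16, 4, 0, rest} };
    return check_fragments(f, 2);
}

int main(void) {
    printf("%d %d %d\n", demo_valid(), demo_overlap(), demo_bad_length());
    return 0;
}
```

A fragment set that fails any check is dropped whole rather than reassembled, which keeps the inconsistent lengths away from the copy logic.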
    