From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Oct 21 2002 - 12:58:01 CDT


    From: Alan Paller, Director of Research, SANS

    *****************************************************************
                    SANS Critical Vulnerability Analysis
    October 21, 2002 Vol. 1. No. 13
    *****************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities. In
    other words, it tells you where actions are needed and eliminates the
    need for you to search out details on all the new vulnerabilities.
    Please forward this note to anyone who has security and system
    administration responsibility. They can register to get it themselves
    at https://server2.sans.org/sansnews

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.
    ******************************************************************

    Widely Deployed Software
    =========================
    (1) Moderate: Outlook Express S/MIME Parsing Buffer Overflow

    Other Software
    ===============
    (2) Moderate: Linux Heartbeat Daemon Format String Overflow
    (3) Moderate: Syslog-NG Daemon Macro Expansion Buffer Overflow
    (4) Moderate: MySimpleNews CGI Suite Multiple Vulnerabilities

    Exploit Codes
    ==============
    (5) Windows 2000 NetDDE LOCAL/SYSTEM Privilege Escalation Exploit

    *******************************
       Widely Deployed Software
    *******************************

    (1) Moderate: Outlook Express S/MIME Parsing Buffer Overflow

    Affected Products:
    Microsoft Outlook Express 5.5 and 6.0
    Earlier Outlook Express versions may also be affected.

    Description:
    The certificate verification function of Outlook Express incorrectly
    parses malformed S/MIME certificates on incoming email, allowing a
    malicious email to execute arbitrary code on the user's system.

    Risk: Windows system compromise with the privileges of the Outlook
    Express user opening or previewing a hostile email. Also a potential
    to cause the mail client to fail.

    Deployment: Huge.
    Outlook Express is a very popular email client for Windows that ships
    as part of Internet Explorer. By default Outlook Express is installed
    on every Windows system.

    Ease of Exploitation: Standard.
    An attacker must send a specially crafted email that contains a
    malformed S/MIME certificate. If some aspect of the certificate
    contains overlong data, a buffer is overflowed in Outlook Express.
    An attacker can pinpoint the problem by trying different
    certificate values and noticing when the software crashes.

    Status: Vendor confirmed, patch available.
    A fix for this issue is also included in Windows XP SP1 and IE 6.0 SP1.

    References:
    Microsoft Security Advisory:
    http://www.microsoft.com/technet/security/bulletin/MS02-058.asp
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0004.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5944

    Council Site Actions:
    Outlook Express is not in widespread use at council sites. Most of
    the council sites stated, however, that the software was most likely
    installed on a large number of hosts within their organizations.
    Most of the reporting council sites have notified their desktop
    support group to include the patch during the next regularly scheduled
    patch update.

    *******************************
        Other Software
    *******************************
    (2) Moderate: Linux Heartbeat Daemon Format String Overflow

    Affected Products:
    Linux. SuSE and Debian have included the vulnerable software
    in past distributions.

    Description:
    The heartbeat daemon used for high-availability Linux clusters has
    been found to contain various exploitable format string vulnerabilities
    which enable a remote attacker to execute arbitrary code on the system
    with root privileges.

    Assessment:
    Risk: Remote root compromise.

    Deployment: Moderate.
    The vulnerable daemon is included with some standard Linux
    distributions, but is not enabled by default.

    Ease of Exploitation: Unknown.
    According to SuSE, the attacker must send malicious UDP packets to the
    UDP port heartbeat is listening on -- 694/udp by default. According
    to Debian, the attacker must send "specially crafted TCP packets"
    to exploit the bug.

    Status: The vulnerability has been confirmed by SuSE and Debian.
    Both have released updated software to fix the problem. In addition,
    SuSE recommends blocking traffic to the heartbeat port at the network
    perimeter.

    References:
    SuSE:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0203.html

    Debian:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0224.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5955

    Council Site Actions:
    One of the reporting council sites is running the vulnerable software.
    This site has sent notification to its Linux support group as an FYI.
    The other council sites reported no action taken.

    ==============================================================

    (3) Moderate: Syslog-NG Daemon Macro Expansion Buffer Overflow

    Affected Products:
    Syslog-NG versions 1.5.20 (development), 1.4.15 (stable) and prior

    Description:
    The syslog-NG daemon does not properly expand macro strings in
    configuration templates, leading to a remotely exploitable buffer
    overflow which can execute arbitrary code under certain configurations.

    Assessment:
    Risk: Remote root compromise.

    Deployment: Small.

    Ease of Exploitation: Unknown.
    The syslog-NG server must be configured to use templated filenames or
    templated output to be vulnerable. The specifics of how to exploit the
    vulnerability depend on the exact template being used. The attacker
    can send maliciously crafted log messages to the server to cause the
    buffer overflow.
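    As an added illustration of the bug class described above (example code written for this note, not syslog-ng's own code, and not a description of the actual syslog-ng defect): a template expander that refuses any macro value that would not fit its fixed output buffer, which is precisely the check an unbounded expansion omits. The $HOST and $MSG macro names, the record struct and the 64-byte buffer are assumptions made for the example.

```c
#include <string.h>

#define OUT_MAX 64              /* assumed fixed-size output buffer */

struct logrec {                 /* assumed fields of one received log record */
    const char *host;           /* sender host name, taken from the packet */
    const char *msg;            /* message body, fully attacker-controlled */
};

/* Resolve a macro name of length len to its value; NULL if unknown. */
static const char *macro_value(const struct logrec *r, const char *name, size_t len)
{
    if (len == 4 && strncmp(name, "HOST", 4) == 0) return r->host;
    if (len == 3 && strncmp(name, "MSG", 3) == 0)  return r->msg;
    return NULL;
}

/* Append n bytes of src to out (capacity cap >= 1, *used bytes filled). Returns -1
 * instead of writing when the data would not fit: the check strcpy/strcat lack. */
static int append(char *out, size_t cap, size_t *used, const char *src, size_t n)
{
    if (n > cap - 1 - *used) return -1;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/* Expand tmpl ("$HOST", "$MSG", literal text) into out. Returns the number of
 * bytes written, or -1 if any expansion would overflow out; out stays
 * NUL-terminated so the caller can report the oversize record and drop it. */
int expand_template(const char *tmpl, const struct logrec *r, char *out, size_t cap)
{
    size_t used = 0;
    out[0] = '\0';
    for (const char *p = tmpl; *p; ) {
        if (*p == '$') {
            const char *start = ++p;
            while ((*p >= 'A' && *p <= 'Z') || *p == '_') p++;
            const char *val = macro_value(r, start, (size_t)(p - start));
            if (val == NULL) val = "";       /* unknown macro expands to nothing */
            if (append(out, cap, &used, val, strlen(val)) < 0) return -1;
        } else {
            if (append(out, cap, &used, p, 1) < 0) return -1;
            p++;
        }
    }
    return (int)used;
}
```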

    Status: Vendor confirmed, patch available.

    References:
    Vendor statement and patches:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0151.html

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0256.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5934

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    =============================================================

    (4) Moderate: MySimpleNews CGI Suite Multiple Vulnerabilities

    Affected Products:
    MySimpleNews PHP CGI Suite version 1 (runs on Unix/Linux)

    Description:
    The MySimpleNews PHP CGI suite allows a remote attacker to execute
    arbitrary PHP code, recover the MySimpleNews administrator password,
    and delete the MySimpleNews application from the web server where
    it resides.

    Risk: Remote system compromise.
    Remote compromise of web servers running MySimpleNews, with the
    privileges of the server process.

    Deployment: Small.

    Ease of Exploitation: Trivial.
    The advisory provides examples of how to easily exploit the
    vulnerabilities.

    Status: Vendor has not confirmed, no patch available.

    References:
    Bugtraq Posting:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0027.html

    ISS Advisories:
    http://www.iss.net/security_center/static/10296.php
    http://www.iss.net/security_center/static/10298.php
    http://www.iss.net/security_center/static/10299.php

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5865
    http://online.securityfocus.com/bid/5866
    http://online.securityfocus.com/bid/5867

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    *******************************
            Exploit Codes
    *******************************

    (5) Windows 2000 NetDDE LOCAL/SYSTEM Privilege Escalation Exploit

    Affected Products:
    Microsoft Windows 2000 (all versions and service pack levels)

    Name of Exploit:
    GetAd.c
    GetAd.exe

    Description:
    An attacker that gains unprivileged access to a Windows 2000 system
    can leverage the Winlogon NetDDE Agent to escalate the attacker's
    privileges to the LOCAL/SYSTEM level. The principle behind this
    attack is well known and is not expected to be addressed
    by Microsoft. This proof-of-concept exploit starts an administrative
    command shell on vulnerable systems when run by an unprivileged user.
    The underlying attack technique has been called "shatter", and involves
    an unprivileged process passing code to a higher privileged process
    for execution. Any Windows 2000 vulnerability that allows execution
    of code at an unprivileged level could potentially be exploited to
    allow LOCAL/SYSTEM access if the intruder crafts the attack to also
    take advantage of this issue.

    Security Advisory, Exploit Source and Compiled Binary:
    http://getad.chat.ru/

    SecurityFocus Info (includes list of vulnerable systems):
    http://online.securityfocus.com/bid/5927/info

    Exploit Code Posted to PacketStorm:
    http://www.packetstormsecurity.nl/filedesc/GetAd.c.html

    Paper about Shatter Attacks:
    http://security.tombom.co.uk/shatter.html

    Council Site Actions:
    Most of the reporting council sites acknowledged this as a potential
    problem, but not one to be overly concerned about at this time. Most
    sites will monitor for when a patch is available and then determine
    if the patch should be applied. Several council sites stated that
    the frequently announced LOCAL/SYSTEM privilege escalation exploits
    are one reason why they do not use Windows systems for sensitive
    applications within their organizations.

    ===========================================================

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal, and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the list through the major system manufacturers and jointly publish
    it every week as the Security Alert Consensus (SAC). Anyone may
    subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been on
    the front lines of intrusion detection and vulnerability testing for
    nearly five years and her work in the field is legendary. The product
    she helps update, TippingPoint's UnityOne (www.tippingpoint.com),
    builds an active intrusion detection and suppression system into the
    network infrastructure of its clients.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
    exploiting the vulnerability can disrupt critical or large segments of
    a network (e.g. Internet facing services) or if the impact involves
    a remote exploit that provides root access to the host. Typically,
    for CRITICAL vulnerabilities, the vulnerability is easy or trivial to
    exploit and/or exploit code is available. Critical vulnerabilities
    usually involve server systems and/or high-value assets. Remediation
    for alerts of this nature should begin within 48 hours, and in some
    cases immediately, depending on the widespread use of the technology
    within your organization.

    HIGH: Vulnerabilities are rated HIGH if the impact of exploiting the
    vulnerability is not as severe as CRITICAL alerts and the affected
    software/platforms are generally not critical services within the
    organization. A HIGH vulnerability may be something that affects
    the client side (user hosts) and not services such as Mail, DNS,
    Web, etc. Typically, there is a higher degree of difficulty in
    exploiting HIGH vulnerabilities. Exploit code may not be available,
    or the attacker must entice the victim (e.g. visit a server or run an
    attachment) to exploit the code. Remediation for alerts of this nature
    should begin within five business days. If there is widespread use of
    the technology at your organization or critical hosts are involved,
    the remediation effort should begin sooner.

    MODERATE: Vulnerabilities are rated MODERATE if the probable impact
    of exploiting the vulnerability is considered low due to the limited
    severity of the vulnerability, or there is a very high degree of
    difficulty in exploiting the vulnerability, and an exploit is not
    available in the wild. Moderate vulnerabilities may require the
    attacker to have some type of user privileges or entice the victim in
    order to exploit the problem. Remediation for alerts of this nature
    should begin within 15 business days. If there is widespread use of
    this technology at your organization or you run the affected software
    on critical hosts, the remediation efforts should begin sooner.

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers of
    organizations with at least 1000 systems, to GIAC certified security
    professionals, and to recent alumni of SANS courses. Others may
    also subscribe. Registered users may forward the CVA to others.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers. No posting is allowed to web sites.

                             ==end==
