 
From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Oct 28 2002 - 07:50:22 CST


    From: Alan Paller, Director of Research, SANS

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
                    SANS Critical Vulnerability Analysis
    October 28, 2002 Vol. 1. No. 14
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.
    ***********************************************************************

    Widely Distributed Software
    - ----------------------------
    (1) Moderate: Windows XP Help Center ActiveX Control File Deletion

    Other Software
    - ---------------
    (2) High: VBZoom Bulletin Board Multiple Vulnerabilities
    (3) High: PAM Unstable Release Treats Disabled Passwords as Empty
    (4) Moderate: Heimdal Kerberos kadmind Remote Buffer Overflow
    (5) Low: Cisco Catalyst CatOS Embedded HTTP Server Remote DoS
    (6) Low: NetBSD Short ESP Packet IPSec Remote DoS

    ***** This issue sponsored by SANS CDI Conference in San Francisco*****
    World-class, hands-on training: ten tracks (firewalls, Windows,
    Nix, forensics, management, essentials, intrusion detection, hacker
    exploits, more), for both GIAC and CISSP candidates, all in San
    Francisco, December 15-20. Bonus program: How to implement a top
    20 vulnerability remediation program. Register this week to save.
    Complete program at http://www.sans.org/CDI02/
    ***********************************************************************

    *******************************
       Widely Deployed Software
    *******************************

    (1) MODERATE: Windows XP Help Center ActiveX Control File Deletion

    Affected Products:
    Microsoft Windows XP Systems

    Description:
    A malicious website or HTML-formatted email can delete arbitrary
    files on Windows XP systems as soon as the hostile page is opened.
    The problem arises because XP's Help Center ActiveX control exposes
    functionality to web pages that should only be available to the local
    system. A victim user would be aware of the attack upon seeing the
    Help Center console open unexpectedly, but would be unable to prevent
    the file deletion except by killing the process (even selecting Cancel
    does not stop the attack).

    Risk:
    Arbitrary file deletion on Windows XP systems by a hostile website
    or HTML email.

    Deployment: Huge.
    The vulnerability affects all Windows XP users.

    Exploitation: Trivial.
    The original advisory provided an example of how to exploit the bug
    via a simple link. Other exploits using JavaScript, refreshes or
    other methods are easily written.

    Status: Vendor confirmed, patch and updated service pack available.

    References:
    Microsoft Security Advisory:
    http://www.microsoft.com/technet/security/bulletin/MS02-060.asp
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0005.html

    Original Vulnerability Disclosure and Exploit Information:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0129.html

    Council Site Actions:
    Most of the council sites had limited deployments of XP. One site
    treated this as an urgent issue since the exploit could potentially
    delete files from network shares where users had read/write access.
    This site deployed Service Pack 1 when they were first notified of
    the vulnerability. They used Server Manager to determine which PCs
    connecting to the domain were running XP, and had the local technical
    support people load SP1 on all systems running XP.

    The other council sites that reported deployments of XP plan to roll
    out SP1 with the next regularly scheduled patch update. They commented
    that their perimeter security controls block ActiveX at the borders,
    so there is limited exposure to this vulnerability.

    The remaining reporting council sites are not running any supported
    XP installations and took no action.

    ***************************
         Other Software
    ***************************

    (2) HIGH: VBZoom Bulletin Board Multiple Vulnerabilities

    Affected Products:
    VBZoom Forum CGI Suite version 1.01

    Description:
    The VBZoom Bulletin Board system contains two vulnerabilities that
    can be exploited by a remote, unauthenticated attacker: (1) arbitrary
    user passwords can be reset via SQL injection; and (2) arbitrary
    attacker-supplied PHP script can be uploaded and executed. Other
    arbitrary file types can be uploaded as well.

    Risk:
    Arbitrary attacker-supplied PHP script execution with the privileges
    of the web server process, and arbitrary VBZoom user impersonation.
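    The password-reset injection above is summarised only in outline. The
    following is an added example written for this summary, not VBZoom's
    code: on a constructed two-row table it shows the string-built UPDATE
    that lets a crafted "username" rewrite another account's password, and
    the bound-parameter form that closes the hole. The table, the account
    names and the payload are assumptions; passwords are stored in clear
    only to keep the demonstration short.

```python
import sqlite3

def setup_db():
    """In-memory table with constructed sample rows (not VBZoom's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])
    conn.commit()
    return conn

def reset_password_vulnerable(conn, username, new_password):
    """Builds the UPDATE by string formatting: the user-supplied name becomes SQL."""
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, username)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of accounts whose password was changed

def reset_password_safe(conn, username, new_password):
    """Same operation with a bound parameter: the name is data, never SQL."""
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (new_password, username))
    conn.commit()
    return cur.rowcount

def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

# Attacker-controlled "username": closes the quoted literal early, then
# comments out the rest of the statement, so the WHERE clause targets admin.
PAYLOAD = "admin' --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", reset_password_vulnerable(conn, PAYLOAD, "owned"),
          "row(s) changed; admin password is now", get_password(conn, "admin"))
    conn = setup_db()
    print("safe:", reset_password_safe(conn, PAYLOAD, "owned"),
          "row(s) changed; admin password is still", get_password(conn, "admin"))
```

    With the vulnerable routine the payload changes exactly one row, admin's,
    although the caller never named that account; with the bound parameter the
    same input matches no row at all.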

    Deployment: Unknown.
    The vulnerable software appears to be developed and distributed
    by an Arabic company, thus deployment may be significant in Middle
    Eastern countries.

    Exploitation: Trivial.
    Example exploits for both vulnerabilities were distributed with the
    advisories, and can be executed using a web browser.

    Status: Vendor has not confirmed, no known fix.

    References:
    Bugtraq Postings:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0111.html
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0126.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5926
    http://online.securityfocus.com/bid/5919

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    =============================================================

    (3) HIGH: PAM Unstable Release Treats Disabled Passwords as Empty

    Affected Products:
    PAM version 0.76

    Description:
    PAM version 0.76 treats disabled accounts using a '*' in the password
    field as having an empty password.

    Risk: Remote login exploit.
    Remote attackers can bypass authentication mechanisms and log in to
    vulnerable systems using a disabled account name and no password.
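    The flaw above comes down to one conflation: a '*' in the password
    field means "no valid password, never log in", not "no password
    required". The following is an added example, not PAM's code, that
    parses a constructed shadow-style file, classifies each account as
    hashed, empty or locked, and contrasts a faulty check that lumps '*'
    in with an empty field against one that refuses locked accounts
    outright. The "$demo$" hash format is an assumption used in place of
    crypt(3) so the block runs anywhere; the account data is constructed.

```python
import hashlib
import hmac

SALT = "NaCl"

def demo_hash(password, salt=SALT):
    """Illustrative hash format, not crypt(3); real shadow files use crypt-style hashes."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "$demo$%s$%s" % (salt, digest)

# Constructed shadow-style data (not from any real system). Field 2 is the
# password field: a hash, an empty string (no password) or a lock marker.
SAMPLE_SHADOW = "\n".join([
    "root:%s:11960:0:99999:7:::" % demo_hash("correct-horse"),
    "alice:%s:11960:0:99999:7:::" % demo_hash("battery-staple"),
    "ftp:*:11960:0:99999:7:::",      # disabled with '*', the case in the advisory
    "lp:!:11960:0:99999:7:::",       # locked with '!' (Linux usermod -L style)
    "guest::11960:0:99999:7:::",     # genuinely empty password
])

def parse_shadow(text):
    """Map account name -> password field. Comments and blank lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            accounts[fields[0]] = fields[1]
    return accounts

def classify(field):
    """'empty' (no password), 'locked' ('*' or '!' prefix) or 'hashed'."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    return "hashed"

def _matches(field, password):
    parts = field.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False  # unknown format: never a match
    return hmac.compare_digest(field, demo_hash(password, parts[2]))

def verify_buggy(field, password):
    """Faulty check in the spirit of the report: the lock marker is treated like 'no password'."""
    if field in ("", "*"):
        return password == ""
    return _matches(field, password)

def verify_correct(field, password):
    """Locked accounts never authenticate; empty means empty; otherwise compare the hash."""
    state = classify(field)
    if state == "locked":
        return False
    if state == "empty":
        return password == ""
    return _matches(field, password)

def audit(text):
    """Return {account: state} for every account not protected by a hash."""
    return {name: classify(f) for name, f in parse_shadow(text).items()
            if classify(f) != "hashed"}

if __name__ == "__main__":
    acc = parse_shadow(SAMPLE_SHADOW)
    print("buggy  ftp/'' ->", verify_buggy(acc["ftp"], ""))
    print("fixed  ftp/'' ->", verify_correct(acc["ftp"], ""))
    print("accounts needing attention:", audit(SAMPLE_SHADOW))
```

    The audit function is the check a site would want regardless of the PAM
    version in use: any account that shows up as "empty" is reachable with no
    password on a correct implementation too, and only "locked" entries are
    safe to leave as they are.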

    Deployment: Small.
    The vulnerability affects only PAM version 0.76, which is classified
    as an "unstable" distribution.

    Exploitation: Trivial.
    No exploit required. An attacker could easily write a script to search
    the Internet for systems that allow login using account names that
    are often disabled.

    Status: Vendor confirmed, fixed software available.

    References:
    Debian Security Advisory
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0304.html

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    Several council sites reported they have PAM installations, but
    not the affected version.

    ==============================================================

    (4) MODERATE: Heimdal Kerberos kadmind Remote Buffer Overflow

    Affected Products:
    Heimdal Kerberos releases prior to version 0.5.1 and 0.4enb1

    Description:
    The kadmind daemon of the Heimdal Kerberos package contains a buffer
    overflow that can allow remote attackers to gain root access. kadmind
    provides remote administrative access to the Kerberos authentication
    database. The problem lies in the code that provides version 4
    compatibility.

    Risk:
    Remote root compromise of Kerberos authentication servers running
    kadmind.

    Deployment: Moderate.
    Certain versions of NetBSD, SuSE and Debian contain the vulnerable
    daemon, but kadmind is run only in Kerberos environments and is not
    enabled by default.

    Exploitation: Unknown.
    Few technical details were provided, no exploits are known to exist.

    Status: Vendor confirmed, fixed software available.
     
    References:
    Debian Security Advisory
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0296.html

    NetBSD Security Advisory
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0083.html

    SuSE Security Advisory:
    http://www.suse.com/de/security/2002_034_heimdal.html

    Council Site Actions:
    One council site reported use of this software, and it was used only
    for limited testing. They notified the group doing the testing.
    The other council sites reported that the affected software is not
    in production or widespread use, and that no action was necessary.

    ==============================================================

    (5) LOW: Cisco Catalyst CatOS Embedded HTTP Server Remote DoS

    Affected Products:
    Cisco Catalyst switches running CatOS versions 5.4 through 7.3 whose
    image name contains "cv".

    Description:
    Some versions of CatOS running on Cisco Catalyst switches contain
    a buffer overflow in the embedded CiscoView HTTP server. A remote
    attacker who sends a very long web request to the server can cause
    the switch to reset. The attack can be sent repeatedly, resulting in
    a denial of service.

    Risk:
    A remote attacker can cause Cisco Catalyst switches to reboot
    repeatedly.

    Deployment: Moderate.
    Only some versions of CatOS contain the embedded HTTP server, which
    enables web-based management of the switch. The server is not enabled
    by default.

    Exploitation: Straightforward.
    No detailed technical information has been posted, but an attacker
    would only need to experiment with sending long HTTP requests to
    discover how to reset a vulnerable switch.

    Status: Vendor confirmed, fixed software available. The HTTP server
    can also be disabled as a workaround.

    References:
    Cisco Security Advisory
    http://archives.neohapsis.com/archives/cisco/2002-q4/0001.html

    Council Site Actions:
    Most of the reporting council sites said they require the HTTP
    service to be turned off by default in the switch configurations.
    Most sites also block inbound HTTP requests at the perimeters, thus
    this was considered a low threat.

    A few of the reporting sites said they planned to run a query on their
    switches to verify that HTTP is in fact turned off. All reporting
    council sites with deployed Cisco switches plan to deploy the patch
    during the next regularly scheduled patch cycle for the network
    devices.

    ==============================================================

    (6) LOW: NetBSD Short ESP Packet IPSec Remote DoS

    Affected Products:
    1) NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3, 1.6 beta with IPSec ESP enabled
    in the kernel, and using an ESP security association (SA).
    2) Other vendor products using a KAME-based IPSec implementation may
    also be affected.

    Description:
    The NetBSD IPSec implementation has a vulnerability that could allow
    a remote attacker to cause a kernel panic. The attacker must send a
    very short, specially-formed ESP packet to a victim to trigger the DoS.

    Risk:
    Remote attackers can cause kernel panic on a victim system.
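    The advisory gives no packet-level detail, so the following is an
    added example, not NetBSD's or KAME's code, of the length validation
    an ESP receiver needs before it trusts anything in the packet: the
    fixed 8-byte header (SPI and sequence number), the 2-byte trailer (pad
    length and next header) and the trailing ICV must all fit before any
    subtraction is done, because an unchecked "total minus header minus
    ICV" on a short packet goes negative (in C, a huge unsigned length).
    The ICV length, block size and test packets are assumptions, the
    "encrypted" body is handled in the clear, and no MAC is computed.

```python
import struct

ESP_HEADER_LEN = 8   # SPI (4) + sequence number (4), RFC 2406
ESP_TRAILER_LEN = 2  # pad length (1) + next header (1)

class MalformedESP(ValueError):
    pass

def body_len_unchecked(packet, icv_len=12):
    """What a receiver computes if it subtracts first and checks later."""
    return len(packet) - ESP_HEADER_LEN - icv_len   # negative for a short packet

def parse_esp(packet, icv_len=12, block_size=8):
    """Split an ESP packet into its fields, rejecting any length that would
    otherwise drive a negative or out-of-range slice.

    The body is treated as already decrypted so the block runs stand-alone;
    a real receiver verifies the ICV, then decrypts, then reads the trailer."""
    if len(packet) < ESP_HEADER_LEN + ESP_TRAILER_LEN + icv_len:
        raise MalformedESP("packet too short for header, trailer and ICV: %d bytes"
                           % len(packet))
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    body_end = len(packet) - icv_len
    icv = packet[body_end:]
    body = packet[ESP_HEADER_LEN:body_end]   # payload + padding + trailer
    if len(body) < ESP_TRAILER_LEN or len(body) % block_size != 0:
        raise MalformedESP("body length %d is not a positive multiple of the block size"
                           % len(body))
    pad_len, next_hdr = body[-2], body[-1]
    if pad_len > len(body) - ESP_TRAILER_LEN:
        raise MalformedESP("pad length %d exceeds body" % pad_len)
    payload = body[:len(body) - ESP_TRAILER_LEN - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_hdr, "icv": icv}

def build_esp(spi, seq, payload, next_header=4, block_size=8, icv_len=12):
    """Well-formed ESP packet with self-describing padding and a dummy ICV."""
    pad_len = (-(len(payload) + ESP_TRAILER_LEN)) % block_size
    padding = bytes(range(1, pad_len + 1))
    body = payload + padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + body + b"\x00" * icv_len

def is_rejected(packet):
    """True if the validating parser refuses the packet."""
    try:
        parse_esp(packet)
    except MalformedESP:
        return True
    return False

if __name__ == "__main__":
    good = build_esp(0x1000, 1, b"hello")
    print("good packet:", parse_esp(good))
    short = b"\x00" * 10   # constructed: SPI, part of a sequence number, nothing else
    print("unchecked body length for a 10-byte packet:", body_len_unchecked(short))
    print("validating parser rejects it:", is_rejected(short))
```

    The first three checks are the ones that matter for a short-packet DoS:
    each bounds the next slice or subtraction, so no combination of total
    length, pad length and ICV length can produce a negative or oversized
    index before the packet is dropped.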

    Deployment: Moderate.
    NetBSD users running IPSec ESP are known to be affected.

    Exploitation: Straightforward.
    No detailed technical information has been posted, but an attacker
    would only need to experiment with sending short ESP packets to a
    vulnerable system to discover how to cause the kernel panic.

    Status: Vendor confirmed, fixed software available.

    References:
    NetBSD Security Advisory
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0085.html

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    ==============================================================

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor web
    sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the list through the major system manufacturers and jointly publish
    it every week as the Security Alert Consensus (SAC). Anyone may
    subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
    exploiting the vulnerability can disrupt critical or large segments of
    a network (e.g. Internet facing services) or if the impact involves
    a remote exploit that provides root access to the host. Typically,
    for CRITICAL vulnerabilities, the vulnerability is easy or trivial to
    exploit and/or exploit code is available. Critical vulnerabilities
    usually involve server systems and/or high-value assets. Remediation
    for alerts of this nature should begin within 48 hours, and in some
    cases immediately, depending on the widespread use of the technology
    within your organization.

    HIGH: Vulnerabilities are rated HIGH if the impact of exploiting the
    vulnerability is not as severe as CRITICAL alerts and the affected
    software/platforms are generally not critical services within the
    organization. A HIGH vulnerability may be something that affects
    the client side (user hosts) rather than a service such as mail, DNS
    or web. Typically, there is a higher degree of difficulty in
    exploiting HIGH vulnerabilities. Exploit code may not be available,
    or the attacker must entice the victim (e.g. visit a server or run an
    attachment) to exploit the code. Remediation for alerts of this nature
    should begin within five business days. If there is widespread use of
    the technology at your organization or critical hosts are involved,
    the remediation effort should begin sooner.

    MODERATE: Vulnerabilities are rated MODERATE if the probable impact
    of exploiting the vulnerability is considered low due to the limited
    severity of the vulnerability, or there is a very high degree of
    difficulty in exploiting the vulnerability, and an exploit is not
    available in the wild. Moderate vulnerabilities may require the
    attacker to have some type of user privileges or to entice the victim
    in order to exploit the problem. Remediation for alerts of this nature
    should begin within 15 business days. If there is widespread use of
    this technology at your organization or you run the affected software
    on critical hosts, the remediation efforts should begin sooner.

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers of
    organizations with at least 1000 systems, to GIAC certified security
    professionals, and to recent alumni of SANS courses. Eligible
    recipients may forward this report to other employees of their
    organizations, but not to people outside their organizations.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE9vThw+LUG5KFpTkYRAuGZAJ9El7mnd9T4R6mzjobOZAp4XU9xEACeMiMO
    4oXDfsvHjqeH0tmTULuo9n4=
    =W4a7
    -----END PGP SIGNATURE-----