From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Nov 04 2002 - 07:57:39 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    **********************************************************************
                    SANS Critical Vulnerability Analysis
    November 4, 2002 Vol. 1. No. 15
    **********************************************************************

    This was a very quiet week. Although the SANS Security Alert Consensus
    showed 26 new vulnerabilities, only two are worthy of your review
    for possible immediate action.

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.

    **********************************************************************

    TABLE OF CONTENTS:

    Widely Deployed Software
    - ----------------------------
    (1) Moderate: phpBB Bulletin Board Privilege Escalation Vulnerability

    Other Software
    - ---------------
    (2) Moderate: Kerberos kadmind Buffer Overflow

    ************************ SPONSORED LINKS *****************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Eliminate network vulnerabilities. Retina: #1-Rated Scanner. Now
    with wireless threat detection!
    http://www.sans.org/cgi-bin/sanspromo/CVA01

    (2) Need to patch your computers? Try SysUpdate free - the first
    Anti-Vulnerability application.
    http://www.sans.org/cgi-bin/sanspromo/CVA02
    **********************************************************************

    *******************************
       Widely Deployed Software
    *******************************

    (1) phpBB Bulletin Board Privilege Escalation Vulnerability
    ==================================================================
    Affected Products:
    phpBB CGI Suite version 2.0.0

    Description:
    The admin_ug_auth.php script included in the phpBB CGI suite version
    2.0.0 is used to set user permissions. This script does not properly
    check whether received data has been submitted by an authenticated
    administrator, allowing a malicious user to elevate a normal user
    account to administrative status.

    Risk: Local exploit.
    A regular bulletin board user can gain administrative control over
    the phpBB forum.

    Deployment: Significant.
    PhpBB is reported to be the "world's leading open source flat style
    discussion forum software", and has been downloaded more than 1.2
    million times from SourceForge.

    Ease of Exploitation: Trivial.
    Example exploit code has been posted.

    Status: The affected phpBB version is an older version from April
    2002. Non-vulnerable versions have been available since May.

    References:
    - -----------
    SecurityFocus Bugtraq Posting:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0385.html

    Exploit code:
    http://www.securiteam.com/unixfocus/6F0120A5PU.html

    SourceForge phpBB homepage (get updated software here):
    http://sourceforge.net/projects/phpbb/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.
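    The description above concerns a privileged script that applies a
    permission change without first verifying that the caller is an
    authenticated administrator. The following is an added illustration of
    that pattern and its hardened form; it is not phpBB's code, and the
    function names, the in-memory user table and the request/session arrays
    are constructed for the example. The hardened handler decides on the
    basis of the server-side session (who actually logged in), never on
    fields the client submits.

    ```php
    <?php
    // Added example (not phpBB code): an admin-only "set user level" action,
    // first without, then with, the authorization check the advisory says
    // was missing.

    const USER_LEVEL_NORMAL = 0;
    const USER_LEVEL_ADMIN  = 1;

    // Constructed in-memory user table standing in for the forum database.
    $users = [
        1 => ['username' => 'admin', 'user_level' => USER_LEVEL_ADMIN],
        2 => ['username' => 'alice', 'user_level' => USER_LEVEL_NORMAL],
    ];

    // Missing-check pattern: the change is applied for whoever submits the
    // form, so any logged-in user can promote an account to administrator.
    function set_user_level_unchecked(array &$users, array $request): bool
    {
        $target = (int) ($request['u'] ?? 0);
        $level  = (int) ($request['level'] ?? USER_LEVEL_NORMAL);
        if (!isset($users[$target])) {
            return false;
        }
        $users[$target]['user_level'] = $level;   // nobody asked who is calling
        return true;
    }

    // Hardened pattern: the caller's identity comes from the authenticated
    // session, and only an existing administrator may change user levels.
    function set_user_level_checked(array &$users, array $session, array $request): bool
    {
        $caller = (int) ($session['user_id'] ?? 0);
        if (!isset($users[$caller]) || $users[$caller]['user_level'] !== USER_LEVEL_ADMIN) {
            // Refuse and record the attempt: a non-admin reached an admin action.
            error_log("denied: user $caller attempted a permission change");
            return false;
        }
        $target = (int) ($request['u'] ?? 0);
        $level  = (int) ($request['level'] ?? USER_LEVEL_NORMAL);
        if (!isset($users[$target]) || !in_array($level, [USER_LEVEL_NORMAL, USER_LEVEL_ADMIN], true)) {
            return false;   // unknown target or a level outside the allowed set
        }
        $users[$target]['user_level'] = $level;
        return true;
    }

    // Constructed scenario: alice, a normal user, submits a request that
    // names her own account as the target and asks for the admin level.
    $session = ['user_id' => 2];
    $request = ['u' => 2, 'level' => USER_LEVEL_ADMIN];

    $copy = $users;
    set_user_level_unchecked($copy, $request);
    printf("unchecked handler: alice level is now %d\n", $copy[2]['user_level']);

    $copy = $users;
    $ok = set_user_level_checked($copy, $session, $request);
    printf("checked handler:   allowed=%s, alice level is %d\n",
           $ok ? 'yes' : 'no', $copy[2]['user_level']);
    ```

    Run with the PHP CLI; the unchecked handler leaves alice at the admin
    level, while the checked handler refuses the request and leaves her level
    unchanged. The point of the design is that the authorization decision is
    attached to the session, so it cannot be influenced by anything in the
    submitted form.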

    ***************************
         Other Software
    ***************************

    (2) Moderate: Kerberos kadmind Buffer Overflow
        This is an update to last week's posting.

    Affected Products:
    KTH Heimdal Kerberos prior to version 0.5.1 and 0.4enb1
    KTH eBones Kerberos prior to version 1.2.1
    MIT Kerberos 4 all versions
    MIT Kerberos 5 up to and including krb5-1.2.6
    Other implementations derived from the vulnerable MIT or KTH code
    may also be vulnerable.

    Description:
    The kadmind daemon shipped with multiple versions of KTH and MIT
    Kerberos contains a buffer overflow that can allow remote attackers
    to gain root access. kadmind provides remote administrative access to
    the Kerberos authentication database, and runs on the Key Distribution
    Center (KDC) server of a Kerberos realm. The problem lies in the code
    that provides legacy version 4 compatibility.

    See also item 4 in the SANS CVA V1N14 dated 10/25.

    Risk: Remote compromise.
    Remote root compromise of Kerberos authentication servers running
    kadmind.

    Deployment: Moderate.

    Exploitation: Unknown.
    There have been no substantial details posted. However, MIT reports
    that the vulnerability is being actively exploited and it is assumed
    that exploit code is available.

    Status: Vendor confirmed, fixed software available.

    References:
    - ------------
    MIT Advisory:
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

    Document Describing Potential Attack Signatures for MIT Kerberos:
    http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt

    CERT Advisory CA-2002-29:
    http://www.cert.org/advisories/CA-2002-29.html

    Debian Security Advisory
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0296.html

    NetBSD Security Advisory
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0083.html

    SuSE Security Advisory:
    http://www.suse.com/de/security/2002_034_heimdal.html

    Council Site Actions:
    Several of the reporting council sites have Kerberos V5
    implementations. They took action to verify that compatibility mode
    for V4 was not turned on. The remaining council sites reported that
    they are not running Kerberos.

    **********************************************************************

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor web
    sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the list through the major system manufacturers and jointly publish
    it every week as the Security Alert Consensus (SAC). Anyone may
    subscribe to the SAC at http://www.sans.org/newlook/digests/

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
    exploiting the vulnerability can disrupt critical or large segments of
    a network (e.g. Internet facing services) or if the impact involves
    a remote exploit that provides root access to the host. Typically,
    for CRITICAL vulnerabilities, the vulnerability is easy or trivial to
    exploit and/or exploit code is available. Critical vulnerabilities
    usually involve server systems and/or high-value assets. Remediation
    for alerts of this nature should begin within 48 hours, and in some
    cases, immediately depending on the widespread use of the technology
    within your organization.

    HIGH: Vulnerabilities are rated HIGH if the impact of exploiting the
    vulnerability is not as severe as CRITICAL alerts and the affected
    software/platforms are generally not critical services within the
    organization. A HIGH vulnerability may be something that affects
    the client side (user hosts) and not services such as Mail, DNS,
    Web, etc. Typically, there is a higher degree of difficulty in
    exploiting HIGH vulnerabilities. Exploit code may not be available
    or the attacker must entice the victim (e.g. visit a server or run an
    attachment) to exploit the code. Remediation for alerts of this nature
    should begin within five business days. If there is widespread use of
    the technology at your organization or critical hosts are involved,
    the remediation effort should begin sooner.

    MODERATE: Vulnerabilities are rated MODERATE if the probable impact
    of exploiting the vulnerability is considered low due to the limited
    severity of the vulnerability, or there is a very high degree of
    difficulty in exploiting the vulnerability, and an exploit is not
    available in the wild. Moderate vulnerabilities may require the
    attacker to have some type of user privileges or entice the victim in
    order to exploit the problem. Remediation for alerts of this nature
    should begin within 15 business days. If there is widespread use of
    this technology at your organization or you run the affected software
    on critical hosts, the remediation efforts should begin sooner.

    **********************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers of
    organizations with at least 1000 systems, to GIAC certified security
    professionals, and to recent alumni of SANS courses. Eligible
    recipients may forward this report to other employees of their
    organizations, but not to people outside their organizations.

    Visit http://www.sans.org/newlook/digests for subscription information.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE9xnUv+LUG5KFpTkYRAjUtAJ4oX6RU/UiT93AH3a7B36DXRyS/EgCgkBRz
    kpCY6jSk0JEFC0sFSyTc2s8=
    =FAvF
    -----END PGP SIGNATURE-----