From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Nov 18 2002 - 07:55:48 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
                      SANS Critical Vulnerability Analysis
    November 18, 2002 Vol. 1. No. 17
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers and
    networks from exploits of the reported vulnerabilities. See "About
    the CVA Process and Council" at the end of this note for more data
    on how the report is compiled.
    ***********************************************************************

    Table of Contents:
    - ------------------
    Widely deployed software:
    (1) HIGH: BIND Multiple Vulnerabilities

    Other software:
    (2) HIGH: Macromedia ColdFusion/JRun IIS ISAPI Buffer Overflow
    (3) MODERATE: Linux html2ps/lprng Remote Command Execution
        Vulnerability
    (4) LOW: NetWare iManager eMFrame Distinguished Name Buffer Overflow

    ***Sponsor: SANS Cyber Defense Initiative Training in San Francisco***

    Planning to implement a vulnerability reduction program in 2003?

    Make sure you have someone attending SANS' San Francisco training
    program December 10-15. The two-evening, step-by-step vulnerability
    remediation training session and the exhibition are open to everyone
    who attends any of the nine in-depth security training tracks. Seven
    of the tracks are hands-on. http://www.sans.org/CDI02

    **********************************************************************

    *******************************
       Widely Deployed Software
    *******************************

    (1) HIGH: ISC BIND Multiple Vulnerabilities

    Affected Products:
    ISC BIND 8 versions up to and including 8.3.3-REL
    ISC BIND 4 versions up to and including 4.9.10-REL

    Description:
    BIND versions 4 and 8 contain a buffer overflow in the handling of
    cached SIG resource records, allowing execution of arbitrary code with
    the privileges of the "named" server process, typically root. For an
    attack to be successful, a victim server must use recursion so that
    (malicious) data received from remote authoritative nameservers is
    cached. The buffer overflow occurs when the victim later retrieves
    malicious data from the cache and packages it for inclusion in a DNS
    response message. BIND 8 is also vulnerable to two denial of service
    attacks that disable the server.

    Risk: Remote compromise/remote exploit.
    Remote root compromise of DNS server, or remotely cause the DNS
    service to crash.

    Deployment: Huge.
    According to ISS, these vulnerabilities "affect nearly all currently
    deployed recursive DNS servers on the Internet". ISC BIND 4 and BIND
    8 are known to be vulnerable and have recursion enabled by default.
    Other vendors' products may also be vulnerable.

    Ease of Exploitation: Unknown.
    The attacker must be in a position to reply maliciously to a forwarded
    request from a recursive victim nameserver. Thus, the attacker must
    control or impersonate a nameserver that is authoritative for some
    domain. Russ Cooper of NTBugtraq states "our analysis shows that an
    attack based on these vulnerabilities will be trivial". ISS claims that
    no exploits are currently known to exist in the attacker community.
    However, exploits should be expected soon given the large high-value
    victim pool, the difficulty in fixing affected servers (see Status
    section), and the availability of technical vulnerability information
    via the ISC's "diff"-based patches. Further, because ISC pre-released
    patches to a selected set of paying customers, it should be assumed
    that attackers possessed the vulnerability information necessary for
    exploitation at least a week before the issue was publicly announced.

    Status: These vulnerabilities have been confirmed by the ISC, and
    that organization strongly suggests upgrading to BIND 9.2.1. Patches
    for the following versions have been posted: BIND 4.9.10, BIND 8.2.6,
    and BIND 8.3.3. Updated versions of the BIND 4 and BIND 8 packages
    with the fixes included are still under development. Many other vendors
    are still researching the issue and have not yet released patches, due
    to an extreme lack of coordination during the disclosure process. For
    example, some open source operating system vendors were notified only
    12 hours prior to the release of the CERT advisory, and even then claim
    they were not provided with adequate technical detail to prepare fixes.
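The description above makes the attack path depend on two things an operator can inventory: a BIND version inside the affected ranges, and recursion being enabled so that data from remote authoritative servers gets cached. The following script is an added example (it is not part of the SANS CVA, nor ISC code) that turns those two facts into a per-server action label. It assumes the version strings were gathered out of band, for instance from the CHAOS-class `version.bind` TXT record that many BIND installations answer, and that whether each server recurses for outside clients is known from its configuration; hostnames and answers in the sample inventory are constructed.

```python
# Added example (not part of the SANS CVA text): triage DNS servers against
# the affected ranges in item (1) and the recursion precondition the advisory
# describes. Version strings are assumed to come from an out-of-band check
# such as the CHAOS-class "version.bind" TXT record; the recursion flag is
# assumed to come from each server's configuration.
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges stated in the advisory: BIND 8 up to and including 8.3.3-REL,
# BIND 4 up to and including 4.9.10-REL. Keyed by major version.
AFFECTED_MAX: Dict[int, Tuple[int, int, int]] = {
    8: (8, 3, 3),
    4: (4, 9, 10),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(answer: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version.bind answer.

    Accepts release suffixes such as "8.3.3-REL" or "8.2.6-REL-NOESW" and
    returns None when no version number is present (e.g. an operator has
    replaced the banner with "not disclosed").
    """
    m = _VERSION_RE.search(answer)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True if the version falls inside a range the advisory lists as affected.

    A version string alone cannot show whether the ISC source patch was
    applied to a server that still reports 8.3.3, so True means "verify the
    patch or upgrade", not "definitely unpatched".
    """
    ceiling = AFFECTED_MAX.get(version[0])
    return ceiling is not None and version <= ceiling


def triage(server: str, answer: str, recursive: bool) -> str:
    """Return an action label for one server.

    'immediate' - affected version and recursion enabled: the cached-SIG
                  overflow path the advisory describes is open
    'patch'     - affected version but no recursion: the overflow needs
                  cached remote data, but the version is still affected
    'verify'    - version hidden; check the binary or package by hand
    'none'      - version outside the affected ranges (e.g. BIND 9.2.1)
    """
    version = parse_version(answer)
    if version is None:
        return "verify"
    if not in_affected_range(version):
        return "none"
    return "immediate" if recursive else "patch"


def triage_all(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group servers by action label so the 'immediate' set is visible at a glance."""
    groups: Dict[str, List[str]] = {"immediate": [], "patch": [], "verify": [], "none": []}
    for server, answer, recursive in inventory:
        groups[triage(server, answer, recursive)].append(server)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version.bind answer, recursion on?)
    SAMPLE = [
        ("ns1.example.test", "8.3.3-REL", True),
        ("ns2.example.test", "9.2.1", True),
        ("ns3.example.test", "4.9.10-REL", False),
        ("ns4.example.test", "not disclosed", True),
        ("ns5.example.test", "8.3.4-REL", True),
    ]
    for label, hosts in triage_all(SAMPLE).items():
        print(f"{label:10s} {', '.join(hosts) or '-'}")
```

The "patch" bucket exists because the advisory ties the overflow to recursion, not because non-recursive servers are safe to leave alone: a server inside the affected range still needs the ISC patch or the upgrade to 9.2.1, it is simply not first in line.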

    References:
    - -----------------
    ISS Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0071.html
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

    Internet Software Consortium (ISC) Advisory and Patches:
    http://www.isc.org/products/BIND/bind-security.html

    CERT Advisory:
    http://www.cert.org/advisories/CA-2002-31.html

    Debian Posting:
    http://www.debian.org/security/2002/dsa-196
    http://online.securityfocus.com/advisories/4684

    Russ Cooper NTBugtraq Posting:
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q4/0065.html

    Red Hat Posting:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0041.html

    User Posting about Difficulty Getting ISC Patches (after the
    vulnerability was announced, but before the patches were posted):
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0166.html

    SAC Information about the BIND Vulnerability Disclosure Process Failure
    http://archives.neohapsis.com/archives/securityexpress/2002/0044.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6160
    http://online.securityfocus.com/bid/6159
    http://online.securityfocus.com/bid/6161
    http://online.securityfocus.com/bid/6186

    Council Site Actions:
    All council sites treated this issue as a serious problem that
    required immediate action. Two of the council sites had already
    upgraded to BIND V9, thus no action was necessary. One of the council
    sites upgraded to BIND V9 as a result of the alert. Another council
    site was in the process of upgrading to BIND 9, and the series of
    alerts motivated that site to finish the upgrade ahead of schedule.
    One council site reported that it had over 1000 DNS servers, but most
    were running BIND V9. They are taking action to patch or disable
    the servers that are running older versions. Other council sites are
    either waiting for vendor supplied patches or are in the process of
    testing the ISC patches.

    ***************************
         Other Software
    ***************************

    (2) HIGH: Macromedia ColdFusion/JRun IIS ISAPI Buffer Overflow

    Affected Products:
    Macromedia ColdFusion MX (version 6.0)(IIS ISAPI)
    Macromedia JRun 4.0, 3.1 and 3.0 (IIS ISAPI)

    Description:
    The Macromedia JRun and ColdFusion IIS ISAPI handlers have a buffer
    overflow vulnerability in the handling of very long filenames requested
    via HTTP. A remote attacker can overwrite various structures in heap
    memory and execute arbitrary code with SYSTEM privileges.

    Risk: Remote compromise.
    Remote SYSTEM-level compromise of IIS servers running Macromedia
    ColdFusion or JRun ISAPI handlers.

    Deployment: Significant.
    Macromedia JRun and ColdFusion are deployed at thousands of
    organizations worldwide. However, ColdFusion MX currently has
    a much smaller deployed base than previous ColdFusion versions
    (e.g. ColdFusion 5), which are not affected by this vulnerability.

    Ease of Exploitation: Straightforward.
    The advisory provides examples of how to trigger the overflow,
    which only requires issuing an HTTP GET request for "filename.jsp"
    (for JRun) or "filename.cfm" (for ColdFusion) where "filename" is
    longer than 4096 characters. eEye states that it is "rather trivial"
    for attackers to exploit the flaw to compromise systems.

    Status: Vendor confirmed, patches available. The ColdFusion MX patch
    has been out since June 27th, 2002. The JRun patch is a cumulative
    patch.
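The request shape described in the Ease of Exploitation paragraph is easy to recognise after the fact in web server logs, which is useful for confirming that an unpatched host was not already probed before the fix went on. The script below is an added example (not eEye's or Macromedia's code) that scans IIS W3C extended log lines for GET requests to a `.jsp` or `.cfm` resource whose filename exceeds the 4096-character threshold the advisory gives. It assumes the usual `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` field order unless the log declares its own `#Fields:` line; the sample log lines at the bottom are constructed.

```python
# Added example (not eEye's or Macromedia's code): scan IIS W3C extended log
# lines for the request shape item (2) describes, a GET for a .jsp or .cfm
# resource whose filename exceeds 4096 characters. Field order is assumed to
# be "date time c-ip cs-method cs-uri-stem cs-uri-query sc-status" unless the
# log carries a "#Fields:" line, which the parser honours when present.
import posixpath
from typing import Dict, Iterable, List
from urllib.parse import unquote

FILENAME_LIMIT = 4096          # threshold stated in the advisory
HANDLED_EXTENSIONS = (".jsp", ".cfm")

DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "sc-status"]


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts, honouring '#Fields:' headers."""
    fields = list(DEFAULT_FIELDS)
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date) carry no requests
        values = line.split(" ")
        if len(values) < len(fields):
            continue  # truncated line; skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def is_overlong_isapi_request(record: Dict[str, str]) -> bool:
    """True when cs-uri-stem names a .jsp/.cfm file whose base name is too long.

    The stem is percent-decoded first so an encoded filename is measured at
    the length the ISAPI handler would see, and only the final path segment
    is measured, since the advisory concerns the filename, not the whole path.
    """
    stem = unquote(record.get("cs-uri-stem", ""))
    name = posixpath.basename(stem)
    root, ext = posixpath.splitext(name)
    return ext.lower() in HANDLED_EXTENSIONS and len(root) > FILENAME_LIMIT


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that match the overlong-filename pattern."""
    return [r for r in parse_w3c(lines) if is_overlong_isapi_request(r)]


# Constructed sample log: one benign .cfm request, one overlong .cfm request,
# one long-but-under-threshold .jsp request.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-11-18 07:55:48 192.0.2.10 GET /index.cfm - 200",
    "2002-11-18 07:56:01 192.0.2.20 GET /" + "A" * 5000 + ".cfm - 500",
    "2002-11-18 07:56:05 192.0.2.30 GET /app/" + "B" * 100 + ".jsp - 200",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        ext = posixpath.splitext(hit["cs-uri-stem"])[1]
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} overlong {ext} "
              f"request, status {hit['sc-status']}")
```

Matching on the decoded basename rather than the raw line length keeps false positives down on sites with long query strings or deep paths; a hit on a host that was unpatched at the time of the request is worth a closer look at that host, since the advisory describes the outcome as SYSTEM-level code execution.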

    References:
    - ------------
    eEye Security Advisory:
    http://www.eeye.com/html/Research/Advisories/AD20021112.html

    ColdFusion Patches:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23161

    JRun Patches:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23500

    Council Site Actions:
    All but one of the council sites reported that the affected software
    is not in production or widespread use, thus no action was necessary.
    The one remaining council site has notified the web support staff to
    verify the software is not in use.

    **************************************************************

    (3) MODERATE: Linux html2ps/lprng Remote Command Execution Vulnerability

    Affected Products:
    html2ps utility installed as a LPRng print filter

    Description:
    SuSE and Debian have released somewhat conflicting advisories
    concerning a vulnerability in the html2ps utility when it is installed
    as an LPRng print filter. SuSE is credited with discovering the flaw,
    and states that the html2ps vulnerability allows remote attackers
    to execute arbitrary commands in the context of the "lp" user. In
    contrast, Debian states that the html2ps problem is only exploitable
    once the attacker has already gained access to the "lp" account via
    other methods. SuSE's advisory further discusses a different bug with
    the runlpr program that allows the "lp" user to execute arbitrary
    commands as root, and notes that, taken together, the html2ps bug
    and the runlpr bug enable remote root compromise.

    Risk: Possible remote root compromise of Linux systems.

    Deployment: Moderate.
    The vulnerable software is included with some popular Linux
    distributions, and is installed as part of the LPRng print system.

    Ease of Exploitation: Unknown.
    Few technical details were provided.

    Status: Vendor confirmed, fixed software available.

    References:
    - -----------------
    SuSE Advisory:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0471.html

    Debian Advisory:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0515.html

    html2ps Home Page:
    http://www.tdb.uu.se/~jan/html2ps.html

    SecurityFocus "runlpr Privilege Escalation" Vulnerability:
    http://online.securityfocus.com/bid/6077

    SecurityFocus "html2ps Remote Command Execution" Vulnerability:
    http://online.securityfocus.com/bid/6079

    Council Site Actions:
    Only one of the reporting council sites is running the affected
    software. That site has many Debian/GNU Linux systems, but few SuSE
    Linux systems. For now, they are relying on Debian's information that
    exploitation requires that the attacker had previously compromised
    the lp account. With this limitation, they do not consider the
    problem to be substantial and will rely on the administrators of the
    Debian/GNU Linux systems to apply the update according to their own
    normal procedures.

    The remaining council sites reported that the affected software is not
    in production or widespread use.

    **************************************************************

    (4) LOW: NetWare iManager eMFrame Distinguished Name Buffer Overflow

    Affected Products:
    iManager eMFrame running on NetWare 6 SP2

    Description:
    iManager eMFrame contains a buffer overflow vulnerability in the
    handling of very long user names supplied during the authentication
    process. If an attacker supplies a Distinguished Name longer than
    255 characters, eMFrame will terminate. It is not known whether the
    condition can be exploited to execute attacker-supplied code.

    Risk: Denial of service, possible code execution due to a buffer
    overflow.

    Deployment: Moderate.
    The affected software appears popular with NetWare 6 users.

    Ease of Exploitation: Trivial/Unknown.
    It is trivial to cause a denial of service. No information is available
    concerning potential code execution.

    Status: Vendor confirmed, patch available.

    References:
    - ------------
    Novell Security Advisory:
    http://archives.neohapsis.com/archives/novell/2002-q4/0000.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6154/discussion/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    ************************************************************

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor web
    sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of
    all new vulnerabilities and major vulnerability announcements made
    during the week. The SANS Institute and Network Computing Magazine vet
    the list through the major system manufacturers and jointly publish
    it every week as the Security Alert Consensus (SAC). Anyone may
    subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
    exploiting the vulnerability can disrupt critical or large segments of
    a network (e.g. Internet facing services) or if the impact involves
    a remote exploit that provides root access to the host. Typically,
    for CRITICAL vulnerabilities, the vulnerability is easy or trivial to
    exploit and/or exploit code is available. Critical vulnerabilities
    usually involve server systems and/or high-value assets. Remediation
    for alerts of this nature should begin within 48 hours, and in some
    cases, immediately depending on the widespread use of the technology
    within your organization.

    HIGH: Vulnerabilities are rated HIGH if the impact of exploiting the
    vulnerability is not as severe as CRITICAL alerts and the affected
    software/platforms are generally not critical services within the
    organization. A HIGH vulnerability may be something that affects
    the client side (user hosts) and not services such as Mail, DNS,
    Web, etc. Typically, there is a higher degree of difficulty in
    exploiting HIGH vulnerabilities. Exploit code may not be available,
    or the attacker must entice the victim (e.g. to visit a server or run
    an attachment) in order to exploit the flaw. Remediation for alerts of
    this nature should begin within five business days. If there is
    widespread use of the technology at your organization or critical
    hosts are involved, the remediation effort should begin sooner.

    MODERATE: Vulnerabilities are rated MODERATE if the probable impact
    of exploiting the vulnerability is considered low due to the limited
    severity of the vulnerability, or there is a very high degree of
    difficulty in exploiting the vulnerability, and an exploit is not
    available in the wild. Moderate vulnerabilities may require the
    attacker to have some type of user privileges or entice the victim in
    order to exploit the problem. Remediation for alerts of this nature
    should begin within 15 business days. If there is widespread use of
    this technology at your organization or you run the affected software
    on critical hosts, the remediation efforts should begin sooner.

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers of
    organizations with at least 1000 systems, to GIAC certified security
    professionals, and to recent alumni of SANS courses. Eligible
    recipients may register all other technical and managerial security
    staff in their organizations, or may forward it to any such persons
    in their organizations, but not to people outside their organizations.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE92Ojx+LUG5KFpTkYRAtcvAJ0RKWFklgGTCQ6sVNmlmuSKJ7U8egCdGKq2
    /ya9KtMYDvnHaJIyj+JmxKQ=
    =rFyh
    -----END PGP SIGNATURE-----