From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Dec 02 2002 - 08:08:40 CST



    ***********************************************************************
                    SANS Critical Vulnerability Analysis
    December 1, 2002 Vol. 1. No. 19
    ***********************************************************************
    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.

    ***********************************************************************

    Table of Contents:

    Widely Deployed Software
    (1) HIGH: Simultaneous Queries DNS Spoofing Vulnerability
    (2) MODERATE: Solaris XFS Daemon Buffer Overflow
    (3) LOW: RealPlayer/RealOne Multiple Buffer Overflows
    (4) LOW: Netscape/Sun Java Runtime Environment zlib Double Free Bug

    Other Software
    (5) HIGH: WSMP3d Web/MP3 Server Multiple Buffer Overflows
    (6) MODERATE: NetScreen Multiple Vulnerabilities

    ********** This Week's Sponsor: SANS CDI Programs *********************

    SANS Cyber Defense Initiative Conferences in
     - San Francisco (12/15-20/02) - http://www.sans.org/CDI02
     - New Orleans (1/13-18/03) - http://www.sans.org/CDI03NewOrleans
     - Austin (1/12-17/03) - http://www.sans.org/CDI03Austin
     - San Antonio (1/25-30/03) - http://www.sans.org/CDI03SanAntonio
    featuring SANS most popular immersion training tracks, from Security
    Essentials to Auditing to Hacker Exploits, to Intrusion Detection
    to UNIX and Windows hardening. The instructors at these programs
    include all of SANS top rated faculty. San Francisco also features a
    special evening program for all attendees on Implementing a SANS/FBI
    Top Twenty vulnerability remediation program.

    ***********************************************************************

    ***********************************************************************
    Widely Deployed Software
    ***********************************************************************

    (1) HIGH: Simultaneous Queries DNS Spoofing Vulnerability

    Affected Products:
    ISC BIND 4.9.11 and prior
    ISC BIND 8.2.7 and prior, and 8.3.4 and prior
    Other DNS server implementations may also be vulnerable

    Description:
    A remote attacker can use an adaptation of the probabilistic "birthday
    attack" to trick a DNS server into accepting a spoofed name query
    response with far fewer packets than a brute force attack requires. If
    the attacker generates multiple spoofed DNS queries for the same
    resource record sourced from different IP addresses, a vulnerable
    server will forward all of the queries, thus entering a state where
    there are multiple open server requests for the same record. At this
    point the attacker can send many spoofed DNS replies to the server,
    and has a surprisingly good chance of successfully causing the server
    to accept a fake response.

    Risk: Remote attackers can cause DNS servers to accept, and possibly
    cache, false DNS record information. By controlling the mapping between
    hostnames and IP addresses in this manner, attackers can masquerade
    as any desired Internet server.

    Deployment: Huge. Some experts estimate that 60% of currently deployed
    DNS servers are vulnerable.

    Ease of Exploitation: Straightforward. This attack has been reasonably
    well known in the DNS developer community for some time, thus it is
    likely that attackers were also aware of the vulnerability prior to
    the public announcement. Some reports indicate that the vulnerability
    is being actively exploited.

    Status: Vendor confirmed. The recommended action is to upgrade to BIND
    9.2.1. Administrators can also reduce risk by limiting a server's
    use of recursion, as non-recursive name servers are more resistant
    to exploitation.
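The figures below quantify the exposure this item describes: a resolver that keeps several open queries for the same record is matched by a forged reply far sooner than one that keeps a single query open, which is the brute-force baseline the text contrasts against. This is an added illustration, not code from SANS, CAIS or ISC; the model (independent uniformly random 16-bit transaction IDs, a hit whenever a forged ID matches any open query, distinct forged IDs, no source-port or other checks) is a constructed simplification.

```python
"""Exposure of a resolver with n open queries for one record to m forged
replies, under the constructed model stated in the lead-in.
"""
import math
import random

ID_SPACE = 65536  # 16-bit DNS transaction ID


def p_forgery_accepted(outstanding: int, forged_replies: int,
                       space: int = ID_SPACE) -> float:
    """P(at least one forged reply matches an open query).

    Each open query misses all m distinct forged IDs with probability
    (N - m) / N, independently of the others, so
    P(hit) = 1 - ((N - m) / N) ** n.  With n = 1 this is the brute-force
    figure m / N.
    """
    n, m, N = outstanding, forged_replies, space
    if n <= 0 or m <= 0:
        return 0.0
    if m >= N:
        return 1.0
    return 1.0 - ((N - m) / N) ** n


def replies_needed(target_p: float, outstanding: int,
                   space: int = ID_SPACE) -> int:
    """Smallest number of distinct forged replies that reaches target_p."""
    if not 0.0 < target_p < 1.0 or outstanding <= 0:
        raise ValueError("need 0 < target_p < 1 and outstanding > 0")
    # invert P(hit) = 1 - (1 - m/N)^n for m
    return math.ceil(space * (1.0 - (1.0 - target_p) ** (1.0 / outstanding)))


def simulate(outstanding: int, forged_replies: int, trials: int = 2000,
             seed: int = 1, space: int = ID_SPACE) -> float:
    """Monte Carlo cross-check of p_forgery_accepted under the same model."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        open_ids = {rng.randrange(space) for _ in range(outstanding)}
        forged = rng.sample(range(space), forged_replies)
        hits += any(f in open_ids for f in forged)
    return hits / trials


if __name__ == "__main__":
    print("open queries  forged replies  P(spoof accepted)")
    for n, m in ((1, 300), (1, 1000), (100, 300), (300, 300), (700, 700)):
        print(f"{n:>12}  {m:>14}  {p_forgery_accepted(n, m):>17.3f}")
    print("replies for 50% with one open query:", replies_needed(0.5, 1))
    print("replies for 50% with 200 open queries:", replies_needed(0.5, 200))
    print("simulated P for (300, 300):", simulate(300, 300))
```

The single-open-query rows are the reference point: a server that never holds more than one outstanding query per record is back on the brute-force line, which is why the item's advice to reduce reliance on recursion matters.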

    References:

    CERT Vulnerability Note:
    http://www.kb.cert.org/vuls/id/457875

    CAIS/RNP (Brazilian Research Network PSIRT) Security Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0087.html

    Bugtraq Discussions:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0360.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0344.html

    Council Site Actions:
    Some council members are treating the issue as already well-known and
    are taking no immediate action to upgrade servers, but are watching for
    signs of exploitation and taking other actions to mitigate risk. Other
    sites are either already running BIND 9 or have recommended that
    administrators upgrade to BIND 9.

    ***********************************************************************

    (2) MODERATE: Solaris XFS Daemon Buffer Overflow

    Affected products:
    Solaris 2.5.1, 2.6, 7, 8 (Sparc/Intel)
    Solaris 9 (Sparc)
    Solaris 9 Update2 (Intel)

    Description:
    The Solaris X Window Font Service (XFS) daemon, fs.auto, contains a
    remotely exploitable buffer overflow. The affected service is installed
    and listening on port 7100/tcp by default in all versions of Solaris.
    Remote attackers can exploit the flaw to execute arbitrary code with
    the privileges of the "nobody" user.

    Risk: Remote compromise of Solaris systems running XFS.

    Deployment: Huge. This vulnerability affects all default installations
    of Solaris.

    Ease of Exploitation: Unknown. Few technical details were provided. An
    attacker would need to experiment with sending malformed requests to
    a listening XFS daemon to discover how to trigger the vulnerability.

    Status: Vendor confirmed, patches currently under development.
    Administrators can also restrict access to port 7100/tcp at the
    network perimeter as a workaround.

    References:

    CERT Advisory:
    http://archives.neohapsis.com/archives/cc/2002-q4/0007.html

    ISS Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0092.html

    X Font Service Protocol Specification:
    http://www.x-docs.org/FSProtocol/fsproto.pdf

    Council Site Actions:
    Most council sites were not affected as XFS is not included in their
    organization's standard Solaris image. One site reported that they
    will notify administrators of affected systems when patches become
    available from Sun, or if reports of active exploitation are received.

    ***********************************************************************

    (3) LOW: RealPlayer/RealOne Multiple Buffer Overflows

    Affected Products:
    RealOne / RealPlayer / RealOne Enterprise media players

    Description:
    Three exploitable buffer overflows have been found in the Real
    Networks media players. It is possible for an attacker to craft
    specially formatted multimedia files that, when processed by Real
    Player, execute attacker-supplied code in the security context of
    the currently logged on user.

    Risk: Client compromise.

    Deployment: Large. There are an estimated 115 million users of the
    affected products worldwide.

    Ease of Exploitation: Challenging. The attacker must build either a
    stack or heap overflow exploit, and some attack scenarios require the
    victim user to execute particular media player commands. Clicking on
    a malicious link can allow a hostile webserver to initiate an attack.

    Status: Vendor confirmed, patch available. However, it has been
    reported that the patch does not fix the problems.

    References:

    NGSSoftware Vulnerability Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0085.html

    Vendor Announcement and Patch:
    http://service.real.com/help/faq/security/bufferoverrun_player.html

    News Article Describing Problems with Patch:
    http://online.securityfocus.com/news/1721

    Council Site Actions:
    Council members reported that they are currently waiting for vendor
    patches that actually fix the vulnerability. One site reported that
    the flaw would need to be actively exploited before any action
    would be taken.

    ***********************************************************************

    (4) LOW: Netscape/Sun Java Runtime Environment zlib Double Free Bug

    Affected Products:
    Sun Java Runtime Environment (JRE)
    Netscape 7 for Linux (includes vulnerable Sun JRE)
    Netscape 6 for Linux and Windows (includes vulnerable Sun JRE)
    HP-UX versions of Java running on any HP-UX platform

    Description:
    Sun's implementations of the Java Runtime Environment (JRE) include
    versions of zlib that are vulnerable to the double free bug reported
    by CERT in March 2002. Some versions of Netscape are affected since
    they include an affected version of the JRE. Theoretically, malicious
    Java applets can exploit the vulnerability to execute arbitrary code
    with the privileges of the program running the JRE.

    Risk: Java client compromise.

    Deployment: Significant. Any product that incorporates a vulnerable
    version of the JRE is vulnerable, including popular versions of
    Netscape.

    Ease of Exploitation: Challenging. No code execution exploits are
    known to exist. Although the vulnerability allows the attacker to
    manipulate the dynamic memory structures of a running program, it is
    uncertain whether the bug could be exploited in practice to execute
    arbitrary code. Depending on how the vulnerable zlib routines are
    called from the JRE, exploitation may only result in a denial of
    service or information leakage.

    Status: Vendor confirmed, updated software available.

    References:

    Sun Security Advisory:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0281.html

    HP Security Advisory:
    http://archives.neohapsis.com/archives/hp/2002-q4/0041.html

    CERT zlib Double Free Vulnerability Information:
    http://www.kb.cert.org/vuls/id/368819
    http://www.cert.org/advisories/CA-2002-07.html

    Council Site Actions:
    Council member actions differed based on the fact that no cases
    of in-the-wild exploitation have yet been reported. Some council
    members intend to wait for such a report before acting. Other members
    have informed their user communities of the Netscape issue, and are
    working with their development teams to ensure that any applications
    developed in-house do not use the vulnerable JRE.

    ***********************************************************************
    Other Software
    ***********************************************************************

    (5) HIGH: WSMP3d Web/MP3 Server Multiple Buffer Overflows

    Affected Products:
    WSMP3d web-server-0.0.6 and prior

    Description:
    WSMP3d is an open source server for Linux that can deliver both
    MP3 and web content to clients. The server contains stack and heap
    buffer overflow vulnerabilities that allow remote attackers to execute
    arbitrary code with root privileges.

    Risk: Remote root compromise of systems running the WSMP3d server.

    Deployment: Small. The open source project appears to be in the early
    stages of development.

    Ease of Exploitation: Trivial. Example exploit code that binds a root
    shell to a TCP port was included with the advisory.

    Status: Vendor has not confirmed, a source code patch was included
    with the advisory.

    References:

    Advisory and Exploit Code:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0091.html

    Vendor site:
    http://wsmp3.sourceforge.net/

    Council Site Actions:
    The affected software is not in use at any of the council sites.
    They reported that no action was necessary.

    ***********************************************************************

    (6) MODERATE: NetScreen Multiple Vulnerabilities

    Affected Products:
    URL Filter Bypass: ScreenOS 4.0.0 and prior
    H.323 DoS: ScreenOS 2.8 through 4.0.0
    Predictable ISNs: ScreenOS 4.0.0 and prior

    Description:
    NetScreen devices fail to provide protection against HTTP attacks
    where a malicious URL is fragmented into multiple packets. This flaw
    allows attackers to evade the filtering mechanism and attack hosts
    protected by the firewall using freely available tools. In addition,
    a remote attacker can consume all firewall session state resources
    by causing the device to track too many half-open H.323 control
    sessions, resulting in a "complete denial of service". The device
    also generates predictable TCP initial sequence numbers, making it
    vulnerable to TCP sequence number guessing attacks.

    Risk: Remote attackers can evade the firewall's HTTP attack
    filtering mechanism, cause the device to fail, and possibly bypass
    IP address-based authentication mechanisms.

    Deployment: Significant. NetScreen devices are deployed in many
    enterprise networks.

    Ease of Exploitation: URL filter evasion -- Trivial. Tools that can be
    used to obfuscate attacks in this manner are freely available. Other
    attacks -- Straightforward.

    Status: Vendor confirmed, updated software available.
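The URL filter bypass in this item is a general lesson for anyone writing inline HTTP inspection: a rule applied to each packet on its own cannot see a request whose filtered path straddles a segment boundary, while the same rule applied to the reassembled TCP stream can. The comparison below is an added illustration, not code from SANS or NetScreen and not a description of ScreenOS internals; the segments, sequence numbers and the filter rule "/admin/" are constructed for the example.

```python
"""Per-packet versus stream-reassembled URL filtering (constructed example)."""
from dataclasses import dataclass

BLOCKED_PATH = "/admin/"  # constructed filter rule


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def per_packet_filter(segments, blocked=BLOCKED_PATH) -> bool:
    """Weak form: inspects each segment's payload in isolation, so a path
    split across two segments is never seen whole."""
    needle = blocked.encode()
    return any(needle in seg.payload for seg in segments)


def reassemble(segments) -> bytes:
    """Concatenate payloads in sequence order, tolerating out-of-order and
    overlapping segments; stop at the first hole so missing data cannot
    silently turn into a false negative for the caller."""
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            break                          # hole in the stream
        overlap = expected - seg.seq       # retransmitted bytes, if any
        stream += seg.payload[overlap:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(stream)


def reassembled_filter(segments, blocked=BLOCKED_PATH) -> bool:
    """Stronger form: rebuilds the stream, then matches the rule against the
    request-target of the HTTP request line as one unit."""
    request_line, _, _ = reassemble(segments).partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    return blocked.encode() in parts[1]


# Constructed samples.  SPLIT_REQUEST is one request in three segments with
# the filtered path straddling the first boundary, delivered out of order.
SPLIT_REQUEST = [
    Segment(0, b"GET /adm"),
    Segment(28, b"Host: example.test\r\n\r\n"),
    Segment(8, b"in/config HTTP/1.0\r\n"),
]
WHOLE_REQUEST = [Segment(0, b"GET /admin/config HTTP/1.0\r\nHost: example.test\r\n\r\n")]
BENIGN_REQUEST = [
    Segment(0, b"GET /index.html HTTP/1.0\r\n"),
    Segment(26, b"Host: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for name, req in (("split", SPLIT_REQUEST), ("whole", WHOLE_REQUEST),
                      ("benign", BENIGN_REQUEST)):
        print(f"{name:>6}: per-packet={per_packet_filter(req)!s:<5} "
              f"reassembled={reassembled_filter(req)}")
```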

    References:

    URL Filter Bypass:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0093.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0094.html

    H.323 DoS:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0096.html

    Predictable ISNs:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0095.html

    Council Site Actions:
    The affected product is not in use at any of the council sites.
    They reported that no action was necessary.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are given below. These
    recommendations should be tailored according to the level of deployment
    of the affected product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers, to
    GIAC certified security professionals, and to recent alumni of SANS
    courses. Eligible recipients may register all other technical and
    managerial security staff in their organizations, or may forward it
    to any such persons in their organizations, but not to people outside
    their organizations.

    To change your subscription, address, or other information, visit
    https://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==
