From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Dec 09 2002 - 09:25:24 CST
***********************************************************************
SANS Critical Vulnerability Analysis
December 8, 2002 Vol. 1. No. 20
***********************************************************************
Summary: Every week, the CVA prioritizes and summarizes the most
important vulnerabilities identified during the past week and provides
data on actions taken by security and systems managers at fifteen
very large organizations (the Council) to protect their computers
and networks from exploits of the reported vulnerabilities.
See "About the CVA Process and Council" for more data on how the
report is compiled.
For a free subscription, go to https://www.sans.org/sansnews/
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) HIGH: Sybase Adaptive Server Multiple Buffer Overflows
(2) HIGH: Cyrus IMAP Server Remote Buffer Overflow
(3) HIGH: Samba Encrypted Password Change Request Buffer Overflow
(4) HIGH: Linksys Wireless Router Multiple Vulnerabilities
Other Software
(5) HIGH: Pico HTTP Server (pServ) Multiple Buffer Overflows
****************** This Issue Sponsored by: Qualys **********************
ZAP Top 20 security vulnerabilities - FREE Network Security Scan!
Get INSTANT control of your network security. FREE Web service
automatically finds exposure to Top 20 threats identified by
SANS/FBI. Scan your network today -- in just minutes learn if your
network is susceptible to attack. Why wait for trouble?
Click NOW to get started:
https://sans20.qualys.com/index.php?lsid=324
***********************************************************************
***********************************************************************
Additional sponsored link from SPI Dynamics:
ALERT! "Outsmart Web Application Attackers"- FREE 15 Day Product
Trial, which delivers Comprehensive Vulnerability Report.
http://www.sans.org/cgi-bin/sanspromo/CVA03
************************************************************************
************************
Widely Deployed Software
************************
(1) HIGH: Sybase Adaptive Server Multiple Buffer Overflows
===================================================================
Affected Products:
Sybase Adaptive Server versions 12.0 and 12.5
Description:
Sybase Adaptive Server contains three stack-based buffer overflow
vulnerabilities that allow an attacker with non-privileged login
credentials to gain complete control of the server. The affected
software is very widely deployed in the securities, banking, and
healthcare industries, and in government and e-commerce environments.
Risk: Non-privileged users can execute arbitrary code under the
security context of the server, database, or extended stored procedure
server.
Deployment: Widely deployed, mission critical. According to the vendor
website, Sybase's installed base spans 90% of the world's securities
firms and 60% of its banks. The affected product is also widely used
by the US government and in the telecommunications, pharmaceuticals,
and healthcare industries. The Adaptive Server Enterprise product is
a data management platform for mission-critical, transaction-intensive
enterprise applications.
Ease of Exploitation: Straightforward. The security advisories include
technical details showing how to trigger the overrun conditions.
Status: Vendor confirmed, patches available. Users should apply
patches 12.5.0.2 and 12.0.0.6 ESD#1.
Severity: High (vulnerability details available, server root
compromise, widely deployed, high value assets, attacker must have
limited user privileges)
Council Actions: Sybase is widely used among Council sites. Those
using it in mission critical applications implemented the patches
immediately. The other Council members felt their perimeter
protection, based on port blocking, allowed them to tell the Sybase
administrators about the problem and have it corrected in the next
regular patch cycle.
References:
Application Security Inc. Advisories:
http://archives.neohapsis.com/archives/bugtraq/2002-11/0337.html
http://archives.neohapsis.com/archives/bugtraq/2002-11/0339.html
http://archives.neohapsis.com/archives/bugtraq/2002-11/0345.html
Sybase Adaptive Server Product Information:
http://www.sybase.com/products/databaseservers/ase
http://www.sybase.com/sb_content/1019280/aseIndustrySolutions.swf
Sybase patches are available at:
http://downloads.sybase.com/swd/swx
(2) HIGH: Cyrus IMAP Server Remote Buffer Overflow
=================================================================
Affected Products:
Cyrus IMAP Server version 2.1.10 and prior
Description:
The Cyrus IMAP server for Unix contains a remotely exploitable buffer
overflow that allows non-authenticated attackers to execute arbitrary
code with the privileges of the server process (typically not root).
Risk: Remote server compromise with the privileges of the Cyrus
IMAP daemon. Since Cyrus stores all email under a single user ID,
a successful attacker would be able to read all messages stored on
the compromised system.
Deployment: Significant. The Cyrus IMAP server project was started by
the Carnegie Mellon University in 1994. The software is especially
popular with Linux and Solaris users, and is included with some
Linux distributions.
Ease of Exploitation: Straightforward. This is a heap-based buffer
overflow. The Bugtraq advisory contains many technical exploitation
details and a source code patch showing the location of the flawed
server code.
Status: Vendor confirmed. Users should upgrade to version 2.0.17 or
2.1.11 to fix the problem.
Severity: High (server non-root compromise, many vulnerability details,
significant deployment)
Council Actions: One Council site reported using Cyrus IMAP server
for email for more than 10,000 users. A close analysis of the
background information on the vulnerability led that site to conclude
that exploitation depends on certain properties of the malloc/free
implementation which were not present in the malloc/free implementation
in the operating system used at that site. Nevertheless, they plan
to schedule an e-mail system outage to install a new version of the
Cyrus software.
References:
Bugtraq Posting by Timo Sirainen:
http://archives.neohapsis.com/archives/bugtraq/2002-12/0014.html
CERT Vulnerability Note VU #740169:
http://www.kb.cert.org/vuls/id/740169
Vendor Announcement:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19339
(3) HIGH: Samba Encrypted Password Change Request Buffer Overflow
==========================================================
Affected Products:
Samba versions 2.2.2 through 2.2.6
Description:
Samba contains a buffer overflow in code that handles password change
requests from clients. A malicious client can send an encrypted
password that, when decrypted by the smbd server, causes a stack-based
buffer overrun. Theoretically, the vulnerability could be exploited
by an unauthenticated remote attacker to execute arbitrary code with
root privileges.
Risk: Remote root compromise.
Deployment: Significant. Samba is the Unix server standard for
providing SMB/CIFS-based file and print services, and is included in
many Linux distributions.
Ease of Exploitation: Difficult. No exploits are known to exist,
and the Samba team states that they were unable to craft one
themselves. According to the Samba announcement, the attack would
have to be crafted such that converting a DOS codepage string to
little endian UCS2 unicode results in an executable block of code.
Status: Vendor confirmed, fixed software available. Users are advised
to upgrade to Samba version 2.2.7.
Severity: High (server root compromise, significant deployment,
unusually difficult exploit)
Council Actions: Samba was in use at nearly all of the Council sites.
Because exploitation is difficult, and they found no exploit in the
wild, all Council sites, even those with Samba systems accessible from
the Internet, decided to update centrally managed sites on the next
regularly planned update cycle. For systems managed by end users,
most sites block access at the perimeter and plan to tell the users
to patch the vulnerability on their next update cycle. One site
plans to do a version survey of all Samba systems in January 2003,
and then force updates to vulnerable systems.
References:
Samba Announcement:
http://www.samba.org/samba/whatsnew/samba-2.2.7.html
Vendor Announcements:
SuSE, RedHat, Mandrake, Conectiva, Debian, Trustix
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0894.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0044.html
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0212.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0022.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0746.html
http://archives.neohapsis.com/archives/bugtraq/2002-11/0324.html
(4) HIGH: Linksys Wireless Router Multiple Vulnerabilities
================================================================
Affected Products:
Linksys BEFW11S4 v2. Firmware versions 1.42.7, 1.43, 1.43.3
Linksys BEFSR41/BEFSR11/BEFSRU31. Firmware versions 1.42.7, 1.43,
1.43.3
Linksys BEFSR81. Firmware version 2.42.7.1
Linksys BEFN2PS4. Firmware version 1.42.7
Linksys BEFSX41. Firmware versions 1.43, 1.43.3, 1.43.4
Linksys BEFVP41. Firmware versions 1.40.2, 1.40.3
Linksys HPRO200
Linksys BEFN2PS4
Description:
Multiple remotely-exploitable vulnerabilities have been found in
Linksys wireless routers, allowing an attacker to gain complete
control of a vulnerable device. The flaws allow an attacker to
bypass authentication requirements and execute arbitrary code on the
device via a buffer overflow. For the most part, the flaws affect
the embedded HTTP server that is typically only enabled on the LAN
interface. However, CORE has demonstrated that a malicious HTML page
can be constructed that will, when loaded in a browser by a user
on the LAN network, contact the Linksys, bypass authentication, and
reconfigure the device to allow remote management from the Internet. At
that point the attacker is free to control the device remotely, and
exploit the buffer overflow to execute code. A user could encounter a
hostile web page while browsing the Internet, or receive it in an email
message. Most exploit attempts would be successful since all devices
use the same IP address (192.168.1.1) for the LAN interface by default.
Risk: Remote attackers can gain complete control of the device.
Deployment: Widely deployed. The affected products are used in many
small business and home office environments, and have won several
industry awards.
Ease of Exploitation: Straightforward/Trivial. The CORE advisory
contains examples and low-level technical details about how to exploit
the vulnerabilities.
Status: Vendor confirmed, firmware upgrades are available for some
products, others are still under development.
Severity: High (exploit code, server root compromise, significant
deployment, attacker must entice victim, mostly home user issue).
References:
CORE Security Technologies Advisory:
http://www.corest.com/common/showdoc.php?idx=263&idxseccion=10
Linksys Firmware Upgrades:
http://www.linksys.com/download/
**************
Other Software
**************
(5) HIGH: Pico HTTP Server (pServ) Multiple Buffer Overflows
================================================================
Affected Products:
pServ version 2.0b5 and possibly other versions
Description:
Pico HTTP server contains multiple remotely exploitable buffer
overflows that allow attackers to execute arbitrary code with the
privileges of the server process, typically root.
Risk: Remote root compromise.
Deployment: Small. Pico server is a freeware, open source HTTP server
for Unix designed to be small and easily portable.
Ease of Exploitation: Straightforward. The security advisory discusses
several stack-based buffer overrun vulnerabilities in detail, providing
sufficient information for an attacker to begin crafting an exploit.
Status: Vendor has not confirmed, no patch currently available.
Severity: High (server root compromise, vulnerability details
available, small deployment)
References:
Bugtraq Posting by Matthew Murphy:
http://archives.neohapsis.com/archives/bugtraq/2002-12/0001.html
pServ SourceForge Project Page:
http://sourceforge.net/projects/pserv
************************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
Forristal and the Neohapsis team scour all of the major vendor web
sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of
all new vulnerabilities and major vulnerability announcements made
during the week. The SANS Institute and Network Computing Magazine vet
the complete list through the major system manufacturers and jointly
publish it every week as the Security Alert Consensus (SAC). You may
subscribe to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly five years and her work in the field is legendary.
Phase 3: Very technical and highly skilled security managers at fifteen
of the largest user organizations in the United States each review the
"immediate action" vulnerabilities and describe what they did or did
not do to protect their organizations. Council members include banks
and other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed. The Council also includes representatives from the
National Infrastructure Protection Center and the White House Office
of Cyber Security.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all subscribers.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are listed below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
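Added example, not part of the SANS newsletter: a small Python triage helper that turns the ranking questions listed above into a rating and then applies the remediation timescale to compute a due date. The factor names, the "count the mitigating factors" heuristic and the weekend-only business-day rule are my own assumptions, not the Council's actual method.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Factors:
    """Yes/no answers to the CVA ranking questions (field names are assumed)."""
    server_side: bool          # server or infrastructure device, not a client
    root: bool                 # compromise yields root / complete control
    widely_deployed: bool      # "widely" or "significant" deployment
    default_config: bool       # flaw present in a default install
    details_public: bool       # technical details or exploit code available
    easy: bool                 # exploitation is straightforward
    needs_lure: bool = False   # victim must be enticed to a hostile page/mail
    needs_prior_access: bool = False  # attacker needs an account or foothold
    dos_only: bool = False     # denial of service only, no compromise
    local_net_only: bool = False      # attacker must sit on the victim's LAN
    limited_access: bool = False      # exploitation yields very limited access

def rate(f: Factors, assume_attacker_has_details: bool = False) -> str:
    """Approximate CVA rating. assume_attacker_has_details models the
    'paranoid administrator' reading: a HIGH that is HIGH only because no
    details are published is treated as if the details were already out."""
    if f.dos_only or f.local_net_only or f.limited_access:
        return "MODERATE"          # scales tipped toward the victim
    details = f.details_public or assume_attacker_has_details
    aligned = [f.server_side, f.root, f.widely_deployed, f.default_config,
               details, f.easy, not f.needs_lure, not f.needs_prior_access]
    missing = aligned.count(False)  # number of mitigating factors present
    if missing == 0:
        return "CRITICAL"          # all planets align for the attacker
    if missing <= 2:
        return "HIGH"              # one or a few mitigating factors
    if missing <= 4:
        return "MODERATE"
    return "LOW"                   # needs access, elaborate scenario, small damage

def add_business_days(start: datetime, days: int) -> datetime:
    """Skip Saturdays and Sundays; public holidays are not modelled (assumption)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

def deadline(rating: str, published: datetime):
    """Remediation due date per the CVA timescale; None means at discretion."""
    if rating == "CRITICAL":
        return published + timedelta(hours=48)
    if rating == "HIGH":
        return add_business_days(published, 5)
    if rating == "MODERATE":
        return add_business_days(published, 15)
    return None

# Item (3) of this issue: Samba, root compromise, significant deployment,
# details published, but an unusually difficult exploit.
SAMBA = Factors(server_side=True, root=True, widely_deployed=True,
                default_config=True, details_public=True, easy=False)
ISSUE_DATE = datetime(2002, 12, 9, 9, 25)   # date header of this posting

if __name__ == "__main__":
    r = rate(SAMBA)
    print(r, deadline(r, ISSUE_DATE))        # HIGH 2002-12-16 09:25:00
```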
******************************************************************
Please feel free to share this issue with interested parties via
email, but no posting is allowed on internal or external web sites.
To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
Copyright 2002, SANS Institute
==end==