From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Dec 16 2002 - 09:11:52 CST



    ***********************************************************************
                      SANS Critical Vulnerability Analysis
    December 16, 2002 Vol. 1. No. 21
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.

    ***********************************************************************

    TABLE OF CONTENTS:

    Widely Deployed Software:
    (1) CRITICAL: Sun Cobalt RaQ4 Server Remote Root Compromise
    (2) HIGH: Cyrus SASL Library Multiple Buffer Overflows
    (3) MODERATE: openLDAP Multiple Buffer Overflows
    (4) MODERATE: Multiple FTP Clients Directory Traversal Vulnerability

    Other Software:
    (1) HIGH: ActiveState ActivePerl perlIIS.dll Buffer Overflow
    (2) HIGH: Enceladus Server Suite FTP Server Buffer Overflow
    (3) LOW: smb2www Remote Command Execution

    ****** This Issue Sponsored by SANS2003: SANS' Largest Conference *****

    SANS is the conference for people who are serious about securing
    their networks and systems. Here are four reasons why:

    1. "Relevant material, great instructors - and it lived up to its
    'firehose' reputation. Excellent!" Chris McCown, Intel Corp.
    2. "The one primary reason that I keep coming back to SANS events is
    the quality of the faculty." Jim Clausing, AT&T
    3. "SANS' value lies in the fact that you have industry leaders that
    actually practice, not just preach, authoring and instructing the
    classes." Cory Steers, State Farm Insurance
    4. "There is simply no substitute for hands-on experience." Kaelin
    Colclasure, Resilience Corp.

    And this spring's National IA Leadership Conference - the SANS
    program for CIOs and CISOs - is also at SANS2003 - along with a huge
    expo. Please join us in San Diego, March 7-12, 2003.
    http://www.sans.org/SANS2003
    ***********************************************************************

    **********************************************************
    Widely Deployed Software
    **********************************************************

    (1) CRITICAL: Sun Cobalt RaQ4 Remote Root Compromise

    Affected Products: Sun Cobalt RaQ4 Server

    Description:
    The Sun Cobalt RaQ4 is a server appliance that offers a full suite
    of Internet services. The RaQ4 is pre-configured with the Apache Web
    server, Sendmail, an FTP server, DNS, FrontPage Server Extensions,
    PHP and CGI scripts.

    A Cobalt RaQ4 server with the Security Hardening Package (SHP)
    installed can be remotely exploited. The overflow.cgi script does not
    sanitize user input for the "email" parameter, which allows arbitrary
    command execution with root privileges.

    Risk: Remote root compromise.

    Deployment: Significant.
    Multiple Cobalt RaQ4 servers are regularly deployed as clusters by
    Internet Service Providers to handle millions of transactions per
    day. The servers are used for deploying business critical applications
    and e-commerce solutions. Many of the servers have the Security
    Hardened Package installed.

    Ease of Exploitation: Trivial.
    Exploit code is publicly available.

    Status: Vendor Confirmed. Sun has released a patch, which will
    uninstall the SHP from the Cobalt RaQ4 server. A workaround is to block
    access to Cobalt RaQ4 Server administrative ports 81/TCP and 444/TCP.

    References:
    CERT Advisory:
    http://www.cert.org/advisories/CA-2002-35.html

    Sun Alert Notification:
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/49377

    Patch available at:
    http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg

    Exploit Code:
    http://online.securityfocus.com/archive/1/302259

    Council Site Actions: Only one of the Council sites reported use of the
    Cobalt RaQ4 server. They investigated a small pocket of derivative
    Cobalt print systems and determined that the systems are not affected
    by the vulnerability.

    **************************************************************

    (2) HIGH: Cyrus SASL Library Multiple Buffer Overflows

    Affected Products: Cyrus SASL library versions 2.x (prior to 2.1.10).

    Description:
    SASL, the Simple Authentication and Security Layer, is used by multiple
    protocols to accomplish authentication. Cyrus SASL Library is a part
    of the Electronic Mail Project at Carnegie Mellon University aimed at
    providing a highly scalable enterprise mail system. Servers running
    the Cyrus SASL library are vulnerable to multiple buffer overflows,
    which could be exploited to run arbitrary commands in the security
    context of the process using the library. A malformed user name can
    trigger the buffer overflow.

    Risk: Remote command execution.
    Root level compromise if the program using the SASL library is running
    with super-user privileges.

    Deployment: Significant.
    The Cyrus SASL library is included in many popular packages such as
    sendmail (version 8.10.0 and higher), Cyrus IMAP server and openLDAP.
    The library also ships with all the popular Linux server packages:
    RedHat, Mandrake, Debian, SCO and SuSE.

    Ease of Exploitation: Difficult.
    The vulnerability details are known but no exploit code is currently
    available. The vulnerability posting also states that exploiting the
    buffer overflow may not be easy due to limited heap memory available
    for overwriting.

    Status: Vendor confirmed. Version 2.1.10 has been released to fix
    the issue.

    References:
    BugTraq Posting with vulnerability details:
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0075.html

    Cyrus SASL homepage:
    http://asg.web.cmu.edu/sasl/sasl-projects.html

    Council Site Actions:
    The affected software is in use at four of the Council sites. Two
    sites reported it running in non-production environments. Both sites
    chose to update the library to be consistent with production systems.
    A third Council site reported using this library in two site-wide
    services that are maintained by their central IT department. Because
    the services are important, and the possibility of exploiting the
    vulnerability is apparently not confirmed, they will first test the
    new version for a short time, and then schedule deployment later this
    month. They are also investigating non-production uses of this code and
    will take appropriate action. The fourth site is trying to determine
    where the software is in use. In particular, they have Sendmail >
    8.10, but are not certain whether they use the features that would
    utilize the SASL library yet.

    **************************************************************

    (3) MODERATE: openLDAP Multiple Buffer Overflows

    Affected Products: openLDAP versions 2.0, 2.0.1-23

    Description:
    OpenLDAP is a project aimed at developing an open source, robust,
    commercial-grade implementation of the Lightweight Directory Access
    Protocol (LDAP). The SuSE security team, while reviewing the openLDAP
    package, found multiple buffer overflow vulnerabilities that could allow
    a remote attacker to compromise the system running the openLDAP server.

    Risk: Remote exploit.
    A remote attacker can exploit the buffer overflow vulnerabilities
    to cause a denial of service to directory services by crashing the
    openLDAP server or to execute arbitrary commands in the security
    context of the openLDAP server.

    Deployment: Significant.
    The vulnerable versions of the software are included in many Linux
    server distributions such as RedHat, Caldera, SuSE, Connectiva,
    Mandrake, and SCO.

    Ease of Exploitation: Difficult.
    The SuSE security team has not revealed any information about the
    vulnerability. No exploits are known to exist.

    Status: Confirmed by SuSE. Fixed software RPM packages are available
    for SuSE Linux distributions.

    References:
    SuSE Announcement:
    http://www.suse.com/de/security/2002_047_openldap2.html
    http://www.linuxsecurity.com/advisories/suse_advisory-2642.html

    Update for various architectures and versions available at:
    ftp://ftp.suse.com/pub/suse

    Council Site Action:
    Only two Council sites are running the affected software. At one
    site, the openLDAP software is used extensively by at least one
    department. At this site, software is not installed or supported
    by the central IT department but by the individual departments.
    They notified the departments regarding the vulnerability. The second
    site has already begun installing the updated RPMs.

    **************************************************************

    (4) MODERATE: Multiple FTP Clients Directory Traversal Vulnerability

    Affected Products: wget packages prior to version 1.8.2-4, Sun, OpenBSD
    and SGI FTP clients. The status of many other vendors is not known.

    Description:
    Many FTP clients fail to check for absolute paths or "../" (directory
    traversal) sequences in the filenames returned by an FTP server. As
    a result, when an FTP client issues an "mget" request, a malicious
    FTP server can overwrite or add files in any directory to which the
    client has write permission.

    Risk: Remote exploit.
    A rogue FTP server can overwrite files like .profile or .forward
    to execute arbitrary commands in the security context of the user
    running the ftp client. A system compromise is possible if the ftp
    client is run with super-user privileges.

    Deployment: Huge.
    All operating systems ship with an FTP client. wget is commonly
    used to automate downloads or maintain mirror sites, and in many cases
    it is run with root privileges.

    Ease of Exploitation: Difficult.
    No exploit code is publicly available to run a malicious FTP server,
    although SGI has been supplied with a proof-of-concept FTP server.
    The malicious FTP server has to entice the client to issue the "mget"
    command to exploit this vulnerability.

    Status: A few vendors have confirmed the vulnerability. The status of
    many vendors is not known. A workaround is to disable the use of the
    non-interactive FTP mget command.
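    The check that the vulnerable clients lack, as an added example (not code
    from wget, any vendor client, or the CVA): a server-supplied filename is
    accepted only if it is relative and contains no ".." component, and the
    joined download path is then re-checked to stay under the destination
    directory. The listing, destination directory and function names are
    constructed for illustration; POSIX path semantics are assumed.

```python
import posixpath
import re

# Constructed sample listing: the names a hostile FTP server might return
# during "mget *". The .profile and .forward entries mirror the CVA's scenario.
SAMPLE_LISTING = [
    "index.html",
    "images/logo.gif",
    "../.profile",
    "/home/victim/.forward",
    "docs/../../.bashrc",
    "C:\\boot.ini",
]

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


class UnsafeRemoteName(ValueError):
    """Raised when a server-supplied name would escape the download directory."""


def is_safe_remote_name(name: str) -> bool:
    """Return True only for a plain relative name with no traversal component.

    Rejected: empty names, NUL bytes (they truncate the path in C clients),
    absolute paths, drive-letter prefixes, backslashes, and any ".." component
    (even "a/../b", which a directory listing never legitimately needs).
    """
    if not name or "\0" in name:
        return False
    if name.startswith("/") or "\\" in name or _DRIVE_PREFIX.match(name):
        return False
    return all(component != ".." for component in name.split("/"))


def download_path(dest_dir: str, name: str) -> str:
    """Join a server-supplied name onto dest_dir, refusing anything that escapes it.

    The name is screened by is_safe_remote_name first; the joined path is then
    normalised and checked to still lie under dest_dir as a second line of
    defence. Raises UnsafeRemoteName on either failure.
    """
    if not is_safe_remote_name(name):
        raise UnsafeRemoteName(name)
    root = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    if target != root and not target.startswith(root.rstrip("/") + "/"):
        raise UnsafeRemoteName(name)
    return target


def partition_listing(dest_dir: str, names):
    """Split a listing into (accepted_paths, rejected_names) as an mget loop would."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(download_path(dest_dir, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_listing("/home/alice/downloads", SAMPLE_LISTING)
    print("would write:", ok)
    print("refused    :", bad)
```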

    References:
    CERT Advisories:
    (1) Multiple FTP clients contain directory traversal vulnerabilities:
    http://www.kb.cert.org/vuls/id/210409

    (2) wget contains directory traversal vulnerability:
    http://www.kb.cert.org/vuls/id/210148

    Steve Christey's posting at VulnWatch:
    http://lists.insecure.org/lists/vulnwatch/2002/Oct-Dec/0080.html

    Securiteam Advisory:
    http://www.securiteam.com/securitynews/6G00B0A6AC.html

    Vendor Patches:
    RedHat wget packages:
    http://rhn.redhat.com/errata/RHSA-2002-229.html

    1997 BugTraq Posting by Matt Power:
    http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482

    Council Site Actions:
    Several of the Council sites are running the affected software. Due to
    the difficulty in exploiting the vulnerability, they have chosen to
    implement the patches during the next regular patch update cycle.

    **********************************************************
    Other Software
    **********************************************************

    (1) HIGH: ActiveState ActivePerl perlIIS.dll Buffer Overflow

    Affected Products: ActivePerl 5.6.1 prior to Build 630

    Description:
    ActivePerl is a Perl implementation for the Windows platform.
    PerlIIS.dll is an ISAPI extension used to execute Perl scripts with
    the .plx extension. The DLL contains a buffer overflow in its handling
    of long file names with the .plx extension requested via HTTP. A remote
    attacker can execute arbitrary commands with SYSTEM privileges on
    IIS 4.0 and with IWAM_machinename account privileges on IIS 5.0.

    Risk: Remote compromise of the IIS server running ActivePerl ISAPI
    extensions.

    Deployment: Significant.
    ActivePerl is installed on thousands of IIS servers.

    Ease of Exploitation: Trivial.
    Exploits are publicly available.

    Status: Vendor Confirmed. Patch available. Upgrade to version 5.6.1.630
    to fix the issue. A workaround is to configure the IIS webserver to
    check that the requested filename exists before invoking the DLL.

    References:
    NSFOCUS Advisory:
    http://www.nsfocus.com/english/homepage/sa01-07.htm

    SecurityFocus Posting:
    http://online.securityfocus.com/bid/3526

    Exploit Code:
    http://online.securityfocus.com/bid/3526/exploit/

    Council Site Actions:
    The affected software was in use at only two Council sites, and both
    reported very limited use of the software. They will install the patch
    during the next regular patch update cycle.

    **********************************************************

    (2) HIGH: Enceladus Server Suite FTP Server Buffer Overflow

    Affected Products: Enceladus Server Suite Version 3.9

    Description:
    Enceladus Server Suite is a lightweight Web and FTP server for Windows.
    The FTP server is vulnerable to a buffer overflow in its "CD" (change
    directory) command. Supplying an overlong argument to the "CD" command
    causes the FTP server to crash. The vulnerability can be exploited
    to execute arbitrary commands with system-level privileges.

    Risk: Remote system level compromise

    Deployment: Small.
    Enceladus Server Suite is shareware for Windows targeted at home
    users and small businesses.

    Ease of Exploitation: Straightforward.
    The vulnerability details are available. Tamer Sahin's Vulnwatch
    posting describes how to crash the FTP server. Many similar exploits
    for stack-based overflows on the Windows platform are available, which
    may facilitate writing an exploit.

    Status: Vendor has not confirmed, no patch is currently available.

    References:
    Security Office Advisory:
    http://www.securityoffice.net/articles/enceladus

    Tamer Sahin's Vulnwatch posting:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0097.html

    Vendor's homepage:
    http://www.mollensoft.com/product3.html

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    **************************************************************

    (3) LOW: smb2WWW Remote Command Execution

    Affected Products: All versions of smb2WWW except 980804-16.1,
    980804-8.1 and 980804-17.

    Description:
    smb2WWW is a CGI program that enables browsing and downloading files
    on Windows and OS/2 networks via a web browser. smb2www, which runs on
    a Unix/Linux webserver, can be remotely exploited to execute arbitrary
    commands with the privileges of the 'www-data' user.

    Risk: Remote command execution.

    Deployment: Unknown.
    The program ships with Debian/Linux 2.2 and 3.0 packages.

    Ease of Exploitation: Difficult.
    The details of the exploit are not publicly available.

    Status: Vendor confirmed. Debian has released fixes for Debian/GNU
    Linux 2.2 & 3.0 packages.

    References:
    Debian Security Advisory:
    http://www.debian.org/security/2002/dsa-203

    SMB2WWW homepage:
    http://us1.samba.org/samba/smb2www/

    Council Site Action:
    Only one Council site reported limited use of the affected software.
    Once the patches are available, they will schedule installation during
    the next regular patch update cycle.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ***********************************************************
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. The recommended response
    times corresponding to each of the ratings are below. These
    recommendations should be tailored according to the level of deployment
    of the affected product at your organization.
    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers, to GIAC
    certified security professionals, and to recent alumni of SANS courses.
    Recipients may forward the CVA to other technical and managerial
    security staff in their organizations, but not to people outside their
    organizations.

    Copyright 2002. All rights reserved. No copying, forwarding, or
    reuse allowed, other than those listed in the preceding paragraph,
    without written permission from the SANS Institute. Email
    sansrosans.org for permission.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS' other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

                             ==end==
