From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Dec 23 2002 - 09:05:51 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
                       SANS Critical Vulnerability Analysis
    December 22, 2002 Vol. 1. No. 22
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.
    ***********************************************************************

    Table of Contents
    -------------------
    Widely Deployed Software:
    (1) HIGH: Multi-Vendor SSH Multiple Vulnerabilities (SSHredder)
    (2) MODERATE: Microsoft Virtual Machine (VM) Multiple Vulnerabilities
    (3) MODERATE: Macromedia Flash Malformed SWF Header Vulnerability
    (4) LOW: Multi-Vendor XML Parser Malformed DTD Denial of Service

    Other Software:
    (5) MODERATE: Fetchmail Heap Overflow Vulnerability
    (6) LOW: zkfingerd Format String Vulnerabilities
    (7) LOW: PFingerd DNS Name Format String Vulnerability

    *************** This issue sponsored by SANS 2003 *******************
    Why Do People Come Back Year After Year To SANS Annual Conferences?

    "No other organization delivers courses with the technical detail,
    organization and 'mentoring' that SANS provides. Many conferences turn
    out to be very expensive marketing messages. SANS' vendor neutral
    approach assures that I get the info that will best protect/support
    my network. Ultimately, I come away from the conference a little more
    paranoid but much better armed to protect my system."
    (Tom E. Gonzales, Colorado State Employees Credit Union)

    "The one primary reason that I keep coming back to SANS events is
    the quality of the faculty."
    (Jim Clausing, AT&T)

    Early registration earns free bonus book: http://www.sans.org/SANS2003

    ***********************************************************************

    ***********************************************************************
    Additional sponsored link from Security Profiling:
    Anti-Vulnerability technology offers next generation security tools
    intelligence, accuracy, patching functions.
    Paper: http://www.sans.org/cgi-bin/sanspromo/CVA04

    **********************************************************************

    ********************************************************
    Widely Deployed Software
    ********************************************************

    (1) HIGH: Multi-Vendor SSH Multiple Vulnerabilities (SSHredder)

    Affected Products (from the Rapid7 Advisory):
      o F-Secure Corp. SSH servers and clients for UNIX
           v3.1.0 (build 11) and earlier
      o F-Secure Corp. SSH for Windows
           v5.2 and earlier
      o SSH Communications Security, Inc. SSH for Windows
           v3.2.2 and earlier
      o SSH Communications Security, Inc. SSH for UNIX
           v3.2.2 and earlier
      o FiSSH SSH client for Windows
           v1.0A and earlier
      o InterSoft Int'l, Inc. SecureNetTerm client for Windows
           v5.4.1 and earlier
      o NetComposite ShellGuard SSH client for Windows
           v3.4.6 and earlier
      o Pragma Systems, Inc. SecureShell SSH server for Windows
           v2 and earlier
      o PuTTY SSH client for Windows
           v0.53 and earlier (v0.53b not affected)
      o WinSCP SCP client for Windows
           v2.0.0 and earlier
    Note: OpenSSH is not affected.

    Description:
    SSHv2 client/server implementations from multiple vendors contain
    various vulnerabilities that could allow remote, unauthenticated
    attackers to execute arbitrary code with the privileges of the SSH
    process or cause a denial of service. Successful exploitation of
    code-execution vulnerabilities against SSH servers would typically
    provide attackers with SYSTEM privileges under Windows and root
    privileges under Unix. Exploitation of clients would provide the
    privileges of the user running the client.

    All vulnerabilities were discovered using the automated SSHredder
    test suite, which has been made publicly available by Rapid7.
    SSHredder contains over 600 distinct test cases that stress an SSH
    implementation by sending invalid or atypical packets during the
    connection initialization, key exchange, and negotiation phases of
    the protocol. These phases occur prior to user authentication.
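    The pre-authentication packets SSHredder sends are mostly length fields that do not match the bytes that follow. The defensive counterpart is shown below as an added example (not code from Rapid7, SANS or any of the listed vendors): a header check for an SSH binary packet following the layout in RFC 4253 section 6, run before the untrusted length fields are allowed to size or index any buffer. The 35000-byte cap, the helper and function names, and the sample headers are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 4253 requires every implementation to accept packets of up to
 * 35000 bytes; this example uses that figure as a hard cap on what it
 * will ever allocate (policy choice, not a protocol constant). */
#define SSH_MAX_PACKET 35000u

enum ssh_hdr_verdict {
    SSH_HDR_OK = 0,
    SSH_HDR_SHORT,        /* fewer than the 5 header bytes available */
    SSH_HDR_TOO_LARGE,    /* packet_length above the hard cap */
    SSH_HDR_BAD_PADDING,  /* padding < 4 bytes, or padding does not fit */
    SSH_HDR_BAD_ALIGN     /* total length not a multiple of the block size */
};

/* Validate the header of an SSH binary packet (RFC 4253 section 6):
 *     uint32 packet_length | byte padding_length | payload | random padding
 * All checks run on the untrusted length fields BEFORE they size a buffer
 * or index into one. On SSH_HDR_OK the payload length is written to
 * *payload_len. block_size is the cipher block size (8 before keys are
 * negotiated). */
enum ssh_hdr_verdict ssh_check_packet_header(const uint8_t *hdr, size_t avail,
                                             size_t block_size,
                                             size_t *payload_len)
{
    if (avail < 5)
        return SSH_HDR_SHORT;

    uint32_t packet_length = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                             ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    uint8_t padding_length = hdr[4];

    /* Cap first: an enormous packet_length is the classic way to provoke an
     * oversized allocation or an integer wrap in later arithmetic. */
    if (packet_length > SSH_MAX_PACKET)
        return SSH_HDR_TOO_LARGE;

    /* packet_length covers the padding_length byte, the payload and the
     * padding; at least four bytes of padding are mandatory. */
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length)
        return SSH_HDR_BAD_PADDING;

    /* 4 + packet_length must be a multiple of max(block_size, 8). */
    size_t align = block_size < 8 ? 8 : block_size;
    if ((4u + packet_length) % align != 0)
        return SSH_HDR_BAD_ALIGN;

    if (payload_len)
        *payload_len = packet_length - padding_length - 1;
    return SSH_HDR_OK;
}

int main(void)
{
    /* Constructed sample headers for illustration, not captured traffic. */
    const uint8_t good[5]      = {0x00, 0x00, 0x00, 0x0c, 0x04}; /* len 12, pad 4 */
    const uint8_t huge[5]      = {0xff, 0xff, 0xff, 0xff, 0x04}; /* len ~4 GiB    */
    const uint8_t short_pad[5] = {0x00, 0x00, 0x00, 0x0c, 0x02}; /* only 2 pad    */
    size_t payload = 0;
    printf("good:      %d (payload %zu)\n",
           ssh_check_packet_header(good, sizeof good, 8, &payload), payload);
    printf("huge:      %d\n", ssh_check_packet_header(huge, sizeof huge, 8, NULL));
    printf("short pad: %d\n",
           ssh_check_packet_header(short_pad, sizeof short_pad, 8, NULL));
    return 0;
}
```

    The order of the checks matters: the size cap comes before any arithmetic on packet_length, so a 0xffffffff length can never wrap a later addition, and the padding check guarantees the payload-length subtraction cannot go negative. A fuzzed header that fails any check is dropped without allocating, which is the behaviour an SSHredder-style test suite is probing for.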

    Risk: Remote root/SYSTEM-level compromise of SSH servers, SSH client
    compromise, and denial of service.

    Deployment: Significant.
    The vulnerabilities affect many popular products in use today; however,
    some products are affected more severely than others. The advisories do
    not discuss the problems with particular implementations individually.

    Ease of Exploitation: Straightforward.
    No code execution exploits are known to exist, but an attacker can use
    the SSHredder test suite to determine how a particular implementation
    is vulnerable, and go from there to craft an exploit. Attackers can
    also use the existing test suite to wage denial of service attacks.

    Status: Vendor confirmed, patches available in some cases.
    See the following link for vendor specific information:
    http://www.kb.cert.org/vuls/id/389665#systems

    References:
    Rapid7 Advisory:
    http://www.rapid7.com/advisories/R7-0009.txt

    CERT Advisory:
    http://www.cert.org/advisories/CA-2002-36.html

    Rapid7 SSHredder Test Suite:
    http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666

    Council Site Actions:
    All Council sites are using one or more of the SSH vendor products,
    but not all sites were running affected versions. All sites reported
    that inbound SSH connections were blocked at the perimeters;
    therefore it was not necessary to treat this as an urgent problem.
    Several of the Council sites are using the PuTTY client on their
    desktop systems. These sites already have plans in place to upgrade
    to the newest version. Other council sites plan to upgrade to the
    latest vendor versions or apply patches when they become available.
    One site plans to obtain the SSHredder tool and do some testing
    internally to better understand their level of vulnerability.

    *********************************************************

    (2) MODERATE: Microsoft Virtual Machine (VM) Multiple Vulnerabilities

    Affected Products:
    All builds of Microsoft VM up to and including 5.0.3805 (shipped with
    nearly all versions of Windows and Internet Explorer)

    Description:
    Microsoft has released MS02-069 ("Flaw in Microsoft VM Could Enable
    System Compromise"). The Microsoft Java VM contains eight new
    vulnerabilities, the most serious of which could allow a malicious
    Java applet to take control of the system on which it is running.
    A hostile applet could be automatically executed when a user opens
    a web page or HTML email.

    Risk: Client compromise with the privileges of the user running the
    hostile applet.

    Deployment: Huge.
    This vulnerability affects nearly all Windows and Internet Explorer
    users. The following systems are known to be vulnerable: Windows
    95/98/98SE/ME/NT4/2000/XP. The MS advisory includes further
    instructions showing how to determine if a system is vulnerable.

    Ease of Exploitation: Unknown.
    An attacker would need to craft an applet that invokes COM (Component
    Object Model) objects in a way that bypasses the VM's security checks
    that distinguish between trusted and untrusted applets.

    Status: Vendor confirmed, patch available from the Windows Update
    website.

    References:
    Microsoft Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-069.asp

    Windows Update Site:
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Council Site Actions:
    All Council sites reported being affected by this vulnerability.
    Most of them plan to apply the patches during their next regularly
    scheduled patch update process since they have controls in place to
    help mitigate the risk. Several sites are still working with upper
    management to gain support for installing perimeter and/or desktop
    proactive malware filtering software.

    **************************************************************

    (3) MODERATE: Macromedia Flash Malformed SWF Header Vulnerability

    Affected Products:
    Macromedia Flash Player versions less than 6.0.65.0

    Description:
    The Macromedia Shockwave Flash player contains a buffer overflow
    in the handling of malformed SWF file headers, which could allow a
    malicious flash movie to execute arbitrary code and take control of
    the system on which it is running. Hostile flash content could be
    automatically run when a user opens a web page or HTML email.

    Risk: Client compromise with the privileges of the user running Flash.

    Deployment: Huge.
    According to Macromedia, the player software is deployed by 98 percent
    of web users.

    Ease of Exploitation: Straightforward.
    No exploits are known to exist, but the discoverers of the
    vulnerability (researchers from eEye Digital Security) provide
    limited technical details and assert that the flaw is easy to
    exploit. Attackers would need to hand-edit a Macromedia Flash movie
    (SWF file) to insert malicious content.

    Status: Vendor confirmed, updated software available.

    References:
    Macromedia Software Updates:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

    eEye Vulnerability Advisory:
    http://www.eeye.com/html/Research/Advisories/AD20021216.html

    Macromedia Deployment Information:
    http://www.macromedia.com/macromedia/

    Council Site Actions:
    This software is not in production use at most of the Council sites,
    although they are aware of potential widespread use by the user
    community. Most of the Council sites have not taken any action other
    than notifying the desktop support groups due to the fact that a user
    must visit a malicious web site in order to be affected by the problem.

    *****************************************************************

    (4) LOW: Multi-Vendor XML Parser Malformed DTD Denial of Service

    Affected Products:
      o Expat Developers Expat XML parser
      o Apache Group Xerces XML parser
      o IBM WebSphere
      o Sun Microsystems SunONE
      o Apache Group Apache Axis
      o Macromedia ColdFusion/MX (Professional, Enterprise, J2EE Editions
            released through October 2002)
      o Macromedia JRun 4.0
      o Sybase EAServer v. 4.1, 4.1.1, 4.1.2, 4.1.3
      o BEA WebLogic Integration 2.1 and 7.0
      o BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1
      o HP (undisclosed list of products)
      o Potentially other vendors' products

    Description:
    Various XML parsers contain a denial of service vulnerability in the
    parsing of a malformed DTD, causing the parser to enter an infinite
    loop and consume 100% CPU and/or excessive amounts of memory. Some
    products can be exploited by sending a malicious POST request to
    their web interface, for example.
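    Until a vendor patch is in place, the practical defence for a service that accepts XML over its web interface is to never hand a DTD to the parser at all. The following is an added example, not code from any of the listed vendors or from the advisory: a fail-closed gate that caps the body size and rejects any document carrying a DOCTYPE before the bytes reach the real parser. The function names, the size limit and the sample documents are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum xml_gate_verdict { XML_GATE_OK = 0, XML_GATE_TOO_LARGE, XML_GATE_HAS_DTD };

/* Naive byte scan for a token. It also fires on "<!DOCTYPE" inside a comment
 * or CDATA section; for a gate that is acceptable, since a false reject is
 * far cheaper than letting a hostile DTD reach the parser. */
static int has_token(const uint8_t *buf, size_t len, const char *tok)
{
    size_t tl = strlen(tok);
    if (len < tl)
        return 0;
    for (size_t i = 0; i + tl <= len; i++)
        if (memcmp(buf + i, tok, tl) == 0)
            return 1;
    return 0;
}

/* Pre-parser gate for untrusted XML (e.g. a POST body). max_len is the
 * caller's policy limit. The DTD is where the looping and memory blow-up in
 * the advisory are triggered, so a document with a DOCTYPE is refused
 * outright instead of being parsed and hoping the parser copes. */
enum xml_gate_verdict xml_gate(const uint8_t *buf, size_t len, size_t max_len)
{
    if (len > max_len)
        return XML_GATE_TOO_LARGE;
    /* XML keywords are case-sensitive: "<!DOCTYPE" is the only spelling a
     * conforming parser would treat as a document type declaration. */
    if (has_token(buf, len, "<!DOCTYPE"))
        return XML_GATE_HAS_DTD;
    return XML_GATE_OK;
}

int main(void)
{
    /* Constructed sample documents, not real request bodies. */
    const char *plain = "<order><item/></order>";
    const char *dtd   = "<!DOCTYPE order [<!ENTITY a \"b\">]><order/>";
    printf("plain: %d\n", xml_gate((const uint8_t *)plain, strlen(plain), 4096));
    printf("dtd:   %d\n", xml_gate((const uint8_t *)dtd, strlen(dtd), 4096));
    printf("big:   %d\n", xml_gate((const uint8_t *)plain, strlen(plain), 8));
    return 0;
}
```

    This is defence in depth, not a substitute for the vendor fix: the gate only works for interfaces that never legitimately need a DTD, and the size cap bounds the memory side of the problem without addressing the CPU loop for documents that slip through with a DOCTYPE the scan did not see. Where the parser itself offers a switch to disable DTD processing, use that as well.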

    Risk: Remote denial of service.

    Deployment: Significant.
    The vulnerable parsers are deployed in a variety of popular products.

    Ease of Exploitation: Unknown.
    An exploit is said to exist, but is not widely available at present.

    Status: Some vendors have confirmed and made patches available,
    others are still investigating.

    References:
    Bugtraq Posting by Amit Klein:
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0140.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6363 (Macromedia)
    http://online.securityfocus.com/bid/6378 (BEA, Xerces)

    Council Site Actions:
    Most of the Council sites reported that the affected software is not
    in use at their site, thus no action is necessary.

    **************************************************************
    Other Software
    **************************************************************

    (5) MODERATE: Fetchmail Heap Overflow Vulnerability

    Affected Products:
    Fetchmail version 6.1.3 and prior

    Description:
    Fetchmail contains a heap overflow vulnerability in the handling
    of email headers containing local addresses. An attacker can send
    a maliciously crafted email to a victim and, when the message is
    processed by fetchmail, attacker-supplied code will be executed
    potentially with root privileges. This vulnerability is present in the
    default configuration of fetchmail and has been proven exploitable
    on Linux. BSD systems running fetchmail are also affected but will
    only crash when processing the malformed email.

    Risk: System compromise, potentially at the root privilege level.

    Deployment: Moderate.
    Fetchmail is included with many popular Linux distributions. The
    vendor homepage suggests that fetchmail may have hundreds of thousands
    of users.

    Ease of Exploitation: Unknown.
    An attacker must craft an email containing specially formed address
    headers to exploit the flaw. e-matters claims to have a working
    exploit for Linux but has not released it to the public.

    Status: Vendor confirmed, fixed version 6.2.0 available.

    References:
    e-matters Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0107.html

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6390

    Fetchmail Home Page:
    http://www.tuxedo.org/~esr/fetchmail/

    Council Site Actions:
    Two Council sites reported limited use of the Fetchmail software.
    One site has already patched the Linux systems through their regular
    auto-update process. The other site notified the desktop support group.
    For them, the threat is limited since all users who might be using the
    product retrieve their email from one of the internally supported
    mail systems, rather than their own MTA.

    ******************************************************************

    (6) LOW: zkfingerd Format String Vulnerabilities

    Affected Products:
    zkfingerd version 0.9.1 and prior

    Description:
    The zkfingerd daemon contains multiple format string vulnerabilities
    in the handling of user-supplied data. Successful exploitation allows
    remote attackers to execute arbitrary code with the privileges of
    the daemon.

    Risk: Remote compromise of the server running zkfingerd.

    Deployment: Small.
    zkfingerd is designed to be a highly configurable replacement for
    standard Linux finger daemons. The open source project is said to be
    in the beta development stage.

    Ease of Exploitation: Unknown.
    No exploits are known to exist, but the advisory provides some
    technical details showing the location of the vulnerable server code
    and a high level description of how to exploit the flaw. An attacker
    must send a finger request to the server, and craft the requested
    username so that it contains formatting characters such as %n.

    Status: Vendor confirmed, updated software available from the project
    CVS tree.

    References:
    NGSSoftware Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0112.html

    zkfingerd Open Source Project Page:
    http://sourceforge.net/projects/zkfingerd

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    ***************************************************************

    (7) LOW: PFingerd DNS Name Format String Vulnerability

    Affected Products:
    PFinger version 0.7.8 and prior

    Description:
    The PFinger daemon contains a format string vulnerability in
    the handling of malicious hostnames obtained via DNS. Successful
    exploitation allows a remote attacker to execute arbitrary code on
    the system with the privileges of the daemon (does not run as root
    by default).

    Risk: Remote compromise of the server running pfinger.

    Deployment: Small.
    PFinger is designed to be a highly configurable and secure replacement
    for the Unix GNU finger daemon. The open source project is said to
    be in the beta development stage.

    Ease of Exploitation: Difficult.
    In this attack scenario the attacker sends a finger request to
    a vulnerable daemon, and the daemon then uses DNS to retrieve the
    hostname of the client system. The vulnerability arises in the handling
    of the information contained in the DNS reply, thus an attacker must
    be able to control the DNS information in order to exploit the flaw.
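    Items (6) and (7) are the same bug class seen from two inputs: a username typed into the finger request, and a hostname the daemon obtained from a reverse DNS lookup, either of which ends up used as a printf-style format. The example below is added here and is not code from zkfingerd, PFinger or NGSSoftware. It shows the mechanical fix (the format is always a literal, untrusted text is always an argument) next to a defence-in-depth check that flags inputs carrying conversion directives. The function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The bug class in (6) and (7): untrusted text (a finger username, or the
 * hostname returned by a reverse-DNS lookup on the peer) is passed AS the
 * format string, e.g.  syslog(LOG_INFO, username);  so directives such as
 * "%n" inside it are interpreted by the C library. The fix is mechanical:
 * the format is a literal, untrusted data is only ever an argument. */
int log_finger_request(char *out, size_t outlen,
                       const char *username, const char *peer_host)
{
    /* Both values are rendered through "%s"; their contents are never parsed
     * as a format, and snprintf bounds the write to outlen. */
    return snprintf(out, outlen, "finger request for '%s' from %s",
                    username, peer_host);
}

/* Defence in depth for a finger daemon: neither a username nor a hostname has
 * any business containing a conversion directive. Returns 1 if one is found so
 * the request can be logged and refused. "%%" is a literal percent sign and is
 * not flagged. */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 2, '%')) {
        if (p[1] != '%')
            return 1;   /* lone '%' at the end, or "%n", "%x", "%s", ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured requests. */
    const char *inputs[] = {"alice", "%n%n%n", "50%%done", "bad%"};
    char line[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        log_finger_request(line, sizeof line, inputs[i], "host.example");
        printf("%-10s directive=%d  log=\"%s\"\n", inputs[i],
               contains_format_directive(inputs[i]), line);
    }
    return 0;
}
```

    The reverse-DNS case in (7) is worth stressing: anyone who controls the PTR record for their own address controls the string the daemon receives, so a hostname from DNS deserves exactly the same treatment as a username typed by the client. Compilers flag the unsafe pattern when warnings such as -Wformat-security are enabled, which is the cheapest way to find remaining instances in a code base.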

    Status: Vendor confirmed, fixed software available in version 0.7.9.

    References:
    NGSSoftware Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0113.html

    PFinger Project Pages:
    http://www.xelia.ch/unix/pfinger/
    http://freshmeat.net/projects/pfinger/?topic_id=88

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. The recommended response
    time for each rating is listed below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers, to
    GIAC certified security professionals, and to recent alumni of SANS
    courses. Eligible recipients may register all other technical and
    managerial security staff in their organizations, or may forward it
    to any such persons in their organizations, but not to people outside
    their organizations.

    Copyright 2002. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansrosans.org
    for permission.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

                             ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+BxjY+LUG5KFpTkYRAndPAJ44aNhEFVhWlWgmPU0bmabhBrvTBgCfYtkZ
    T35rskY7m4w14Qgwapj1pNE=
    =QuhH
    -----END PGP SIGNATURE-----