From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Jan 20 2003 - 09:25:47 CST



    ***********************************************************************
                      SANS Critical Vulnerability Analysis
    January 20, 2003 Vol. 2, No. 2
    ***********************************************************************

    Summary: Every week, the CVA prioritizes and summarizes the most
    important vulnerabilities identified during the past week and provides
    data on actions taken by security and systems managers at fifteen
    very large organizations (the Council) to protect their computers
    and networks from exploits of the reported vulnerabilities.

    See "About the CVA Process and Council" at the end of this note for
    more data on how the report is compiled.
    ***********************************************************************

    Table of Contents (all have sizable deployments):
    (1) CRITICAL: HSphere WebShell Multiple Vulnerabilities
    (2) HIGH: ISC DHCPv3 nsupdate Buffer Overflow Vulnerability
    (3) HIGH: BitKeeper Daemon Remote Command Execution Vulnerability
    (4) MODERATE: Mambo SiteServer Command Execution Vulnerability

    **********************************************************************

    ************* This Issue Sponsored by Qualys, Inc. *******************

    ZAP SANS/FBI Top 20 security vulnerabilities - FREE Network Security
    Scan!

    Get INSTANT control of your network security. FREE Web service
    automatically finds exposure to Top 20 threats identified by
    SANS/FBI. Scan your network today and in just minutes find out if
    your network is susceptible to these vulnerabilities.
    Why wait for trouble? Click NOW to get started:
    https://sans20.qualys.com/index.php?lsid=487

    ***************** ADDITIONAL SPONSORED LINKS **************************
    1. Anti-Vulnerability technology offers next generation security
    tools intelligence, accuracy, patching functions. Paper.
    http://www.securityprofiling.com/WhatisAntiVulnerabilityTechnology.pdf

    2. Fortinet's ASIC-powered Antivirus Firewalls stop viruses at the
    edge in real time - FREE WHITEPAPER http://www.fortinet.com/SANS/CVA
    ***********************************************************************

    (1) CRITICAL: HSphere WebShell Multiple Vulnerabilities

    Affected Products:
    HSphere WebShell v. 2.4 and possibly earlier versions
    (developed by Positive Software Corporation)

    Description:
    HSphere Webshell contains a buffer overflow in the handling of
    large "multipart/form-data" MIME boundary strings submitted via
    HTTP requests. Remote unauthenticated attackers can exploit the
    vulnerability to execute arbitrary code as root. Multiple other
    vulnerabilities, including various buffer overflows and command
    execution problems, have also been discovered.
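The overflow above is triggered by a boundary string far longer than the format allows. As an added example (not code from the CVA, the advisory, or HSphere), the following Python extracts the boundary parameter from a Content-Type value and rejects anything outside the RFC 2046 limits (at most 70 characters from a restricted alphabet) before a body parser sees it; the sample header values are constructed, and the WebKit-style boundary is just a realistic-looking placeholder.

```python
import re

# RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters drawn
# from a restricted alphabet (bchars) and must not end with a space.
BOUNDARY_MAX_LEN = 70
BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


def parse_boundary(content_type: str):
    """Return the boundary parameter of a multipart/form-data Content-Type
    value, or None for any other media type. No length policy is applied
    here, so the caller sees exactly what the request carried."""
    media_type, _, params = content_type.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            return value.strip().strip('"')
    return None


def check_boundary(content_type: str) -> dict:
    """Classify a Content-Type value before any body parser touches it."""
    boundary = parse_boundary(content_type)
    if boundary is None:
        return {"ok": True, "reason": "not multipart/form-data"}
    if not boundary:
        return {"ok": False, "reason": "empty boundary"}
    if len(boundary) > BOUNDARY_MAX_LEN:
        return {"ok": False,
                "reason": f"boundary too long ({len(boundary)} > {BOUNDARY_MAX_LEN})"}
    if not BCHARS.match(boundary) or boundary.endswith(" "):
        return {"ok": False, "reason": "boundary outside RFC 2046 bchars"}
    return {"ok": True, "reason": "boundary within RFC 2046 limits"}

# Constructed sample header values (not traffic from the advisory): a normal
# browser upload, a 4 KiB boundary of the kind the advisory describes, and a
# non-multipart request for contrast.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "multipart/form-data; boundary=" + "A" * 4096,
    "text/html; charset=utf-8",
]


def flag_headers(headers):
    """Return (truncated header, reason) for each header that fails the check."""
    flagged = []
    for header in headers:
        result = check_boundary(header)
        if not result["ok"]:
            flagged.append((header[:48] + "...", result["reason"]))
    return flagged
```

The same check can run in a reverse proxy or a web-server log review, since it needs only the Content-Type header and never touches the body.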

    Risk: Remote root compromise of servers running HSphere Webshell.

    Deployment: Significant.
    HSphere is a popular product used by commercial web hosting providers
    to manage large numbers of hosted websites. The product runs on
    Linux, BSD and Windows platforms. The vulnerable Webshell component,
    which provides web-based file upload/download support, is installed
    by default.

    Ease of Exploitation: Trivial.
    Local and remote exploit codes were posted with the advisory.
    Successful exploitation provides attackers with root shell access.

    Status: Vendor confirmed, fixed software available.

    References:
    Security Advisory by Carl Livitt:
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0028.html

    ISS Advisories:
    http://www.iss.net/security_center/static/10999.php
    http://www.iss.net/security_center/static/11001.php
    http://www.iss.net/security_center/static/11002.php
    http://www.iss.net/security_center/static/11003.php

    SecurityFocus Vulnerability Information:
    BIDs 6527, 6537-6540 cover these vulnerabilities

    Vendor Site:
    http://www.psoft.net/h_sphere2_info.html

    Vendor Patch:
    http://www.psoft.net/misc/webshell_patch.html

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.
    ***********************************************************************

    (2) HIGH: ISC DHCPv3 nsupdate Buffer Overflow

    Affected Products:
    ISC dhcpd v3 servers with nsupdate support

    Description:
    Multiple remotely exploitable stack-based buffer overflow
    vulnerabilities exist in the ISC implementation of DHCP. ISC DHCP
    provides a feature called "nsupdate" that allows DHCP servers to
    dynamically update DNS server records. The vulnerabilities exist
    within the "minires" library used by nsupdate to resolve hostnames. A
    remote attacker can exploit the flaws to execute arbitrary code with
    the privileges of the dhcpd server process (typically root).

    Risk: Remote root compromise of servers running ISC dhcpd.

    Deployment: Significant.
    The affected software is widely used and is known to ship with the
    RedHat, SuSE and BSDI operating system distributions. ISC dhcpd
    version 3 is compiled by default with nsupdate support.

    Ease of Exploitation: Believed to be straightforward.
    The attacker must send a DHCP message containing an over-long hostname
    to a vulnerable DHCP server. Source code patches can be inspected
    by an attacker to determine the precise location of the vulnerable
    server code.
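As an added example (not from the CVA, the CERT advisory, or the ISC sources), the following Python parses the options field of a DHCP message and flags a Host Name option (option 12 in RFC 2132) that exceeds the DNS name limits of RFC 1035, which is the input class the advisory describes; the sample message is constructed, and the option codes and RFC 3396 concatenation are standard DHCP, not anything taken from the vulnerable minires code.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2132 options magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_HOST_NAME, OPT_END = 0, 53, 12, 255
MAX_LABEL, MAX_NAME = 63, 255             # RFC 1035 label / name limits


def parse_options(options: bytes) -> dict:
    """Parse the DHCP options field into {code: value}; repeated codes are
    concatenated as RFC 3396 requires, so a split hostname is seen whole."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def hostname_problems(options: bytes) -> list:
    """Reasons the Host Name option must not be handed to a resolver."""
    name = parse_options(options).get(OPT_HOST_NAME)
    if name is None:
        return []
    problems = []
    if len(name) > MAX_NAME:
        problems.append(f"name is {len(name)} bytes, limit {MAX_NAME}")
    for label in name.split(b"."):
        if len(label) > MAX_LABEL:
            problems.append(f"label of {len(label)} bytes, limit {MAX_LABEL}")
    if any(b < 0x21 or b > 0x7E for b in name):
        problems.append("non-printable or space bytes in name")
    return problems


def build_options(hostname: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER options carrying a client hostname,
    split into 255-byte chunks when longer (the RFC 3396 encoding)."""
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])
    for off in range(0, len(hostname), 255):
        chunk = hostname[off:off + 255]
        body += bytes([OPT_HOST_NAME, len(chunk)]) + chunk
    return body + bytes([OPT_END])
```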

    Status: Vendor confirmed, patched software available from the ISC
    and some OS vendors.

    References:
    CERT Advisory:
    http://www.cert.org/advisories/CA-2003-01.html

    Background Information (older vulnerability):
    http://www.linuxsecurity.com/advisories/other_advisory-2065.html

    Council Site Actions:
    Several of the council sites are using this software to provide
    their site-wide DHCP service. However, they do not have the 'nsupdate'
    feature enabled. Two of the sites plan to upgrade to version 3.0.1RC11
    of the software during their next regularly scheduled patch update
    cycle. Another site chose not to take action at this time since
    their DHCP servers are accessible only to a small number of trusted
    internal desktop LANs that are tightly controlled.

    ***********************************************************************

    (3) HIGH: BitKeeper Daemon Remote Command Execution Vulnerability

    Affected Products:
    BitKeeper Project Management Suite version 3.0.x

    Description:
    BitKeeper contains an input sanitization vulnerability when running
    in daemon mode. Remote attackers can execute arbitrary command-line
    commands by sending malicious HTTP requests to the BitKeeper daemon.

    Risk: Remote compromise of servers running BitKeeper at the privilege
    level of the listening daemon.

    Deployment: Moderate.
    BitKeeper is a commercial source code control system that is designed
    to provide a rich feature set and a high level of stability for
    large software development projects. The product runs on Unix, Linux,
    Windows, and MacOS/X platforms, and is often deployed in corporate
    environments. The vulnerable daemon provides a web interface to
    project resources.

    Ease of Exploitation: Trivial.
    The advisory provided an example of how to exploit the bug using only
    a web browser.

    Status: The advisory indicates vendor confirmation. BitKeeper 3.0.1
    was released on January 15th, but it is not clear whether the new
    release fixes the vulnerability.

    References:
    Security Advisory by Maurycy Prodeus:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0018.html

    Vendor Site:
    http://www.bitkeeper.com/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.
    *********************************************************************

    (4) MODERATE: Mambo SiteServer Command Execution Vulnerability

    Affected Products:
    Mambo SiteServer Open Source versions 3.0.7 - 4.0.11

    Description:
    Mambo Site Server contains an input sanitization vulnerability that
    allows remote attackers to upload arbitrary files to the Mambo server.
    An attacker can upload a file containing malicious commands and then
    run it by requesting the file via HTTP. In addition, various cross-site
    scripting vulnerabilities have been discovered.

    Risk: Remote compromise of systems running Mambo SiteServer with the
    privileges of the server process.

    Deployment: Moderate.
    Mambo SiteServer is a popular, well-maintained open source web content
    management system that integrates with Apache and runs on Linux,
    MacOS/X and WindowsNT/2000.

    Ease of Exploitation: Straightforward.
    The advisory contains detailed information about the vulnerability
    and how to exploit it.

    Status: Vendor confirmed, patch available.

    References:
    Security Advisory by Mindwarper:
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0075.html

    Vendor Security Patch:
    http://www.mamboserver.com/Security_Patch_307.tar.gz

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/6572
    http://online.securityfocus.com/bid/6571

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    Forristal and the Neohapsis team scour all of the major vendor
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newsletters/sac/

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers, to
    GIAC certified security professionals, and to recent alumni of SANS
    courses. Eligible recipients may register all other technical and
    managerial security staff in their organizations, or may forward it
    to any such persons in their organizations, but not to people outside
    their organizations.

    Copyright 2002. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansrosans.org
    for permission.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS' other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers.) You will receive your personal URL via email.

                             ==end==