From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Feb 17 2003 - 08:49:57 CST

    ***********************************************************************
                       SANS Critical Vulnerability Analysis
    February 17, 2003, Vol. 2, No. 6
    ***********************************************************************

    The weekly CVA prioritizes and summarizes the most important
    vulnerabilities and attacks identified during the past week and
    provides guidance on appropriate actions to protect your systems.

    ***********************************************************************

    Table of Contents
    -----------------
    Widely Deployed Software:
    (1) MODERATE: SQLBase EXECUTE Command Parameter Buffer Overflow
    (2) LOW: AIX libnsl Signed Integer Overflow

    Other Software:
    (3) MODERATE: Opera Browser Username Buffer Overflow
    (4) MODERATE: AbsoluteTelnet Client Terminal Titlebar Buffer Overflow

    **************************************************************
    Widely Deployed Software
    **************************************************************

    (1) MODERATE: SQLBase EXECUTE Command Parameter Buffer Overflow

    Affected products:
    SQLBase 8.0.0 and 8.1.0

    Description:
    The SQLBase SQL server contains a buffer overflow in handling large
    parameters passed to the EXECUTE command. Attackers can exploit the
    vulnerability to execute arbitrary code with Windows SYSTEM privileges.
    The standard default database that ships with SQLBase is called
    "Island", and it allows remote users to authenticate using the SYSADM
    account and a blank password. Attackers that can access the Island
    database (or attackers with valid authentication credentials) can
    issue the EXECUTE command and exploit the vulnerability.

    Risk: Remote SYSTEM-level compromise of Windows hosts running the
    SQLBase SQL server.

    Deployment: Significant.
    SQLBase is a relational database management system for Windows.
    According to the vendor website, SQLBase is currently deployed at
    thousands of companies worldwide and has more than one million users.

    Ease of Exploitation: Unknown, but assumed to be straightforward.
    An example showing how to trigger the overflow to crash the SQLBase
    service was provided in the advisory.

    Status: This bug was originally discovered in release 8.0.0. The
    vendor acknowledged and released version 8.1.0 which was supposed
    to fix the problem. According to the advisory, the updated version
    still contains the overflow, it just takes a longer malicious input
    to trigger the flaw. The vendor has not acknowledged the problem
    in version 8.1.0 and no working patch is available. Traffic to port
    2155/tcp can be blocked to limit access to the vulnerable service.

    References:
    ---------------
    VulnWatch posting by Arjun Pednekar:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0062.html

    ISS Advisory:
    http://www.iss.net/security_center/static/11269.php

    Secunia Advisory:
    http://www.secunia.com/advisories/8023/

    Vendor Website (Gupta Technologies):
    http://www.guptaworldwide.com/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    ************************************************************

    (2) LOW (speculative): AIX libnsl Signed Integer Overflow

    Affected Products:
    AIX (assume all versions)

    Description:
    IBM has released APAR IY38434, which fixes a signed integer overflow
    vulnerability in the libnsl library, specifically in XDRMEM_GETBYTES.
    Any program using libnsl could potentially be affected. Libnsl, the
    network services library, provides functions that allow application
    programs to interface to network services and includes a remote
    procedure call mechanism. The only description provided by IBM is
    "malicious data could cause programs depending on libnsl to crash". It
    is unknown whether the vulnerability could be exploited by remote
    attackers to execute code. Similar vulnerabilities discovered in the
    past have enabled remote root compromise.

    Risk: Unknown, but possibly remote root compromise of servers running
    network programs linked against the vulnerable library. Because IBM has
    provided no details, this risk assessment is based on similar
    vulnerabilities discovered in the past.

    Deployment: Significant.
    All AIX versions are believed to rely on the vulnerable
    libraries. Based on information associated with a different
    remotely-exploitable libnsl integer overflow bug, it appears that
    AIX may share libnsl code with SUN (and potentially other vendors),
    suggesting that platforms other than AIX may be vulnerable.

    Ease of Exploitation: Unknown. No technical details were provided in
    the advisory.

    Status: This vulnerability has been confirmed and fixed by the vendor.

    References:
    ------------
    IBM Advisory:
    http://archives.neohapsis.com/archives/aix/2003-q1/0001.html

    Background information provided by reports about
    DIFFERENT (but similar) vulnerabilities:
    http://www.ciac.org/ciac/bulletins/i-072.shtml
    http://www.ciac.org/ciac/bulletins/h-06a.shtml
    http://www.cert.org/advisories/CA-2002-25.html

    Council Site Actions:
    AIX is in use at a number of the council sites; however, most of the
    installations are small, and these sites are currently treating this
    as a low priority and just investigating the potential threat level at
    this stage. Several of the sites that are not using AIX platforms have
    chosen to investigate the level of vulnerability on other platforms.

    **************************************************************
    Other Software
    **************************************************************

    (3) MODERATE: Opera Browser Username Buffer Overflow

    Affected Products:
    Opera 6.05 build 1140
    Opera 7 beta2 build 2577
    possibly other Opera releases

    Description:
    The Opera web browser contains a buffer overflow in handling URLs
    containing very long usernames. Attackers can exploit the flaw to
    execute arbitrary code on the system running Opera. Exploitation
    requires that the Opera browser attempt to load a malicious URL, which
    could be accomplished by clicking on a link or viewing a malicious
    web page that automatically loads the URL, for example.

    Risk: Compromise of the system running Opera.

    Deployment: Moderate.
    The Opera browser is ranked third among browsers worldwide behind
    Internet Explorer and Netscape. The software was designed to be
    compact, making it a popular browser solution for embedded devices.
    Opera runs on Windows, OS/2, Linux, BeOS, BeIA, Symbian OS, and QNX.

    Ease of Exploitation: Straightforward.
    The attacker must craft a URL of the form: http://USERNAME, where
    USERNAME is an over-sized string. The advisory provides example
    exploit code (said to launch calc.exe) and many technical details.

    Status: According to the advisory, the vendor has been advised of the
    problem but has not confirmed it. No patch is available, but the advisory
    suggests a workaround that involves modifying Opera's language file.

    References:
    ------------
    Advisory and Exploit Code by nesumin:
    http://www.securiteam.com/windowsntfocus/5MP0B0096Y.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0121.html

    Vendor Website:
    http://www.opera.com

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    **************************************************************

    (4) MODERATE: AbsoluteTelnet Client Terminal Titlebar Buffer Overflow

    Affected Products:
    AbsoluteTelnet client version 2.00 and 2.11

    Description:
    The AbsoluteTelnet client contains a buffer overflow when handling
    escape sequences sent by the server that set the terminal titlebar
    to an oversized string. A malicious terminal server could exploit
    the vulnerability to execute arbitrary code on the client with
    the privileges of the user running AbsoluteTelnet. On a multi-user
    terminal server, a malicious user could alternatively exploit the
    vulnerability to compromise another user. In this case, the attacker
    needs to place the malicious escape sequence in a file and trick
    the victim into viewing the file contents over the connection (the
    AbsoluteTelnet client interprets the escape sequence arriving across
    the TCP channel as a command).
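    The mechanism above, a title-setting escape sequence carried inside the
    ordinary terminal byte stream, is what a defensive filter in front of a
    client would have to recognise. The following is an added example, not
    code from the CVA, the advisory or AbsoluteTelnet: it assumes the xterm-style
    OSC title sequence (ESC ] Ps ; text BEL, or ESC \ as terminator), uses a
    constructed MAX_TITLE limit, and keeps state so that a sequence split
    across several TCP segments is still bounded as one sequence.

```python
# Added example (not from the CVA or AbsoluteTelnet): a streaming filter that
# bounds terminal title-change sequences before they reach a client. Assumes the
# xterm-style OSC form ESC ] Ps ; text BEL (or ESC \); MAX_TITLE is constructed.
ESC, BEL = 0x1B, 0x07
MAX_TITLE = 64
class TitleFilter:
    """Passes terminal bytes through, truncating over-long OSC payloads. State
    persists across feed() calls, so a sequence split over TCP segments is one."""
    def __init__(self, max_title=MAX_TITLE):
        self.max_title = max_title
        self.state = "NORMAL"        # NORMAL | ESC | OSC | OSC_ESC
        self.payload = bytearray()   # OSC payload collected so far (bounded)
        self.overflowed = False      # current OSC exceeded max_title
        self.truncated = 0           # sequences cut down so far (for logging)

    def feed(self, data):
        out = bytearray()
        for b in data:
            self._step(b, out)
        return bytes(out)

    def _step(self, b, out):
        if self.state == "NORMAL":
            if b == ESC:
                self.state = "ESC"
            else:
                out.append(b)
        elif self.state == "ESC":
            if b == 0x5D:                 # ']' opens an OSC string
                self.payload.clear()
                self.overflowed = False
                self.state = "OSC"
            else:                         # any other escape: pass through
                out += bytes((ESC, b))
                self.state = "NORMAL"
        elif self.state == "OSC":
            if b == BEL:
                self._emit(out, bytes((BEL,)))
            elif b == ESC:
                self.state = "OSC_ESC"
            elif len(self.payload) < self.max_title:
                self.payload.append(b)    # buffer only up to the limit
            else:
                self.overflowed = True    # drop the excess, remember it
        elif self.state == "OSC_ESC":
            if b == 0x5C:                 # '\' completes ST, ends the OSC
                self._emit(out, bytes((ESC, b)))
            else:                         # a new escape began: drop the
                self.state = "ESC"        # unterminated title, reprocess b
                self._step(b, out)

    def _emit(self, out, terminator):
        self.truncated += self.overflowed   # bool counts as 1 when truncated
        out += b"\x1b]" + bytes(self.payload) + terminator
        self.state = "NORMAL"
```

    The `truncated` counter is the detection hook: a non-zero value on a
    session is worth logging, since ordinary servers do not emit titles
    longer than a few dozen bytes.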

    Risk: Remote terminal client compromise by a hostile server.

    Deployment: Moderate.
    AbsoluteTelnet is a popular shareware terminal client for Windows that
    supports telnet, SSH and a number of advanced options. Download.com
    reports over 200,000 downloads of the version 2.11 software since
    Dec. 30, 2002.

    Ease of Exploitation:
    DoS -- Trivial. Examples showing how to trigger a client crash were
    included with the advisory.

    Code execution -- Unknown, but believed to be straightforward.
    Version 2.11 is more difficult to exploit than version 2.00 because
    the client performs a unicode conversion on the attacker-supplied
    string. According to CERT, an exploit is publicly available.

    Status: Vendor confirmed. Users are advised to upgrade to version
    2.12 RC10 which contains a fix.

    References:
    -------------
    Bugtraq posting by Knud:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0089.html

    CERT Vulnerability Note #VU666073:
    http://www.kb.cert.org/vuls/id/666073

    Download.com AbsoluteTelnet page:
    http://download.com.com/3000-2155-10177893.html?tag=just_in

    Vendor Website:
    http://www.celestialsoftware.net/

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to people
    responsible for securing information systems and networks. You may
    forward this newsletter to any people with such responsibility inside
    or outside your organization.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers). You will receive your personal URL via email.

    Copyright 2003. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansrosans.org
    for permission.
                             ==end==
