SANS Critical Vulnerability Analysis Vol 2 No 09
From: The SANS Institute (CriticalVulnerabilityAnalysis at sans.org)
Date: Mon Mar 10 2003 - 09:19:39 CST
***********************************************************************
SANS Critical Vulnerability Analysis
March 10, 2003 Vol. 2. No. 9
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software:
(1) CRITICAL: Sendmail Crackaddr() Address Header Parsing Overflow
(2) HIGH: Snort RPC Preprocessor Buffer Overflow
(3) MODERATE: Macromedia Flash Player Code Execution Vulnerability
Other Software:
(4) HIGH: VERITAS BMR Remote Command Execution Vulnerability
(5) LOW: Hypermail Multiple Vulnerabilities
(6) LOW: tcpdump ISAKMP Parsing DoS
**************************** Sponsored Link ***************************
Privacy notice: This link redirects to a non-SANS web page.
Anti-Vulnerability plugin for Snort IDS provides intelligence,
accuracy, and remote patching functions. Free trial download.
http://www.sans.org/cgi-bin/sanspromo/CVA25
***********************************************************************
***************************************************************
Widely Deployed Software
***************************************************************
(1) CRITICAL: Sendmail Crackaddr() Address Header Parsing Overflow
Affected Products:
Sendmail open source versions prior to 8.12.8 (all platforms)
Sendmail Pro (all versions)
Sendmail Switch 2.1, 2.2, 3.0
Sendmail for NT 2.x and 3.0
Description:
Sendmail contains a heap-based buffer overrun in code responsible for
parsing header and command values that can contain lists of email
addresses (e.g. To:, From:, CC:, Mail From:). The problem arises
because Sendmail's crackaddr() function fails to properly handle the
"<" and ">" characters. Remote attackers may exploit the flaw to gain
root privileges by sending a specially crafted command or email message
to a vulnerable server. Note that the vulnerability can be triggered
by an email simply passing through a Sendmail system, and malicious
messages can be forwarded to, and thus compromise, mail handlers that
are not Internet-facing. One exploit has been posted to Bugtraq and at
least one other is known to be circulating in the attacker community.
Risk: Remote root compromise of systems running Sendmail.
Deployment: Widely deployed.
According to ISS, Sendmail has been documented to handle between 50%
and 75% of all email traffic, and is the most common mail transfer
agent (MTA) used on the Internet.
Ease of Exploitation: Varies.
The vulnerability is challenging to exploit, and may not be exploitable
on all platforms. However, exploit code for Sendmail 8.11.6 running
on Slackware 8.0 has been posted publicly, providing attackers with
a tool that can be adapted to attack other platforms.
Status: The vendor has released both fixed source code and
patches. Because several vendors ship the fix as a backport that keeps
the old version string (e.g. a patched 8.11.6), do not judge a host by
its version number alone. Users can verify that a Sendmail binary
contains the patch by running the following command in the directory
where the program is located:
strings sendmail | grep 'Dropped'
If the word 'Dropped' prints to the screen, the binary contains the
patch (the fix adds a log message containing that word).
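The two checks above (the 8.12.8 version threshold and the 'Dropped' string) folded into one triage script. This is an added example, not code from the CVA, Sendmail or ISS. It assumes the usual SMTP greeting format ("220 host ESMTP Sendmail 8.11.6/8.11.6; ..."), the "Version x.y.z" line printed by sendmail -d0.1 -bv root, and constructed sample bytes standing in for a binary; the exact text of the patch's log message is also an assumption, only the word 'Dropped' is taken from the advisory.

```python
"""Triage helper for the Sendmail crackaddr() fix (CVA Vol. 2 No. 9, item 1).

Added example, not code from the CVA, Sendmail or ISS. It encodes the two
checks the advisory describes: the fixed-version threshold (8.12.8) and the
'strings sendmail | grep Dropped' test for the patch's log string, which
matters because vendor backports keep the old version number.
"""
import re
import sys

# First open-source release carrying the fix, per the advisory.
FIXED_VERSION = (8, 12, 8)

# Matches "Sendmail 8.11.6" in an SMTP greeting and "Version 8.12.8" as
# printed by 'sendmail -d0.1 -bv root' (assumed output format).
VERSION_RE = re.compile(r"\b(?:Sendmail|Version)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first Sendmail x.y.z in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def version_is_fixed(version):
    """True when the reported version is at or above 8.12.8."""
    return version is not None and version >= FIXED_VERSION


def has_dropped_marker(data):
    """Equivalent of 'strings sendmail | grep Dropped' over the binary's bytes.

    The fix adds a log message containing the word 'Dropped'. Its presence
    means the patch was compiled in, even when the version string is older
    than 8.12.8 because a vendor backported the change.
    """
    return b"Dropped" in data


def binary_has_dropped_marker(path):
    """File-based wrapper around has_dropped_marker()."""
    with open(path, "rb") as fh:
        return has_dropped_marker(fh.read())


def assess(version_text, binary_data=None):
    """Combine both checks.

    The binary check is the stronger signal when available; a banner can be
    customised or hidden, so on its own it is only a hint.
    """
    version = parse_version(version_text)
    if version_is_fixed(version):
        return "fixed"
    if binary_data is not None and has_dropped_marker(binary_data):
        return "patched-backport"
    if version is None:
        return "unknown"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real captures or a real binary.
    banner = ("220 mail.example.com ESMTP Sendmail 8.11.6/8.11.6; "
              "Mon, 10 Mar 2003 09:19:39 -0600")
    fake_binary = b"\x7fELF\x00Dropped invalid comments from header address\x00"
    print(assess(banner))               # banner alone: vulnerable
    print(assess(banner, fake_binary))  # backported patch: patched-backport
    if len(sys.argv) > 2:               # usage: script.py "<banner>" /path/to/sendmail
        with open(sys.argv[2], "rb") as fh:
            print(assess(sys.argv[1], fh.read()))
```

A "vulnerable" verdict from the banner alone is worth a second look at the binary, since a backported fix on 8.11.x reports the old version; a "patched-backport" verdict still deserves confirmation against the vendor's own advisory, because the word 'Dropped' could in principle occur in an unrelated string.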
References:
ISS X-Force Advisory and Additional Information
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.iss.net/security_center/static/10748.php
CERT Advisory
http://www.cert.org/advisories/CA-2003-07.html
Sendmail Advisory
http://www.sendmail.org/8.12.8.html
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/6991
Last Stage of Delirium Analysis and Exploit (linx86_sendmail.c)
http://archives.neohapsis.com/archives/bugtraq/2003-03/0054.html
Method to Verify that a Sendmail Binary Contains the Patch
http://archives.neohapsis.com/archives/bugtraq/2003-03/0078.html
Council Site Actions:
All reporting council sites took immediate action in response to this
vulnerability -- most of them patched Internet accessible systems
within hours of the patch release. One site had an extensive number
of affected hosts and patched 30% (the most critical servers) of
them within the first 24 hours. They will continue patch roll-out
and closely monitor for exploit conditions.
Most of the council sites already installed the patches or are in
the process of installing the patches to both external and internal
hosts. All council sites considered this a critical problem, even for
non-Internet facing systems, since the exploit could be used to spread
worm code throughout an enterprise. Hence, they sense an urgency in
rolling out patches to all systems running the affected code.
**************************************************************
(2) HIGH: Snort RPC Preprocessor Buffer Overflow
Affected Products:
Snort 1.8 through 1.9.0 and 2.0 beta
Description:
A remotely exploitable buffer overflow exists in the Snort RPC
preprocessor. The preprocessor performs length comparisons incorrectly
when handling RPC fragments. A remote attacker can cause the sensor
to execute arbitrary code by sending specially crafted RPC traffic
to any IP address monitored by Snort. Because the Snort process
typically runs as root, attacker-supplied code will be executed with
root privileges. The vulnerable preprocessor is enabled by default.
Risk: Remote root compromise of systems running Snort. Note that
compromise of an IDS sensor typically provides an attacker with access
to large volumes of sensitive network data that can be leveraged to
further compromise the network.
Deployment: Significant.
Snort is widely used by the open source community and is also
installed on some commercially available network security appliances
(e.g. Silicon Defense Sentarus Sensor, Guardent Security Defense
Appliance, Sourcefire Network Sensor)
Ease of Exploitation: Unknown.
Few technical details were provided. An attacker could study the
differences between the fixed and vulnerable source code to discover
information.
Status: Vendor confirmed, the problem is fixed in Snort version 1.9.1.
As a workaround, the RPC preprocessor can be disabled. In addition,
blocking out-bound traffic from the Snort sensor will make it more
difficult for an attacker to take advantage of this flaw.
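The interim workaround named above, disabling the RPC preprocessor until the sensor is on 1.9.1, as a small configuration-rewriting script. This is an added example, not code from the CVA or the Snort project. It assumes the Snort 1.x configuration syntax, in which the preprocessor is switched on by a line of the form "preprocessor rpc_decode: 111 32771" (the default snort.conf entry), and the sample configuration is constructed.

```python
"""Interim workaround for the Snort RPC preprocessor overflow (CVA Vol. 2 No. 9,
item 2): comment out every active rpc_decode directive in a snort.conf.

Added example, not code from the CVA or the Snort project. Assumes Snort 1.x
configuration syntax ('preprocessor rpc_decode: <ports>').
"""
import re
import sys

# An active (uncommented) rpc_decode directive, whatever its port list.
RPC_DECODE_RE = re.compile(r"^\s*preprocessor\s+rpc_decode\b")


def rpc_preprocessor_enabled(conf_text):
    """True if any active line in conf_text turns on rpc_decode."""
    return any(RPC_DECODE_RE.match(line) for line in conf_text.splitlines())


def disable_rpc_preprocessor(conf_text, note="disabled pending upgrade to Snort 1.9.1"):
    """Return (new_text, count): every active rpc_decode line commented out.

    Lines that are already comments, and all other preprocessors, are left
    exactly as they were, so running this twice changes nothing the second time.
    """
    out, count = [], 0
    for line in conf_text.splitlines():
        if RPC_DECODE_RE.match(line):
            out.append("# %s: %s" % (note, line.strip()))
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


# Constructed sample resembling the preprocessor section of a Snort 1.9 snort.conf.
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111
preprocessor bo: -nobrute
"""


if __name__ == "__main__":
    # usage: script.py [path/to/snort.conf]  (prints the rewritten config)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    new_text, n = disable_rpc_preprocessor(text)
    print("rpc_decode directives disabled: %d" % n)
    print(new_text, end="")
```

The script only looks at the one file it is given; a snort.conf that pulls in other files with "include" needs each of those checked as well, and the sensor must be restarted (after validating the edited configuration with Snort's configuration test switch, -T) for the change to take effect. Independently of this workaround, running the sensor under an unprivileged account with Snort's -u and -g switches limits what a preprocessor compromise yields, which addresses the "typically runs as root" point above.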
References:
ISS X-Force Advisory and Additional Information
http://www.iss.net/security_center/static/10956.php
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/916785
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/6963
Snort Website
http://www.snort.org
Council Site Actions:
Four of the reporting council sites have Snort implementations and
all of them took immediate action. One site initially disabled the
RPC preprocessor and then upgraded to version 1.9.1. Two other sites
completed upgrading their affected systems last week, and the fourth
site is in the process of upgrading its systems and will be done
within the next few days.
****************************************************************
(3) MODERATE: Macromedia Flash Player Code Execution Vulnerability
Affected Products:
Macromedia Flash prior to version 6,0,79,0
Description:
Macromedia has released a critical update and an advisory that
indicates that Flash Player contains a code execution security
vulnerability. The advisory states that the patch protects users from
Flash content that attempts to execute malicious code, and mentions
exploits involving buffer overflows and the compromise of sandbox
integrity. Further information was not made available.
Risk: Compromise of the system running Flash Player, with the
privileges of the user running Flash.
Deployment: Huge.
According to Macromedia, Flash player is deployed to 98% of web users.
Ease of Exploitation: Unknown.
Few technical details were provided.
Status: Vendor confirmed, the problems are fixed in version 6,0,79,0.
References:
Macromedia Advisory
http://archives.neohapsis.com/archives/vendor/2003-q1/0068.html
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/7005
Macromedia Background Information:
http://www.macromedia.com/macromedia/
Council Site Actions:
All but one of the council sites reported that Macromedia Flash
is not a supported product within their organization. However,
most of them also stated they realize that many users download
and install this application (along with other similar types of
applications). Several council members voiced their frustration in
dealing with vulnerabilities that affect client applications that
are not officially supported by the organization. They typically
inform the appropriate support groups and suggest that patches should
be deployed. However, the support groups often reply with "we don't
support that software".
The remaining council site stated that it will roll out the
patch/upgrade during the next regularly scheduled patch update.
***************************************************************
Other Software
***************************************************************
(4) HIGH: VERITAS BMR Remote Command Execution Vulnerability
Affected Products:
VERITAS Bare Metal Restore (BMR) for Tivoli Storage Manager
versions 3.1.0, 3.1.1, 3.2.0 and 3.2.1
Description:
Bare Metal Restore for Tivoli Storage Manager is a disaster recovery
product that allows Windows and Unix machines to be completely
restored from Tivoli Storage Manager backups. The Main Server
is the administrative component of BMR, and can be managed via a
browser-based GUI. A VERITAS security advisory indicates that remote
attackers can exploit a vulnerability in the Main Server to execute
arbitrary commands with administrator/root privileges.
Risk: Remote root compromise of the VERITAS BMR Main Server.
Deployment: Moderate.
The product is most often used in large enterprises with thousands
of systems.
Ease of Exploitation: Unknown.
Few technical details were provided.
Status: Vendor confirmed, patch available.
References:
VERITAS Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-02/0333.html
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/6928
VERITAS Additional Details and Solution
http://seer.support.veritas.com/docs/252933.htm
http://seer.support.veritas.com/docs/254442.htm
http://seer.support.veritas.com/docs/254666.htm
BMR Background Information:
http://www.tkg.com/#bmrtsm
http://support.veritas.com/FAQ/faq_ddProduct_BMRTSM.htm
http://www-3.ibm.com/software/tivoli/solutions/storage/
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.
**************************************************************
(5) LOW: Hypermail Multiple Vulnerabilities
Affected Products:
Hypermail prior to version 2.1.7
Description:
Hypermail is an open source program that converts email messages from
Unix mailbox format into cross-linked HTML pages. A SuSE security
audit revealed that the program contains multiple vulnerabilities,
the most serious of which allows remote attackers to execute arbitrary
code on the system running Hypermail. Other vulnerabilities include
denial of service, information exposure, a temp file race condition,
and the mail CGI program can be used as an email relay by spammers. No
further technical details have yet been provided.
Risk: Remote compromise of systems running Hypermail, with the
privileges of the Hypermail process.
Deployment: Moderate.
Hypermail is popular with Unix administrators providing web-based
access to mailing list archives.
Ease of Exploitation: Unknown.
Few technical details were provided. An attacker could study the
differences between the fixed and vulnerable source code to discover
information.
Status: Vendor confirmed, the problems are fixed in Hypermail version
2.1.7.
References:
SuSE Advisory
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0588.html
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/6973
Hypermail Website
http://www.hypermail.org/
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.
**************************************************************
(6) LOW: tcpdump ISAKMP Parsing DoS
Affected Products:
tcpdump versions prior to 3.7.2 are believed to be vulnerable.
Description:
Tcpdump contains a denial of service vulnerability in the decoding of
ISAKMP (port 500/udp) packets. A remote attacker can spoof a malicious
ISAKMP packet which, when read by a vulnerable tcpdump application,
will cause tcpdump to enter an infinite loop and ignore all subsequent
network traffic.
Risk: Remote DoS to any program relying on tcpdump to process network
traffic, including the Navy's open source SHADOW IDS.
Deployment: Small. This vulnerability is most important to
organizations relying on long-running tcpdump-based programs to
perform traffic analysis for security purposes.
Ease of Exploitation: Trivial.
Exploit code that generates the malicious ISAKMP packets has been
posted. An attacker's biggest challenge is figuring out where (and
perhaps when) to send the packets so that they are processed by a
tcpdump application.
Status: Vendor confirmed, the problem is fixed in tcpdump version
3.7.2.
References:
iDefense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0100.html
Exploit Code by "The Saliva Twist" (ST-tcphump.c)
http://www.packetstormsecurity.nl/filedesc/ST-tcphump.c.html
SecurityFocus Vulnerability Information
http://www.securityfocus.com/bid/6974
tcpdump Website
http://www.tcpdump.org/
Council Site Actions:
Only four of the council sites reported use of the tcpdump program
- mostly by the network administration or infosec teams. One site
has already updated its versions of tcpdump. A second site
will upgrade the affected systems during the normal update cycle.
The remaining two sites don't plan any action at this time since
their use of tcpdump is very limited and should not be
affected by the vulnerability.
************************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are listed below. These
recommendations should be tailored according to the level of deployment
of the affected product at your organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro at sans.org
for permission.
==end==