SANS Critical Vulnerability Analysis Vol 2 No 11
From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Mar 24 2003 - 08:01:46 CST
***********************************************************************
SANS Critical Vulnerability Analysis
March 24, 2003 Vol. 2. No. 11
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) CRITICAL: SUN XDR Library XDRMEM_GETBYTES Integer Overflow
(2) CRITICAL: Microsoft Windows 2000 ntdll.dll Buffer Overflow
(3) CRITICAL: Kerberos v4 Multiple Protocol Weaknesses
(4) HIGH: Samba SMB/CIFS Packet Reassembly Buffer Overflow
(5) MODERATE: Microsoft Windows Script Engine Integer Overflow
(6) MODERATE: BEA WebLogic Unprotected Internal Applications
(7) MODERATE: OpenSSL Timing Attack Private Key Disclosure
Other Software
(8) MODERATE: McAfee ePolicy Orchestrator Format String Vulnerability
************************* Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.
GFI LANguard S.E.L.M.: Event-log-based intrusion detection and network-wide
event log management - Download free starter-pack!
http://www.sans.org/cgi-bin/sanspromo/CVA29
---------------------------------
Stop spam! Learn the Top 10 enterprise techniques to control spam
***request the white paper
http://www.sans.org/cgi-bin/sanspromo/CVA30
--------------------------------
Instantly stop DDoS attacks and port scans. Hands-on, online demo-
launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA31
***********************************************************************
**************************************************************
Widely Deployed Software
**************************************************************
(1) CRITICAL: SUN XDR Library XDRMEM_GETBYTES Integer Overflow
Affected Products:
Applications using vulnerable implementations of SunRPC-derived
XDR libraries, including:
* SUN Microsystems network services library (libnsl)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with SunRPC (glibc)
Description:
The SUN Microsystems XDR libraries provide a platform-independent
mechanism for applications to converse over the network. These
libraries are widely used in RPC implementations that run on multiple
platforms. An integer overflow vulnerability exists in the XDRMEM_GETBYTES
library function, making any application linked against an affected
library potentially vulnerable. An example showing how to trigger
the bug via a malformed call to the Solaris rpcbind service has
been posted. Because RPC services often run as root, exploitation
of this flaw can result in remote root compromise. This vulnerability
was previously reported in the February 17, 2003 CVA (item #2).
Risk: Remote compromise.
Remotely exploitable buffer overflows in multiple applications can lead
to the execution of arbitrary code with root privileges. There have also
been reports that the rpcbind service can be crashed.
Deployment: Widely deployed. Affected products/vendors include:
Cray, FreeBSD, Linux (Caldera, Conectiva, Debian, EnGarde, Mandrake,
Openwall, RedHat, SuSE, Trustix), HP-UX, AIX, Kerberos 5, OpenAFS,
OpenBSD, IRIX and Solaris.
Ease of Exploitation: Unknown.
A few examples of how to exploit the condition to cause a DoS are
available, but no exploits enabling system compromise have yet been
released.
Status: Some vendors have confirmed and are providing patches; others
are still investigating the problem. Consult the CERT advisory and
SecurityFocus pages to find a patch from your vendor.
References:
CERT Advisory and Vulnerability Note
http://www.cert.org/advisories/CA-2003-10.html
http://www.kb.cert.org/vuls/id/516825
eEye Advisory
http://www.eeye.com/html/Research/Advisories/AD20030318.html
Previous report in 2/17/03 SANS CVA (item #2):
http://www.sans.org/newsletters/cva/vol2_6.php
Early Leak of Advisory to Full Disclosure List (3/16/03)
http://lists.netsys.com/pipermail/full-disclosure/2003-March/004526.html
News Article about Leaks
http://www.ds-osac.org/view.cfm?key=7E4457414B50&type=2B170C1E0A3A0F162820
SecurityFocus BID
http://www.securityfocus.com/bid/7123
Council Site Actions:
Most of the reporting council sites are still evaluating the
criticality of this vulnerability (due to the conflicting reports) and
have notified their Unix support departments. Almost all sites plan to
roll out the patches when they become available. Most of the sites
reported that they block incoming RPC-based services at their network
perimeters, which helps mitigate or reduce the threat of this problem.
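The integer-overflow pattern behind item (1), shown as an added illustration in C that is not the newsletter's or any affected vendor's code: a simplified model of a memory-backed XDR stream (struct xdr_mem and the getbytes_check_flawed, getbytes_check_fixed, xdrmem_getbytes_fixed and xdr_read_u32 names are all constructed for this example) contrasts a subtract-then-test length check, which wraps when a signed remaining-byte counter meets a very large unsigned length, with a compare-before-subtract check that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal model of a memory-backed XDR stream, constructed for this
 * example; it is not the glibc/libnsl implementation. 'remaining' is the
 * count of not-yet-decoded bytes and is deliberately a signed int, the
 * classic layout of such a counter. */
struct xdr_mem {
    const unsigned char *cur;   /* next byte to decode */
    int remaining;
};

/* Flawed pattern: subtract the requested length from the counter first,
 * then test whether the result went negative. The signed counter is
 * promoted to unsigned for the subtraction, so a 'len' close to 2^32
 * wraps the result back to a small positive value and the check passes.
 * Returns whether the request would be accepted; no copy is made. */
bool getbytes_check_flawed(int remaining, unsigned int len)
{
    /* converting an out-of-range unsigned value back to int is
     * implementation-defined; common compilers make it modular */
    int after = (int)(remaining - len);
    return after >= 0;
}

/* Corrected pattern: compare before subtracting, entirely in the
 * unsigned domain, so no wrap-around is possible. */
bool getbytes_check_fixed(int remaining, unsigned int len)
{
    if (remaining < 0)
        return false;
    return len <= (unsigned int)remaining;
}

/* A getbytes that applies the corrected check before copying anything. */
bool xdrmem_getbytes_fixed(struct xdr_mem *x, unsigned char *out,
                           unsigned int len)
{
    if (!getbytes_check_fixed(x->remaining, len))
        return false;
    memcpy(out, x->cur, len);
    x->cur += len;
    x->remaining -= (int)len;
    return true;
}

/* Decode one big-endian XDR 32-bit field, e.g. the length prefix of an
 * opaque, from four bytes already pulled out of the stream. */
unsigned int xdr_read_u32(const unsigned char *p)
{
    return ((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16) |
           ((unsigned int)p[2] << 8) | (unsigned int)p[3];
}
```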
*************************************************************
(2) CRITICAL: Microsoft Windows 2000 ntdll.dll Buffer Overflow
Affected Products:
Microsoft Windows 2000
Description:
A buffer overflow vulnerability has been discovered in a core Windows
2000 operating system component used to interact with the Windows
kernel. This component, called ntdll.dll, is part of the Win32 API
libraries and is utilized by many applications. Currently the only
proven exploitation method is via a malformed WebDAV request to an IIS
5.0 server, although additional attack vectors are believed to exist.
An exploit for the vulnerability has been recovered, apparently from
a compromised military system. The recovered exploit utilizes a very
long GET request containing more than 65,000 characters in the URL,
along with the WebDAV "Translate: f" header. The underlying bug can
also be triggered by using WebDAV-specific HTTP methods such as LOCK
and SEARCH with very long URLs. Successful exploitation allows a
remote attacker to gain SYSTEM privileges.
Risk: Remote compromise.
A malicious user could potentially run any code of their choosing on
the victim's system.
Deployment: Widely deployed.
The vulnerable component is present by default in all Windows 2000
installations. Only systems running IIS 5.0 are vulnerable to the
WebDAV attack vector. (IIS enables WebDAV support by default). Note
that researchers from NGSSoftware have been able to isolate additional
attack vectors, some of which do not involve IIS. Thus all Windows
2000 systems should be considered vulnerable to attack.
Ease of Exploitation: An exploit is known to exist but is very closely
traded. Many people predict that a worm will soon be developed.
Status: Vendor confirmed, patches available. Note that the patch is
known to cause problems under some configurations. Please see the
NTBugtraq FAQ and the Microsoft Bulletin for details.
Severity: CRITICAL (remote SYSTEM-level server compromise, exploit
available, widely deployed)
References:
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
CERT Advisory
http://www.cert.org/advisories/CA-2003-09.html
NTBugtraq FAQ (describes problems with patch)
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=74
List of Applications Using ntdll.dll
http://www.bugtoaster.com/dw15/Reports/ApplicationDetail.asp?Company=Microsoft+Corporation&BaseName=ntdll.dll
Incidents.org Advisory
http://isc.incidents.org/analysis.html?id=183
News Article: US Military Computer Attacked
http://www.msnbc.com/news/886524.asp?0cv=CB10
SecurityFocus BID
http://www.securityfocus.com/bid/7116
Snort Signatures provided by SecurityFocus
http://archives.neohapsis.com/archives/sf/pentest/2003-03/0131.html
NGS Software Vulnerability Analysis
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0144.html
Council Site Actions:
This problem was treated as a high priority and urgent problem by
all reporting council sites. The lack of clear information from
Microsoft and the conflicting reports from outside sources have made
risk evaluations and remediation efforts challenging for many of
the council sites. NTDLL.DLL is a critical system problem that needs
patching on all systems regardless of whether IIS is running. This is
a potentially daunting task for sites with large MS installations.
Several sites are following a common plan: 1) Identify all IIS servers;
2) Disable IIS where possible; 3) Disable WebDAV where possible; 4)
immediately take some action to mitigate vulnerability of remaining
servers that use WebDAV (either patching, installing URLScanner
or modifying MaxClientRequestBuff). Other sites reported that they
patched externally facing systems and are working on patching internal
systems over the next week. One site reported they installed Snort
filters in addition to other mitigation steps. They have not seen
any evidence of attacks so far.
*************************************************************
(3) CRITICAL: Kerberos v4 Multiple Protocol Weaknesses
Affected Products:
Kerberos version 4 protocol
Some implementations that support both Kerberos 4 and Kerberos 5
Description:
MIT has released a critical security advisory detailing the existence
of many cryptographic weaknesses in the Kerberos version 4 protocol.
These design flaws could allow an attacker to impersonate any user
in a Kerberos realm and may lead to root-level compromise of the
Kerberos Key Distribution Center (KDC) and any hosts that rely on it
for authentication. Kerberos version 5 is not vulnerable; however,
implementations using both Kerberos 4 and Kerberos 5 often use the same
keys for both protocols. Thus Kerberos 5 services can be compromised
via the Kerberos 4 vulnerabilities.
Risk: Remote compromise and potential takeover of KDC server.
Deployment: Significant.
Kerberos is one of the most widely used authentication protocols on
the Internet, and is implemented in dozens of applications.
Ease of Exploitation: Straightforward.
An attacker familiar with Kerberos can easily implement the attacks
detailed in the leaked paper.
Status: Vendor confirmed, MIT has released patches.
References:
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/623217
MIT Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-03/0235.html
Early Leak of Detailed Advisory to Full Disclosure List (3/15/03)
http://lists.netsys.com/pipermail/full-disclosure/2003-March/004525.html
News Articles
http://www.ds-osac.org/view.cfm?key=7E4457414B50&type=2B170C1E0A3A0F162820
http://www.eweek.com/article2/0,3959,937375,00.asp
SecurityFocus BID
http://www.securityfocus.com/bid/7113
Council Site Actions:
Kerberos V4 is not in widespread or production use at most of the
reporting council sites. Several sites sent out notification to the
appropriate support groups as an FYI. One of the sites with a Kerberos
V4 deployment immediately reconfigured its Kerberos servers to block
exploitation of the vulnerability (i.e., cross-realm authentication
using Kerberos V4 was disabled, even though it was actively in
use). That site is converting more of its production Kerberos V4
applications to Kerberos V5. The other two sites with small V4
implementations are awaiting a response back from their support teams.
************************************************************
(4) HIGH: Samba SMB/CIFS Packet Reassembly Buffer Overflow
Affected Products:
Samba versions 2.0.x to 2.2.7a inclusive
Description:
Samba smbd contains a remotely exploitable buffer overflow
vulnerability in the code responsible for performing SMB/CIFS packet
reassembly. Remote attackers can exploit the flaw to execute arbitrary
code with root privileges on a vulnerable Samba server.
Risk: Compromise of root server with the ability to run arbitrary code.
Deployment: Significant.
Samba is the Unix server standard for providing SMB/CIFS-based file
and print services. Affected products/vendors include: HP-UX, Linux
(Debian, RedHat, Caldera, Conectiva, Mandrake, SuSE, Trustix),
FreeBSD, Solaris, and MacOS X.
Ease of Exploitation: Unknown.
Technical specifics were not provided.
Status: Vendor confirmed, software upgrade available.
References:
Samba Team Announcement
http://www.samba.org/samba/whatsnew/samba-2.2.8.html
SecurityFocus BID
http://www.securityfocus.com/bid/7106
Council Site Actions:
Most of the reporting council sites plan to patch their affected
systems during their next regularly scheduled system update cycle.
One site plans to roll the patches next week. Several sites are
still investigating the risk level. Another site reported that their
critical systems are protected by firewalls that limit who can access
them. They still plan to roll the patches during the next update cycle.
*************************************************************
(5) MODERATE: Microsoft Windows Script Engine Integer Overflow
Affected Products:
Microsoft Windows ME/2000/XP
Microsoft Windows 98 and 98 Second Edition
Microsoft Windows NT 4.0 and NT 4.0 Terminal Server
Description:
The Windows Script Engine is responsible for executing code written in
various scripting languages. Internet Explorer relies on the engine to
process script code supplied by web pages and HTML email messages. The
engine component responsible for processing JavaScript/JScript,
jscript.dll, contains an integer overflow vulnerability. A malicious
website or HTML email message can exploit the flaw to execute arbitrary
code on a client system by providing specially crafted script code. In
some Outlook configurations the user only needs to open a hostile email
(no need to click on a link) for the attack to be successful.
Risk: Remote compromise.
A malicious user could potentially run code of their choice on the
victim's system.
Deployment: Widely deployed.
This vulnerability affects all Windows users.
Ease of Exploitation: Straightforward.
An example showing how to exploit the flaw to crash Internet Explorer
has been posted. To compromise a system, an attacker must craft
malicious JavaScript containing shellcode and trick the victim into
loading it via a malicious web page or email.
Status: Vendor confirmed, patches available.
References:
Microsoft Security Bulletin MS03-008
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp
iDefense Advisory
http://www.idefense.com/advisory/03.19.03.txt
Council Site Actions:
Most of the council sites are already rolling out the patches, or are
in the process of testing the patches for roll-out in the near future.
************************************************************
(6) MODERATE: BEA WebLogic Unprotected Internal Application Vulnerability
Affected Products:
WebLogic Server and Express 6.0, 6.1 and 7.0 (all platforms, including
Linux, Windows, HP-UX, Solaris and AIX)
Description:
BEA's WebLogic web-based server console contains many undocumented,
default applications used for internal tasks. These applications
are not properly protected and can be accessed remotely without
authentication. A remote attacker can call the applications directly
and use them to upload an arbitrary program to the server and run it
with the privileges of the server process.
Risk: Remote system compromise.
A malicious user can access applications and upload files from the
victim's system.
Deployment: Significant.
According to the company's website, BEA products are deployed by
more than 13,000 customers worldwide, including the majority of the
Fortune Global 500. The BEA WebLogic server is a core component of
the BEA offering.
Ease of Exploitation: Straightforward.
An attacker can easily experiment with a vulnerable server to figure
out how to call the internal functions.
Status: Vendor confirmed, patches available.
References:
S21SEC Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0135.html
SPI Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-03/0238.html
BEA Systems Advisory
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
SecurityFocus BID
http://www.securityfocus.com/bid/7122
Council Site Actions:
The affected application is in use at only one of the reporting
council sites. They are in the process of checking with the support
group for risk level and plan to patch during the normal preventative
maintenance cycle.
***************************************************************
(7) MODERATE: OpenSSL Timing Attack Private Key Disclosure
Affected Products:
OpenSSL version 0.9.7a and 0.9.6i
potentially other products
Description:
OpenSSL contains a feature called 'RSA-blinding' that shields its RSA
computations from a timing attack that could expose RSA private keys.
However it is the responsibility of the OpenSSL-enabled application to
turn on RSA-blinding. Typically the feature is not enabled, leaving
many applications (including Apache's mod_ssl module) vulnerable to
remote attack. Researchers have found that an attack may be practical
under highly stable (< 1 ms latency variance) network conditions. In
general, any application that performs RSA private key operations
may be vulnerable.
Risk: Potential remote compromise of RSA key.
Deployment: Widely deployed.
Affected products include: NetBSD, Linux (Slackware, Conectiva,
Debian, EnGarde, Mandrake, SuSE, RedHat, Trustix), and OpenBSD. It
is possible that products other than OpenSSL are also affected.
Ease of Exploitation: Challenging.
The attack must be waged under highly stable network conditions,
and generates thousands of failed SSL/TLS connections to the server.
Networks with less than 1 ms of variance for transmitting the attack
packets are vulnerable. The research paper provides technical attack
details.
Status: This vulnerability has been confirmed. The next version of
OpenSSL will enable RSA-blinding by default in an effort to keep
applications secure.
References:
OpenSSL Advisory
http://www.openssl.org/news/secadv_20030317.txt
Research Paper
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
Early Leak of Advisory to Full Disclosure List (3/15/03)
http://lists.netsys.com/pipermail/full-disclosure/2003-March/004524.html
SecurityFocus BID
http://www.securityfocus.com/bid/7101
Council Site Actions:
All reporting council sites are treating this as a low risk and do
not plan to take any action at this time.
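How RSA blinding, the feature item (7) says applications must turn on, removes the attacker's influence over the value the private exponent is applied to, as an added worked example in C that is not OpenSSL's code: the toy parameters (p = 61, q = 53, n = 3233, e = 17, d = 2753) and the function names are constructed for illustration, and the blinding factor r is passed in by the caller so the result is reproducible, whereas a real implementation draws a fresh random r for every private-key operation.

```c
#include <stdint.h>

/* Toy RSA key, constructed for this example and far too small for any
 * real use: p = 61, q = 53, n = 3233, e = 17, d = 2753. */
#define TOY_N 3233ULL
#define TOY_E 17ULL
#define TOY_D 2753ULL

/* Square-and-multiply modular exponentiation; all intermediates stay
 * below 3233^2, so 64-bit arithmetic cannot overflow here. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm.
 * Returns 0 when a has no inverse modulo mod (gcd != 1). */
uint64_t modinv(uint64_t a, uint64_t mod)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)mod, newr = (int64_t)(a % mod);
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt;
        t = newt;
        newt = tmp;
        tmp = r - q * newr;
        r = newr;
        newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)mod;
    return (uint64_t)t;
}

uint64_t rsa_encrypt(uint64_t m)
{
    return modpow(m, TOY_E, TOY_N);
}

/* Unblinded decryption: d is applied directly to the attacker-chosen
 * ciphertext, so the running time depends on a value the attacker picked,
 * which is exactly what the timing attack measures. */
uint64_t rsa_decrypt_plain(uint64_t c)
{
    return modpow(c, TOY_D, TOY_N);
}

/* Blinded decryption: multiply c by r^e first, so the private-key
 * operation runs on c * r^e, a value the attacker neither knows nor
 * chose. Since (c * r^e)^d = m * r (mod n), multiplying by r^-1 recovers
 * m. Returns 0 if r is not invertible modulo n. */
uint64_t rsa_decrypt_blinded(uint64_t c, uint64_t r)
{
    uint64_t r_inv = modinv(r, TOY_N);
    if (r_inv == 0)
        return 0;
    uint64_t blinded_c = (c * modpow(r, TOY_E, TOY_N)) % TOY_N;
    uint64_t blinded_m = modpow(blinded_c, TOY_D, TOY_N); /* m * r mod n */
    return (blinded_m * r_inv) % TOY_N;
}
```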
**************************************************************
Other Software
**************************************************************
(8) MODERATE: McAfee ePolicy Orchestrator Format String Vulnerability
Affected Products:
McAfee Security ePolicy Orchestrator 2.5.1 (Windows 2000 SP1)
Description:
The web-based remote management console for McAfee ePolicy Orchestrator
contains a remotely exploitable format string vulnerability in handling
malformed HTTP GET requests. Attackers can exploit the flaw to execute
arbitrary code with SYSTEM privileges.
Risk: Remote system compromise.
A malicious user can anonymously execute arbitrary code on the
victim's system.
Deployment: Moderate.
ePolicy Orchestrator provides a web-based interface that allows
enterprise administrators to centrally manage desktop and server
anti-virus products. The vulnerable service runs on port 8081/tcp
and is typically not exposed to the Internet.
Ease of Exploitation: Unknown.
Technical specifics were not provided.
Status: Vendor confirmed, customers may contact the vendor to obtain
a patch.
References:
@stake Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0133.html
SecurityFocus BID
http://www.securityfocus.com/bid/7111
Council Site Actions:
Only one of the reporting council sites is running the affected
software. They reported they are patching it immediately, but
that it is a medium priority effort because the attack vector is
mostly internal. But they also noted that they have thousands of
VPN users so it is not clear whether their network is an internal or
an external network.
************************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.
==end==