SANS Critical Vulnerability Analysis Vol 2 No 15
From: The SANS Institute (CriticalVulnerabilityAnalysis
sans.org)
Date: Mon Apr 21 2003 - 08:44:53 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
***********************************************************************
SANS Critical Vulnerability Analysis
April 21, 2003 Vol. 2. No. 15
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) HIGH: Snort TCP Reassembly Preprocessor Integer Overflow
(2) MODERATE: Oracle Concurrent Manager Server Information Exposure
(3) MODERATE: FileMaker Pro/Server Password Disclosure Vulnerability
Other Software
(4) HIGH: MailMax IMAP Password Buffer Overflow
*********************************************************************
Highlighted Security Training Opportunity:
Portland, OR, May 5-10: Four training tracks: SANS Security Essentials;
Firewalls, VPNs, Perimeter Protection; Hacker Techniques; and System
Forensics. http://www.sans.org/northpacific03
*************************** Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.
1. Do you have 128-bit SSL encryption? Get VeriSign's FREE Guide
Sponsored by VeriSign - The Value of Trust
http://www.sans.org/cgi-bin/sanspromo/CVA41
----------------------------------------------
2. Audit, Track, Update... Improve network security while simplifying
Firewall/VPN management **FREE WHITEPAPER/DEMO**
http://www.sans.org/cgi-bin/sanspromo/CVA42
***********************************************************************
************************
Widely Deployed Software
************************
(1) HIGH: Snort TCP Reassembly Preprocessor Integer Overflow
Affected Products:
Snort IDS versions 1.8 through 1.9.1
Snort CVS - current branch up to version 2.0.0 beta
Description:
A remotely exploitable integer overflow exists in the Snort TCP
stream reassembly preprocessor named "stream4". A problem with the
TCP sequence number handling allows a 32-bit integer variable to
be overflowed. An attacker can exploit the vulnerability by sending
TCP traffic with specially crafted sequence numbers to any IP address
monitored by Snort. Successful exploitation allows an attacker to cause
a denial of service or execute arbitrary code with root privileges.
Council Site Actions:
The affected software is in use at five of the reporting council
sites. Other sites are using Snort, but are running later versions or
are not running the preprocessor module. Of the affected sites, most
are updating their Snort deployments to the latest code on a high
priority basis. One site has already completed the upgrade. Another
site currently runs Snort only in a tightly controlled test
environment; it will upgrade to the latest version before its
wide-scale roll-out.
Risk: Remote root compromise of systems running Snort.
Deployment: Significant.
The Snort IDS is widely used by the open source community and
is also installed on some commercial network security appliances
(e.g. Silicon Defense Sentarus Sensor, Guardent Security Defense
Appliance, Sourcefire Network Sensor).
Ease of Exploitation: Straightforward.
The Core Advisory shows how to trigger the overflow to cause a
segmentation fault. Core has also built a working code execution
exploit and made it available as a CORE IMPACT penetration test module.
Status: Vendor confirmed, the problem is fixed in Snort version
2.0. The stream4 module can be disabled as a workaround, but doing
so blinds the sensor to attacks that use TCP segmentation-based
techniques to evade detection.
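The bug class described above, a 32-bit quantity derived from TCP sequence numbers that wraps around and defeats a bounds check, is shown in the added example below. This is illustrative code written for this analysis, not Snort's stream4 source; the window size, base sequence number and segments are constructed values. naive_accepts is the risky form of the check, in which the sum of offset and length is computed in 32 bits and wraps to a small number, so a segment that starts just before the window (an offset near 2^32) or far beyond it passes. safe_place performs the same check with operands that cannot wrap and refuses such segments before any copy takes place.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of reassembly buffer held per direction (constructed size). */
#define REASM_WINDOW 65536u
/* Sequence number of the first byte in the window (constructed value). */
#define BASE_SEQ 1000u

/* buf[0] holds the byte whose TCP sequence number is base_seq. */
typedef struct {
    uint32_t base_seq;
    uint8_t  buf[REASM_WINDOW];
} reasm_window;

/* Risky bounds check: off + len is computed in 32 bits and wraps to a small
 * value when the segment starts before base_seq (off close to 2^32) or far
 * beyond the window, so such a segment passes the check. */
bool naive_accepts(uint32_t base_seq, uint32_t seg_seq, uint32_t len)
{
    uint32_t off = seg_seq - base_seq;    /* modular distance from window start */
    return off + len <= REASM_WINDOW;     /* wraps when off + len >= 2^32 */
}

/* Hardened placement: off < REASM_WINDOW is established first, so
 * REASM_WINDOW - off cannot wrap, and len is compared against that.
 * Nothing is copied unless the whole segment lies inside buf. */
bool safe_place(reasm_window *w, uint32_t seg_seq, const uint8_t *data, uint32_t len)
{
    uint32_t off = seg_seq - w->base_seq;
    if (len == 0 || len > REASM_WINDOW)
        return false;
    if (off >= REASM_WINDOW)              /* starts outside the window, "before" base_seq included */
        return false;
    if (len > REASM_WINDOW - off)         /* would run past the end of buf */
        return false;
    memcpy(w->buf + off, data, len);
    return true;
}

/* Drive safe_place with a fresh window and a constructed payload of 'A's. */
bool try_place(uint32_t base_seq, uint32_t seg_seq, uint32_t len)
{
    static reasm_window w;
    static uint8_t payload[REASM_WINDOW];
    memset(payload, 'A', sizeof payload);
    w.base_seq = base_seq;
    return safe_place(&w, seg_seq, payload, len);
}

int main(void)
{
    struct { uint32_t seq, len; const char *what; } cases[] = {
        { BASE_SEQ + 100u,        50u,    "in-window segment" },
        { BASE_SEQ - 10u,         20u,    "starts 10 bytes before the window" },
        { BASE_SEQ + 0xFFFFFF00u, 0x200u, "starts far outside the window" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s naive=%s hardened=%s\n", cases[i].what,
               naive_accepts(BASE_SEQ, cases[i].seq, cases[i].len) ? "accept" : "reject",
               try_place(BASE_SEQ, cases[i].seq, cases[i].len) ? "accept" : "reject");
    return 0;
}
```

The two checks differ only in how the comparison is arranged: testing the sum off + len against the window size lets the sum wrap, while testing len against REASM_WINDOW - off, after off itself has been bounded, never does. Because sequence arithmetic is modulo 2^32, "ten bytes before the window" and "four billion bytes after it" are the same offset to the naive check, which is why both constructed cases pass it. Reviewing reassembly code for the first pattern is the practical check an administrator or auditor can make.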
References:
Core Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-04/0215.html
CERT Advisory
http://www.cert.org/advisories/CA-2003-13.html
Vendor Advisory
http://www.snort.org/advisories/snort-2003-04-16-1.txt
******************************************************************
(2) MODERATE: Oracle Concurrent Manager Server Information Exposure
Affected Products:
Oracle E-Business Suite 11i, Releases 1 through 8
Oracle Applications 11.0, All Releases
Oracle Applications 10.7, All Releases
Description:
The Oracle E-Business Suite Report Review Agent (RRA) contains a
vulnerability that allows remote attackers to read sensitive data on
Oracle Applications Concurrent Manager servers, including password
files. To exploit the flaw, an attacker must be able to access the
TNS listener port on a vulnerable system, and communicate using the
SQL*Net protocol. The Integrigy advisory notes that it is common
for a Concurrent Manager server to also act as a database server,
putting database information at risk.
Council Site Actions:
The affected software is in use at only two of the reporting council
sites. Both sites have notified their Oracle support teams and
are awaiting further analysis. Both sites also commented that the
problem is mitigated to some extent since the systems running the
Oracle applications are behind firewalls.
Risk: Information exposure potentially leading to remote compromise
of Oracle Applications Concurrent Manager server, and exposure of
sensitive data stored in the database.
Deployment: Significant.
The E-Business Suite provides a set of data management applications
for a variety of business functions including sales, marketing,
human resources, finance and manufacturing.
Ease of Exploitation: Unknown.
The advisory states that the Oracle Applications FNDFS program can be
used to retrieve any file on the server accessible to the oracle or
applmgr accounts. Few technical details are publicly available. Many
organizations do not allow Internet access to the vulnerable service,
but are still open to attack from internal networks.
Status: Vendor has confirmed, patches available.
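The exposure above is of the kind that arises when a service lets a client name the file it wants and does not confine that name to the directory it is meant to serve. The added example below shows the server-side confinement such a component needs; it is illustrative code written for this analysis, not Oracle's FNDFS code, and the export root /var/export and the requested paths are constructed. confine_path resolves "." and ".." lexically, refuses absolute paths, backslashes and any request that would climb above the root, and returns the resolved path under the root. It is a lexical check only: if the root can contain symbolic links, the server must additionally verify the real path of the file it opens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* maximum path components accepted (constructed limit) */

/* Reduce a client-supplied relative path to a canonical form under root:
 * "." and empty components are dropped, ".." pops the previous component
 * and is refused when nothing is left to pop (it would climb above root),
 * and absolute paths or backslashes are refused outright. On success
 * writes "<root>/<component>/..." into out and returns true. */
bool confine_path(const char *root, const char *requested, char *out, size_t cap)
{
    const char *parts[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;

    if (requested[0] == '/' || strchr(requested, '\\') != NULL)
        return false;

    for (const char *p = requested; *p != '\0';) {
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (*p == '/')
            p++;
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                              /* "" or "." */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;                      /* would escape root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return false;
        parts[depth] = start;
        lens[depth] = n;
        depth++;
    }
    if (depth == 0)
        return false;                              /* must name something below root */

    size_t used = strlen(root);
    if (used >= cap)
        return false;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= cap)
            return false;
        out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

/* Resolve a request against the constructed export root, for the demo and tests. */
const char *confined(const char *requested)
{
    static char out[512];
    return confine_path("/var/export", requested, out, sizeof out) ? out : NULL;
}

int main(void)
{
    const char *requests[] = { "reports/out.txt", "reports/../a.txt", "./x/./y",
                               "../etc/passwd", "reports/../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        const char *r = confined(requests[i]);
        printf("%-28s -> %s\n", requests[i], r ? r : "REFUSED");
    }
    return 0;
}
```

The check works on components rather than on substrings: a request such as "reports/../a.txt" is legitimate and resolves inside the root, while "reports/../../etc/passwd" is refused at the second "..", so a simple "reject anything containing .." filter would be both too strict and, for encoded variants, too loose. Limiting the served account to the export directory at the operating-system level is the complementary control the advisory's mention of the oracle and applmgr accounts points to.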
References:
Integrigy Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0016.html
http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm
Oracle Security Alert and Patches
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/168873
Product Website
http://www.oracle.com/applications/
SecurityFocus BID
http://www.securityfocus.com/bid/7325
*****************************************************************
(3) MODERATE: FileMaker Pro Password Disclosure Vulnerability
Affected Products:
FileMaker Pro 6.0 and earlier
FileMaker Pro 6.0 Unlimited or earlier
FileMaker Server 5.5 or earlier
*Affects all platforms: Windows, MacOS and Linux
Description:
The FileMaker network protocol has been found to disclose passwords to
remote attackers. The vulnerability stems from a design flaw which
sends all database passwords to an unauthenticated client, and then
trusts the client to enforce the validity of the user's password. The
passwords arrive in an obfuscated format but may be recovered.
Council Site Actions:
Four of the reporting council sites are running the affected software,
albeit in very small numbers. One site said that given the small
number of installations and the difficulty in finding them, action was
not warranted at this time. A second site has a single, non-production
server running the software. The functions provided by that server
are being migrated to other systems. They plan to decommission the
server if a patch is not available by May 2nd. The third site has
several machines that are directly exposed to the Internet and have
FileMaker databases with web publishing enabled. Their central IT
department provides full support for FileMaker on both Windows and
Macintosh platforms, and this contributes to the prevalence of the
software. This site is not using FileMaker for critical business
functions, but believes it would be a substantial inconvenience
if FileMaker data were modified by outsiders. They are looking
at the information in the vendor bulletin about "direct access to
the databases via FileMaker Pro networking" to see if they have a
reasonable option for continuing to publish FileMaker data. The last
site merely notified the appropriate support group.
Risk: Remote compromise of systems running FileMaker.
Deployment: Significant.
FileMaker provides a suite of database software applications for
business workgroups. The vendor website states that FileMaker is
deployed by millions of customers worldwide. Most organizations do
not expose the vulnerable service to the Internet, but are still open
to attack from internal networks.
Ease of Exploitation: Straightforward.
The server sends a complete list of passwords to the client. The
attacker must only overcome the obfuscation.
Status: Vendor confirmed, however no fix is currently available.
The vendor advisory contains some suggested workarounds that can
mitigate risk.
References:
Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-04/0168.html
Vendor Advisory
http://www.filemaker.com/ti/108462.html
Vendor Website
http://www.filemaker.com/
http://www.filemaker.com/company/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/7315
******************************************************************
***************
Other Software
***************
(4) HIGH: MailMax IMAP Password Buffer Overflow
Affected Products:
SmartMax MailMax versions prior to 5.0.10.8 - IMAP server running on
Windows 2000/XP/NT4
Description:
MailMax provides SMTP, IMAP4 and POP3 support along with a
variety of advanced features. The MailMax IMAP service contains
a remotely-exploitable buffer overflow in handling overlong user
passwords, allowing an attacker to crash the server or execute
arbitrary code with SYSTEM privileges.
Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.
Risk: Remote SYSTEM-level compromise of hosts running MailMax IMAP4
servers.
Deployment: Moderate.
The product is ranked highly at popular shareware sites.
Ease of Exploitation: Trivial/Unknown.
An example showing how to trigger the overflow to cause a denial of
service has been posted, however few technical details are available
concerning the code execution.
Status: Vendor confirmed, to be fixed in upcoming releases. In the
meantime, the vendor has provided updates for the affected files.
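The defect above, an overlong password written into a fixed-size buffer, is the classic form of stack or heap overflow in a network daemon, and the defence is to bound every copy by its destination and reject the command when a field does not fit. The added example below shows that bounded handling for the IMAP LOGIN command; it is illustrative code written for this analysis, not MailMax's, and the field sizes and sample LOGIN lines are constructed. parse_login reads a "<tag> LOGIN <user> <password>" line into fixed-size fields and refuses the command when any token would not fit, so an overlong password produces a rejected command rather than a write past the end of the buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-session field sizes, constructed for this example (not MailMax's). */
#define TAG_MAX  16
#define USER_MAX 64
#define PASS_MAX 128

typedef struct {
    char tag[TAG_MAX];
    char user[USER_MAX];
    char pass[PASS_MAX];
} imap_login;

/* Copy a token into dst only if it fits together with its NUL; otherwise
 * return -1 and leave dst untouched so the caller rejects the command. */
static int copy_token(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Case-insensitive match of a token against an upper-case keyword. */
static bool token_is(const char *tok, size_t len, const char *keyword)
{
    if (len != strlen(keyword)) return false;
    for (size_t i = 0; i < len; i++)
        if (toupper((unsigned char)tok[i]) != (unsigned char)keyword[i]) return false;
    return true;
}

/* Parse "<tag> LOGIN <user> <password>" (plain tokens only; quoted strings
 * and literals are out of scope). Returns true and fills out on success,
 * false with *reason set otherwise. */
bool parse_login(const char *line, imap_login *out, const char **reason)
{
    const char *tok[4]; size_t len[4]; const char *p = line;

    for (int i = 0; i < 4; i++) {
        while (*p == ' ') p++;
        if (*p == '\0' || *p == '\r' || *p == '\n') {
            *reason = "malformed";
            return false;
        }
        tok[i] = p;
        while (*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n') p++;
        len[i] = (size_t)(p - tok[i]);
    }
    while (*p == ' ') p++;
    if (*p != '\0' && *p != '\r' && *p != '\n') {
        *reason = "malformed";           /* trailing data after the password */
        return false;
    }
    if (!token_is(tok[1], len[1], "LOGIN")) {
        *reason = "not a LOGIN command";
        return false;
    }
    /* Each copy is bounded by its destination; an overlong field rejects
     * the whole command instead of running past the end of the buffer. */
    if (copy_token(out->tag, sizeof out->tag, tok[0], len[0]) < 0) { *reason = "tag too long"; return false; }
    if (copy_token(out->user, sizeof out->user, tok[2], len[2]) < 0) { *reason = "user too long"; return false; }
    if (copy_token(out->pass, sizeof out->pass, tok[3], len[3]) < 0) { *reason = "password too long"; return false; }
    *reason = NULL;
    return true;
}

/* Build a LOGIN line whose password is pass_len bytes of 'A' (constructed
 * input) and return the verdict: NULL if accepted, else the reason. */
const char *verdict_for_password_len(size_t pass_len)
{
    static char line[8192];
    const char *prefix = "a001 LOGIN alice ";
    size_t plen = strlen(prefix);
    imap_login l; const char *reason;

    if (pass_len > sizeof line - plen - 3)
        pass_len = sizeof line - plen - 3;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', pass_len);
    memcpy(line + plen + pass_len, "\r\n", 3);   /* CRLF plus terminating NUL */
    parse_login(line, &l, &reason);
    return reason;
}

/* Length of the parsed user name, or -1 if the line is rejected. */
int login_user_len(const char *line)
{
    imap_login l; const char *reason;
    return parse_login(line, &l, &reason) ? (int)strlen(l.user) : -1;
}

int main(void)
{
    printf("8-byte password: %s\n", verdict_for_password_len(8) ? "rejected" : "accepted");
    printf("5000-byte password: %s\n", verdict_for_password_len(5000));
    return 0;
}
```

The point a reviewer looks for is that the length of the incoming token is compared against the capacity of the destination before any byte is written, and that the failure path returns a protocol-level error (an IMAP BAD response in a real server) rather than truncating silently, which would let a client authenticate with a password that differs from the one it sent.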
References:
Security Advisory by Dennis Rand
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0017.html
Confirmation of Exploitability by Mark Litchfield
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0018.html
MailMax Demo Download from Tucows
http://www.tucows.com/preview/195574.html
SecurityFocus BID
http://www.securityfocus.com/bid/7326
Security Fixes
http://www.securityfocus.com/bid/7326/solution/
***********************************************************************
About the CVA Process and Council
The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm
Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.
Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.
Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.
**********************************************************************
Critical Vulnerability Analysis Scale Ratings
In ranking vulnerabilities several factors are taken into account,
such as:
- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.
CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.
HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.
MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.
LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.
Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are listed below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.
CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you
may also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro
sans.org
for permission.
==end==
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+o9Zk+LUG5KFpTkYRAqeNAKCgRcFtBvA9xnHBkCG24EXaO20A/ACaA/TG
CJ+IN2djMtmohqsihTv7SWQ=
=ahOW
-----END PGP SIGNATURE-----