SANS Critical Vulnerability Analysis Vol 2 No 16

From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Apr 28 2003 - 10:57:20 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A note to our subscribers. The printed program for SANSFire 2003
(Washington DC July 15-19) and the National Information Assurance
Leadership Conference (July 21-22) should have arrived in your postal
mail boxes. If you did not get one and would like to have one in order
to determine which training fits your needs, email info@sans.org with
the subject "sansfire program." Include your name and surface mail
address and the number of programs you want. The SANSFire immersion
training tracks are also available at several other locations around
the US and the world and can be conducted on site at your location, as
well. Online information for all programs is available at www.sans.org.

                                Alan

***********************************************************************
                  SANS Critical Vulnerability Analysis
April 28, 2003 Vol. 2. No. 16
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents:
Widely Distributed Software
(1) HIGH: Cisco Secure ACS Username Buffer Overflow
(2) MODERATE: Microsoft Internet Explorer Multiple Vulnerabilities
(3) LOW: Microsoft Outlook Express MHTML Vulnerability

Other Software
(4) HIGH: BadBlue Server ext.dll Command Execution Vulnerability
(5) MODERATE: Apache mod_ntlm Heap Overflow and Format String
     Vulnerability
(6) MODERATE: Monkey HTTPd POST Body Buffer Overflow
(7) MODERATE: rinetd Connection List Resizing Vulnerability

Exploit Code Releases
(8) Snort stream4 Exploit

********************Sponsored by Qualys Inc.**************************

Eliminate SANS/FBI Top 20 Security Vulnerabilities from the Network -
FREE Network Vulnerability Scan!
Get INSTANT control of your network security. FREE Web service
automatically finds exposure to Top 20 threats identified by SANS/FBI.
Scan your network today and in minutes find out if your network is
susceptible to these vulnerabilities.
Click NOW to get started:
https://sans20.qualys.com/index.php?lsid=543

*******************Additional Sponsored Links ************************
Privacy notice: These links redirect to non-SANS web pages.

1. Alert! Spam & email attacks are getting worse. Learn to stop them.
      ***white paper/demo***
http://www.sans.org/cgi-bin/sanspromo/CVA43
- ----------------------------------------------
2. Improve network security while simplifying multivendor Firewall/VPN
     management **FREE WHITEPAPER/DEMO**
http://www.sans.org/cgi-bin/sanspromo/CVA44
- ----------------------------------------------
3. The Future of IDS from the Creators of Snort - data management
      problem solved. **FREE WHITEPAPER**
http://www.sans.org/cgi-bin/sanspromo/CVA45
***********************************************************************

*******************************************************
Widely Distributed Software
*******************************************************

(1) HIGH: Cisco Secure ACS Username Buffer Overflow

Affected Products:
Cisco Secure ACS for Windows v. 2.6.4, 3.0.3, 3.1.1 and prior

Description:
The Cisco Secure Access Control Server (ACS) allows an administrator to
centrally manage all user authentication, authorization and accounting
information for thousands of access gateways (VPN, firewall, VoIP
etc.) distributed throughout an enterprise. The server provides a
web-based management interface on port 2002/tcp. This service contains
a buffer overflow in handling overlong usernames presented during the
login transaction. Remote attackers can exploit the flaw to hang the
server or execute arbitrary code with Local System privileges.

Council Site Actions:
The affected software is currently in use at two of the reporting
council sites. Both have already begun the update process, each in a
phased approach.

Risk: Remote compromise of Windows systems running Cisco ACS with
the privileges of the management server process, typically Local
System. A successful attacker would be able to change all access
control configurations managed by ACS.

Deployment: Significant.
This vulnerability affects all current versions of Cisco Secure ACS
for Windows, but does not affect Cisco Secure ACS for Unix.

Ease of Exploitation: Unknown.
An attacker must experiment with sending long usernames to a vulnerable
system to learn more. Exploitation may be straightforward.

Status: Vendor confirmed. Fixed software is available. Connections
to port 2002/tcp may also be blocked at the network perimeter; since
an internal attacker can reach the port as easily as an external one,
restrict 2002/tcp to designated administrative hosts rather than
relying on perimeter filtering alone.

References:
Cisco Security Bulletin
http://www.cisco.com/warp/public/707/cisco-sa-20030423-ACS.shtml

NSFocus Security Bulletin
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009415.html

SecurityFocus BID
http://www.securityfocus.com/bid/7413

Cisco Secure ACS Product Description
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/

********************************************************************

(2) MODERATE: Microsoft Internet Explorer Multiple Vulnerabilities

Affected Products:
Internet Explorer 5.01, 5.5 and 6.0

Description:
Microsoft has released an advisory describing four problems with
Internet Explorer (IE): (1) A buffer overflow vulnerability in IE's
URLMON.DLL that allows a hostile webserver to execute arbitrary code
on the system running IE. (2) A flaw in IE's file upload functionality
that allows a hostile webserver to steal arbitrary files from the
system running IE. (3) A parameter validation bug in the IE code
responsible for rendering third-party file formats that allows a
hostile web server to execute arbitrary script with the privileges of
the IE user. (4) A problem with parameter handling in IE's modal dialog
functions that allows a malicious website to bypass cross-domain zone
restrictions in order to steal cookies and other sensitive information
from the system running IE.

Council Site Actions:
All of the reporting council sites will be deploying the updated
software/patches during their next regularly scheduled system update.
For two sites, the update period fell this past weekend, so they
are already in the process of pushing out the patches. Several
sites commented that they don't officially support IE as one of the
standard browsers, but are aware that many users prefer this browser
over others.

Risk: Remote compromise of a system running Internet Explorer by a
malicious web server. A successful attacker would gain the privileges
of the IE user.

Deployment: Widely deployed.
These vulnerabilities affect all Internet Explorer users.

Ease of Exploitation: Varies.
A demonstration exploit was posted for the modal dialog vulnerability
in 12/02. Other vulnerabilities are new and few technical details
are available. For vulnerability (3), the relevant third-party plugin
must already be loaded into IE for the problem to be exploitable. In
problems (2) and (4), the attacker must know the exact path to the
file to be stolen, but this information is easily predicted for common
application (e.g. finance programs) data files.

Status: Vendor confirmed. Cumulative patches are available for Windows
98SE/ME/NT4/2000/XP.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms03-015.asp

SecurityFocus BID for Modal Dialog bug (disclosed 12/3/02)
http://www.securityfocus.com/bid/6306/discussion/

***********************************************************************

(3) LOW: Microsoft Outlook Express MHTML Vulnerability

Affected Products:
Microsoft Outlook Express 5.5 and 6.0. Also potentially affects
Internet Explorer users who do not read email with Outlook Express,
because Internet Explorer calls the Outlook Express component to
render MHTML content.

Description:
MHTML (RFC 2557) is the Internet standard that defines the MIME
structure for sending HTML content in email message bodies. Outlook
Express registers an MHTML URL handler that launches MHTML documents
referenced via mhtml: URLs. This handler contains a vulnerability in
processing specially crafted URLs that allows for the execution of
arbitrary code. An attack could be delivered via an email message, or
a web client could be attacked by a hostile web server when the user
clicks on a link. Users who have installed MS03-004 have some
additional protection in that the attacker is limited to executing or
reading files already present on the victim system, and to launching
programs without parameters. Some versions of Outlook would allow a
hostile email to launch the attack without requiring the user to click
on a link.

Council Site Actions:
Most of the reporting council sites are responding to this problem.
They plan to roll-out the patches during their next regularly scheduled
system update. For several sites that is occurring over the weekend
and through next week. Several sites commented that Outlook Express
is not officially supported; however, they are aware that many users
choose this product as their primary mail reader.

Risk: Compromise of systems running Outlook Express by a hostile
email or web server. A successful attacker would gain the privileges
of the Outlook user.

Deployment: Significant.
Outlook Express is included with most versions of the Windows operating
system, and the vulnerable component may be called by Internet Explorer
regardless of whether the victim uses Outlook Express to manage email.

Ease of Exploitation: Unknown.
Limited technical details are available.

Status: Vendor confirmed. A fix is included in a cumulative Outlook
Express patch available for Windows 98SE/ME/NT4/2000/XP.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms03-014.asp

SecurityFocus BID
http://www.securityfocus.com/bid/5473

**********************************************************
Other Software
**********************************************************

(4) HIGH: BadBlue Server ext.dll Command Execution Vulnerability

Affected Products:
BadBlue 2.15 and prior for Windows

Description:
The ext.dll ISAPI component included with the BadBlue file sharing web
server does not properly validate HTTP requests, allowing a remote
attacker to execute arbitrary administrative commands. The advisory
provides an example of how to trick the server into creating a new
virtual directory that allows remote attackers to browse the entire
hard drive.

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

Risk: Remote compromise of a system running BadBlue.

Deployment: Moderate.
BadBlue is designed to provide a secure, search-enabled web server
for the enterprise peer-to-peer market.

Ease of Exploitation: Trivial.
The attacker must send specially crafted web requests to the
server. Exploit examples have been posted.

Status: The advisory indicates vendor confirmation, and that the
problems are fixed in BadBlue versions 2.16 and later. BadBlue 2.2
is currently available.

References:
Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-04/0247.html

BadBlue version 2.2 Announcement with new feature list
http://pub26.ezboard.com/fbadbluediscussfrm1.showMessage?topicID=231.topic

BadBlue version 2.2 Downloads
http://www.badblue.com/down.htm

SecurityFocus BID
http://www.securityfocus.com/bid/7387

******************************************************************

(5) MODERATE: Apache mod_ntlm Heap Overflow and Format String
     Vulnerability

Affected Products:
Apache 1.3: mod_ntlm v. 0.4 and prior
Apache 2.0: mod_ntlmv2 v. 0.1

Description:
The mod_ntlm Apache module enables Apache services to perform Windows
NTLM authentication. The logging function in this module is reported to
contain two remotely exploitable vulnerabilities: a heap overflow and
a format string vulnerability. The advisory provides examples of how
to trigger the flaws to crash Apache. It is believed that an attacker
could further exploit the vulnerabilities to execute arbitrary code.
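The two bug classes named above, as an added example in C that is not
mod_ntlm's own code: a logging routine that passes the client-supplied
username straight through as the printf-style format and writes it into
a heap buffer of fixed size, beside a version that uses "%s" and sizes
the allocation from the formatted length. The function names, the
64-byte allocation, the log prefix and the sample usernames are all
invented for the illustration; only the bug classes come from the
advisory.

```c
/*
 * Added illustration of a format string bug and a heap overflow in a
 * logging path, of the kind the advisory attributes to the module.
 * This is not mod_ntlm's source; names and sizes are invented here.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VULN_LINE_SIZE 64                          /* hypothetical fixed heap allocation */
static const char PREFIX[] = "NTLM auth failed: ";  /* 18 bytes, invented log prefix */

/* Vulnerable: the username becomes the format string, and the destination
   was allocated before the username's length was known. */
char *log_ntlm_failure_vulnerable(const char *user)
{
    char *line = malloc(VULN_LINE_SIZE);
    if (!line) return NULL;
    strcpy(line, PREFIX);
    const char *fmt = user;              /* "%x%x%n" in the header would be interpreted */
    sprintf(line + strlen(line), fmt);   /* unbounded: a user longer than 45 bytes
                                            runs past the 64-byte heap chunk */
    return line;
}

/* Fixed: "%s" keeps user data out of the format, and the allocation is
   sized from the formatted length rather than guessed up front. */
char *log_ntlm_failure_fixed(const char *user)
{
    int needed = snprintf(NULL, 0, "%s%s", PREFIX, user);
    if (needed < 0) return NULL;
    size_t len = (size_t)needed + 1;
    char *line = malloc(len);
    if (!line) return NULL;
    snprintf(line, len, "%s%s", PREFIX, user);
    return line;
}

/* Would a username of this length overrun the vulnerable handler's chunk? */
int vulnerable_would_overflow(size_t user_len)
{
    return strlen(PREFIX) + user_len + 1 > VULN_LINE_SIZE;
}

/* Does the fixed handler emit the user string byte for byte, directives included? */
int fixed_preserves_literal(const char *user)
{
    char *line = log_ntlm_failure_fixed(user);
    if (!line) return 0;
    int ok = strncmp(line, PREFIX, strlen(PREFIX)) == 0 &&
             strcmp(line + strlen(PREFIX), user) == 0;
    free(line);
    return ok;
}

int main(void)
{
    /* The vulnerable routine is only exercised with a harmless username here;
       feeding it "%n" or a long name would corrupt this process's own heap. */
    char *benign = log_ntlm_failure_vulnerable("alice");
    printf("%s\n", benign);
    free(benign);

    char *hostile = log_ntlm_failure_fixed("%x%x%x%n");   /* directives stay literal */
    printf("%s\n", hostile);
    free(hostile);

    printf("46-byte name overflows vulnerable chunk: %d\n", vulnerable_would_overflow(46));
    return 0;
}
```

The fixed version is the shape to compare against when reviewing any
ap_log_* or syslog() call that takes a client-controlled string: the
string must appear as an argument to a literal "%s", never as the
format itself, and the destination must be sized after the input is
known.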

Council Site Actions:
Only one of the reporting council sites is running the affected
software. They are currently evaluating the impact since only internal
systems are involved. All other council sites reported the affected
software is not in production or widespread use.

Risk: Denial of service or remote compromise of Apache servers running
the mod_ntlm module. Successful attackers would gain the privileges
of the Apache process.

Deployment: Moderate.
The vulnerable module is typically not enabled.

Ease of Exploitation: Straightforward.
The advisory provides examples showing how to cause the DoS and points
to the location of the vulnerable code in the module's source.

Status: This vulnerability has not been confirmed. A bug report
has been posted to the mod_ntlm project page at SourceForge, but no
response has been received.

References:
Security Advisory by Matthew Murphy
http://archives.neohapsis.com/archives/bugtraq/2003-04/0251.html

mod_ntlm Project Page
http://sourceforge.net/projects/modntlm

Bug Report at SourceForge by Matthew Murphy
http://sourceforge.net/tracker/index.php?func=detail&aid=723468&group_id=4906&atid=104906

SecurityFocus BIDs
http://www.securityfocus.com/bid/7388
http://www.securityfocus.com/bid/7393

*****************************************************************

(6) MODERATE: Monkey HTTPd POST Body Buffer Overflow

Affected Products:
Monkey HTTP server 0.6.1 and prior

Description:
The Monkey HTTP server for Linux contains a remotely exploitable buffer
overflow in the handling of large POST bodies. The PostMethod()
function writes the variable-length body content, whose size is
controlled by the client, into a 10,240-byte fixed-length stack
buffer. An attacker could exploit the flaw to execute arbitrary code
on the system running Monkey.
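The overflow described above, reconstructed as an added C example that
is not Monkey's source: a POST handler that trusts the client's
Content-Length and copies that many bytes into a fixed 10,240-byte
stack buffer, beside a handler that checks the declared length against
both the destination and a policy limit before copying. The struct, the
function names and the 8,192-byte policy limit are assumptions made for
the example; only the 10,240-byte buffer size comes from the advisory.

```c
/*
 * Added illustration of the bug class described above: a POST handler
 * bounded only by the attacker's Content-Length, next to a checked one.
 * This is not Monkey's source; names and the policy limit are invented.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POST_BUF_SIZE 10240   /* fixed buffer size cited in the advisory */
#define POST_MAX_BODY 8192    /* hypothetical policy limit for the fixed handler */

/* Minimal stand-in for a parsed request (constructed for the example). */
struct request {
    const char *body;       /* body bytes as received */
    size_t content_length;  /* attacker-controlled Content-Length */
};

/* Vulnerable pattern: nothing bounds the copy except the client's header. */
int post_method_vulnerable(const struct request *rq, size_t *copied)
{
    char post_buf[POST_BUF_SIZE];
    /* A body longer than sizeof post_buf overruns this stack frame and the
       saved return address, which is what turns a crash into code execution. */
    memcpy(post_buf, rq->body, rq->content_length);
    *copied = rq->content_length;
    return 200;
}

/* Fixed pattern: reject before copying if the declared length exceeds
   either the destination or the server's policy limit. */
int post_method_fixed(const struct request *rq, char *out, size_t out_len,
                      size_t *copied)
{
    *copied = 0;
    if (rq->content_length > POST_MAX_BODY || rq->content_length > out_len)
        return 413;  /* Request Entity Too Large */
    memcpy(out, rq->body, rq->content_length);
    *copied = rq->content_length;
    return 200;
}

/* Build a constructed body of n 'A' bytes and run it through the fixed
   handler; returns the HTTP status the handler produced. */
int handle_post_of_size(size_t n)
{
    char out[POST_BUF_SIZE];
    char *body = malloc(n ? n : 1);
    if (!body) return 500;
    memset(body, 'A', n);
    struct request rq = { body, n };
    size_t copied;
    int status = post_method_fixed(&rq, out, sizeof out, &copied);
    free(body);
    return status;
}

int main(void)
{
    /* The vulnerable handler is only given a small body here; a body larger
       than POST_BUF_SIZE would smash the stack of this demonstration itself. */
    const char small[] = "user=alice";
    struct request rq = { small, sizeof small - 1 };
    size_t n;
    printf("vulnerable handler, 10-byte body: %d\n", post_method_vulnerable(&rq, &n));

    printf("fixed handler, 8 KiB body: %d\n", handle_post_of_size(8 * 1024));   /* 200 */
    printf("fixed handler, 20000-byte body: %d\n", handle_post_of_size(20000)); /* 413 */
    return 0;
}
```

handle_post_of_size() builds a constructed body of the requested size
and returns the status the checked handler produces, so the boundary
(8,192 accepted, 8,193 rejected) can be verified directly; the point
of the fixed handler is that the length check happens before any byte
of the body touches a fixed-size buffer.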

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

Risk: Remote compromise of systems running the Monkey HTTP
daemon. Successful attackers would gain the privileges of the daemon
process.

Deployment: Small.
Monkey is an open source project that is supported on Red Hat and
Debian Linux.

Ease of Exploitation: Straightforward.
An attacker must craft a stack-based buffer overflow exploit.

Status: The advisory indicates vendor confirmation, and that the
problem is fixed in Monkey version 0.6.2 released March 24, 2003.

References:
Security Advisory by Matthew Murphy
http://archives.neohapsis.com/archives/bugtraq/2003-04/0248.html

Monkey HTTP Daemon Project Page
http://monkeyd.sourceforge.net

SecurityFocus BID
http://www.securityfocus.com/bid/7202/info/

**************************************************************

(7) MODERATE: rinetd Connection List Resizing Vulnerability

Affected Products:
rinetd versions prior to 0.61-1.1 for Windows or Linux

Description:
The rinetd IP redirection server mishandles the resizing of its
internal connection list. An attacker can trigger the flaw by opening
enough connections to fill the list and force a resize to occur. The
vulnerability allows remote attackers to cause a denial of service or
potentially execute arbitrary code.

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

Risk: Remote compromise of systems running rinetd. Successful attackers
would gain the privileges of the vulnerable daemon.

Deployment: Small.
rinetd is included with the Debian Linux distribution but is not a
default service.

Ease of Exploitation: Unknown.
An attacker can diff the patched and unpatched source to learn the
details of the flaw.

Status: Vendor confirmed. Fixed in rinetd version 0.61-1.1.

References:
Debian Security Advisory
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0201.html

Debian rinetd Page
http://packages.debian.org/stable/net/rinetd.html

ISS Description
http://www.iss.net/security_center/static/11811.php

SecurityFocus BID
http://www.securityfocus.com/bid/7377

*******************************************************
Exploit Code Releases
*******************************************************

(8) Snort stream4 Exploit

An exploit has been posted for the Snort TCP reassembly preprocessor
vulnerability discussed in last week's CVA. The exploit attempts to
force the machine running Snort to launch a remote shell back to the
attacker's machine (unverified).

Council Site Actions:
Most of the reporting council sites reported they had already patched
the affected systems. The release of the exploit had no impact on
their environments.

Exploit Code:
http://www.packetstormsecurity.nl/filedesc/p7snort191.sh.html

Last week's CVA (Item #1):
http://archives.neohapsis.com/archives/sans/2003/0054.html

***********************************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
 
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are listed below. These
recommendations should be tailored according to the level of
deployment of the affected product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you
may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.

                         ==end==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+rRwQ+LUG5KFpTkYRArFTAKCHv2CTcVHG2gTNx3RpDDVO8xaY+wCfR0JF
mC6EeCyMe8llCWmtBB7Zs68=
=O8Tl
-----END PGP SIGNATURE-----