SANS Critical Vulnerability Analysis Vol 2 No 17

From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon May 05 2003 - 09:27:26 CDT


***********************************************************************
               SANS Critical Vulnerability Analysis
May 5, 2003 Vol. 2. No. 17
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents:
Widely Deployed Software:
(1) HIGH: Cisco ONS Platform Denial of Service
(2) HIGH: 3Com NBX Phone Manager Denial of Service
(3) HIGH: IPSec Aggressive Mode Preshared Secret Exposure
(4) MODERATE: Oracle Database Server Buffer Overflow

Other Software:
(5) HIGH: SGI nsd LDAP Password Authentication Bypass
(6) HIGH: Kerio Personal Firewall Overflow and Replay Attack
(7) MODERATE: Microsoft BizTalk Server Buffer Overflow

*************************** Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.

1. Are remote users leaving your network open to hackers? Find out in
     PestPatrol's FREE whitepaper.
http://www.sans.org/cgi-bin/sanspromo/CVA46
----------------------------------------------
2. VanDyke Secure Shell solutions: strong security, interoperability,
     and simplicity for the end user. VanDyke Software.
http://www.sans.org/cgi-bin/sanspromo/CVA47
----------------------------------------------
3. PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
     countermeasures! FREE WP "THE FIRST 15 MINUTES".
http://www.sans.org/cgi-bin/sanspromo/CVA48
***********************************************************************
Highlighted Training Program of the Week!
Monterey CA in June is simply spectacular - and this SANS program
is right on Fisherman's Wharf. SANS Computer Security Bootcamp
2003 is the most intense learning environment that most people ever
experience. SANS pioneered immersion training for information security;
this unique process increases retention and comprehension, empowering
you to put what you are taught into practice. Tracks include SANS
Security Essentials and CISSP CBK, Firewalls, Intrusion Detection,
Hacker Techniques, Securing Windows, and the new best-seller, Auditing
Networks, Perimeters, and Systems.
http://www.sans.org/bootcamp03/
***********************************************************************

*********************************************
Widely Deployed
*********************************************

(1) HIGH: Cisco ONS Platform Denial of Service

Affected Products:
Cisco ONS15454 Optical Transport Platform (rel. 3.0-3.41)
Cisco ONS15327 Edge Optical Transport Platform (rel. 3.3-3.41)
Cisco ONS15454SDH Multiplexer Platform (rel. 3.3-3.41)
Cisco ONS15600 Multiservice Switching Platform (rel. 1.0)

Description:
Multiple Cisco ONS devices are vulnerable to a Denial of Service attack
that can be launched from Nessus. The affected ONS hardware platforms
are managed via control cards that are typically connected to a
protected internal network. These control cards provide Telnet and FTP
services that can be attacked by specially formed input, such as that
sent by a Nessus vulnerability scan. A successful attack causes both
the active and the standby ONS control cards to reboot simultaneously,
which causes the synchronous data channels traversing the switch to
drop traffic until the reboot completes (exception: ONS15600). In
addition, the management functions provided by the control cards
are unavailable during reboot. An attacker could execute this attack
repeatedly, leading to a persistent denial of service condition.

Council Site Actions:
Only one of the reporting council sites is using the ONS product. This
site does not have any externally facing ONS systems and the internal
devices are very limited. They consider this to be a very low threat
due to the small internal deployment, so no action will be taken.

Risk: A remote attacker can cause a Cisco ONS device to become
unavailable to the network.

Deployment: Significant.
According to the Cisco website, over 30,000 units are deployed
worldwide, typically in mission critical capacities.

Ease of Exploitation: Trivial.
The attack can be launched using the free Nessus vulnerability
scanner. The vulnerable services are typically not exposed to the
Internet however.

Status: Vendor confirmed. The problem is fixed in ONS software release
4.0 and later for the ONS15454, ONS15327, and ONS15454SDH platforms. A
fix for the ONS15600 will be made available in September 2003 in
software Release 1.1.

References:
Cisco Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0050.html
http://www.cisco.com/warp/public/707/cisco-sa-20030501-ons.shtml

Cisco Product Pages
http://www.cisco.com/warp/public/cc/pd/olpl/metro/on15454/index.shtml
http://www.cisco.com/warp/public/cc/pd/olpl/metro/on15327/index.shtml

SecurityFocus BID
Not yet available.

***********************************************************************

(2) HIGH: 3Com NBX Phone Manager Denial of Service

Affected Products:
3Com SuperStack 3 NBX
3Com NBX 100

Description:
The 3Com NBX products provide network telephony connectivity for up
to 1500 lines/devices. These products utilize the VxWorks real time
operating system (RTOS), and contain an FTP server that cannot be
restricted or disabled. The FTP server contains a buffer overflow
vulnerability that can be triggered by connecting to the FTP server
port and sending a command of the form "CEL AAAAAAAA" where the string
of A's is about 2048 characters long. The attack disables the FTP
server, the web-based administrative console and the call manager. All
diagnostics are disabled and no new calls can be established. Any calls
in progress cannot be interrupted, potentially leading to inflated
costs due to long distance calls not being disconnected properly. An
affected device requires a hard reboot to return to service.

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

Risk: Disabling of an organization's IP-based telephony system due
to failure of the 3Com NBX phone manager.

Deployment: Significant.
The 3Com voice product line is relied upon by many organizations
worldwide.

Ease of Exploitation: Trivial.
The attack can easily be executed using only a telnet client.

Status: The advisory indicates vendor confirmation, and that VxWorks
5.4 and 5.5 may also be affected. A solution is not yet available
from 3Com. A possible workaround is to block network access to port
21/tcp on the NBX.

References:
Security Advisory by Michael S. Scheidell
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0045.html

3Com NBX Solution Stories
http://www.3com.com/solutions/en_US/cgcase.html?cat=NBXss3&view=product
http://www.3com.com/solutions/en_US/cgcase.html?cat=NBX100&view=product

SecurityFocus BID
Not yet available.

******************************************************************

(3) HIGH: IPSec Aggressive Mode Preshared Secret Exposure

Affected Products:
IPSec servers that support "aggressive" mode authentication with
preshared secrets

Description:
When operating in aggressive mode, an IPSec server provides a
connecting client with a cleartext hash value derived from the
preshared secret. Attackers can collect a copy of the hash by sniffing
an attempt to establish a VPN tunnel (the attempt can fail). The
hash can then be used in an offline dictionary attack to recover the
preshared secret. VPN gateways that accept connection requests from
arbitrary IP addresses are especially at risk. Note that some servers
(e.g. Cisco routers) will automatically switch to aggressive mode if
the client requests it. This attack has been known for some time to
security researchers but has not been widely publicized. Proof-of-concept
tools are available to retrieve the hash from a vulnerable server and
execute the dictionary attack to recover the preshared secret.

Council Site Actions:
Most of the reporting council sites do not use preshared secrets for
their VPN connections and most have "Aggressive Mode" set to "false"
on their concentrators. Several of the sites do have limited uses of
preshared keys and stated that in these cases they use strong, random
secrets. Also, some of these sites restrict the VPN connections by
IP address.

Risk: Remote attackers can recover the preshared secret and
authenticate to the VPN gateway as a valid user.

Deployment: Widely deployed.
Many VPN products support aggressive mode by default, and are
configured to accept connections from any IP address in order to
support traveling employees.

Ease of Exploitation: Trivial.
Tools are available to automate the hash collection and cracking
process. The password guessing task can be split across multiple
machines running in parallel for greater speed.

Status: Confirmed.
If preshared secrets and aggressive mode authentication must be used,
"strong" secrets that are unlikely to be cracked in a dictionary
attack should be selected and changed periodically. If possible,
aggressive mode can be disabled in favor of main mode authentication.

References:
Paper by Michael Thurman describing the attack
http://archives.neohapsis.com/archives/bugtraq/2003-04/0274.html

Posting by Damir Rajnovic, Cisco PSIRT
http://archives.neohapsis.com/archives/bugtraq/2003-04/0285.html

Posting by Curt Sampson
http://archives.neohapsis.com/archives/bugtraq/2003-04/0322.html

IKECrack Tool
http://ikecrack.sourceforge.net/

Posting by Anton Rager, IKECrack Author
http://archives.neohapsis.com/archives/bugtraq/2003-04/0306.html

SecurityFocus BID (published October 1999)
http://www.securityfocus.com/bid/7423/info/

*********************************************************************

(4) MODERATE: Oracle Database Server Buffer Overflow

Affected Products:
Oracle 9i, Releases 1 and 2
Oracle 8i, all Releases
Oracle 8, all Releases
Oracle 7.3.x

Description:
Oracle databases provide functionality that allows one Oracle database
to query another via a "database link". By default, any user able
to execute queries can create a database link by issuing the "CREATE
DATABASE LINK" command. This command accepts several argument clauses,
including "CONNECT TO", "IDENTIFIED BY" and "USING". If an attacker
supplies an overlong malicious string as an argument to the "USING"
clause, a stack buffer can be overflowed. An attacker could exploit
the flaw to gain full control of the database, and on Windows systems,
full control of the operating system as well.

Council Site Actions:
Six of the reporting council sites are running the affected Oracle
products. They all plan to install patches during the next regularly
scheduled system maintenance window or are in the process of installing
patches now. Only one of the six sites has Internet-facing systems
running the affected software. Several sites commented that, due
to the sensitive and critical nature of the applications supported
by Oracle, the patch roll-out process is more tedious and requires
extensive testing on staging servers before production roll-out.

Risk: Remote compromise of Oracle database servers.
By default, any user with any level of access to the database would
be able to exploit the flaw. Note that the attack could be executed via
SQL injection attacks against a web-based database front end.

Deployment: Widely deployed.
According to the advisory, Oracle leads the database market with a 54%
market share under ERP (Enterprise Resource Planning).

Ease of Exploitation: Straightforward.
The attacker must be able to execute two SQL commands for a successful
attack: first, CREATE DATABASE LINK is used to create a malformed link;
second, the overflow is triggered by using SELECT to fetch data via
the link. Sufficient details have been posted for a knowledgeable
attacker to craft an exploit.

Status: Vendor confirmed patches available for most platforms. The
Oracle advisory provides a patch availability matrix.
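Beyond patching, a DBA can find out who is able to create database links and take the privilege away from ordinary query users. The following is an added example written for this digest, not part of the NGSSoftware or Oracle advisories; it uses the standard Oracle data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_DB_LINKS, relies on the fact that the CONNECT role in the affected releases carries CREATE DATABASE LINK, and assumes a hypothetical account named link_admin and a constructed 200-character length heuristic.

```sql
-- Added example (not from the advisory): audit CREATE DATABASE LINK holders,
-- flag existing links with an oversized USING clause, and remove the privilege
-- from the CONNECT role that grants it to every ordinary user by default.
-- Run as a DBA. Old-style joins are used so the statements also run on 8i/7.3.

-- 1. Users and roles that hold CREATE DATABASE LINK directly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK';

-- 2. Users who inherit the privilege through a role (one level of nesting,
--    which is how CONNECT hands it to every account granted CONNECT).
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp, dba_sys_privs sp
 WHERE sp.grantee   = rp.granted_role
   AND sp.privilege = 'CREATE DATABASE LINK';

-- 3. Existing links whose connect string (the USING clause, stored in HOST)
--    is unusually long. A legitimate TNS alias or connect descriptor is far
--    shorter; 200 characters is a constructed threshold, tune it to your site.
SELECT owner, db_link, username, created, LENGTH(host) AS host_len
  FROM dba_db_links
 WHERE LENGTH(host) > 200
 ORDER BY host_len DESC;

-- 4. Stop ordinary query users from creating links at all, then grant the
--    privilege explicitly to the few accounts that genuinely need it.
REVOKE CREATE DATABASE LINK FROM connect;
GRANT CREATE DATABASE LINK TO link_admin;   -- link_admin: hypothetical account
```

Step 3 is a detection heuristic only; a link created and dropped inside one session, as the two-command attack above allows, leaves nothing in DBA_DB_LINKS, so the privilege change in step 4 is the control that matters.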

References:
NGSSoftware Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0048.html

Oracle Advisory
http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

News Article
http://www.eweek.com/article2/0,3959,1047710,00.asp

SecurityFocus BID
http://www.securityfocus.com/bid/7453

*****************************************
Other
*****************************************

(5) HIGH: SGI nsd LDAP Password Authentication Bypass

Affected Products:
SGI IRIX 6.5.x prior to 6.5.20

Description:
IRIX provides a unified mechanism, nsd, for handling all name
service-related functions. The nsd LDAP implementation does not properly
check whether an LDAP server provides the USERPASSWORD attribute for
each entry in its password database. An attacker can exploit the flaw
to gain unauthorized access to a target server by simply logging in
without a password.

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

Risk: Remote compromise of IRIX servers relying on the nsd LDAP
implementation for user authentication. A successful attacker would
gain the privileges of the user account that was logged into.

Deployment: Moderate.
This vulnerability affects all supported versions of IRIX that utilize
LDAP authentication. The nsd daemon is installed by default.

Ease of Exploitation: Trivial.
The attacker simply logs in as an affected user without supplying a password.

Status: Vendor confirmed, the problem is fixed in IRIX 6.5.20 and
patches are available for earlier versions.

References:
SGI Security Advisory
http://archives.neohapsis.com/archives/vendor/2003-q2/0038.html

SecurityFocus BID
http://www.securityfocus.com/bid/7442

*****************************************************************

(6) HIGH: Kerio Personal Firewall Overflow and Replay Attack

Affected Products:
Kerio Personal Firewall version 2.1.4 and prior

Description:
The remote administration server of the Kerio Personal Firewall has
been reported to contain two vulnerabilities. The most severe problem
is a pre-authentication stack-based buffer overflow that can be
exploited to execute arbitrary code. In addition, the administration
server is reportedly vulnerable to replay attacks. An attacker that
sniffs one of the encrypted/authenticated sessions may replay the
traffic at a later time to reissue the administration commands. That
is, any command that an attacker is capable of recording becomes
available to the attacker.

Council Site Actions:
Only one of the reporting council sites is running the Kerio firewall
product. They stated that Kerio is not supported by their central
IT department but they estimate it is installed on about 100 users'
desktop or laptop machines. They suspect that many of these users are
not vulnerable because the remote administration feature has always
been disabled. However, they are trying to confirm this fact. This
site is also investigating whether the vulnerability affects any
versions of the similar product named Tiny Personal Firewall.

Risk: Remote compromise of systems running Kerio Personal
Firewall. Attackers exploiting the buffer overflow vulnerability gain
the privileges of the firewall process.

Deployment: Moderate.
According to the Kerio website, Kerio products are used by thousands
of customers in 70 countries.

Ease of Exploitation: Straightforward.
Important technical details concerning the buffer overflow have been
posted. An attacker wishing to exploit the replay vulnerability must
be able to eavesdrop on live administrative sessions.

Status: Not confirmed, no solution currently available. The CORE
advisory indicates that the discoverers of the vulnerability attempted
to contact Kerio several times but have not yet received a response.

References:
Core Security Technologies Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0046.html

SecurityFocus BID -- Replay Attack
http://www.securityfocus.com/bid/7179

SecurityFocus BID -- Buffer Overflow
http://www.securityfocus.com/bid/7180

********************************************************************

(7) MODERATE: Microsoft BizTalk Server Buffer Overflow

Affected Products:
Microsoft BizTalk Server 2002

Description:
Microsoft's BizTalk 2002 Server provides a way for organizations
to easily exchange documents in a variety of formats, including the
HTTP format. A buffer overrun exists in the BizTalk component used to
receive HTTP documents (called "HTTP Receiver"), which is implemented
as an IIS ISAPI extension. Remote attackers can exploit the flaw to
crash the IIS server hosting the vulnerable ISAPI extension or to
execute arbitrary code. In the case of code execution, an attacker
gains the privileges of the IIS server process.

Council Site Actions:
Only one of the reporting council sites is running the BizTalk server
product. This site does not officially support BizTalk but they are
aware of a small number of machines where it is installed. The owners
of these systems typically obtain and install Microsoft patches on
their own. They will verify with the administrators.

Risk: Remote compromise of computers running BizTalk 2002 server at
the privilege level of the hosting IIS server process. IIS 5.0 runs
under the IWAM_computername account by default.

Deployment: Moderate.
The HTTP Receiver process is not enabled by default. HTTP must be
explicitly enabled as a receive transport during the setup of the
BizTalk 2002 server. This vulnerability does not affect BizTalk 2000.

Ease of Exploitation: Unknown.
An attacker must send a specially crafted request to the IIS server
that will be handled by the vulnerable ISAPI extension. Few technical
details are currently available.

Status: Vendor confirmed, patch available for BizTalk 2002 running
on Windows 2000.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

BizTalk Server Homepage
http://www.microsoft.com/biztalk/

SecurityFocus BID
Not yet available.

*******************************************************************
 
About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?
 
Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are given below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you
may also request subscriptions to any of SANS' other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.
