SANS Critical Vulnerability Analysis Vol 2 No 20

From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon May 26 2003 - 09:30:08 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
                  SANS Critical Vulnerability Analysis
May 26, 2003 Vol. 2. No. 20
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.
***********************************************************************

Table of Contents:
Widely Deployed Software:
(1) LOW: Linux Kernel Route Cache Hash Collision DoS
(2) LOW: Multiple IMAP Clients Buffer Overflows

************** This Issue Sponsored By Qualys, Inc. *******************

Discover Rogue Devices on Your Network for FREE. Qualys FreeMap is a
Web-based technology that lets you discover systems on your network
including routers, VPN servers and wireless access points and rogue
devices. Take advantage of this service before someone takes advantage
of your network. Get your FreeMap now!

https://freemap.qualys.com/?lsid=600

***********************************************************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Instantly stop DDoS attacks. Prevent worm propagation.
Hands-on, online demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA54
--------------------------------------------------------
(2) Simplify secure file transfer! Download a white paper and
evaluation software.
http://www.sans.org/cgi-bin/sanspromo/CVA55
--------------------------------------------------------
(3) Citadel's Hercules automatically remediates vulnerabilities
identified by commercial scanners. Download a FREE Aberdeen White Paper:
http://www.sans.org/cgi-bin/sanspromo/CVA56

***********************************************************************
Highlighted Training Program of the Week!
Monterey CA in June is simply spectacular - and this SANS program is
right on Fisherman's Wharf. SANS Computer Security Bootcamp 2003 is
the most intense learning environment that most people ever experience.
SANS pioneered immersion training for information security; this unique
process increases retention and comprehension, empowering you to put
what you are taught into practice. Tracks include SANS Security
Essentials and CISSP CBK, Firewalls, Intrusion Detection, Hacker
Techniques, Securing Windows, and the new best-seller, Auditing
Networks, Perimeters, and Systems.
http://www.sans.org/bootcamp03/
***********************************************************************

Widely Deployed Software
***************************

(1) LOW: Linux Kernel Route Cache Hash Collision DoS

Affected Products:
Linux kernel versions 2.4.1 through 2.4.20

Description:
The networking code in the Linux 2.4 kernel uses a hash table to provide
for efficient searching of cached routing information associated with
active traffic flows. When the kernel observes a new traffic flow (flows
are uniquely identified based on IP addresses and TOS settings), a hash
value corresponding to the flow is calculated and added to the table.
The hashing mechanism employed allows for the possibility of hash
collisions - that is, different flows may map to the same hash. Because
such collisions rarely occur in practice, the kernel uses a simple
linear list to handle collisions and track different flows mapping to
the same hash value.

A problem arises with the implementation because it is possible to
predict which combinations of IP addresses and TOS values will result
in hash collisions. A remote attacker can generate a stream of packets
with carefully chosen source addresses and TOS values that will result
in many hash collisions on the receiving machine. The victim is tricked
into generating a very large linear list which then must be searched (a
time consuming process) each time a new packet arrives. Once the list
grows large enough the victim system hangs. Vulnerable systems with
large amounts of memory are most at risk because they can be forced to
store the largest linear lists. One researcher reports that a machine
with 4 GB of RAM can be hung with a specially crafted traffic stream of
only 400 packets per second.

Council Site Actions:
Most of the reporting council sites have implementations of Red Hat
Linux. However, they are all treating this as a low risk, low
vulnerability problem. Most sites plan to upgrade once a new
production-release kernel has been deployed. Most of these sites also
stated that their perimeter security policy limits or prohibits the type
of traffic used for the attack.

Risk: Remote attackers can cause Linux systems to hang by sending a
low-bandwidth stream of specially crafted spoofed packets.

Deployment: Widely deployed. This vulnerability affects all systems
running the Linux 2.4 kernel. Affected operating systems include RedHat,
Caldera, Mandrake, SuSE, Slackware, Conectiva, Sun Cobalt RaQ, CRUX,
Astaro and Sun Linux.

Ease of Exploitation: Challenging. The attacker must discover a set of
IP address/TOS combinations that all map to the same hash on a
vulnerable system, and develop exploit code to generate the crafted
packets.

Status: Vendor confirmed. A fix for the problem is provided in Linux
kernel version 2.4.21-rc3, and a patch is available for version 2.4.20.
Some Linux OS vendors have released updated kernel software. The fix
works by making it more difficult for attackers to predict the
combinations of spoofed source addresses and TOS values that will
trigger hash collisions on a victim.
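The mechanism in the Description above (a predictable hash lets chosen inputs pile into one bucket, and lookups then degrade from constant time to a walk of that whole list) and the shape of the fix in the Status above (a secret mixed into the hash so bucket placement cannot be predicted) can both be seen in a small simulation. This is an added example written for this page, not kernel code and not the actual 2.4 route-cache hash: the bucket count, the weak and keyed hash functions, the flow values and the 500-packet stream are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define NBUCKETS 4096u   /* power of two: the low bits of the hash select the bucket */
#define NFLOWS   500u    /* roughly the "400 packets per second" scale from the text */

/* One cached flow: the fields the text says identify a flow (constructed layout). */
struct flow {
    uint32_t src;
    uint32_t dst;
    uint8_t  tos;
};

typedef unsigned (*hash_fn)(const struct flow *, uint32_t secret);

/* Predictable hash (hypothetical stand-in, not the kernel's function): only the
 * low 12 bits of src ^ dst ^ tos choose the bucket, so any two source addresses
 * that agree in those bits collide no matter what their other bits are. */
static unsigned weak_hash(const struct flow *f, uint32_t secret)
{
    (void)secret;   /* no secret: anyone can compute the same bucket */
    return (f->src ^ f->dst ^ f->tos) & (NBUCKETS - 1);
}

/* MurmurHash3 finalizer: a bijective 32-bit mixer with good avalanche. */
static uint32_t fmix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

/* Keyed hash: every bit of every field is mixed together with a secret chosen
 * at boot. Without the secret, the bucket a flow lands in cannot be predicted,
 * which is the property the fix described in Status aims for. */
static unsigned keyed_hash(const struct flow *f, uint32_t secret)
{
    uint32_t h = fmix32(f->src ^ secret);
    h = fmix32(h ^ f->dst);
    h = fmix32(h ^ f->tos ^ (secret >> 7));
    return h & (NBUCKETS - 1);
}

struct sim {
    unsigned      max_chain;   /* longest collision list built */
    unsigned long compares;    /* total list entries walked across all lookups */
};

/* Feed flows into an empty cache one packet at a time. A cache has to walk the
 * bucket's list looking for an existing entry before it inserts, so each packet
 * costs as many comparisons as the list is long: O(n^2) when everything
 * collides. Only per-bucket counts are kept; the list contents do not matter. */
static struct sim simulate(const struct flow *flows, size_t n, hash_fn hash, uint32_t secret)
{
    unsigned *chain = calloc(NBUCKETS, sizeof *chain);
    struct sim s = { 0, 0 };
    if (chain == NULL) return s;
    for (size_t i = 0; i < n; i++) {
        unsigned b = hash(&flows[i], secret);
        s.compares += chain[b];
        chain[b]++;
        if (chain[b] > s.max_chain) s.max_chain = chain[b];
    }
    free(chain);
    return s;
}

/* Constructed traffic: one destination and spoofed sources that all share their
 * low 12 bits. All addresses are made-up sample values. */
static void build_flows(struct flow *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        out[i].src = 0x0A000000u | ((uint32_t)i << 12);   /* 10.x.y.0: low 12 bits zero */
        out[i].dst = 0xC0A80101u;                          /* 192.168.1.1 */
        out[i].tos = 0;
    }
}

/* Run the same constructed stream through one hash function. */
static struct sim demo(hash_fn hash, uint32_t secret)
{
    struct flow flows[NFLOWS];
    build_flows(flows, NFLOWS);
    return simulate(flows, NFLOWS, hash, secret);
}

int main(void)
{
    srand((unsigned)time(NULL));
    uint32_t secret = ((uint32_t)rand() << 16) ^ (uint32_t)rand();   /* demo only; a kernel draws this from its RNG */
    struct sim w = demo(weak_hash, 0);
    struct sim k = demo(keyed_hash, secret);
    printf("predictable hash: longest list %u, %lu comparisons\n", w.max_chain, w.compares);
    printf("keyed hash:       longest list %u, %lu comparisons\n", k.max_chain, k.compares);
    return 0;
}
```

With the predictable hash all 500 flows share one bucket, so the longest list is 500 and the cache does 124,750 comparisons for 500 packets; with the keyed hash the same stream spreads across the table and the work stays close to linear. The simulation only counts work; the point is that the table's worst case, not its average case, is what an attacker who can predict the hash gets to choose.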

References:
RedHat Security Advisory:
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0056.html

SecurityFocus BID:
http://www.securityfocus.com/bid/7601

Postings by Florian Weimer:
http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0073.html

Paper on Algorithmic Complexity Attacks:
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003/index.html

Changelog for Linux kernel version 2.4.21-rc3:
http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.21.log

Patch for Linux kernel version 2.4.20:
http://www.enyo.de/fw/security/notes/linux-2.4.20-nethashfix.patch

*********************************************************************

(2) LOW: Multiple IMAP Clients Buffer Overflows

Affected Products:
Literal String Size Declaration Problem:
   - Microsoft Outlook Express 6.0
   - Mozilla 1.3, 1.4a
   - Qualcomm Eudora 5.2.1
   - Ximian Evolution 1.2.4
   - Sylpheed 0.8.11
Mailbox Size Declaration Problem:
   - GNOME Balsa 2.0.6, 2.0.10
   - Mutt 1.2.1, 1.2.5, 1.3.12, 1.3.x, 1.4.0, 1.4.1
   - University of Washington imap 2002b
   - University of Washington PINE 4.30, 4.33, 4.44, 4.52, 4.53
 
Description:
Multiple IMAP clients have been found vulnerable to heap-based buffer
overflow attacks in handling particularly chosen literal string sizes
and mailbox sizes declared by an IMAP server. Malicious IMAP servers
can exploit the flaws to crash a client application or, in some cases,
to execute arbitrary code on the client system.

Council Site Actions:
All reporting council sites are treating this as a low risk, low
vulnerability problem. All but one of the reporting council sites have
limited IMAP implementations, and at each of these sites, the client
connects to an internal production IMAP server. Thus, the risk is very
low. One site has a large deployment of IMAP clients, but they felt
the risk was low enough to not warrant any action at this time. They
plan to upgrade sometime in July.

Risk: IMAP client compromise by a malicious IMAP server. Successful
attackers gain the privileges of the user running the IMAP client
software.

Deployment: Widely deployed. These vulnerabilities affect multiple IMAP
clients to varying degrees. At present, the following clients are
thought to only be susceptible to the DoS (code execution not possible):
Mutt, Balsa, Sylpheed, and Outlook Express.

Ease of Exploitation: Code Execution - Difficult.
An attacker must entice a victim client to connect to a malicious IMAP
server in addition to crafting a reliable buffer overflow exploit. DoS
attacks are simpler to accomplish but still require the victim to
connect to a hostile server.

Status: Some vendors have confirmed and released updated versions of
the affected clients. SecurityFocus is tracking these issues and
reporting updates on vendor fixes (see BID links below).
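The pattern behind both problem classes in the Description above is a client that trusts a size the server declares, either the `{n}` of an IMAP literal or the count in an untagged EXISTS response, when it allocates or copies. The added example below, written for this page and not taken from any of the listed clients, shows the checks a hardened client-side parser makes before acting on such a size; the policy caps, the exact line formats accepted and the `msg_state` record are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy caps (constructed values): anything larger is treated as hostile. */
#define MAX_LITERAL  (8ul * 1024ul * 1024ul)   /* 8 MiB per literal */
#define MAX_MESSAGES (1ul << 24)               /* messages per mailbox */

/* Parse a server-sent literal header such as "{1234}\r\n".
 * Returns the declared size, or -1 if the header is malformed, negative,
 * non-numeric, or larger than MAX_LITERAL. Checking before each accumulation
 * step avoids the wrap that turns "{4294967296}" into 0 in a 32-bit size. */
static long parse_literal_size(const char *s)
{
    if (s == NULL || *s++ != '{') return -1;
    if (!isdigit((unsigned char)*s)) return -1;         /* rejects "{}", "{-5}", "{ 5}" */
    unsigned long n = 0;
    for (; isdigit((unsigned char)*s); s++) {
        unsigned d = (unsigned)(*s - '0');
        if (n > (MAX_LITERAL - d) / 10) return -1;      /* n*10+d would exceed the cap */
        n = n * 10 + d;
    }
    if (s[0] != '}' || s[1] != '\r' || s[2] != '\n') return -1;
    return (long)n;
}

/* Copy a literal body out of the receive buffer into dst. The vulnerable shape
 * of this code trusted `declared` and copied that many bytes into a buffer
 * sized by something else. Here both bounds are checked: the destination's
 * capacity and how many bytes actually arrived.
 * Returns bytes copied, or -1 if either bound would be violated. */
static long read_literal(const unsigned char *in, size_t in_len, long declared,
                         unsigned char *dst, size_t dst_len)
{
    if (declared < 0) return -1;
    size_t want = (size_t)declared;
    if (want > dst_len) return -1;   /* would overflow dst */
    if (want > in_len)  return -1;   /* body not fully received: caller waits for more data */
    memcpy(dst, in, want);
    return (long)want;
}

/* Parse an untagged "* <n> EXISTS" line. Returns the count, or -1 if the line
 * is malformed, the number does not fit, or it exceeds MAX_MESSAGES. */
static long parse_exists(const char *line)
{
    if (line == NULL || strncmp(line, "* ", 2) != 0) return -1;
    const char *p = line + 2;
    if (!isdigit((unsigned char)*p)) return -1;   /* strtoul alone would accept "-1" and "+1" */
    errno = 0;
    char *end = NULL;
    unsigned long n = strtoul(p, &end, 10);
    if (errno == ERANGE || n > MAX_MESSAGES) return -1;
    if (strcmp(end, " EXISTS") != 0 && strcmp(end, " EXISTS\r\n") != 0) return -1;
    return (long)n;
}

/* Per-message bookkeeping sized by the EXISTS count (constructed record). A
 * hand-rolled malloc(count * sizeof) is where a huge count wraps to a small
 * allocation that the later per-message writes then run past. The cap already
 * bounds count here; the explicit wrap check is kept as defence in depth. */
struct msg_state { uint32_t uid; uint32_t flags; };

static struct msg_state *alloc_message_table(long count)
{
    if (count <= 0 || (unsigned long)count > MAX_MESSAGES) return NULL;
    if ((unsigned long)count > SIZE_MAX / sizeof(struct msg_state)) return NULL;
    return calloc((size_t)count, sizeof(struct msg_state));
}

/* Scratch destination so read_literal can be exercised without extra setup. */
static unsigned char scratch[8];

int main(void)
{
    printf("{12}         -> %ld\n", parse_literal_size("{12}\r\n"));
    printf("{4294967296} -> %ld\n", parse_literal_size("{4294967296}\r\n"));
    printf("copy 9 into 8-byte buffer -> %ld\n",
           read_literal((const unsigned char *)"hello", 5, 9, scratch, sizeof scratch));
    printf("* 3 EXISTS   -> %ld\n", parse_exists("* 3 EXISTS"));
    return 0;
}
```

The three checks correspond to the three ways a declared size goes wrong: the number itself wraps while being parsed, the copy exceeds the destination, or a count is multiplied into an allocation size that wraps. A client that applies all three only ever crashes on a hostile server in a controlled way (a rejected response), which is the difference between the DoS-only and code-execution outcomes the Deployment paragraph above distinguishes.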

References:
Posting by Timo Sirainen:
http://archives.neohapsis.com/archives/bugtraq/2003-05/0157.html

Security Focus BIDs:
http://www.securityfocus.com/bid/7602
http://www.securityfocus.com/bid/7603

 
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org for
permission.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+0gw2+LUG5KFpTkYRAuA1AJ9SKym7bpqk3p1GX8jNCk0OsRlGzACfTUnF
pI5zM2LqhF736dI58CKbB+0=
=sbwF
-----END PGP SIGNATURE-----