Oracle Critical Patches for July 2008

Oracle has released their set of critical patches for July 2008. These fix multiple issues across several product lines. Potential impacts on unpatched systems include remote system access (as root), privilege escalation, denial of service and information leakage. If you are running any of the following products, you should visit Oracle’s advisory and begin the patching process.

Affected products:

    BEA WebLogic Express 7.x thru 10.x
    BEA WebLogic Server 6.x thru 10.x
    Oracle Application Server 10g
    Oracle Database 10.x and 11.x
    Oracle E-Business Suite 11i and 12.x
    Oracle Enterprise Manager 10.x
    Oracle Hyperion Business Intelligence Plus 9.x
    Oracle Hyperion Performance Suite 8.x
    Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x
    Oracle PeopleSoft Enterprise Tools 8.x
    Oracle Times-Ten In-Memory Database 7.x
    Oracle9i Application Server
    Oracle9i Database Enterprise Edition and Database Standard Edition

Original Advisory:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Content Management System Research Project – Some Results

As I mentioned earlier, our team has been doing some research on popular content management systems and potential security vulnerabilities in them. We were doing this as part of a review of the Syhunt Sandcat4PHP product that our partner has released.

As a part of that project, we have identified significant vulnerabilities in each of the popular content managers we reviewed. Several of the products were found to have various types of injection vulnerabilities (SQL/command/etc.), arbitrary file disclosure and access issues and tons of cross-site scripting (XSS) problems. We are now in the process of notifying each of the product teams about the vulnerabilities we identified.

How bad were things? One word, abysmal…

Here is an inside glimpse of the raw math of the scanning tool’s findings:

CMS          Injections & File Issues    XSS    “Risk Rating”
=============================================================
Bitweaver                  37              7          42.25
Drupal                     97              2          98.50
Joomla                      4             15          15.25
Mambo                      45            207         200.25
WordPress                   5            166         129.50

** The “risk rating” was based upon each injection and file issue being given a score of 1.0 and each XSS being given a score of .75, then adding them together. It should be noted that this was an arbitrarily chosen mechanism created to give a simple basis for comparison and is NOT reflective of any specific risk rating system or the like. Also, no general weighting or anything is included, so I use the term “risk” loosely…

I also dropped the data into InspireData, a quick and dirty visualization tool I like to play with. It produced these quick images (Note that you can download them for a clearer view):

CMSRiskScore.jpg

This graph shows a plot of the “risk score” by the product tested.

CMSByVulnMap.jpg

This graph shows a matrix of the products plotted across an axis for Injections and File Leaks and an axis for XSS. The red lines mark the mean value on each axis, for quick reference.

As I said before, our team is in the process of contacting each of the CMS projects that we tested and will be disclosing the vulnerability information to them for their mitigation. Our team did some basic testing and analysis of the data that the Syhunt tool found and determined it to be pretty good at finding the issues. We found very few false positives, and the ones we did find were cases where input validation happens in other functions, beyond the initial layer of source code that the scanner flagged.

The Syhunt tool did very well. It is a great tool for a 1.00 release and very much worth the cost. If you have PHP and JavaScript applications in your environment, I would suggest grabbing your team a copy. If you have applications that you would like tested by a third party, please feel free to contact us for a quote. Let us know if we can be of any assistance or if you have questions about what we did or the like.

Please note that we will NOT be making disclosures of the identified vulnerabilities at this time, so don’t ask. We will be working with the project teams to mitigate any vulnerabilities identified.

Note that all products were downloaded from public sources and are “open” projects. Versions were current as of the download date. We only scanned the source of core products, no plugins/add ons/expansions or modules outside of the core products were tested in this project. Your paranoia may vary and you should not take any of the results of these tests as advice or endorsement of any of these projects or products. Use the results at your own risk…… 😉

DNS Patches May Break Some Things…

I just had a quick conversation with an IT technician who suggested that more than ZoneAlarm may be broken by the new port-randomization behavior of “patched DNS”. These fundamental changes to the ports allocated for DNS traffic may confuse existing firewalls and other filtering devices that are unaware of the new DNS behavior.

For example, if you have filtering devices with specific port ranges defined for egress or ingress of DNS traffic, especially non-stateful devices, that configuration will likely need to change to allow the much wider source-port range that a patched resolver uses. A stateless rule that only permits UDP from source port 53 to destination port 53 will drop queries from a patched resolver, which now sends each query from a random high port rather than a single fixed one. Systems that are “DNS aware” may likewise not expect the randomized ports that patching introduces. As such, filtering devices, especially at the perimeter, may well need to be reconfigured or upgraded to keep DNS traffic flowing unimpeded.

There may be SEVERAL other nuances that become evident in some environments as the patch process for the DNS issue continues to evolve. Stay tuned to stateofsecurity.com and other security venues for information and guidance as it becomes available.

More on DNS Security Issue Management – Know & Control DNS + SOHO Issues

Just added this to Revision 2 of the whitepaper:

Attack Vector Management

Part of mitigating the risk of this security issue is also managing the availability of the attack vector. In this case, it is essential that security teams understand how DNS resolution operates in their environment. DNS resolution must be controlled to the greatest extent possible. That means that all servers and workstations MUST be configured to use a set of known, trusted and approved DNS servers whenever possible. In addition, proper egress filtering should be implemented to prevent external DNS resolution and contact with port 53 on unknown systems. Without control over desktop and server DNS use, the attack vector available for exploitation becomes unmanageably large. Upper management must support the adoption of these controls in order to prevent compromise as this and other DNS vulnerabilities evolve.
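As an added example (not from the whitepaper or the original post), here is a Python script that triages outbound DNS query records for the two concerns raised on this page: resolvers still querying from a fixed or sequential source port, which is what the legacy “source port 53 only” filter rules discussed under “DNS Patches May Break Some Things” were written for, and internal hosts resolving against servers outside the approved set, the attack-vector problem described just above. The record format, addresses, thresholds and function names are all my own constructed assumptions; feed it real flow or firewall log data by mapping each record to (client, source port, DNS server).

```python
"""
Offline triage of outbound DNS query records for two things the text above
calls out: resolvers that still query from a fixed or sequential UDP source
port (not yet patched), and internal hosts that resolve against DNS servers
outside the approved set (an attack vector egress filtering should close).
Also counts how many patched-resolver queries a legacy "source port 53 only"
firewall rule would drop.
The record format and every address below are constructed for this example.
"""
from collections import defaultdict

# Approved internal resolvers; every other host may talk DNS only to these.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed outbound UDP/53 query records: (client, source_port, dns_server).
SAMPLE_QUERIES = [
    # 10.0.0.53: patched resolver, random source port per query
    ("10.0.0.53", 51432, "192.0.2.1"),
    ("10.0.0.53", 3087, "192.0.2.1"),
    ("10.0.0.53", 60115, "192.0.2.9"),
    ("10.0.0.53", 19982, "192.0.2.9"),
    ("10.0.0.53", 44201, "192.0.2.1"),
    ("10.0.0.53", 7730, "192.0.2.9"),
    # 10.0.0.54: unpatched resolver, every query from UDP/53
    ("10.0.0.54", 53, "192.0.2.1"),
    ("10.0.0.54", 53, "192.0.2.9"),
    ("10.0.0.54", 53, "192.0.2.1"),
    ("10.0.0.54", 53, "192.0.2.9"),
    ("10.0.0.54", 53, "192.0.2.1"),
    # 10.0.1.7: workstation with sequential ports, sometimes bypassing the approved resolvers
    ("10.0.1.7", 1025, "10.0.0.53"),
    ("10.0.1.7", 1026, "10.0.0.53"),
    ("10.0.1.7", 1027, "192.0.2.77"),
    ("10.0.1.7", 1028, "10.0.0.53"),
    ("10.0.1.7", 1029, "192.0.2.77"),
]


def classify_source_ports(ports):
    """Crude verdict on a host's UDP source-port behaviour, in query order."""
    if len(ports) < 4:
        return "INSUFFICIENT-DATA"
    distinct = len(set(ports))
    if distinct == 1:
        return "FIXED"           # the classic unpatched pattern
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= 2 for s in steps):
        return "SEQUENTIAL"      # predictable, effectively unpatched
    if distinct / len(ports) < 0.5:
        return "LOW-ENTROPY"
    return "RANDOM"


def audit(queries, approved):
    """Per-client port verdict plus any DNS servers outside the approved set.
    Approved resolvers are exempt from the destination check: they must reach
    the Internet's authoritative servers to do their job."""
    ports, servers = defaultdict(list), defaultdict(set)
    for client, sport, server in queries:
        ports[client].append(sport)
        servers[client].add(server)
    report = {}
    for client in ports:
        unapproved = [] if client in approved else sorted(servers[client] - approved)
        report[client] = {
            "port_verdict": classify_source_ports(ports[client]),
            "unapproved_servers": unapproved,
        }
    return report


def legacy_rule_drops(queries, resolvers, allowed_sport=(53, 53)):
    """Count resolver queries a stateless 'udp sport 53 -> dport 53' ACL would drop."""
    lo, hi = allowed_sport
    return sum(1 for client, sport, _ in queries
               if client in resolvers and not lo <= sport <= hi)


if __name__ == "__main__":
    for client, r in sorted(audit(SAMPLE_QUERIES, APPROVED_RESOLVERS).items()):
        print(f"{client:<12} ports={r['port_verdict']:<12} unapproved={r['unapproved_servers']}")
    print("queries dropped by legacy sport-53 rule:",
          legacy_rule_drops(SAMPLE_QUERIES, APPROVED_RESOLVERS))
```

On the sample data the patched resolver is reported RANDOM, the unpatched one FIXED, the workstation SEQUENTIAL with 192.0.2.77 listed as an unapproved server, and all six of the patched resolver’s queries would be dropped by a rule that only allows source port 53. The port verdict is deliberately crude (a handful of queries, no statistical test); treat FIXED or SEQUENTIAL as a reason to check the host, not as proof.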

Home User and Small Office Vulnerability

Home users and small offices (or enclaves within larger organizations) should pay careful attention to how their DNS resolution takes place. Many home and small business firewall devices from vendors such as Linksys, D-Link, Netgear, etc. are likely to be vulnerable to these attacks and are quite UNLIKELY to be patched to current firmware levels. Efforts must be made to educate home and small office users about this issue and to update all of these devices as patches and firmware upgrades become available.

DNS Security Issue Overview & Mitigation Whitepaper

Our engineering team has analyzed the available data on this emerging security issue and the fixes identified. As such, we have prepared the following white paper for our clients and readers.

Please review the paper and feel free to distribute it to your management team, co-workers and others who need to be involved in understanding and remediating the problems emerging with DNS.

You can obtain the white paper here.

If your organization needs any assistance in understanding or managing this vulnerability, please do not hesitate to contact us. We would be happy to assist in any way possible.

HoneyPoint Security Server Console Upgrade and New Deployment Worksheet Available

A new release of HoneyPoint Security Server Console was released today. Version 2.51 includes two bug fixes and several library upgrades. The new release seems to be a bit faster on Windows systems, likely due to upgrades in the back-end libraries.

The new version fixes a bug in the math of the email alerts to system administrators, where the wrong event counts would be included. It also repairs a bug that caused a crash on some systems when changing the status of multiple events. While neither of these bugs is critical, we thought the speed changes were worth a release.

The new version also includes the recently updated User Guide that now includes full instructions for installing the HPoints as a service or daemon using common tools or the tools from the resource kit.

We are also pretty happy to announce the availability of a deployment worksheet that guides new users through the deployment of the console and HPoints and helps them gather and define the information needed to do a full roll out.

We are hard at work on new HPoints and we have several that are finishing the testing process, so stay tuned for more releases soon. Updates are also underway to the Personal Edition (including a whole new GUI) and we are just starting to plan for version 3 of the console, so if you have suggestions, send them in.

Both the updates and the deployment guide are now available on the FTP server. Please use your credentials assigned when you made your product purchase to download them. If you need assistance, simply give us a call!

Office Access Remote Code Execution

Microsoft Office Access 2000, 2002 and 2003 contain a vulnerable ActiveX control. This control is the component that lets a user view an Access report snapshot without having the standard or run-time version of Microsoft Office Access installed. A malicious website can exploit it to execute arbitrary code on a visitor’s system with the rights of the logged-on user. The ideal mitigation is to disable the affected ActiveX control by setting the kill bit for the affected CLSIDs. Those CLSIDs are F0E42D50-368C-11D0-AD81-00A0C90DC8D9, F0E42D60-368C-11D0-AD81-00A0C90DC8D9 and F2175210-368C-11D0-AD81-00A0C90DC8D9. See http://support.microsoft.com/kb/240797 for more information on setting the kill bit.
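Added example, not from the original post: a small Python helper that writes a .reg file setting the kill bit (Compatibility Flags = 0x400) for those three CLSIDs under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, which is the key KB 240797 describes, and, on Windows, reads the value back to confirm it took. The function names and output filename are my own; the .reg file still has to be imported (regedit or reg import) with administrative rights, and a management tool such as Group Policy would be the normal way to push it across a fleet.

```python
"""
Kill-bit helper for the three Snapshot Viewer CLSIDs named in the text.
Setting the 0x400 bit in "Compatibility Flags" under the ActiveX Compatibility
key stops Internet Explorer from instantiating a control (per KB 240797).
This script builds a reviewable .reg file and, on Windows, verifies the result.
Function names and the output filename are this example's own choices.
"""
import sys

KILL_BIT = 0x00000400
COMPAT_KEY = "SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility"

# CLSIDs from the advisory text above
SNAPSHOT_VIEWER_CLSIDS = [
    "F0E42D50-368C-11D0-AD81-00A0C90DC8D9",
    "F0E42D60-368C-11D0-AD81-00A0C90DC8D9",
    "F2175210-368C-11D0-AD81-00A0C90DC8D9",
]


def compat_subkey(clsid):
    """Registry subkey (relative to HKLM) for one control's compatibility flags."""
    return COMPAT_KEY + "\\{" + clsid.upper() + "}"


def kill_bit_set(flags):
    """True if the kill bit is present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def build_reg_file(clsids):
    """Return .reg file text that sets the kill bit for each CLSID.
    Any existing flag bits are overwritten; merge by hand if other bits matter."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append("[HKEY_LOCAL_MACHINE\\" + compat_subkey(clsid) + "]")
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


def verify_on_windows(clsids):
    """Read the flags back; returns {clsid: kill bit set?}. Windows only."""
    import winreg  # only exists on Windows, hence the local import
    status = {}
    for clsid in clsids:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, compat_subkey(clsid)) as key:
                flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            status[clsid] = kill_bit_set(flags)
        except OSError:       # key or value missing: control is not killed
            status[clsid] = False
    return status


if __name__ == "__main__":
    with open("killbit-snapshot-viewer.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg_file(SNAPSHOT_VIEWER_CLSIDS))
    print("wrote killbit-snapshot-viewer.reg; import it with admin rights, then re-run to verify")
    if sys.platform == "win32":
        for clsid, ok in verify_on_windows(SNAPSHOT_VIEWER_CLSIDS).items():
            print(clsid, "kill bit set" if ok else "NOT set")
```

Run it once to produce the .reg file, import that with administrative rights, then run it again on the same Windows box: each CLSID should report “kill bit set”. If a control already had other compatibility flags, OR 0x400 into the existing value instead of importing this file as-is.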

Corporate Data Classification

One of the most urgent steps that many organizations are facing in their information security program is that of data classification. While this, and role-based access controls, are two of the most critical processes in the changing security landscape, they are also two of the most painful. Many organizations do not even know where their data is located, stored, processed or used to a full extent and are spending a great deal of resources just understanding “what they have” and “how it is used”.

While knowing where the data is and how it is used is essential, organizations must also embrace some type of mechanism for classifying data. In some cases this can be as easy as creating a standard set of data definitions such as Private Identity Data, Internal Use Only, Customer Confidential, etc. and then building a policy around how data of each type is to be created, managed, stored, processed, handled and destroyed. For many small businesses, this can be a relatively small undertaking and, when done right, can provide a real improvement in security – IF EVERYONE FOLLOWS THE RULES.

In larger organizations, classifications may be more diverse. There may be Private Employee Identity Data, Private Employee Healthcare Data, Customer Private Identity Data, Internal Use Only, Customer Confidential or others. Many organizations even go a little wild with this and build small acronyms and/or a legend into their policy, so that you can label a Word document of a client contract something like “CCC” for “Customer Confidential – Contracts”, or even worse, they will add a department code followed by some acronym that the department heads have made up. This is where the pain gets excruciating!

At MSI, we are big supporters of keeping the classifications as simple as possible. In most cases we are able to stick with “PII” for personal identity information, “Internal Use Only” for sensitive data not to be released outside of the company, “Confidential” for data that must be protected from all eyes except the intended participants, and maybe a small set of divisions for other data outside of these such as HR, Finance, M&A, HIPAA, GLBA, etc., depending on what groups need to access the data or what regulations apply to it. Of course, these can then be added to folder names, document headers, meta-tags and the myriad other places used to quickly identify data.

Once you get your head around a working group of classifications, then comes the next task – identifying the appropriate controls for each type of data. That process takes experience, insight into specific business processes and a lot of patience. Start with data classification, though, and then build from there. As security evolves and becomes more nuanced, those with data classification schemes in place will be ahead of the coming curve. In the future, not all data will be treated or regulated the same, so make it easy on yourself and get started with data classification as soon as you can!

Microsoft Patches For July 2008

Tomorrow, Microsoft is releasing four security updates for multiple issues affecting Windows, Microsoft SQL Server and Microsoft Exchange Server. All four updates carry a rating of “important”; there are no “critical” updates in this round. Surprisingly, there’s no update for the recent IE vulnerabilities. As usual, these updates should be tested and rolled out as soon as possible.