Cisco IPS Denial of Service

Cisco has released an advisory for its IPS platforms, which are susceptible to a denial of service attack. The vulnerability is in the handling of jumbo Ethernet frames: a specially crafted packet can cause the device to kernel panic, and a power cycle is required to recover it. Devices deployed in promiscuous mode, or without a gigabit interface, are not vulnerable. For vulnerable devices, Cisco has released updates and a workaround: install the updates, or disable support for jumbo Ethernet frames, to mitigate this issue.

SNMP Scans

We have noticed, and have seen reports from around the net of, a sharp increase in SNMP port scans. No doubt this is due to the recently published SNMPv3 vulnerability and exploit code. If you happen to have SNMP exposed on your external network (something that should be discouraged), it would be a very good idea to update those devices, and also to block the SNMP ports (161/udp and 162/udp) or restrict access to them if they do not absolutely need to be exposed.

Web App Security

Over the past few days more than 30 exploits have been released targeting web applications. Most of them are SQL injection attacks, which have become a major class of vulnerability lately, and that is just for published web applications; many more are being discovered in privately developed websites. It seems that many developers out there are still not embracing secure coding practices.

Bot activity has also been seen spreading through websites using these same vulnerabilities, causing normally trustworthy websites to deliver malware to unsuspecting users. Until developers change their coding practices, we can expect these exploits and this bot activity to keep increasing. In the meantime, we recommend that any applications you are developing undergo security testing, and that any third-party web applications you use (such as a CMS) stay patched.
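To make the coding practice concrete, here is an added example (not code from any of the applications or exploits mentioned above) showing the two injection patterns these exploits rely on, each beside its parameterised fix. The database, table names, user and page rows, and the attacker inputs are all constructed for the example; SQLite stands in for whatever database the application uses.

```python
import sqlite3

# Constructed in-memory database standing in for a small CMS: a users table
# and a pages table. All names and contents are invented for this example.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO users(name, password) VALUES ('admin', 'correct horse');
        INSERT INTO pages(title, body) VALUES ('home', '<p>Welcome</p>');
    """)
    return db

def login_vulnerable(db, name, password):
    # Untrusted input is pasted straight into the statement text, so a quote
    # in the username rewrites the query and a comment marker drops the rest.
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return db.execute(sql).fetchone() is not None

def login_fixed(db, name, password):
    # Parameterised query: the values travel separately from the statement,
    # so the driver never interprets them as SQL.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

def search_vulnerable(db, term):
    # A search box built by concatenation; a UNION in the term pulls rows
    # from any other table into the result set shown to the visitor.
    sql = "SELECT title, body FROM pages WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_fixed(db, term):
    # The wildcard characters are added to the bound value, not to the SQL.
    sql = "SELECT title, body FROM pages WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed attacker inputs.
LOGIN_PAYLOAD = "admin' --"   # comments out the password check
UNION_PAYLOAD = "x%' UNION SELECT name, password FROM users --"

def demo():
    db = setup_db()
    return {
        "bypass_vulnerable": login_vulnerable(db, LOGIN_PAYLOAD, "wrong"),
        "bypass_fixed": login_fixed(db, LOGIN_PAYLOAD, "wrong"),
        "leak_vulnerable": search_vulnerable(db, UNION_PAYLOAD),
        "leak_fixed": search_fixed(db, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable login accepts the payload with any password, and the vulnerable search returns the users table's credentials; the parameterised versions treat the same strings as ordinary data and return nothing. The fix is the same regardless of database: bind values, never concatenate them.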

SNMP v3 Vulnerability and Exploit

A vulnerability was identified in many implementations of SNMPv3 which allows an attacker to bypass SNMP authentication: affected agents compare only as many bytes of the message HMAC as the sender supplied, so an attacker who sends a one-byte authentication value needs at most 256 guesses to pass the check without knowing the key. In just a few days a working exploit was released into the wild. With the exploit, remote attackers may be able to read and modify any SNMP-managed data on an affected system. This affects many devices, and firmware will need to be updated across the board. The extent of affected systems is not completely known yet, but assume that any device implementing SNMPv3 is vulnerable until its vendor says otherwise.
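The following is an added example, not code from any affected implementation or from the published exploit, that models the authentication check at the heart of the issue and shows why a one-byte guess is enough. The key, request body and simplified key derivation are constructed assumptions; the 12-byte (HMAC-96) truncation is the one SNMPv3 actually specifies for its usmHMAC authentication protocols.

```python
import hmac
import hashlib

# SNMPv3 usmHMAC authentication truncates the HMAC to 12 bytes (HMAC-96).
MAC_LEN = 12

def expected_mac(key, message):
    return hmac.new(key, message, hashlib.sha1).digest()[:MAC_LEN]

def verify_vulnerable(key, message, received_mac):
    # Bug modelled here: the number of bytes compared is taken from the
    # length of the attacker-supplied field, not from the protocol. A
    # one-byte field means a one-byte comparison.
    expected = expected_mac(key, message)
    return expected[:len(received_mac)] == received_mac

def verify_fixed(key, message, received_mac):
    # Require the full-length MAC and compare it in constant time.
    if len(received_mac) != MAC_LEN:
        return False
    return hmac.compare_digest(expected_mac(key, message), received_mac)

def forge(verify, message):
    """Attacker with no knowledge of the key: try every 1-byte MAC.
    Returns (accepted_mac, attempts) or (None, 256) if nothing was accepted."""
    for guess in range(256):
        candidate = bytes([guess])
        if verify(message, candidate):
            return candidate, guess + 1
    return None, 256

# Constructed values: a secret the attacker does not know (a real agent
# would derive a localized key from the user's passphrase) and a request.
SECRET_KEY = hashlib.sha1(b"example authentication passphrase").digest()
REQUEST = b"constructed SNMPv3 SET request body"

def run_attack():
    vuln = lambda msg, mac: verify_vulnerable(SECRET_KEY, msg, mac)
    fixed = lambda msg, mac: verify_fixed(SECRET_KEY, msg, mac)
    return {"vulnerable": forge(vuln, REQUEST), "fixed": forge(fixed, REQUEST)}

if __name__ == "__main__":
    for name, (mac, attempts) in run_attack().items():
        print(name, "accepted" if mac else "rejected", "after", attempts, "attempts")
```

Against the vulnerable check the loop always succeeds within 256 attempts, since one of the 256 single-byte values necessarily matches the first byte of the real MAC; against the fixed check every short MAC is rejected before any bytes are compared. The second defence matters on its own: even with the length check in place, a plain byte-by-byte comparison leaks timing, so compare_digest (or memcmp over the full length with a constant-time variant) is the right primitive.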

Windows Advance Notification for June

Tomorrow Microsoft will release the updates for its monthly patch cycle. It looks like there will be 3 vulnerabilities rated critical, one of which is in the Bluetooth stack. This one is interesting as it is listed as remotely exploitable; if that means it is exploitable over the Bluetooth interface itself, it could be very interesting indeed. Watch for exploits for this vulnerability showing up in every attacker's repertoire if it proves viable.

Are Your Disaster Recovery Plans Ready For A Disaster?

One data center just found out that theirs wasn't, and many of its customers were caught without backup servers, having relied solely on the data center's disaster recovery. On Saturday, ThePlanet's data center experienced an explosion in its power room that knocked approximately 9,000 servers offline, affecting over 7,500 customers. ThePlanet was unable to restore power to those servers for over a day, because the fire department would not let them turn the backup power on.

Two separate issues can be seen here. First, the data center's disaster recovery plan failed to recover it from a disaster. While unlikely, an explosion in the power room can happen, as seen here, and they were not prepared for it. Perhaps they could have worked with the fire department while writing the disaster recovery policy to identify ways that backup power could be supplied while the power room was down. Or, with five data centers (as ThePlanet has), they could have kept spare hot servers at the other sites to restore backups onto. We don't know the details of their policy or exactly what happened yet, so we can only speculate about ways the downtime could have been prevented.

Second, many customers found out the hard way not to rely on someone else's disaster recovery plans. These sites could have failed over to a server at another data center, or even to a backup at their own site, but they weren't prepared, having assumed that nothing could happen to the data center their server was in.

The lesson is that disasters happen, and you need to be prepared. No disaster scenario should be ignored just because "it's not likely to happen". So take a look at your plans, and if you host at a data center and your website is critical, make sure there is a backup at a separate data center or at your own site.

CA BrightStor Vulnerabilities

CA BrightStor ARCserve Backup has been found to contain several vulnerabilities: buffer overflows and a directory traversal. Both exist in ARCserve Backup versions 11.0, 11.1, and 11.5. The buffer overflows are in the XDR functions of the ARCserve server. The directory traversal could also be used to execute code, by writing to a startup or configuration file. CA has released updates for these issues; they should be tested and deployed as soon as possible.

Debian SSH/SSL Predictable Keys

A serious issue was discovered this week in the OpenSSL packages distributed with Debian and Debian-based distributions over the last year and a half. It revolves around a small piece of code that was removed from the package; it turned out that removing it crippled the pseudo-random number generator used when creating keys. The crippled generator had been using only the process ID of the generating process as its seed, which leaves a very small number of possible seeds (32,768, to be exact), and therefore a very small number of possible keys for each key type and size.

All SSL and SSH keys generated on affected systems since September 2006 could be affected. All affected certificates will need to be regenerated and re-signed by the CA. This includes web site certificates as well as OpenVPN certificates. If your CA key itself was created on an affected system, the CA will also need to be recreated and the old one revoked. As for SSH, any systems using key authentication need to be audited, both the host keys and the user keys listed in authorized_keys files: if the keys were generated on an affected system, they should be regenerated and replaced ASAP.

Debian and Ubuntu have released updated packages, as well as tools for checking your keys (ssh-vulnkey for SSH keys, and the openssl-blacklist package for keys generated with OpenSSL). When the updated openssh-server package is installed, the SSH host keys can be recreated during the update. These updates should be installed immediately, and keys regenerated after installing the updates.
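To show why a 32,768-seed space is fatal, and how the blacklist-based checkers work, here is an added example that is not the Debian or Ubuntu tooling and not OpenSSL's generator. It models the broken generator as a PRNG seeded with nothing but the PID, enumerates every seed to build a blacklist of fingerprints, and then checks candidate keys against it. The key derivation, the fingerprint function and the sample keys are stand-ins constructed for the example; the seed range is the only value taken from the issue itself.

```python
import hashlib
import random

# Linux's default pid_max: the only "entropy" the crippled generator had.
PID_MAX = 32768

def weak_private_key(pid):
    # Model of the broken generator: seed a PRNG with nothing but the PID and
    # read the private key straight out of it. A 256-bit value stands in for
    # the RSA/DSA private key OpenSSL would actually produce.
    rng = random.Random(pid)
    return rng.getrandbits(256).to_bytes(32, "big")

def public_fingerprint(private_key):
    # A one-way function stands in for deriving the public key and taking its
    # fingerprint: the value visible in a certificate, known_hosts or
    # authorized_keys, which is all an auditor needs to see.
    return hashlib.sha256(b"pub:" + private_key).hexdigest()[:16]

def build_blacklist():
    # Same idea as the distribution blacklists: enumerate every seed the
    # broken generator could have used and record the resulting fingerprint.
    # Generating all 32,768 keys takes well under a second here.
    return {public_fingerprint(weak_private_key(pid)): pid
            for pid in range(1, PID_MAX + 1)}

def weak_seed_for(fingerprint, blacklist):
    # Returns the PID that produced this key, or None if it is not weak.
    return blacklist.get(fingerprint)

def audit(fingerprints, blacklist):
    # Map each fingerprint to its recovered seed (weak) or None (not weak).
    return {fp: weak_seed_for(fp, blacklist) for fp in fingerprints}

# Constructed sample keys: one made on an "affected" system (PID 4242) and
# one from a properly seeded generator, modelled as a random-looking value.
WEAK_FP = public_fingerprint(weak_private_key(4242))
STRONG_FP = public_fingerprint(hashlib.sha256(b"properly seeded key").digest())

if __name__ == "__main__":
    blacklist = build_blacklist()
    for fp, seed in audit([WEAK_FP, STRONG_FP], blacklist).items():
        print(fp, "WEAK (seed %d)" % seed if seed else "ok")
```

Because the attacker can run the same enumeration, recovering a weak key's seed is equivalent to recovering the private key, which is why revoking and regenerating is the only fix; checking fingerprints against the blacklist is how you find which keys need it.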

New Thunderbird Version, Rdesktop Vuln

A new version of the Mozilla Thunderbird mail client was released today. It fixes a security issue that could allow JavaScript to escalate privileges and execute arbitrary code, and it also fixes a crash. If you use Thunderbird as your mail client, it should be updated as soon as possible because of the security flaw it closes.