Category Archives: Emerging Threats

Cisco IPS Denial of Service

Posted on by
Reply

Cisco has released an advisory for IPS platforms, they are susceptible to denial of service attacks. The vulnerability is in the handling of jumbo ethernet frames. A specially crafted packet can cause the device to kernel panic, a power cycle is required to reset the device. However, if the device is deployed in promiscous mode, or does not have a gigabit interface, it is not vulnerable. For vulnerable devices, Cisco has released updates and a workaround. Install the updates, or disable support for jumbo Ethernet to mitigate this issue.

SNMP Scans

Posted on by
Reply

We have noticed, and noticed around the net that there has been a sharp increase in SNMP port scans. No doubt this is due to the recent vulnerability and exploit code released. If you happen to be running SNMP exposed on your external network (something that should be discouraged), it would be a very good idea to update those devices, and also block those ports or restrict access if they do not absolutely need to be exposed.

Web App Security

Posted on by
Reply

Over the past few days more than 30 exploits have been released focusing on web applications. The exploits focus on SQL injection attacks, which are a major vulnerability lately, and that’s just for published web applications. Many more are being discovered in privately developed websites. It still seems that some developers out there are still not embracing secure coding practices.

Bot activity has still been seen spreading through websites also using these vulnerabilities. Causing normally trustable websites to deliver malware to unsuspecting users. Until all developers change their coding processes, we can expect these exploits and bot activity to keep increasing. In the mean time, we recommend that any applications you are developing undergo testing, and any web applications (such as CMS) you are using stay patched.

Microsoft Patch Tuesday details

Posted on by
Reply

MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
Performing a large number of SDP requests could allow for code execution.

MS08-031
Cumulative Security Update for Internet Explorer (950759)
Vulnerabilities in MSIE allow code execution and cross domain information leaks.
Should be patched immediately as details on exploiting are publically available.
Rated:Critical
Replaces MS08-024.

MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
A vulnerability in the Speech API could allows for remote execution in the context of the user viewing a specially crafted webpage. Speech recognition must be enabled.
Rated: Moderate
Replaces MS08-023.

MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
Input validation vulnerabilities may allow code execution via DirectX.
Rated: Critical
Replaces MS07-064.

MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
A privilege escalation vulnerability in WINS could allows an attacker to compromise a vulnerable system.
Rated: Important
Replaces MS04-045.

MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
Input validation failure in the LDAP can lead to a Denial of Service.
Rated: Important
Replaces MS08-003.

MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
Input validation vulnerabilities in PGM packets can be leveraged to cause a Denial of Service.

Rated:Important

Replaces MS06-052.

Windows Advance Notification for June

Posted on by
Reply

Tomorrow Microsoft will be releasing updates for their monthly patch cycle. It looks like there will be 3 critical rated vulnerabilities. One of which is in the bluetooth service. This one is interesting as it’s listed as being remotely exploitable. Assuming that it’s exploitable over the bluetooth interface, this one could be very interesting. Watch for exploits for this vulnerabilities showing up in every attackers repitoire if it’s viable.

F5 FirePass SSL VPN XSS

Posted on by
Reply

The F5 FirePass SSL VPN appliance is vulnerable to cross site scripting attacks within the management console. This device, designed to protect against XSS attacks, contains a XSS within the /vdesk/admincon/webyfiers.php and /vdesk/admincon/index.php pages that could permit an attacker to force premature termination of the parameter value and to inject an event handler script. This vulnerability has been confirmed in version 6.0.2, hotfix 3. Previous versions may be affected. There’s no fix for it at the moment, so users/admins should not browse to untrusted sites while logged in to the management interface.

Increases in PHP Scanning

Posted on by
Reply

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far, we have observed only known security issues. being probed.

Are Your Disaster Recovery Plans Ready For A Disaster?

Posted on by
Reply

One Data center just found out that theirs wasn’t, and a lot of their customers were also caught with no backup servers, only relying on the Data center’s disaster recovery. On Saturday ThePlanet Data center experienced an explosion in their power room that knocked approximately 9,000 servers offline, effecting over 7,500 customers. ThePlanet was unable to get power back on to those servers for over a day, due to the fire department not letting them turn the backup power on.

Two separate issues can be seen from this, one, the Data center’s disaster recovery plan failed to recover them from a disaster. While quite unlikely to happen, an explosion in the power room can happen, as seen here, and they were not prepared for it. Perhaps they could have worked with the fire department during the disaster recovery policy creation to identify ways that backup power could be served while the power room was down. Or possibly with 5 Data centers (as ThePlanet has) they could have had spare hot servers at the other sites to send backups to. We don’t know the details of their policy or exactly what happened yet, so we can only speculate ways that the downtime could have been prevented.

Secondly, many customers found out the hard way to not rely on someone else’s disaster recovery plans. These sites could have failed over to a site at another Data center, or even a backup at their own site, but they weren’t prepared, assuming that nothing could happen to the Data center their server is at.

The lesson learned from this mistake is that disasters happen, and you need to be prepared. No disaster scenario should be ignored just because “it’s not likely to happen”. So take a look at your plans, and if you host at a Data center, if your website is critical make sure there is a backup at a separate Data center or on your own site.