CA ARCserve DoS, Multiple CMS Vulns

Computer Associates ARCserve Backup 12.0.5454.0 and earlier is vulnerable to a denial of service: a specially crafted packet sent to port 41523 is enough to take the service down. For more specific information see CVE-2008-1979.

Several content management systems are vulnerable to remote file inclusion (RFI) and SQL injection. As Adam said in a previous post, it appears that application developers are still not embracing the coding practices that would keep these bugs out of their code in the first place. If you administer a CMS, make sure the application is tested regularly for injection vulnerabilities.

Expect More Worms

The team at PandaLabs has discovered a tool that converts any given executable into a worm. Apparently originating in Spain, the tool lets a user wrap any executable in worm code through a simple GUI. Options include enabling a mutex, UPX compression, and disabling various operating system components. We will continue to see tools like this lower the technical threshold for attackers and increase the number of malicious agents in the wild.

Security practitioners need to keep helping their clients develop defense-in-depth strategies that reduce risk and exposure to these threats. Key elements include identifying the assets most at risk, moving toward enclave computing, and adding more rigorous security testing of Internet-facing applications (slowing their deployment if necessary). The need for security awareness training that is both engaging and current will only grow.

For more details on the tool itself you can visit:  http://pandalabs.pandasecurity.com/archive/T2W-_2D002D003E00_-Trojan-to-Worm.aspx

Cisco IPS Denial of Service

Cisco has released an advisory for its IPS platforms: they are susceptible to a denial of service in the handling of jumbo Ethernet frames. A specially crafted packet can cause the device to kernel panic, and a power cycle is required to recover it. Devices deployed in promiscuous mode, or without a gigabit interface, are not vulnerable. For vulnerable devices Cisco has released updates and a workaround: install the updates, or disable jumbo Ethernet frame support, to mitigate the issue.

SNMP Scans

We have noticed, as have others around the net, a sharp increase in SNMP port scans. No doubt this is due to the recently disclosed vulnerability and the exploit code released for it. If you are running SNMP exposed on your external network (something that should be discouraged), it would be a very good idea to update those devices, and to block the SNMP ports (UDP 161 and 162) or restrict access to them if they do not absolutely need to be exposed.

Web App Security

Over the past few days more than 30 exploits have been released targeting web applications. Most focus on SQL injection, which has become a major class of vulnerability lately, and that is just for published web applications; many more are being discovered in privately developed websites. It still seems that some developers are not embracing secure coding practices.

Bots are still being seen spreading through websites by way of these same vulnerabilities, causing normally trustworthy websites to deliver malware to unsuspecting users. Until developers change their coding processes, we can expect these exploits and the bot activity to keep increasing. In the meantime, we recommend that any applications you are developing undergo security testing, and that any web applications you use (such as a CMS) stay patched.
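The two bug classes named above (here and in the CMS item earlier on this page) come from the same habit: pasting client input into a string that is later parsed as SQL or as an include path. The following is an added illustration in Python against SQLite, not code from the original post or from any of the CMSs mentioned; the toy users table, the login_* and resolve_include_* names and the page allowlist are assumptions made for the example. It shows the concatenated query beside the parameterized one, and the concatenated include target beside an allowlist lookup.

```python
import sqlite3


def make_db():
    """Constructed toy CMS user table (in-memory SQLite); not any real CMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("editor", "pencil", "editor")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by concatenation: client input becomes SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text and are never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# The RFI shape is include($_GET['page'] . '.php'): a URL in the parameter reaches the include.
ALLOWED_PAGES = {"home": "pages/home.php", "contact": "pages/contact.php"}  # assumed page map


def resolve_include_vulnerable(page):
    """Concatenation: whatever the client sent, a remote URL included, is the include target."""
    return page + ".php"


def resolve_include_safe(page):
    """Allowlist: the client value is only a key; anything not in the map is rejected."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    return ALLOWED_PAGES[page]


if __name__ == "__main__":
    db = make_db()
    # The trailing comment in the username discards the password check entirely.
    print(login_vulnerable(db, "admin' --", "wrong"))  # ('admin', 'admin')
    print(login_safe(db, "admin' --", "wrong"))        # None
    print(resolve_include_vulnerable("http://198.51.100.9/shell.txt?"))
```

The tautology form (`' OR '1'='1` in the password field) works the same way against login_vulnerable because AND binds tighter than OR, so every row matches and the first one, the admin, is returned. Neither payload does anything against login_safe, which is the whole point of binding parameters rather than concatenating them.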

Microsoft Patch Tuesday details

MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
A large number of specially crafted SDP (Service Discovery Protocol) requests could allow code execution.

MS08-031
Cumulative Security Update for Internet Explorer (950759)
Vulnerabilities in MSIE allow code execution and cross-domain information leaks.
Should be patched immediately, as details on exploitation are publicly available.
Rated: Critical
Replaces MS08-024.

MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
A vulnerability in the Speech API could allow remote code execution in the context of the user viewing a specially crafted web page. Speech recognition must be enabled.
Rated: Moderate
Replaces MS08-023.

MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
Input validation vulnerabilities may allow code execution via DirectX.
Rated: Critical
Replaces MS07-064.

MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
A privilege escalation vulnerability in WINS could allow an attacker to compromise a vulnerable system.
Rated: Important
Replaces MS04-045.

MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
An input validation failure in LDAP request handling can lead to a denial of service.
Rated: Important
Replaces MS08-003.

MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
Input validation vulnerabilities in PGM packet handling can be leveraged to cause a denial of service.
Rated: Important
Replaces MS06-052.

Windows Advance Notification for June

Tomorrow Microsoft will release the updates for its monthly patch cycle. It looks like there will be three critical-rated bulletins, one of which is in the Bluetooth service. That one is interesting because it is listed as remotely exploitable; assuming that means exploitable over the Bluetooth interface, it could be very interesting indeed. If it turns out to be viable, watch for exploits for this vulnerability showing up in every attacker's repertoire.

F5 FirePass SSL VPN XSS

The F5 FirePass SSL VPN appliance is vulnerable to cross-site scripting within its management console. This device, designed to protect against XSS attacks, contains XSS in the /vdesk/admincon/webyfiers.php and /vdesk/admincon/index.php pages that could permit an attacker to terminate the parameter value prematurely and inject an event handler script. The vulnerability has been confirmed in version 6.0.2 hotfix 3; previous versions may also be affected. There is no fix at the moment, so users and admins should not browse to untrusted sites while logged in to the management interface.
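The "premature termination of the parameter value" wording describes attribute-context XSS: a parameter reflected inside a double-quoted HTML attribute can close the quote early and then add an on* event handler attribute. The block below is an added illustration in Python, not F5's code and not from the original post; the TEMPLATE string, the render_* and has_event_handler names and the payload are assumptions made for the example. It renders a constructed page fragment with and without quote escaping, then uses the standard library's HTMLParser to see which attributes a browser-like parser actually ends up with.

```python
import html
from html.parser import HTMLParser

# Hypothetical page fragment that reflects a request parameter into an attribute value.
TEMPLATE = '<input type="text" name="q" value="{value}">'


def render_unescaped(value):
    """Reflects the parameter verbatim: a double quote in it ends the attribute early."""
    return TEMPLATE.format(value=value)


def render_escaped(value):
    """Escapes &, <, >, \" and ' so the parameter cannot break out of the quoted value."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class _AttrCollector(HTMLParser):
    """Collects (name, value) attribute pairs from every start tag it sees."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(markup):
    """Attributes as a browser-like parser sees them (entity references already decoded)."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup):
    """True if any attribute name is an on* handler, i.e. the payload escaped the value."""
    return any(name.lower().startswith("on") for name, _ in parsed_attributes(markup))


# Constructed payload: closes the value attribute, then supplies a handler attribute.
PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_unescaped(PAYLOAD))  # onmouseover becomes a real attribute
    print(render_escaped(PAYLOAD))    # the whole payload stays inside value="..."
```

Note that html.escape only helps in this context because the attribute is quoted; an unquoted attribute (value={value}) can be broken out of with a space, so output encoding and quoting the attribute go together.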

Increases in PHP Scanning

We are detecting an increasing number of scans for a series of known PHP vulnerabilities, thus far originating from Asia.

To date we see no new attacks, just checks for known bad pages, particularly admin interfaces, and a couple of quick URLs that test for command injection. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a new PHP scanner; most likely a new tool has been released that bundles a plethora of PHP vulnerability checks.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into their firewall or router black hole lists. This allows a "one strike and you're out" approach to black-holing attacking systems.
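The same "one strike" idea can be applied to an ordinary web server log without a honeypot, by classifying requests as probes for admin interfaces that the site does not host, RFI attempts (a URL in a query value) or command-injection attempts, and listing every source that triggered one. The block below is an added example in Python, not HoneyPoint's code and not from the original post; the log lines, the probe signatures and the function names are constructed for the example, and the null-route lines it emits are plain iproute2 syntax an operator could paste rather than any appliance's format.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined-format shape); hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:09:01:02 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 213
203.0.113.7 - - [10/Jun/2008:09:01:03 -0400] "GET /admin/index.php HTTP/1.1" 404 213
203.0.113.7 - - [10/Jun/2008:09:01:04 -0400] "GET /index.php?page=http://198.51.100.9/cmd.txt? HTTP/1.1" 404 213
198.51.100.22 - - [10/Jun/2008:09:05:10 -0400] "GET /index.php?id=1;cat%20/etc/passwd HTTP/1.1" 200 5120
192.0.2.15 - - [10/Jun/2008:09:06:00 -0400] "GET /index.php HTTP/1.1" 200 5120
192.0.2.15 - - [10/Jun/2008:09:06:01 -0400] "GET /about.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Admin interfaces this (hypothetical) site does not host: any request for them is a probe.
ADMIN_PROBES = ("/phpmyadmin", "/admin/", "/mysqladmin", "/pma/")
# Crude signatures: a scheme inside a query value (RFI), shell metacharacters (command injection).
RFI_RE = re.compile(r"=(?:https?|ftp)://", re.IGNORECASE)
CMDI_RE = re.compile(r"[;|`]|%3b|%7c", re.IGNORECASE)


def classify(path):
    """Return the probe class for a request path, or None if it looks benign."""
    low = path.lower()
    if any(low.startswith(prefix) for prefix in ADMIN_PROBES):
        return "admin-probe"
    if RFI_RE.search(low):
        return "rfi"
    if CMDI_RE.search(low):
        return "cmd-injection"
    return None


def scan_log(text):
    """Map each source IP to the list of probe classes it triggered, in log order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        kind = classify(match.group("path"))
        if kind:
            hits[match.group("ip")].append(kind)
    return dict(hits)


def blackhole_list(text):
    """One strike and you're out: every source with at least one probe is listed."""
    return sorted(scan_log(text))


def null_route_commands(ips):
    """Linux null-route commands for the listed sources (iproute2 syntax)."""
    return ["ip route add blackhole %s/32" % ip for ip in ips]


if __name__ == "__main__":
    for ip, kinds in scan_log(SAMPLE_LOG).items():
        print(ip, kinds)
    print("\n".join(null_route_commands(blackhole_list(SAMPLE_LOG))))
```

Before feeding the output to a router, review it: a one-strike policy on crude signatures will eventually catch a legitimate user who pastes a URL into a search box, so the admin-probe class is the safest to automate and the injection classes deserve a second look or a short expiry on the null route.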

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far we have observed only known security issues being probed.