Increases in PHP Scanning

Posted on June 5, 2008 by Brent Huston

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far, we have observed only known security issues. being probed.

Windows XP SP3 Ships With Old Adobe Flash

Posted on June 3, 2008 by Adam Hostetler

It appears that Windows XP SP3 is shipping with an old vulnerable version of Adobe Flash player. If you recently upgraded to SP3, it would be a good idea to check Windows Update again to make sure the update for MS06-069 (Flash player vulnerability) is installed. It may also be wise to manually check the version that’s installed.

Are Your Disaster Recovery Plans Ready For A Disaster?

Posted on June 2, 2008 by Adam Hostetler

One Data center just found out that theirs wasn’t, and a lot of their customers were also caught with no backup servers, only relying on the Data center’s disaster recovery. On Saturday ThePlanet Data center experienced an explosion in their power room that knocked approximately 9,000 servers offline, effecting over 7,500 customers. ThePlanet was unable to get power back on to those servers for over a day, due to the fire department not letting them turn the backup power on.

Two separate issues can be seen from this, one, the Data center’s disaster recovery plan failed to recover them from a disaster. While quite unlikely to happen, an explosion in the power room can happen, as seen here, and they were not prepared for it. Perhaps they could have worked with the fire department during the disaster recovery policy creation to identify ways that backup power could be served while the power room was down. Or possibly with 5 Data centers (as ThePlanet has) they could have had spare hot servers at the other sites to send backups to. We don’t know the details of their policy or exactly what happened yet, so we can only speculate ways that the downtime could have been prevented.

Secondly, many customers found out the hard way to not rely on someone else’s disaster recovery plans. These sites could have failed over to a site at another Data center, or even a backup at their own site, but they weren’t prepared, assuming that nothing could happen to the Data center their server is at.

The lesson learned from this mistake is that disasters happen, and you need to be prepared. No disaster scenario should be ignored just because “it’s not likely to happen”. So take a look at your plans, and if you host at a Data center, if your website is critical make sure there is a backup at a separate Data center or on your own site.

Apple Releases Security Update

Posted on May 29, 2008 by wstoner

If you’re running an OS X version below 10.5.3 it is time to upgrade or install security update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, Cross Site scripting and a number of information exposure issues.

The original advisory is available at: http://support.apple.com/kb/HT1897

Snort Issues In Case You Missed Them and Malicious SWF

Posted on May 27, 2008 by Brent Huston

In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to get by Snort without detection. 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:

/From iDefense/

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

/End iDefense Content/

Also, SANS is talking about malicious SWF files that have been found online. Looks like they are using some encoded images that can cause some issues with what may be a previously known flash player vulnerability. Advise your users to be wary of flash enabled sites that they would consider “untrusted”. Of course, your milage may vary with this one, but at least awareness might help….

Lastly, as refresher, if you are a Notes/Domino user, it might be a good idea to check out patches that have been released lately. There have been a number of issues in the last few weeks and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. Looks like quick scans for names.nsf and a couple of other common Notes files. So far though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI…

Lotus Domino Cross Site Scripting and Buffer Overflows

Posted on May 21, 2008 by wstoner

At least two injection attack vectors have been discovered in IBM’s Lotus Domino Web Servers versions 6.x, 7.x and 8.x. These can lead to a stack based buffer overflow which may allow remote code execution and Cross Site Scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.

The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057

and

http://www-1.ibm.com/support/docview.wss?uid=swg21303296

Avaya CMS Denial of Service

Posted on May 21, 2008 by wstoner

A vulnerability has been reported in Avaya Call Management System that can be exploited to create Denial of Service. For more information see the original advisory at:
http://support.avaya.com/elmodocs2/security/ASA-2008-206.htm

CA BrightStor Vulnerabilities

Posted on May 21, 2008 by Adam Hostetler

CA BrightStor has been found to contain several vulnerabilities. The issues identified are buffer overflows and directory traversal vulnerabilities. Both vulnerabilities exist in ARCServer Backup versions 11.0, 11.1, and 11.5. The buffer overflows exist in the xdr functions in the ARCServer server. The directory traversal could potentially also be used to execute code by writing to a startup or configuration file. CA has released updates for these issues, and they should be tested and deployed as soon as possible.

Code Execution Exploit for Internet Explorer 7.0/8.0b

Posted on May 16, 2008 by wstoner

Internet Explorer has been found to be vulnerable to a cross-zone scripting when a user prints an HTML page and the browser is using its “Print Table of Links” options. The vulnerability exists because printing takes place in the local zone not the Internet zone. Any links within the page are not validated allowing for malicious code to be injected and run. The solution is simply to print without the “Print Table of Links” option. The original advisory can be read at: http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx

Fear Renewed: The Cisco Router Rootkit

Posted on May 15, 2008 by Brent Huston

The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.

While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.

The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.

So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats