Project Pre-Release – Vulnerabilities in Popular Content Management Systems Under Study

Posted on June 24, 2008 by Brent Huston

Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user friendly source code scanner for performing deep analysis of PHP applications including their surrounding javascript and HTML components.

Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.

First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an off shoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.

Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:

WordPress, Joomla!, Mambo, Drupal and BitWeaver

We then downloaded the current versions of the CMS (as of that day, a couple of weeks ago…) and set up our testing environment.

We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.

To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.

For now just let us say that we are evaluating our findings and that the tool performed very very well.

I look forward to sharing the details with everyone in the coming days.

Let me know if you have any questions about the product, the project or the work.

SNMP v3 Vulnerability and Exploit

Posted on June 13, 2008 by Adam Hostetler

A vulnerability was identified in many implementations of SNMPv3 which allows an attacker to bypass SNMP authentication. In just a few days a working exploit was released into the wild. With the exploit remote attackers may be able to access and modify any SNMP on an affected system.This could affect many devices, and firmware will need to be updated across the board. The extent of affected systems is not completely known yet, but assume that all devices that implement SNMPv3 are vulnerable.

June Virtual Event Announced – Social Engineering Assessments Primer

Posted on June 12, 2008 by Brent Huston

We are proud to announce our June Virtual Event topic for the month. Please join us as we cover a primer for social engineering assessments and how they can assist you in securing your organization. As always, our virtual events are long on information and short on sales and spin. They are also FREE!

Abstract:

This presentation will cover the reasons why your organization should consider a social engineering assessment as a part of their routine security auditing processes. Examples of test scenarios will be given, along with ideas on scoping such tests. Further, ways to appropriately use the results and tips on presenting the identiﬁed issues to upper management will be discussed.

Date: Tuesday, June 26th at 4pm Eastern

To register for the presentation and to receive the PDF of the slides as well as the dial in number, please send email to info@microsolved.com with “June Virtual Event” or the like in the subject line.

Editors note: Sorry for the need to create a subject clarification, but we are holding several events this month including live and virtual versions of our State of the Threat presentations. If you need more info about those presentations, just ask. Thanks!

Increases in PHP Scanning

Posted on June 5, 2008 by Brent Huston

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far, we have observed only known security issues. being probed.

VMWare ESX and Java ASP Vulns, Akamai Exploit

Posted on June 5, 2008 by Nathan Grandbois

Sun’s Java Active Server Pages version 4.0.2 contains multiple vulnerabilities. These vulnerabilities are numerous and could result in a variety of negative consequences; including remote system compromise, bypassing security restrictions, and manipulation of data. Sun has released version 4.0.3 that corrects the issues in 4.0.2.

VMWare ESX server versions 2.x and 3.x are vulnerable to information disclosure, denial of service, and in some cases remote system compromise. All administrators and users of VMWare should consider applying the vendor provided patches to their software. Full details can be found at http://www.vmware.com/security/advisories/VMSA-2008-0009.html.

The Akamai download manager contains and input validation error in its’ ActiveX control. This could result in system compromise or a denial of service when a user visits a malicious web page. The vulnerability affects versions 2.2.3.5 and prior. A working exploit has already been released. Update to version 2.2.3.7, available at http://dlm.tools.akamai.com/tools/upgrade.html

SHOCKER – The FBI says Wi-Fi Hotspots are Insecure!!!

Posted on June 4, 2008 by Brent Huston

It’s hard to believe, but the FBI has recently announced that Wi-Fi Hotspots might not be secure.

I read it here, so it must be true… 😉

In a way I am glad to see public notices like this. Maybe if the FBI draws attention to the problems, average people will pay attention to the solution. Of course, their mitigation suggestions include the “keep your computer patched, use firewall and encryption” routine.

The sad part is that you can do all of these things and still fall victim to a number of security issues such as dns poisoning, DHCP spoofing, social engineering and a myriad of other problems. I guess that is a perfect reason why we push so hard for average folks to use our HoneyPoint:Network Trust Agent product. At less than 10 bucks, it adds yet more capability and ease of use to protecting even non-technical users when they are on untrusted networks, including wi-fi.

Public networks are likely to remain unsafe for users who are not vigilant for a long time to come. Firewalls and patches can help keep them safe, but until they make better decisions about information security and can resist many of the basic attacks that leverage social engineering and the like, free wi-fi will likely be a cyber-wild west for a while longer.

If you want to hear more about protecting mobile users against public network threats, drop us a line. Until then, we will wait to hear from the FBI. Maybe they can help us get the word out that there is help available for wi-fi users.

CA Content Mgr DoS, Unspecified WebSphere Issue

Posted on June 4, 2008 by Nathan Grandbois

A denial of service vulnerability has been reported in CA eTrust Content Manager. This vulnerability can also be exploited to compromise a vulnerable system. The vulnerability is caused due to boundary errors in certain FTP requests that could result in a stack based buffer overflow. The vulnerabilities are reported in CA eTrust Secure Content Manager 8.0.
CA has provided a patch for this issue.

Also, an unspecified vulnerability in IBM WebSphere Application Server has been reported. Very little details are available regarding this vulnerability. IBM has released fix pack 17 to address this issue (whatever it is).

Are Your Disaster Recovery Plans Ready For A Disaster?

Posted on June 2, 2008 by Adam Hostetler

One Data center just found out that theirs wasn’t, and a lot of their customers were also caught with no backup servers, only relying on the Data center’s disaster recovery. On Saturday ThePlanet Data center experienced an explosion in their power room that knocked approximately 9,000 servers offline, effecting over 7,500 customers. ThePlanet was unable to get power back on to those servers for over a day, due to the fire department not letting them turn the backup power on.

Two separate issues can be seen from this, one, the Data center’s disaster recovery plan failed to recover them from a disaster. While quite unlikely to happen, an explosion in the power room can happen, as seen here, and they were not prepared for it. Perhaps they could have worked with the fire department during the disaster recovery policy creation to identify ways that backup power could be served while the power room was down. Or possibly with 5 Data centers (as ThePlanet has) they could have had spare hot servers at the other sites to send backups to. We don’t know the details of their policy or exactly what happened yet, so we can only speculate ways that the downtime could have been prevented.

Secondly, many customers found out the hard way to not rely on someone else’s disaster recovery plans. These sites could have failed over to a site at another Data center, or even a backup at their own site, but they weren’t prepared, assuming that nothing could happen to the Data center their server is at.

The lesson learned from this mistake is that disasters happen, and you need to be prepared. No disaster scenario should be ignored just because “it’s not likely to happen”. So take a look at your plans, and if you host at a Data center, if your website is critical make sure there is a backup at a separate Data center or on your own site.

Time to Play Some Offense…

Posted on June 2, 2008 by Brent Huston

To quote, Allan Bergen, it sure looks like it might be “time to play some offense”…

Not surprising to me, I read today that the primary security concern of IT managers is the inside threat. It doesn’t surprise me because I have been working on educating organizations for several years about the seriousness of the insider threat. In fact, I would suggest that there are very very few threats that are NOT insider threats. Why? Because there really is no inside or outside. Thanks to disruptive technologies and evolved attacker capabilities – just about everything is exposed to attack. Just ask some of the recent vendors who were compromised in high profile “PCI-related” cases how well they feel that their “perimeter security” protected them…

The truth is, there are three powerful things that can be done to combat modern attacks, whether internal-based or executed by attackers half a world away.

1. Implement and enforce data classification – Know where your critical assets are, how they move around your environment throughout their lifecycle and then use tools like access controls, encryption and integrity verification to make sure that they are protected. Use logging analysis and event management to detect issues and make sure all of the controls, including role-based access controls, are HEAVILY and PERIODICALLY tested.

2. Embrace enclaving – Enclaving is like defense in depth throughout the whole network. Establish proper need to know boundaries, then build enclaves of security mechanisms around the data. Don’t build networks that trust user workstations with access to databases and other servers, segregate them with firewalls, detection mechanisms and access controls. Build as much security for the users as makes sense, but design the environment so that if users make bad decisions (which they will) and get popped – so what! Client side exploits and malware are only a concern if users have access to inordinate amounts of data. The problem is making sure that you get your controls and practices tight enough to limit the exposure that user compromise presents. That alone should go a LONG way toward minimizing your risk if done properly.

3. Move up the security stack to Threat Management and Risk Assessment – Use processes like risk assessment as a factor in business decision making. Security can truly empower business, but you have to let security teams stop being the “patch patrol” and “net cop” and let them get to actually helping you manage risk. They have to be able to identify threats, model threats and understand attacks and exposures. That requires education, dependable tools and upper management support. Encourage your security team to mature and begin to take real-world risk into consideration. Help them to resist the cult of the arcane technical security issue…

Of course, MicroSolved can help you with all three of these areas. We have the experience, insight and expertise to help you build effective enclaves and design data classification systems that make sense. We can help your team find security assessment goals that make more sense and provide ongoing assessment to keep them focused on the real-world risks. Our HoneyPoint products can help them model threats, frequency of attacks, understand the capability and intent of attackers and even give them deep insight into proactive risk metrics that they can leverage for “more science than academic” metrics of risk measurement. All of these things help your organization protect against the insider threat. All of them are available today.

The bottom line is this – if you are an IT manager looking to defend against the insider threat – give us a call. Together we can apply these strategies and others that your organization may need to effectively manage their risk and protect their assets.

At MicroSolved, we think differently about information security. So should you.

What is “Defensive Fuzzing”?

Posted on May 27, 2008 by Brent Huston

Since the release of HornetPoints with the newest version of HoneyPoint Security Server, I have been getting a lot of mail asking about “defensive fuzzing”. I thought I would take a moment and talk a little bit about it and explain a bit about its uses.

Defensive fuzzing is a patent-pending approach to network, system and application defense. It is based on the idea of using techniques from “fuzz testing”, but applying them against incoming connections in a defensive manner rather than as a test mechanism for known software. The idea is that attacker tools and malware probably fail to meet established best practices for software development and thus, are likely to have issues with unexpected input just as normal professionally developed software does. Further, “defensive fuzzing” lends itself to using fuzzing techniques as a protective mechanism to cause attacker tools, malware and other illicit code to abnormally terminate. Basically, by fuzzing incoming connections to a HornetPoint (which should have no real world use, thus all incoming connections are illicit) we can terminate scans, probes, exploits, worms, etc. and reduce the risk that our organization (and other organizations) face from these attacks.

For those of you who might not be familiar with fuzzing, you can read more about the basics of it here. However, keep in mind, that defensive fuzzing applies these techniques in new ways and for a protective purpose rather than a software testing process.

HornetPoints simply embody this process. They can be configured to fuzz many types of existing connections, emulating varying protocols and applications. For example, targeting spam and relay scanners can be done by implementing the SMTP HornetPoint. It listens on the SMTP port and appears to be a valid email relay. Instead, however, it not only captures the source and traffic from the spammers, but also fuzzes the connection as the spam is sent, attempting to terminate the spammer scanning tool, bot-net client or other form of malware that is generating the traffic. Obviously, success rates vary, but our testing has shown the process to be quite effective against a number of tools and code bases used by attackers today.

That is just one example and many more are possible. For more information about defensive fuzzing or HornetPoints, please leave us a comment or contact us. We would be happy to discuss this evolution in security with you!

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: General InfoSec