Patent Wierdness and the Security Market


So I was doing some patent research today and I have to say that some of the patents out there for information security are pretty weird.

I found patent applications for wireless access points that turn on radio jammers in response to attacks (thus blocking even legitimate users), ethernet cables that can be colored with special markers depending on the security of the system they are attached to, a physical key-based device that controls an ethernet air-gap and even a patent application that was denied for patenting the word “security”.

I had no idea that so many things had been patented, or attempted to be patented. Maybe I am not a “patent insider” – but a lot of this sounds like junk, bad infomercials and “seen on TV” security products.

I think I should find a VC and maybe patent the special “security gnomes” that some software vendors believe protect their software from well-known exploits. Or the “magic security dust” that some managers believe allows them to keep their data protected without investing in any real security staff or initiatives. If those don’t work, maybe I will patent some sort of “cyber-ninja” that seeks out and destroys cross-site scripting vulnerabilities and SQL injections. Why not? It might be as effective a control as colored ethernet cables…

For a couple of years now, Allan and I have been talking about just how noisy the information security market has become. Even after a large consolidation phase, there are still a bunch of vendors, some selling solutions and some selling snake oil. The average IT manager is probably getting 10+ calls a day from vendors selling them everything from firewalls to NAC and from AV software to USB blockers. No wonder average security consumers are having so much trouble knowing the real from the hype!

I didn’t start this blog post to be a rant or anything, but the oddity of the patent searches really left me in awe. The security space is crowded, noisy and a lot like a downtown Delhi market. There are exotic spices, rarities and a number of arcane items everywhere you look. Hopefully, there are also some honest to goodness, back to basics solutions mixed in too. Your mission, should you accept it, is to sort them out…

HP OpenView NNM 0day, lighttpd DoS

An exploit has been published for HP OpenView Network Node Manager (NNM). The exploit works pre-authentication and can be used remotely. From what I’ve read, it is delivered over the HTTP port of OpenView and targets the OVAS.exe service. No references to updates or fixes were found. Users should restrict network access to machines running this software.

There’s a vulnerability in lighttpd that can be exploited to cause a denial of service. The issue exists in the SSL error queue, where a single connection could be used to deny all other SSL connections. This has been fixed in the SVN repository, available at:

http://trac.lighttpd.net/trac/changeset/2136
http://trac.lighttpd.net/trac/changeset/2139

InstallShield ActiveX Vuln, WP-Download SQL Injection

There’s a SQL injection in the WordPress Download plugin. Data passed to wp-download.php is not properly sanitized before being used in a SQL query. This could result in a SQL injection attack that could lead to the disclosure of usernames and passwords. WordPress admins should update to version 1.2.1.

There’s a major vulnerability in an ActiveX control installed by Macrovision InstallShield InstallScript One-Click Install (OCI). The control gets installed via web pages prompting the user to install software, so a large user base is likely affected. Basically, when the ActiveX control is initiated it loads several DLLs that are not sanity checked. These DLLs could execute arbitrary code when loaded. This vulnerability has been confirmed in version 12.0. The following are the properties associated with the ActiveX control:

File: %WINDIR%\Downloaded Program Files\setup.exe

CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A

Macrovision has released a hotfix for this issue; it is available, along with the KB entry for this vulnerability, at http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640

A Very Good Idea – Open Source SQL Application Firewall

A few weeks ago I ran across this project, called GreenSQL. It is an open source database firewall that helps organizations mitigate application vulnerabilities to common SQL attacks such as SQL injection.

It is a list-based heuristic proxy firewall that you can use to filter SQL traffic between the web server and the database server. This is a pretty powerful tool, even being list-based. As this project evolves, perhaps it will also include more powerful approaches such as anomaly-based analysis.

For now though, blacklisting, whitelisting and their approach to transaction risk weighting make for a very powerful approach, and one that is much better than nothing.

That said, MSI has not tested the application or performed any formal review; we just liked the idea that they were working on. Perhaps in the future we will donate some lab cycles to a review and some testing, but we wanted to help them at least get the word out about their project.

If you are using MySQL for your web-based applications, it might be a good thing to spend some time looking at this project and testing the capabilities of the tool in your environment. Eliminating SQL attacks from web applications removes a significant amount of the risk their deployment carries. By some estimates, that risk could be as high as 25% of the aggregate risk an application causes. No matter the metrics, this project is certainly a step forward.
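To make the list-based, risk-weighted idea concrete, here is a miniature SQL filter of the kind such a proxy might sit on. This is an added example written for this post, not GreenSQL’s code; its rules, weights and sample queries are constructed for illustration and are not the project’s own.

```python
"""Miniature list-based SQL filter in the spirit of the approach described.

Added example; this is not GreenSQL's code and does not reproduce its rules.
Each statement is normalised to a fingerprint (literals replaced), checked
against a whitelist of known application queries and a blacklist, and
otherwise scored by weighted heuristics before the proxy passes it on.
"""
import re

# Heuristics and weights are constructed for illustration, not tuned values.
RISK_RULES = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I | re.S), 40, "union select"),
    (re.compile(r"(--|/\*|#)"), 20, "comment sequence"),
    (re.compile(r"\bor\b\s+('?\w+'?)\s*=\s*\1", re.I), 35, "tautology"),
    (re.compile(r"\b(information_schema|mysql\.user)\b", re.I), 30, "metadata table"),
    (re.compile(r";\s*\w"), 25, "stacked statement"),
    (re.compile(r"\b(drop|truncate|alter)\b", re.I), 30, "ddl in app traffic"),
]
BLOCK_THRESHOLD = 50   # risk at or above this is blocked

def fingerprint(sql):
    """Replace string and numeric literals so parameter values don't matter."""
    out = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    out = re.sub(r"\b\d+\b", "?", out)
    return re.sub(r"\s+", " ", out).strip().lower()

def evaluate(sql, whitelist, blacklist):
    """Return (decision, score, reasons) where decision is 'allow' or 'block'."""
    fp = fingerprint(sql)
    if fp in whitelist:
        return "allow", 0, ["whitelisted"]
    if fp in blacklist:
        return "block", 100, ["blacklisted"]
    score, reasons = 0, []
    for pattern, weight, label in RISK_RULES:
        if pattern.search(sql):
            score += weight
            reasons.append(label)
    decision = "block" if score >= BLOCK_THRESHOLD else "allow"
    return decision, score, reasons

# Constructed whitelist and blacklist, as if learned from normal application traffic.
KNOWN_GOOD = {fingerprint("SELECT id, name FROM users WHERE id = 42")}
KNOWN_BAD = {fingerprint("SELECT * FROM mysql.user")}
```

A whitelisted fingerprint passes regardless of parameter values, while an unknown statement is judged by the accumulated weight of the heuristics it trips.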

CA Products ActiveX Vuln, VMWare Update Fixes DoS

Multiple CA products containing the DSM ListCtrl ActiveX Control are vulnerable to buffer overflow. Exploit code has been posted to a public area for this issue. This could allow attackers to cause a denial of service or execute code in the context of the user running the browser. Some mitigating factors taken from the original advisory:

“Mitigating Factors: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.”

CA has posted an update for the affected software.

VMWare has issued an update for VMWare ESX. This update fixes a vulnerability that could cause a denial of service. Users/Administrators should apply ESX 2.5.5 Upgrade Patch 6.

TFTP Vulnerabilities

It appears that a new tool for finding vulnerabilities in TFTP servers may be floating around. In the last several days, 3 different TFTP programs have had 0day exploits released. We’re not sure of the similarities between the exploits yet, but hitting multiple products at once suggests some underlying common issue. The currently affected TFTP servers are Quick TFTP, PacketTrap Networks TFTP Server, and TFTP Server for Windows. If you happen to use any of these, update as soon as possible. If you are using other TFTP server software, keep an eye out for updates.

Playing with VoIP Hopper

I have spent just a little time playing with VoIP Hopper, which was updated in mid-February. Thus far, this seems like a pretty useful tool for doing penetration testing and enumeration of your VLAN segments and VoIP deployments.

The tool is very capable. It can easily help you scan your installations with CDP discovery and can be very useful in testing VLAN architectures for common security holes.

It is a command line tool written in C, but you should have no problem compiling it in your favorite Linux environment. It even works nicely on a default BackTrack install, so playing with it should be easy to fit into your lab schedule.

There has been a lot of attention paid to VoIP security over the last couple of years and this is certainly a nice quick and dirty tool for looking around your install. It also sheds a little light on the mistaken idea that some service providers like to pretend is the gospel – VLANs really won’t keep your VoIP secure. You can use this tool to prove them wrong if they just won’t listen to reason…

Play nice with it and make sure you only use it in the lab or on authorized networks…

Slew of Cisco Alerts

The Cisco Systems Product Security Incident Response Team released a group of security advisories today. The majority of the vulnerabilities can result in denial of service for multiple products. Here’s the round up:

Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

Devices running certain versions of Cisco IOS prior to 12.3 with VPDN enabled may be affected by the vulnerabilities. The vulnerabilities are a result of a memory leak and an inability to reuse virtual interfaces. See the original advisory for full details:
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml

Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Certain Processors

Some Cisco Catalyst 6500 Series and Cisco 7600 Routers running particular branches of Cisco IOS based on 12.2 may be affected by a denial of service vulnerability. To be vulnerable they must be configured to use OSPF and MPLS enabled VPNs. Products known to be vulnerable are based on the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720). See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml

Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers

Devices running Cisco IOS software with Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service attack. To be vulnerable the device must also have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml

Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

All devices running Cisco IOS with the Data-link Switching (DLSw) feature enabled may be susceptible to a vulnerability that can result in a reload or memory leak when processing specially crafted UDP or IP Protocol 91 packets. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

All devices running Cisco IOS and configured for MVPN are susceptible to a vulnerability that can allow an attacker to receive multicast traffic from other MVPN networks. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml

Be Careful Who You Trust…


This usually goes without saying, but trusting the wrong people, organizations or mechanisms can seriously bite you.

Take for example, the current situation with ORDB.org. They are one of the older spam blacklists and they have been around a while. So long in fact, that when they shut down in 2006 few people took notice. But, we should have.

It turns out that a few organizations and a few vendors used the blacklist provider as another source for spam prevention. Since the project was shut down, the list has not been updated since the end of 2006. Mostly, that is no harm – no foul – unless you happened to have inherited one of the IP addresses on the list, in which case you might be a little mad…

But, as of this week, the ORDB list suddenly changed behavior for an as-of-yet-unknown reason. All of a sudden the blacklist started to block ALL IP addresses!

Now many folks would say, if the list shut down in 2006, why do we care? Well, it turns out that a lot of vendor products and a few careless admins had left the list in their systems. They were still trusting the contents of the blacklist as a spam prevention tool. As you might imagine, what has ensued is a TON of blocked e-mails, a few mad customers and some bewildered troubleshooting technicians…

But, this is just that same old IT problem. Often, we build systems with trusts, configurations and dependencies that exist today. Maybe (most likely) they will not exist in the future. What happens when/if they don’t? Usually, things break. Maybe, if you are lucky, they break in big ways so that people notice. But, if they break in some small way, say in a subtle way that goes unnoticed, they could have dire effects on confidentiality, integrity and availability. As a quick example, what if you were scraping financial data from a website for use in a calculation – maybe an exchange rate. What happens if no one is checking and that website stops updating? Could your calculations be wrong? How would you know? If the exchange rate didn’t vary grossly, but only had small changes over time, what would the effect be? You see, even small issues like this could have HUGE impact. In this scenario, you could lose, mis-bill or the like by millions of dollars over time…

Trust for abandoned projects also raises another security issue. It is pretty likely that projects, systems and applications that are abandoned will become lax about being patched or maintained. If this were to occur and you are still dependent on the data – what would happen if an attacker took control of the project or system hosting it? I am not saying this happened at ORDB, but suppose it did. It seems to me that attacking and compromising old abandoned projects that people might still be dependent on is a pretty creative approach to causing some amount of chaos.

I guess the big question that the ORDB situation raises is: what other things like it are out there? What other abandoned projects or technologies are we dependent upon? How might this mechanism come to be used against us in the future?
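The ORDB failure is detectable before it blocks a single message, because a DNS blacklist has two well-defined probe answers a consumer can check. The following is an added example written for this post, not code from ORDB or any mail product; the zone names and the resolver stand-ins are constructed so the check runs offline, and `live_resolver` shows where a real lookup would plug in.

```python
"""Health check for a DNS blacklist (DNSBL) before trusting its verdicts.

Added example, not from the original post or ORDB. It runs the two probes a
DNSBL consumer can use (RFC 5782): 127.0.0.1 must never be listed and
127.0.0.2 must always be listed; a list failing either is ignored rather
than allowed to reject mail. The resolver is injected to run offline.
"""
import socket

NEVER_LISTED = "127.0.0.1"   # a correct DNSBL must not list this
ALWAYS_LISTED = "127.0.0.2"  # the conventional "always listed" test entry

def reverse_name(ip, zone):
    """Build the DNSBL query name: octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def live_resolver(name):
    """Real lookup: a listing returns an A record, a non-listing returns None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_health(zone, resolve):
    """Return 'healthy', 'dead' (lists nothing) or 'broken' (lists everything)."""
    clean_listed = resolve(reverse_name(NEVER_LISTED, zone)) is not None
    test_listed = resolve(reverse_name(ALWAYS_LISTED, zone)) is not None
    if clean_listed:
        return "broken"   # the ORDB failure mode: every sender gets rejected
    if not test_listed:
        return "dead"     # abandoned or unreachable: no signal at all
    return "healthy"

def should_reject(ip, zone, resolve):
    """Reject a sender only when the list is healthy AND it lists the sender."""
    if dnsbl_health(zone, resolve) != "healthy":
        return False
    return resolve(reverse_name(ip, zone)) is not None

# Constructed resolvers standing in for three list states (not real zones).
def make_resolver(listed_names):
    return lambda name: "127.0.0.2" if name in listed_names else None

HEALTHY = make_resolver({"2.0.0.127.good.example", "4.3.2.1.good.example"})
DEAD = make_resolver(set())
BROKEN = lambda name: "127.0.0.2"   # every query, any address, comes back listed
```

Running `dnsbl_health` on a schedule, rather than only at deployment time, is what turns a silently failing dependency into an alert instead of a mail outage.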