An Ouchie for “The Self Defending Network”

Posted on by
Reply

As we covered in an earlier post, there appears to be a security issue with Cisco Works.

Now, more information has emerged about what appears to be a back door that allows anyone who can telnet to a port on the Cisco Works box to execute OS commands with high levels of privilege. Essentially turning the Cisco configuration and monitoring tool into a pretty powerful weapon for an attacker.

No word yet on how this back door got into the code, what steps have been taken to make sure this doesn’t happen again or anything else beyond the “ooops and here is a patch” statement. Cisco is hopefully increasing their code management, security testing and QA processes to check for this and other forms of application security before they release code to the public.

Once again, Cisco has shown, in my opinion, a serious lack of attention to detail in security. Given their mission-critical role in many enterprise networks and the global Internet, we should and do expect more from them than from an average software developer. Please, Cisco, invest in code testing and application security cycles in the SDLC before something really bad happens to a whole bunch of us…

CA BrightStor ARCserve 0day

Posted on by
Reply

A 0day exploit has been released into the wild today for ARCserve. A buffer overflow vulnerability appears to exist in the file ‘ListCtrl.ocx’. At this point in time, it is not known how widespread this exploit will become. However, it was released on a popular exploit website, so it’s only a matter of time before the exploit is changed or put into an exploit framework. In the meantime, make sure ARCserve services are locked down as tight as possible until CA is able to release a fix for this issue.

Yet More SSH Fun – This Time With Humans!

Posted on by
Reply

2b.jpg

OK, so last week we took an overview of SSH scans and probes and we dug a bit deeper by examining one of our HoneyPoints and the SSH scans and probes it received in a 24 hour period.

This weekend, we reconfigured that same SSH HoneyPoint to appear as a known vulnerable version. And, just in time for some Monday morning review activity and our blog posting, we got what appears to be an automated probe and then about an hour later, a few attempts to access the vulnerable “service” by a real human attacker.

Here is some of the information we gathered:

The initial probe occurred from a 62.103.x.x IP address. It was the same as before, a simple connection and banner grab. The probe was repeated twice, as per the usual activity, just a few seconds apart.

This time, ~40 minutes later, we received more connections from the same source IP. The IP address only connected to port 22, they did no port scanning, web probes or other activity from that address or in that time frame.

The attacker made several connections using the DropBear SSH client. The attacker seemed to be using 0.47, which has a couple of known security issues, according to the banner the client sent to the HoneyPoint.

The attacker performed various SSH handshake attempts and a couple more versions of banner grabbing tests. Over the next ~20 minutes, the attacker connected 5 times to the HoneyPoint, each time, probing the handshake mechanism and grabbing the banner.

Finally, the attacker decided to move on and no more activity has been seen from the source IP range for a day and a half.

The attacker source IP was from a Linux system in Athens, Greece that appears to belong to an ISP. That system has both OpenSSH 3.9p1 and regular telnet exposed to the Internet. The system advertises itself by hostname via the telnet prompt and the name matches its reverse DNS entry.

We contacted the abuse contact of the ISP about the probes, but have not received any comment as of yet.

The interesting thing about this specific set of probes was that the human connections originated from the same place as one of the banner grabbing scans. This is not usual and is not something that we have observed in the recent past. Usually, the probes come from various IP addresses (likely some form of worm/bot-net) and we rarely see any specifically identifiable human traffic. So, getting the attention of the human attacker is certainly a statistical anomaly.

The other interesting behavior piece here was that the attacker did not bother to perform even a basic port scan of the target. They specifically focused on SSH and when it did not yield to their probes, they moved on. There were several common ports populated with interesting HoneyPoints, but this attacker did not even look beyond the initial approach. Perhaps they were suspicious of the SSH behavior, perhaps they were lazy or simply concentrating on SSH only attacks. Perhaps, their field of targets is simply so deep that they just moved on to easier – more usual targets. It is likely we will never know, but it is certainly interesting, no doubt.

Thanks for the readers who dropped me emails about their specific history of SSH problems. I appreciate your interest in the topic and I very much appreciate the great feedback on the running commentary! I hope this helps some security administrators out there, as they learn more about understanding threats against their networks, incident handling and basic event research. If there are other topics you would like to see covered in the future, don’t hesitate to let me know.

F-Secure Products at Risk of Compromise or DoS

Posted on by
Reply

Multiple F-Secure products contain unspecified issues in their handling of archive files. This could allow specially crafted archive files to be used as an attack vector. The results of a successful attack could cause a Denial of Service or possibly result in the compromise of the affected host. The products at risk are:

F-Secure Internet Security 2008
F-Secure Internet Security 2007
F-Secure Internet Security 2007 Second Edition
F-Secure Internet Security 2006
F-Secure Anti-Virus 2008
F-Secure Anti-Virus 2007
F-Secure Anti-Virus 2007 Second Edition
F-Secure Anti-Virus 2006
F-Secure Client Security 7.11 and earlier
F-Secure Anti-Virus Client Security 6.04 and earlier
F-Secure Anti-Virus for Workstations 7.11 and earlier
F-Secure Anti-Virus Linux Client Security 5.54 and earlier
F-Secure Anti-Virus for Linux 4.65 and earlier
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
Solutions based on F-Secure Protection Service for Business version 3.10 and earlier
F-Secure Mobile Anti-Virus™ for S60 2nd edition
F-Secure Mobile Anti-Virus™ for Windows Mobile 2003/5.0/6
F-Secure Mobile Security™ for Series 80

F-Secure Anti-Virus for Windows Servers 7.01 and earlier
F-Secure Anti-Virus for Citrix Servers 7.00 and earlier
F-Secure Anti-Virus Linux Server Security 5.54 and earlier

F-Secure Anti-Virus for Microsoft Exchange 7.10 and earlier
F-Secure Internet Gatekeeper 6.61, Windows and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
F-Secure Messaging Security Gateway 4.0.7 and earlier

Details on patching the products list above can be found at:

http://www.f-secure.com/security/fsc-2008-2.shtml

Avaya (Solaris) Remote Denial of Service

Posted on by
Reply

Avaya has released an advisory covering CMS R12, R13/R13.1, R14 and Avaya IR 2.0, 3.0 that contain vulnerabilities that could lead successful security bypass or remote Denial of Service attacks. The issue at hand is actually in the underlying Solaris firewall. Full details can be found in the original advisories:

Avaya: http://support.avaya.com/elmodocs2/security/ASA-2008-119.htm

Solaris: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200183-1

3 Browser Security Tips for End-Users

Posted on by
Reply

browsers_mojomonster.gif

Browser security continues to be an absolutely vital part of providing safety and privacy to end-users and their systems. Browser-based attacks are easily the most common threat on the Internet today. Attacks range from old-style traditional exploits like buffer-overflows to modern, sophisticated attacks like Active-X injection, drive-by downloads of malware and exploitation of cross-site scripting attacks and other web applications issues to steal user credentials or even install arbitrary code. Recent attacks against huge numbers of sites have even made strategies such as only visiting sites “you know and trust” inadequate to ensure security. Today, all sites are targeted and even huge sites with common household names have been exploited and used for illicit activities.

Obviously, our dependence on the web grows with each passing day. Web 2.0 features and capabilities have also made strategies like disallowing all client-side scripts an impossibility for most users – even though this increases safety logarithmically. Users today want those features, bells and whistles that they have become accustomed to, and as usual, they will choose performance and ease of use over safety and privacy. So, that said, we wanted to put together a quick list of some ways for end-users to make their browsers as secure as possible. These are the basics, and some of these steps may interfere with some site operations (especially number 2), but we hope that users will adopt at least some of these suggestions to better protect themselves online.

1. Keep your browser up to date.

This is the easiest of all of the steps. However, it is also the one that removes the easiest of exploits from the attacker’s arsenal. Attackers are very good at exploiting known, public, well documented vulnerabilities – so the more of them your browser is vulnerable to, the easier it is for them to compromise your system. Combatting this is very very easy, simply keep your browser up to date. Browser updates are issued periodically by all of the major browser programmers and they often close a number of known security issues in each release. To help with this, many of the browsers have even begun to build in auto-update capabilities – so if your browser has this, make sure it is turned on. If you are a user of Internet Explorer, the updates are delivered as a part of the regular Windows Update process. This can be configured to automatically execute as well. Modify your current settings using the same Control Panel interface as the firewall configuration.

2. Harden your browser against common attacks.

This is a very powerful process as well. It will make you safer by an exponential amount. However, the side effect will be that some web sites may not work properly. You will have to tune and tweak these settings as needed to create your personal balance between risk and usability. This will obviously vary by your specific lifestyle online and your level of risk tolerance. Generally though, there is a fantastic guide to making these configuration changes here. It was created by CERT and walks users through browser hardening, step by step. Follow their instructions and you will get a much safer browsing experience.

3. Be aware of social engineering tactics.

Even if you do follow the other two steps, social engineering will still be a possibility. Attackers use social engineering to trick users into doing things that they should not do, like opening a file, divulging their passwords, etc. You should always remain aware of social engineering tactics and strategies. Many of them are covered in the definition page linked above. Another good place to keep current on emerging social engineering attacks he the SANS incident center. They routinely cover emerging threats against both corporate and end-user systems.

So, there you have it. Three tips, that once enacted and followed, make browser security a much more attainable process. Of course, like with most security undertakings, you have to periodically update them, ensure your settings remain as you desire and keep aware of new changes – but these three steps make it much easier for even basic users to be a bit safer online.

CiscoWorks Remote Command Shell?

Posted on by
1

A vulnerability has been reported in CiscoWorks Internetwork Performance Monitor.   The vulnerability appears to be the result of a command shell bound to a random port. The could be exploited  to execute commands on the system. Cisco has released patch IPM version 2.6 CSCsj06260.

A cross site scripting vulnerability has been reported in Nagios. From the description, it appears to be a reflective XSS, but further information is unavailable at this time. We also do not have the input fields that are vulnerable.  Versions prior to 2.11 are vulnerable. Please apply version 2.11 if you are running Nagios.

Cisco and Adobe Vulnerabilities

Posted on by
Reply

Cisco and Adobe have released details on new vulnerabilities.  Cisco’s vulnerability is within their User-Changeable Password software. This vulnerability can be exploited by attackers to create cross-site scripting attacks and potentially to compromise the vulnerable host. Adobe’s vulnerabilities are reported in Form Designer and Form Client.  These vulnerabilities, if exploited by an attacker, can be used to compromise a user’s system. To be exploited, a user would have to visit a malicious website. Both Cisco and Adobe have released updates for the affected products, so update as soon as possible.

Deeper Dive into Port 22 Scans

Posted on by
Reply

Today, I wanted to take a deeper dive into several port 22 (SSH) scans that a single HoneyPoint deployment received over the last 24 hours. SSH scanning is very common thing right now and our HoneyPoints and firewalls continually experience scans from hosts around the world.

The particular HoneyPoint we are using for this look at the issue is located outside of the US on a business-class network in South America.

Over the last 24 hours this HoneyPoint received SSH probes from 4 specific hosts. These hosts are detailed below:

60.191.x.x – a Linux system located in China on a telecomm company’s network

83.16.x.x – an unknown system located on a consumer (DHCP) iDSL segment in Poland – we could go no further with this host since it is likely to have changed IP addresses since the probe…

218.108.x.x – another Chinese Linux system on yet another Chinese telecomm company’s network (is there anything else in China??? )

216.63.x.x – a NAT device that is front-ending a business network and web server deployment for an optical company in El Paso, TX, USA

The pattern of the probes in each case was the same. Each host completed the 3 way TCP handshake and waited for the banner of the responding daemon. The system then disconnected and repeated the process again in about 90-120 seconds. Basically, simple banner grabbing. The probing system did not send any traffic, just grabbed the banner and moved on.

The HoneyPoint in question was configured to emulate the current version of OpenSSH, so the banner may not have been what the probing attack tool was looking for. It has since been reconfigured to emulate historic versions with known security vulnerabilities.

But, what of the hosts performing the scans? Well, all 3 of them that could be reliably analyzed were found to be running OpenSSH. Two were running 3.6.1p2 and the other was running 3.4p1. Both of these are older versions with known issues.

It is very likely that these are worm/bot infected hosts and the malware is merely looking for new hosts to spread to. Interestingly, 2 of these hosts appeared to be used for regular commerce. Both were acting as a primary web server for the company and one of them even had an e-commerce site running (it also had MySQL exposed to the Internet). No doubt, any commercial activity taking place on the device is also compromised.

MSI has alerted the relevant owners of these systems and at least one of them is moving to handle the security incident. Hopefully, their damage will be minimal and they can rebuild the system easily, since at this point it is likely to also be infected with a root kit. We will advise them as they need help and assist them until they get their problem solved.

In the meantime, I hope this gives you a better look at some of the SSH scanning that goes on routinely. On average, this particular HoneyPoint deployment is scanned for SSH every 5.25 hours. This time varies from locale to locale, with US sites getting scanned more often, particularly on commercial networks. The majority of these scans come from China, with Eastern Europe pulling a distant second. In some cases, some of our US HoneyPoint deployments get scanned for SSH every 1.5 hours on average, so it is a very common attack, indeed.

Obviously, you should check your own network for SSH exposures. You should also take a look at your logs and see if you can identify how your site stacks up against the average time between scans. Feel free to post comments with any insights or time averages you come up. It could make for some interesting reading.

Hardware Hacking Gets All Too Real

Posted on by
Reply

Hardware and wireless hacking have combined in a pretty scary way. This article talks about security researchers that have found ways to monitor, attack and exploit the most popular of pacemakers used today. According to the article, the attackers were able to gain remote access to the data and control system of the device. Once they tapped into it, they were able to siphon off health-related information and even cause the pacemaker to apply voltage or shutdown – essentially killing the human host of the device.

flatline.jpeg

It really doesn’t get more scary than that. While the odds of such an attack occurring in real life against a specific person are very slim, it is simply another side effect of the integration of technology into our daily lives. As I have written about many times before, the integration of technology into so many aspects of our lives is a powerful thing. On one hand, it frees us up to do other work, makes our lives easier, more healthy, perhaps even longer than life would have been otherwise. However, many vendors simply fail to realize the implications of the risks that are inherent in their products. They fail to comprehend the basic methodologies of attackers and certainly fail to grasp how the combination of technologies in many of their products can create new forms of risk for the consumer.

I am quite sure that the company who created the pacemaker was truly interested in advancing the art of healthcare and extending the human life. They simply wanted to make things better and saw how adding remote management and monitoring to their device would allow patients to be diagnosed and the device operation modified without the need for surgery. That is quite an honorable thing and is sure to make patients lives easier and even reduce the rate of death since patients would no longer undergo the stressful and dangerous operations that used to be needed to make changes to the implanted pacemakers. These are very noble ideas indeed.

Unfortunately, the creators of the heart system were so focused on saving lives and so focused on medical technology, that they seem to have missed the idea of securing their pacemaker against improper access. This is certainly understandable, given that they are a medical company and not an IT firm, where such risks have been more public in their discussion. The problem is, in many cases today, there is essentially no difference between IT and other industries, since many of the same technologies are present in both.

Again, there is little to truly be immediately concerned about here. While the attack is possible, it does require technical knowledge and the vendors will undoubtably work on improving the product. However, upgrading existing users is unlikely. But, unless you happen to be a high profile target, you are obviously much safer with the device than without it. The big lesson here and the one I hope vendors, consumers and the public are learning is that we must add risk management and security testing processes to any device with a critical role, regardless of industry. Today, there are simply too many technologies that can impact our daily lives to continue to ignore their risks.