The Disaster Recovery Framework is able to receive and execute commands without authentication. This can allow an attacker to cause denial of service conditions, obtain sensitive configuration information, overwrite configuration parameters, or execute DRF-related commands, including arbitrary system commands with full administrative privileges.
For further details and mitigation suggestions please see the original advisory at:http://www.cisco.com/warp/public/707/cisco-sa-20080403-drf.shtml
There is quite a bit of talk online right now about a new bot-net that is supposedly quite a bit larger than Storm. This new bot-net, called Kraken, was discovered and initially revealed by another security team. Various folks are pointing at it as another evolutionary step in the growth of the bot-net threat and as a major new development in the area of cyber-crime.
Bot-nets, it seems, are today’s Internet worms. Their power, capability to produce FUD and impact make them on par with the Slammer, Code Red and Nimda worms of the past as significant threat evolutions. However, just like the worms of yesterday, there are some pretty common – albeit sometimes tough – things you can do to help minimize your risk of exposure.
First, segregate your network. Create enclaves that separate and manage access to servers that hold critical or sensitive data. Basically, segregate any and all user systems into untrusted areas and manage them as if they were untrusted systems (they are!!!)
Next, deploy egress controls as tightly as possible for all user -> Internet activity. Apply egress controls as tightly as possible to all enclaves.
Now, ensure that you have proper preventative and monitoring controls on all of the enclaves. Check for unneeded services, missing patches (OS and applications), bad configurations and known security issues. Mitigate or repair as many as possible. Monitor everything at the egress point for forensics and help with finding infected hosts. Deploy HoneyPoint sensors in user community and all enclaves.
Harden the user systems to the largest extent possible. AV, personal firewalls, patches, consider hardening or changing browsers. No matter what, consider user systems as untrusted hosts!
Educate your users about threats, their responsibilities and security mechanisms for their systems when outside the corporate network.
Monitor, manage and handle incidents quickly and with public consequences. If you find an infected machine and can trace it back to porn downloads on a company machine, fire the person and make a public example of the fact that actions against security policy (you have one of those, right?) have consequences…
Doing these basics will increase your overall security and greatly reduce your risk from bot-nets (and other threats). Is it easy? No. Is it expensive? It can be, depending on your size, complexity and technology level. Is it worth doing? Yes. It reduces risk and is much more interesting than ignoring the problem and/or continually working reactively to various incidents and compromises.
An exploit has been released into the wild for Tomcat Connector version jk2-2.0.2. The vulnerability exploited exists in the Host Header field of the apache jk2 module. At this point it’s known to work on Fedora Core versions 6,7, and 8. Other distros will likely also be affected by the exploit. If you are using the legacy 2.0.x tree of the Apache Tomcat Connector, upgrade to version 2.0.4, or use the newest version of mod_jk.
I thought this particular “hacker” article was pretty interesting. Thanks to Dr. Anton Chuvakin’s “Security Warrior” blog for pointing it out.
Once you look beyond the manifesto hype, you can really get a feel for what it represents. It represents a call to action to remind security professionals that the game has changed. The network and systems that it is composed of remain but a part of the security equation. The real target of the attackers that represent the REAL THREAT is the data that the network and systems hold.
Attackers have definitely moved up the stack. They do not care that most organizations are still focused on the network layer and more than a few are still trying to get the basics of that right. In fact, it simply empowers them more.
Today, attackers are focused on the application. That is true whether you look at holes like SQL injection and XSS or at the browser vulnerabilities that are at the root of a majority of malware and bot-net activity today. Today’s attackers have excellent tools for exploit development that have seriously changed the security landscape. More attackers understand the deeper nuances of computer science than ever before. Man security teams and professionals are lagging behind in knowledge, resources and capability.
One of the big reinforcers of this ideal to me was a presentation I gave a few weeks ago about application security. During the research for it, I found that according to several sources, a HUGE amount – roughly a third – of all reported security incidents last year involved SQL injection and XSS. Almost 2/3s of all reported incidents were web-application focused. Clearly, there is no denying that the attackers have moved up the security stack – the question is – have the defenders…
What are you, your security team and your security partners doing today to ensure that your data is protected tomorrow?
There appears to be two vulnerable ActiveX controls in Symantec Internet Security 2008. The following ActiveX controls are vulnerable:
Progid: SymAData.ActiveDataInfo.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version 2.7.0.1
These ActiveX are marked safe for scripting by Symantec. According to Symantec, although they are marked safe for scripting, they will only run from the “symantec.com” domain. Successful exploitation would require the use of XSS or DNS poisoning techniques, but could allow for complete control over a users system simply by viewing a malicious page. Symantec has issued updates to fix these vulnerabilities.
Multiple vulnerabilities have been announced for Apple Quicktime. I counted 11 different vulnerabilities in the advisory, ranging in criticality from disclosure of personal information to buffer overflows. Apple has released an update, version 7.4.5, that fixes these vulnerabilities.
Opera versions prior to 9.27 are vulnerable to multiple issues. These vulnerabilities could allow for the execution of code on the local host. Users should update to version 9.27.
So I was doing some patent research today and I have to say that some of the patents out there for information security are pretty weird.
I found patent applications for wireless access points that turn on radio jammers in response to attacks (thus blocking even legitimate users), ethernet cables that can be colored with special markers depending on the security of the system they are attached to, a physical key-based device that controls an ethernet air-gap and even a patent application that was denied for patenting the word “security”.
I had no idea that so many things had been patented, or attempted to be patented. Maybe I am not a “patent insider” – but a lot this sounds like junk, bad infomercials and “seen on TV” security products.
I think I should find a VC and maybe patent the special “security gnomes” that some software vendors believe protect their software from well-known exploits. Or the “magic security dust” that some managers believe allows them keep their data protected without investing in any real security staff or initiatives. If those don’t work, maybe I will patent some sort of “cyber-ninja” that seeks out and destroys cross-site scripting vulnerabilities and SQL injections. Why not? It might be as effective a control as colored ethernet cables…
For a couple of years now, Allan and I have been talking about just how noisy the information security market has become. Even after a large consolidation phase, there are still a bunch of vendors, some selling solutions and some selling snake oil. The average IT manager is probably getting 10+ calls a day from vendors selling them everything from firewalls to NAC and from AV software to USB blockers. No wonder average security consumers are having so much trouble knowing the real from the hype!
I didn’t start this blog post to be a rant or anything, but the oddity of the patent searches really left me in awe. The security space is crowded, noisy and a lot like a downtown Delhi market. There are exotic spices, rarities and a number of arcane items everywhere you look. Hopefully, there are also some honest to goodness, back to basics solutions mixed in too. Your mission, should you accept it, is to sort them out…
An exploit has been published for HP OpenView Network Node Manager (NNM). This exploit is preauthentication and can be exploited remotely. From what I’ve read it looks to be exploited over the HTTP port of OpenView and is exploiting the OVAS.exe service. No references to updates or fixes were found. Users should restrict network access to machines running this software.
There’s a vulnerability in lightttpd that can be exploited to cause a denial of service. The issue exists in the SSL error queue where a single connection could be exploited to deny all other SSL connections. This has been fixed in the SVN repository, available at:
http://trac.lighttpd.net/trac/changeset/2136
http://trac.lighttpd.net/trac/changeset/2139
There’s a SQL injection in a the Wordress Download plugin. Data passed to wp-download.php is not properly sanitized before being processed by SQL. This could result in a SQL injection attack that could lead to the disclosure of usernames and passwords. WordPress admin’s should update to version 1.2.1.
There’s a major vulnerability in and activex control installed by Macrovision InstallShield InstallScript One-Click Install (OCI). The control gets installed via webpages prompting to install software. A large user base is likely affected by this. Basically, when the activex control is initiated it loads several DLL’s that are not sanity checked. These DLL’s could execute arbitrary code when loaded. This vulnerability has been confirmed in version 12.0. The following are the properties associated with the activex:
File: %WINDIR%\Downloaded Program Files\setup.exe
CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A
Macromedia has released a hotfix for this issue, available along with the KB entry for this vulnerability, at http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640