Cisco and Adobe have released details on new vulnerabilities. Cisco’s vulnerability is within their User-Changeable Password software. This vulnerability can be exploited by attackers to create cross-site scripting attacks and potentially to compromise the vulnerable host. Adobe’s vulnerabilities are reported in Form Designer and Form Client. These vulnerabilities, if exploited by an attacker, can be used to compromise a user’s system. To be exploited, a user would have to visit a malicious website. Both Cisco and Adobe have released updates for the affected products, so update as soon as possible.
Deeper Dive into Port 22 Scans
Today, I wanted to take a deeper dive into several port 22 (SSH) scans that a single HoneyPoint deployment received over the last 24 hours. SSH scanning is a very common thing right now and our HoneyPoints and firewalls continually experience scans from hosts around the world.
The particular HoneyPoint we are using for this look at the issue is located outside of the US on a business-class network in South America.
Over the last 24 hours this HoneyPoint received SSH probes from 4 specific hosts. These hosts are detailed below:
60.191.x.x – a Linux system located in China on a telecomm company’s network
83.16.x.x – an unknown system located on a consumer (DHCP) iDSL segment in Poland – we could go no further with this host since it is likely to have changed IP addresses since the probe…
218.108.x.x – another Chinese Linux system on yet another Chinese telecomm company’s network (is there anything else in China???)
216.63.x.x – a NAT device that is front-ending a business network and web server deployment for an optical company in El Paso, TX, USA
The pattern of the probes in each case was the same. Each host completed the 3-way TCP handshake and waited for the banner of the responding daemon. The system then disconnected and repeated the process again in about 90-120 seconds. Basically, simple banner grabbing. The probing system did not send any data of its own; it just grabbed the banner and moved on.
The HoneyPoint in question was configured to emulate the current version of OpenSSH, so the banner may not have been what the probing attack tool was looking for. It has since been reconfigured to emulate historic versions with known security vulnerabilities.
But, what of the hosts performing the scans? Well, all 3 of them that could be reliably analyzed were found to be running OpenSSH. Two were running 3.6.1p2 and the other was running 3.4p1. Both of these are older versions with known issues.
It is very likely that these are worm/bot infected hosts and the malware is merely looking for new hosts to spread to. Interestingly, 2 of these hosts appeared to be used for regular commerce. Both were acting as a primary web server for the company and one of them even had an e-commerce site running (it also had MySQL exposed to the Internet). No doubt, any commercial activity taking place on the device is also compromised.
MSI has alerted the relevant owners of these systems and at least one of them is moving to handle the security incident. Hopefully, their damage will be minimal and they can rebuild the system easily, since at this point it is likely to also be infected with a rootkit. We will advise them as they need help and assist them until they get their problem solved.
In the meantime, I hope this gives you a better look at some of the SSH scanning that goes on routinely. On average, this particular HoneyPoint deployment is scanned for SSH every 5.25 hours. This time varies from locale to locale, with US sites getting scanned more often, particularly on commercial networks. The majority of these scans come from China, with Eastern Europe pulling a distant second. In some cases, some of our US HoneyPoint deployments get scanned for SSH every 1.5 hours on average, so it is a very common attack, indeed.
Obviously, you should check your own network for SSH exposures. You should also take a look at your logs and see if you can identify how your site stacks up against the average time between scans. Feel free to post comments with any insights or time averages you come up with. It could make for some interesting reading.
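To make the two practical points above concrete, here is an added example script (it is not part of the original post and not MSI’s HoneyPoint software). It reads sshd syslog lines, picks out connections that completed the handshake and then dropped without ever sending a client identification string (the “connect, take the banner, disconnect” pattern described above), flags sources that repeat it on a steady 60-180 second cadence, and collapses bursts into scan episodes so you can compute your own average time between scans. The log excerpt is constructed for the example: the host name, process ids and timings are made up, the addresses are RFC 5737 documentation ranges, and the message wording is the older OpenSSH “Did not receive identification string from” line.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sshd syslog excerpt (hypothetical host "honeypot", 2008-era
# OpenSSH wording). Addresses are RFC 5737 documentation ranges; timings were
# chosen to mimic the pattern in the post: bursts of connect / take banner /
# disconnect roughly every 90-120 s, with bursts hours apart. Unrelated lines
# (a key login, a password failure) are included to show they are ignored.
SAMPLE_LOG = """\
Mar 11 02:00:00 honeypot sshd[2201]: Did not receive identification string from 192.0.2.10
Mar 11 02:01:38 honeypot sshd[2207]: Did not receive identification string from 192.0.2.10
Mar 11 02:03:24 honeypot sshd[2213]: Did not receive identification string from 192.0.2.10
Mar 11 02:04:57 honeypot sshd[2219]: Did not receive identification string from 192.0.2.10
Mar 11 06:40:11 honeypot sshd[3105]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Mar 11 07:15:00 honeypot sshd[3302]: Did not receive identification string from 203.0.113.9
Mar 11 09:02:33 honeypot sshd[3610]: Failed password for root from 198.51.100.200 port 40211 ssh2
Mar 11 12:30:00 honeypot sshd[4410]: Did not receive identification string from 203.0.113.44
Mar 11 12:31:44 honeypot sshd[4416]: Did not receive identification string from 203.0.113.44
Mar 11 12:33:30 honeypot sshd[4422]: Did not receive identification string from 203.0.113.44
"""

# A client that completes the TCP handshake, reads our banner and closes
# without sending its own "SSH-2.0-..." line produces this sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>[\d.]+)"
)


def parse_no_ident(log_text, year=2008):
    """Return sorted (timestamp, source_ip) pairs for banner-only connections.

    Syslog lines carry no year, so the caller supplies it (assumed 2008 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def banner_grabbers(events, min_probes=3, min_gap=60, max_gap=180):
    """Sources that repeat the banner grab on a steady cadence.

    Returns {ip: mean_seconds_between_probes} for every source with at least
    min_probes connections whose consecutive gaps all fall in [min_gap, max_gap].
    The defaults bracket the 90-120 s interval observed in the post.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        if len(times) < min_probes:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(min_gap <= g <= max_gap for g in gaps):
            hits[ip] = round(mean(gaps), 1)
    return hits


def mean_hours_between_scans(events, episode_gap=600):
    """Average spacing, in hours, between scan episodes.

    Consecutive probes closer than episode_gap seconds are treated as one
    scan; the figure is the mean interval between episode start times, which
    is the kind of "scanned every N hours" number quoted in the post.
    Returns None when fewer than two episodes are present.
    """
    starts, last = [], None
    for ts, _ip in events:
        if last is None or (ts - last).total_seconds() > episode_gap:
            starts.append(ts)
        last = ts
    if len(starts) < 2:
        return None
    spans = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return mean(spans) / 3600


if __name__ == "__main__":
    evts = parse_no_ident(SAMPLE_LOG)
    print(f"{len(evts)} banner-only connections")
    for ip, cadence in banner_grabbers(evts).items():
        print(f"  repeated banner grabs from {ip}: every {cadence:.0f} s")
    print(f"mean time between scan episodes: {mean_hours_between_scans(evts):.2f} h")
```

On a real host, feed it the contents of /var/log/auth.log or /var/log/secure instead of SAMPLE_LOG. Newer OpenSSH releases word the no-identification message differently, so adjust LINE_RE to match what your sshd version logs, and widen min_gap/max_gap if the tool you are seeing uses a different cadence.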
Hardware Hacking Gets All Too Real
Hardware and wireless hacking have combined in a pretty scary way. This article talks about security researchers who have found ways to monitor, attack and exploit the most popular of pacemakers used today. According to the article, the attackers were able to gain remote access to the data and control system of the device. Once they tapped into it, they were able to siphon off health-related information and even cause the pacemaker to apply voltage or shut down – essentially killing the human host of the device.

It really doesn’t get more scary than that. While the odds of such an attack occurring in real life against a specific person are very slim, it is simply another side effect of the integration of technology into our daily lives. As I have written about many times before, the integration of technology into so many aspects of our lives is a powerful thing. On one hand, it frees us up to do other work, makes our lives easier, more healthy, perhaps even longer than life would have been otherwise. However, many vendors simply fail to realize the implications of the risks that are inherent in their products. They fail to comprehend the basic methodologies of attackers and certainly fail to grasp how the combination of technologies in many of their products can create new forms of risk for the consumer.
I am quite sure that the company who created the pacemaker was truly interested in advancing the art of healthcare and extending human life. They simply wanted to make things better and saw how adding remote management and monitoring to their device would allow patients to be diagnosed and the device operation modified without the need for surgery. That is quite an honorable thing and is sure to make patients’ lives easier and even reduce the rate of death since patients would no longer undergo the stressful and dangerous operations that used to be needed to make changes to the implanted pacemakers. These are very noble ideas indeed.
Unfortunately, the creators of the heart system were so focused on saving lives and so focused on medical technology, that they seem to have missed the idea of securing their pacemaker against improper access. This is certainly understandable, given that they are a medical company and not an IT firm, where such risks have been more public in their discussion. The problem is, in many cases today, there is essentially no difference between IT and other industries, since many of the same technologies are present in both.
Again, there is little to truly be immediately concerned about here. While the attack is possible, it does require technical knowledge and the vendors will undoubtedly work on improving the product. However, upgrading existing users is unlikely. But, unless you happen to be a high profile target, you are obviously much safer with the device than without it. The big lesson here and the one I hope vendors, consumers and the public are learning is that we must add risk management and security testing processes to any device with a critical role, regardless of industry. Today, there are simply too many technologies that can impact our daily lives to continue to ignore their risks.
US-CERT Issues Warning for Excel Trojan
The US-CERT has issued a warning in response to a Trojan actively exploiting MS08-014. First off, MS08-014 is for Microsoft Excel. The patch was released today that fixes critical vulnerabilities in MS Excel. These vulnerabilities could be exploited via a maliciously crafted Excel file to take complete control over a user’s system. Secondly, the Trojan they speak of is spreading through email with Excel attachments. The two attachment file names that US-CERT is aware of are OLYMPIC.xls and SCHEDULE.xls. These files may also contain Windows executables that can compromise an affected system. Patch now please.
Cisco Embraces the Scheduled Patch Cycle – Ummmm, Twice a Year???
Well, I think we all knew it was coming. More and more vendors are moving to the scheduled patch cycle instead of releasing as-needed patches. This is both a boon and a disaster, depending on your point of view/level of risk tolerance.
In this article, Cisco announces that they will now release their patches every 6 months. I suppose they consider twice a year patching to be enough for the critical components of the network such as routers, switches and other devices. Heck, they are even going to move Linksys patching to every 6 months, so the home users of the product line can ignore them 2 times per year, on schedule, instead of ignoring the patch releases all “willy-nilly” like they presently do.
Why do all the vendors think scheduled patching is such a good idea? I suppose the only answer is that it helps them better schedule their own resources and such, since it CERTAINLY CAN’T BE ABOUT MINIMIZING THE RISK WINDOW BETWEEN VULNERABILITY DISCOVERY AND MITIGATION. Resource scheduling is also the most common cause I hear from IT folks who support this process of patch releases. I just hope that we can convince attackers to manage their resources a little better too, since it would be very nice if their vulnerability research, exploit development and wide-scale attacks could magically coincide with the appropriate patching processes. Then everything would be better for everyone and the world would be a very nice place indeed…
The problem is, the real world just doesn’t work like that. Exploits and vulnerabilities will continue to be discovered in real time, just as before, except now attackers will know the timeline for the value of their new attacks. In many ways, this serves to bolster the underground economy of attack development since you don’t need 0-day for Cisco products, 179-day exploits will do just fine!
I get the desire of IT and vendors to stabilize their work forces and to better schedule and manage their resources. I really do. Police would like to be able to schedule crime as well, so that they could have weekends and nights off to spend with their families. But, being a law enforcement officer comes with some requirements and schedule flexibility is one of them. The same goes for IT folks. In my opinion, scheduled patching, especially patching every 6 months, is simply a reinforcement of traditional IT thought processes. If my readers know one thing about the MSI vision, it is that thinking differently is the key to information security, since what we are doing to date does not seem to be working so well.
Cisco is a huge company. I know many consider them to be unresponsive to customer concerns, but I truly hope that IT professionals reach out to them on this and that they listen. Cisco devices truly do form the core of many, many, many networks. Their products literally power much of the Internet as we know it today. That gives them immense power, but also makes them a HUGE target. Given their critical role, six month patching just does not seem to be a reasonable solution to me. If you feel the same way, let them know!
RealPlayer Active Exploitation, MaxDB, others
A vulnerability has been reported in RealPlayer. An ActiveX control, rmoc3260.dll, is vulnerable to remote code execution. This can be exploited when a user browses to a malicious page, and will execute code in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed on your system, it is highly recommended that you update to the latest version; however, there is no patch available for the issue. The only current workaround is to disable the affected ActiveX control.
Two vulnerabilities have been reported in SAP’s MaxDB. These vulnerabilities can be exploited remotely and could result in code execution under the context of the running user. SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
Multiple vulnerabilities have been reported for IBM Informix Dynamic Server. These vulnerabilities can be exploited to cause a buffer overflow. These vulnerabilities can be exploited remotely. There is not currently a patch available. For more information see CVE-2008-0727 and CVE-2008-0949.
March Windows Updates
Looks like Microsoft has released 4 critical Microsoft Office updates this month. All four updates are resolving issues that could lead to remote code execution. There are also several other non security related updates for Windows, WSUS, and Windows Update. Of course, as always, we recommend that you test the updates immediately and then deploy them to production.
0wned by Anti-Virus

A quick review of vulnerability postings to the emerging threats content of this blog is sure to make clear just how popular the anti-virus as exploitation vector has become. Major levels of security research and exploit development continue to be aimed at the anti-virus vendors and their products. And, why not? It stands to reason from the attacker view point. All of these years infosec folks have been staging education and awareness programs to make sure that nearly every PC on the planet has anti-virus software installed.
It stands to reason that, given the near ubiquity of AV tools, they would be a very easy, albeit traditional, way to compromise systems at large. Vulnerabilities in anti-virus tools are an insidious mechanism for attack: the tools often run with enhanced privileges and carry enough “in your face” and “gotcha” temptation to be a very interesting target. No wonder they have become a favorite attack vector.
On the other hand, from the security standpoint, who else besides anti-virus vendors and purveyors of critical applications linked into the defensive infrastructure should be the poster children for secure development? Every piece of code has bugs, mine included. But, shouldn’t anti-virus vendors be doing extensive code reviews, application assessments and testing? Isn’t this especially true of vendors with large corporate names, deep budgets and pockets and extensive practices in application security and testing?
Anti-virus tools are still needed for nearly every PC on the planet. Malware still remains a large concern. AV has its value and is still a CRITICAL component of information security processes, initiatives and work. Vendors just have to understand that, now more than ever, they are also a target. They have to do a better job of testing their AV applications and they have to embrace the same secure coding tools and processes that many of their own consultants are shouting from the virtual hills to the cyber-valleys. We still need AV, we just need better, stronger, more secure AV.
Panda DoS
Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.
Your New TSA Approved Laptop Bag????
I read this article this morning about a movement by TSA to create “approved” laptop bags that would allow passengers to go through airport security without removing their laptop from their laptop case.
This appears to be really true. It really isn’t a joke. In fact, at first blush, it might even seem like a good idea. But…
The interesting part is that it is literally only a bag for your laptop. No power cords, media or other devices.
Now I don’t know about you, but I carry a LOT more stuff than just my laptop in my backpack. If you want an example, here is one from an article a while back in ITWorld.

As you can see, there’s a lot more than my Mac in there.
While the idea of not removing my laptop seems like a good thing to me and I am sure that it would save us all time in the security line in a perfect world, I am completely unconvinced that even the most basic of laptop users only carries their laptop in these things. I can’t imagine that there would be any real time savings as the TSA explains that only “approved” laptop cases bearing the official TSA seal will be allowed and that you can’t have any folders, paper clips or anything else tucked around the laptop… Blah, blah, blah…
Ordinary citizens still can’t seem to figure out if they can take their makeup, water or beer on the flight, let alone whether or not they need to remove their shoes for the not-so-nice man with the badge. I still routinely have to wait behind people asking the same questions and others hopping around like a pogo-stick rider while they unbuckle, untie and wiggle off their shoes/boots/leggings/etc.
How on earth will special laptop bags even have a prayer of saving us time? Even worse, the whole idea of creating the bags, testing them, approving them and controlling counterfeits or unapproved bags with look-alike seals – seems to be a place for a HUGE amount of taxpayer dollars to get wasted. Can you imagine the large-scale bureaucracy that would take?
I say forget it. Just keep the same process going of laptop removal. It seems a lot easier, cheaper and as Bruce Schneier would remind us – just as useless in terms of real risk reduction anyway….