** Reminder ** – New Systems Should Be Patched Before Use

Posted on by
Reply

Please remind teens, kids and adults who might receive computers for the holidays this year to patch them before general use. They should ensure that software and network firewalls are in place before connecting them to ANY network.

They should also ensure that they have anti-malware software that is up to date for any and all operating systems (even Linux and OS X) and that they follow other general guidelines of safe computing.

Remember, fight the urge to save the safety speech for another time. If the system gets compromised while they are using it for a test drive – being safe later will likely not help them be protected against bots, identity theft and other illicit computing dangers. It only takes one moment of exposure to compromise the system on an irreparable scale.

Happy and safe holidays to everyone. Have a joyous, peaceful and wonderful holiday season!

Storm Worm Goes Active Again and Odd Port 56893/TCP Probes

Posted on by
Reply

Two fairly interesting items tonight:

1) SANS is getting reports that the Storm worm is active again. This time sending messages attempting to draw victims to the “merry christmasdude.com” <take out the space> domain. As of 10:30 PM Eastern tonight, the domain is being flooded with traffic, but appears to be functional. SANS is suggesting applying domain blocks to the domain, and it would probably be good to add mail and other content filtering rules as well, if you are still using the blacklist approach. Here is the whois for the domain:

Domain name: MERRYCHRISTMASDUDE.COM
Creation Date: 2007.11.27
Updated Date: 2007.12.17
Expiration Date: 2008.11.27
Status: DELEGATED
Registrant ID: P4DHBN0-RU
Registrant Name: John A Cortas
Registrant Organization: John A Cortas
Registrant Street1: Green st 322, fl.10
Registrant City: Toronto
Registrant Postal Code: 12345
Registrant Country: CA
Administrative, Technical Contact
Contact ID: P4DHBN0-RU
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008@yahoo.com
Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.24 06:17:35 MSK/MSD

2) Also, on a secondary note, we are getting a rapid increase in probes to TCP 56893. This port has been a known port for an SSH trojan and botnet deployment in the past. This may be related to the Storm worm activity or may be another bot group gearing up for activity.

It looks like the holiday is likely to bring a high level of increase in bot activity and as always, attackers will be looking for new machines received as gifts that will suddenly appear online and may be missing a patch or two. Make sure you give some advice to new techies and computer owners this holiday – patch early, patch often and make sure you build layers of defense against today’s emerging threats!

Bricked HP Notebooks, IBM BoF, Cisco DoS

Posted on by
Reply

IBM Lotus Domino Web Access is vulnerable to a buffer overflow. An ActiveX control (dwa7.dwa7.1) is responsible for this error. This can be exploited remotely and successful exploitation could result in the execution of arbitrary code. The vulnerability is reported in dwa7W.dll version 7.0.34.1. Users should set the kill bit for this ActiveX control until an update is made available.

More issues with HP notebooks. Another buffer overflow has been discovered in the HP Software Update that could result in the modification of system files resulting in a non bootable system. Every HP machine containing the HP Software Update is vulnerable. A working POC exploit has been released to the public. At this time there is no update available.

Finally, there is a Denial of Service in Cisco Firewall Services Module. This is a result of an error processing data with Layer 7 application inspections. The vulnerability is reported in FWSM System Software version 3.2(3). Cisco has made an update and workaround available at http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

HP InfoCenter POC, Adobe Flash Player

Posted on by
Reply

On Wednesday, 12 December, we posted about a vulnerability in HP software installed on laptops. Well, we now have reports that a working POC exploit that grants remote access exists. HP has provided a workaround by disabling the HP Info Center. More information, including the workaround, can be found at the following URLs:

ftp://ftp.hp.com/pub/softpaq/sp38001-38500/
ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

Clam AntiVirus is vulnerable to remote exploitation of an integer overflow. This error is in the processing of PE files packed with the MEW packer. Exploitation of this vulnerability can result in execution of code in the context of the application running libclamav. If the clamd process is exploited, code can be executed under the context of the clamav user.  This vulnerability exists within ClamAV 0.91.2. There is a workaround available by setting –no-pe when starting the clamscan. There is also an update available, which is version 0.92.

Multiple vulnerabilities have been reported in Adobe’s Flash Player. These affect Adobe Flash CS3, Adobe Flash Player 9.x, Adobe Flex 2.x, Macromedia Flash 8.x, Macromedia Flash Player 7.x, and Macromedia Flash Player 8.x. The vulnerabilities can result in a variety of outcomes, including Denial of Service and compromising users systems. There are updates available for each of the Flash players affected. Note that this will be the last update for Adobe Flash Player 7.

Additionally, there is a vulnerability that could allow system compromise in AIX 5.2, 5.3, and 6.1. The vulnerability is related to Perl Regular Expressions Unicode Data Buffer Overflow. There are interim fixes available here ftp://aix.software.ibm.com/aix/efixes/security/perl_ifix.tar.

Citrix Web Interface is vulnerable to an unspecified cross site scripting attack. The cross site scripting is in the online help portion of the software. More information can be found in the original advisory http://support.citrix.com/article/CTX115283

Apple Security Update, Various Overflows

Posted on by
Reply

Apple has released security update 2007-009. This update contains fixes for several critical vulnerabilities, plus fixes for other issues.  Updates are available for 10.4.11 and 10.5.1. For a complete list of vulnerabilities fixed, please visit http://docs.info.apple.com/article.html?artnum=307179.

There is buffer overflow in HP-UX. The issue lies in a function call to sw_rpc_agent_init within swagentd that if given malformed arguments, could result in a buffer overflow. This could allow attackers to execute arbitrary code. Authentication is not required. Hewlett-Packard has released an update to address this vulnerability, available from HP document ID #SB2294r1.

Trend Micro ServerProtect contains an insecure method exposure in the StRpcSrv.dll. The bug exists in the SpntSvc.exe daemon running on TCP port 5168. An attack against this vector could result in full file system access that could be leveraged to execute arbitrary code. An update to this issue has been release, and more information can be found at http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt.

The perl package Net::DNS is vulnerable to a denial of service. By sending a malformed DNS reply to a server or application running Net::DNS, it is possible to cause the package to crash. This would in turn crash any application running the Net::DNS module.  Net::DNS version 0.60 build 654 is vulnerable. This issue has been assigned CVE-2007-6341.

St. Bernard Open File Manager is vulnerable to a heap-based buffer overflow. This is due to a boundary error in ofmnt.exe, in which an attacker can send a malicious packet to the service and cause the overflow. This could result in the execution of code as a SYSTEM user. Version 9.6 build 602 available to customers addresses this issue. Other vendors using this software may have made updates available as well.

Mac Java, JUNOS, and a Samba Exploit

Posted on by
Reply

Mac OS X has multiple vulnerabilities in Java. An error in a Java access check could be exploited to add or remove items from a Keychain without prompting the user. This could be achieved by a specially crafted Java packet. This affects Mac OS X versions prior to 10.5. The next issue is in Java 1.4 and J2SE 5.0 that could allow for a denial of service, bypassing security mechanisms, or compromise a users system. Users of Mac OS X systems should update to Java release 6.

A vulnerability in Juniper JUNOS can be exploited to cause a denial of service. This can occur due to an error processing BGP UPDATE messages, and can be triggered by a specially crafted BGP message. Administrators of Juniper devices should apply the vender recommended updates, available at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view.

 The samba_mailslot() vulnerability reported earlier this month now has public exploit code available. Samba 3.0.27a is vulnerable to stack-based buffer overflow when processing “SAMLOGON” domain logon packets. Code is now available to exploit this vulnerability, although it currently only causes a denial of service. Samba 3.0.28 is currently available.

Ohio Voting Systems Review (EVEREST)

Posted on by
Reply

MicroSolved, Inc. announced today that it has completed its assessment of the security of Ohio’s electronic voting systems. The testing, a part of project EVEREST, was lead by the Ohio Secretary of State’s office and was designed to seek a comprehensive, independent and objective assessment of the risks to elections integrity associated with Ohio’s voting systems. The project leveraged MicroSolved’s advanced methodologies and in-depth experience to perform “red team” penetration testing of the voting systems. MicroSolved emulated various attacks against the voting systems and analyzed the impact of these attacks on the confidentiality, integrity and availability of the voting systems and their elections data.

While the study revealed several critical security issues in the various elections systems, MicroSolved also identified specific strategies for mitigating or managing these risks. “By applying the identified mitigation strategies, all of the administrative stakeholders in the elections process have an opportunity to demonstrate their commitment to the integrity of Ohio’s elections.”, said Brent Huston, CEO of MicroSolved. “While these strategies require hard work, significant investment in resources and continued vigilance, they represent the best approach to creating truly secure mechanisms for electronic voting in Ohio.”

“We appreciate the opportunity to participate in the EVEREST project and to help the Secretary of State further her goal of restoring trust in Ohio’s elections.”, Huston added.

For information about the specifics of the project, MicroSolved’s role and findings, please see http://www.microsolved.com/everest/.

QuickTime version 7.3.1

Posted on by
Reply

Apple has released QuickTime version 7.3.1 to address the RTSP vulnerability we talked about earlier. Coinciding with the release of this latest version, Apple has released information for two addition vulnerabilities. Both of the new vulnerabilities allow for the execution of code, so everyone with Quicktime on their systems should apply the update.

HP-UX, Solaris and Avaya

Posted on by
Reply

HP-UX DCE Denial of Service

An unspecified issue has been reported in HP-UX programs that run DCE. One such program is Software Distributor (SD). A successful exploit can cause a remote Denial of Service. Additionally, systems running some versions of OpenSSL are also prone to DoS and possibly system compromise.

For more details see: HP Support Document HPSBUX02294 SSRT071451 DCE DoS

HPSBUX02296 SSRT071504 OpenSSL DoS/Code Execution

Solaris 10 NFS Privilege Escalation
Solaris 10 systems running with kernel patches 120011-04 or later for SPARC and 120012-04 or later for x86 may allow unauthorized root access to files served by NFS. To be vulnerable the system must be running an NFS server and have one or more netgroups configured with root privileges. Full details can be found in the Sunsolve document 103162.

Avaya Products Using Samba
Avaya products that use samba may be at risk for system compromise. The affected products are: Intuity Audix LX, Messaging Storage Server and Message Networking. Full details can be found at ASA-2007-520

SquirrelMail 1.4.12 Package Was Compromised

Posted on by
Reply

After reports of squirrelly package checksums the developers have discovered that the distribution for version 1.4.12 was compromised by some third party. The compromised code involves PHP though the effect of the changes has not yet been determined. The development team “strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.”

For full details and correct checksums see http://www.squirrelmail.org