MSI Strategy & Tactics Talk Ep. 20: Denial of Service Attacks

We haven’t seen anywhere near the thresholds that could happen with massive scale bot-nets. I think it’s clear that bot-nets are the future weapon of DoS and we’ll continue to see that until somebody takes away the capability. In addition, mobile devices are going to experience an increase in DoS attacks. – Brent Huston, MSI CEO and Security Evangelist

Denial of Service attacks were alive and well in 2011 as seen with WordPress and MasterCard. What have we learned from these types of attacks?  In this episode of MSI Strategy & Tactics, the techs discuss what DoS attacks and how organizations can respond. Take a listen! Discussion questions include:

  • Organizations have been dealing with denial of service attacks for a while now, what lessons should they have learned?
  • What about this new hashdos attack against web sites?
  • How should they create and test dos detection and response plans?
  • What is the future of denial of service attacks?
Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Wifi Users Beware – Your System Can Turn Against You

Researchers at this years DEFCON event have demonstrated an attack that causes access points to turn against legitimate users. The attack works by utilizing the built in DDoS protection mechanisms and turning it against the users. By sending a specially crafted packet to the AP, an attacker could cause the AP to assume that the legitimate clients are the ones performing the DoS attack, and cause them to be locked out. Eight examples were demonstrated at DEFCON 16.

CA ARCserve DoS, Multiple CMS Vulns

Computer Associates ARCserve Backup 12.0.5454.0 and earlier can be Denial of Serviced by sending a specially crafted packet to port 41523. For more specific information please see CVE-2008-1979.

Several Content Management Systems are vulnerable to Remote File Inclusion (RFI) and SQL injection. As Adam said in a previous post, it appears that application developers are still not embracing the proper coding procedures that allow for these exploits to be developed. If you are an admin of a CMS please make sure that your application is tested regulary for any injection vulnerabilities.

Cisco IPS Denial of Service

Cisco has released an advisory for IPS platforms, they are susceptible to denial of service attacks. The vulnerability is in the handling of jumbo ethernet frames. A specially crafted packet can cause the device to kernel panic, a power cycle is required to reset the device. However, if the device is deployed in promiscous mode, or does not have a gigabit interface, it is not vulnerable. For vulnerable devices, Cisco has released updates and a workaround. Install the updates, or disable support for jumbo Ethernet to mitigate this issue.

VMWare ESX and Java ASP Vulns, Akamai Exploit

Sun’s Java Active Server Pages version 4.0.2 contains multiple vulnerabilities. These vulnerabilities are numerous and could result in a variety of negative consequences; including remote system compromise, bypassing security restrictions, and manipulation of data. Sun has released version 4.0.3 that corrects the issues in 4.0.2.

VMWare ESX server versions 2.x and 3.x are vulnerable to information disclosure, denial of service, and in some cases remote system compromise. All administrators and users of VMWare should consider applying the vendor provided patches to their software. Full details can be found at http://www.vmware.com/security/advisories/VMSA-2008-0009.html.

The Akamai download manager contains and input validation error in its’ ActiveX control. This could result in system compromise or a denial of service when a user visits a malicious web page. The vulnerability affects versions 2.2.3.5 and prior. A working exploit has already been released. Update to version 2.2.3.7, available at http://dlm.tools.akamai.com/tools/upgrade.html

CA Content Mgr DoS, Unspecified WebSphere Issue

A denial of service vulnerability has been reported in CA eTrust Content Manager. This vulnerability can also be exploited to compromise a vulnerable system. The vulnerability is caused due to boundary errors in certain FTP requests that could result in a stack based buffer overflow. The vulnerabilities are reported in CA eTrust Secure Content Manager 8.0.
CA has provided a patch for this issue.

Also, an unspecified vulnerability in IBM WebSphere Application Server has been reported. Very little details are available regarding this vulnerability. IBM has released fix pack 17 to address this issue (whatever it is).

CA Products ActiveX Vuln, VMWare Update Fixes DoS

Multiple CA products containing the DSM ListCtrl ActiveX Control are vulnerable to buffer overflow. Exploit code has been posted to a public area for this issue. This could allow attackers to cause a denial of service or execute code in the context of the user running the browser. Some mitigating factors taken from the original advisory:

” Mitigating Factors: For BrightStor ARCserve Backup for Laptops &
Desktops, only the server installation is affected. Client
installations are not affected. For CA Desktop Management Suite,
Unicenter Desktop Management Bundle, Unicenter Asset Management,
Unicenter Software Delivery and Unicenter Remote Control, only the
Managers and DSM Explorers are affected. Scalability Servers and
Agents are not affected.”

CA has posted an update for the affected software.

VMWare has issued an update for VMWare ESX. This update fixes a vulnerability that could cause a denial of service. Users/Administrators should apply ESX 2.5.5 Upgrade Patch 6.

Asterisk Vulnerabilities

Several vulnerabilities exist in various Asterisk products that can lead to Denial of Service conditions, the bypassing of security restrictions and may allow the compromise of an affected system.

Two of the vulnerabilities are a result of errors that can arise when RTP codecs are processed. If more than 32 RTP payloads are sent a stack-based buffer overflow may occur. In the other case a specially crafted SIP packet can be used to write 0 into certain memory locations. The final vulnerability is a result of problems that exist in SIP channel driver.

Make sure that you have updated to the releases below, as is applicable to your site:
Asterisk:

Update to version 1.2.27.
or
Update to version 1.4.18.1.

Asterisk Business Edition:
Update to version B.2.5.1 and C.1.6.2.

s800i (Asterisk Appliance):
Update to version 1.1.0.2.

Asterisk Appliance Developer Kit:
Fixed in the SVN repository. Please see the vendor’s advisories for details.

Panda Dos

Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.