@RISK: The Consensus Security Vulnerability Alert

Most of the clean up effort reported by the twelve organizations on the @RISK Security Council this week revolved around problems with Microsoft software. In addition to trying to provide protections against exploits of the Internet Explorer vulnerability that Microsoft had not patched (Part I, Number 1), they are also going back to be sure all their Internet-facing machines are patched with MS03-049 to protect against the new attack vectors reported to exploit the RPC vulnerability (Part I, Number 4 - Update).

The Internet Explorer vulnerability surprised Microsoft so much that the company's spokespeople first announced that they believed it hadn't been exploited (wrong!) and then expressed anger about the "irresponsible way it was announced." It would have been better for them to have gotten the patch out instead of trying to spin the news media. But this vulnerability reminds us that some part of defense will, at least for the foreseeable future, rely on users to practice "defensive computing." As an @RISK reader, you probably share the concern. Have you found a solution that works to make users more careful? Have you experimented with inoculation programs in which you tricked your users into doing something they should not have done and then embarrassed them when they took the bait? Any other effective methods? Please let us know so we can share your experiences with the community (with attribution or anonymously) Email info@sans.org with the subject "Defensive computing" if you have found a solution that actually works.

Alan

Table Of Contents

Widely Deployed Software

• (1) MODERATE: Microsoft Internet Explorer URL Obfuscation Vulnerability Affected Products: Internet Explorer 5.01, 5.5 and 6.0 on Windows platforms Description: Internet Explorer (IE) contains a flaw in processing URLs for display in the address bar

• Status: The vendor has confirmed but no patches are currently available. Microsoft has posted a Knowledge Base article describing ways to identify a spoofed website.

• Council Site Actions: All sites plan to deploy the patch on a normal cycle once one is available from Microsoft. One site has sent out an educational advisory to all users and is in the process of hardening the Outlook/IE configuration. They are making the following changes: - - - Configure Outlook to use IE Restricted Zone - - - Bolt down Restricted Sites Security Zone - - - Set Internet Zone to High This site also commented they are worried about "phishing" and this being used in such attacks against their site. They are beta testing a product called DomainWatch ( http://www.cogenta.com/domainwatch.htm) to identify phishing-related attacks to their organization. Another site commented that their principal workaround for unpatched Internet Explorer vulnerabilities, such as this one, is to make sure that alternate web browsers (Mozilla or Netscape) are available on all of their supported desktops. They also support e-mail packages that are typically unaffected by Internet Explorer vulnerabilities (unlike, for example, Outlook).

• References: Posting by Zap The Dingbat (discovered the bug)
  • http://archives.neohapsis.com/archives/bugtraq/2003-12/0114.html
  • Posting by Jakob Balle:
  • http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0280.html
  • Posting by Nick FitzGerald
  • http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3425.html
  • Posting by Duane Maurer
  • http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0294.html
  • Proof-of-Concept Exploits
  • http://www.zapthedingbat.com/security/ex01/vun1.htm
  • http://www.frijters.net/url.html
  • http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0272.html
  • Microsoft Knowledge Base Article: Identifying Spoofed Websites
  • http://support.microsoft.com/?id=833786
  • Secunia Advisory
  • http://www.secunia.com/advisories/10395
  • Background on the JavaScript "unescape" Function
  • http://www.javascripter.net/faq/unescape.htm
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/9182

Other Software

• (2) HIGH: Cyrus IMSPd abook_dbname() Buffer Overflow Affected Products: Carnegie Mellon Cyrus IMSPd versions 1.4, 1.5a6, 1.6a3, 1.7

• Description: The Internet Message Support Protocol (IMSP) is designed to be a companion to the IMAP protocol and provide additional functionality such as address books and extended mailbox management. The Cyrus Project's IMSP server (IMSPd) is an open source implementation for UNIX systems which listens on port 406/tcp by default. IMSPd has been found vulnerable to a buffer overflow attack which can potentially yield root privileges to a remote unauthenticated attacker. The overflow is exploited by sending a specially crafted message that provides an overlong argument to IMSPd's "abook_dbname" function. The discoverer of the flaw has reportedly developed a working exploit but has not released it to the public.

• Status: Versions 1.6a4 and 1.7a reportedly contain the fixes.

• Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.References: Posting by Felix Lindner (discovered the flaw) http://archives.neohapsis.com/archives/bugtraq/2003-12/0222.html IMSP Protocol RFC http://asg.web.cmu.edu/cyrus /rfc/imsp.html"> http://asg.web.cmu.edu/cyrus /rfc/imsp.html Vendor Homepage http://asg.web.cmu.edu/cyrus SecurityFocus BID http://www.securityfocus.com/bid/9227

• (3) MODERATE: Cisco ACNS Software Buffer Overflow Affected Products: ACNS Software 4.x versions prior to 4.2.11 ACNS software 5.x versions prior to 5.0.5

• Description: The Cisco Application and Content Networking Software (ACNS) contains a buffer overflow vulnerability that can be exploited by providing an overlong password during user authentication. Remote attackers can leverage the flaw to cause a denial-of-service or to execute arbitrary code on a vulnerable Cisco device. Affected products running ACNS software include Content Routers, Content Distribution Manager and Content Engine. The vulnerability was discovered by Cisco during internal testing and no exploits are known to exist at this time.

• Status: Vendor confirmed. ACNS software versions 4.2.11 and 5.0.5 have been released to fix the problem. A workaround is to disable the Content Engine GUI server using the "no gui-server enable" command.

• Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

• References: Cisco Advisory
  • http://www.cisco.com/warp/public/707/cisco-sa-20031210-ACNS-auth.shtml
  • Cisco ACNS Software
  • http://www.cisco.com/en/US/products/sw/conntsw/ps491
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/9187

Patches

• (4) UPDATE: Microsoft RPC Vulnerabilities Additional Attack Vectors

• Description: CORE Security Technologies has publicly documented additional attack vectors for the RPC buffer overflow vulnerabilities disclosed in Microsoft Security Bulletins MS03-049 (Workstation Service), MS03-043 (Messenger Service), MS03-026 (DCOM RPC Interface), and MS03-001 (Locator Service). The most important point noted in CORE's announcement is that some of the affected RPC interfaces are bound to high numbered TCP and/or UDP ports on a Windows system. Thus, networks that only filter traffic on well known RPC-capable ports such as 135/tcp, 135/udp, 139/tcp and 445/tcp are still exposed to attacks issued against high numbered ports. Various public exploits could be modified to take advantage of this exposure. Systems that have had the appropriate Microsoft patches applied are immune to all attack vectors.

• Council Site Actions: All council sites responded that their systems (or at least all of their Internet-facing systems) have been patched. Several sites also said their systems are exposed to only the limited set of ports necessary for the services running on those hosts. Some sites are also actively scanning for systems that may not have been patched in the earlier cycles or new systems that have been installed, but not patched yet. Several sites also expressed concern regarding this new information given the large impact of blaster and SQLslammer in previous attacks and they plan on closely watching for any potential activity.

• References: CORE Security Advisory
  • http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0066.html
  • Previous @RISK and CVA Postings
  • Microsoft Workstation Service Buffer Overflow
  • http://www.sans.org/newsletters/risk/vol2_46.php (Item #1)
  • Microsoft Messenger Service Buffer Overflow
  • http://www.sans.org/newsletters/cva/vol2_41.php (Item #1)
  • Microsoft Windows DCOM RPC Interface Buffer Overflow
  • http://www.sans.org/newsletters/cva/vol2_28.php (Item #2)
  • Microsoft RPC Locator Service Buffer Overflow
  • http://www.sans.org/newsletters/cva/vol2_3.php (Item #1)