Another week of skyrocketing numbers of new vulnerabilities discovered. We'll be publishing exact numbers in ten days, but to give you a preview we are seeing more than 50% increases in the numbers of vulnerabilities from last year. And a lot of them are critical.
This week, users of Microsoft, Cisco, Oracle, Apple, Firefox, and even Kerberos software all have work to do.
Alan
@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).
******************** Security Training News ******************************
1) SANS@HOME: Live courses with SANS best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, SANS Security Essentials, Firewalls, all start within the next two weeks. Sign up today at www.sans.org
2) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005
Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)
*************************************************************************
********************** Sponsored Links: *********************************
1) Twelve Intrusion Prevention Systems (IPS) are tested and evaluated. Find out which one is selected as the SC Magazine "Best Buy." http://www.sans.org/info.php?id=817
2) Stop Phishers from Hijacking your Website! How businesses can protect their websites from phishing attacks. Download free whitepaper. http://www.sans.org/info.php?id=818
*************************************************************************
Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process
Description: Microsoft has issued a security bulletin MS05-037 to make the Internet Explorer Javaproxy.dll buffer overflow fix widely available. Microsoft had earlier issued an advisory on July 5, 2005 that contained the fix. Reports indicate that the exploit code posted for this flaw has been modified to install Trojans on compromised systems. Hence, this patch should be applied on a priority basis.
Council Site Actions: All reporting council sites are responding to this item. They are either treating this as a critical issue and are remediating right away, or are scheduling it for their next regularly scheduled system update process. One site said they have deleted the file on affected systems.
Description: The International Color Consortium (ICC) has designed an open, vendor-neutral cross-platform color management system that ensures color fidelity when an image is moved across different systems. Microsoft implements the ICC specification in its color management modules (icm32.dll and mscms.dll). A stack-based buffer overflow can be triggered when these DLLs decode certain ICC color tags. Hence, any image with malformed ICC color tags can trigger the buffer overflow that may be exploited to execute arbitrary code. The malicious image can be hosted on a website or a shared folder, or sent via email or instant messenger. Note that although no further technical details have been posted, Microsoft reports that the flaw is being exploited in the wild.
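The ICC flaw above is a decoder trusting the offset and size fields of the tag table. The following added example (written for this bulletin, not code from Microsoft or the ICC) shows the bounds check a hardened decoder performs before it touches any tag payload: every tag entry's [offset, offset+size) range must fall inside the profile buffer and after the tag table. The profiles it parses are constructed inline, and the MAX_TAGS cap is an assumed sanity limit, not a value from the specification.

```python
"""Bounds-check an ICC profile's tag table before any tag is decoded.

Added example (not from the @RISK bulletin or from any vendor's decoder).
Layout facts used: 128-byte header with the profile size at offset 0 and
the 'acsp' signature at offset 36; a big-endian uint32 tag count at offset
128 followed by 12-byte entries (signature, offset, size). The sample
profiles below are constructed test data.
"""
from __future__ import annotations

import struct

HEADER_LEN = 128      # fixed-size ICC profile header
TAG_ENTRY_LEN = 12    # signature(4) + offset(4) + size(4), big-endian
MAX_TAGS = 4096       # assumed sanity cap on the tag count (not from the spec)


class IccFormatError(ValueError):
    """Raised when the tag table is inconsistent with the profile size."""


def parse_tag_table(profile: bytes) -> dict[bytes, bytes]:
    """Return {tag_signature: payload}, refusing any entry that leaves the buffer."""
    total = len(profile)
    if total < HEADER_LEN + 4:
        raise IccFormatError("profile too short for header and tag count")
    declared = struct.unpack_from(">I", profile, 0)[0]
    if declared != total:
        raise IccFormatError(f"header size {declared} != actual size {total}")
    if profile[36:40] != b"acsp":
        raise IccFormatError("missing 'acsp' signature")
    count = struct.unpack_from(">I", profile, HEADER_LEN)[0]
    if count > MAX_TAGS:
        raise IccFormatError(f"implausible tag count {count}")
    table_end = HEADER_LEN + 4 + count * TAG_ENTRY_LEN
    if table_end > total:
        raise IccFormatError("tag table runs past the end of the profile")
    tags: dict[bytes, bytes] = {}
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", profile, HEADER_LEN + 4 + i * TAG_ENTRY_LEN)
        # Python integers do not wrap, so off + size is exact here. A C decoder
        # doing uint32 arithmetic must test size > total - off instead, or the
        # sum can wrap to a small value and pass the check.
        if off < table_end or off + size > total:
            raise IccFormatError(f"tag {sig!r}: range [{off}, {off + size}) leaves the profile")
        tags[sig] = profile[off:off + size]
    return tags


def build_profile(tags: list[tuple[bytes, bytes]], forged_size=None) -> bytes:
    """Assemble a minimal profile from (signature, payload) pairs (constructed data).

    If forged_size is given, the last entry claims that size while its real
    payload is shorter: the kind of malformed entry the parser must reject.
    """
    table_end = HEADER_LEN + 4 + len(tags) * TAG_ENTRY_LEN
    entries, payloads, cursor = [], [], table_end
    for i, (sig, payload) in enumerate(tags):
        size = len(payload)
        if forged_size is not None and i == len(tags) - 1:
            size = forged_size
        entries.append(struct.pack(">4sII", sig, cursor, size))
        payloads.append(payload)
        cursor += len(payload)
    body = b"".join(payloads)
    header = bytearray(HEADER_LEN)
    struct.pack_into(">I", header, 0, table_end + len(body))
    header[36:40] = b"acsp"
    return bytes(header) + struct.pack(">I", len(tags)) + b"".join(entries) + body


def check(profile: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        parse_tag_table(profile)
        return "ok"
    except IccFormatError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_profile([(b"desc", b"hello"), (b"wtpt", b"\x00" * 8)])
    bad = build_profile([(b"desc", b"hello")], forged_size=0x7FFFFFFF)
    print(check(good))
    print(check(bad))
```

The validator deliberately rejects a tag whose offset points inside the header or tag table as well as one that runs past the end: both are valid positions for an unchecked memcpy to read from, and neither is a legitimate tag payload.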
Status: Apply the patch referenced in the Microsoft Bulletin MS05-036.
Council Site Actions: All reporting council sites are responding to this item. They are either treating this as a critical issue and are remediating right away, or are scheduling it for their next regularly scheduled system update process. One site does not yet have a site-wide strategy for updating Office on desktop machines. Therefore, they rely on automatic update or the users manually visiting the Office Update site.
Description: Microsoft Word contains a stack-based buffer overflow that can be triggered by a Word document containing overlong font names. This can be exploited to execute arbitrary code. Exploitation is reportedly challenging because the user-supplied data is written into process memory as Unicode. In order to exploit the flaw, an attacker needs to convince a victim to open a crafted Word file. The technical details about the flaw have been publicly posted. Note that an e-mail virus can likely exploit this flaw to spread itself.
Status: Apply the patch referenced in the Microsoft Bulletin MS05-035. Users should be advised not to open Word documents from unknown parties.
Council Site Actions: All reporting council sites are responding to this item. They are either treating this as a critical issue and are remediating right away, or are scheduling it for their next regularly scheduled system update process. One site does not yet have a site-wide strategy for updating Office on desktop machines. Therefore, they rely on automatic update or the users manually visiting the Office Update site. One site is also evaluating whether to speed up their migration (already underway) to Office 2003 or go to Office XP SP3 and then install the patch.
Description: Oracle has released a cumulative security patch for a wide range of products on July 12, 2005. This patch corrects a number of SQL injection vulnerabilities in the Oracle E-Business suite that can be exploited to execute SQL statements with the privileges of the "APPS" account. For the Application and Database server, the patch fixes vulnerabilities in Oracle's mod_ssl and mod_access that may be exploited by an unauthenticated attacker. Some researchers have posted the advisories for the flaws they discovered; other advisories are awaited.
Status: Apply the Oracle CPU July 2005, with priority for Internet-facing servers. Some researchers have also pointed out that the April 2005 Cumulative Security Patch does not offer the protection it intends to. They have also posted certain workarounds that are listed in the references.
Council Site Actions: Most of the affected council sites are still evaluating their risk level and remediation process. Several said they will most likely deploy the patches during their next regularly scheduled system update process.
Description: Cisco Call Manager, which runs on the Windows platform, is the main server in a Cisco enterprise VoIP deployment. The Call Manager is responsible for the call processing and routing functions. The Cisco Call Manager runs a process, aupair.exe, for database-related functions. This process contains a DoS vulnerability as well as a heap-based overflow that can be exploited by an unauthenticated attacker to execute arbitrary code. Note that causing a denial of service to Call Manager may result in loss of phone service in an enterprise. Compromising a Call Manager can lead to further compromise of the VoIP infrastructure (such as the media gateways), toll fraud, eavesdropping, etc. Limited technical details regarding how to trigger the overflow have been posted in the advisories.
Status: Cisco has released updates that also address other DoS vulnerabilities in Call Manager.
Council Site Actions: Only one council site responded to this item. They will patch their systems in Development ahead of the normal patch cycle and then push into production after QA process.
Description: zlib is a popular compression library that is widely used by programs across all operating systems, including Linux, Mac OS and Windows. This library contains a buffer overflow that can be triggered by a specially crafted compressed file. An attacker who can deliver such a crafted file to a program using zlib may exploit the overflow to execute arbitrary code. For example, a web server can set the "Content-Encoding" HTTP header to gzip, which may lead to an overflow in a browser that uses the zlib library. The technical details required to craft a malicious file may be obtained by examining the patch.
Status: The vendor will release an official update soon. Many Linux vendors have already provided updates. A list of applications that use zlib can be found at: http://www.gzip.org/zlib/apps.gz.html. Many of these applications may require an update from the corresponding vendor.
Council Site Actions: Only a few of the council sites are responding to this item. One site said their Linux systems will obtain updated packages from the Linux vendor, as the packages become available. Another site will patch their externally accessible servers immediately, and then roll out to internal servers as part of their standard patch cycle. The other sites are still evaluating their risk/exposure level and formulating a remediation response.
Description: Mac OS X Tiger introduced a new feature called "Dashboard" with support for "Widgets". Widgets can be written in HTML/Javascript and their function is to enhance existing applications. The Dashboard widgets can also make system calls. A problem arises because a user can craft a malicious widget that can replace a Dashboard widget. Further, Safari browser can download widgets silently. Hence, a malicious webpage can install arbitrary Widgets on a user's system that can result in execution of arbitrary code. A proof-of-concept exploit has been posted.
Status: Apple has released an update 10.4.2 to correct this issue. The update alerts users if an attempt is made to replace system widgets with a new widget.
Council Site Actions: Only one council site is responding to this item. They have approximately five hundred Mac OS X 10.4 machines, and the great majority have already been updated through the Software Update facility.
Description: Mozilla/Firefox browsers and Thunderbird email client contain multiple vulnerabilities that can be exploited to execute arbitrary code or arbitrary scripts on the client systems. Complete technical details and exploit code have been publicly posted.
Status: Upgrade to Firefox 1.0.5 and Mozilla 1.7.9. A Thunderbird fix is not available at this time.
Council Site Actions: Only four of the reporting council sites are responding to this item. Two of the sites already have the latest builds available for their users to download. The two other sites don't officially support Firefox and Mozilla but have notified their users and believe the users will get the updated versions manually.
Description: Kerberos, a network protocol created at MIT, is used to provide strong authentication for client/server applications. The MIT Kerberos implementation is widely used by many network vendors and Linux/Unix flavors.

(a) The krb5_recvauth function, which processes an authentication message stream, contains a double-free vulnerability, i.e., under certain conditions the function frees the same memory twice. This can potentially be exploited by an unauthenticated attacker to execute arbitrary code with the privileges of the program invoking the krb5_recvauth function. The main program that uses the vulnerable function is kpropd (Kerberos Propagation Daemon). This program runs on the slave Kerberos Key Distribution Centers (KDC) and receives updates from the master KDC. Compromising kpropd may result in compromising the entire organization ("Kerberos realm"). Other programs that are known to use the vulnerable function are klogind and krshd, the kerberized versions of rlogin and rsh. Note that double-free memory bugs are generally harder to leverage to execute arbitrary code, and the exploit code tends to be platform dependent (as opposed to universal). Hence, widespread exploitation of this flaw is less probable.

(b) The KDC authenticates a client and provides the client with "tickets" that can be used to access other kerberized services. The KDC contains heap corruption and single-byte heap overflow vulnerabilities that may be exploited by an unauthenticated attacker to possibly execute arbitrary code on the KDC server or to cause a denial of service to the KDC server. A KDC server compromise can also result in compromising the entire organization ("Kerberos realm"). An attacker-controlled KDC server can be further used to compromise the Kerberos clients. Exploit code is not currently available. The technical details required to leverage these flaws can be obtained by examining the patch files.
Status: MIT Kerberos krb5-1.4.2 will fix these vulnerabilities. Third-party programs can be recompiled with the patches provided in the advisories. A workaround for the krb5_recvauth flaw is to block the ports used by kpropd, klogind and krshd (754/tcp, 543/tcp and 544/tcp respectively) at the network perimeter.
Council Site Actions: Three of the reporting council sites responded to this item. Two of these sites have already patched their systems. One site is still evaluating their risk/exposure level and will patch if necessary. They said they block kpropd, klogind and krshd at their security perimeters.
Description: MailEnable, a Windows-based mail server, contains a stack-based buffer overflow in its IMAP server. An authenticated attacker can trigger the flaw by sending an overlong argument to the STATUS command. The flaw can be exploited to execute arbitrary code with SYSTEM privileges. Note that the ISPs who are using this mail server should apply the update immediately to prevent their user base from compromising the mail system.
Status: The vendor has supplied hotfixes.
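Until the hotfix is deployed, a site can at least see attempts against the STATUS command in its IMAP traffic or command logs. The following added example (written for this bulletin, not MailEnable's code) is a small detector that parses IMAP command lines, extracts the mailbox argument of each STATUS command in its three syntactic forms (atom, quoted string, and a {n} literal whose announced byte count is the argument length), and flags any that exceed a length limit. The log lines are constructed, and the 256-byte limit is an assumed threshold for this example, not a value from the advisory.

```python
"""Flag IMAP STATUS commands whose mailbox argument is suspiciously long.

Added example, not code from the @RISK bulletin or from MailEnable. The
sample command lines are constructed, and LIMIT is an assumed threshold.
"""
import re

LIMIT = 256  # assumed: no legitimate mailbox name at this site is longer

# "tag STATUS <mailbox> (items...)"; the tag is any non-space token.
STATUS_RE = re.compile(r"^(?P<tag>\S+)\s+STATUS\s+(?P<rest>.*)$", re.IGNORECASE)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted string with escapes
LITERAL_RE = re.compile(r"\{(\d+)\+?\}")         # {n} or {n+} literal prefix


def mailbox_arg_length(rest: str) -> int:
    """Length of the mailbox argument at the start of `rest`.

    A {n} literal announces the byte count of the argument that follows on
    the next line, so the announced count is the length to judge.
    """
    if rest.startswith('"'):
        m = QUOTED_RE.match(rest)
        return len(m.group(1)) if m else len(rest)   # unterminated: whole rest
    if rest.startswith("{"):
        m = LITERAL_RE.match(rest)
        return int(m.group(1)) if m else len(rest)
    return len(rest.split(None, 1)[0])               # bare atom up to whitespace


def find_overlong_status(lines, limit: int = LIMIT):
    """Return [(line_no, tag, length)] for STATUS commands over the limit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = STATUS_RE.match(line.strip())
        if m is None:
            continue
        length = mailbox_arg_length(m.group("rest"))
        if length > limit:
            hits.append((n, m.group("tag"), length))
    return hits


# Constructed sample of client commands as they might appear in a session log.
SAMPLE_LINES = [
    "a001 LOGIN alice secret",
    "a002 STATUS INBOX (MESSAGES UNSEEN)",
    'a003 STATUS "Sent Items" (MESSAGES)',
    "a004 STATUS " + "A" * 2000 + " (MESSAGES)",
    "a005 STATUS {4096}",
]

if __name__ == "__main__":
    for line_no, tag, length in find_overlong_status(SAMPLE_LINES):
        print(f"line {line_no}: tag {tag} sent a {length}-byte STATUS mailbox argument")
```

Because STATUS is only accepted after authentication, every hit comes from a logged-in account; pairing the flagged tag with the preceding LOGIN line in the same session identifies which user base account was used.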
This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4405 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
==end==
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.