CA BrightStor ARCserve is in the penalty box again this week. The number of critical vulnerabilities in CA's back-up products is deeply troubling because many organizations using CA software do not patch their back-up products and many more do not even know about the vulnerabilities in CA backup products. Yet organizations put their most sensitive data on their back-ups.
Project In Which You Might Contribute: Career models for information security. If you know of someone who has accomplished a lot in security by exploiting deep technical skills, and moved up in their organization, please write us a little note about them to apaller@sans.org. We have been asked by five different publications for articles or interviews on how to make a successful career in information security. A couple of the editors have heard that security folks with soft skills are no longer in demand and they want to hear about models of success for people with more technical backgrounds. No names or companies will be disclosed without written permission.
@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).
****************** Cool Stuff At SANSFIRE 2007 ********************
The 40 handlers of the Internet Storm Center (isc.sans.org) are better informed about how the sophisticated new attacks work than any group other than the criminals carrying them out. If your job is protecting systems against the new wave of more sophisticated attacks, consider coming to SANSFIRE 2007 in Washington in the last week in July. There the Internet Storm Center handlers will be giving numerous free evening briefings, exclusively for the SANSFIRE attendees, on what they have uncovered about how newest hacker techniques work. Course list for SANSFIRE: http://www.sans.org/sansfire07/
*********************************************************************
Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process
Description: Computer Associates BrightStor ARCserve Backup contains multiple buffer overflows in its handling of Sun RPC requests. Sun RPC is an Internet-standard remote procedure call (RPC) mechanism. By sending an RPC request to the affected system containing specially-crafted strings, an attacker can trigger any of these buffer overflows. Successfully exploiting these buffer overflows will allow an attacker to execute arbitrary code with the privileges of the vulnerable process. The affected process runs on an arbitrary TCP port; this port can be discovered via the Sun RPC "portmap" mechanism.
Status: Computer Associates confirmed, updates available. Council Site Actions:
Description: QuickTime player, a very widely used multimedia player, installs its own Java libraries. The Java library installed by QuickTime contains a vulnerability that can be exploited to execute arbitrary code on a Windows or Mac system. The exploitation can occur when a user visits a malicious webpage with a Java-enabled web browser. Note that QuickTime must be installed to use an Apple iPod; therefore the install base of QuickTime is in the millions of users. Most web browsers are Java-enabled by default. Hence, this flaw can be exploited to compromise millions of computer systems. The vulnerability was used to conduct a successful 0-day attack against a fully patched Mac OS X system at the CanSecWest security conference. The technical details of the vulnerability are not publicly available. Blog posts and other postings indicate that researchers are working towards uncovering the flaw.
Status: Apple has been provided with the vulnerability details. A workaround is to disable the Java support for web browsers. Council Site Actions:
Description: Asterisk, a popular open source Voice-over-IP (VoIP) telephony platform, contains multiple vulnerabilities: (a) Two stack-based buffer overflows exist in the handling of "T38FaxRateManagement" and "T38FaxUdpEC" SDP parameters. A specially-crafted SDP packet containing one of these parameters can trigger a buffer overflow. Successfully exploiting any of these buffer overflows will allow an attacker to execute arbitrary code with the privileges of the Asterisk process. Note that T38 fax functionality must be enabled on the Asterisk system for the system to be vulnerable. (b) Asterisk fails to properly handle certain malformed responses from remote SIP endpoints. A malicious endpoint sending an invalid UDP response could cause an Asterisk process to die. This could prevent further telephony service. Note that, because Asterisk is open source, technical details for these vulnerabilities are available via source code analysis. Additionally, proofs-of-concept and technical details are publicly available for some of these vulnerabilities.
Status: Asterisk confirmed, updates available. Council Site Actions:
Description: The Courier IMAP server, a popular open source mail server, contains a remote command execution vulnerability. Several scripts used by the IMAP server fail to properly sanitize the "XMAILDIR" variable. It is suspected that, by sending a specially-crafted request, an attacker could execute arbitrary shell commands with root privileges. However, it has not been confirmed that this vulnerability is exploitable without authenticated access.
Status: The latest version of Courier IMAP is confirmed to not be vulnerable. However, there has not been an official confirmation of this vulnerability in the Courier IMAP change log. Council Site Actions:
Description: 3proxy is a popular cross-platform web proxy, supporting multiple operating systems. 3proxy fails to properly handle certain overly-long requests. A specially-crafted request to the proxy could trigger a buffer overflow, and allow arbitrary code execution with the privileges of the 3proxy process. Note that, because 3proxy is open source, technical details for this vulnerability are available via source code analysis.
Status: 3proxy confirmed, updates available. Council Site Actions:
Description: The version of PHP included with certain Cisco products contains a well-known vulnerability that has been patched in more recent versions of PHP. A specially-crafted request to the portion of the system utilizing PHP could result in a buffer overflow. Successfully exploiting this buffer overflow could lead to arbitrary code execution with the privileges of the PHP process.
Status: Cisco confirmed, updates available. Council Site Actions:
Description: Technical details have been released for a vulnerability patched in last week's Apple Security Update (Update 2007-004). By sending a specially-crafted request to an RPC service containing a length specifier greater than 0x80000000, an attacker could trigger an integer overflow and execute arbitrary code with the privileges of the affected process. Note that RPC services are automatically started if needed.
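The length-specifier problem described above, shown as an added illustration of the vulnerability class (signed/unsigned confusion in a length check, CWE-195) rather than Apple's RPC code, which is not on this page. The wire format (a 4-byte big-endian length followed by payload), the 64-byte buffer, the sample messages and all function names are constructed for the example. The vulnerable check shows why a value at or above 0x80000000 slips past an upper-bound-only comparison; the hardened parser compares unsigned and also bounds the declared length by the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for the example (not Apple's RPC encoding):
   a 4-byte big-endian length field followed by that many payload bytes.
   The receiver copies the payload into a fixed 64-byte buffer. */
#define PAYLOAD_MAX 64

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable check (CWE-195): the length is held in a signed int, so
   0x80000000 and above wrap to negative values on two's-complement
   targets and pass an upper-bound-only comparison. A memcpy that then
   used (size_t)len would copy gigabytes past the buffer. This function
   only reports whether the check would accept the declared length. */
int vulnerable_accepts(uint32_t declared_len)
{
    int len = (int)declared_len;      /* 0x80000001 -> -2147483647 */
    return len <= PAYLOAD_MAX;        /* a negative length "passes" */
}

/* Hardened check: compare unsigned, and also refuse any length that
   exceeds the bytes actually present in the received message. */
int hardened_accepts(uint32_t declared_len, size_t bytes_available)
{
    if (declared_len > PAYLOAD_MAX) return 0;
    if (declared_len > bytes_available) return 0;
    return 1;
}

/* Hardened parser: copies the payload into out and returns its length,
   or -1 if the message is rejected. */
int parse_message(const uint8_t *msg, size_t msg_len, uint8_t out[PAYLOAD_MAX])
{
    if (msg_len < 4) return -1;
    uint32_t declared = read_be32(msg);
    if (!hardened_accepts(declared, msg_len - 4)) return -1;
    memcpy(out, msg + 4, declared);
    return (int)declared;
}

/* Constructed sample messages: a well-formed one, one declaring a
   length above 0x80000000, and one declaring more bytes than it carries. */
static const uint8_t GOOD_MSG[]  = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t HUGE_MSG[]  = { 0x80, 0x00, 0x00, 0x01, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SHORT_MSG[] = { 0x00, 0x00, 0x00, 0x20, 'h', 'i' };

int parse_good_sample(void)  { uint8_t b[PAYLOAD_MAX]; return parse_message(GOOD_MSG,  sizeof GOOD_MSG,  b); }
int parse_huge_sample(void)  { uint8_t b[PAYLOAD_MAX]; return parse_message(HUGE_MSG,  sizeof HUGE_MSG,  b); }
int parse_short_sample(void) { uint8_t b[PAYLOAD_MAX]; return parse_message(SHORT_MSG, sizeof SHORT_MSG, b); }

int main(void)
{
    uint32_t huge = read_be32(HUGE_MSG);
    printf("declared 0x%08x: vulnerable check accepts=%d, hardened check accepts=%d\n",
           huge, vulnerable_accepts(huge), hardened_accepts(huge, sizeof HUGE_MSG - 4));
    printf("parsed lengths: good=%d huge=%d short=%d\n",
           parse_good_sample(), parse_huge_sample(), parse_short_sample());
    return 0;
}
```

The second bound in hardened_accepts matters as much as the unsigned comparison: a declared length that fits the buffer but exceeds the bytes received would otherwise read past the end of the message.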
This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5436 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.