The most trusted source for computer security training, certification and research.

2006 SANS Top 20 Spring Update Technical Details

Top Vulnerabilities in Windows Systems
Internet Explorer
Windows Libraries and Components
Windows Office
Top Vulnerabilities in Cross-Platform Applications
Backup Software
Web Applications
Database Applications
Media Players
Mozilla/Firefox Browsers and Thunderbird Email Client
Top Vulnerabilities in UNIX Systems
Mac OS X
Other UNIX Software
Top Vulnerabilities in Networking Products
Cisco Call Manager Multiple Denial of Service Vulnerabilities
Multiple Vendor IPSec IKE Implementation Flaws

Technical Details on Specific Vulnerabilities


<< Back to 2006 SANS Top 20 Spring Update

Top Vulnerabilities in Windows Systems

Internet Explorer
Affected:
Internet Explorer 5.x and 6.x running on Windows 98/ME/SE, Windows NT Workstation and Server, Windows 2000 Workstation and Server, Windows XP Home and Professional, and Windows 2003 are all potentially vulnerable.
Description:

During the past 6 months, multiple critical vulnerabilities have been announced in Internet Explorer that could be exploited to compromise a user's system. Many of the flaws announced were 0-days i.e. exploits were circulating on the Internet before the patch was released by Microsoft.

  1. Cumulative Security Update for Internet Explorer (MS06-013)
  2. Cumulative Security Update for Internet Explorer (MS06-004)
  3. Cumulative Security Update for Internet Explorer (MS05-054)

Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates.

CVE Entries:

CVE-2005-2831, CVE-2005-1790, CVE-2006-0020, CVE-2006-1185, CVE-2006-1186, CVE-2006-1188, CVE-2006-1189, CVE-2006-1190, CVE-2006-1245, CVE-2006-1359, CVE-2006-1388

Please refer to the sections W2.5 and W2.6 in the Top20-2005 on how to protect against Internet Explorer vulnerabilities and how to harden Internet Explorer.

References:
Windows Libraries and Components
Affected:
Windows all versions
Description:

The Microsoft Graphics Rendering Engine and Embedded Web Font Processing contain critical vulnerabilities that can be exploited to execute arbitrary code on a user's system. Patches for Graphics Rendering Engine also address the 0-day vulnerabilities in handling WMF (Windows Metafiles) that have been exploited to install spyware and other malware on users' systems. Exploit code for the Web Font Processing flaw has been included in certain testing tools.

  1. Vulnerability in Windows Explorer Could Allow Remote Code Execution (MS06-015)
  2. Vulnerability in Embedded Web Font Processing Could Allow Remote Code Execution (MS06-002)
  3. Vulnerabilities in Graphics Engine Could Allow Remote Code Execution (MS06-001)
  4. Vulnerabilities in Graphics Engine Could Allow Remote Code Execution (MS05-053)
CVE Entries:

CVE-2004-2289, CVE-2005-2123, CVE-2005-2124, CVE-2005-4560, CVE-2006-0010, CVE-2006-0012

Please refer to the sections W3.5 in the Top20-2005 on how to protect against Windows libraries' vulnerabilities.

References:
Windows Office
Affected:
Office 2000 SP3, Office XP SP3, Office 2003 SP1/SP2, Microsoft Works Suites 2000-2006, Office X/2004 for Mac OS
Description:

Microsoft Office, specially the Excel program, contains many vulnerabilities that can be exploited to execute arbitrary code on a user's system. For certain flaws, the proof-of-concept files have been publicly posted on the Internet. The specially crafted Excel/Office documents can be posted on a web server, file server, P2P share or attached to an email. Note that although browsers like IE and Firefox typically present a user prompt prior to opening an Office document, since these documents are generally considered "safe" as opposed to executable files, users are likely to open these documents even from untrusted sites.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS06-012).

CVE Entries:

CVE-2005-4131, CVE-2006-0009, CVE-2006-0028, CVE-2006-0029, CVE-2006-0030, CVE-2006-0031

Please refer to the sections W4.5 in the Top20-2005 on how to protect against Office vulnerabilities.

References:
top^

Top Vulnerabilities in Cross Platform Applications

Backup Software
Affected:
Symantec Veritas Backup client and server software, EMC Legato software
Description:
Symantec Veritas backup software continues to have many security related flaws that can be exploited to compromise the backup software client or server application. Exploits for these flaws are being used in the wild. EMC Legato is another backup software that was reported to contain buffer overflow vulnerabilities during the past 6 months.
CVE Entries:

Veritas:

CVE-2005-3116, CVE-2006-0989, CVE-2006-0990, CVE-2006-0991

EMC Legato:

CVE-2005-3658

Please refer to the sections C1.4 and C1.5 in the Top20-2005 to refer to general protection measures as well as the ports used by these backup software to be blocked at the network perimeter.

References:

Veritas:

EMC Legato:

Web Applications
Affected:
A large number of web application packages
Description:

During the past 6 months, as many as 139 remote command execution, 370 SQL injection and 376 cross-site scripting vulnerabilities have been reported in web applications. The affected web packages include the popularly used ones such as phpBB, MediaWiki, Horde, PHPMyAdmin, Mambo (to name a few). These vulnerabilities can be easily exploited to execute arbitrary PHP code and/or arbitrary back-end database commands that may result in compromising the web application or the server itself. Bots incorporate these exploits fairly quickly and currently these exploitation attempts are among the most frequently carried out attacks on the Internet.

It is important to patch the flaws in the web package you are using as soon as it is announced. If a patch is not available, please use other means to block the malicious access to the vulnerable scripts. Please refer to section C3.5 and C3.6 in the Top20-2005 on how to harden PHP installations.

Database Applications
Affected:
Multiple Oracle Products, Sybase EAServer version 5.2 and prior
Description:

Oracle announced 2 cumulative security patches in January and April 2006 that fix a large number of buffer overflows, SQL injections and privilege escalation vulnerabilities. Exploit code and technical details about some of these flaws are publicly available. Note that proof-of-concept worm code targeting unpatched Oracle default installations is available and can be re-used. Exploit code targeting a buffer overflow vulnerability in Sybase EAServer has also been publicly released.

Please refer to the sections C4.5  and C4.6 in the Top20-2005 to refer to general measures to harden Oracle database security.

References:

Oracle January and April 2006 Critical Updates

Oracle E-Business Suite Diagnostics

Oracle PL/SQL Gateway Security Bypass (0-day)

Sybase

Media Players
Affected:
Apple QuickTime/iTunes, Windows Media Player, RealNetworks RealPlayer, Macromedia Flash Player and Nullsoft Winamp player running versions prior to the current available at the vendor site.
Description:

Apple QuickTime, iTunes, Windows Media Player, RealNetworks RealPlayer, Nullsoft Winamp and Adobe Macromedia Flash player have been found to contain multiple buffer overflow and memory corruption vulnerabilities. Malicious media files could exploit these flaws to compromise users' systems. For many of the flaws, exploit code and/or the complete technical details have been publicly posted.

Please refer to the sections C7.5 in the Top20-2005 to refer to general protection measures for media player vulnerabilities.

CVE Entries:

Apple QuickTime/iTunes

CVE-2005-2340, CVE-2005-2753, CVE-2005-2754, CVE-2005-2756, CVE-2005-3707, CVE-2005-3708, CVE-2005-3709, CVE-2005-3711, CVE-2005-3713, CVE-2005-4092

Windows Media Player

CVE-2006-0005, CVE-2006-0006

Nullsoft Winamp

CVE-2005-3188, CVE-2006-0476, CVE-2006-0720

RealNetworks RealPlayer

CVE-2005-2629, CVE-2005-2630, CVE-2005-2922, CVE-2005-3677, CVE-2006-0323

Adobe Macromedia Flash Player

CVE-2005-2628, CVE-2006-0024

References:

Apple QuickTime/iTunes

Microsoft Windows Media Player

Nullsoft Winamp

RealNetworks RealPlayer

Adobe Macromedia Flash Player

Mozilla/Firefox Browsers and Thunderbird Email Client
Affected:
Firefox versions prior to 1.5.0.2, Mozilla versions prior to 1.7.13, Thunderbird versions prior to 1.5.0.2
Description:

Multiple vulnerabilities in Mozilla and Firefox browsers can be exploited to execute arbitrary code on users' systems. If you are not running the latest version of these browsers your system is vulnerable. Exploit code for some of the flaws is publicly available.

Please refer to the sections C9.4 in the Top20-2005 to refer to general protection measures for these vulnerabilities.

References:
top^

Top Vulnerabilities in UNIX Systems

Mac OS X
Affected:
Mac OS X version 10.4.5 and prior
Description:

Apple has released three critical security updates within the past 6 months - Security Update 2005-009, 2006-001, 2006-002. These updates fix a number of vulnerabilities including a 0-day flaw in Safari browser that can be exploited to completely compromise a Mac OS X system. Worms such as Leap.A have also targeted iChat users to install malware on their systems.

Please refer to the sections U1.3 and U1.4 in the Top20-2005 on how to harden Mac OS X and protect from these vulnerabilities in general.

References:
Other UNIX Software
Affected:
Sendmail MTA, Novell GroupWise Messenger, NetMail and SuSE Linux Enterprise server
Description:

Sendmail is the most common mail transfer agent (MTA) used on the Internet and according to certain estimates handles between 50 and 75% of the e-mail traffic.

Sendmail and Novell's multiple products such as Messenger, NetMail and SuSE Linux Enterprise server contain vulnerabilities that can be exploited to execute arbitrary code and compromise the servers running these software. Exploit code has been publicly posted for many of these flaws.

CVE Entries:

Sendmail:

CVE-2006-0058

Novell:

CVE-2005-3655, CVE-2006-0092

References:

Sendmail

Novell GroupWise Messenger

Novell SuSE Linux Enterprise Server

Novell Netmail

top^

Top Vulnerabilities in Networking Products

Cisco Call Manager Multiple Denial of Service Vulnerabilities
Affected:
Cisco CallManager version 3.2 and prior, Cisco CallManager versions 3.3.x prior to 3.3(5)SR1a, Cisco CallManager versions 4.0.x prior to 4.0(2a)SR2c, Cisco CallManager versions 4.1.x prior to 4.1(3)SR2
Description:
Cisco Call Manager, which runs on Windows platform, is the main server in a Cisco enterprise VoIP deployment. The Call Manager is responsible for the call processing and routing functions. DoS vulnerabilities in Cisco Call Manager can be easily exploited to disrupt VoIP services in an organization.
References:

Cisco Advisory

Multiple Vendor IPSec IKE Implementation Flaws
Affected:
Cisco, Juniper, Sun, HP, Nortel, CheckPoint and OpenSWAN products
Description:
IP Security (IPSec) protocol suite is a standard for securing communications by encrypting and/or authenticating all the IP packets. Internet Key Exchange (IKE) is a part of the IPSec protocol that provides automated key management and peer authentication. The IPSec protocols are used for establishing VPN tunnels. Cisco, Juniper, Sun, HP, Nortel, CheckPoint, OpenSWAN have confirmed vulnerabilities in their products that process IPSec protocol. A test suite that can be used to exploit the vulnerabilities to cause a DoS or execute arbitrary code is publicly available. In many VPN set-ups, the default port 500/udp is used for IPsec negotiation, which makes it easier to spoof a malformed IKE packet.
References:

CERT Advisory

NISCC UK Advisory

PROTOS Test Suite by University of OULU, Finland

<< Back to 2006 SANS Top 20 Spring Update

top^

This course, on the first day, made clear several topics that I had questions on for years. The explanations provided were unlike other information contained on websites and in books
-M. Cook, Arrowhead International

SEC401@CDI 2009-sky

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT