SANS Top-20 2007 Security Risks (2007 Annual Update)

Client-side Vulnerabilities in:

C1. Web Browsers

C1.1 Description

Microsoft Internet Explorer is the world's most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.

Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting the browser vulnerabilities typically host a several exploits, and even launch the appropriate exploit(s) based on which browser the potential victim is using.

With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.

In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on vulnerable systems.

While some plug-ins such as Adobe Reader and Quicktime perform version checks and provide an update feature, these are often bothersome and ignored by users. It is often also difficult to detect which version of a plug-in is installed. For example, systems may have different versions of Shockwave installed for reasons of backward compatibility, but the user cannot easily discover which version or versions are running.

These flaws have been widely exploited to install spyware, adware and other malware on users' systems. The spoofing flaws have been leveraged to conduct phishing attacks. In some cases, these vulnerabilities were zero-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed. Many reported plug-ins were also widely exploited by malicious web sites before patches were made available by the vendor.

In 2007 alone, Microsoft has released multiple updates for Internet Explorer.

• Cumulative Security Update for Internet Explorer (939653) (MS07-057)
• Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127) (MS07-050)
• Cumulative Security Update for Internet Explorer (937143) (MS07-045)
• Cumulative Security Update for Internet Explorer (933566) (MS07-033)
• Vulnerabilities in GDI Could Allow Remote Code Execution (925902) (MS07-017)
• Cumulative Security Update for Internet Explorer (931768) (MS07-027)
• Cumulative Security Update for Internet Explorer (928090) (MS07-016)
• Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) (MS07-004)

Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates. Also note that MS07-017 does not list vulnerabilities in Internet Explorer; however, the most common avenue of exploitation is via Internet Explorer.

C1.2 Operating Systems Affected

While in theory any web browser on any operating system is vulnerable, the most common web browsers will tend to be targeted most by attackers. The two most popular web browsers on the Internet today are Microsoft Internet Explorer and Mozilla Firefox.

Internet Explorer 5.x, 6.x and 7 running on all versions of Windows are affected

Firefox running on any version of compatible operating systems is potentially vulnerable.

As plug-ins are generally used to enable access to third party file formats, many plug-in vulnerabilities apply to all compatible browsers on all operating systems. Any web browser running on any version of any operating system is potentially vulnerable.

C1.3 CVE Entries

Internet Explorer
CVE-2006-4697, CVE-2007-0024, CVE-2007-0217, CVE-2007-0218, CVE-2007-0219, CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0947, CVE-2007-1749, CVE-2007-1750, CVE-2007-1751, CVE-2007-2216, CVE-2007-2221, CVE-2007-2222, CVE-2007-3027, CVE-2007-3041, CVE-2007-3826, CVE-2007-3892, CVE-2007-3896

Firefox
CVE-2007-0776, CVE-2007-0777, CVE-2007-0779, CVE-2007-0981, CVE-2007-1092, CVE-2007-2292, CVE-2007-2867, CVE-2007-3734, CVE-2007-3735, CVE-2007-3737, CVE-2007-3738, CVE-2007-3845, CVE-2007-4841, CVE-2007-5338

Adobe Acrobat Reader
CVE-2007-0044, CVE-2007-0046, CVE-2007-0103, CVE-2007-5020

The CVEs for plug-ins like Media Players are listed in the section C4.

C1.4 How to Determine If You Are at Risk

You can use any vulnerability scanner to check whether your systems are patched against these vulnerabilities.

For Internet Explorer, consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.

To see the plug-ins most recently used by Internet Explorer 7, select Tools -> Internet Options. Under the Programs tab, select Manage Add-ons. You can select different views of browser plug-ins, including those currently loaded, plug-ins that have been used by Internet Explorer, and those configured to run without requiring permission. You can disable any of these by clicking on a specific add-on and selecting Disable.

For Firefox, select Tools -> Options -> Content -> File Types -> Manage to see how Firefox will handle various file formats.

Third-parties have begun releasing tools, such as Secunia PSI (currently in beta), which scan for browser helper object versions and patches.

C1.5 How to Protect against These Vulnerabilities

• If you are using Internet Explorer on your Windows XP system, the best way to remain secure is to upgrade to Windows XP Service Pack 2. The improved operating system security and Windows Firewall will help mitigate risk. For those unable to use Windows XP with Service Pack 2, switching away from Internet Explorer to an alternative browser is the safest path.
• Users should upgrade to version 7 of Internet Explorer, which provides improved security over previous versions. The latest version of Internet Explorer, IE7, is being distributed by Microsoft as a Critical Update (KB926874)
• Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on all systems.
• Pay attention to Microsoft Security Advisories; implementing suggested mitigations before the patch becomes available could alleviate exposure to zero day attacks.
• To prevent exploitation of remote code execution vulnerabilities at Administrator level, use tools like Microsoft DropMyRights to implement "least privileges" for Internet Explorer.
• Prevent vulnerable ActiveX components from running inside Internet Explorer via the "killbit" mechanism.
• Many spyware programs are installed as Browser Helper Objects. A Browser Helper Object or BHO is a small program that runs automatically every time Internet Explorer starts and extends the browser's capabilities. Browser Helper Objects can be detected with Antispyware scanners.
• Use intrusion prevention/detection systems, anti-virus, anti-spyware and malware detection software to block malicious HTML script code.
• Windows 98/ME/NT are no longer supported for updates. Legacy users should consider upgrading to Windows XP.
• Consider using other browsers such as Mozilla Firefox that do not support ActiveX technology.

C1.6 How to Secure Web Browsers

To configure the security settings for Internet Explorer:

• Select Internet Options under the Tools menu.
• Select the Security tab and then click Custom Level for the Internet zone.
• Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls.
• Under Scripting, select Disable for Allow paste operations via script to prevent content from being exposed from your clipboard. Note: Disabling Active Scripting may cause some web sites not to work properly. ActiveX Controls are not as popular but are potentially more dangerous as they allow greater access to the system.
• Select Disable for Download signed and unsigned ActiveX Controls. Also select Disable for Initialize and script ActiveX Controls not marked as safe.
• Java applets typically have more capabilities than scripts. Under Microsoft VM, select High safety for Java permissions in order to properly sandbox the Java applet and prevent privileged access to your system.
• Under Miscellaneous select Disable for Access to data sources across domains to avoid cross-site scripting attacks.
• Ensure that no un-trusted sites are in the Trusted sites or Local intranet zones as these zones have weaker security settings than the other zones.
• Microsoft has published a "Internet Explorer 7 Desktop Security Guide" to enhance Internet Explorer security. It examines the new features and setting that can be modified to provide a more "locked down" security configuration for Internet Explorer 7.

To configure the security settings for Firefox:

• Select Options under the Tools menu.
• Further customization of Firefox configuration can be obtained at http://kb.mozillazine.org/About:config.

To update the plug-ins used by the web browsers:

• Most plug-ins come with "Check for Updates" feature. It can usually be found under "Options", Preferences" or "Help" menus.
• Select the "Check for Updates" to ensure you have the latest version of the software.

C1.7 References

US-CERT Securing Web Browser Information
http://www.us-cert.gov/reading_room/securing_browser/browser_security.html

Internet Explorer 7 Desktop Security Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

Microsoft Internet Explorer Weblog
http://blogs.msdn.com/ie/

Mozilla Security Center
http://www.mozilla.org/security/

Firefox Vulnerabilities
http://www.mozilla.org/projects/security/known-vulnerabilities.html

@Risk: The Consensus Security Alert
https://www.sans.org/newsletters/risk/

C2. Office Software

C2.1 Description

This section includes vulnerabilities for office productivity suites that include e-mail clients, word processors, spreadsheet applications, document viewers and presentation applications. Vulnerabilities in office products are typically exploited via the following attack vectors:

• An attacker sends a specially crafted office document in an email. When the attachment is opened, the malformed contents in the document exploit vulnerabilities in the office software.
• An attacker hosts a malicious document on a web server or shared folder, and entices a user to browse to the web page or the shared folder. Note that, in most situations, Internet Explorer automatically opens Microsoft Office documents. Hence, browsing the malicious web page or folder is sufficient for vulnerability exploitation in many cases.
• An attacker runs an NNTP (news) server or hijacks an RSS feed that sends malicious documents to news and RSS clients.

In all these scenarios, viruses, trojans, spyware, ad-ware, rootkits, keyboard loggers, or any other program of the attacker's choice, can be installed on victim's computer.

Microsoft Office is the most widely used email and productivity suite worldwide. It includes Outlook, Word, PowerPoint, Excel, Visio, FrontPage and Access. A large number of critical flaws were reported in MS Office applications and a few of them (CVE-2006-5574, CVE-2006-1305, CVE-2006-6456, CVE-2006-6561, CVE-2006-5994, CVE-2007-0515, CVE-2007-0671, CVE-2007-0045) were zero-day issues in which exploit code, technical details or proof-of-concept was publicly disclosed before any fix became available from Microsoft.

The critical flaws that were reported this year in Office products:

• Microsoft Excel Remote Code Execution (MS07-002)
• Microsoft Outlook Remote Code Execution (MS07-003)
• Microsoft Word Remote Code Execution (MS07-014)
• Microsoft Office Remote Code Execution (MS07-015)
• Microsoft Excel Remote Code Execution (MS07-023)
• Microsoft Word Remote Code Execution (MS07-024)
• Microsoft Office Remote Code Execution (MS07-025)
• Microsoft Outlook Express and Windows Mail (MS07-034)
• Microsoft Excel Remote Code Execution (MS07-036)
• Microsoft Excel Remote Code Execution (MS07-044)
• Adobe Reader and Acrobat Remote Code Execution (APSB07-18)
• Adobe Reader and Acrobat Cross Site Scripting (APSA07-01)

C2.2 Operating Systems Affected

Windows 9x, Windows 2000, Windows XP, Windows 2003, Windows Vista, MacOS X are all vulnerable depending on the version of Office software installed.

C2.3 CVE Entries
CVE-2007-0027, CVE-2007-0028, CVE-2007-0029, CVE-2007-0030, CVE-2007-0031, CVE-2007-0034, CVE-2007-0208, CVE-2007-0209, CVE-2007-0515, CVE-2007-0671, CVE-2007-0215, CVE-2007-1203, CVE-2007-0035, CVE-2007-0870, CVE-2007-1747, CVE-2007-1658, CVE-2007-1756, CVE-2007-3030, CVE-2007-3890

C2.4 How to Determine If You Are at Risk

Microsoft Office installations running without the patches referenced in the Microsoft Bulletins listed from the CVE entries are vulnerable. Use a vulnerability scanner to check whether your systems are patched against these vulnerabilities. Also consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live OneCare or Systems Management Server (SMS) to check the security patch status of your systems.

C2.5 How to Protect against Office Vulnerabilities

• Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on windows systems.
• Do not open attachments from unknown sources. Practice caution when opening unexpected e-mail attachments even from known sources.
• Do not “click browse” to avoid opening documents from unknown web sites. Click browsing is a habit of browsing the web by clicking on links in e-mails or online forums. Use the bookmark feature in every browser to create links to your frequently used web sites.
• Disable the Internet Explorer feature of automatically opening Office documents.
• Configure Outlook and Outlook Express with enhanced security.
• Use a vulnerability scanner to determine your risk.
• Use intrusion prevention/detection systems and anti-virus and malware detection software to prevent malicious server responses and documents from reaching end users.
• Use mail and web filtering systems at the network perimeter to prevent malicious Office documents from reaching end-user systems.

C2.6 References

Securing Microsoft Office
http://www.microsoft.com/technet/security/guidance/clientsecurity/2007office/default.mspx

C3. Email Clients

C3.1 Description

E-mail is one of the vital applications of the Internet. E-mail provides tremendous savings it terms of time, money and efficiency. Given its omnipresence, e-mail provides a common vector for multiple vulnerabilities.

Multiple avenues of attack that can be employed through email:

• Distribution of malware (viruses, Trojans, keyloggers, spyware, adware, rootkits etc);
• Phishing - Attempts to lure email user into revealing his/her passwords or other confidential information;
• Spam - unsolicited (junk) email;
• Social engineering;
• Denial of service attacks - sending high volume of email messages to a potential “victim” server or mailbox;

These attacks can result in:

• damage to applications, data, or operating system;
• disclosure of confidential information;
• propagation of malware;
• use of affected systems as “bots” (infected machines under the control of persons other than the intended users, used as proxies for attacks on other systems or for storage and distribution of pirated content and pornography);
• lack of availability of systems and services;
• waste of time, money and labor.

Virtually all contemporary operating systems can be used as platforms for e-mail client applications.

The most popular e-mail applications currently are

• Microsoft Outlook (Microsoft Windows only) and Outlook Express (Microsoft Windows only; old versions were available for Apple Macintosh);
• Mozilla Thunderbird (Microsoft Windows, Linux, Mac OS X);
• Mail.app (Macintosh only)

There are other popular email clients (Opera mail, Pegasus, Mozilla SeaMonkey, The Bat!, Eudora etc), but their usage share is relatively low.

No matter what operating system or e-mail client application is used, precautions should be taken whenever handling email (See C3.4 How to Protect Against The Email Vulnerabilities for details).

C3.2 Operating Systems Affected

Windows 2000 Workstation and Server, Windows XP Home and Professional, Windows Vista, Windows Server 2003, Mac OS X, Linux and Unix are all potentially vulnerable.

C3.3 CVE Entries

Microsoft Outlook Express, Outlook, Vista Windows Mail
CVE-2006-4868, CVE-2007-0033, CVE-2007-0034, CVE-2007-3897

Mozilla Thunderbird, SeaMonkey
CVE-2006-4565, CVE-2006-4571, CVE-2006-5463, CVE-2006-5747, CVE-2006-6502, CVE-2006-6504, CVE-2007-0777, CVE-2007-0779, CVE-2007-1282, CVE-2007-2867, CVE-2007-3734, CVE-2007-3735, CVE-2007-3845

Eudora
CVE-2006-0637, CVE-2006-6024, CVE-2006-6336, CVE-2007-2770

C3.4 How To Protect Against Vulnerabilities in Email Clients

• Remove all e-mail client software from production server systems, or where otherwise unnecessary.
• Do not to run any email client on servers or workstations with confidential information.
• When you must run any email client application on any system, be sure to:
• Use the latest version of the email client and enable the automatic update feature provided by the application or operating system.
• Use anti-virus software with current virus signatures. Configure the anti-virus software to monitor files in real-time if possible, and configure automatic daily update of virus signatures if possible.
• Do not run the email client as an administrative user, or other user account with elevated privileges.
• If you absolutely must run email while logged on as Administrator on Windows system, use tools like “Drop My Rights” for lowering privileges available to the email application.
• Do not open any email messages from unknown or suspicious sender;
• Do not answer junk mail (spam), even if there is an option to unsubscribe;
• View email messages as plain text, or with as little formatting as possible: HTML and RTF (two common enhanced formatting schemes for email messages) can allow scripting and other avenues for exploitation;
• Do not open any attachments without scanning them first with anti-virus program;
• Configure your email client to not send return receipts or read confirmations;
• For secure email exchange use digital signatures or/and encryption.

Application-specific configuration details and, settings that can improve security of email client

Outlook/Outlook Express/Windows Mail

Outlook Express is bundled with Internet Explorer and installed by default on Windows 98, 2000, XP, 2003.
Windows Vista replaced Outlook Express with Windows Mail.

• If Outlook Express is not required on the system, it is recommended to uninstall it.
• If Outlook Express is installed on the system, keep it updated.
• Outlook Express updates are bundled with Internet Explorer updates, so updating Internet Explorer to the new version or service pack level also upgrades Outlook Express.

Configuration settings for Outlook Express

• Outlook Express - Tools - Options - Read - Select “Read all messages in plain text”
• Outlook Express - Tools - Options - Receipts - Select “Never send a read receipt”
• Outlook Express - Tools - Options - Security - Select the Internet Explorer security zone to use - Select “Restricted sites zone”
• Outlook Express - Tools - Options - Security - Select “Warn me when other applications try to send mail as me”
• Outlook Express - Tools - Options - Security - Select “Do not allow attachments to be saved or opened that could potentially be a virus”
• Outlook Express - Tools - Options - Security - Select “Block images and other external content in HTML email”
• Outlook Express - Tools - Options - Maintenance - Select “Empty messages from the Deleted Items folder on exit”
• Outlook Express - Tools - Accounts - Mail - Select “Properties” for each email account - Server - Unselect “Remember password”

Configuration settings for Outlook

Settings for Outlook 2003:

• Outlook - Tools - Options - Preferences - Email Options - Select “Read all standard mail in plain text”
• Outlook - Tools - Options - Security - Security Zones - Zone - Select “Restricted sites”
• Outlook - Tools - Options - Security - Download pictures - Change Automatic Download settings - Select “Don’t allow pictures or other content automatically in HTML e-mail”
• Outlook - Tools - Options - Security - Download pictures - Change Automatic Download settings - Select “Warn me before downloading content when editing, forwarding or replying to e-mail”
• Outlook - Tools - Options - Preferences - Junk e-mail - Options - Choose the level of junk e-mail protection you want - Select “Low”, “High” or “Safe Lists only”
• Outlook - Tools - Options - Preferences - Junk e-mail - Options - Select “Don’t turn on links in messages that might connect to unsafe or fraudulent sites”
• Outlook - Tools - Options - Other - Select “Empty the Deleted Items folder upon exiting”
• Outlook - Tools - E-mail Accounts - Select “Change…” for each email account - Unselect “Remember password”

Same or similar settings can be accessed in Outlook 2007 as follows:
Outlook 2007 - Tools - Trust Center - E-mail Security

Configuration settings for Mozilla Thunderbird (versions 2.0 and later)

• Thunderbird - View - Message body as - Select “Plain text”
• Thunderbird - View - Unselect “Display attachments inline”
• Thunderbird - Tools - Options - Advanced - Config editor … - javascript.allow.mailnews - Set to “False”
• Thunderbird - Tools - Options - Advanced - Config editor … - javascript.enabled - Set to “False”
• Thunderbird - Tools - Options - Advanced - Config editor … - javascript.options.strict - Set to “True”
• Thunderbird - Tools - Options - Privacy - E-mail scams - Select “Tell me if the message I’m reading is a suspected email scam”
• Thunderbird - Tools - Options - Privacy - Anti-Virus - Select “Allow anti-virus clients to quarantine individual messages”

C3.5 References

Browsing the Web and Reading E-mail Safely as an Administrator
http://msdn2.microsoft.com/en-us/library/ms972827.aspx

How to view all e-mail messages in plain text format
http://support.microsoft.com/kb/831607

Overview of Cryptography in Outlook 2003
http://office.microsoft.com/en-us/ork2003/HA011402871033.aspx

Digital signatures and encryption (Outlook 2007)
http://office.microsoft.com/en-us/outlook/CH100622261033.aspx

Service Packs (Microsoft Office and Microsoft Outlook)
http://support.microsoft.com/sp/

Microsoft Office downloads
http://office.microsoft.com/en-us/downloads/FX101321101033.aspx?pid=CL100570421033

Block or unblock links in suspicious phishing messages
http://office.microsoft.com/en-us/outlook/HA011841931033.aspx

Customizing the Outlook Security Features Administrative Package
http://office.microsoft.com/en-us/orkXP/HA011364471033.aspx

Security and privacy-related preferences (Thunderbird)
http://kb.mozillazine.org/Category:Security_and_privacy-related_preferences

Security Policies (Thunderbird)
http://kb.mozillazine.org/Security_Policies

C4. Media Players

C4.1 Description

To play or display any multimedia content (music, video, pictures, drawings, etc.), regardless of origin, your computer needs an application called a media player. Music and videos are commonly downloaded from the Internet, usually for entertainment, news, education, and/or business content.

Most modern operating systems are automatically configured with at least one standard media player software package. Third party applications are also available that play formats not normally supported by the standard application set. Such support is usually required for proprietary formats that vendors must license in order to add compatibility to their media player application. These additional applications are usually installed on an as-needed basis - at times even automatically - in order to provide support for the requested multimedia content. Once these applications are installed they may be easily forgotten and overlooked by IT administrators who are responsible for patch management and support, usually because they are not aware of their existence on each deployed system.

Over the past year vulnerabilities have been released for most popular media players available today. While the severity of the vulnerabilities varies, these vulnerabilities can often be used to install malware such as viruses, bot-net applications, root kits, spy-ware, and ad-ware.

While this list does provide a detailed overview of popular media players and their associated vulnerabilities, it does not attempt to be an exhaustive list of all media players and their associated vulnerabilities. Many of these vulnerabilities do have publicly available exploit code and are being actively exploited in the wild.

The media players for the major platforms are:

• Windows: Windows Media Player, RealPlayer, Apple Quicktime, Adobe Flash Player, Apple iTunes
• Mac OS: RealPlayer, Apple Quicktime, Apple iTunes, Adobe Flash Player
• Linux/Unix: RealPlayer, Adobe Flash Player

C4.2 Operating Systems Affected

• Microsoft Windows
• Linux/Unix
• Mac OS X

C4.3 CVE Entries

RealPlayer
CVE-2007-2497, CVE-2007-3410, CVE-2007-5601

Apple iTunes
CVE-2007-3752

Adobe Flash Player
CVE-2007-3457, CVE-2007-5476

Apple Quicktime
CVE-2007-0462, CVE-2007-0588, CVE-2007-0466, CVE-2007-0711, CVE-2007-0712, CVE-2007-0714, CVE-2007-2175, CVE-2007-2295, CVE-2007-2296, CVE-2007-0754, CVE-2007-2388, CVE-2007-2389, CVE-2007-2392, CVE-2007-2393, CVE-2007-2394, CVE-2007-2396, CVE-2007-2397, CVE-2007-5045, CVE-2007-4673

Windows Media Player
CVE-2006-6134, CVE-2007-3035, CVE-2007-3037, CVE-2007-5095

C4.4 How to Determine If You Are Vulnerable

Using any media player that has not been patched or upgraded to the most recent version is a potential problem. Good system inventory and patch management practices will help you be proactive against threats from and attacks via media player applications.

C4.5 How to Protect Against Media Player Vulnerabilities

The following are some common best practices to protect against vulnerabilities associated with media players:

• Ensure media players are regularly updated with all the latest patches. Most players support updating via the help or tools menus.
• Carefully review default installations of operating systems and other products to ensure they do not include unwanted media players.
• Configure operating systems and browsers to prevent unintentional installation.
• Use anti-malware tools such as anti-virus and IDS software on the client desktop to prevent compromise.
• On centrally managed systems use the principle of least privilege, and limit installation of additional software by the end-user, when possible. This will make patch management and vulnerability management easier and more affective.
• On centrally managed systems when possible inventory installed software in order to identify potential risks in the environment.
• Install media player components only on systems requiring such components (e.g. workstations vs. servers).

C4.6 References

RealNetworks Media Player Products Home Page
http://www.realnetworks.com/products/media_players.html
http://www.realnetworks.com/support/updates.html

Apple QuickTime Home Page
http://www.apple.com/quicktime/
http://www.apple.com/support/quicktime/

Apple iTunes Home Page
http://www.apple.com/itunes/
http://www.apple.com/support/itunes/

Windows Media Player
http://www.microsoft.com/windows/windowsmedia/default.aspx
http://www.microsoft.com/windows/windowsmedia/player/11/security.aspx
http://www.microsoft.com/windows/windowsmedia/player/10/security.aspx
http://www.microsoft.com/technet/security/current.aspx

Adobe Flash Player Homepage
http://www.adobe.com/products/flashplayer/security/
http://www.adobe.com/downloads/updates/

Security Reports and Other Links
https://www2.sans.org/newsletters/risk/
http://findarticles.com/p/articles/mi_m0EIN/is_2006_Dec_18/ai_n16912185

General Networking Measures to Mitigate the Impact of Client-side Vulnerabilities:

• Users should be restricted from surfing any potentially dangerous URLs via URL blocking
  • The Pentagon, for instance, has blocked access to all social networking sites like MySpace and YouTube.
    • Reference: http://thelede.blogs.nytimes.com/2007/05/14/pentagon-blocks-myspace-and-youtube/
  • Deploy a commercial or an open-source URL filtering solution to prevent users visiting web sites serving exploits and malware.
    • References: http://www.squidguard.org/, http://code.google.com/apis/safebrowsing/
• Users should be blocked from downloading any media files from the Internet.
• Users should not be allowed SMTP, POP or IMAP access to their personal or service provider mail servers. This helps prevent potentially unfiltered and unscanned content entering in an organization's network via email.
• Email gateway anti-virus, spyware and other malware scanning solutions should be deployed.
• Web browser, email client, media player and office software should not be used on a production server. If possible, block outbound access from servers to the port 80/tcp.

Server-side Vulnerabilities in:

S1 Web Applications

S1.1 Description

Web-based applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and Discussion Forums are used by small and large organizations. A large number of organizations also develop and maintain custom-built web applications for their businesses (indeed, in many cases, such applications are the business). Every week hundreds of vulnerabilities are reported in commercially available and open source web applications, and are actively exploited. Please note that the custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. The number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.

Number of PHP File Include attacks recorded at a web hosting facility by TippingPoint IPS

All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient validation through to application logic errors. The most exploited types of vulnerabilities are:

• PHP Remote File Include: PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen". When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):
  • Remote code execution
  • Remote root kit installation
  • On Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers
• SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:
  • To create, read, update, or delete any arbitrary data available to the application
  • In the worst case scenario, to completely compromise the database system and systems around it
• Cross-Site Scripting (XSS): Cross site scripting, better known as XSS, is the most pernicious and easily found web application security issue. XSS allows attackers to deface web sites, insert hostile content, conduct phishing attacks, take over the user’s browser using JavaScript malware, and force users to conduct commands not of their own choosing - an attack known as cross-site request forgeries, better known as CSRF.
• Cross-site request forgeries (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms, such as the Samy MySpace Worm.

S1.2 How to Determine If You Are at Risk

Web scanning tools can help find these vulnerabilities, particularly if they are known bugs. However, to find all potential vulnerabilities requires a source code review as well as an application penetration test. These should be done by the developers prior to release of any important web application.

Inspect your web application framework's configuration and harden appropriately.

System administrators should consider scanning web servers periodically with vulnerability scanners, particularly if they run a large or diverse range of user-supplied scripts (such as on a hosting farm).

No person should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications.

S1.3 How to Protect against Web Application Vulnerabilities

From the PHP system administration and hosting perspective:

• Upgrade to PHP 5.2 as it eliminates many latent PHP security issues and allows for safer APIs, such as PDO
• Always test and deploy patches and new versions of PHP as they are released
• Frequent web scanning is recommended in environments where a large number of PHP applications are in use
• Consider using the following PHP configuration:
  • register_globals (should be off, will break insecure apps)
  • allow_url_fopen (should be off, will break apps that rely on this feature, but protect against a very active exploit vector)
  • magic_quotes_gpc (should be off, will break older insecure apps)
  • open_basedir (should be enabled and correctly configured)
  • Consider using least privilege execution features like PHPsuexec or suPHP
  • Consider using Suhosin to control the execution environment of PHP scripts
• Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks
• As a last resort, consider banning applications which have a track record of active exploitation, and slow response times to fix known security issues.

From the developer perspective:

• If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
• To avoid the coding issues above:
  • Develop with the latest PHP release and a hardened configuration (see above)
  • Validate all input according to the variable type it is being assigned
  • Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks
  • Migrate your data layer to PDO - do not use the old style mysql_*() functions as they are known to be faulty
  • Do not use user-supplied input with file functions to avoid remote file inclusion attacks
• Join secure coding organizations, such as OWASP (see references) to boost skills, and learn about secure coding
• Test your apps using the OWASP Testing Guide with tools like WebScarab, Firefox's Web Developer Toolbar, Greasemonkey and the XSS Assistant
• Measure your skill using the GSSP exams and fill in the gaps in your knowledge.

S1.4 References

OWASP - Open Web Application Security Project
http://www.owasp.org

OWASP Testing Guide
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

OWASP Guide - a compendium of secure coding
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

OWASP Top 10 - Top 10 web application security weaknesses
http://www.owasp.org/index.php/Top_10_2007

Suhosin, a Hardened PHP project to control the execution environment of PHP applications
http://www.hardened-php.net/suhosin/

PHPSecInfo
http://phpsec.org/projects/phpsecinfo/index.html

GSSP Exam blueprints and testing schedule
http://www.sans.org/gssp

S2. Windows Services

S2.1 Description

The family of Windows Operating systems supports a wide variety of services, networking methods and technologies. Many of these components are implemented as Service Control Programs (SCP) under the control of Service Control Manager (SCM), which runs as "services.exe". Vulnerabilities in the services that implement these operating system functions are some of the most common avenues for exploitation. When you first install Microsoft Windows Server 2003, Microsoft Windows XP, or Windows Vista some services are installed and configured to run by default whenever the computer is restarted. On Windows Server 2003 the specific services enabled with correspond to the role that is assigned to each server. You may not need all of the default services in your environment, and you should disable any unneeded services to enhance security. A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account password, the service will probably fail. If you select an account that does not have permission to log on as a service, the Microsoft Management Console (MMC) Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows Operating Systems include three built-in local accounts that are used as the logon accounts for various system services:

Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

Local Service account. The Local Service account is a special, built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

Network Service account. The Network Service account is also a special, built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

Graphical user interface (GUI) - based tools can help you edit services. However, versions of these tools that were included with earlier versions of the Windows operating system (before Windows Server 2003) automatically apply permissions to each service when you configure any of the properties of a service. Tools such as the Group Policy Object Editor and the MMC Security Templates snap-in use the Security Configuration Editor DLL to apply these permissions. For example, when you use the MMC Security Templates snap-in to configure the startup state of a service in Windows XP, the following dialog box will display:

Figure 1. Services Security Dialog Box

Regardless of whether you click OK or Cancel, the permissions will be applied to the service that is being configured. Unfortunately, the permissions that this dialog box proposes do not match the default permissions for most services that are included with Windows. In fact, the permissions will cause a variety of problems for many services. We suggest you not alter the permissions on services that are included with Windows XP or Windows Server 2003 because the default permissions are already quite restrictive. You have several options to deal with this scenario:

• Use the Security Configuration Wizard, an optional Windows component that is included with Windows Server 2003 Service Pack 1 (SP1). Use this approach when you need to configure services and network port filters for various Windows Server 2003 server roles.
• Run the MMC Security Template snap-in and Group Policy Object Editor on a server that runs Windows Server 2003 with SP1. Use this approach when you need to configure services for security templates or Group Policies that will be applied to Windows XP.
• Use a text editor such as Notepad to edit the security templates or Group Policies on a computer that runs Windows XP Professional. This method is the least desirable, but some organizations or users may have no choice.

Several of the core system services provide remote interfaces to client components through Remote Procedure Calls (RPC). They are mostly exposed through named pipe endpoints accessible through the Common Internet File System (CIFS) protocol, well known TCP/UDP ports and in certain cases ephemeral TCP/UDP ports. Historically, there have been many vulnerabilities in services that can be exploited by anonymous users. When exploited, these vulnerabilities afford the attacker the same privileges that the service had on the host.

S2.2 Operating Systems Affected

Windows XP Home and Professional, Windows 2003 and Windows Vista are all potentially vulnerable.

S2.3 CVE Entries

CVE-2007-0213, CVE-2007-1748, CVE-2007-0938, CVE-2006-5584, CVE-2006-5583, CVE-2006-4691

CVE-2006-0027, CVE-2006-1314, CVE-2006-2370, CVE-2006-2371, CVE-2006-3439

S2.4 How to Determine If You Are at Risk

• Use any vulnerability scanner to check whether your systems are patched against these vulnerabilities. You can also consider using the Microsoft Windows Server Update Services (WSUS), Microsoft Baseline Security Analyzer (MBSA), Windows Live Scanner or Systems Management Server (SMS) to check the security patch status of your systems.
• Verify the presence of a patch by checking the registry key mentioned in the Registry Key Verification section of the corresponding security advisory. Additionally, it is advisable to also make sure the updated file versions mentioned in the advisory are installed on the system.
• To check if your system is vulnerable to an issue in an optional service, you need to determine if the service is enabled. This can be done through the Service Manager interface, which can be invoked from Services in Administrative Tools.

S2.5 How to Protect against Windows Services Vulnerabilities

• US Government users of Windows are now required to use the Federal Desktop Core Configuration for Windows XP or Vista. (http://fdcc.nist.gov/ ) Other organizations will find the FDCC to be a reliable and safe configuration, as well.
• Enable the Windows Firewall and/or install a 3rd party firewall on the host. Ensure that rules are applied to restrict access to the Windows machine except for those connections that are explicitly required. For example many of these vulnerabilities are found on interfaces offered through CIFS, and blocking ports 139/tcp and 445/tcp is essential for preventing remote attacks. It is also a good practice to block inbound RPC requests from the Internet to ports above 1024 to block attacks to other RPC based vulnerabilities. In enterprise environments the host Windows Firewall can be configured by General Policy Objects via Microsoft Active Directory.
• For Windows 2003 SP1 and R2 utilize the Security Configuration Wizard wherever possible in concert with the Windows firewall to reduce attack surface
• Utilize egress (as well as ingress) filtering on external network firewalls as part of defense-in-depth architecture to reduce threats of external as well as internal attack.
• Keep the systems updated with all the latest patches and service packs as part of defense-in-depth architecture. If possible enable Automatic Updates on all systems.
• Use intrusion prevention/detection systems at the network and host level as part of defense-in-depth architecture to prevent/detect attacks exploiting these vulnerabilities.
• Eliminate exposure to vulnerabilities by disabling the unneeded services. For Windows clients (XP, 2003 and/or Vista), the following services should generally be disabled:

Service name	Display name	Enterprise Client desktop/laptop	Standalone desktop/laptop
Alerter	Alerter	Disabled	Disabled
ClipSrv	ClipBook	Disabled	Disabled
Browser	Computer Browser	Not Defined	Disabled
Fax	Fax	Not Defined	Disabled
MSFtpsvr	FTP Publishing	Disabled	Disabled
IISADMIN	IIS Admin	Disabled	Disabled
cisvc	Indexing Service	Not Defined	Disabled
Messenger	Messenger	Disabled	Disabled
mnmsrvc	NetMeeting® Remote Desktop Sharing	Disabled	Disabled
RDSessMgr	Remote Desktop Help Session Manager	Not Defined	Disabled
RemoteAccess	Routing and Remote Access	Disabled	Disabled
SNMP	SNMP Service	Disabled	Disabled
SNMPTRAP	SNMP Trap Service	Disabled	Disabled
SSDPSrv	SSDP Discovery Service	Disabled	Disabled
Schedule	Task Scheduler	Not Defined	Disabled
TlntSvr	Telnet	Disabled	Disabled
TermService	Terminal Services	Not Defined	Disabled
Upnphost	Universal Plug and Play Device Host	Not Defined	Disabled
W3SVC	World Wide Web Publishing	Disabled	Disabled

Table 1. Disabled Windows Services on Windows Clients

Earlier versions of the operating system, especially Windows NT and Windows 2000, enabled many of these services by default for user convenience . These non essential services increase the exploitable surface significantly. For Windows machines that are used as servers (i.e. Print Server, File Server) refer to the appropriate configuration guides listed as references below and/or use automated tools such as the Windows 2003 Security Configuration Wizard to configure the services appropriately.

In some cases, null session access to the vulnerable interface could be removed as a work-around. It is a good practice to review your current RestrictAnonymous settings and keep them as stringent as possible based on your environment. http://www.securityfocus.com/infocus/1352

S2.6 References

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx

Windows XP Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Using Windows Firewall
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

Security Configuration Wizard for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

How to use IPSec IP filter lists in Windows 2000
http://support.microsoft.com/kb/313190

How to block specific network protocols and ports by using IPSec
http://support.microsoft.com/kb/813878

How to configure TCP/IP filtering in Windows 2000
http://support.microsoft.com/kb/309798

S3. UNIX/Mac OS Services

S3.1 Description

Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix. Unnecessary services should be disabled, and all servers facing open networks should be protected by a firewall.

For services which provide remote login and/or remote service, traffic cannot be simply blocked by firewalls. Buffer overflow vulnerabilities and flaws in authentication functions can often allow a vector for arbitrary code execution, sometimes with administrative privileges, so gathering vulnerability information and patching rapidly are very important. Every year, buffer overflow vulnerabilities in Unix/Linux services are found.

These services, even if fully patched, can be the cause of unintended compromises. Brute-force attacks against remote services such as SSH, FTP, and telnet are still the most common form of attack to compromise servers facing the Internet. Over the last couple of years a concerted effort has been made by attackers to recover passwords used by these applications via brute-force attacks. Increasingly worms and bots have brute-force password engines built into them. Systems with weak passwords for user accounts are actively and routinely compromised; often privilege escalations are used to gain further privileges, and rootkits installed to hide the compromise. It is important to remember that brute forcing passwords can be a used as a technique to compromise even a fully patched system.

Security-conscious administrators should use SSH or another encrypted protocol as their method of interactive remote access. If the version of SSH is current and it is fully patched, the service is generally assumed to be safe. However, regardless of whether it is up to date and patched SSH can still be compromised via brute-force password-guessing attacks. Use public key authentication mechanism for SSH to thwart such attacks. For the other interactive services, audit passwords to ensure they are of sufficient complexity to resist a brute-force attack.

Minimizing the number of running services on a host will also make it more secure. Many services have been used to further exploits and some combinations of services (such as web servers and FTP servers that share published directories) are particularly prone to exploits.

S3.2 Affected OSs

All versions of Unix/Linux/Mac OS Server are potentially at risk from improper and default configurations. All those OS versions may be affected by accounts having weak or dictionary-based passwords for authentication.

S3.3 CVE Entries

Remote services
CVE-2006-5815, CVE-2007-0882, CVE-2007-2446, CVE-2007-0731, CVE-2007-2791, CVE-2007-1654

Kernel/Libraries
CVE-2007-4995, CVE-2007-5191, CVE-2006-6652, CVE-2007-3641, CVE-2007-5079, CVE-2007-1351

Management Console/Tools
CVE-2007-3093, CVE-2007-3094, CVE-2007-3260, CVE-2007-3232, CVE-2007-2282, CVE-2007-0980

Others
CVE-2007-2173, CVE-2006-5616

S3.4 How to Determine If You Are Vulnerable

Default installations (either from the manufacturer or by an administrator) of operating systems or network applications may include a wide range of unneeded and unused services. In many cases the uncertainty about operating system or application needs leads many manufacturers or administrators to install a large amount of software in case it is needed in the future. This simplifies the installation process significantly but also introduces a wide range of unneeded services and user accounts that have default, weak, or known passwords.

The use of an updated vulnerability scanner or a port mapper can be highly effective in discovering any potential vulnerabilities left by default installations, such as unneeded and/or outdated services or applications. Also, a password cracker can help to avoid the use of weak or easily compromised passwords.

Note: never run a password cracker/vulnerability scanner, even on systems for which you have root-like access, without explicit, written permission from your employer. Administrators with the most benevolent of intentions have been fired and prosecuted for running password cracking tools without the authority to do so.

S3.5 How to Protect Against These Vulnerabilities

Disable unnecessary services

• Scan the server with a port scanner or vulnerability assessment tool to determine what unnecessary services are running on a system. Disable the services that are not required by any necessary applications.
• Establish and enforce reliable patch management procedures
• Install the latest vendor patches regularly to mitigate vulnerabilities in exposed services. Patch management is a critical part of the risk management process.
• Patch management tools are useful to find unpatched systems. Especially in a network where a lot of servers run, patching all servers is important, since only one unpatched server makes your network exploitable.

Use secure configuration

• Use the Center for Internet Security benchmarks from www.cisecurity.org for your OS and services you use. Also consider using Bastille (www.bastille-linux.org) to harden Linux and HP-UX based hosts.
• Consider moving services from default ports where possible. Automated scanners tend to only scan default ports.
• Ensure services are protected by vendor-supplied security mechanisms (for example SELinux or address space randomization).

Improve perimeter defense/monitoring log

• Deploy hardware/software firewall and IDS/IPS to detect and block attacks and protect required services. If possible, limit the source IP addresses for remote logins and services.
• In a mission critical network, use real-time log monitoring to find evidence of attacks. Log management and SIM tools are useful for real-time analysis of several kinds of logs.

Block brute force attacks

• Don't use default passwords on any account.
• Enforce a strong password policy. Don't permit weak passwords or passwords based on dictionary words.
• Audit to ensure your password policy is being adhered to.
• Limit the number of failed login attempts to exposed services.
• Limit the accounts that can log in over the network; root should not be one of them.
• Prohibit shared accounts and don't use generic account names like tester, guest, sysadmin, admin, etc.
• Log failed login attempts. A large number of failed logins to a system may require a further check on the system to see if it has been compromised.
• Consider using certificate based authentication.
• If your Unix system allows the use of PAM authentication modules, implement PAM modules that check the password's strength.

Avoid service interactions and misconfigurations

• Where possible, limit the functions of the host. Misconfigurations in multiple services may often increase the risk to a service.

S3.6 References

Brute Force Attacks and Counter Measures
http://isc.sans.org/diary.php?storyid=1541
http://isc.sans.org/diary.php?storyid=1491
http://isc.sans.org/diary.html?storyid=3212
http://isc.sans.org/diary.html?storyid=3209
http://isc.sans.org/diary.php?date=2006-08-01

General UNIX Security Resources
http://www.cisecurity.org
http://www.bastille-linux.org
http://www.puschitz.com/SecuringLinux.shtml

S4. Backup Software

S4.1 Description

Backup software is an extremely valuable asset for any organization. Backup software typically runs on many systems throughout an enterprise. In recent years, the trend has been to consolidate backup functions onto few servers, or even a single server. The hosts requiring backup services communicate with the backup server via the network. Interaction with the server generally conforms to a push approach, where the client sends data to the server to be backed up, or a pull approach, where the server polls for new data to be backed up from the client, or a combination of these two approaches. During 2007 many critical backup software vulnerabilities were discovered. Since the backup software generally runs with high privileges to read all files on a system, vulnerabilities in backup software have led to severe security vulnerabilities. Some of these vulnerabilities were exploited to completely compromise systems running backup servers and/or backup clients. Attackers leveraged these flaws for enterprise-wide compromise and obtained access to the sensitive backed-up data. Exploits have been publicly posted for many of these flaws, and these vulnerabilities are often exploited in the wild.

S4.2 Operating Systems and Backup Software Affected

All operating systems running backup server or client software are potentially vulnerable to exploitation. The affected operating systems tend to be Windows and Unix systems, as these systems form the preponderance of enterprise clients and servers.

The following popular backup software packages have had critical vulnerabilities:

• Computer Associates (CA) BrightStor ARCServe has had dozens of easy-to-exploit vulnerabilities with exploit code widely available.
• Symantec Veritas NetBackup/Backup Exec has had a few recently reported vulnerabilities.
• EMC Legato Networker also has had one publicly reported vulnerability.

S4.3 A Special Note on Backup Security

Backup data often contains all of, or at least large portions of, the data on a given system. Generally the backup data is stored in a centralized location and is often unencrypted. Physical security of backup media is of the utmost importance, as theft or analysis of backup media can provide complete access to critical data with little or no additional effort. If at all possible, backed up data should be encrypted with strong encryption, and the methods for decryption should be available only to trusted individuals.

S4.4 CVE Entries

CVE-2007-5332, CVE-2007-5330, CVE-2007-5328,, CVE-2007-5327,, CVE-2007-5325,, CVE-2007-5006,, CVE-2007-5004,, CVE-2007-5003, CVE-2007-3825, CVE-2007-3216, CVE-2007-2864, CVE-2007-2863, CVE-2007-2139,, CVE-2007-1447,, CVE-2007-5126, CVE-2007-3509, CVE-2007-2279, CVE-2007-3618

S4.5 How to Determine If You Are Vulnerable

• Use any vulnerability scanner to detect vulnerable backup software installations.
• Update your backup software to the latest version. Monitor your backup software vendor site and subscribe to the patch notification system if they have one, and to general security related sites such as US-CERT , SANS Internet Storm Center or new vulnerability announcements relating to your chosen backup software.
• Check for access to the TCP and UDP ports used by your backup software. The backup products listed above are known to use the following ports:
  • Symantec Veritas Backup Exec
    • TCP/10000 TCP/8099, TCP/6106, TCP/13701, TCP/13721 and TCP/13724 (A listing of ports used by Veritas backup daemons is available here.)
  • CA BrightStor ARCServe Backup Agent
    • TCP/6050, UDP/6051, TCP/6070, TCP/6503, TCP/41523, UDP/41524
  • Sun and EMC Legato Networker
    • TCP/7937-9936

  S4.6 How to Protect against These Vulnerabilities

  • Ensure the latest vendor supplied software patches are installed on the clients and servers.
  • The ports being used by backup software should be firewalled from any untrusted network, especially the Internet.
  • Data should be encrypted when stored on backup media and while being transported across the network.
  • Host- or network-based firewalls should be run to limit the accessibility of a system's backup software to ensure that only the appropriate backup hosts can communicate on the backup server ports.
  • Segregate your network to create a separate backup network VLAN.
  • Backup media should be stored, tracked and monitored like other IT assets to deter and detect theft or loss.
  • Backup media should be securely erased, or physically destroyed at the end of its useful life.
  top^

  S5. Anti-virus Software

  S5.1 Description

  Anti-virus software is seen as a required basic tool within the "defense-in-depth" toolbox to protect systems today. Anti-virus software is now installed on almost all desktops, servers and gateways to combat virus outbreaks.

  During 2007, attackers have shifted their focus to exploit security products used by a large number of end users. This includes anti-virus and personal firewall software. The discovery of vulnerabilities in anti-virus software is not limited to desktop and server platforms: gateway solutions are also affected, and compromising a gateway could cause a much larger impact since the gateway is the outer layer of protection and the only protection against some threats in many small organizations.

  Multiple remote code execution vulnerabilities have been discovered in the anti-virus software provided by various vendors including Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos. These vulnerabilities can be used to take a complete control of the user's system with limited or no user interaction.

  Anti-virus software has also been found to be vulnerable to "evasion" attacks. By specially crafting a malicious file (for instance, an HTML file with an executable header) it may be possible to bypass anti-virus scanning. These evasion attacks can be exploited to create a vector for malware propagation, or bypass systems that would otherwise limit malware propagation.

  S5.2 Operating Systems Affected

  Any system with an installed anti-virus application or scanning engine meant to scan for malicious data could be affected. This includes solutions installed on desktops, servers and gateways. Any platform could be affected, including all Microsoft Windows and Unix systems.

  S5.3 CVE Entries

  Avast!
  CVE-2007-2845, CVE-2007-2846, CVE-2007-1672

  AVIRA
  CVE-2007-2974, CVE-2007-2973, CVE-2007-2972, CVE-2007-1671

  BitDefender
  CVE-2007-0391

  ClamAV
  CVE-2007-4560, CVE-2007-3023, CVE-2007-2029, CVE-2007-1997, CVE-2007-1745

  Computer Associates
  CVE-2007-2864, CVE-2007-2523, CVE-2007-2522

  HAURI
  CVE-2006-0864

  F-Secure
  CVE-2007-3300, CVE-2007-2967, CVE-2007-2966, CVE-2007-2965, CVE-2007-1557

  Kaspersky
  CVE-2007-3675, CVE-2007-1879, CVE-2007-1112, CVE-2007-0445, CVE-2007-1281

  Mcafee
  CVE-2007-2152, CVE-2007-1538

  Panda
  CVE-2007-3969, CVE-2007-3026, CVE-2007-1670

  Sophos
  CVE-2006-6335, CVE-2006-0994

  Symantec
  CVE-2007-3699, CVE-2007-0447, CVE-2007-3802, CVE-2007-3095, CVE-2007-3021

  Trend Micro
  CVE-2007-1591, CVE-2007-0856, CVE-2007-0851

  S5.4 How to Determine If You Are Vulnerable

  If you are running any release of any anti-virus software that has not been updated to the latest version, you are likely to be affected.

  S5.5 How to Protect against Anti-virus Software Vulnerabilities

  • Ensure that all of your anti-virus software is regularly and automatically updated.
  • Regularly check your vendor website for upgrades, patches and security advisories. A list of anti-virus vendors is provided in the References below. The list may not be exhaustive.
  • If you have deployed anti-virus software on gateway and desktops, use different anti-virus vendor solutions for gateway and desktop. If one is vulnerable, it will not create a single point of failure.

  S5.6 References

  Below is a list of anti-virus vendors to check for upgrades, patches and security advisories.

  Anti-virus Security Advisories

  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=29#widely7 (Symantec)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=23#widely3 (F-Secure)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=9#widely2 (Trend Micro)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=17#07.17.29 (McAfee)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=24#widely2 (Computer Associates)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=9#widely6 (ClamAV)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=22#other1 (Avast!)
  • http://www.sans.org/newsletters/risk/display.php?v=4&i=34#other2 (HAURI)
  • https://www2.sans.org/newsletters/risk/display.php?v=5&i=19#widely6 (Sophos)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=31#widely4 (Panda)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=23#other1 (AVIRA)
  • https://www2.sans.org/newsletters/risk/display.php?v=6&i=15#widely3 (Kaspersky)

  Anti-virus Evasion Issues

  • http://www.kb.cert.org/vuls/id/968818
  • http://www.sans.org/newsletters/risk/display.php?v=4&i=43#other4

  Other Anti-virus Resources

  • http://www.cert.org/other_sources/viruses.html
  • http://www.virusbtn.com/
  • http://www.eicar.com/
  • http://www.wildlist.org/
  top^

  S6. Management Servers

  S6.1 Description

  Applications such as on-server virus and spam filters, directory servers, and management and monitoring systems pose a unique security challenge; in addition to opportunities for compromising the system hosting them, they provide opportunities to attack other systems.

  S6.2 Applications Affected

  These applications can be divided into multiple categories:

  • Directory Servers - Used to maintain user and system information. Compromising these applications can give access to large amounts of information, including usernames and (possibly encrypted) passwords.
  • Monitoring Systems - Used to monitor various other systems. These applications often have user accounts on monitored clients, allowing an attacker easy access to client systems.
  • Configuration and Patch Systems - These systems are used to maintain client configurations and patches. Compromising these systems provides an easy path to further distribute malware.
  • Spam and Virus Scanners - Vulnerabilities in these systems can often be exploited with little or no user interaction, by simply sending a specially-crafted email message. Once compromised, attackers can more easily send spam and virus-containing emails. Additionally, these systems often contain vital information, such as users' mailboxes.

  These applications run on a variety of operating systems, including Microsoft Windows, Solaris, HP-UX, Novell Netware, and others.

  S6.3 CVE Entries

  CVE-2006-5478, CVE-2006-4509, CVE-2006-4510, CVE-2006-4177, CVE-2006-2496, CVE-2006-0992, CVE-2005-3653, CVE-2005-1928, CVE-2005-1929

  S6.4 How to Determine If You Are at Risk

  • Use a vulnerability scanner.
  • Track vendor security announcements.

  S6.5 How to Protect Against These Vulnerabilities

  • Keep the systems updated with all the latest patches and service packs. if provided, use an automatic update system.
  • Use Intrusion Prevention/Detection Systems to prevent/detect attacks exploiting these vulnerabilities.
  • Ensure that only authorized users and systems have access to the affected systems.

  S6.6 References

  Trend Micro ServerProtect Multiple Vulnerabilities
  http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0066.html
  http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0067.html
  http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0068.html

  Trend Micro Home Page
  http://www.trendmicro.com/

  CA iTechnology iGateway Buffer Overflow
  http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp

  CA Home Page
  http://www.ca.com/

  Novell eDirectory iMonitor Remote Buffer Overflows
  http://www.zerodayinitiative.com/advisories/ZDI-06-016.html

  Novell Home Page
  http://www.novell.com

  Symantec Sygate Management Server SQL Injection
  http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html

  Symantec Home Page
  http://www.symantec.com/

  HP OpenView Multiple Remote Command Execution
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00672314
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00671912

  HP OpenView Storage Data Protector Remote Code Execution
  http://archives.neohapsis.com/archives/bugtraq/2006-08/0273.html

  HP OpenView Home Page
  http://h20229.www2.hp.com/

  Barracuda Spam Firewall Remote Command Injection
  http://archives.neohapsis.com/archives/bugtraq/2006-08/0093.html

  Barracuda Home Page
  http://www.barracudanetworks.com/ns/?L=en

  S7. Database Software

  S7.1 Description

  Databases provide the ability to store, search and manipulate large amounts of data. They are key elements of many systems, even though their presence may not be directly visible to users. They are found in many common applications including financial, banking, customer relationship management and system monitoring software.

  Due to the valuable information they often store, such as personal and financial details, databases are often a target of attack and are of particular interest to identity thieves. Database systems are often very complex, combining the core database with a collection of applications. Some of these applications are supplied by the database vendor, others (such as web applications) are written by users in house. A flaw in any of these components can compromise the stored data. It is not sufficient to protect the database alone, all the associated applications need to be secured. The most common vulnerabilities in database systems are:

  • Use of default configurations with default user names and passwords.
  • SQL Injection via the database's own tools, third part applications or web front-ends added by users. Huge numbers of vulnerabilities in this class are announced every year.
  • Use of weak passwords for privileged accounts.
  • Buffer overflows in processes that listen on well known ports.

  Many different database systems are available. Some of the most common are Microsoft SQL Server (proprietary, runs on Windows), Oracle (proprietary, runs on many platforms), IBM DB2 and IBM Informix (both proprietary, run on multiple platforms), Sybase (proprietary, runs on many platforms), MySQL and PostgreSQL (both open source and available on many platforms).

  All modern databases can be accessed over networks, which means that anyone with network access and readily available query tools can attempt to connect directly to the database. The commonly used default connections are: Microsoft SQL via TCP port 1433 and UDP port 1434, Oracle via TCP port 1521, IBM DB2 via ports 523 and 50000 up, IBM Informix via TCP ports 9088 and 9099, Sybase via TCP 4100 or 2025, MySQL via TCP port 3306, and PostgreSQL via TCP port 5432.

  Due to the network connections they provide, databases may suffer from worms; there have been examples of worms attacking Microsoft SQL and Oracle.

  In addition to addressing the specific vulnerabilities mentioned here, administrators concerned with database security should consider:

  • The impact of standards such as the Payment Card Industry Data Security Standard that may require encryption of some information such as credit card numbers or prohibit the storage of some types of information.
  • The risks of transferring entire databases or large quantities of data onto mobile devices: there have been numerous reports of personal data being lost through the theft of laptops.

  S7.2 Operating Systems Affected

  Most database systems, commercial and open source, run on multiple platforms. Issues regularly cover all supported platforms.

  S7.3 CVE Entries

  These are the entries released since September 2006 that have a CVSS base score of 7 or more. Earlier vulnerabilities can be found in previous editions of this SANS document. In many cases reported issues are not flaws in the databases themselves but in applications built around them, e.g. SQL injection into web interfaces; these have not been included here.

  IBM DB2

  CVE-2007-1086, CVE-2007-1087, CVE-2007-1088, CVE-2007-1089, CVE-2007-2582, CVE-2007-5652.

  IBM Informix

  None during this reporting period.

  Microsoft SQL Server

  CVE-2007-4814
  

  MySQL

  None during this reporting period.

  Oracle
  CVE-2006-5332, CVE-2006-5333, CVE-2006-5334, CVE-2006-5335, CVE-2006-5336, CVE-2006-5339, CVE-2006-5340, CVE-2006-5341, CVE-2006-5342, CVE-2006-5343, CVE-2006-5344, CVE-2006-5345, CVE-2006-7138,