iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Newsletters: @RISK


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 27, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 52

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 12/20/2012 - 12/26/2012
============================================================

TOP VULNERABILITY THIS WEEK: A major information disclosure vulnerability impacting users of the popular W3 TotalCache for Wordpress plugin was announced this week, with all files touched by the caching server being publicly available on the Internet by default with no authentication. The author of the plugin is currently working on a fix, but administrators can take simple action in the interim to reduce their exposure.

============================================================

TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Wordpress W3 TotalCache Information disclosure
Description: A security researcher has discovered that, by default, the popular W3 TotalCache plugin for Wordpress leaves cache files in directories readable by the web server, with indexing enabled. That allows for trivial web searches of all cached files of impacted servers, including database session information, password-restricted data, etc. At the time of writing, approximately 1.19 million results were returned with appropriate Google searches, demonstrating the scope of the issue. Impacted administrators should immediately disable indexing on all W3 TotalCache directories, and look for a patch that the author of the product is currently working on.
Reference:
http://seclists.org/fulldisclosure/2012/Dec/242
http://wordpress.org/extend/plugins/w3-total-cache/
Snort SID: 25120
ClamAV: N/A

Title: NVidia Display Driver "Christmas 0-day"
Description: Proving that information security never sleeps, a security researcher in the UK released exploit code for a new NVidia display driver on PasteBin on Christmas Day. While the has stated on this Twitter feed that it is likely "not wormable", the issue is clearly serious, and is likely to be addressed directly by NVidia soon. As the exploit uses an SMB pipe, in the interim concerned users should ensure that they are using a firewall to protect their systems from as much exposure to Windows SMB protocols as possible without impacting business.
Reference: http://pastebin.com/QP7eZaJt
Snort SID: N/A
ClamAV: N/A

Title: AutoIt Trojan observed in the wild
Description: Several instances of this new trojan downloader have been observed in the wild recently. The malware uses an encoded backdoor channel to decrease the likelihood of detection.
Reference: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Autoit-QN/detailed-analysis.aspx
Snort SID: 25109
ClamAV: AUTOIT.Trojan.Agent-8

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Microsoft SQL Server link crawling command execution:
http://www.exploit-db.com/exploits/23649/

Defcon Doctumentary Preview:
http://vimeo.com/56234900

Partial FBI files for Occupy dumped on Pastebin:
http://pastebin.com/U2yaa3ex

Opsec for stained glass:
http://www.schnarff.com/blog/?p=192

The "hidden" backdoor: VirTool:WinNT/Exforel.A:
https://blogs.technet.com/b/mmpc/archive/2012/12/09/the-quot-hidden-quot-backdoor-virtool-winnt-exforel-a.aspx?Redirected=true

NSA targeting domestic computer systems in secret test:
http://news.cnet.com/8301-13578_3-57560644-38/revealed-nsa-targeting-domestic-computer-systems-in-secret-test/

Page weight matters:
http://blog.chriszacharias.com/page-weight-matters?utm_source=dlvr.it&utm_medium=twitter

Howto: distributed Splunk architecture:
http://blog.rootshell.be/2012/12/22/howto-distributed-splunk-architecture/

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : CVE-2012-2174
Title: IBM Lotus Notes URL Handler Design Error Vulnerability
Vendor: IBM
Description: The URL handler in IBM Lotus Notes 8.x before 8.5.3 FP2 allows remote attackers to execute arbitrary code via a crafted notes:// URL.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to upload and execute files via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX "PrintControl.dll" Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl.1 ActiveX control in PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2 allows remote attackers to execute arbitrary code via a long ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. The vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

=========================================================
MOST POPULAR MALWARE FILES 12/20/2012 - 12/26/2012:
COMPILED BY SOURCEFIRE

SHA 256: 1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046
MD5:
VirusTotal: https://www.virustotal.com/file/1B8C2FC3E7324DE7D88A5A481F5FA9FC7A1CA6EA3EEEE6056ACFB749FCA4E046/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 1B6BA4CD56E96FB455EA6C6A8041FBD179D3CDE67F9C0306798B78E15CF55929
MD5:
VirusTotal: https://www.virustotal.com/file/1B6BA4CD56E96FB455EA6C6A8041FBD179D3CDE67F9C0306798B78E15CF55929/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 521513811D2E9C051F8F4A5F5B18B6FED31A24D2608A3B9D6A76E1E21DF44480
MD5:
VirusTotal: https://www.virustotal.com/file/521513811D2E9C051F8F4A5F5B18B6FED31A24D2608A3B9D6A76E1E21DF44480/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: 95B8892CB127AC1F21B55C0A19AE77D7561AB26D7131C03C3C9048C68EF27AF9
MD5:
VirusTotal: https://www.virustotal.com/file/95B8892CB127AC1F21B55C0A19AE77D7561AB26D7131C03C3C9048C68EF27AF9/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

SHA 256: BAEC88CBCF585E268845970B332101B2EAF5FE194748AB5F7BBCE83F710745BB
MD5:
VirusTotal: https://www.virustotal.com/file/BAEC88CBCF585E268845970B332101B2EAF5FE194748AB5F7BBCE83F710745BB/analysis/

Typical Filename:
Claimed Product:
Claimed Publisher:

=============================================================

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account