Diaries

Published: 2003-09-23

OpenSSH Vulnerability (New)


*** IMPORTANT UPDATE: ***

**OpenSSH 3.7.1p2 was released on September 23rd.**

It fixes additional security problems. No details yet.
****************************

A vulnerability has been discovered in OpenSSH which also affects the recently released versions 3.7p1 and 3.7.1p1.
We highly recommend upgrading to version 3.7.1p2, which was released this morning. The new version 3.7.1p2 fixes additional related issues in the PAM module that were not covered in 3.7.1p1.

This new bug may be remotely exploited according to the recently released announcement: "Under a non-standard configuration, with privsep disabled". This bug may not be exploitable on some platforms (e.g. OpenBSD) but could be exploitable on others (e.g. Linux).

Currently, there is no widely available exploit.

Workarounds for this new bug (it also affects 3.7p1 and 3.7.1p1):

(*) Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

(*) Allow only trusted hosts to access port 22

(*) Enable the Privilege Separation feature. It is not clear whether this prevents the current exploit, but it is likely to make any compromise harder.

At the time of this writing, no major Linux distribution has released an official update.

OpenSSH is used in a number of devices sold by various vendors. Examples are Cisco and Juniper routers. We do not know at this point if these devices are vulnerable. Please contact your vendor for details.

Related links:

Portable OpenSSH Source:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

OpenSSH Web site:

http://www.openssh.org

OpenSSH Advisory:

http://www.openssh.com/txt/sshpam.adv

As always: Verify PGP signatures for any patches or files you download.

Relevant URLs for patches:

Linux:

Debian: http://www.debian.org/security/2003/dsa-382

Mandrake: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090

RedHat: http://www.redhat.com/apps/support/errata/

SUSE: http://www.suse.com/us/private/support/security/index.html (no ssh patch as of 19:30 EDT Sept. 16th)

Slackware: http://www.slackware.org


BSD:

FreeBSD: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc

NetBSD:

OpenBSD: http://www.openbsd.org/errata.html#sshbuffer

Please send additional relevant URLs to isc@sans.org

Not Vulnerable

Putty

ssh server from ssh.com


Published: 2003-09-16

OpenSSH Vulnerability (NEW)


*** IMPORTANT UPDATE: ***

**OpenSSH 3.7.1p2 was released on September 23rd.**

It fixes additional security problems. No details yet.
****************************

A vulnerability has been discovered in OpenSSH which also affects the recently released versions 3.7p1 and 3.7.1p1.
We highly recommend upgrading to version 3.7.1p2, which was released this morning. The new version 3.7.1p2 fixes additional related issues in the PAM module that were not covered in 3.7.1p1.

This new bug may be remotely exploitable according to the recently released announcement: "Under a non-standard configuration, with privsep disabled". This bug may not be exploitable on some platforms (e.g. OpenBSD) but could be exploitable on others (e.g. Linux).

Currently, there is no widely available exploit.

Workarounds for this new bug (it also affects 3.7p1 and 3.7.1p1):

(*) Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

(*) Allow only trusted hosts to access port 22

(*) Enable the Privilege Separation feature. It is not clear whether this prevents the current exploit, but it is likely to make any compromise harder.

At the time of this writing, no major Linux distribution has released an official update.
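The three workarounds listed here (and the identical list in the 2003-09-23 entry above) can be checked and prepared from a shell. The script below is an added example; it is not part of the ISC diary nor of OpenSSH itself. It reads the effective UsePAM and UsePrivilegeSeparation values from an sshd_config (sshd_config keywords are case-insensitive, so the diary's "UsePam" and the documented "UsePAM" are the same directive, and sshd honours the first occurrence of a keyword, not the last), classifies the file against the "PAM on, privsep disabled" configuration the advisory calls out, and prints iptables rules that limit TCP port 22 to trusted networks. The sample configuration, the network addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the ISC diary: audit an sshd_config for the two
# directives the OpenSSH PAM workaround depends on. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and lines
# starting with '#' are comments.

# Print the effective value of one keyword in an sshd_config file, lowercased,
# or "unset" when the file does not mention it (the compiled-in default then applies).
# Usage: sshd_effective <config-file> <keyword>
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, accept Key=value
        NF >= 2 && tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify a config against the workaround: "mitigated" when PAM is off,
# "exposed" when PAM is on and privilege separation is explicitly disabled
# (the non-standard configuration named in the advisory), "partial" otherwise
# (PAM still on; privsep limits the impact, but 3.7.1p2 is still needed).
# Usage: sshd_pam_verdict <config-file>
sshd_pam_verdict() {
    pam=$(sshd_effective "$1" UsePAM)
    privsep=$(sshd_effective "$1" UsePrivilegeSeparation)
    if [ "$pam" = "no" ]; then
        echo "mitigated"
    elif [ "$privsep" = "no" ]; then
        echo "exposed"
    else
        echo "partial"
    fi
}

# Print iptables rules that allow TCP/22 only from the given trusted networks
# and drop the rest. Printed rather than applied so they can be reviewed first;
# run them as root (e.g. `ssh_trusted_hosts_rules 192.0.2.0/24 | sh`) to load.
ssh_trusted_hosts_rules() {
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Demo on a constructed config; point the functions at /etc/ssh/sshd_config in practice.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Port 22
# the first occurrence of a keyword is the one sshd uses
UsePAM yes
UsePrivilegeSeparation no
# this later line is ignored by sshd
UsePAM no
EOF
echo "UsePAM=$(sshd_effective "$demo_cfg" UsePAM) UsePrivilegeSeparation=$(sshd_effective "$demo_cfg" UsePrivilegeSeparation)"
echo "verdict: $(sshd_pam_verdict "$demo_cfg")"   # exposed
ssh_trusted_hosts_rules 192.0.2.0/24 198.51.100.7
rm -f "$demo_cfg"
```

The verdict deliberately treats a config that never mentions UsePAM as "partial" rather than guessing the build's default: whether PAM is compiled in and enabled by default differs between the portable releases, so an explicit "UsePAM no" is the only state the script reports as mitigated.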

OpenSSH is used in a number of devices sold by various vendors. Examples are Cisco and Juniper routers. We do not know at this point if these devices are vulnerable. Please contact your vendor for details.

Related links:

Portable OpenSSH Source:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

OpenSSH Web site:

http://www.openssh.org

OpenSSH Advisory:

http://www.openssh.com/txt/sshpam.adv

As always: Verify PGP signatures for any patches or files you download.

Relevant URLs for patches:

Linux:

Debian: http://www.debian.org/security/2003/dsa-382

Mandrake: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090

RedHat: http://www.redhat.com/apps/support/errata/

SUSE: http://www.suse.com/us/private/support/security/index.html (no ssh patch as of 19:30 EDT Sept. 16th)

Slackware: http://www.slackware.org


BSD:

FreeBSD: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc

NetBSD:

OpenBSD: http://www.openbsd.org/errata.html#sshbuffer

Please send additional relevant URLs to isc@sans.org

Not Vulnerable

Putty

ssh server from ssh.com


Published: 2003-09-11

Microsoft Windows RPCSS Vulnerability Update

Several groups are working on an exploit for this vulnerability. Expect a working exploit to be published and used within the next few days. We have compiled a set of PowerPoint slides for IT managers to illustrate the most important facts of this issue:

PDF: http://isc.sans.org/presentations/MS03-039.pdf

PowerPoint: http://isc.sans.org/presentations/MS03-039.ppt

This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)

The RPCSS patch (MS03-039) was made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue from the one released in July.

You must patch as soon as possible

We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity.

The patch for MS03-039 (RPCSS) does include the July patch for MS03-026 (RPC DCOM).

Workarounds

There are two workarounds. You can prevent exploitation of this vulnerability by applying firewall rules, in particular if you are using a host-based ("personal") firewall. For network firewalls, make sure no hosts are moved into the same zone as unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from outside the network.

In order to protect unpatched systems, you should close the following ports:

UDP 135, 137, 138, 445

TCP 135, 139, 445, 593

Other ports may be used as well, depending on additional components you may have installed. In particular, if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close ports 80 and 443 inbound.

To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
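For a Linux gateway placed in front of unpatched Windows hosts, the port list above translates into a small iptables rule set. The script below is an added example, not from the ISC diary or from Microsoft: it prints (rather than applies) LOG and DROP rules for the UDP and TCP ports named in this entry, adds ports 80 and 443 only when asked to (the CIS / RPC-over-HTTP case), and includes a helper that counts the logged hits per source address so scanning hosts can be spotted in syslog. The syslog lines in the demo are constructed, and the function names and log prefix are my own choices.

```shell
#!/bin/sh
# Added example, not from the ISC diary: emit iptables rules for a Linux
# gateway protecting unpatched Windows hosts, blocking the ports listed in
# the MS03-039 workaround. Rules are printed, not applied, so they can be
# reviewed first; pipe them to `sh` as root to load them.

# Port lists from the diary entry.
RPCSS_UDP_PORTS="135 137 138 445"
RPCSS_TCP_PORTS="135 139 445 593"
# Only needed when COM Internet Services / RPC over HTTP is enabled on the
# protected hosts (the diary's note on ports 80 and 443).
CIS_TCP_PORTS="80 443"

# Print a LOG rule (so probes show up in syslog) followed by a DROP rule for
# one protocol/port in the given chain.
# Usage: block_port <chain> <tcp|udp> <port>
block_port() {
    printf 'iptables -A %s -p %s --dport %s -j LOG --log-prefix "MS03-039 probe: "\n' "$1" "$2" "$3"
    printf 'iptables -A %s -p %s --dport %s -j DROP\n' "$1" "$2" "$3"
}

# Emit the full rule set. Use chain FORWARD on a gateway protecting a segment,
# INPUT on the Linux host itself.
# Usage: rpcss_block_rules <chain> [with-cis]
rpcss_block_rules() {
    chain="${1:-FORWARD}"
    tcp_ports="$RPCSS_TCP_PORTS"
    if [ "$2" = "with-cis" ]; then
        tcp_ports="$tcp_ports $CIS_TCP_PORTS"
    fi
    for p in $RPCSS_UDP_PORTS; do block_port "$chain" udp "$p"; done
    for p in $tcp_ports;       do block_port "$chain" tcp "$p"; done
}

# Count LOG hits per source address in a syslog extract, most active first,
# to see which hosts are probing the blocked ports.
# Usage: probe_sources <syslog-file>
probe_sources() {
    grep 'MS03-039 probe:' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Demo: print the rules, then summarise a constructed syslog extract.
rpcss_block_rules FORWARD with-cis

demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Sep 11 10:00:01 gw kernel: MS03-039 probe: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=3412 DPT=135
Sep 11 10:00:02 gw kernel: MS03-039 probe: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP SPT=3413 DPT=135
Sep 11 10:00:05 gw kernel: MS03-039 probe: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.7 PROTO=UDP SPT=1026 DPT=445
EOF
probe_sources "$demo_log"
rm -f "$demo_log"
```

The LOG rule is what turns a firewall block into a detection source: once the rules are loaded, a host that hits 135/tcp on several addresses in a row is a candidate for the exploit traffic this entry expects, and probe_sources gives the per-source counts without any extra tooling.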

Update Vulnerability Scanners

Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner.

Links and Further Information

Microsoft Bulletin (Consumer version):

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

Microsoft Bulletin (Technical Details):

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

Details about RPC:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp


Scanners:

Microsoft: http://support.microsoft.com/?kbid=827363

Qualys: http://www.qualys.com/RPCSS

Eeye: http://www.eeye.com/html/Research/Tools/RPCDCOM.html

ISS: http://www.iss.net/support/product_utilities/Xfrpcss.php

Foundstone: http://www.foundstone.com/resources/scanning.htm

Symbolic.it (Italian and English): http://www.symbolic.it/Press/press_rpcheck2.html


Published: 2003-09-10

Microsoft RPCSS Vulnerability


Update: MS03-039 Briefing for senior IT managers

PDF: http://isc.sans.org/presentations/MS03-039.pdf

PowerPoint: http://isc.sans.org/presentations/MS03-039.ppt

In response to today's announcement of a new Microsoft Windows RPC vulnerability, we raised the 'Infocon' to 'yellow' in order to alert users of the urgency to patch, and to point out that this is a new issue not covered by any of the prior RPC patches.

Microsoft released a new RPC related advisory (MS03-039). This advisory discloses a buffer overrun condition in the RPCSS service. This issue is not fixed by any patch applied to remedy the RPC DCOM vulnerability.

For details, see:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp


Published: 2003-09-09

Sobig-F hibernation

Today will be the last day for Sobig-F to propagate. While it will no
longer send e-mail to spread, Sobig-F will not uninstall and infected
systems continue to be vulnerable to future upgrades via the backdoor
installed by Sobig-F.

As a reminder: If you are using a virus scanner on your mail server,
please make sure that it does not send notifications to the senders
of infected e-mails. Most recently released worms, including Sobig,
use fake "From" headers. As a result, notification e-mails can flood
innocent bystanders and cause considerable pain to mail systems.

Based on Sobig's history, a new version may be released soon. Ensure
your users are aware not to click on ANY unsolicited attachments.

Recent Office vulnerabilities may open new vectors for viruses to
spread. Update vulnerable systems as soon as possible. The vulnerabilities
affect essentially all versions of Microsoft Office and Microsoft Works.
For Office updates see: http://office.microsoft.com/productupdates/
These patches will not be offered by Windows Update.


Published: 2003-09-05

Steps to Mitigate Office Vulnerabilities

Some of the vulnerabilities announced on Wednesday are easily exploited to
execute hostile code without users opening any attachments.

As patching is tricky, we provide these steps as a workaround. Please
do not substitute these steps for patching; however, they may help
mitigate problems.

Proof of concept exploits for the vulnerability have been released to the
public. At this point, it is rather likely that this vulnerability will
be used as a vector to launch a virus or for targeted network intrusions.

The basic idea is to change the message format in Exchange to txt or html
(in Exchange go to Tools, Options, Mail Format, Message format).
If this option is "Microsoft Word", any reply or forward with an infected
Word document in it can cause Word to open the infected document.
The default email editor in Office XP (Exchange) is Word.

To change which program starts when you open a file

1 In My Computer or Windows NT Explorer, click the View menu, and then
click Options.

2 Click the File Types tab.

3 In the list of file types, click the one you want to change.
The settings for that file type are shown in the File Type Details box.

4 Click Edit.

5 In the Actions box, click Open.

6 Click Edit, and then specify the program you want to use to open
files that have this extension.
Choose Word documents (and all other Word file types).

Change the action from Quick View to "Confirm open after download".

URL for Office Updates:
http://office.microsoft.com/productupdates/


Published: 2003-09-03

5 Microsoft Advisories

Microsoft released 5 new advisories today.

Most of these advisories require updates to Microsoft Office. In order to
download and install the patches, use this URL:

http://office.microsoft.com/productupdates/

The regular Windows Update service will not offer any Office patches. Make sure
you have your Microsoft Office CDs ready. The patch may require you to insert the CDs for Office, FrontPage and Visio. The exact CDs required vary from installation to installation.

This is a very brief summary to allow you to scan the issues. Please refer to the Microsoft bulletins for details.

MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure

http://www.microsoft.com/technet/security/bulletin/MS03-034.asp

If a host responds to NetBIOS name queries, the packet is padded with content pulled from memory. If you are unlucky, this could be a password. The severity of this issue is rated low for all affected versions of Windows. Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP and 2003 are vulnerable.

The memory location is random and there is no obvious way for an attacker to control it.

MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically

http://www.microsoft.com/technet/security/bulletin/MS03-035.asp

This problem could allow an attacker to run Word macros and bypass various protection mechanisms. All versions of Word and Microsoft Works are affected, and
Microsoft considers this an "important" issue.

In order to execute a macro, the document has to be opened in Word. Alternative office suites like Open Office can be used. In general, it is not a good idea to open any attachment from an untrusted source. Digital signatures can be used to avoid 'From' spoofing.

MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution

http://www.microsoft.com/technet/security/bulletin/MS03-036.asp

The WordPerfect converter included in Microsoft Office, FrontPage, Publisher and Works is susceptible to a buffer overflow. The attacker can execute arbitrary code as the user opening the file. Again, do not open attachments you don't trust.

MS03-037: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution

http://www.microsoft.com/technet/security/bulletin/MS03-037.asp

MS03-038: Unchecked Buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution

http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
