Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-04-04 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

telnetd deja vu, this time it is Kerberos 5 telnetd

Published: 2007-04-04
Last Updated: 2007-04-05 02:15:58 UTC
by Jim Clausing (Version: 3)
0 comment(s)
It seems like it was just a couple of weeks ago that we noted issues with the Solaris telnetd.  A couple of our readers took exception to our statement in the earlier story that telnet shouldn't be open to the internet.  Some of them pointed out that Kerberized telnetd uses much stronger authentication and can optionally encrypt traffic.  That is all well and good, but I don't consider that ordinary telnet(d).  Today, I noticed a RedHat bulletin (and subsequently, the official MIT advisory) about a vulnerability in Kerberos 5 telnetd (so it isn't any safer from bugs creeping into the code) that could allow unauthenticated root login by passing a crafted username (a different bug than the Solaris one).   Note that in neither case is the issue with the client, the issue is on the server side.  There are still valid reasons to have the telnet client on machines.  Anyway, krb5-telnet is not enabled by default on RedHat (or any other Linux/Unix that I'm aware of), but if you use it, update as soon as possible/practical.  I assume that other Linux distributions will have updates soon, if not already available.  If you are building from source, please see the MIT advisory.

References:
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
https://rhn.redhat.com/errata/RHSA-2007-0095.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0956 (not live yet)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0957 (not live yet)

UPDATE:  Yes, I did see the other 2 advisories from MIT, one for a syslog issue and one for a double free.  They are all fixed, I wrote about the telnetd one because that appears to me to be the worst and because it was eerily similar to the Solaris thing in Feb, but you should patch for all 3.

UPDATE 2:  On further reading of the syslog issue, it appears to be pretty serious, too.  It potentially allows remote code execution on the KDC.


Keywords:
0 comment(s)

Is WEP dead yet? Should it be?

Published: 2007-04-04
Last Updated: 2007-04-04 20:51:32 UTC
by Jim Clausing (Version: 2)
0 comment(s)
We've known almost from its release, that there were some significant weaknesses in WEP (Wired Equivalent Privacy).  AirSnort and WEPcrack among other packages have been able to crack WEP keys fairly easily if they could sniff enough of the encrypted traffic.  One of our readers (thanx, Mike) noted a new paper by three folks from the Darmstadt Technical University in Germany entitled Breaking 104 bit WEP in less than 60 seconds.  They explain how an updated attack on the underlying RC4 algorithm allows much faster cracking of WEP (over an order of magnitude faster), than previously realized.  We have long recommended that WEP be abandoned in favor of WPA2 (or, even better, WPA2).  This new work demonstrates that WEP is little more than an annoyance to folks really interested in seeing your traffic.
Keywords:
0 comment(s)

Various Vista Concerns

Published: 2007-04-04
Last Updated: 2007-04-04 19:44:03 UTC
by Jim Clausing (Version: 1)
0 comment(s)
I ran across a couple of stories in the last day or two that got me thinking about how much of security relies on assumptions that aren't necessarily always validated (remember Ronald Reagan's old adage "Trust, but verify"?).  The first one is this story from Blackhat Amsterdam about VBootkit.  The key quote from the story is "Experts say that the fundamental problem that this highlights is that every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly."  The other one was this story from one of the guys at CERIAS at Purdue about the introduction of symbolic links in Vista.  Frankly, I haven't paid enough attention to Vista yet, to realize they had added symbolic links and I don't program for Windows, but having been a programmer in a previous life, the possible implications of this one jumped out at me.  Further, I suspect that, all too soon, we'll be seeing all the race conditions with symlinks in Vista that we've seen in Unix/Linux over the years.  The more things change, the more things stay the same, huh?!
Keywords:
0 comment(s)

Microsoft Patch Maybe Causing Some Problems

Published: 2007-04-04
Last Updated: 2007-04-04 00:38:52 UTC
by Deborah Hale (Version: 1)
0 comment(s)
We have received several emails today from people who are having problems with the patch.  One that is confirmed by Microsoft is the Realtek problem.  Microsoft has been working on this problem and have provided a patch for the problem at:

support.microsoft.com/kb/935448/


Other possible issues have been reported and are being investigated.  Microsoft is asking anyone having problems after installing the patch to contact them at Microsoft Product Support Services at 1-866-PCSAFETY.  There is no charge for the support relating to Microsoft Security Updates.

support.microsoft.com/


Keywords:
0 comment(s)
Diary Archives