[Fwd: SANS Critical Vulnerability Analysis Vol 2 No 04]

Liyun Yu ncsa-discussion@ncsysadmin.org
Mon, 03 Feb 2003 11:41:10 -0500


-------- Original Message --------
Subject: SANS Critical Vulnerability Analysis Vol 2 No 04
Date: Mon, 3 Feb 2003  8:03:50 -0700 (MST)
From: The SANS Institute <CriticalVulnerabilityAnalysis@sans.org>
To: Liyun Yu (SD560793) <yu@radonc.unc.edu>


In response to dozens of requests, we are opening up subscriptions
to this weekly newsletter. Please forward it to any system
administrators or security professionals who need to act on
critical security vulnerabilities. They may subscribe at no cost at
http://server2.sans.org/sansnews

That is also where they may subscribe to SANS' other two free
security newsletters: the complete weekly summary of all security
vulnerabilities (Security Alert Consensus) and the weekly summary of
all important news stories on security (NewsBites).

                               Alan

***********************************************************************
                  SANS Critical Vulnerability Analysis
February 3, 2003                                          Vol. 2. No. 4
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents
-----------------
Widely Deployed Software:
(1) HIGH: Solaris KCMS Library Service Daemon Vulnerability

Other Software
(2) LOW: Hypermail Attachment Name Buffer Overflow
(3) LOW: SpamAssassin spamc BSMTP Buffer Overflow

Exploit Code Information
(4) Sapphire/Slammer SQL Worm: Vulnerable Non-Microsoft Products
(5) Windows RPC Locator Service Buffer Overflow

**********************************************************
Widely Deployed Software
*********************************************************

(1) HIGH: Solaris KCMS Library Service Daemon Vulnerability

Affected Products:
Solaris 2.5.1, 2.6, 7, 8 and 9

Description:
The KCMS library service daemon provides remote read-only access
to KCMS library profiles on all versions of Solaris.  The daemon
contains a buffer overflow in the KCS_OPEN_PROFILE procedure, which
allows a remote attacker to read arbitrary files on the system. The
daemon runs as an RPC service with root privileges, and is installed
and enabled by default.

Risk: Exposure of information potentially leading to remote compromise
(e.g. by stealing the encrypted passwords and cracking them).

Deployment: Very large.
The vulnerability affects all default installations of Solaris.

Ease of Exploitation: Straightforward.
The attacker must be able to create a subdirectory in a directory
searched by the KCMS library service daemon. This task is easily
accomplished by calling a ToolTalk (another default RPC service)
procedure to create the subdirectory. The attacker can then request
arbitrary files by referencing them from the subdirectory and using
../../../ characters in the path.  An attacker could script this
procedure and use it to harvest password files from large numbers of
Solaris systems.

Status: This vulnerability has been confirmed by SUN, but patches
are not yet available. The KCMS library service can be disabled as
a workaround.
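The workaround named above, disabling the KCMS library service, as an added example that is not from the newsletter or from Sun. It comments out the kcms_server entry in an inetd.conf-style file and checks rpcinfo output for the service; the sample lines and file path are constructed for the example, while the RPC program numbers 100221 (kcms_server) and 100083 (rpc.ttdbserverd, the ToolTalk daemon in the described scenario) are the real Solaris assignments.

```shell
#!/bin/sh
# Added example, not the newsletter's or Sun's code. On a real Solaris
# host the file is /etc/inet/inetd.conf and inetd is told to re-read it
# with 'pkill -HUP inetd'; here a constructed copy is used instead.
# RPC program 100221 is kcms_server, 100083 is rpc.ttdbserverd (ToolTalk).

# rpc_registered PROG : read 'rpcinfo -p' output on stdin and succeed
# (exit 0) if program number PROG is registered with the portmapper.
rpc_registered() {
    awk -v prog="$1" '$1 == prog { found = 1 } END { exit found ? 0 : 1 }'
}

# disable_inetd_service FILE NAME : comment out every active inetd.conf
# line whose server program (field 6) has basename NAME. Returns 0 if a
# line was changed, 1 if nothing matched (FILE is then left untouched).
disable_inetd_service() {
    file=$1
    name=$2
    tmp="$file.tmp.$$"
    if awk -v name="$name" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }  # keep comments, blanks
        {
            n = split($6, p, "/")
            if (p[n] == name) { print "#" $0; changed++ } else print
        }
        END { exit changed ? 0 : 1 }
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Demonstration on a constructed inetd.conf fragment (not a system file).
demo_inetd=$(mktemp)
cat > "$demo_inetd" <<'EOF'
# constructed sample of the two RPC entries the advisory scenario needs
100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd    rpc.ttdbserverd
100221/1  tli  rpc/tcp  wait  root  /usr/openwin/bin/kcms_server   kcms_server
EOF
disable_inetd_service "$demo_inetd" kcms_server && echo "kcms_server entry disabled"
cat "$demo_inetd"
rm -f "$demo_inetd"
```

To check a live host, pipe the real tool into the check: `rpcinfo -p host | rpc_registered 100221`.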

References:
CERT Vulnerability Note VU#850785
http://www.kb.cert.org/vuls/id/850785

SUN Advisory:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50104

Entercept Advisory:
http://www.entercept.com/news/uspr/01-22-03.asp

Council Site Action:
Most of the Council Sites reported that the KCMS service is turned
off per policy or per their secure configuration requirements. Some
of these sites run daily conformance checks on their Solaris
machines.  As a side note, the CIS (Center for Internet Security)
Solaris Benchmark Tool can be used to identify and disable this
service. (http://www.cisecurity.org)

One site reported that they have several Solaris systems on their
network running the kcms_server, exposed to the Internet, and other
Solaris systems running rpc.ttdbserverd, exposed to the Internet. The
exploitation scenario in the published information requires that both
daemons be running on the same system, thus their exposure is low.
Nevertheless, they are already in the process of notifying the owners
of these systems, indicating that there is no patch and that the inetd
service must be removed if the system is going to stay connected to
the network.

Most of the Council Sites reported that RPC services along with
Portmapper are blocked at their perimeter control points/firewalls.


*******************************************************
Other Software
*******************************************************

(2) LOW: Hypermail Attachment Name Buffer Overflow

Affected Products:
Hypermail versions prior to 2.1.6

Description:
Hypermail, an open-source program that converts email messages into
cross-linked HTML pages, contains a buffer overflow that is exploitable
by a malicious email. The problem arises in the handling of large
attachment filenames when the 'progress' display option is set to 2
(this is not the default).

Risk: Compromise of systems running Hypermail with the privileges of
the user running the program.

Deployment: Small.
The affected software is said to be in the Beta development stage,
and the vulnerability is present only in a specific non-default
configuration. However, the program is popular with Unix administrators
providing web-based access to mailing list archives.

Ease of Exploitation: Straightforward.
An attacker sending a malicious email with an over-long attachment name
can overflow a buffer on the stack and control Hypermail's execution.
An example email that will trigger the overflow has been posted.

Status: Vendor confirmed, version 2.1.6 contains the fixes.

References:
Vulnerability Advisory by Ulf Harnhammer:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0042.html

Example Email Message:
http://packetstormsecurity.org/filedesc/hypermail.html

Vendor Web Page:
http://www.hypermail.org/
http://sourceforge.net/projects/hypermail/

Council Site Actions:
Only one Council Site reported use of the Hypermail application.
They have about a dozen systems on their network running Hypermail on
web servers that are exposed to the Internet. They think it is unlikely
any of these systems have the vulnerable version and configuration,
but they have sent inquiries to system owners.

The remaining Council Sites reported the affected software is not in
production or widespread use, thus no action was necessary.

As a side note, be aware that attackers can locate a large number of
potentially vulnerable servers by doing web searches for "hypermail".

**************************************************************


(3) LOW: SpamAssassin spamc BSMTP Buffer Overflow

Affected Products:
SpamAssassin 2.40 - 2.43

Description:
The SpamAssassin spamc daemon contains a buffer overflow vulnerability
when running in Batched SMTP (BSMTP) mode. Attackers can exploit the
flaw to execute arbitrary code by sending a specially crafted email.

Risk: Remote compromise of systems running SpamAssassin's spamc
program, with the privileges of the user running spamc.

Deployment: Moderate.
SpamAssassin is a popular open-source email spam filter for Unix,
but the vulnerability only arises in a specific configuration.

Ease of Exploitation: Variable/Challenging.
This off-by-one vulnerability is not exploitable on all platforms and
distributions. To be most successful, an attacker would need to be
able to identify victims that are running the vulnerable spam filter.

Status: The vulnerability has been confirmed, a source code patch
was posted with the advisory. Fixed software is not yet available
from the vendor.

References:
Advisory by Timo Sirainen
http://archives.neohapsis.com/archives/bugtraq/2003-01/0272.html

Vendor Web Page:
http://spamassassin.org/index.html

Council Site Actions:
Only one Council Site reported use of the affected software.  They are
using the SpamAssassin software on their IMAP servers that are used
for mail reading by their active users. These systems are not running
the vulnerable configuration, thus they have no plans for action at
this time.

The remaining Council Sites reported the affected software is not
in production or widespread use, thus no action was necessary. A
few sites do plan to send information on the vulnerability to the
appropriate support groups as an FYI.


*************************
Exploit Code Information
*************************

(4) Sapphire/Slammer SQL Worm: Vulnerable Non-Microsoft Products

Many non-Microsoft products are vulnerable to the Sapphire/Slammer
worm due to their use of SQL Server/MSDE components.

An extensive list of potentially vulnerable products can be found at
the following URL:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13

Council Site Actions:
All Council Sites reported they block SQL Server UDP and TCP ports
at the perimeter control points/firewalls. Most sites reported zero
infections, although their external gateways and firewalls experienced
periods of heavy traffic.  A few sites did report infections -- the
highest rate was around 50 systems. These sites implemented outbound
filtering of UDP port 1434, although they knew this might cause some
UDP applications to fail at random, since they may use this port as well.
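The outbound port 1434 filtering described above is a containment step; the companion detection step is spotting which internal hosts are spraying UDP/1434 at many destinations. The following is an added example, not from the newsletter or any Council Site: an awk-based check over firewall log lines, with a constructed log format and constructed addresses (adjust the field positions to your firewall's real layout).

```shell
#!/bin/sh
# Added example, not the newsletter's code. Flags sources that reached
# many distinct destinations on udp/1434, the scanning behaviour of an
# infected SQL Server/MSDE host. Log format and addresses are constructed.

# slammer_suspects MIN_TARGETS : read log lines on stdin of the form
#   TIMESTAMP ACTION PROTO SRC:SPORT -> DST:DPORT
# and print "SRC COUNT" for each source that hit at least MIN_TARGETS
# distinct destinations on udp/1434, highest count first.
slammer_suspects() {
    awk -v min="$1" '
        $3 == "udp" {
            split($4, s, ":"); split($6, d, ":")
            # count each (source, destination) pair only once
            if (d[2] == "1434" && !seen[s[1], d[1]]++) targets[s[1]]++
        }
        END {
            for (src in targets)
                if (targets[src] >= min) print src, targets[src]
        }
    ' | sort -k2,2nr
}

# Constructed sample log: 10.1.2.3 hits four distinct hosts on udp/1434
# (one of them twice), 10.1.7.7 hits two, 10.1.2.9 only DNS and tcp/1434.
sample_log='2003-01-25T05:31:02 DENY udp 10.1.2.3:1045 -> 203.0.113.7:1434
2003-01-25T05:31:02 DENY udp 10.1.2.3:1045 -> 198.51.100.22:1434
2003-01-25T05:31:02 DENY udp 10.1.2.3:1045 -> 192.0.2.99:1434
2003-01-25T05:31:02 DENY udp 10.1.2.3:1045 -> 203.0.113.7:1434
2003-01-25T05:31:03 DENY udp 10.1.2.3:1045 -> 192.0.2.5:1434
2003-01-25T05:31:03 ALLOW udp 10.1.2.9:53001 -> 192.0.2.53:53
2003-01-25T05:31:03 ALLOW tcp 10.1.2.9:4120 -> 192.0.2.10:1434
2003-01-25T05:31:04 DENY udp 10.1.7.7:1434 -> 192.0.2.10:1434
2003-01-25T05:31:04 DENY udp 10.1.7.7:1434 -> 192.0.2.11:1434'

# Demonstration: with a threshold of 3 only 10.1.2.3 is reported.
printf '%s\n' "$sample_log" | slammer_suspects 3
```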

Some sites are actively using client inventory and scanning tools
to identify all MSSQL and MSDE based applications, and updating
vulnerable systems as they are identified. One site stated they have
a policy that prohibits the use of Microsoft-based products for any
mission critical services.  All of their Microsoft Windows desktops
are tightly controlled and behind very restrictive firewalls.

***************************************************************

(5) Windows RPC Locator Service Buffer Overflow

Sample exploit code has been created by NGSSoftware but has not been
released to the public. David Litchfield, one of the founders of
NGSSoftware, writes that the company may post the exploit after a
"grace period". This vulnerability is a stack-based buffer overflow
that can be exploited over ports 139 and 445/tcp. An attacker can
send an over-long name to the RPC locator service, causing a buffer
overflow when the locator attempts to search for binding handles
associated with the over-sized name.

NGSSoftware has also released a tool that searches a network for
systems offering the RPC Locator Service. Attackers can analyze the
tool to learn how to interact with the vulnerable service remotely, and
could conceivably extend the tool's source code to include an exploit.
Exploitation is likely to be straightforward.

Background:
This vulnerability was ranked HIGH in last week's CVA newsletter. The
vulnerable service runs by default on Windows NT4/2000 Domain
Controllers but can be configured to run on any Windows NT4/2000/XP
system. The vulnerability yields SYSTEM privileges to successful
attackers.

Exploit Code:
http://archives.neohapsis.com/archives/bugtraq/2003-01/0368.html

Advisory by David Litchfield:
http://archives.neohapsis.com/archives/bugtraq/2003-01/0357.html

Tool to Find Vulnerable Systems from NGSSoftware (binary executable
and source code available):
http://www.nextgenss.com/rpclocator.html

Microsoft Security Bulletin MS03-001:
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

Council Site Actions:
Almost all Council Sites reported activity for this vulnerability.
Many of the sites have already patched their systems, and others are
scheduling the patch installation for the next regularly scheduled
patch update. One site reported that the RPC Locator Service was set
to manual on both the desktop and server systems.

**************************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research Jeff
Forristal and the Neohapsis team scour all of the major vendor
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly five years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce
  servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers.  Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. Recommended response times
corresponding to each of the ratings are given below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion


******************************************************************
Subscriptions:  The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS' other free
newsletters.

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers). You will receive your personal URL via email.

Copyright 2003.  All rights reserved.  No posting is allowed to any
web site, internal or external, without written permission from the
SANS Institute. Email sansro@sans.org for permission.

                         ==end==

