Network Managing, Engineering and Administration with an eye toward security.
Best practices meets the real world!
Wednesday, February 16, 2005
Symantec UPX Parsing Engine Heap Overflow I hope nobody is in the same shape that I'm in. I've been behind in getting Symantec AV 9.0.0 installed and found a break during a conversion to get it rolled out to the clients. For reference it's not required, but I imagine in the future it will be. Then, the day that I'm finishing the last of just under 400 users this comes out: Symantec UPX Parsing Engine Heap Overflow. You guessed it, time to re-roll out a new 9.0.3 version. This time I've got to do every client and every server, reboots included.
This affects almost every product that Symantec produces, so you need to apply the updates. For corporate customers, you need to call a support engineer to get the latest versions. posted by David | 2/16/2005 05:19:00 PM
Microsoft Security Patches Microsoft has been quiet for a while, and now in February they release 13 patches, with 8 of them critical. SANS Internet Storm Center has a great wrap-up of the bulletins, and a suggested order in which to patch them.
They are up to all their usual tricks, including a stealth patch, and the number of vulnerabilities isn't 13 but at least 17. I read in their blog that they had to put out something like 70,000 words and have it translated into at least 8 languages. It would have helped if they had provided something that actually told you what the issues were and how to verify and fix them; the only real info is: patch this (implied: or else). One of my other pet peeves with them is that they don't disclose that at least 2 of these vulnerabilities are at least 4-6 months old. That would help you go through your old logs looking for things that may have happened, especially if something was suspicious.
I'm definitely glad they are working on these patches and putting them out, and yes, I am aware that their target audience isn't very technical. Most of the vulnerabilities are fairly well mitigated if your servers are behind firewalls, but a couple can get past the firewalls, so they need to be patched.
In case you're wondering about the "stealth" patch, check out the previous diary entry to see that it is related to DNS and SMTP. This can affect your Exchange servers. posted by David | 2/16/2005 05:15:00 PM
Wednesday, February 02, 2005
The Weakest Link Ran across this on Bruce Schneier's site and got a laugh out of it. Schneier on Security: The Weakest Link. Make sure you look at the picture. posted by David | 2/02/2005 02:03:00 PM
Thursday, January 27, 2005
Three major Cisco vulnerabilities Cisco has released fixes for three new vulnerabilities. The three are BGP, MPLS, and IPv6 related. All three cause the router to reload IOS, which makes them pretty severe issues.
So far, the worst one appears to be the Misformed BGP Packet Causes Reload problem. A malformed packet can cause IOS to reload, and repeated over and over that is a denial of service. This can be mitigated somewhat by using the BGP MD5 shared secret (TCP MD5 authentication on the peering session), which makes exploitation difficult but not impossible. The IPv6 one shouldn't be too much of an issue due to the lack of production systems. The MPLS one also looks mitigated by the lower number of systems that use MPLS.
You need to check into these issues to see if you need to apply patches to your systems. posted by David | 1/27/2005 08:49:00 AM
Wednesday, January 26, 2005
Linux -vs- Windows, an age old argument I've been doing some investigation lately into the security aspects of Linux, BSD, Solaris, and Windows. Before I go too much further let me just say that all of them have their merits, and to a large degree any of them can be configured securely.
One of the things I've been looking at is the number of vulnerabilities that a product has and the severity of the vulnerabilities. What exactly have I been looking into, you ask? I've seen a number of folks discuss the merits of Windows -vs- Linux and seen little data to back it up. Usually it's Windows -vs- Red Hat, or some such nonsense. It is especially difficult to come up with clear numbers on vulnerabilities on these products as they are "bundled" differently. IE is built into Windows, so do IE vulnerabilities get included, or are they a separate item? Most Linux distros have a large number (some can install upwards of 500) of applications that can be installed with them; do they get included, or are they separate items?
For a while now I've had to keep up with the security patches for our servers. Since we really don't run Linux, and there are so many different versions of Linux to track, I thought it's really difficult to trace the differences in security among the versions. Then I thought about Secunia and their database. Seemed to me that this was a good place to start. I pulled together some information from their database, querying for several different products. The search included Windows 2000 (Pro), XP (Home), 2000 Server, 2003 Server, RedHat 9, Debian 3, SuSE 9, Gentoo 1, RedHat ES 3, SuSE ES 8, Solaris 9, OpenBSD 3, and FreeBSD 5. I was thinking this was a good representation, and pulled the data, which is cataloged quite nicely. Here's a chart of some of what I've found:
A couple of things struck me first off when going over this information. First was the number of vulnerabilities that the Linux/BSD/Solaris systems had. Then I started digging into them, and, as we discussed earlier, the hundreds of applications that Secunia included (which is fine) are counted here. The second thing I noticed was the patched percentage. The BSDs were 100% patched, and many of the Linux variants had 100%, with some just missing at 99% (which may be how Secunia classified them - which again is ok). Now here is a chart showing the Linux/BSD/Solaris -vs- Windows numbers in breakdown:
Notice here the discrepancies between the Unpatched column and the Patched column. It appears that Windows has around 20% more unpatched issues than the Linux/BSD/Solaris average. Given that there were twice as many vulnerabilities in the Linux/BSD average, that's a significant number of Windows advisories that have not been patched. I then checked out the criticality of the advisories, and here is what I found:
When I started looking into the browsers that's when I knew that the numbers like this were just useless. I compared IE6 with Firefox 1, Opera 7, and Safari 1. Here are the numbers that I got:
After seeing this I thought, wow, one of the alternative browsers is really bad, and I found it in a surprising place: Firefox. According to Secunia, Firefox has 6 advisories and 83% of them are unpatched. Then I started digging into why, because I've been a Firefox fan for a while now and haven't found anything that I personally didn't like (e.g. it was my favorite browser) and it always seemed to be much more secure than IE. That's when I found that several of the 6 vulnerabilities (that do need to be fixed) are symptomatic of issues in the standards, and are also listed under the other browsers. I also found that several of the unpatched items are of a low security risk (in fact, Firefox had no issues of a High security risk in the Secunia advisories). This of course skews the results (for all of the products), but also gives the appearance that Firefox is less secure than it really is.
That's when I started realizing that it's really impossible to do this kind of testing. The only kind of testing that could be done like this is comparing the Linux distros to each other, or comparing the BSDs to each other, or comparing Windows to each other. It's too easy to skew the numbers one way or the other depending on how you want the results to play out, and there are too many caveats for those that don't have an agenda (the addendum would be as large as the research paper).
The numbers are interesting in and of themselves, but they prove nothing. I still find them fascinating, and may continue to see if there is a way to level the playing field (hmm, adding advisories from CERT?) but I doubt there is a way as each database of advisories is different in how they categorize issues and some don't include issues that are included in others.
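To make the skew concrete, here is an added example (mine, not part of the original post and not Secunia data): a small scorer over constructed advisory records. Each record carries the product it was filed under, whether it belongs to the core product or a bundled application, a severity, and whether a patch exists. The product names and every number in the sample are invented; they only mirror the shapes described above (a browser with few advisories, mostly unpatched but all low; a distro whose count is dominated by bundled packages). The same records produce a different "worst product" depending on whether you rank by unpatched percentage, by severity-weighted open issues, or by raw total with or without bundled software.

```python
"""Added example: how the same advisory data ranks products differently.

All records below are constructed for illustration; they are not Secunia's
data, and the product names do not refer to real products.
"""
from collections import namedtuple

Advisory = namedtuple("Advisory", "product component severity patched")

# Assumed weights; any monotone scale works for the point being made.
SEVERITY_WEIGHT = {"low": 1, "moderate": 2, "high": 4}


def many(product, component, severity, patched, n):
    return [Advisory(product, component, severity, patched) for _ in range(n)]


# Constructed sample (not real data).
SAMPLE = (
    # browser-A: few advisories, most unpatched, none severe
    many("browser-A", "core", "low", False, 5)
    + many("browser-A", "core", "moderate", True, 1)
    # browser-B: many advisories, mostly patched, but the open ones are severe
    + many("browser-B", "core", "low", True, 10)
    + many("browser-B", "core", "high", True, 6)
    + many("browser-B", "core", "high", False, 3)
    + many("browser-B", "core", "moderate", False, 1)
    # distro-D: ships hundreds of packages; most advisories are in bundled apps
    + many("distro-D", "bundled", "moderate", True, 24)
    + many("distro-D", "core", "high", True, 5)
    + many("distro-D", "core", "high", False, 1)
    # os-C: ships little, so every advisory counts against the core
    + many("os-C", "core", "moderate", True, 9)
    + many("os-C", "core", "high", False, 3)
)


def summarize(advisories, include_bundled=True):
    """Per-product metrics. Dropping bundled components changes totals and
    percentages without changing a single advisory's patch state."""
    out = {}
    for a in advisories:
        if not include_bundled and a.component != "core":
            continue
        m = out.setdefault(a.product, {"total": 0, "unpatched": 0,
                                       "weighted_open": 0, "high_open": 0})
        m["total"] += 1
        if not a.patched:
            m["unpatched"] += 1
            m["weighted_open"] += SEVERITY_WEIGHT[a.severity]
            m["high_open"] += 1 if a.severity == "high" else 0
    for m in out.values():
        m["unpatched_pct"] = round(100.0 * m["unpatched"] / m["total"], 1)
    return out


def ranking(metrics, key):
    """Products ordered worst-first by a single metric."""
    return sorted(metrics, key=lambda p: metrics[p][key], reverse=True)


if __name__ == "__main__":
    full = summarize(SAMPLE)
    core = summarize(SAMPLE, include_bundled=False)
    for key in ("unpatched_pct", "weighted_open", "high_open", "total"):
        print("%-14s worst-first: %s" % (key, ranking(full, key)))
    print("total (core only) worst-first:", ranking(core, "total"))
    print("distro-D total: %d with bundled apps, %d core only"
          % (full["distro-D"]["total"], core["distro-D"]["total"]))
```

Ranked by unpatched percentage, browser-A looks worst; ranked by severity-weighted open issues, browser-B does. The distro's total falls from 30 to 6 once bundled packages are excluded, so whichever way the comparison is cut, the cut itself is the result.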
Just thought you might want to see some of this.
The Register - Security Report: Windows vs Linux
Secunia - Vendor Advisories
NewsForge - Linux and Windows security compared
posted by David | 1/26/2005 08:01:00 PM
Tuesday, January 11, 2005
Microsoft Security Bulletins (3) Microsoft has released three new security bulletins. They include three remote code execution holes.
The first notice, MS05-001, is a cross-domain vulnerability (CAN-2004-1043) affecting Internet Explorer 6. It affects Windows 2000, XP (including SP2), Windows Server 2003, and Windows 98/ME (Note: a default install of Windows Server 2003 is not vulnerable, only if you turned off IE's restricted mode on the server). Although Windows NT is listed as not being "affected", under security updates there is a patch for NT 4. This vulnerability is mitigated by not surfing to a page owned by an attacker.
The second notice (MS05-002) is an update to a previously issued item (MS03-045). It affects NT, 2000, XP (through SP1), Server 2003, and Windows 98/ME. There are two bugs here: Cursor and Icon Format Handling Vulnerability (CAN-2004-1049) and Windows Kernel Vulnerability (CAN-2004-1305). The FAQ notes that the Cursor and Icon Format Handling Vulnerability is a remote code execution issue, and the Kernel Vulnerability is a DOS issue. The remote code execution issue can be mitigated by not surfing to a page owned by an attacker, by updating IE to the latest patches, or by using XP SP2. The denial of service issue is mitigated by installing the latest patches or versions of Outlook Express or Outlook, and also by only viewing messages in plain text.
The third vulnerability listed (MS05-003) is an Indexing Service vulnerability that allows remote code execution (CAN-2004-0897). Please note that this requires that the Indexing Service be turned on and accessible through IIS. In the notes it mentions that Windows 2000 is not affected, though they recommend applying the patch and update (what is the 'security related change' updating then?). This vulnerability is mitigated if the Indexing Service is turned off.
For those of you still running Windows 98, 98SE, and Windows ME, you are out of luck for patches for these issues; you need to upgrade to a system that has patches available. The browser vulnerability is also mitigated by using an alternative browser (like Firefox).
One thing I've noticed for a while now about Microsoft's notices is the incredible complexity they go to describing them. That's why you see groups and security companies like ISC (SANS), and Symantec having security calls the next day to review them. Oh, and don't get me started about printing them out you may need a ream of paper for these three alone.
These three don't look too severe to me at a quick glance due to the requirement that you go to a remote page that carries the exploit, but given that many people click on links in their email and on web pages, it's easy to see how these vulnerabilities can be used for malicious activity. These people are also probably the last ones who would look for these security notices.
[Update: 1-12-2005] I ran across this Secunia advisory that helps fill the gap as to why the first bug is so nasty, but I also noticed that this advisory has not been fixed yet.
[Update: 1-13-2005] SANS's ISC page had a couple of comments that I felt should be mentioned here. They said that eEye believes they can remotely execute code via the Windows Kernel Vulnerability (CAN-2004-1305). In addition, they complain about the "Quality Control" on the vulnerability announcements (one of the CVE notices says DOS, but the patch notes say remote code execution).
posted by David | 1/11/2005 03:07:00 PM
Saturday, January 08, 2005
Linux Kernel Local Privilege Elevation This is a local privilege escalation flaw: it requires an account on the server (a shell, or any way to run code as an unprivileged user) in order to exploit.
This flaw is present in both the 2.4 kernel and the 2.6 kernel. All 2.4 releases through 2.4.29-pre3 are vulnerable, and all releases of the 2.6 kernel through 2.6.10 are also vulnerable.
A flaw in the binary format loader layer, reachable through the uselib() system call, lets a local user gain elevated privileges. Paul Starzetz of ISEC released sample code demonstrating the exploit (CAN-2004-1235) on January 7th, 2005. K-Otik has also posted this code on their web site.
Limiting the users to ones you trust, and keeping a close eye on your servers (and their logs), should mitigate this risk until you have patched your servers.
Patch information can be found in this article at Kernel Trap. Further down in the article it mentions that the recently released 2.4.29-rc1 and 2.6.10-ac kernels have addressed this issue. It also corrects the initial report that 2.4.29-rc1 and rc2 were affected; that turned out to be false. It appears from this Debian bug report that the fix is pending. Quick searches did not turn it up on other distros, so the fixes are either pending or in testing.
Update (1-10-2005): The Kernel Trap discussion includes patches for both the 2.4 and 2.6 kernels; however, these are developer patches for rebuilding the kernel.
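Telling whether a given box falls inside the version ranges quoted above is fiddlier than it looks, because 2.4.29-pre3 sorts before 2.4.29-rc1 and 2.6.10-ac8 sorts after 2.6.10, and because vendor kernels (a Debian "2.6.8-2-386", for instance) backport fixes without bumping the version. The following is an added example of mine, not code from the post or from ISEC: it parses kernel release strings into a sortable form and classifies them against exactly the ranges stated in this post. The `-pre < -rc < final < -ac` ordering and the treatment of anything after the base version as a vendor suffix are my assumptions; the post does not say which 2.6.10-ac revision or which mainline 2.6 release carries the fix, so those come back as "check" rather than "fixed".

```python
"""Added example: classify a Linux kernel version against the CAN-2004-1235
ranges quoted in the post. Not the post's own tooling; see assumptions below."""
import os
import re

# Assumed ordering of release tags within one x.y.z version:
#   x.y.z-preN < x.y.z-rcN < x.y.z < x.y.z-acN   (-ac patches sit on top of the release)
_TAG_ORDER = {"pre": 0, "rc": 1, None: 2, "ac": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(pre|rc|ac)(\d+))?(.*)$")


def parse_kernel_version(release):
    """'2.4.29-pre3' -> ((2, 4, 29, 0, 3), vendor_suffix)

    The tuple sorts in release order; vendor_suffix is whatever trails the
    upstream version (Debian/Red Hat builds), empty for a vanilla kernel."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % release)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag, num, rest = m.group(4), m.group(5), m.group(6)
    key = (major, minor, patch, _TAG_ORDER[tag], int(num) if num else 0)
    return key, rest


# Boundaries exactly as stated in the post.
_LAST_VULN_24 = parse_kernel_version("2.4.29-pre3")[0]
_FIRST_FIXED_24 = parse_kernel_version("2.4.29-rc1")[0]
_LAST_VULN_26 = parse_kernel_version("2.6.10")[0]


def classify(release):
    """Return (status, reason) with status in {'vulnerable', 'fixed', 'check'}.

    'check' means the post gives no verdict for this version, or the kernel is a
    vendor build whose fix may be backported without a version change."""
    key, vendor = parse_kernel_version(release)
    if vendor:
        return "check", "vendor kernel (suffix %r); consult the distribution's advisory" % vendor
    series = key[:2]
    if series == (2, 4):
        if key <= _LAST_VULN_24:
            return "vulnerable", "2.4 kernels through 2.4.29-pre3 are affected"
        if key >= _FIRST_FIXED_24:
            return "fixed", "2.4.29-rc1 and later contain the fix"
        return "check", "between 2.4.29-pre3 and 2.4.29-rc1; not covered by the post"
    if series == (2, 6):
        if key <= _LAST_VULN_26:
            return "vulnerable", "2.6 kernels through 2.6.10 are affected"
        return "check", "newer than 2.6.10; the post names 2.6.10-ac as fixed but no specific revision"
    return "check", "%d.%d series is not discussed in the post" % series


if __name__ == "__main__":
    running = os.uname().release
    print("%s: %s (%s)" % ((running,) + classify(running)))
    for v in ("2.4.28", "2.4.29-pre3", "2.4.29-rc1", "2.6.9", "2.6.10", "2.6.10-ac8", "2.6.8-2-386"):
        print("%-14s %-10s %s" % ((v,) + classify(v)))
```

The version key is what makes the comparison honest: a naive string or float comparison would put 2.4.29-pre3 after 2.4.29 and 2.6.9 after 2.6.10.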
posted by David | 1/08/2005 05:59:00 PM
Friday, January 07, 2005
Vulnerability Scanning We've been talking about this lately at work, so it's a good subject to start with.
We're all probably familiar with the 'Penetration Test' that scans external access to a network to see what vulnerabilities exist. What I'm referring to is an internal scan to see what vulnerabilities exist. Running an internal vulnerability scan can spark a debate, mostly about the differences between perimeter hardening and defense in depth. The idea with perimeter hardening is that everything malicious is stopped at the border, and internally it is stopped with application or network login access rights. Defense in depth goes one step further by adding additional layers of security on the network. These layers include monitoring and testing systems for vulnerabilities, which is where internal vulnerability scanning comes in. A nice article that I found over at CERT pointed out that with proper security you need to Secure, Monitor, Audit/Test, and then Manage and Improve.
I did a quick Google search for vulnerability scanners and found different types of products to meet different needs. You can go from simple port scanners (nmap, SuperScan, etc.), to vulnerability scanners (Nessus, Retina, etc.), to OS-specific scanners (HFNetChk, MBSA, etc.).
I believe you can't have enough tools to perform these kinds of tests, and one of the best ways to get a collection of them is through ISOs of whole systems that have been set up and designed to give you every tool you can think of. There are several of these, including Knoppix, Knoppix STD, F.I.R.E., Helix, Plan-B, etc. They are great to get you started because you just boot up and away you go; reboot and you're back to your desktop. Some of them also offer forensics capabilities (which is a subject for another day). Be warned: do not use many of these tools on a production network until you know what they do. Some of them can cause problems for production systems (heck, even nmap can) even if they are fully patched.
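The simplest tool in that list, the port scanner, is small enough to show in full, and writing one makes the "know what the tool does" warning concrete. The following is an added example of mine (not from the post and not from nmap or any other listed tool): a sequential TCP connect() scan with an explicit per-port timeout and an optional pause between probes, reporting open, closed and filtered the way nmap does. The `demo()` function is constructed so the block runs offline against the loopback interface; the hosts, ports and pacing defaults are assumptions for illustration. Even this gentle version completes a full handshake with every listener it touches, which is exactly what some fragile services object to, so try it on a test segment first.

```python
"""Added example: a minimal, deliberately gentle TCP connect() port scanner.
Not the post's code, and not a substitute for nmap; see the lead-in."""
import socket
import time


def parse_port_spec(spec):
    """'22,80,8000-8002' -> [22, 80, 8000, 8001, 8002] (nmap-style port list)."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def scan_ports(host, ports, timeout=0.5, pause=0.0):
    """Sequential connect() scan. Returns {port: 'open'|'closed'|'filtered'|'error'}.

    'closed'   - the host answered with RST: it is up, nothing is listening
    'filtered' - nothing came back inside the timeout, typically a firewall
                 dropping the SYN
    One connection at a time plus an optional pause keeps the load predictable."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except socket.timeout:
            states[port] = "filtered"
        except ConnectionRefusedError:
            states[port] = "closed"
        except OSError:
            states[port] = "error"  # unreachable network, permission, etc.
        finally:
            s.close()
        if pause:
            time.sleep(pause)
    return states


def demo():
    """Self-contained run against loopback (constructed setup, not a real target):
    one listening port and one port we know is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))  # grab an ephemeral port, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "states": states}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print("127.0.0.1:%d %s" % (port, state))
    # Typical interactive use (assumed host and port list):
    # print(scan_ports("192.0.2.10", parse_port_spec("22,25,80,443,8000-8010"), pause=0.1))
```

Against real hosts, a long run of "filtered" results usually means a firewall is silently dropping your probes rather than that nothing is there; a connect() scan cannot tell those apart, which is one reason the vulnerability scanners in the list above do considerably more than this.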
I'm a big fan of defense-in-depth, and agree with both monitoring and testing systems. This goes hand in hand with security being a process, not a setup and forget system.
Security Quick Links:
Great CERT chart about changing focus - http://www.cert.org/governance/ges-shifts.html
Defense in Depth - http://www.nwfusion.com/columnists/2004/081604johnson.html
Email explaining Defense in Depth - http://www.securityfocus.com/archive/105/380109
Nice whitepaper at GIAC - http://www.giac.org/practical/gsec/Adam_Straub_GSEC.pdf
Link at bottom of "more that you can do" - http://www.symantec.com/smallbiz/library/depth.html
Thomas Schwarz, Santa Clara University - http://www.cse.scu.edu/~tschwarz/coen350_03/Lectures/defdep.html
posted by David | 1/07/2005 01:15:00 AM