
How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researchers have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is considerably more difficult, and typically requires ISP-level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulate the negotiations to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times, so the attack requires the same data to be sent over newly created SSLv3 connections hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious JavaScript into your web session. This JavaScript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients and apps on your mobile device. Since this attack relies on malicious JavaScript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4. So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.
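To make the padding point in step 3 concrete, here is an added illustration (not code from this post, from OpenSSL, or from the POODLE paper) of the difference between the SSLv3 and TLS 1.x CBC padding checks on an already-decrypted record. The plaintext and MAC bytes in the samples are constructed placeholders, and a 16-byte (AES) block size is assumed.

```python
# Added illustration of the SSLv3 vs TLS 1.x CBC padding checks. Not code from
# the post, from OpenSSL, or from the POODLE paper. Both functions operate on a
# CBC record body that has already been decrypted; in SSL/TLS that body has the
# layout  plaintext || MAC || padding || padding_length.

from typing import Optional

BLOCK_SIZE = 16  # AES block size, assumed for the constructed samples below


def strip_padding_sslv3(record: bytes, block_size: int = BLOCK_SIZE) -> Optional[bytes]:
    """SSLv3 padding check (RFC 6101, section 5.2.3.2).

    Only the final byte, the padding length, is examined: it must keep the
    padding shorter than one cipher block. The padding bytes themselves are
    never inspected, so a record whose padding was altered in transit is
    indistinguishable from a clean one. When the last block is padding only,
    the length byte must equal block_size - 1, which is the single-byte
    condition behind the "1 in 256" figure in the post.
    Returns plaintext||MAC, or None if the padding is rejected.
    """
    if not record:
        return None
    pad_len = record[-1]
    if pad_len >= block_size or pad_len + 1 > len(record):
        return None
    return record[: len(record) - pad_len - 1]


def strip_padding_tls(record: bytes) -> Optional[bytes]:
    """TLS 1.0+ padding check (RFC 2246 / RFC 5246, section 6.2.3.2).

    Every padding byte must equal the padding length byte, and up to 255
    bytes of padding are allowed, so tampered padding is detected.
    Returns plaintext||MAC, or None if the padding is rejected.
    """
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    padding = record[len(record) - pad_len - 1 : -1]
    if any(b != pad_len for b in padding):
        return None
    return record[: len(record) - pad_len - 1]


def compare(record: bytes) -> dict:
    """Run both checks on one decrypted record and report what each accepts."""
    return {"sslv3": strip_padding_sslv3(record), "tls": strip_padding_tls(record)}


# Constructed samples. FAKE_MAC stands in for a real 20-byte HMAC-SHA1.
FAKE_MAC = b"\xAA" * 20
# 4 bytes of plaintext + 20 bytes of MAC = 24 bytes, padded to 32 with seven
# 0x07 bytes followed by the length byte 0x07: well formed under both protocols.
GOOD = b"GET " + FAKE_MAC + b"\x07" * 7 + b"\x07"
# Same record, but the seven padding bytes are garbage; only the length byte is intact.
GARBAGE_PAD = b"GET " + FAKE_MAC + b"\x11\x22\x33\x44\x55\x66\x77" + b"\x07"
```

`compare(GARBAGE_PAD)` shows the asymmetry: SSLv3 still returns the plaintext and MAC, while TLS rejects the record.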

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s JavaScript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is in the lower-medium range of their severity scale. Though many of the media outlets reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization.

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSV, which essentially prevents MitM attackers from forcing clients to downgrade to a weaker encryption protocol. Many Linux distributions and other SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:
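For the server side, the following is an added example (not code from this post or from WatchGuard) that sends a bare SSLv3-only ClientHello to a server you administer and reports whether it answers with an SSLv3 ServerHello or rejects the handshake. The host, port and cipher-suite list are assumptions; raw sockets are used because modern OpenSSL builds, and therefore Python’s ssl module, no longer speak SSLv3 at all.

```python
# Added example, not code from the post or from WatchGuard: send a minimal
# SSLv3-only ClientHello to a server you administer and report whether it
# still completes an SSLv3 handshake after you have disabled the protocol.

import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # record and handshake version number for SSLv3

# Cipher suites typical SSLv3 stacks offered (IANA code points, assumed list).
# Any one accepted by the server is enough to show SSLv3 is still enabled.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_sslv3_client_hello(client_random: bytes = None) -> bytes:
    """Build one SSLv3 record carrying a ClientHello that offers only SSLv3."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                        # client_version = 3.0
        + client_random                              # gmt_unix_time + random bytes
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    # Handshake header: msg_type 1 (ClientHello) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: ContentType 22 (handshake), version 3.0, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record (or lack of one) the server sends back."""
    if len(data) < 6:
        # Connection closed without a record: SSLv3 was not negotiated. Some
        # servers drop unsupported versions silently, so confirm with a second tool.
        return "no-response"
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and version == SSLV3 and data[5] == 0x02:
        return "sslv3-accepted"   # ServerHello at version 3.0: SSLv3 is still enabled
    if content_type == 0x15:
        return "sslv3-rejected"   # Alert, usually handshake_failure(40) or protocol_version(70)
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify whatever comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < 6:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, timed out, or reset: no SSLv3 handshake took place
        return "no-response"
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # a host you administer
    print(f"{target}: {probe(target)}")
```

A result of "sslv3-rejected" or "no-response" after your change is what you want to see; "sslv3-accepted" means the server still negotiates SSLv3.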

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3, so mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine also supports SSLv3, and you can’t currently disable it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances’ administrative Web UI uses SSLv3, and you currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As for client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release an update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)


Bash or “Shellshock” vulnerability

Summary
News is breaking about a major new high severity vulnerability, CVE-2014-6271, with widespread impact. The GNU Bourne-again shell (Bash) is a UNIX-like command shell that is included in most distributions of Linux and also Apple OS X. The vulnerability allows an attacker to create environment variables that include malicious code before the system calls the Bash shell. The nature of the exposure can vary depending on how Bash is used, but it can lead to arbitrary command execution on affected systems. There are reports that it has already been exploited in the wild.

Are WatchGuard products affected?
No Firebox or XTM models are affected. The Fireware operating system is hardened to remove any unnecessary features, and does not include a Bash shell. WatchGuard Wireless Access Points, SSL 100 and 560, XCS, and QMS also do not include or install Bash. They are not vulnerable.

The Linux distribution included in WatchGuard Dimension includes bash, but the exposure to this vulnerability is low since Dimension does not use AcceptEnv or CGI. Nevertheless, Dimension automatically downloads security updates for its Linux components. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

Solution Path
Download and deploy patches from your vendors immediately.

For WatchGuard Users
The WatchGuard IPS signature team has developed and released a signature to identify exploits of the Bash vulnerability. It is included in signature set 4.454. If your Firebox and XTM appliances are configured to receive automatic updates, you will get the new signature.

We’ll keep this post updated as more news is available.

References:

Security Blog - Redhat
Concerns over Bash vulnerability grow - Ars Technica

Adobe Patches Flash but Delays Reader Update

Summary:

  • This vulnerability affects: Adobe Flash Player running on all platforms and Adobe Air
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released this week during Patch Day, Adobe released an update that fixes a dozen security vulnerabilities affecting Flash Player running on any platform. The bulletin doesn’t describe the flaws in much technical detail, but does say most of them consist of various types of memory corruption flaws. If an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though attackers aren’t exploiting these flaws in the wild yet, Adobe rates them as “Priority 1” issues for Windows, Mac, and Linux users, and recommends you apply the updates within 72 hours. These vulnerabilities also affect other platforms, though not as severely. I recommend you update any Flash capable device as soon as you can.

As an aside, though Adobe promised a Reader update this month, they seem to have delayed it for some reason. You may want to keep an eye on Adobe’s Security page for more updates.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome or Internet Explorer 10 or 11, you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .flv – Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives.)
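To show why that caveat matters, here is an added example (not WatchGuard’s proxy code) that applies the extension, MIME-type and magic-byte indicators listed above to a downloaded object and reports which of them are strong enough to block on alone. The FLA header is the generic OLE2 compound-document signature, so on its own it also matches ordinary Office files; the sample objects are constructed.

```python
# Added example for this post, not WatchGuard's proxy code: apply the three
# kinds of Flash indicators listed above and separate the definitive ones
# (FLV magic bytes, video/x-flv) from the ambiguous ones (OLE2 header, mp4
# MIME types), which would produce the false positives the post warns about.

from typing import Optional

FLASH_EXTENSIONS = {".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_MIME_TYPES = {"video/x-flv"}                   # unique to Flash video
AMBIGUOUS_MIME_TYPES = {"video/mp4", "audio/mp4"}    # also used by non-Flash media

FLV_MAGIC = bytes.fromhex("464C5601")                # "FLV" + version byte 1
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # .fla, but also .doc/.xls/.msi


def classify(filename: str, mime_type: Optional[str], head: bytes) -> dict:
    """Evaluate one object against the three indicator types.

    Returns a dict with a 'block' decision, a 'suspicious' flag for objects
    that only matched ambiguous indicators, and the reasons behind both.
    An extension alone is weak (trivially renamed), so it only confirms a
    match when an ambiguous body or MIME indicator is also present.
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    definitive = False
    suspicious = False

    if head.startswith(FLV_MAGIC):
        definitive = True
        reasons.append("magic bytes 46 4C 56 01 (FLV)")
    elif head.startswith(OLE2_MAGIC):
        suspicious = True
        reasons.append("OLE2 header D0 CF 11 E0 A1 B1 1A E1 (FLA, but also Office documents)")

    if mime_type in FLASH_MIME_TYPES:
        definitive = True
        reasons.append(f"MIME type {mime_type}")
    elif mime_type in AMBIGUOUS_MIME_TYPES:
        suspicious = True
        reasons.append(f"MIME type {mime_type} (not Flash-specific)")

    if ext in FLASH_EXTENSIONS:
        reasons.append(f"extension {ext}")
        if suspicious:
            definitive = True      # ambiguous indicator + Flash extension: treat as Flash
        else:
            suspicious = True      # extension alone: flag, do not block

    return {"block": definitive, "suspicious": suspicious and not definitive, "reasons": reasons}


# Constructed sample objects: (filename, MIME type, first bytes of the body).
SAMPLES = [
    ("clip.flv", "video/x-flv", b"FLV\x01\x05\x00\x00\x00\x09"),
    ("movie.fla", None, OLE2_MAGIC + b"\x00" * 8),
    ("quarterly.doc", "application/msword", OLE2_MAGIC + b"\x00" * 8),   # same header, not Flash
    ("song.mp4", "audio/mp4", b"\x00\x00\x00\x18ftypmp42"),               # ambiguous MIME only
]
```

Run over the samples, only the first two are blocked; the Word document and the MP4 are flagged but not blocked, which is the behaviour you want from a rule built on non-unique patterns.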

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Windows 8.x and Server 2012 Suffer From Local EoP Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Windows 8.x, Server 2012, and RT
  • How an attacker exploits it: By running a specially crafted application
  • Impact: A local low privileged attacker can gain SYSTEM privileges on your Windows computers
  • What to do: Deploy the appropriate update at your convenience, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft described an Elevation of Privilege (EoP) vulnerability that affects the latest versions of Windows—specifically, Windows 8.x, Server 2012, and RT.

The flaw lies in the Windows Task Scheduler, a service that allows you to automate the execution of tasks at certain times. Microsoft doesn’t describe the vulnerability in much detail, only saying the Task Scheduler does not properly check the integrity of tasks. By running a specially crafted application, an underprivileged local attacker could take advantage of this to execute programs with full SYSTEM privileges. Of course, the local attacker would have to log into a vulnerable system using valid credentials, which significantly lowers the impact of this flaw.

Solution Path:

You should download, test, and deploy the appropriate Windows update immediately, or let Windows Automatic Update do it for you. You can find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s Windows security bulletin.

For All WatchGuard Users:

This is a local vulnerability. We recommend you install Microsoft’s update to completely protect yourself from this flaw.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Corrects Lync Server and .NET Framework DoS Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: Lync Server and .NET Framework
  • How an attacker exploits them: Various, including by sending maliciously crafted packets or launching specially crafted calls
  • Impact: An attacker could slow down or disrupt connections to the server, or stop it from responding at all.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix a pair of Denial of Service (DoS) vulnerabilities in two of their products: Lync Server and the .NET Framework. If you use either of these products, you should update them as soon as you can. We summarize the two DoS bulletins below:

  • MS13-053: .NET Framework DoS Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. It suffers from a DoS vulnerability involving the way it handles communications that are hashed. In short, if a remote attacker sends a small number of specially crafted packets to a server that uses .NET Framework ASP applications, he can cause the server to slow down, and eventually stop responding. If you have any public servers or web applications that use .NET, you should download and install the update as soon as possible.

Microsoft rating: Important

Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from three vulnerabilities, including a DoS flaw involving the way it handles specially crafted calls. By sending a malicious call to your Lync server, a remote attacker can exploit the DoS flaw to cause the Lync Server to stop responding. If you rely on Lync for communications, you should patch your servers as soon as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released patches that correct both these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Though you can use your XTM appliance to block the ports necessary for Lync, or use application control to restrict it, this would prevent you from using it externally at all. Right now, Microsoft’s patches are your best solution to these issues.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Mega IE Update Corrects 37 Vulnerabilities; Including Zero Day

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft posted an update that fixes 37 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

All but one of the vulnerabilities described in this alert are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attacker could potentially gain full control of your computer.

These types of memory corruption vulnerabilities are ideal for attackers launching drive-by download attacks—a class of attack where malicious code hidden on a web page can silently install malware on your computer. Today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way. In fact, one of today’s fixes closes a zero day vulnerability that attackers have exploited in the wild. I highly recommend you install this update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4094)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -1 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability -2 (CVE-2014-4092)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4089)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as you can. You should also install the other updates; however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem-causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now. — Corey Nachreiner, CISSP (@SecAdept).

Avoid MS14-045; Windows Kernel-mode Drivers Patch

Last week, I covered Microsoft Patch Day and recommended you install all the latest Windows, IE, Office, and server updates. This week, I need to warn you against one of those updates.

According to recent reports, the Windows kernel-mode driver update (MS14-045) is causing some computers to have blue screens of death (BSOD). If you haven’t installed this update yet, I recommend you avoid it until further notice. If you have installed it, and have suffered issues, Microsoft has shared instructions on how to remove it.

In the past, I’ve argued that Microsoft’s QA has gotten better, with fewer crash-inducing updates. I guess they’re still not perfect. In general, this is a great example of why you should always test updates before pushing them into production. You can do this by maintaining a virtual version of your infrastructure and testing updates there. — Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend SharePoint and OneNote

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products like OneNote and SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released two security bulletins that fix a like number of vulnerabilities in OneNote and SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-048: OneNote Code Execution Vulnerability

OneNote is a collaborative, multiuser note taking application that ships with Office. It suffers from an unspecified vulnerability having to do with how it handles specially crafted OneNote files. If an attacker can lure you into opening such a file, she could exploit this flaw to execute code on your computer, with your privileges. As usual, if you are a local administrator, the attacker gains complete control of your PC.

Microsoft rating: Important

  • MS14-050: SharePoint Elevation of Privilege Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. It suffers from a privilege escalation vulnerability. SharePoint offers an extensibility model that allows you to create apps that can access and use SharePoint resources. However, SharePoint suffers some unspecified flaw that allows specially crafted apps to bypass permission management. In short, by running a specially crafted application, an attacker may be able to access all the SharePoint resources of the currently logged-in user.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment, especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

We recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



SQL Server Update Fixes XSS and DoS Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Most current versions of SQL Server
  • How an attacker exploits it: Various, including enticing someone to click a specially crafted link
  • Impact: In the worst case, an attacker can steal your web cookie, hijack your web session, or essentially take any action you could on the SQL server
  • What to do: Deploy the appropriate SQL Server updates as soon as possible

Exposure:

SQL Server is Microsoft’s popular database server. According to Microsoft’s security bulletin, SQL Server suffers from both a Cross-site Scripting (XSS) and Denial of Service (DoS) vulnerability.

The XSS flaw poses the most risk. The SQL Master Data Services (MDS) component suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly encode output. By enticing someone to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into that user’s web browser. This could allow the attacker to steal that user’s web cookie, hijack the web session, or essentially take any action that user could on your SQL Server’s associated web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

The DoS flaw poses less risk, but is worth patching too. Essentially, if an attacker can send specially crafted queries to your SQL server, he could lock it up. However, since most administrators block SQL queries from the Internet, the attacker would have to reside on the local network to launch this attack.

Solution Path:

Microsoft has released SQL Server updates to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.

As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.

For All WatchGuard Users:

Since attackers might launch some of these attacks locally, we recommend you download, test, and apply the SQL Server patches as quickly as possible.

Status:

Microsoft has released updates to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


