WatchGuard posts maintenance releases for e-Series and XTM 21/22/23 appliances.

WatchGuard has posted Fireware XTM OS 11.3.7 for e-Series and 11.6.7 for XTM 21/22/23 appliances. Along with providing significant bug fixes, these releases enable Commtouch as the anti-spam solution provider. Both releases also include a fix for the buffer overflow vulnerability reported last week at WatchGuard Security Center. The Release Notes provide a complete list of all issues resolved in each software release.

Note: There is no corresponding update to WSM.

Does This Release Pertain to Me?

Customers with an XTM 21/21-W, 22/22-W, or 23/23-W appliance should upgrade to version 11.6.7. Customers with e-Series appliances should upgrade to 11.3.7.

Please read the 11.6.7 Release Notes and the 11.3.7 Release Notes before you upgrade, to understand what’s involved.

Note: These updates do not apply to customers with XTM 25 or higher appliances.

How Do I Get the Release?

XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller»

WatchGuard’s XTM 11.8 Software Fixes Buffer Overflow & XSS Vulnerabilities

Overall Severity: High

Summary:

  • These vulnerabilities affect: WatchGuard WSM and Fireware XTM 11.7.4 and earlier
  • How an attacker exploits them: Either by enticing an XTM administrator into clicking a specially crafted link or by visiting the appliance’s web management UI with a malicious cookie
  • Impact: In the worst case, an attacker can execute code on the XTM appliance (see mitigating factors below)
  • What to do: Install WSM and Fireware XTM 11.8 (and limit access to the XTM web management interface)

Exposure:

Last week, we released WSM and Fireware XTM 11.8, which delivers a number of powerful new features to XTM administrators. However, it also fixes two externally reported security vulnerabilities. Though both vulnerabilities have mitigating factors that somewhat limit their severity, you should still patch them quickly.

If you haven’t already installed 11.8 for its great new features, we recommend you install it for these security fixes. We summarize the two vulnerabilities below:

WGagent is one of the processes running on an XTM appliance. Among other things, WGagent is responsible for parsing the web cookies sent to the appliance’s web management interface. It suffers from a buffer overflow vulnerability involving its inability to handle specially crafted cookies containing an overly long “sessionid.” By creating a maliciously crafted cookie, and then connecting to your XTM appliance’s web management interface (tcp port 8080), an unauthenticated attacker can exploit this vulnerability to execute code on the appliance. Though the WGagent process runs with low privileges (nobody) and from a chroot jail, it does have enough privilege to access your appliance’s configuration file and change passwords. So we consider this a significant vulnerability.

That said, one mitigating factor somewhat limits its severity. An attacker can only exploit the flaw if he has access to your XTM appliance’s web management interface. By default, physical XTM appliances only allow web management access to the trusted network. As long as you haven’t specifically changed the WatchGuard Web UI policy to allow external access, Internet-based attackers cannot exploit this flaw against you.

However, this is not the case for XTMv users (the virtual version of our XTM platform). As a virtual appliance, XTMv has no concept of what is internal or external until you attach its virtual interfaces to physical ones, using your hypervisor software. To make its setup easier, XTMv allows access to the web management UI from all interfaces. In other words, this flaw poses a higher risk to XTMv appliances if you haven’t restricted the web management policy manually.

Security best practices suggest that you limit access to your security appliance’s management interfaces. If you configure the WatchGuard Web UI policy to limit access to the management interface to only those you trust, this flaw should pose minimal risk. In any case, we still consider it a significant vulnerability, and recommend you upgrade to Fireware XTM 11.8 to fix it.
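To make the bug class concrete, here is an added example of a cookie parser in the shape the alert describes: a “sessionid” value copied into a fixed-size buffer. This is illustrative code written for this post, not WGagent’s source; the buffer size (SESSIONID_MAX), the cookie names and the sample header are assumptions. The vulnerable handler is shown beside a hardened one that rejects any value that does not fit before copying it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not WatchGuard's WGagent source code. It illustrates the bug
 * class the advisory describes: a cookie parser that copies "sessionid" into a
 * fixed-size buffer. SESSIONID_MAX is an assumed size for illustration only. */

#define SESSIONID_MAX 32            /* assumed fixed buffer size */

/* Find the value of cookie 'name' in a Cookie header such as
 * "lang=en; sessionid=abc123; theme=dark". Returns a pointer to the first
 * byte of the value and stores its length in *len, or NULL if absent. */
static const char *find_cookie(const char *header, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while (*p) {
        while (*p == ' ' || *p == ';')          /* skip separators */
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, ';');                     /* advance to the next cookie */
        if (!p)
            break;
    }
    return NULL;
}

/* VULNERABLE: copies the value into a 32-byte stack buffer without checking
 * its length. A sessionid of 32 bytes or more writes past the end of 'buf'
 * and corrupts the stack frame, which is the class of bug the advisory
 * describes. Never call this with untrusted input. */
int handle_session_vulnerable(const char *header)
{
    char buf[SESSIONID_MAX];
    size_t len;
    const char *v = find_cookie(header, "sessionid", &len);

    if (!v)
        return -1;
    memcpy(buf, v, len);                        /* no bound check on len */
    buf[len] = '\0';
    return (int)strlen(buf);                    /* stand-in for the session lookup */
}

/* HARDENED: the value must fit in the caller's buffer, otherwise the
 * request is rejected before anything is copied. */
int handle_session_hardened(const char *header, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_cookie(header, "sessionid", &len);

    if (!v)
        return -1;                              /* no sessionid cookie */
    if (len >= outsz)
        return -2;                              /* too long: reject the request */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper: runs the hardened parser against a local buffer and
 * returns its result code (value length on success, negative on rejection). */
int check_cookie(const char *header)
{
    char out[SESSIONID_MAX];
    return handle_session_hardened(header, out, sizeof out);
}

/* Constructed sample: a Cookie header whose sessionid is 200 bytes long,
 * the kind of input that overflows the vulnerable parser. */
const char *long_cookie_sample(void)
{
    static char hdr[256];
    size_t n = (size_t)snprintf(hdr, sizeof hdr, "sessionid=");
    memset(hdr + n, 'A', 200);
    n += 200;
    snprintf(hdr + n, sizeof hdr - n, "; path=/");
    return hdr;
}

int main(void)
{
    const char *benign = "lang=en; sessionid=abc123; theme=dark";   /* constructed */

    printf("vulnerable, benign cookie: %d\n", handle_session_vulnerable(benign));
    printf("hardened, benign cookie:   %d\n", check_cookie(benign));
    printf("hardened, 200-byte cookie: %d\n", check_cookie(long_cookie_sample()));
    /* handle_session_vulnerable(long_cookie_sample()) would smash the stack. */
    return 0;
}
```

The fix is the single length check before the copy; the vulnerable function is kept only to show the pattern, and the sample program deliberately never feeds it the long cookie.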

We’d like to thank Jerome Nokin and Thierry Zoller from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering and responsibly disclosing this flaw, and thank the CERT team for coordinating the disclosure and response.

Update: If you’d like to read a very detailed report on how the researcher found this vulnerability, visit his blog.

Severity rating: High

  • Reflective XSS vulnerabilities in WatchGuard Server Software’s WebCenter (CVE-2013-5702)

WebCenter is the web-based logging and reporting UI that ships with the Server Software included with WSM. The WebCenter web application suffers from a few cross-site scripting (XSS) vulnerabilities involving some of its URL parameters. If an attacker can trick your XTM or WebCenter administrator into clicking a specially crafted link, he could exploit these vulnerabilities to execute script in that user’s browser, under the context of the WebCenter application. Among other things, this means the attacker could do anything in the WebCenter application that your user could do.

However, it would take significant interaction for this attack to succeed. It is a reflected XSS attack, which means the attacker must trick a WebCenter administrator into clicking a link before the attack can take place. Furthermore, the link does not bypass WebCenter’s authentication. This means that unless the victim is already logged on to WebCenter, she would also have to enter her WebCenter credentials before this malicious link would work. Despite these mitigating factors, we still recommend you install 11.8 to fix these XSS flaws quickly.
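The reflected XSS pattern, as an added example written for this post rather than WebCenter’s own code: a URL parameter written straight into the page, beside the output encoding that neutralises it. The page template, the parameter name q and the sample payload are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not WebCenter's code. It shows the reflected XSS pattern
 * the advisory describes: a URL parameter written straight into the page,
 * beside the output encoding that neutralises it. The page template and the
 * parameter name 'q' are assumptions for illustration. */

/* Escape the characters that change meaning in HTML text and attribute
 * context. Returns bytes written (excluding the NUL), or -1 if 'out' is
 * too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t rl;

        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        rl = strlen(rep);
        if (n + rl >= outsz)
            return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* VULNERABLE: reflects the parameter verbatim. A link such as
 *   /search?q=<script>alert(document.cookie)</script>
 * makes the victim's browser run the attacker's script in the application's
 * origin. Returns the page length, or -1 if it does not fit. */
int render_unsafe(const char *q, char *page, size_t pagesz)
{
    int n = snprintf(page, pagesz, "<p>Results for: %s</p>", q);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : n;
}

/* HARDENED: encode before reflecting, so the same input renders as text. */
int render_safe(const char *q, char *page, size_t pagesz)
{
    char esc[512];
    int n;

    if (html_escape(q, esc, sizeof esc) < 0)
        return -1;
    n = snprintf(page, pagesz, "<p>Results for: %s</p>", esc);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : n;
}

/* Cheap check for the example: does the rendered page contain a script tag? */
int contains_script_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

/* Wrappers returning static buffers, so each renderer's output can be
 * examined by name. */
const char *page_unsafe(const char *q)
{
    static char page[1024];
    render_unsafe(q, page, sizeof page);
    return page;
}

const char *page_safe(const char *q)
{
    static char page[1024];
    render_safe(q, page, sizeof page);
    return page;
}

int main(void)
{
    const char *payload = "<script>alert(document.cookie)</script>";  /* constructed */

    printf("unsafe: %s\n", page_unsafe(payload));
    printf("safe:   %s\n", page_safe(payload));
    return 0;
}
```

Encoding at the point of output is what matters: the same five characters must be escaped wherever untrusted input lands in HTML text or attributes, and an escape buffer that is too small is treated as an error rather than truncated.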

We’d like to thank Julien Ahrens of RCE Security for bringing this matter to our attention, and disclosing it responsibly.

Severity rating: Medium

Solution Path:

WatchGuard Fireware XTM and WSM 11.8 correct both of these security issues. We recommend you download and install 11.8 to fix these vulnerabilities. You can find more details about 11.8 in our software announcement post.

For older appliances, Fireware XTM 11.3.7 (e-Series) and 11.6.7 (XTM 21, 22, and 23) also correct this buffer overflow vulnerability.

If, for some reason, you are unable to update your XTM appliances immediately, a few simple workarounds can significantly mitigate these vulnerabilities.

  • Restrict access to your appliance’s web management UI using the WatchGuard Web UI policy. By default, our physical appliances do not allow external access to the web management UI, meaning Internet-based attackers can’t exploit this cookie buffer overflow flaw. If you like, you can fine-tune our policy even more, further limiting access. For instance, you can restrict access to very specific IP addresses or subnets, use our user authentication capabilities to restrict access to certain users, or use our mobile VPN options to restrict access to VPN users. The more you limit access, the less likely an attacker could exploit this flaw.
  • Limit access to WebCenter, and train administrators against clicking unsolicited links. If you like, you can also use your XTM appliance and local host firewall policy to limit access to WebCenter (running on tcp port 4130 on your WatchGuard Server). This will minimize the number of victims a maliciously crafted link would work against. Furthermore, we recommend you train your administrators about the dangers of clicking unsolicited links, especially ones that connect you to security appliances and ask for additional authentication.

FAQ:

Are any of WatchGuard’s other products affected?

No. These flaws only affect our XTM appliances, and the WebCenter software that ships with WSM Server Software.

What exactly is the vulnerability?

One is a buffer overflow that allows attackers to execute code on your XTM appliance, and another is a cross-site scripting (XSS) vulnerability that could allow an attacker to gain unauthorized access to WebCenter, assuming he can trick an administrator into clicking a malicious link.

Do these give attackers access to my XTM security appliance?

Yes. The buffer overflow flaw could potentially give attackers access to your XTM security appliance. Though the WGagent process involved runs with low OS privileges, it does have enough privilege to access your appliance’s configuration file, and to change things like your passwords. However, attackers could only exploit this flaw if they had access to the web management UI, which most administrators block from the Internet. For most cases, this flaw primarily poses an internal risk.

How serious is the vulnerability?

Mitigating circumstances aside, we consider the buffer overflow flaw a high risk vulnerability, and recommend you update to 11.8 as soon as possible. The XSS flaws pose lesser risk.

How was this vulnerability discovered?

These flaws were discovered by Jerome Nokin and Thierry Zoller of Verizon Enterprise Solutions, and by Julien Ahrens of RCE Security, and were both confidentially reported to WatchGuard through a very responsible process. We thank them all for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild. However, shortly after our alert, the researcher who discovered the buffer overflow flaw shared his proof of concept (PoC) exploit code publicly. This code makes it easier for unskilled attackers to try to exploit this flaw. To make sure no one can exploit this issue against you, we highly recommend you upgrade to 11.8, or be sure not to expose your web management interface externally.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

Trio of Windows Bulletins Correct Moderate Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact:  Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that describe six vulnerabilities affecting Windows or components related to it (like the .NET Framework). They only rate these bulletins as Important, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The HTTP Protocol Stack (HTTP.sys) is a Windows component that listens for and handles HTTP requests before passing them to a web server like IIS. It suffers from a Denial of Service (DoS) vulnerability having to do with its inability to properly handle HTTP requests with specially malformed headers. By sending a specially crafted HTTP request, a remote attacker can leverage this flaw to cause your system to stop responding. While this sort of DoS attack doesn’t result in any breach or data loss, attackers can leverage it to knock your public web server offline, which could have significant business implications. You should download, test, and deploy Microsoft’s HTTP.sys update as soon as possible.

Microsoft rating: Important

  • MS13-040: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Although it only ships by default with Windows Vista and later, you’ll find it installed on many other Windows computers as well. The .NET Framework component suffers from two new security vulnerabilities.

The first issue is an XML digital signature spoofing vulnerability. XML files can carry digital signatures, which .NET applications can use to verify the integrity of the XML (ensuring it hasn’t been improperly modified). However, the .NET Framework component (CLR) responsible for validating these signatures does not do so correctly. As a result, an attacker can modify the contents of a signed XML file without invalidating the signature. The impact of this flaw depends on whether and how your custom .NET applications use this functionality.

The second issue is an authentication bypass vulnerability. The Windows Communication Foundation (WCF) is essentially a set of .NET APIs that developers can use to build applications that communicate securely with one another. However, WCF suffers from an authentication bypass flaw. By sending specially crafted packets, an attacker could gain unauthenticated access to computers that run WCF services. The impact of this bypass depends on your custom .NET application: if it gives your users access to sensitive data, the flaw can pose a significant risk. If you have installed the .NET Framework, you should download, test, and install Microsoft’s update as soon as you can.

Microsoft rating: Important

  • MS13-046: Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three new local elevation of privilege flaws. They all differ technically, but share the same basic scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computer (or cause it to become unstable). However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these vulnerabilities.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft Windows 2012 Server HTTP.sys Denial of Service Vulnerability (CVE-2013-1305)
  • EXPLOIT Microsoft XML Digital Signature Spoofing Vulnerability (CVE-2013-1336)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Fix a Wide Range of Security Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it (such as DirectShow and the .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets, luring users to view malicious media or email, and so on
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins that describe around 39 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and DirectShow. Each of these vulnerabilities affects different versions of Windows to varying degrees.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-011: DirectShow Media Decompression Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams and files. It suffers from an unspecified vulnerability having to do with how it handles specially crafted media. By getting your users to interact with malicious media, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. Attackers might lure users to their booby-trapped media by linking it as a direct download, embedding it in a document, or by hosting it as a malicious media stream.

Microsoft rating: Critical

  • MS13-020: Windows XP OLE Automation Vulnerability

Object Linking and Embedding (OLE) Automation is a Microsoft protocol which allows one application to share data with, or control, another application. It suffers from an unspecified remote code execution flaw having to do with how it parses maliciously crafted RTF files. If an attacker can convince you to open or preview a specially crafted RTF file in Windows, he could exploit this flaw to execute code on your machine, with your privileges. If you have administrative rights, the attacker would gain complete control of your computer. This flaw only affects Windows XP.

Microsoft rating: Critical

  • MS13-014: NFS Server DoS Vulnerability

Network File System (NFS) is an industry-wide protocol for sharing files and directories over a network. Windows Server software ships with NFS support to share files in mixed, Unix and Windows environments.

Windows’ NFS service suffers from something called a null dereference vulnerability, which attackers can leverage to cause a Denial of Service (DoS) condition on Windows servers. By attempting to rename a file or folder on a read-only share, an attacker could exploit this flaw to cause the server to stop responding or crash. However, a few factors mitigate the severity of this issue. Specifically, the flaw only affects servers with the NFS role enabled; the attacker needs access to an NFS share and legitimate credentials; and finally, most administrators don’t allow NFS access through their firewall.

Microsoft rating: Important

  • MS13-015: .NET Framework EoP Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Although it only ships by default with Windows Vista and later, you’ll find it installed on many other Windows computers as well.

The .NET Framework suffers from a technically complex elevation of privilege (EoP) vulnerability, where it unnecessarily elevates the permissions of a callback function when a .NET application creates a particular object. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with full system privileges. This flaw also can affect non-web .NET applications, which an attacker runs directly on a system. The good news is most versions of IE will either block or warn you about the particular web content (XBAP) attackers use to leverage this flaw, which significantly mitigates its risk.

Microsoft rating: Important

  • MS13-016: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from 30 race condition vulnerabilities. The vulnerabilities differ technically but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computer. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

  • MS13-017 Kernel Elevation of Privilege Vulnerability

As mentioned above, the kernel is the core component of any computer operating system. The Windows kernel suffers from three vulnerabilities (two of them race conditions), which attackers can leverage to elevate their privileges. By running a specially crafted program, a local attacker could exploit these flaws to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials.

Microsoft rating: Important

  • MS13-018: Windows TCP/IP Stack  DoS Vulnerability

As you would expect, the Windows TCP/IP stack is the set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from a DoS vulnerability involving the way it parses specially crafted packets. In short, an attacker can lock or crash a Windows computer simply by sending it a sequence of specially crafted packets. Though Microsoft only rates this update as Important, attackers could repeatedly exploit it against your public Windows servers, essentially knocking them offline. This could have serious implications for essential production servers. We recommend you test and apply this update immediately.

Microsoft rating: Important

  • MS13-019: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, DirectShow (quartz.dll), and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures that can detect and block the DirectShow Media Decompression and OLE Automation vulnerabilities. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Include .NET and MSXML Fixes

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that often ship with it (like XML Core Services and the .NET Framework). Some vulnerable components also affect Office and Server Software products.
  • How an attacker exploits them: Multiple vectors of attack, ranging from sending malicious print jobs to luring victims to malicious web pages.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe 11 vulnerabilities affecting Windows or components related to it,  such as the .NET Framework and XML Core Services (MSXML). Each of these vulnerabilities affects different versions of Windows to varying degrees. One of the component vulnerabilities (MSXML) also affects other Microsoft products, including Office, SharePoint Server, and Microsoft Expression.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-001: Print Spooler Remote Code Execution Vulnerability

The print spooler is a Windows service that manages printing. It suffers from an unspecified vulnerability having to do with its inability to handle specially crafted print jobs. By sending a specially crafted print request, an attacker can exploit this flaw to execute code on a Windows computer with full system privileges. That said, most administrators do not allow the ports necessary for Windows printing through their firewall. By default, a WatchGuard XTM appliance will block Internet-based attackers from leveraging this flaw, so it primarily poses an internal threat.

Microsoft rating: Critical

  • MS13-002: Two MSXML Remote Code Execution Flaws

Microsoft XML Core Services (MSXML) is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and with other Microsoft products like Office, SharePoint Server, Groove Server, and Expression. If you have a Windows computer, you very likely have MSXML, and you need to update if you use any of the aforementioned products.

According to today’s bulletin, MSXML suffers from two vulnerabilities – likely memory corruption flaws, but Microsoft doesn’t specify – which remote attackers could leverage to execute code on vulnerable computers with the privileges of the currently logged-in user. An attacker would only have to lure you to a web site containing malicious XML content for his attack to succeed. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Don’t forget, attackers often booby-trap legitimate web sites with drive-by download code. So it’s possible you could encounter attacks leveraging this sort of vulnerability when visiting perfectly legitimate web sites. We recommend you patch quickly to avoid these sorts of attacks.

Microsoft rating: Critical

  • MS13-004: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Although it only ships by default with Windows Vista and later, you’ll find it installed on many other Windows computers as well.

The .NET Framework component suffers from four new security vulnerabilities. The flaws differ in scope and impact, and include an information disclosure issue and three elevation of privilege vulnerabilities, two of them due to buffer overflow flaws. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit the worst of these flaws to execute code on that user’s computer with full system privileges. These flaws can also affect non-web .NET applications, including custom ones you may have developed in-house. In short, if you’ve installed the .NET Framework on any of your servers or clients, you should update them as quickly as possible.

Microsoft rating: Important

  • MS13-005: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from a new local elevation of privilege flaw having to do with how it improperly handles window broadcast messages. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS13-006: Windows SSLv3/TLS Degradation Attack

The Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols are responsible for helping computers establish secure connections over networks. For instance, SSL/TLS is what you use when connecting to secure web sites. Like all operating systems, Windows ships with the components necessary to handle SSL/TLS connections.

According to Microsoft’s bulletin, the SSL/TLS implementation that ships with most versions of Windows suffers from what they call a “Security Feature Bypass vulnerability.” Windows supports SSLv3 and TLS, which offer stronger cipher suites than the obsolete SSLv2. However, if an attacker can perform a Man-in-the-Middle attack on your SSL traffic, he can inject maliciously crafted traffic that forces Windows to downgrade the connection to SSLv2. This doesn’t give the attacker immediate access to the SSL-encrypted traffic, but it makes the encryption easier to break in principle, since SSLv2 supports weaker ciphers. Since this attack is relatively difficult to carry out, and doesn’t by itself decrypt the SSL communication, we believe it poses a relatively low risk in the real world. Of course, we still recommend you patch it.

Microsoft rating: Important
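The downgrade described above is visible on the wire: the version a session actually negotiates is carried in the handshake records themselves, so a monitoring tool can flag connections that fall back to SSLv2 or SSLv3 instead of TLS. The parser below is an added example for this alert, not WatchGuard's or Microsoft's code. It distinguishes the old SSLv2 record format (2-byte header with the high bit set) from the SSLv3/TLS record format (5-byte header plus a 4-byte handshake header), reads the hello's version field, and marks the weak families. The sample records are constructed by hand for the example.

```python
"""Classify the version family of an SSL/TLS handshake record.

Added example (not WatchGuard's or Microsoft's code): a small parser a
monitoring tool could run over the first bytes of a TCP stream to flag
sessions that negotiate SSLv2 or SSLv3 instead of TLS. The sample
records below are constructed by hand for this example.
"""

# Version names keyed by the two-byte version field used in hello messages.
VERSION_NAMES = {
    (0x00, 0x02): "SSLv2",
    (0x03, 0x00): "SSLv3",
    (0x03, 0x01): "TLS 1.0",
    (0x03, 0x02): "TLS 1.1",
    (0x03, 0x03): "TLS 1.2",
}

WEAK_VERSIONS = {"SSLv2", "SSLv3"}


def classify_record(data: bytes) -> dict:
    """Return the record family, handshake type and hello version of `data`.

    SSLv2 uses a 2-byte record header whose high bit is set, followed by the
    message type (1 = CLIENT-HELLO) and a 2-byte version. SSLv3 and TLS use a
    5-byte header (content type, version, length) followed by a 4-byte
    handshake header (type, 3-byte length) and then the hello's version.
    """
    if len(data) < 5:
        raise ValueError("record too short to classify")

    if data[0] & 0x80:
        # SSLv2 record: 15-bit length, msg type, then the version offered.
        length = ((data[0] & 0x7F) << 8) | data[1]
        version = tuple(data[3:5])
        return {
            "family": "SSLv2",
            "record_length": length,
            "handshake_type": data[2],
            # A v2-format hello may still offer a TLS version; the record
            # format itself is the warning sign, so the family is flagged.
            "hello_version": VERSION_NAMES.get(version, f"unknown {version}"),
            "weak": True,
        }

    content_type, major, minor = data[0], data[1], data[2]
    if content_type != 0x16:
        raise ValueError(f"not a handshake record (content type {content_type:#x})")
    if len(data) < 11:
        raise ValueError("handshake header truncated")
    record_version = VERSION_NAMES.get((major, minor), f"unknown ({major},{minor})")
    hello_version = VERSION_NAMES.get(tuple(data[9:11]), "unknown")
    return {
        "family": "SSLv3/TLS",
        "record_version": record_version,
        "handshake_type": data[5],  # 1 = ClientHello, 2 = ServerHello
        "hello_version": hello_version,
        "weak": hello_version in WEAK_VERSIONS,
    }


def weak_sessions(records) -> list:
    """Return the indexes of records whose negotiated family or version is weak."""
    return [i for i, rec in enumerate(records) if classify_record(rec)["weak"]]


# Constructed samples (truncated after the version field).
TLS10_SERVER_HELLO = bytes.fromhex("1603010006" "02000002" "0301")
SSLV3_SERVER_HELLO = bytes.fromhex("1603000006" "02000002" "0300")
# SSLv2 CLIENT-HELLO: 31-byte body with two cipher specs and a 16-byte challenge.
SSLV2_CLIENT_HELLO = bytes.fromhex(
    "801f" "01" "0002" "0006" "0000" "0010" "010080" "0700c0" + "11" * 16
)

if __name__ == "__main__":
    for rec in (TLS10_SERVER_HELLO, SSLV3_SERVER_HELLO, SSLV2_CLIENT_HELLO):
        print(classify_record(rec))
```

Because the ServerHello carries the version the server actually selected, checking that record (rather than the client's offer) is what tells you whether a session was talked down to an older protocol.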

At the highest level, the Open Data (OData) protocol is a standard that web applications can use to query and update data. In short, it’s like the many other protocols developers might use to get a web application to interact with a database. The OData component that ships with the .NET Framework suffers from a Denial of Service (DoS) vulnerability. By sending specially crafted HTTP requests, an attacker can leverage this flaw to disrupt your web server, preventing visitors from accessing it. Any IIS web server that includes the .NET Framework and has the Windows Communication Foundation (WCF) services installed is vulnerable to this DoS flaw, as is any Windows Server 2012 with IIS and the Management OData IIS Extension installed.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, .NET Framework, and XML Core Services patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature that can detect and block the OData DoS vulnerability against IIS servers with the .NET Framework. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Shockwave Update Corrects Five Buffer Overflows

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.7.637 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.8.638) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released this week, Adobe warned of six vulnerabilities that affect Adobe Shockwave Player 11.6.7.637 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, though it does say that five of them are buffer overflow vulnerabilities, and the last is another memory related flaw. All six of the security flaws have the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version at your earliest convenience.

Solution Path

Adobe has released Shockwave Player version 11.6.8.638 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf – Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, and thus prone to false positives. We don’t recommend you use it.)

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Four Updates Repair Office and Server Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Works, SharePoint, InfoPath, Communicator, Lync, Groove, and more
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to click specially crafted links, or to open specially crafted documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix around 20 vulnerabilities in a wide range of Microsoft Office and Server Software products. The affected products include:

  • Word and Word Viewer
  • Works 9
  • Sharepoint Server
  • InfoPath
  • Communicator and the new Lync
  • Groove
  • FAST Search Server
  • and the Office Web Apps

I summarize these four security bulletins below, in order from highest to lowest severity.

  • MS12-064: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles maliciously crafted Word or RTF documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage either of these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could leverage these vulnerabilities to gain complete control of their machines. These flaws affect all current versions of Word, including Word Viewer, the Office Compatibility Pack, and the Office Web Apps.

Microsoft rating: Critical

  • MS12-065: Works 9 Heap Buffer Overflow Vulnerability

Works is a lightweight word processor, which is less expensive than Word but lacking in features. It suffers from a buffer overflow vulnerability having to do with how it handles malformed Word documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. The flaw only affects Works 9.

Microsoft rating: Important

  • MS12-066: Microsoft Server Software XSS Vulnerability

Many of Microsoft’s Server Software products (including SharePoint Server, Communicator and Lync, InfoPath, and Groove) suffer from a Cross-site Scripting (XSS) vulnerability having to do with the servers’ inability to properly sanitize HTML inputs. The bulletin doesn’t describe exactly what element of these web-based servers suffers from the XSS vulnerability; only that they do. In any case, if an attacker can trick you into clicking a specially crafted link, he could leverage this flaw to steal your web cookie, hijack your web session, or essentially take any action you could on the vulnerable server. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

Microsoft rating: Important

  • MS12-067: FAST Search Server Oracle Outside In Vulnerabilities

Microsoft’s FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to parse various types of file attachments, and that Outside In suffered from a number of remote code execution vulnerabilities. FAST Search Server implements Outside In, and also suffers from these vulnerabilities. If an attacker can upload a specially crafted file to a share that FAST Search Server indexes, he could leverage these vulnerabilities to execute arbitrary code on the FAST Search Server. However, two factors significantly mitigate the severity of these issues. First, most administrators only use this server to index internal file shares, which means the attacker needs local access and privilege to upload the malicious file. Furthermore, the attacker could only execute code with the limited privileges of a “user account with a restricted token.”

Microsoft rating: Important

Solution Path:

Microsoft has released Office and Server Software patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you. That said, we highly recommend you test server updates before deploying them, so you may not want to turn on automatic updates for your servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Our XTM security appliances can mitigate the risk of many of these flaws. One of our generic XSS detection signatures already detects and prevents the XSS flaw described in MS12-066. Furthermore, with information from Microsoft’s Active Protections Program (MAPP), we have already developed a signature for the RTF exploit described in MS12-064, which we will include in a new signature set your appliance should get shortly.

Furthermore, WatchGuard’s Gateway Antivirus (GAV) service detects most of the common malware attackers try to deliver when exploiting these flaws. In short, if you have our UTM bundle and enable IPS and GAV, we can protect you from many attacks that try to leverage these flaws.

Nonetheless, attackers can exploit these flaws in other ways as well, including uploading malicious files locally. We still recommend you install Microsoft’s updates as quickly as possible to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Grab Adobe’s Shockwave Update to Avoid Web-based Attacks

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.6.3.633 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing malicious Shockwave content
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.6.4.634) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on hundreds of millions of PCs.

In a security bulletin released late Tuesday, Adobe warned of nine critical vulnerabilities that affect Adobe Shockwave Player 11.6.3.633 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. For the most part, the flaws consist of memory related vulnerabilities, including heap buffer overflows and other memory corruption flaws. Though the flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

Solution Path

Adobe has released Shockwave Player version 11.6.4.634 to fix these security flaws. If you use Adobe Shockwave in your network, we recommend you download and deploy the updated player as soon as possible. You can get it from the link below.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Shockwave content. Keep in mind, doing so blocks all Shockwave content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Shockwave files:

File Extension:

  • .swf – Adobe Shockwave files

MIME types:

  • application/x-shockwave-flash
  • application/x-shockwave-flash2-preview
  • application/futuresplash
  • image/vnd.rn-realflash

FILExt.com reported Magic Byte Pattern:

  • Hex: 46 57 53

(We believe this pattern is too short, and thus prone to false positives. We don’t recommend you use it.)

If you decide you want to block Shockwave files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.
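The three identification methods listed above (file extension, MIME type and body pattern) appear in both Shockwave alerts on this page, and so does the caveat that the bare 3-byte pattern 46 57 53 is prone to false positives. The script below is an added example, not WatchGuard's proxy code, that shows why: it contrasts a naive search for those three bytes anywhere in a message body with a check that anchors the signature at offset 0 and validates the rest of the SWF header (version byte and little-endian length field). It goes slightly beyond the alert by also accepting the compressed "CWS" and "ZWS" signature variants of the SWF format, an assumption taken from the SWF specification rather than from the alert. The sample SWF and the sample HTML body are constructed for this example.

```python
"""Identify Shockwave/Flash (SWF) content by header, not by a bare byte pattern.

Added example, not WatchGuard's proxy code. Contrasts a naive search for the
3-byte pattern 46 57 53 ("FWS") anywhere in a body with an anchored header
check. The CWS/ZWS signatures are assumed from the SWF specification; the
sample inputs are constructed for this example.
"""
import struct

SWF_SIGNATURES = {b"FWS", b"CWS", b"ZWS"}      # uncompressed, zlib, LZMA (assumed)
FILEXT_PATTERN = bytes.fromhex("465753")       # "FWS", the pattern listed in the alert
SWF_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/x-shockwave-flash2-preview",
    "application/futuresplash",
    "image/vnd.rn-realflash",
}
SWF_EXTENSIONS = {".swf"}


def naive_pattern_match(body: bytes) -> bool:
    """Flag any body containing 46 57 53 somewhere: fast, but false-positive prone."""
    return FILEXT_PATTERN in body


def looks_like_swf(body: bytes) -> bool:
    """Anchor the signature at offset 0 and sanity-check the 8-byte SWF header.

    Header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed file length. For an uncompressed ("FWS") file the length
    field must equal the actual size; for compressed variants it must at
    least cover the header.
    """
    if len(body) < 8 or body[:3] not in SWF_SIGNATURES:
        return False
    version = body[3]
    (length,) = struct.unpack("<I", body[4:8])
    if version == 0 or length < 8:
        return False
    if body[:3] == b"FWS":
        return length == len(body)
    return True


def classify_response(content_type: str, filename: str, body: bytes) -> list:
    """Return which of the three proxy checks (MIME, extension, magic) matched."""
    hits = []
    mime = content_type.split(";")[0].strip().lower()
    if mime in SWF_MIME_TYPES:
        hits.append("mime")
    if any(filename.lower().endswith(ext) for ext in SWF_EXTENSIONS):
        hits.append("extension")
    if looks_like_swf(body):
        hits.append("magic")
    return hits


def make_swf(payload: bytes = b"\x00" * 13) -> bytes:
    """Build a minimal uncompressed SWF with a correct length field (constructed sample)."""
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(payload)) + payload


# Constructed samples: a tiny SWF and an HTML body that merely contains "FWS".
SAMPLE_SWF = make_swf()
SAMPLE_TEXT = b"<html><body>NEWS FLASH: FWS quarterly report attached</body></html>"

if __name__ == "__main__":
    print("naive match on HTML body:", naive_pattern_match(SAMPLE_TEXT))
    print("anchored check on HTML body:", looks_like_swf(SAMPLE_TEXT))
    print("anchored check on SWF:", looks_like_swf(SAMPLE_SWF))
    print(classify_response("application/x-shockwave-flash", "movie.swf", SAMPLE_SWF))
```

The naive search fires on the HTML body because the letters "FWS" happen to occur in ordinary text, while the anchored check does not; conversely, a real SWF passes the anchored check, and a file whose length field disagrees with its size is rejected. Combining the MIME, extension and header checks, as the alert suggests, gives you a result you can act on even when one indicator is missing or spoofed.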

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

Apple OSX: Take Your Leopards In For a Checkup

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.8 or Security Update 2011-004 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 39 (number based on CVE-IDs) security issues in 22 components that ship as part of OS X or OS X Server, including Airport, Quicktime, and MobileMe. Some of the fixed vulnerabilities include:

  • Two ImageIO Code Execution Flaws. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from two security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG2000 and TIFF.
  • ATS Buffer Overflow Vulnerability. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from a buffer overflow vulnerability having to do with the way it handles embedded TrueType fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from five security issues involving how it handles certain image, audio, and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing maliciously crafted media in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, privilege escalation vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • App Store
  • ATS
  • Certificate Trust Policy
  • ColorSync
  • CoreFoundation
  • CoreGraphics
  • FTP Server
  • ImageIO
  • International Components for Unicode
  • Kernel
  • Libsystem
  • libxslt
  • MobileMe
  • MySQL
  • OpenSSL
  • patch
  • QuickLook
  • QuickTime
  • Samba
  • servermgrd
  • subversion

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2011-004 and OS X 10.6.8 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

2011’s First OS X Update Patches 57 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.7 or Security Update 2011-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 57 (number based on CVE-IDs) security issues in 26 components that ship as part of OS X or OS X Server, including Apache, Quicktime, and ClamAV. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG, TIFF, and XBM.
  • Many ATS Vulnerabilities. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from various memory related vulnerabilities having to do with the way it handles certain types of embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five Quicktime Vulnerabilities. Quicktime is the popular video and media player that ships with OS X (and iTunes). Quicktime suffers from five security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, cross-site scripting (XSS) vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • Apache
  • AppleScript
  • ATS
  • bzip2
  • CarbonCore
  • ClamAV
  • CoreText
  • File Quarantine
  • HFS
  • ImageIO
  • Image RAW
  • Installer
  • Kerberos
  • Kernel
  • Libinfo
  • libxml
  • Mailman
  • PHP
  • QuickLook
  • QuickTime
  • Ruby
  • Samba
  • Subversion
  • Terminal
  • X11

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

On a related note, Apple has released many security updates in the last few weeks. Besides the Java update we alerted about early this month, Apple has also posted the following security-related product updates:

If you use any of those products, we recommend you update them as well, or let Apple’s automatic Software Updater do it for you.

Solution Path:

Apple has released OS X Security Update 2011-001 and OS X 10.6.7 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
