Tag Archives: DoS

WatchGuard Security Week in Review: Episode 58 – Darkleech Apache Attack

Telephony DoS, OpFreeKorea, and Darkleech

What do zombie video games, North Korea, and emergency telephone systems have in common? They’ve all been compromised by cyber attackers this week.

If you’re too busy dousing IT fires to keep up with InfoSec news on your own, give our weekly security news summary a try. In this short video, I quickly highlight the biggest security stories from the week, and give some practical defense tips along the way.

This week’s episode covers a new telephony denial of service (TDoS) extortion scheme, a serious flaw in a common database system, the latest Anonymous operation, and a mysterious Apache hijacking campaign that has affected over 20,000 web servers. Watch the video below for the full scoop, and check out the Reference section for additional stories.

(Episode Runtime: 9:03)

Direct YouTube Link: http://www.youtube.com/watch?v=K18Snt0Lrm0

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 57 – 300Gb DDoS

POS Trojans, Android Spear Phishing, and Record DDoS

Extra, Extra, the Internet almost broke (no it didn’t). Read… View all about it!

Too much security news, and too little time? Let me summarize the highlights for you in my weekly InfoSec recap video. This week I cover two trojans targeting point-of-sale (POS) computers, a few software updates, a targeted spear phishing campaign spreading Android malware, and the record-breaking SpamHaus DDoS attack, which didn’t really break the Internet despite some reports. Click play for the details.

There were also a ton of other interesting Infosec tidbits this week, beyond what’s in the video. If you’re interested, check out the Reference section below. Stay frosty out there, and have a Happy Easter weekend.

(Episode Runtime: 9:47)

Direct YouTube Link: http://www.youtube.com/watch?v=sC1zLvbjzI4

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Cisco Patch Day: Multiple DoS Flaws in IOS

As part of their semiannual patch day, Cisco released seven security advisories describing different Denial of Service (DoS) vulnerabilities affecting the IOS software that primarily ships with their routers. The seven flaws differ technically, and lie within various IOS components, including NAT, IKE, RSVP, etc. However, most of them share the same essential scope and impact. If a remote, unauthenticated attacker can send specially crafted packets to your IOS device, he can exploit many of these flaws to cause the device to fill up memory, or crash and restart. Attackers can repeatedly leverage these flaws to knock your router offline for as long as they can carry out the attack.

DoS vulnerabilities in your gateway router pose a fairly significant risk, since attackers can leverage them to essentially knock you offline. Right now, DoS attacks are in vogue among Hacktivists and other attackers. Over the past week, Spamhaus has suffered the largest DDoS attacks in recorded cyber history, and big banks have suffered from politically motivated DDoS attacks for months now. Though today’s IOS DoS flaws are not likely what contributes to these huge DDoS attacks, they could make a DDoS attacker’s life even easier. If you manage any Cisco IOS gear, I highly recommend you check out today’s Cisco IOS alerts and apply the corresponding updates and workarounds. — Corey Nachreiner, CISSP (@SecAdept)

MS Black Tuesday: 12 Bulletins, 57 Flaws, and Lots of Work

Though not the biggest on record, today’s Patch Day is no slouch.

As expected, Microsoft released a dozen security bulletins, fixing 57 vulnerabilities that affect a range of their software, including:

  • Windows (and its components)
  • .NET Framework
  • Internet Explorer (IE)
  • Exchange Server
  • Fast Search Server 2010

According to the summary alert, Microsoft rates five of the bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers (usually with little to no user interaction). In general, I recommend you apply these Critical updates first.

In particular, I’d start with the two IE updates since attackers often target users with drive-by download attacks. Also, jump on the Exchange server update immediately, as it fixes an issue attackers could easily exploit with a specially crafted email and attachment—not to mention, your email server is a pretty critical asset.

Though not as serious as other issues, one of Microsoft’s alerts describes a Windows TCP/IP Denial of Service vulnerability, which it sounds like attackers could exploit with a single malicious packet. I haven’t seen this sort of “Ping of Death”-like DoS vulnerability in a while.

As always, I recommend you test the updates before deploying them to a production environment. If you don’t have time or resources to test all of them, at least try to test the server-related updates.

As an aside, WatchGuard’s IPS signature team gets early warning about Patch Day, and will release a new signature update that detects some of the described issues shortly. They have developed signatures for the following Patch Day-related issues:

  • CVE-2013-0015
  • CVE-2013-0018
  • CVE-2013-0019
  • CVE-2013-0020
  • CVE-2013-0021
  • CVE-2013-0022
  • CVE-2013-0023
  • CVE-2013-0024
  • CVE-2013-0025
  • CVE-2013-0026
  • CVE-2013-0027
  • CVE-2013-0028
  • CVE-2013-0029
  • CVE-2013-0030
  • CVE-2013-0077
  • CVE-2013-1313

We’ll post consolidated alerts throughout the day, sharing more details about these bulletins and updates. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Microsoft Black Tuesday: Updates Correct .NET and MSXML Flaws

Are you ready for the first Patch Day of 2013? If you run a Microsoft shop (Mac users need not apply this month), get ready as you’ll want to install some of today’s updates as soon as you can.

As promised, Microsoft released seven security bulletins and software updates today, two of which they rate as Critical. The seven updates fix 12 vulnerabilities in products like Windows, XML Core Services, the .NET Framework, and their System Center Operations Manager. The impact of these vulnerabilities ranges widely from allowing a remote user to execute arbitrary code, to basic Denial of Service (DoS) issues. If you manage any of the affected products, I recommend you apply the updates quickly—particularly the Critical ones.

As I mentioned in last week’s notification, Microsoft is not releasing a fix for the recent Internet Explorer (IE) zero day vulnerability today. They simply haven’t had time to fully craft the patch since the exploit’s first discovery. However, Microsoft has released a FixIt, which partially mitigates the issue. While I recommend you apply the FixIt, do know a security research organization has found it doesn’t prevent all forms of this particular attack. So you’ll still want to jump on Microsoft’s real patch once they release it. In the meantime, if you use one of WatchGuard’s XTM appliances with the IPS service, we have a signature that protects you from the known exploits for this IE zero day flaw.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s January bulletin matrix below (click the image for more detail). — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: January 2013

Microsoft Black Tuesday: Patch Before the Holidays

If you’re anything like me, your late December schedule is quickly filling with holiday parties, family activities, and seasonal days off. This means if you want to secure your Microsoft environment before the end of the year, you better get started earlier rather than later.

Today, Microsoft released seven security bulletins fixing at least 11 vulnerabilities in many of their products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Word (part of Office)
  • and Exchange Server

They rate five of the bulletins as Critical, and the rest as Important. For more details, check out their December bulletin summary, or wait for our detailed alerts.

If I were to pick the order you patched, I’d start with the Exchange update since you need to protect your public servers, follow with the IE patch since attackers like drive-by downloads, fix the Word flaw to avoid targeted phishing attacks, and end with the Windows updates in order of severity… but that’s just me.

In any case, you should download, test, and deploy Microsoft’s updates as soon as possible. If you don’t have time to test everything, at least take the time to test the Exchange update, as you don’t want your production email server suffering any downtime.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s December bulletin matrix below. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: December 2012

Windows Updates Fix Relatively Minor Kernel and Kerberos Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows and the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic and enticing users to run malicious applications
  • Impact: In the worst case, a local attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. We summarize these Windows bulletins below:

  • MS12-068: Kernel Elevation of Privilege Vulnerability

The kernel is the core component of any computer operating system. The Windows kernel suffers from an integer overflow vulnerability, which attackers can leverage to elevate their privilege. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

Kerberos is one of the authentication protocols used by Windows Servers. The Kerberos service suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted session requests. By sending specially crafted network traffic, an attacker could leverage this flaw to crash and restart your Kerberos server. The attacker could repeatedly exploit this vulnerability to keep your server offline for as long as they continued their attack. That said, most administrators do not allow Internet-based users access to their Kerberos server, which significantly mitigates the severity of this vulnerability.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances can mitigate some of these attacks, by preventing Internet-based attackers from accessing the vulnerable services, it cannot prevent local attacks. Therefore, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Four Windows Updates Plug Seven Security Holes

Bulletins Affect RDP, DNS Server, Kernel-Mode Drivers, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (One flaw also affects Small Business Server 2003)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets to vulnerable computers
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-020: RDP Remote Code Execution and DoS Vulnerabilities

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network, and to directly control their desktops. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from two vulnerabilities. The worst is a serious remote code execution flaw, having to do with how the RDP component processes specially crafted sequences of packets. By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer. The RDP component also suffers from a less severe Denial of Service (DoS) flaw, which attackers could leverage to cause the RDP service to stop responding to new connections.

This RDP remote code execution flaw is a severe vulnerability. However, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do have RDP services enabled. If you manage such servers, we highly recommend you apply the RDP updates immediately.

UPDATE: Microsoft’s Small Business Server (SBS) 2003 has a feature called Remote Web Workplace, which is also vulnerable to these RDP issues.

Microsoft rating: Critical

Server versions of Windows ship with a DNS Server to allow administrators to offer Domain Name System services on their networks. This DNS Server suffers from a DoS vulnerability having to do with how it handles objects in memory when looking up DNS resource records. By sending your Windows DNS Server a specially crafted DNS request, an attacker could exploit this flaw to cause the DNS server to stop responding and reboot.

In general, people often consider DoS flaws less severe than, say, code execution flaws. However, if an attacker takes out your DNS server, he can essentially knock your network offline, as your users will not be able to browse the Internet using human-readable addresses. Though Microsoft only rates this bulletin as Important, we believe it fixes a fairly serious flaw for DNS administrators.

Microsoft rating: Important

  • MS12-018: Kernel-Mode Driver Code Execution Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers a serious code execution flaw, stemming from its lack of input validation when handling inputs passed via a particular Windows function (specifically PostMessage). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS12-019: DirectWrite DoS Vulnerability

DirectWrite is a Windows API, which developers can leverage to help their applications handle text in the Windows GUI. It suffers from a minor DoS vulnerability, caused by a flaw in the way it handles a specially crafted sequence of Unicode characters. If an attacker can entice your users to view specially crafted Unicode content via an application that leverages the DirectWrite API, he could leverage this flaw to crash that application. Some applications that leverage DirectWrite include Internet Explorer and Windows Instant Messenger. Unlike the DNS Server DoS vulnerability described above, this flaw is not that severe. Attackers can only exploit it to crash one client application on a user’s machine. The user could then easily restart the application and avoid the content that crashed it.

Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

For All WatchGuard Users:

Attackers can leverage these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. However, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.

That said, our appliances can mitigate the risk of the Windows RDP vulnerabilities. By default, WatchGuard’s XTM and Firebox appliances block external RDP access (Typically, TCP port 3389; SBS 2003 uses TCP port 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting these RDP flaws against your servers.

Furthermore, if you must allow external access to your Terminal Servers, you can also leverage WatchGuard’s Authentication feature to limit RDP access to users you trust. For more information on WatchGuard’s Authentication features, refer to this help page.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Releases WSM v11.5.1 Update 1: XSS Flaws Corrected

Severity: High

15 December, 2011

Summary:

  • This vulnerability affects: WatchGuard System Manager (WSM) v11.5.1
  • How an attacker exploits it: Multiple vectors of attack, including enticing you to click a maliciously crafted link, or sending specially crafted network traffic through an XTM appliance and having you view the resulting logs in our Web UI
  • Impact: In the worst case, an attacker can execute code in your browser with elevated privileges, possibly hijacking your web browser
  • What to do: Install WSM 11.5.1 Update 1 at your earliest convenience

Exposure:

A few weeks ago, WatchGuard released Fireware XTM OS and WatchGuard System Manager (WSM) v11.5.1. Among other things, this release includes a newly designed Log and Report Manager Web UI, which greatly improves our logging and reporting interface, making it dramatically faster and easier to use.

However, shortly after the release of WSM v11.5.1, we learned of two privately reported and two internally discovered security issues that affect our Log and Report Manager Web UI. WSM v11.5.1 Update 1 fixes all four of those security issues. We describe these issues in a bit more detail below:

  • BUG 64549: Persistent XSS Vulnerability in Log Messages (CVE-2011-4774)

The Log and Report Manager Web UI does not properly sanitize log data it retrieves from the log database, before displaying it in the Web UI. By sending specially crafted traffic through your XTM appliance (such as maliciously crafted email or FTP connections), an attacker can fill your logs with messages that contain malicious web script. When you view these logs within the Log and Report Manager Web UI, they could trigger a Cross-Site Scripting (XSS) vulnerability, which allows the attacker to execute scripts in your web browser under the context of our Web UI. Since these malicious logs would remain in your log database until you specifically deleted them, this flaw is a persistent XSS vulnerability.

In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. That said, a few factors somewhat mitigate the severity of this issue. In order to exploit this flaw, an attacker would have to know you manage a WSM server with v11.5.1. He’d also have to send very specially crafted traffic through your XTM appliance, which would need policies that allow such traffic. Finally, though this attack may allow the attacker to gain elevated privilege in your web browser, it would not give the attacker access to your XTM appliance, or the ability to change firewall rules. Nonetheless, we consider this a fairly serious vulnerability, and recommend you update as soon as you can. We’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: High

  • BUG 64551: Reflected XSS Vulnerability in URL Parameters (CVE-2011-4774)

The Log and Report Manager Web UI also does not properly sanitize inputs entered into certain URL parameters. By enticing you to click on a specially crafted link, or by intercepting and modifying URL parameters, an attacker could exploit this flaw to trigger another XSS vulnerability. The impact of this flaw is the same as the one described above; an attacker can leverage it to steal web cookies, hijack your web session, or essentially take any action you could in the Log and Report Web UI. This is a reflected XSS flaw since the attack only occurs once, when you click the malicious link.

Like the flaw described above, an attacker would first have to know you manage an XTM appliance with WSM v11.5.1 to exploit this flaw. Furthermore, the attacker would then need to entice you to click a malicious link, which makes this XSS vulnerability slightly less severe than the one described above. Again, we’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: Medium
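Both WSM flaws above share one root cause: text an attacker controls (a log message pulled from the log database, or a URL parameter) was written into the page as markup rather than as text. The following is an added example, not WatchGuard’s code, showing the vulnerable rendering pattern beside the output-encoded form for both the stored case (BUG 64549) and the reflected case (BUG 64551). The log records and the `filter` parameter name are constructed for the example.

```javascript
// Added example (not WatchGuard's code): output-encode untrusted data before it
// reaches an HTML page. The same fix covers stored and reflected XSS: treat
// everything that came from outside as data and encode it for the context it
// lands in (HTML text or a quoted attribute value).

// Escape the five characters that can change meaning inside HTML text or a
// double-quoted attribute value. '&' goes first so later entities are not
// double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed log records of the kind a log viewer reads back from its database.
// The second one carries a script tag in the logged SMTP command: an attacker
// can put arbitrary text into a log line simply by sending that text through the
// firewall, so the log database must be treated as untrusted input.
const SAMPLE_LOGS = [
  { time: '2011-12-15T10:00:01Z', proto: 'smtp', msg: 'MAIL FROM:<alice@example.com>' },
  { time: '2011-12-15T10:00:02Z', proto: 'smtp',
    msg: 'MAIL FROM:<script>alert(document.cookie)</script>' },
];

// Vulnerable pattern ("before"): fields concatenated straight into markup.
// The script tag survives intact and runs when the row is displayed.
function renderLogRowUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td>${entry.proto}</td><td>${entry.msg}</td></tr>`;
}

// Hardened pattern ("after"): every field is encoded for HTML text context.
// The browser shows the literal characters "<script>" and executes nothing.
function renderLogRow(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td>` +
         `<td>${escapeHtml(entry.proto)}</td>` +
         `<td>${escapeHtml(entry.msg)}</td></tr>`;
}

// Whole table, as a log viewer would build it from a query result.
function renderLogTable(entries) {
  return `<table>${entries.map(renderLogRow).join('')}</table>`;
}

// Reflected case: a search filter echoed back from the URL. The parameter
// name "filter" is a hypothetical one chosen for this example.
function renderFilterBanner(queryString) {
  const params = new URLSearchParams(queryString);
  const filter = params.get('filter') || '';
  // Attribute context: escapeHtml also encodes quotes, so the value cannot
  // close value="..." early and append an event-handler attribute.
  return `<p>Showing results for: ${escapeHtml(filter)}</p>` +
         `<input type="text" name="filter" value="${escapeHtml(filter)}">`;
}

// Stand-alone demonstration: the unsafe row keeps the tag, the safe one does not.
console.log(renderLogRowUnsafe(SAMPLE_LOGS[1]));
console.log(renderLogRow(SAMPLE_LOGS[1]));
console.log(renderFilterBanner('?filter=%22%3E%3Cimg%20src%3Dx%3E'));
```

The same encoding must be applied at render time, not at log-write time: the log database should keep the raw traffic for forensics, and only the Web UI layer decides how to display it.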

  • Two Low-Severity Nessus-Reported Vulnerabilities

Our own internal tests identified two minor security issues in our Log and Report Web UI, which were reported by Nessus scans. You can learn more about these issues from the links provided below:

In both cases, your WSM server is protected by your XTM appliance, making it unlikely that an external attacker could exploit either of these minor flaws. We believe they pose very low risk, but still recommend you apply Update 1 as soon as you can.

Severity: Low

Solution Path:

WSM v11.5.1 Update 1 fixes all four of these security issues. XTM appliance administrators who have installed WSM v11.5.1 should download and install Update 1 at their earliest convenience.

FAQ:

Are any of WatchGuard’s other products affected?

No. To our knowledge, these vulnerabilities only affect the new WSM v11.5.1 Log and Report Manager Web UI.

What exactly are the vulnerabilities?

The worst of these four vulnerabilities are the Cross-Site Scripting (XSS) vulnerabilities, which can allow attackers to execute scripts in your web browser under the context of our Web UI. In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. However, attackers cannot leverage these flaws to gain access to your XTM appliance or change firewall rules.

How serious is the vulnerability?

We believe the two XSS vulnerabilities are fairly serious. However, some mitigating factors will likely limit attackers from exploiting these flaws in the real world. In general, XSS flaws can be very dangerous. Tools like the Browser Exploitation Framework (BeEF) have illustrated that attackers can leverage simple XSS flaws to gain significant control of your browser, and possibly your computer. That said, attackers would have to know a lot about you and your organization to exploit these particular XSS vulnerabilities. Specifically, they’d have to know you manage a WSM v11.5.1 server, and either get you to click a link, or view a specific log message in our Web UI. This would likely only happen in a very targeted attack. Furthermore, these flaws would not give the attacker access to your XTM appliance. That said, as a security company, WatchGuard takes any vulnerability in our products very seriously. We suggest you install WSM v11.5.1 Update 1 as soon as possible.

Other than installing Update 1, is there a workaround?

Not really. Obviously, if you avoid clicking malicious phishing links, then an attacker couldn’t exploit the reflected XSS attack. However, even the most savvy security professional can sometimes click the wrong link. If you do not allow any incoming traffic through your XTM appliance, then an attacker may not be able to booby-trap your log files with specially crafted messages. However, most organizations have policies to at least allow email traffic. This alone could allow an external attacker to corrupt your logs. We highly recommend you install WSM v11.5.1 Update 1 to correct these issues.

Where can I go to get the hotfix?

WSM 11.5.1 Update 1 is currently available in the Articles & Software section of WatchGuard’s Support Center. Look for it under the Management Software section for your XTM appliance.

How was this vulnerability discovered?

Two of these vulnerabilities were discovered by Wayne Murphy of Sec-1 (@Sec1Ltd), and confidentially reported to WatchGuard. We thank Mr. Murphy for working with us to keep our customers secure. The remaining issues were discovered internally.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Senior Network Security Strategist
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

Patch BIND 9 to Avoid DNS Outages

Earlier this week, the Internet Systems Consortium (ISC) released a BIND 9 update to fix two serious Denial of Service (DoS) vulnerabilities in the popular, open source DNS server software.

The two DoS flaws differ technically, but essentially share the same scope and impact. By sending specially crafted packets to your BIND 9 server, an attacker could leverage these flaws to either crash BIND, or cause it to exit. In either case, by repeatedly exploiting this flaw an attacker could drastically affect your DNS service, thus preventing your users from browsing the web.

That said, one of the two flaws only affects BIND 9 servers which have recursion enabled, and which use a special feature called “Response Policy Zones” (RPZ). In fact, the flaw only affects BIND servers that have RPZ zones with specific rule or action patterns. These factors significantly mitigate the severity of that particular flaw.

In any case, if you run a BIND 9 server, I recommend you download and install the BIND 9.8.0-P4 update to correct these vulnerabilities.

You can learn more about these two vulnerabilities at ISC’s BIND advisory page, or at the individual advisory links below:

Corey Nachreiner, CISSP (@SecAdept)
