Four Windows Updates Plug Seven Security Holes

Bulletins Affect RDP, DNS Server, Kernel-Mode Drivers, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (One flaw also affects Small Business Server 2003)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets to vulnerable computers
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-020: RDP Remote Code Execution and DoS Vulnerabilities

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network, and to directly control their desktops. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from two vulnerabilities. The worst is a serious remote code execution flaw, having to do with how the RDP component processes specially crafted sequences of packets. By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer. The RDP component also suffers from a less severe Denial of Service (DoS) flaw, which attackers could leverage to cause the RDP service to stop responding to new connections.

This RDP remote code execution flaw is a severe vulnerability. However, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do have RDP services enabled. If you manage such servers, we highly recommend you apply the RDP updates immediately.

UPDATE: Microsoft’s Small Business Server (SBS) 2003 has a feature called Remote Web Workplace, which is also vulnerable to these RDP issues.

Microsoft rating: Critical

  • DNS Server DoS Vulnerability

The Server versions of Windows ship with a DNS Server to allow administrators to offer Domain Name System services on their networks. This DNS Server suffers from a DoS vulnerability having to do with how it handles objects in memory when looking up DNS resource records. By sending your Windows DNS Server a specially crafted DNS request, an attacker could exploit this flaw to cause the DNS server to stop responding and reboot.

In general, people often consider DoS flaws less severe than, say, code execution flaws. However, if an attacker takes out your DNS server, he can essentially knock your network offline, as your users will not be able to browse the Internet using human-readable addresses. Though Microsoft only rates this bulletin as Important, we believe it fixes a fairly serious flaw for DNS administrators.

Microsoft rating: Important

  • MS12-018: Kernel-Mode Driver Code Execution Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from a serious code execution flaw, stemming from its lack of input validation when handling inputs passed via a particular Windows function (specifically PostMessage). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS12-019: DirectWrite DoS Vulnerability

DirectWrite is a Windows API, which developers can leverage to help their applications handle text in the Windows GUI. It suffers from a minor DoS vulnerability, caused by a flaw in the way it handles a specially crafted sequence of Unicode characters. If an attacker can entice your users to view specially crafted Unicode content via an application that leverages the DirectWrite API, he could leverage this flaw to crash that application. Some applications that leverage DirectWrite include Internet Explorer and Windows Instant Messenger. Unlike the DNS Server DoS vulnerability described above, this flaw is not that severe. Attackers can only exploit it to crash one client application on a user’s machine. The user could then easily restart the application and avoid the content that crashed it.

Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

For All WatchGuard Users:

Attackers can leverage these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. However, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.

That said, our appliances can mitigate the risk of the Windows RDP vulnerabilities. By default, WatchGuard’s XTM and Firebox appliances block external RDP access (Typically, TCP port 3389; SBS 2003 uses TCP port 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting these RDP flaws against your servers.

Furthermore, if you must allow external access to your Terminal Servers, you can also leverage WatchGuard’s Authentication feature to limit RDP access to users you trust. For more information on WatchGuard’s Authentication features, refer to this help page.
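The mitigation above rests on one question: does any rule in your policy let the Internet reach TCP 3389 (RDP) or TCP 4125 (SBS 2003 Remote Web Workplace)? The following is an added example, not WatchGuard code or the XTM/Firebox policy format; it assumes a simplified first-match policy model with constructed zone names ("external", "trusted") and a constructed sample policy. It walks the policy for each RDP port and reports which enabled rule, if any, permits the traffic, treating no match as the default deny. Note that it catches the common mistake of a wide port range that accidentally covers an RDP port.

```python
from dataclasses import dataclass

# Ports named in the alert: 3389 for RDP, 4125 for SBS 2003 Remote Web Workplace.
RDP_PORTS = {3389: "RDP", 4125: "SBS 2003 Remote Web Workplace"}


@dataclass
class Rule:
    """Simplified firewall rule (constructed model, not the appliance's format)."""
    name: str
    action: str          # "allow" or "deny"
    src_zone: str        # "external" (Internet-facing) or "trusted"; constructed zone names
    proto: str           # "tcp" or "udp"
    ports: tuple         # (low, high) inclusive destination port range
    enabled: bool = True


def rdp_exposure(rules):
    """For each RDP port, evaluate the policy in first-match order for TCP
    traffic arriving from the external zone. Returns {port: rule_name} for
    ports the Internet can reach; ports no rule matches are implicitly denied."""
    findings = {}
    for port in RDP_PORTS:
        for rule in rules:
            if not rule.enabled or rule.src_zone != "external" or rule.proto != "tcp":
                continue
            low, high = rule.ports
            if low <= port <= high:
                if rule.action == "allow":
                    findings[port] = rule.name
                break  # first matching rule decides, whether allow or deny
    return findings


# Constructed sample policy: RDP itself is blocked, but a wide "legacy" range
# silently covers port 4125, and a disabled rule must not count.
SAMPLE_POLICY = [
    Rule("HTTP-In", "allow", "external", "tcp", (80, 80)),
    Rule("RDP-Block", "deny", "external", "tcp", (3389, 3389)),
    Rule("Legacy-App-Range", "allow", "external", "tcp", (4000, 4200)),
    Rule("Old-RDP-In", "allow", "external", "tcp", (3389, 3389), enabled=False),
]

if __name__ == "__main__":
    for port, rule in rdp_exposure(SAMPLE_POLICY).items():
        print(f"TCP {port} ({RDP_PORTS[port]}) is reachable from the Internet via rule {rule!r}")
```

Run against the sample policy, the audit reports only port 4125, exposed by the "Legacy-App-Range" rule; the explicit deny for 3389 stops evaluation before the disabled legacy allow is ever considered.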

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Releases WSM v11.5.1 Update 1: XSS Flaws Corrected

Severity: High

15 December, 2011

Summary:

  • This vulnerability affects: WatchGuard System Manager (WSM) v11.5.1
  • How an attacker exploits it: Multiple vectors of attack, including enticing you to click a maliciously crafted link, or sending specially crafted network traffic through an XTM appliance and having you view the resulting logs in our Web UI
  • Impact: In the worst case, an attacker can execute code in your browser with elevated privileges, possibly hijacking your web browser
  • What to do: Install WSM 11.5.1 Update 1 at your earliest convenience

Exposure:

A few weeks ago, WatchGuard released Fireware XTM OS and WatchGuard System Manager (WSM) v11.5.1. Among other things, this release includes a newly designed Log and Report Manager Web UI, which greatly improves our logging and reporting interface, making it dramatically faster and easier to use.

However, shortly after the release of WSM v11.5.1, we learned of two privately reported and two internally discovered security issues that affect our Log and Report Manager Web UI. WSM v11.5.1 Update 1 fixes all four of those security issues. We describe these issues in a bit more detail below:

  • BUG 64549: Persistent XSS Vulnerability in Log Messages (CVE-2011-4774)

The Log and Report Manager Web UI does not properly sanitize log data it retrieves from the log database, before displaying it in the Web UI. By sending specially crafted traffic through your XTM appliance (such as maliciously crafted email or FTP connections), an attacker can fill your logs with messages that contain malicious web script. When you view these logs within the Log and Report Manager Web UI, they could trigger a Cross-Site Scripting (XSS) vulnerability, which allows the attacker to execute scripts in your web browser under the context of our Web UI. Since these malicious logs would remain in your log database until you specifically deleted them, this flaw is a persistent XSS vulnerability.

In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. That said, a few factors somewhat mitigate the severity of this issue. In order to exploit this flaw, an attacker would have to know you manage a WSM server with v11.5.1. He’d also have to send very specially crafted traffic through your XTM appliance, which would need policies that allow such traffic. Finally, though this attack may allow the attacker to gain elevated privilege in your web browser, it would not give the attacker access to your XTM appliance, or the ability to change firewall rules. Nonetheless, we consider this a fairly serious vulnerability, and recommend you update as soon as you can. We’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: High

  • BUG 64551: Reflected XSS Vulnerability in URL Parameters (CVE-2011-4774)

The Log and Report Manager Web UI also does not properly sanitize inputs entered into certain URL parameters. By enticing you to click onto a specially crafted link, or by intercepting and modifying URL parameters, an attacker could exploit this flaw to trigger another XSS vulnerability. The impact of this flaw is the same as the one described above; an attacker can leverage it to steal web cookies, hijack your web session, or essentially take any action you could in the Log and Report Web UI. This is a reflected XSS flaw since the attack only occurs once, when you click the malicious link.

Like the flaw described above, an attacker would first have to know you manage an XTM appliance with WSM v11.5.1 to exploit this flaw. Furthermore, the attacker would then need to entice you to click a malicious link, which makes this XSS vulnerability slightly less severe than the one described above. Again, we’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: Medium
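Both flaws above have the same root cause: untrusted text (a stored log message in the first case, a URL parameter in the second) is written into the page without HTML escaping. The following is an added example, not WatchGuard's Web UI code; it assumes a hypothetical log table and a hypothetical search page with a "q" parameter, and uses a constructed log line whose message body carries markup. It shows the vulnerable concatenation pattern beside the hardened version, which escapes every untrusted field at output time.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed log rows. The second message is the kind of text an attacker could
# cause to be logged by sending crafted traffic through the appliance.
SAMPLE_LOGS = [
    {"time": "2011-12-15 10:00:01", "msg": "Allow 10.0.1.5 -> 10.0.1.20 smtp"},
    {"time": "2011-12-15 10:00:02", "msg": "MAIL FROM:<script>alert(1)</script>"},
]


def render_rows_unsafe(rows):
    """VULNERABLE pattern (persistent XSS): log text concatenated straight into HTML."""
    return "".join(f"<tr><td>{r['time']}</td><td>{r['msg']}</td></tr>" for r in rows)


def render_rows(rows):
    """Hardened: every value read from the log store is HTML-escaped before output."""
    return "".join(
        f"<tr><td>{html.escape(r['time'])}</td><td>{html.escape(r['msg'])}</td></tr>"
        for r in rows
    )


def _query_param(url, name):
    """Extract one query parameter from a URL (percent-decoding it, as a server would)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_unsafe(url):
    """VULNERABLE pattern (reflected XSS): URL parameter echoed into the page as-is."""
    return f"<p>Results for: {_query_param(url, 'q')}</p>"


def render_search(url):
    """Hardened: the echoed parameter is escaped, including quotes, so it cannot
    break out of text or attribute context."""
    return f"<p>Results for: {html.escape(_query_param(url, 'q'), quote=True)}</p>"


if __name__ == "__main__":
    print(render_rows(SAMPLE_LOGS))
    print(render_search("/logs/search?q=%3Cb%3Ehi%3C%2Fb%3E"))
```

The hardened renderers emit `&lt;script&gt;...` rather than a live tag, so the browser displays the attacker's text instead of executing it; this is the fix a Web UI needs regardless of how the hostile string reached the page.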

  • Two Low-Severity Nessus-Reported Vulnerabilities

Our own internal tests identified two minor security issues in our Log and Report Web UI, which were reported by Nessus scans. You can learn more about these issues from the links provided below:

In both cases, your WSM server is protected by your XTM appliance, making it unlikely that an external attacker could exploit either of these minor flaws. We believe they pose very low risk, but still recommend you apply Update 1 as soon as you can.

Severity: Low

Solution Path:

WSM v11.5.1 Update 1 fixes all four of these security issues. XTM appliance administrators who have installed WSM v11.5.1 should download and install Update 1 at their earliest convenience.

FAQ:

Are any of WatchGuard’s other products affected?

No. To our knowledge, these vulnerabilities only affect the new WSM v11.5.1 Log and Report Manager Web UI.

What exactly are the vulnerabilities?

The worst of these four vulnerabilities are the Cross-Site Scripting (XSS) vulnerabilities, which can allow attackers to execute scripts in your web browser under the context of our Web UI. In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. However, attackers cannot leverage these flaws to gain access to your XTM appliance or change firewall rules.

How serious is the vulnerability?

We believe the two XSS vulnerabilities are fairly serious. However some mitigating factors will likely limit attackers from exploiting these flaws in the real world. In general, XSS flaws can be very dangerous. Tools like the Browser Exploitation Framework (BeEF) have illustrated that attackers can leverage simple XSS flaws to gain significant control of your browser, and possibly your computer. That said, attackers would have to know a lot about you and your organization to exploit these particular XSS vulnerabilities. Specifically, they’d have to know you manage a WSM v11.5.1 server, and either get you to click a link, or view a specific log message in our Web UI. This would likely only happen in a very targeted attack. Furthermore, these flaws would not give the attacker access to your XTM appliance. That said, as a security company, WatchGuard takes any vulnerability in our products very seriously. We suggest you install WSM v11.5.1 Update 1 as soon as possible.

Other than installing Update 1, is there a workaround?

Not really. Obviously, if you avoid clicking malicious phishing links, then an attacker couldn’t exploit the reflected XSS attack. However, even the most savvy security professional sometimes can click the wrong link. If you do not allow any incoming traffic through your XTM appliance, then an attacker may not be able to booby-trap your log files with specially crafted messages. However, most organizations have policies to at least allow email traffic. This alone could allow an external attacker to corrupt your logs. We highly recommend you install WSM v11.5.1 Update 1 to correct these issues.

Where can I go to get the hotfix?

WSM 11.5.1 Update 1 is currently available in the Articles & Software section of WatchGuard’s Support Center. Look for it under the Management Software section for your XTM appliance.

How was this vulnerability discovered?

Two of these vulnerabilities were discovered by Wayne Murphy of Sec-1 (@Sec1Ltd), and confidentially reported to WatchGuard. We thank Mr. Murphy for working with us to keep our customers secure. The remaining issues were discovered internally.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Senior Network Security Strategist
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

Patch BIND 9 to Avoid DNS Outages

Earlier this week, the Internet Systems Consortium (ISC) released a BIND 9 update to fix two serious Denial of Service (DoS) vulnerabilities in the popular, open source DNS server software.

The two DoS flaws differ technically, but essentially share the same scope and impact. By sending specially crafted packets to your BIND 9 server, an attacker could leverage these flaws to either crash BIND, or cause it to exit. In either case, by repeatedly exploiting this flaw an attacker could drastically affect your DNS service, thus preventing your users from browsing the web.

That said, one of the two flaws only affects BIND 9 servers which have recursion enabled, and which use a special feature called “Response Policy Zones” (RPZ). In fact, the flaw only affects BIND servers that have RPZ zones with specific rule or action patterns. These factors significantly mitigate the severity of that particular flaw.

In any case, if you run a BIND 9 server, I recommend you download and install the BIND 9.8.0-P4 update to correct these vulnerabilities.

You can learn more about these two vulnerabilities at ISC’s BIND advisory page, or at the individual advisory links below:

Corey Nachreiner, CISSP (@SecAdept)

Potential Zero Day Cisco IOS DoS Vulnerabilities

According to posts on the Bugtraq mailing list [ 1 / 2 ], Cisco’s popular router and switch operating system — IOS — suffers from two zero day Denial of Service (DoS) vulnerabilities. These advisories come from the penetration test team of NCNIPC (China).

The advisories share minimal technical details about the two supposed flaws. They do say attackers can trigger one DoS with a UDP packet flood and the other with an SNMP packet sent to improper ports. In either case, the attack can put your IOS devices in a non-responsive state, requiring a reboot. By carrying out this sort of attack against your gateway router, an attacker can fairly easily knock you offline.

Cisco has since replied to these vulnerability allegations, saying they are researching the situations. However, they did not confirm or deny the DoS flaws, nor have they had time to release patches. Until they do, you can mitigate the risk of one of the flaws by disabling SNMP on your IOS device.

We’ll let you know more as soon as Cisco shares more complete details about these flaws. In the meantime, keep your eyes out for UDP floods. — Corey Nachreiner, CISSP
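"Keep your eyes out for UDP floods" is easier with a concrete rule. The following is an added example, not Cisco or WatchGuard code; it assumes a constructed one-line-per-packet traffic log format ("<ISO timestamp> <proto> <src> -> <dst>:<port>") and builds its own sample, since no real log is on the page. It buckets UDP packets per source/destination pair into fixed time windows and flags pairs whose packet count in any single window reaches a threshold, which is the basic shape of a flood detector.

```python
from collections import Counter
from datetime import datetime


def parse_flow(line):
    """Parse one constructed log line of the form
    '2011-06-01T12:00:00 udp 10.0.0.5 -> 10.0.0.1:53'."""
    ts, proto, src, _arrow, dst = line.split()
    epoch = int(datetime.fromisoformat(ts).timestamp())
    dst_ip, dst_port = dst.rsplit(":", 1)
    return epoch, proto.lower(), src, dst_ip, int(dst_port)


def udp_flood_sources(lines, window_s=1, threshold=100):
    """Count UDP packets per (src, dst) pair within fixed windows of window_s
    seconds. Returns {(src, dst): peak_count} for pairs that hit the threshold
    in at least one window; TCP and other protocols are ignored."""
    buckets = Counter()
    for line in lines:
        epoch, proto, src, dst_ip, _port = parse_flow(line)
        if proto != "udp":
            continue
        buckets[(src, dst_ip, epoch // window_s)] += 1

    peaks = {}
    for (src, dst_ip, _window), count in buckets.items():
        if count >= threshold:
            key = (src, dst_ip)
            peaks[key] = max(count, peaks.get(key, 0))
    return peaks


def build_sample_log():
    """Constructed sample: a few benign DNS lookups and one web connection from
    an internal host, then 150 UDP packets in a single second from one source
    toward the gateway's address, sprayed across ports."""
    lines = [
        "2011-06-01T12:00:00 udp 10.0.0.5 -> 10.0.0.1:53",
        "2011-06-01T12:00:01 tcp 10.0.0.5 -> 192.0.2.10:80",
        "2011-06-01T12:00:02 udp 10.0.0.5 -> 10.0.0.1:53",
    ]
    lines += [
        f"2011-06-01T12:00:02 udp 198.51.100.7 -> 203.0.113.1:{port}"
        for port in range(1024, 1174)
    ]
    return lines


if __name__ == "__main__":
    for (src, dst), peak in udp_flood_sources(build_sample_log()).items():
        print(f"UDP flood candidate: {src} -> {dst}, peak {peak} packets/second")
```

The threshold and window are deliberately parameters: a busy DNS resolver legitimately sends far more than 100 UDP packets a second to its forwarders, so tune both against your own baseline before alerting on the result.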

IIS FTP Service Buffer Overflow Vulnerability

Severity: High

8 February, 2011

Summary:

  • This vulnerability affects: The IIS FTP service running on Windows Vista, 2008, 7, and 2008 R2
  • How an attacker exploits it: By sending a specially crafted FTP command
  • Impact: In the worst case, an attacker gains complete control of your IIS server
  • What to do: Deploy the appropriate IIS update immediately, or let Windows Automatic Update do it for you

Exposure:

Internet Information Services (IIS) is the popular web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes a serious vulnerability that affects the optional FTP server that comes with the latest versions of IIS. Specifically, the IIS FTP service suffers from a buffer overflow vulnerability involving the way it handles specially crafted FTP commands (or more specifically, specially encoded characters in an FTP response). By sending such a malformed FTP command, an attacker could exploit this vulnerability to either put your FTP server into a Denial of Service (DoS) state, or to gain complete control of it. An attacker does not have to authenticate to your FTP server to launch this attack.

However, IIS does not install or start the IIS FTP service by default. You are only vulnerable to this attack if you have specifically installed and started this service. That said, many administrators do enable IIS’s FTP service in order to give web administrators an easy way to update their web sites. If you are one of those administrators, you should consider this flaw a serious risk.

Researchers have already publicly released Proof-of-Concept (PoC) exploit code demonstrating the DoS version of this flaw. Whether or not you are using the IIS FTP service, we still recommend you download, test and install this update as soon as you can. Being a critical server update, we highly recommend you test it on non-production servers before pushing it to your real web site.

Solution Path:

Download, test, and deploy the appropriate IIS patches immediately, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

This attack leverages seemingly normal FTP response traffic. You should apply the updates above.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Microsoft Exchange and Windows SMTP Service DoS Vulnerability

Summary:

  • This vulnerability affects: All current versions of Exchange Server and many versions of Windows
  • How an attacker exploits it: By sending specially crafted network traffic (malicious DNS MX record responses)
  • Impact: Multiple impacts, in the worst case an attacker can crash your mail server, preventing you from receiving email
  • What to do: Deploy the appropriate Exchange Server or Windows patch as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. Exchange is a stand-alone program, separate from Windows; however, many versions of Windows also ship with a basic SMTP service that can receive email.

In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Exchange, as well as the SMTP service that ships with many versions of Windows. The worst of these flaws has to do with how Exchange handles specially crafted DNS Mail Exchanger (MX) records. Basically, the SMTP service will hang indefinitely when it attempts to parse a specially crafted MX record. In order to exploit this vulnerability, an attacker would have to set up a malicious DNS Server for a domain they controlled. Then the attacker would have to send you an email containing addresses from that domain. When your mail server tries to request the MX record associated with this domain, it encounters the attacker’s specially crafted MX record, and will hang until you manually reboot it. This results in a Denial of Service (DoS) situation for email.

Microsoft’s bulletin also describes a lower risk information disclosure vulnerability in Exchange. By sending specially crafted SMTP commands, an attacker may be able to retrieve random email fragments from your server’s memory. We recommend you download and install the Exchange and Windows updates as soon as possible, in order to fix both these issues.

Solution Path:

Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange and Windows patches as soon as possible.

For All WatchGuard Users:

An attacker can exploit the worst of these vulnerabilities by sending normal emails, which you must allow through your firewall if you have an internal email server. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

Cisco Biannual Patch Day: Seven DoS Advisories Primarily Affect IOS

Summary:

  • These vulnerabilities affect: Devices running Cisco IOS and Cisco UCM
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: Various Denial of Service (DoS) issues that can force a Cisco device to crash, reload, or halt. One may also allow an attacker to execute code
  • What to do: Administrators who manage Cisco IOS or UCM devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Yesterday, Cisco released seven security advisories as part of their biannual patch day, which falls on the fourth Wednesday of March and September. All of these advisories cover Denial of Service (DoS) security vulnerabilities that primarily affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers. That said, attackers could potentially leverage one of the IOS DoS flaws to execute code on your IOS device, potentially gaining control of it. Finally, one of the advisories also covers a DoS in Unified Communications Manager (UCM), which is Cisco’s enterprise-level, IP telephony call-processing system.

While Cisco’s IOS advisories differ technically, all of them cover vulnerabilities that attackers could exploit in DoS attacks. For a complete list of today’s Cisco advisories, check out Cisco’s Bundled Advisory for March 24th or their Security Advisories page. We summarize three of the IOS advisories below:

Cisco Document ID 111448: IOS SIP DoS and code execution vulnerabilities.

The Session Initiation Protocol (SIP) is a multimedia communication standard used to make voice and video calls over an IP network. IOS’s SIP implementation suffers from three unspecified vulnerabilities involving the way it handles SIP Messages. By sending specially crafted SIP packets, a remote attacker could exploit these vulnerabilities to either reload your IOS device, or to potentially execute code on your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit the DoS vulnerabilities to knock your network offline. In the case of code execution, the attacker could potentially gain complete control of your IOS device.
Base CVSS Score: 10

Cisco Document ID 111265: IOS H.323 DoS vulnerabilities.

H.323 is a protocol designed to stream multimedia over a network, and often used in video conferencing. IOS’s H.323 implementation suffers from two unspecified vulnerabilities involving the way it handles H.323 traffic. By sending specially crafted H.323 packets, a remote attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 111266: IOS IPsec DoS vulnerability.

IPsec is a VPN standard designed to allow you to securely tunnel private communications over the Internet. IOS’s IPsec implementation suffers from a flaw in the way it handles specially crafted IPsec IKE packets. By sending specially crafted IKE packets to your Cisco device, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8

The remaining advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s March vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for March 2010.

Cisco also published an advisory describing a DoS vulnerability in their Unified Communications Manager (UCM). If you use Cisco UCM, be sure to apply these patches as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software or Cisco’s Unified Communications Manager (UCM), you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of the advisories listed in Cisco’s bundled security advisory for March 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:
