########################################################################

Updated April 26th 2004 03:12 UTC
New LSASS RPC exploit; Port 443; The Week Ahead
New LSASS RPC Exploit
Exploit code has been posted (not yet confirmed as functional) that would allow an attacker to take advantage of a remote buffer overflow in the Local Security Authority Subsystem Service (LSASS). One of the vulnerabilities fixed in Microsoft's recent MS04-011 release (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) affects the LSA service. LSASS provides an interface for managing local security, domain authentication and Active Directory processes. LSASS fails to check the length of a message before passing it on to the appropriate service, so a crafted message overflows a buffer; a successful exploit lets an attacker execute arbitrary code and gain complete control of the system. If you have not already applied the patch, do so now.

http://www.eeye.com/html/Research/Advisori...D20040413C.html

Port 443
In light of the recent vulnerability in the Private Communications Transport (PCT) protocol of the Windows SSL library (also fixed in MS04-011), we have been watching traffic on port 443. At the moment, targets and records are up and sources are slightly elevated; that pattern is consistent with increased scanning rather than with a worm. So far there are no reports of worm-like activity. This could change in the near future, so stay alert, and if you see increased activity on port 443, please let us know.

The Week Ahead
With all the new vulnerabilities, viruses, worms and exploit code published recently, it is important that everyone stays alert. It is easy to become complacent when you hear about potential activity and it doesn't materialize. The week ahead may prove very active given the recent events. Watch your network traffic and stay alert! Please let us know if you see anything unusual happening on your network.


-------------------------------------------------------------------------------

April 29, 2004

The following is a free email newsletter highlighting the latest trends and issues in network security. This newsletter is written for IT professionals, network security professionals, and those interested in learning more about the security industry.

--------------------------------------------------------------------------------

IN THIS ISSUE

1. TECH TALK
• “Beat the Worm:” A Guide to Mitigating Critical Flaws

2. NEWS AND ARTICLES
• eWeek: Compromise Likely of Serious Windows SSL Vulnerability
• eWeek: Microsoft Patches More Windows Holes
• SearchSecurity.com: TCP Protocol Flaw: The Sky Isn't Falling
• NetworkWorldFusion.com: Cisco Warns of More Critical Software Holes

3. READER Q&A
• What are the workarounds for the LSASS Vulnerability?

4. ANNOUNCEMENTS
• Now Available: Retina® Remediation Manager
• Upcoming Webinar: Vulnerability Expert Forum
• News Release: eEye® Digital Security Extends Vulnerability Management Offering
• Upcoming Webinar: How to Achieve Operational Efficiency with Retina Enterprise

5. ETCETERA
• CNN.com: Microsoft Releases Flurry of 'Critical' Patches
• eWeek.com: How Long Is Too Long to Develop a Patch?



TECH TALK

“Beat the Worm:” A Guide to Mitigating Critical Flaws
Part 1: Critical Flaw or Red Herring?

Every day, network administrators are deluged by hundreds of potential software flaws: identifying the critical ones, prioritizing fixes, and ensuring the remedy does not cause additional issues, all before the first cup of coffee. Part one of this four-part series looks at the motivation behind an attack.

Worm writers take critical security flaws discovered in widely used software products and build attacks around them, frequently in the form of a worm designed solely to exploit one particular flaw. Worms are quite possibly the most aggressive threat a security professional faces when protecting a network infrastructure. Stringent corporate security policies and the use of third-party software can dramatically aid in the prevention and remediation of such threats.

Upon discovery of a critical vulnerability, prioritizing patches to fix software flaws is a daunting task for any network administrator. Each time security professionals prioritize the remediation of a software flaw, there is a risk of causing complications within the infrastructure. The increasing size and complexity of IT architectures exacerbates these complications, which can cost a company a substantial amount of time and money. Software compatibility issues, broken patches or improper implementations are all examples of problems that can arise from a rushed remediation strategy. For this reason, security professionals need to gauge the threat level of a given software flaw accurately so they can prioritize its remediation and begin deploying the necessary patch or third-party software solution.

Worm Writer Motivation
The creator of a worm is usually motivated personally, politically or financially, and often by a combination of these. A personally motivated worm writer will often design and release a worm just for the challenge of doing something that hasn't been done before, or simply to see how much havoc it can cause; some virus and worm writers take pride in their malicious creations and keep writing new and improved worms solely for personal satisfaction. Political motivations usually stem from conflict between two or more countries or groups, and worm writers who otherwise keep to themselves can be drawn into action quickly during times of serious political conflict. For example, the Code Red worm was designed to attack English-language versions of the operating system, and it appeared after the serious political fallout of the second quarter of 2001. Financial motivation is self-explanatory; it is seen as the least likely motivator but does exist. A worm writer working for financial gain can be offered a substantial amount of money to design or release a worm against a particular company, infrastructure or country.

Regardless of a worm writer's motivation, network administrators need to remain vigilant. Implementing a proactive security strategy that incorporates ongoing vulnerability assessment with constantly updated vulnerability checks is crucial. When choosing a vulnerability scanner, look for one that can prioritize, schedule and automate remediation activities. This allows effective patch management without the tedious task of applying patches manually across a distributed enterprise. Visit http://www.eeye.com for more information.

Next issue: Part 2: The Complexity of Flaw Exploitation

Source: eEye’s Research Team


NEWS AND ARTICLES

The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

eWeek: Compromise Likely of Serious Windows SSL Vulnerability
"Security experts are monitoring what appears to be a coordinated effort to exploit a known vulnerability in the Secure Sockets Layer (SSL) implementation in Windows, and say that there may be a worm doing some of the work."
http://www.eeye.com/html/Newsletter/Versa/...8.html?rd=news1

eWeek: Microsoft Patches More Windows Holes
"It’s security bulletin release Tuesday for Microsoft. The company issued four new security bulletins—all of which pertain to Windows vulnerabilities. Three of the new patches the company rated 'critical,' and the other, 'important.'"
http://www.eeye.com/html/Newsletter/Versa/...8.html?rd=news2

SearchSecurity.com: TCP Protocol Flaw: The Sky Isn't Falling
"A critical vulnerability, affecting multiple vendors, has been identified in the Transmission Control Protocol (TCP) used for Internet connections, mainly routing infrastructure including networked operating systems and network equipment. However, experts say the problem is being corrected and isn't that big of a deal."
http://www.eeye.com/html/Newsletter/Versa/...8.html?rd=news3

NetworkWorldFusion.com: Cisco Warns of More Critical Software Holes
"Cisco warned its customers about two critical security holes that affect almost every product the company makes. The vulnerabilities could be used by malicious hackers to create so-called "denial of service" (DoS) attacks, causing Cisco products to abruptly restart or drop active connections with other devices."
http://www.eeye.com/html/Newsletter/Versa/...8.html?rd=news4


READER Q&A

Q: What are the workarounds for the LSASS vulnerability?

While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. Where a workaround reduces functionality, that is noted below.

Use a personal firewall.
If you use the Internet Connection Firewall feature in Windows XP or Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.

Block the following ports at the firewall:
• UDP ports 135, 137, 138 and 445, and TCP ports 135, 139, 445 and 593
• All unsolicited inbound traffic on ports greater than 1024
• Any other specifically configured RPC port

Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For additional information about how to configure TCP/IP filtering, refer to Microsoft Knowledge Base article 309798.

Block the affected ports using IPSec on the affected machines.
You can secure network communications by using Internet Protocol Security (IPSec). IPSec lets you control both inbound and outbound traffic, as opposed to just inbound traffic, so for additional security consider using IPSec to block the affected ports as well.
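The Port 443 diary entry above reads DShield's per-port counts (records, sources, targets), and the workaround list in this Q&A names the ports a firewall must block. The script below is an added example, not code from the ISC diary or from eEye, that does both against a single host's Windows Firewall log: it builds the same three counts per destination port and compares them with a baseline to flag elevated scanning, and it lists any inbound packet on a workaround port that the firewall did not drop, which would mean the block is not actually in effect. The log lines, the baseline figures and the threshold factor are constructed for the example; the parser keys on the log's own #Fields header, so a real pfirewall.log with columns in a different order is handled the same way.

```python
"""Per-port traffic summary and workaround check over a Windows Firewall log.

Added example (not code from the ISC diary or the eEye newsletter).  The log
lines and baseline figures below are constructed for illustration.  Records are
parsed by the #Fields header, so a real pfirewall.log whose columns are in a
different order is handled the same way.
"""
from collections import defaultdict

# Ports the Q&A above says to block at the firewall (MS04-011 workaround).
WORKAROUND_PORTS = {"UDP": {135, 137, 138, 445}, "TCP": {135, 139, 445, 593}}

# Constructed sample in Windows Firewall log format; not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-04-26 03:01:11 DROP TCP 198.51.100.7 10.0.0.5 4123 443 48 S 1 0 65535 - - - RECEIVE
2004-04-26 03:01:12 DROP TCP 198.51.100.7 10.0.0.6 4124 443 48 S 1 0 65535 - - - RECEIVE
2004-04-26 03:01:13 DROP TCP 198.51.100.9 10.0.0.5 2200 443 48 S 1 0 65535 - - - RECEIVE
2004-04-26 03:01:20 DROP TCP 203.0.113.4 10.0.0.5 3301 443 48 S 1 0 65535 - - - RECEIVE
2004-04-26 03:02:02 DROP TCP 203.0.113.4 10.0.0.7 3302 445 48 S 1 0 65535 - - - RECEIVE
2004-04-26 03:02:05 OPEN-INBOUND TCP 203.0.113.4 10.0.0.7 3303 445 - - - - - - - - RECEIVE
2004-04-26 03:02:09 DROP UDP 203.0.113.4 10.0.0.7 1027 137 78 - - - - - - - RECEIVE
2004-04-26 03:03:00 OPEN TCP 10.0.0.5 192.0.2.80 1055 80 - - - - - - - - SEND
"""

# Assumed "normal day" figures for the same host, used to judge elevation.
BASELINE = {
    ("TCP", 443): {"records": 1, "sources": 1, "targets": 1},
    ("TCP", 445): {"records": 5, "sources": 3, "targets": 2},
}


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated or malformed lines
                records.append(dict(zip(fields, parts)))
    return records


def inbound(records):
    """Inbound records that carry a destination port (drops and allows alike)."""
    return [r for r in records if r["path"] == "RECEIVE" and r["dst-port"] != "-"]


def port_metrics(records):
    """The three DShield-style counts per (protocol, dst-port):
    records = log lines, sources = distinct src-ip, targets = distinct dst-ip."""
    acc = defaultdict(lambda: {"records": 0, "sources": set(), "targets": set()})
    for r in inbound(records):
        a = acc[(r["protocol"], int(r["dst-port"]))]
        a["records"] += 1
        a["sources"].add(r["src-ip"])
        a["targets"].add(r["dst-ip"])
    return {k: {"records": v["records"], "sources": len(v["sources"]),
                "targets": len(v["targets"])} for k, v in acc.items()}


def elevated(metrics, baseline, factor=2.0):
    """Ports whose counts exceed factor x baseline, naming the counts that did;
    a port with no baseline at all is reported as 'new'."""
    flagged = {}
    for key, m in metrics.items():
        base = baseline.get(key)
        if base is None:
            flagged[key] = "new"
            continue
        over = [n for n in ("records", "sources", "targets") if m[n] > factor * base[n]]
        if over:
            flagged[key] = over
    return flagged


def workaround_violations(records):
    """Inbound traffic on a workaround port that the firewall did NOT drop:
    if this list is non-empty, the block described in the Q&A is not in effect."""
    return [(r["time"], r["action"], r["protocol"], r["src-ip"], int(r["dst-port"]))
            for r in inbound(records)
            if int(r["dst-port"]) in WORKAROUND_PORTS.get(r["protocol"], set())
            and r["action"] != "DROP"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, m in sorted(port_metrics(recs).items()):
        print(f"{key[0]}/{key[1]:<5} records={m['records']} sources={m['sources']} targets={m['targets']}")
    print("elevated vs baseline:", elevated(port_metrics(recs), BASELINE))
    print("workaround violations:", workaround_violations(recs))
```

On the sample, TCP/443 is flagged on records and sources (four probes from three hosts against a one-per-day baseline) while targets stays within the factor, which mirrors the diary's "records and targets up, sources slightly elevated" reading; the one OPEN-INBOUND on TCP/445 is reported as a violation because a host with the workaround applied should show only DROPs there. Point the script at a real log by replacing SAMPLE_LOG with the file contents and set BASELINE from a quiet period on the same host rather than from the assumed figures.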

>> Have a question you would like answered? Send it to editor@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.


ANNOUNCEMENTS

Now Available: Retina® Remediation Manager
Retina Remediation Manager is a fast, effective patch and configuration automation solution which allows for the efficient planning and execution of remediation activities. Enterprises that perform regular vulnerability assessments are frequently faced with the daunting task of remediating hundreds, if not thousands, of workstations and servers. Click here to learn how to eliminate the burden of manually patching your systems.
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=ann1

Upcoming Webinar: Vulnerability Expert Forum
eEye Digital Security will be hosting special web seminars focusing on recently announced critical vulnerabilities. Prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, such as Marc Maiffret, where we explore the impact high-risk vulnerabilities and exploits have on network environments and infrastructures. Our experts will provide in depth knowledge about these issues and the solutions eEye Digital Security provides to detect and protect against current and future critical software flaws and security weaknesses.
Date/Time: North America: Wednesday, May 12 @ 1pm PST / 4pm EST
Date/Time: Europe: Thursday, May 13 @ 15:30 GMT - 16:30 CET
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=ann2

News Release: eEye® Digital Security Extends Vulnerability Management Offering
eEye released REM™ 2.0 Security Management Platform on March 22, 2004. REM 2.0 enables organizations to proactively address network security threats, enforce security policies and automate remediation activities, all from a secure, web-based management console.
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=ann3

Upcoming Webinar: How to Achieve Operational Efficiency with Retina Enterprise
During this webcast, we’ll discuss some of the common misconceptions about security layers and why vulnerability assessment and remediation is a critical component to your overall network security strategy. This webinar will also provide a hands-on look at Retina Network Security Scanner and how you can use vulnerability assessment to quickly identify issues within your network and take corrective actions to proactively fix vulnerabilities before they’re exploited.
Date/Time: Thursday, May 13 @ 11am PST / 2pm EST
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=ann4


ETCETERA


CNN.com: Microsoft Releases Flurry of 'Critical' Patches
Microsoft Corp. has released three critical patches to fix security flaws that could allow an attacker to take over another computer user's Windows operating system. A fourth patch, which the company called "important," also fixes a similar vulnerability in the Windows operating system that is used on more than 90 percent of the world's computers.
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=etc1

eWeek.com: How Long Is Too Long to Develop a Patch?
A disturbing pattern is emerging from the last couple of months' worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case.
http://www.eeye.com/html/Newsletter/Versa/...28.html?rd=etc2

##############################################################################