Cisco AsyncOS Patch , (Fri, Mar 21st)

 SANS Internet Storm Center, Security Alerts  Comments Off on Cisco AsyncOS Patch , (Fri, Mar 21st)
Mar 202014
 

Cisco released a patch for AsyncOS, the operating system used in it's E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).

The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is pared, arbitrary commands are executed.

This sounds like an OS command injection vulnerability. The parameters (assumed to be IP addresses) are likely passed as arguments to a firewall script, but if the address includes specific characters (usually ; or & ?) , additional commands can be executed.

Time to patch, but given that the attacker has to be authenticated, makes this a less severe vulnerability then other arbitrary code execution vulnerabilities.

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Normalizing IPv6 Addresses, (Thu, Mar 20th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Normalizing IPv6 Addresses, (Thu, Mar 20th)
Mar 202014
 

One of the annoyances with IPv6 addresses is that they may be abbreviated. Leading "0"s may be omitted, and groups of all ":0000:" may be replaced with "::". The key annoyance is the word "may". Some logs (for example iptables) will not abbreviate, others, like for example nginx or apache, will abbreviate, making correlating logs more difficultly.

Lately, I started using a little perl script to "normalize" my IPv6 addresses in logs. The script will insert all the missing "0"s making it easier to find a specific IP address. The script I am using:

#!/usr/bin/perl
 
use strict;
 
while (<> ) {
    my $line=$_;
    if ( $line=~/[0-9a-f:]+/ ) {
my $old=$&;
        my $new=fillv6($old);
$line=~ s/$old/$new/;
    }
    print $line;
}
 
 
sub fillv6 {
    my $in=shift;
    $in =~ s/^:/0000:/;
    my @parts=split(/:/,$in);
    my $partn=scalar @parts;
    if ( $partn < 7 ) {
my $x= ':0000' x (9-$partn);
$in =~ s/::/$x:/;
$in =~ s/:://g;
@parts=split(/:/,$in);
    }
    while ( my $part=each(@parts) ) {
$parts[$part] = sprintf("%04s",$parts[$part]);
    }
    return join(':',@parts);
}
What I could use is a bit more diverse IPv6 logs to see if it covers all possible cases. The script is right now in a "works for me" state, so let me know if it works for you too.
 

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Full Disclosure list shuts down, (Wed, Mar 19th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Full Disclosure list shuts down, (Wed, Mar 19th)
Mar 192014
 

The Full Disclosure mailing list which is at times an interesting source of information, other times entertainment and sometimes a source of frustration is shutting down.  John Cartwright posted a message announcing the closure on the site (http://seclists.org/fulldisclosure/2014/Mar/332).  

I for one thank John and Len for the list.  It is a shame to see it go.  I'll miss the technical components.  I won't miss the reasons for taking this decision. 

M

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Mozilla released updates for Firefox ( v 28.0), Thunderbird (v 24.4) and Firefox Extended Support Release (ESR) updates to 24.4.0 (Fixes include the issues highlighted at the pwn2own contest.), (Wed, Mar 19th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Mozilla released updates for Firefox ( v 28.0), Thunderbird (v 24.4) and Firefox Extended Support Release (ESR) updates to 24.4.0 (Fixes include the issues highlighted at the pwn2own contest.), (Wed, Mar 19th)
Mar 182014
 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Call for packets dest 5000 or source 6000, (Tue, Mar 18th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Call for packets dest 5000 or source 6000, (Tue, Mar 18th)
Mar 182014
 

There are two events I'm interested in following up at the moment.  A few reports mentioned that scans to destination port 5000 seem to be popular at the moment. (https://isc.sans.edu/port.html?port=5000).  So if you have a few spare packets that would be great.  In this instance I'm not looking for log records only pcaps.  

Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses. eg.  IP address A  scanning target 1089-1099.  IP address B scanning target 1100-1110, etc.  If you have log records or packets for trafic from source port 6000 to multiple ports or IP addresses in your environment I'd be interested in taking a look.  

We've seen both of these previously, but certainly like to see if it is the same or something different.  

Thanks

Mark H 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

%d bloggers like this: