Cisco AsyncOS Patch , (Fri, Mar 21st)

 SANS Internet Storm Center, Security Alerts  Comments Off on Cisco AsyncOS Patch , (Fri, Mar 21st)
Mar 202014
 

Cisco released a patch for AsyncOS, the operating system used in it's E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).

The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is pared, arbitrary commands are executed.

This sounds like an OS command injection vulnerability. The parameters (assumed to be IP addresses) are likely passed as arguments to a firewall script, but if the address includes specific characters (usually ; or & ?) , additional commands can be executed.

Time to patch, but given that the attacker has to be authenticated, makes this a less severe vulnerability then other arbitrary code execution vulnerabilities.

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Normalizing IPv6 Addresses, (Thu, Mar 20th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Normalizing IPv6 Addresses, (Thu, Mar 20th)
Mar 202014
 

One of the annoyances with IPv6 addresses is that they may be abbreviated. Leading "0"s may be omitted, and groups of all ":0000:" may be replaced with "::". The key annoyance is the word "may". Some logs (for example iptables) will not abbreviate, others, like for example nginx or apache, will abbreviate, making correlating logs more difficultly.

Lately, I started using a little perl script to "normalize" my IPv6 addresses in logs. The script will insert all the missing "0"s making it easier to find a specific IP address. The script I am using:

#!/usr/bin/perl
 
use strict;
 
while (<> ) {
    my $line=$_;
    if ( $line=~/[0-9a-f:]+/ ) {
my $old=$&;
        my $new=fillv6($old);
$line=~ s/$old/$new/;
    }
    print $line;
}
 
 
sub fillv6 {
    my $in=shift;
    $in =~ s/^:/0000:/;
    my @parts=split(/:/,$in);
    my $partn=scalar @parts;
    if ( $partn < 7 ) {
my $x= ':0000' x (9-$partn);
$in =~ s/::/$x:/;
$in =~ s/:://g;
@parts=split(/:/,$in);
    }
    while ( my $part=each(@parts) ) {
$parts[$part] = sprintf("%04s",$parts[$part]);
    }
    return join(':',@parts);
}
What I could use is a bit more diverse IPv6 logs to see if it covers all possible cases. The script is right now in a "works for me" state, so let me know if it works for you too.
 

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Adobe Updates: Flash Player, (Tue, Mar 11th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Adobe Updates: Flash Player, (Tue, Mar 11th)
Mar 112014
 

Adobe released a new version of Flash Player as part of today's patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embeded version of Flash.

 

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

NTP reflection attacks continue, (Mon, Feb 17th)

 SANS Internet Storm Center, Security Alerts  Comments Off on NTP reflection attacks continue, (Mon, Feb 17th)
Feb 172014
 
 
As we discussed here back in January, there has been a significant rise in large Network Time Protocol (NTP) reflection DDoS attacks. In such an attack, an attacker sends a crafted packet that requests a large amount of data that is ultimately sent to the spoofed host. 
 
In our previous post[1], we discussed in detail the “monlist” command but it’s not just “monlist” that can be abused but many level-6 and level-7 commands such as “showpeer”, “sysstats”, “peers”, “listpeers”.
 
To lock down your NTP server, please follow our previous post and upgrade your NTP version as outlined by US-Cert here[2].
 
Additionally, as a FYI, a recent US Cert alert [3] identified other possible sources of UDP amplification attacks and it is recommended to review.
 
For those that think, well that won't happen to me or "Who cares, DDoS attacks have been happening since 1999" this year has already shown an excessive number of public attacks using NTP, creating a devastating flood of traffic to anyone without top notch mitigation* measures lined up. And we're only in February.
 
Brian Krebs's web site, a reporter that write about cyber security stories,  was hit by a 200Gbps of NTP traffic over the last week [4]. Brian reports how and by whom launched the attack in a detail story that's well worth a read. It's not just small targets; since the start of 2014, as reported here, many online gaming websites have been targeted through these reflection-type attacks with the attackers taking to Twitter to announce the upcoming attack and later bask in the glory. The latest Arbor report [5] talks about this in further detail, mentions attacks of up to 309Gbps and names the relevant Twitter IDs tweeting about DDOS. Cloudflare indicated that the attack they saw earlier this week was 400Gbps. The sheer size of these attacks mean that they just don’t break the target but significant areas of the Internet, i.e. large collateral damage.
 
If you see NTP reflection attacks being targeted towards you, the standard best practice follows – 
 
• Apply ACLs to your perimeter network and as far possible upstream 
 
• Work with your ISP(s) to do the same [6]
 
• Lock down your own NTP servers and other UDP-listening servers 
 
• If you detect open ntp servers, report them to the Open NTP project [7]
 
For those that are looking for a handy DDoS quick reference guide explaining the different DDoS attack http://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
 
* For the majority of businesses DDoS mitigation has a financial cost associated with it that increases upward for increased protection
 
[1] https://isc.sans.edu/diary/NTP+reflection+attack/17300
[2] https://www.us-cert.gov/ncas/alerts/TA14-013A
[3] https://www.us-cert.gov/ncas/alerts/TA14-017A 
[4] http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
[5] http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
[6] http://www.ietf.org/rfc/rfc3704.txt 
[7] http://openntpproject.org/
 

Chris Mohan — Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Advance Notification for February 2014, (Fri, Feb 7th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Microsoft Advance Notification for February 2014, (Fri, Feb 7th)
Feb 062014
 

Today Microsoft published the advance notification for this months security bulletins. The bulletins will be published on February 11th (coming Tuesday) [1]. Again, we will have a pretty light patch day, with only 5 bulletins, and only 2 of these bulletins are considered critical.

Noteworthy: No Internet Explorer patches and no Office Patches. We will only see Windows Patches, a patch for .Net and a "Security Software" patch.  

Not part of the patch Tuesday, but still happening on the same day: Microsoft will no longer allow MD5 hashes for certificates. This may be difficult for some applications that haven't been changed over yet, even though Microsoft gave ample warning, and MD5 hashes have been shown to be badly broken for certificate signatures for a few years now. Just earlier today I ran into a brand new Axis, pretty expensive,  network camera that only allows the use of MD5 hashed certificate signatures.

 

[1] http://technet.microsoft.com/en-us/security/bulletin/ms14-feb

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

%d bloggers like this: