SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-08 InfoSec Handlers Diary Blog



Cisco is back, so you can go read up on their new advisories (<--- See! English)

Published: 2007-08-08
Last Updated: 2007-08-08 22:19:56 UTC
by Tom Liston (Version: 1)
0 comment(s)

Here they are:

1: Cisco Security Advisory: Cisco IOS Secure Copy Authorization Bypass Vulnerability
2: Cisco Security Advisory: Cisco IOS Next Hop Resolution Protocol Vulnerability
3: Cisco Security Advisory: Cisco IOS Information Leakage Using IPv6 Routing Header
4: Cisco Security Advisory: Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Issue 1:
IOS has the capability to act as an SCP server (through the addition of the IOS Secure Copy Server service).  There is a flaw in this service that allows any valid user to access any file on the Cisco device (including device configuration files).

Issue 2:
There is an issue with Cisco's implementation of the Next Hop Resolution Protocol (NHRP) that could potentially cause a device restart or (possibly) code execution on the device.  The issue affects NHRP running at all layers (Layer 2, GRE / mGRE, or at the IP layer).

Issue 3:
Specially crafted IPv6 packets with a type 0 routing header can cause information leakage or a crash of the affected IOS or IOS XR devices. 

Issue 4:
There are voice-related vulnerabilities in multiple protocols [Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), the H.323 and H.254 signaling protocols, Real-time Transport Protocol (RTP), and facsimile reception]. These issues affect IOS (if voice services are enabled), and one (SIP-related) is also found in Cisco Unified Communications Manager.

Mitigating factors:

1: Not much... user needs a login, but after that, it's pretty much game-over.
2: Layer 2 only... attacker needs to be on the same link
3: Only the IPv6 subsystem crashes... IPv4 appears (from the advisory) to still function
4: Uh... not much... patch this 'un now... The others can potentially wait for testing; this one can't.

If you're doing VoIP stuff w/Cisco hardware, then Issue #4 is a definite must-do... other than that, prioritizing these is difficult because they all are very "configuration-centric."  Sorry...


Sheesh...

Published: 2007-08-08
Last Updated: 2007-08-08 21:19:19 UTC
by Tom Liston (Version: 1)

Ok... for a little fun, I used some pithy Latin sayings as titles for today's diaries...  my thought was that perhaps (perhaps!) it might be nice to... broaden some people's horizons.  I was obviously mistaken.

Bad handler...  baaaaaaaaaaaaaad handler.... no donut!


Diligentia maximum etiam mediocris ingeni subsidium

Published: 2007-08-08
Last Updated: 2007-08-08 21:08:37 UTC
by Tom Liston (Version: 3)

It appears that someone has kicked the big red Ethernet cable out of the wall over at Cisco.  Currently, attempts to reach their website fall a few hops short.  We'll update if we hear anything...

Update: They're baaaaaaaaaaaaaack... The best word we have is that Cisco was having an "issue" that was not attributable to anything "evil."  Personally, I'm sticking with my "someone tripped over the Ethernet cable" explanation, 'cause it sounds plausible...


Bis interimitur qui suis armis perit

Published: 2007-08-08
Last Updated: 2007-08-08 16:45:59 UTC
by Tom Liston (Version: 1)

Rick wrote in with a log snippet showing someone out there actively scanning his webserver for an installation of horde:

2007-08-08 05:49:33 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /Horde/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde-3.0.9/README
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde3/README
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.aaa.aaa GET /horde2/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /Horde/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde-3.0.9/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde3/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.bbb.bbb GET /horde2/README

My guess: they're looking to find boxes to exploit with CVE-2006-1491.

If you're using horde, make sure that the version you're running is up-to-date.  Not running horde?  Make sure: horde is one of those things that admins will often install to "try it out..."  You might want to take a quick look around, just to be sure.  Nothing worse than getting whacked by your own tools...

Anyone else seeing scanning like this?
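If you want to check your own logs for the same pattern, here is a small detection pass, added here as an example and not part of the diary or Rick's submission: it parses lines in the layout of the snippet above and flags client IPs that request several distinct Horde README locations within a short window. The sample lines, IPs and field names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the snippet above (IPs made up).
SAMPLE_LOG = """\
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.10.10 GET /horde3/README
2007-08-08 05:49:31 xxxxxx XXXXXXX 192.168.10.10 GET /horde2/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.10.10 GET /horde-3.0.9/README
2007-08-08 05:49:32 xxxxxx XXXXXXX 192.168.10.10 GET /Horde/README
2007-08-08 05:49:33 xxxxxx XXXXXXX 192.168.10.10 GET /horde/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.20.20 GET /horde2/README
2007-08-08 05:49:45 xxxxxx XXXXXXX 192.168.20.20 GET /horde3/README
2007-08-08 06:10:00 xxxxxx XXXXXXX 192.168.30.30 GET /index.html
2007-08-08 06:10:05 xxxxxx XXXXXXX 192.168.30.30 GET /horde/README
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<uri>\S+)$"
)
# /README directly under a horde* directory (any case), or the bare /README.
PROBE_RE = re.compile(r"^/(?:horde[^/]*/)?README$", re.IGNORECASE)

def parse_line(line):
    """Return (timestamp, client_ip, uri), or None if the line doesn't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["uri"]

def find_horde_scanners(log_text, min_paths=3, window_seconds=60):
    """Map client IP -> sorted distinct probe paths, for clients that hit at
    least min_paths distinct Horde README locations within window_seconds."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and PROBE_RE.match(parsed[2]):
            probes[parsed[1]].append((parsed[0], parsed[2]))
    scanners = {}
    for ip, events in probes.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (start, _) in enumerate(events):
            in_window = {p for t, p in events[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_paths:
                scanners[ip] = sorted({p for _, p in events})
                break
    return scanners
```

A single hit on /README from a browser or a link checker is noise; it is the burst of distinct horde* directory guesses from one client that marks a scanner, so tune min_paths and window_seconds to your traffic.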

(Also, if you haven't picked up on the diary title drift yet, your kindly narrator has decided to try to class the joint up a bit...  Anyone know the source of that quote?)


Quis custodiet ipsos custodes?

Published: 2007-08-08
Last Updated: 2007-08-08 16:05:20 UTC
by Tom Liston (Version: 1)

It appears that several forensics tools are seeing some... ahem... "attention" of late.  Both the commercial tool "EnCase" by Guidance Software and the Open Source tool "The Sleuth Kit" saw a slew of CVEs filed yesterday.

Encase:

CVE-2007-4194 (v 5.0)
CVE-2007-4201 (v 6.2 and 6.5)
CVE-2007-4202 (v EEE 6)

The Sleuth Kit (v <2.09):

CVE-2007-4195
CVE-2007-4196
CVE-2007-4197
CVE-2007-4198
CVE-2007-4199
CVE-2007-4200

Issues mainly seem to be in the parsing of various malformed or specially created files/filesystem images.
