Security Alerts

December 15, 2005

Skype Considered Harmful

A previous Dr. I. Doctor blog item (VOMIT: Diagnostic Tool Lets Hackers Target VoIP) discussed Voice-over-IP, noting that Skype was one of the few public VoIP services that encrypts its traffic. This was a good feature, providing a necessary layer of protection for Skype users. Unfortunately, since then several discoveries about Skype have led many network administrators to bar it from their networks.

Skype has become an incredibly popular VoIP service, with more than 60 million subscribers today, according to the technology's new owner, eBay. The main reason for this popularity is low cost -- zero, actually, for all computer-to-computer calls. Skype also delivers reasonably good sound quality and reliability. However, despite its freely available software client and wide ranging open network, Skype uses proprietary protocols and infrastructure, a fact that many users overlooked until recently.

The rub comes in the way Skype's proprietary scheme exploits users' bandwidth to route calls for other, completely unrelated, users. Even when a user is "on hook" (e.g., not making a call), Skype can use that user's Internet connection to route calls to other users. The total bandwidth consumed can impact an enterprise network's Internet performance, despite no Skype services being provided to the network's users!

Worse, many network administrators may not even be aware of Skype users on their network. Skype is a peer-to-peer, port-agile protocol, which means it establishes connections directly between users, even when they're behind firewalls and even when the firewall tries to block VoIP services. Skype's port agility enables it to use virtually any open port to carry VoIP traffic, so it's not readily blocked by traditional network perimeter controls.

This raises the spectre of Skype becoming a back door into an otherwise secure network. Because Skype is proprietary, you have no way of knowing what it's doing under the covers. Skype has had several serious bugs that opened the protocol to exploit by hackers, so such a back door could appear even without malicious intent on Skype's part. But now that Skype is owned by a big outfit (eBay), and other big outfits of late have been caught with their hand in the user's pocket (e.g., Sony and its onerous DRM), depending on eBay for your network security seems ill advised.

So much potential for abuse exists that Gartner Group recommended earlier this year that companies avoid using Skype, as well as other proprietary VoIP services. Gartner points out that an open VoIP standard, Session Initiation Protocol (SIP), already exists and is well accepted. While not perfect, that standard is open to inspection and vulnerabilities are theoretically more quickly discovered and corrected. That prediction seems to be borne out as SIP usage expands, especially with the growth of Asterisk, a SIP-based, open-source phone system.

With Skype being so slippery in the network, the question becomes how one controls it. Skype can pass through most network firewalls without difficulty once one inside user installs and runs the Skype client, whether authorized or not.

One method is to use an application-layer firewall that employs deep packet inspection to detect Skype traffic based on content. Today only commercial packet-shaping products readily offer that capability, and they can be expensive. The primary open-source contender, L7-Filter for Linux (http://l7-filter.sourceforge.net/), is not a complete solution for Skype filtering. Such low-level filtering also imposes a significant burden on throughput, since every packet must be examined going in and out of the network. Cost rises directly with bandwidth.

A less sophisticated, but much cheaper, method is to block all outbound ports except those that you pass through an Internet proxy server. The proxy server essentially breaks the VoIP traffic stream, rendering Skype and other peer-to-peer streaming protocols inoperative. You can purchase a commercial proxy, such as Microsoft's ISA Server, or deploy an open-source proxy like Squid (http://www.squid-cache.org/). A paper detailing the process, by the anonymous author vi_cipher, is online at http://www.net-security.org/dl/articles/Blocking_Skype.pdf.
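The proxy-only egress policy described above, written out as a small model so you can see which flows survive it. This is an added example, not code from the post or from the vi_cipher paper: the workstation subnet, the Squid host, the internal resolver and their addresses are hypothetical, and the rule renderer targets Linux iptables rather than any particular product.

```python
"""Model of a proxy-only egress policy: outbound traffic from the workstation
subnet is dropped unless it is bound for the proxy (or the internal resolver),
so a peer-to-peer client has no direct path to the Internet.

Added example, not from the original post. All addresses are hypothetical."""

import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")       # hypothetical workstation subnet
PROXY = ipaddress.ip_address("10.0.1.2")        # hypothetical Squid host (DMZ)
PROXY_PORT = 3128                               # Squid's default listening port
RESOLVER = ipaddress.ip_address("10.0.1.3")     # hypothetical internal DNS server


def egress_allowed(src, dst, proto, dport):
    """First-match evaluation of the policy for a new outbound flow.
    Returns True if the flow is permitted, False if it is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN:
        return True                  # other subnets are outside this chain's scope
    if dst in LAN:
        return True                  # LAN-to-LAN traffic never touches the proxy
    if dst == PROXY and proto == "tcp" and dport == PROXY_PORT:
        return True                  # the only sanctioned way out: via the proxy
    if dst == RESOLVER and proto == "udp" and dport == 53:
        return True                  # name resolution through the internal server
    return False                     # default deny: no direct Internet path


def render_iptables():
    """The same policy as iptables FORWARD-chain rules. Denied flows are
    logged before being dropped, so the firewall log shows which inside
    hosts are trying to go direct (an unauthorized Skype client, say)."""
    return [
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {LAN} -d {LAN} -j ACCEPT",
        f"iptables -A FORWARD -s {LAN} -d {PROXY} -p tcp --dport {PROXY_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {LAN} -d {RESOLVER} -p udp --dport 53 -j ACCEPT",
        f'iptables -A FORWARD -s {LAN} -j LOG --log-prefix "egress-deny: "',
        f"iptables -A FORWARD -s {LAN} -j DROP",
    ]


if __name__ == "__main__":
    print("direct 443 allowed?", egress_allowed("10.0.0.15", "198.51.100.7", "tcp", 443))
    print("\n".join(render_iptables()))
```

The point of the LOG rule is the adjunct the post hints at: once everything except the proxy is denied, the deny log becomes a reliable inventory of hosts running port-agile clients, which deep packet inspection would otherwise have to detect by content.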

Posted by Mel Beckman on December 15, 2005 at 9:09 AM

December 6, 2005

Another Reason to Disable the Cisco IOS HTTP Interface

Microsoft usually wins all awards for quantity and quality of network vulnerabilities, but don't be distracted. There are enough security holes for everyone, and it's easy to become complacent about seemingly innocuous devices like routers and switches. A case in point is a just-announced bug in Cisco IOS that affects all devices -- both routers and switches -- from version 11.0 through 12.4. The problem is with IOS' HTTP interface, a not very useful option that nevertheless is turned on by default in most Cisco products. This interface is a security time bomb, and should be disabled in virtually every Cisco deployment.

That's not just the opinion of Dr. I Doctor; it's conventional wisdom from the vast majority of security professionals in the world. The IOS HTTP interface is not a comprehensive GUI configuration interface -- it's just a gimmick, really, that lets you execute textual command line interface commands through a Web browser. This latest vulnerability shows how dangerous such easily forgotten back doors can be.

In the instant event, Cisco reports that all these IOS devices are subject to a cross-site scripting attack in which an interloper can gain control of a router or switch by executing arbitrary IOS commands on a device being controlled through the HTTP CLI interface. To be sure, there are a lot of conditions to meet before this exploit is possible. First, somebody has to be actually using a Web browser on the HTTP interface. Second, they must at the same time visit a hostile site containing the exploit for this vulnerability. And third, the exploiter must have somehow gotten the command he wants executed into the device's memory buffers, and the user must execute an IOS command to view that buffer.

That's a long chain of coincidences, which makes this vulnerability, in theory, not very serious. But in the network security biz, where there's smoke, there's fire. Rarely do programmers commit bugs in isolation. It's quite probable that there are other bugs in the IOS HTTP interface, of unknown virulence, just waiting for hackers to find and exploit them. Since the HTTP interface is unnecessary for router operation, following the principle of least privilege, it should be turned off.

Since most of us have Cisco devices, and we all know (or should know) that the HTTP interface must be disabled as a best practice, this incident should serve as a wakeup call to verify that we have, in fact, disabled this hole. It only takes a minute to verify whether or not HTTP is running in IOS. Just type the command "show ip http server status". If the result is "enabled", you've got a problem. To disable the HTTP server, enter these two commands in configuration mode:

no ip http server
no ip http secure-server
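For an estate of more than a handful of devices, the one-minute check above is worth scripting. The following is an added example, not code from the post or from Cisco: it parses the output of "show ip http server status" and a running-config excerpt, reports which listeners are on, and emits the two configuration-mode commands. The sample outputs are constructed; the field wording follows the IOS 12.x format and may differ slightly between releases, which is why the parser treats a missing status line as "still enabled".

```python
"""Audit Cisco IOS HTTP/HTTPS management listeners from captured command output.

Added example, not from the original post. SAMPLE_STATUS and SAMPLE_CONFIG are
constructed to look like IOS 12.x output; adjust the regex if your release
words the status lines differently."""

import re

# Constructed sample: 'show ip http server status' on a device that still has
# the plain HTTP server turned on (the default the post warns about).
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
Maximum number of concurrent server connections allowed: 5
HTTP secure server status: Disabled
HTTP secure server port: 443
"""

# Constructed sample running-config excerpt for the same device.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

STATUS_RE = re.compile(r"^HTTP (secure )?server status:\s*(\w+)", re.M)


def http_status(show_output):
    """Parse 'show ip http server status' into {'http': bool, 'https': bool}.
    A listener whose status line is absent is reported as enabled: an audit
    should fail loud rather than assume the hole is closed."""
    found = {"http": True, "https": True}
    for secure, state in STATUS_RE.findall(show_output):
        key = "https" if secure else "http"
        found[key] = state.lower() == "enabled"
    return found


def config_findings(running_config):
    """Return the un-negated 'ip http server' / 'ip http secure-server'
    lines found in a running configuration."""
    wanted = ("ip http server", "ip http secure-server")
    return [ln.strip() for ln in running_config.splitlines() if ln.strip() in wanted]


def remediation(status):
    """Configuration-mode commands from the post, one per listener that is on."""
    cmds = []
    if status["http"]:
        cmds.append("no ip http server")
    if status["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    status = http_status(SAMPLE_STATUS)
    print("listeners:", status)
    print("offending config lines:", config_findings(SAMPLE_CONFIG))
    print("\n".join(remediation(status)))
```

Entering both "no" commands unconditionally, as the post does, is equally correct; the per-listener version just keeps the change log honest about what actually changed on each device.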

The full Cisco security bulletin discussing this vulnerability is at:
http://www.cisco.com/en/US/products/products_security_advisory09186a008059e470.shtml

Posted by Mel Beckman on December 6, 2005 at 7:07 AM

April 14, 2005

They're Baaaaack! Microsoft Security Bugs

Security Alert!
Platform: Numerous Microsoft Products
Microsoft Severity: Important to Critical
Actual Severity: IMPORTANT and CRITICAL

Microsoft this week released another landslide of vulnerability alerts and associated fixes -- the second largest batch this year. Two waves of bugs, one announced last week and one this week, hit many Microsoft operating systems and applications. The U.S. Cert published two "Technical Cyber Security Alert" bulletins summarizing the two events.

Microsoft announced several new security vulnerabilities -- five rated "Critical":

MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service
MS05-020: Vulnerabilities in IE Could Allow an Attacker to Take Complete Control of an Affected System
MS05-021: Vulnerability in Exchange Server Could Allow Remote Code Execution
MS05-022: Vulnerability in MSN Messenger Could Lead to Remote Code Execution
MS05-023: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution

Three others are rated "Important":

MS05-016: Vulnerability in Windows Shell Could Allow Remote Code Execution
MS05-017: Vulnerability in Message Queuing Could Allow Code Execution
MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service

All, fortunately, have patches available. It goes without saying that you should apply these patches immediately, because in some cases Microsoft's announcement is seen by hackers as a challenge to develop a working exploit as soon as possible.

The CERT bulletins are at:

TA05-039A: Multiple Vulnerabilities in Microsoft Windows Components
TA05-102A: Multiple Vulnerabilities in Microsoft Windows Components

Notice the very low number given to the first bulletin, despite the fact that the two were issued just a week apart. It makes one wonder how long the government sat on this information.

Posted by Mel Beckman on April 14, 2005 at 1:22 AM

March 11, 2005

Dust.Page.US Spyware Worm spreads, but You Can Block It

Security Alert!
A new worm is afoot, tentatively called the dust.page.us worm because it downloads and installs spyware on victim computers from the site of the same name. Blocking traffic to the dust.page.us site appears to stop the virus from successfully infecting new systems. The IP addresses associated with this name are subject to change, however, so some cleverness is required to block access to it.

At this writing, lookup of the dust.page.us domain name yields the following IP addresses:

nslookup dust.page.us
    Name:   dust.page.us
    Address: 24.45.69.153
    Address: 69.56.179.10
    Address: 130.74.201.43
    Address: 158.65.196.156

You could just block these addresses in your router or firewall, but the worm author can easily change or add to the list by simply updating the DNS entry for dust.page.us. A quick fix is to intercept DNS lookups for the name and return a bogus private IP address, such as 192.168.255.254. The exact procedure for doing this varies with DNS server, but it's not complex. Simply create a zone file for the fully qualified name and give it a single A record with the bogus IP address.

If you use a DNS server supplied by your ISP, you might want to notify them of this problem and suggest they incorporate the block in their DNS. By doing so they'll greatly reduce the spread of the worm.

As an adjunct to this technique, you should log all references to this domain name and IP address; any computer on your network looking it up or probing the address is likely infected with the worm. Virtually all firewalls support blocking and logging by IP address, and many support domain name blocking as well.
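The two halves of the technique above, the sinkhole zone and the logging that turns it into a detector, as one added example. This is not code from the post: the zone is in BIND syntax with placeholder nameserver names, and the query-log and firewall-log lines are constructed approximations of BIND 9 and iptables formats, so the regexes are deliberately loose. The worm's host name, its four addresses and the bogus 192.168.255.254 come from the post.

```python
"""Sinkhole the worm's download host at the resolver and list the internal
machines that tried to reach it.

Added example, not from the original post. Log samples are constructed."""

import ipaddress
import re

WORM_HOST = "dust.page.us"
SINKHOLE_ADDR = "192.168.255.254"   # bogus private address suggested in the post
# Addresses the post reports for the name at the time of writing.
WORM_ADDRS = {"24.45.69.153", "69.56.179.10", "130.74.201.43", "158.65.196.156"}


def sinkhole_zone(name=WORM_HOST, addr=SINKHOLE_ADDR, serial=2005031101):
    """BIND-style zone for the fully qualified name: SOA, NS and a single A
    record pointing at the bogus address. ns1.resolver.invalid is a
    placeholder (hypothetical); use your resolver's own names."""
    return "\n".join([
        "$TTL 300",
        "@\tIN\tSOA\tns1.resolver.invalid. hostmaster.resolver.invalid. (",
        f"\t\t{serial} ; serial",
        "\t\t3600 900 604800 300 )",
        "\tIN\tNS\tns1.resolver.invalid.",
        f"\tIN\tA\t{addr}",
        "",
    ])


# Constructed sample logs: BIND 9 style query log and iptables style firewall log.
DNS_LOG = """\
11-Mar-2005 11:01:02.301 client 10.0.0.5#1034: query: dust.page.us IN A +
11-Mar-2005 11:01:09.117 client 10.0.0.9#1601: query: www.example.com IN A +
11-Mar-2005 11:02:44.006 client 10.0.0.5#1035: query: DUST.page.us IN A +
11-Mar-2005 11:03:10.820 client 10.0.0.12#2210: query: dust.page.us IN A +
"""

FW_LOG = """\
Mar 11 11:04:01 fw kernel: OUT=eth1 SRC=10.0.0.12 DST=24.45.69.153 PROTO=TCP DPT=80
Mar 11 11:04:03 fw kernel: OUT=eth1 SRC=10.0.0.9 DST=192.0.2.44 PROTO=TCP DPT=443
Mar 11 11:04:07 fw kernel: OUT=eth1 SRC=10.0.0.20 DST=158.65.196.156 PROTO=TCP DPT=80
Mar 11 11:04:09 fw kernel: OUT=eth1 SRC=10.0.0.12 DST=192.168.255.254 PROTO=TCP DPT=80
"""

DNS_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")
FW_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+)")


def suspect_hosts(dns_log, fw_log):
    """Internal addresses that looked up the worm's name, or sent traffic to
    one of its known IPs or to the sinkhole address (after the sinkhole is
    in place, the infected host's download attempt lands on the bogus IP,
    which is exactly what you want to log). Returns host -> sorted reasons."""
    hits = {}
    for src, qname in DNS_RE.findall(dns_log):
        if qname.rstrip(".").lower() == WORM_HOST:
            hits.setdefault(src, set()).add("dns-lookup")
    watch = WORM_ADDRS | {SINKHOLE_ADDR}
    for src, dst in FW_RE.findall(fw_log):
        if dst in watch and ipaddress.ip_address(src).is_private:
            hits.setdefault(src, set()).add("connect:" + dst)
    return {host: sorted(reasons) for host, reasons in hits.items()}


if __name__ == "__main__":
    print(sinkhole_zone())
    for host, reasons in sorted(suspect_hosts(DNS_LOG, FW_LOG).items()):
        print(host, ", ".join(reasons))
```

Matching on the sinkhole address as well as the published IPs is what makes the approach robust to the author updating the DNS record: the resolver answers every lookup with the same bogus address, so the firewall log keeps catching infected hosts even after the real addresses change.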

Hopefully the operators of the page.us domain will shut down the site soon.

Posted by Mel Beckman on March 11, 2005 at 11:06 AM

February 11, 2005

Mozilla Firefox Browser Vulnerabilities

Security Alert!
Platform: Mozilla Firefox 1.0, all platforms
Vendor Severity: not specified
Actual Severity: HIGH to CRITICAL

Just because it's not Microsoft doesn't mean it's perfect. The exodus of users from Microsoft's security-hole-ridden Internet Explorer to the open source Firefox browser is well documented. However, Firefox suffers from serious security bugs just like IE does, so vigilance is still required. To date Firefox hasn't suffered from the high rate of IE security gaffes, but this week three serious bugs in a row reinforce the need to keep an eye on all software patches.

The vulnerabilities occur in three completely separate areas of Firefox's user interface: tabs, dragging, and the Flash plug-in.

Bug 280056: When dropping a javascript link to a tab, the script runs in the security context of the site currently displayed in the tab
Bug 279945: Image drag and drop allows to create executable files
Bug 280664: Using Flash and the -moz-opacity filter you can get access to about:config and make the user silently change values

All of these can be exploited by a malicious server to compromise the security of a user's browser environment, which could lead to disclosure of confidential information, to arbitrary code execution, and ultimately to the takeover of the user's machine.

All three bugs are fixed in the latest build of Firefox, but getting and installing the latest build isn't as easy -- or as automatic -- as Microsoft's self-installing updates. If you deploy Firefox, you must manually upgrade each user's installation to the fixed version, which could be a tedious process.

This additional labor may still be worth it given the advantages of Firefox: immunity from IE exploits, such as spyware and keystroke logging; resistance to cross-site script attacks; and built-in control over pop-up ads. The lesson here is to avoid complacency. While Firefox is safer than IE today, it's still software and still contains bugs that require close monitoring.

Posted by Mel Beckman on February 11, 2005 at 10:24 AM

Bevy of Critical Microsoft Flaws

Security Alert!
Platform: Internet Explorer 6.0
Microsoft Severity: Important to Critical
Actual Severity: HIGH to CRITICAL

Microsoft this week released a record number of vulnerability alerts and associated fixes. And in an unusual move, Microsoft first gave security administrators a heads up at the beginning of the week that a number of fixes were coming down the pike. Presumably these vic..., er, security professionals appreciated the warning so they could clear off their weekends for a fun time updating systems.

Microsoft announced twelve new security vulnerabilities -- many rated Critical:

MS05-04: ASP.NET Path Validation Vulnerability
MS05-05: Vulnerability in Microsoft Office XP could allow Remote Code Execution
MS05-06: Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks
MS05-07: Vulnerability in Windows Could Allow Information Disclosure
MS05-08: Vulnerability in Windows Shell Could Allow Remote Code Execution
MS05-09: Vulnerability in PNG Processing Could Allow Remote Code Execution
MS05-10: Vulnerability in the License Logging Service Could Allow Code Execution
MS05-11: Vulnerability in Server Message Block Could Allow Remote Code Execution
MS05-12: Vulnerability in OLE and COM Could Allow Remote Code Execution
MS05-13: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution
MS05-14: Cumulative Security Update for Internet Explorer
MS05-15: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution

Such a flood of vulnerabilities (note the prevalence of the phrase "could allow remote code execution") should give one second thoughts about the Windows monoculture. Although replacing Windows on the desktop is problematical, I suspect this bug swarm will prompt enterprises to consider bumping Microsoft out of server roles. There are many good alternatives to Microsoft IIS, SMB and MSSQL servers.

Posted by Mel Beckman on February 11, 2005 at 9:46 AM

Symantec Buffer Overflow Creates Widespread Vulnerabilities

Security Alert!
Platform: Symantec anti-virus, anti-spam, and firewall products.
Symantec Severity: High
Actual Severity: CRITICAL

Intrusion detection software vendor ISS Inc. yesterday reported a serious cross-product vulnerability in Symantec's security products, including stand-alone appliances. A buffer overflow problem in the Symantec scan engine, used in many Symantec products, could be exploited by a virus to compromise a Symantec-protected system.

Symantec acknowledges the problem, but reports that they have seen no instances of an exploit in the wild. The problem afflicts many editions of the company's consumer products for both Windows and Macintosh systems, as well as a number of Symantec enterprise products. The flaw also exists in Symantec Gateway Security 5300 and 5400 firewall appliances.

The specific module involved, DEC2EXE, is actually an obsolete component that Symantec products can live without; its function has been replaced by the Symantec AV Definition Engine, which is immune to this particular failure. Symantec says users can safely disable the DEC2EXE module by following instructions posted on its website at:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005020911112648

DEC2EXE is removed by the latest Symantec automatic software update for its products that support live updates. For Symantec's firewall appliances Symantec has posted a manual software fix.

Here are links to the ISS and Symantec security bulletins for DEC2EXE:

http://xforce.iss.net/xforce/alerts/id/187
http://www.sarc.com/avcenter/security/Content/2005.02.08.html

Posted by Mel Beckman on February 11, 2005 at 9:08 AM

December 21, 2004

Internet Explorer Cross-Site Scripting Flaw

Security Alert!
Platform: Internet Explorer 6.0
Microsoft Severity: no comment yet
Actual Severity: CRITICAL

Danish security firm Secunia reported last Friday an IE vulnerability that lets phishers trick users into thinking they are securely connected to their financial institution or other commerce site, when in fact they're being spoofed by the phisher to capture the victim's user ID and password.

Secunia says the problem occurs even on systems running SP2 and the latest Microsoft security patches. It results from an error in the "DHTML Edit" ActiveX control when invoked by the execScript() function.

The end user must first visit a malicious site, which invokes the bug and then waits for the user to visit a targeted commerce site, at which point the user is surreptitiously redirected to a forged replica site. To the user, the URL in the navigation bar looks correct and the SSL lock icon may even appear. When the user logs into the forged site, the forger captures the victim's user ID and password.

Secunia's site includes an online demonstration of the flaw to let you test your browser.

Microsoft says it is looking into the problem and will publish a fix if warranted. In lieu of a fix, you should disable ActiveX controls in IE, or set the browser security level to "high" for the Internet zone. When visiting any commerce site, Dr. I. Doctor recommends that you always hand-type the URL in a fresh browser window, and ideally never using Internet Explorer!

Secunia's advisory bulletin, SA13482, is online at:

http://secunia.com/advisories/13482/

Secunia's demonstration of the flaw is at:

http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

Posted by Mel Beckman on December 21, 2004 at 11:22 AM

Service Pack 2 Firewall Flaw

Security Alert!
Platform: Windows XP with Service Pack 2 running Microsoft's integrated firewall
Microsoft Severity: CRITICAL
Actual Severity: CRITICAL

Service Pack 2 has a critical vulnerability which can give the entire Internet access to file and print services that Microsoft's integrated firewall is supposed to protect.

According to a knowledgebase article Microsoft released last week (#886185), a flaw in the way the firewall interprets network scopes results in the Internet being considered a local network (The "My network" subnet). This happens when the Windows dial-up adapter is used to make the Internet connection, which can be the case with both modem and broadband Internet services. In particular, PPP-over-Ethernet connections, favored by some cable and DSL providers, often use this approach.

Microsoft has a fix available.

If an XP user opens printer and/or file sharing to his local network (not uncommon), the same services then become accessible via the Internet. Microsoft says this is not a bug, but rather "a configuration setting that shipped with Windows XP that was not optimal, but that is not classified as a security vulnerability," (Gary Schare, Windows director of product management, in a copyrighted Network World story). You can hear the weasels being tortured in every word.

Dr. I. Doctor always recommends a hardware firewall, even at home, as the primary security for a network. Software firewalls built on general purpose operating systems like Windows are just too unreliable to count on as your first line of defense. A hardware firewall, consisting of purpose-built software running on a dedicated network appliance, has a much lower probability of catastrophic bugs like this one. And you can buy very good name-brand firewalls for as little as $50, so cost is no excuse.

Microsoft's KB bulletin on the problem:

http://support.microsoft.com/kb/886185

The downloadable hot fix:

http://www.microsoft.com/downloads/details.aspx?familyid=da66a0ac-55ca-4591-b3e6-d78695899141&displaylang=en

Posted by Mel Beckman on December 21, 2004 at 10:57 AM

December 15, 2004

WINS Compromised in Windows Server

Security Alert!
Platform: All versions of Windows Server
Microsoft Severity: Important
Actual Severity: CRITICAL

Microsoft released a service bulletin yesterday announcing a vulnerability in WINS (UDP port 42) and already network security watchers are seeing apparent attempts to exploit the bug.

The flaw affects all versions of Windows Server, from NT through 2003 64-bit. Fortunately, Microsoft has a fix, and you'd better install it fast. According to SANS' Internet Storm Center, Internet watchers are reporting spikes in port 22 traffic -- a pretty clear indication of attempts to subvert WINS, which is normally a LAN-only protocol.

A hacker exploits the flaw by sending a specially-crafted malicious packet to a WINS server. Although WINS servers are typically not Internet-accessible, they are still vulnerable to inside attacks launched by viruses. And some people have unwittingly exposed their WINS servers to the Internet, which is why hackers are diligently scanning the Internet right now looking for them. Once the hacker finds a vulnerable server, she can take it over completely.

Even if you're currently on Active Directory, you should install this fix, to forestall problems should somebody inadvertently enable WINS on one of your servers. Indeed, many shops are running WINS without knowing it; it's installed and enabled by default on Windows 2000 Server and Windows Server 2003.

Windows Server 2003 is slightly less vulnerable to takeover than 2000, but only because it usually crashes when attacked by this exploit. If it crashes three times in a row, it shuts down permanently until you manually restart it. So this exploit doubles as a Denial of Service attack.

One can only wonder that Microsoft rates this merely an "Important", rather than "Critical", alert.

Microsoft's security bulletin MS04-045 is at:

http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx

The SANS Internet Storm Center is at:

http://isc.sans.org/

Posted by Mel Beckman on December 15, 2004 at 2:00 PM