Microsoft Security Advisory 975191 Revised
We wrote about the new IIS FTP service vulnerabilities when the exploit code became public (diary 7039) and again when Microsoft published their advisory some time afterwards (diary 7063). Not surprisingly, Microsoft have now revised the advisory to note that they have received reports of incidents in which this exploit was used to compromise systems. This may seem counter-intuitive, since the exploit code was public before the advisory came out; more likely the exploit was being actively used all along and few incidents were reported. There are not all that many IIS servers running FTP on the Internet, and there are fewer public FTP servers than in the past, so where this exploit may well have been used is against internal FTP servers.
Microsoft have also reminded admins that version 7.5 of their FTP service, which is not vulnerable to these attacks, is available for download (although only for Windows Server 2008). Hopefully a patch will be out shortly.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Microsoft September 2009 Black Tuesday Overview
Overview of the September 2009 Microsoft patches and their status.
# | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers
---|---|---|---|---|---|---
MS09-045 | JScript Scripting Engine, CVE-2009-1920, KB 971961. A request handling vulnerability leads to remote code execution. | | No known exploits | Severity: Critical, Exploitability: 1 | Critical | Critical
MS09-046 | DHTML Editing Component ActiveX Control, CVE-2009-2519, KB 956844. A vulnerability exists in the DHTML Editing Component ActiveX Control. | | No known exploits | Severity: Critical, Exploitability: 2 | Critical | Important
MS09-047 | Windows Media Format. This vulnerability could allow remote code execution if a user opened a specially crafted media file. | | No known exploits | Severity: Critical, Exploitability: 1,1 | Critical | Critical
MS09-048 | Windows TCP/IP, KB 967723. Vulnerabilities exist in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. | | No known exploits | Severity: Critical, Exploitability: 3,2,3 | Critical | Critical
MS09-049 | Wireless LAN AutoConfig Service, KB 970710. A vulnerability exists in the Wireless LAN AutoConfig Service. | | No known exploits | Severity: Important, Exploitability: 2 | Critical | Critical
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make a system vulnerable and exploits are being used or are easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. The best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack) of affected systems, the measures actually implemented, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
Update 1: All KB and CVE links have been updated
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Vista/2008/Windows 7 SMB2 BSOD 0Day
We have received a report from Tyler of a vulnerability in Microsoft's SMB2 implementation that allows a remote attacker to crash the machine; proof-of-concept code was published yesterday and a Metasploit module is out.
We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 with a firewall.
Windows 2000/XP are NOT affected by this exploit.
We will update this diary with more information as we get it.
Update 1: Theodore, an ISC contributor, has sent us a couple of links on how to disable SMB version 2.0 on Vista or Server 2008. The first post is by Hameed on AskPerf here and the second post is by Daniel Petri here.
Update 2: Microsoft released a new advisory here showing that only the following OS versions are affected:
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Cisco Security Advisory TCP DoS
ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that can cause a denial of service on multiple Cisco products. An attacker who forces TCP connections into a long-lived or indefinite state can prevent new TCP connections from being accepted, potentially causing a DoS that persists indefinitely.
Additional information on the Cisco advisory is available here.
The following products are affected:
- Cisco IOS-XE Software
- Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected if they are configured with specific features
- The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices
- Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities
- Customers with Linksys products should contact Linksys security for questions regarding the impact, mitigation and remediation of the vulnerabilities
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
UPDATE
In addition to the Cisco advisory, there is further information and responses to the issue from other vendors here ==> https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html - M
Bug Fixes in Sun SDK 5 and Java SE 6
Sun released 17 bug fixes in JDK 5 Update 21. No new security vulnerability fixes are part of this update. Support has also been added for Windows Vista SP2 and Windows Server 2008 SP2. The bulletin is available here.
Sun released bug fixes in Java SE 6 Update 16. No new security vulnerability fixes are part of this update. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. The bulletin is available here.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Anybody recognize these packets?
I have been looking at a packet trace sent in by a reader, and have reached a dead end. He has been receiving the packets on his network for better than a month. The volume is not high enough to be a DoS. The sources are all over the world, although mostly high-speed customers. I was hoping one of you may have seen these packets before...
The packets are all UDP. The source ports vary, but the destination port in this case is always 49261. The data portion of the packets is either 35 or 31 bytes. Although the data changes from source address to source address, for any given source the source port and the data is always the same.
There does not appear to be any return traffic.
The data portion of a typical 35 byte packet will look similar to the following (colon delimited):
8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:c3:02:49:50:40:83:53:43:50:41:02:00
The final portion 49:50:40:83:53:43:50:41:02:00 is identical for every 35 byte data packet.
The data portion of a typical 31 byte packet will look similar to the following:
70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:c3:83:53:43:50:41:02:00
The final portion 43:50:41:02:00 is identical for every 31 byte data packet.
Anybody seen these before? Can anybody shed light on what they might be?
UPDATE:
A couple of universities have contacted me indicating that this is related to Limewire. One sent me packets that were very similar to the ones I received originally.
There also appears to be an Emerging Threats signature to detect this traffic.
Thanks for the help!
-- Rick Wanner - rwanner at isc dot sans dot org
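The two payloads printed above line up byte for byte with the Gnutella message header (a 16-byte GUID, a one-byte function code where 0x00 is Ping, TTL, hops, and a little-endian 4-byte payload length of 12 and 8 respectively) followed by a GGEP extension block, whose magic byte is 0xC3; the constant tails the diary noticed are the GGEP records, and 53:43:50 is the ASCII extension id "SCP". That is consistent with the LimeWire identification in the update, but it is an assumption of this added example, not something the diary states. The parser below is example code, not part of the diary, and decodes both samples under that assumption; the function and class names are this example's own, and what the "IP" and "SCP" extensions mean to LimeWire is not established by the page.

```python
"""Decode the two UDP payloads from the diary as Gnutella UDP pings (added example).

Assumption: each packet is a 23-byte Gnutella message header followed by a GGEP
block. The sample payloads are copied from the diary; everything else is this
example's own.
"""
import struct
from dataclasses import dataclass, field

# Sample payloads, copied from the diary above (colon-delimited hex).
SAMPLE_35 = ("8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:"
             "c3:02:49:50:40:83:53:43:50:41:02:00")
SAMPLE_31 = ("70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:"
             "c3:83:53:43:50:41:02:00")

HEADER_LEN = 23      # GUID(16) + function(1) + TTL(1) + hops(1) + payload length(4, little-endian)
GGEP_MAGIC = 0xC3    # first byte of a GGEP extension block
MESSAGE_TYPES = {0x00: "Ping", 0x01: "Pong", 0x40: "Push", 0x80: "Query", 0x81: "QueryHit"}


@dataclass
class GgepExtension:
    ident: str
    data: bytes
    compressed: bool   # flags bit 5: data is deflated (not decompressed here)


@dataclass
class GnutellaMessage:
    guid: bytes
    msg_type: str
    ttl: int
    hops: int
    payload: bytes
    extensions: list = field(default_factory=list)
    trailing: bytes = b""   # bytes after the GGEP block that were not interpreted


def _need(block: bytes, pos: int, n: int) -> None:
    if pos + n > len(block):
        raise ValueError(f"GGEP block truncated at offset {pos}")


def parse_ggep(block: bytes):
    """Parse 0xC3 followed by (flags, id, length, data) records.

    flags: bit 7 = last record, bit 5 = deflated, bits 0-3 = id length.
    length: 1-3 bytes carrying 6 value bits each; 0x40 marks the final byte, 0x80 means more follow.
    """
    if not block or block[0] != GGEP_MAGIC:
        raise ValueError("payload does not start with the GGEP magic byte")
    pos, records = 1, []
    while pos < len(block):
        flags = block[pos]
        pos += 1
        id_len = flags & 0x0F
        if id_len == 0:
            raise ValueError("GGEP record with an empty id")
        _need(block, pos, id_len)
        ident = block[pos:pos + id_len].decode("ascii", errors="replace")
        pos += id_len
        length = 0
        for _ in range(3):
            _need(block, pos, 1)
            b = block[pos]
            pos += 1
            length = (length << 6) | (b & 0x3F)
            if b & 0x40:
                break
            if not b & 0x80:
                raise ValueError("malformed GGEP length byte")
        else:
            raise ValueError("GGEP length field longer than 3 bytes")
        _need(block, pos, length)
        records.append(GgepExtension(ident, block[pos:pos + length], bool(flags & 0x20)))
        pos += length
        if flags & 0x80:   # last record: whatever follows is outside the GGEP block
            break
    return records, block[pos:]


def parse_message(raw: bytes) -> GnutellaMessage:
    if len(raw) < HEADER_LEN:
        raise ValueError(f"{len(raw)} bytes is shorter than a Gnutella header")
    type_byte, ttl, hops, plen = struct.unpack("<BBBI", raw[16:HEADER_LEN])
    payload = raw[HEADER_LEN:]
    if len(payload) != plen:   # a mismatch means this is not a well-formed Gnutella datagram
        raise ValueError(f"header announces {plen} payload bytes but {len(payload)} follow")
    msg = GnutellaMessage(raw[:16], MESSAGE_TYPES.get(type_byte, f"0x{type_byte:02x}"), ttl, hops, payload)
    if payload and payload[0] == GGEP_MAGIC:
        msg.extensions, msg.trailing = parse_ggep(payload)
    else:
        msg.trailing = payload
    return msg


def describe(hexdump: str) -> dict:
    """Summarise one colon-delimited hex payload as the diary presents them."""
    msg = parse_message(bytes.fromhex(hexdump.replace(":", "")))
    return {"type": msg.msg_type, "ttl": msg.ttl, "hops": msg.hops,
            "payload_len": len(msg.payload),
            "extensions": {e.ident: e.data for e in msg.extensions},
            "trailing": msg.trailing}


if __name__ == "__main__":
    for name, sample in (("35-byte", SAMPLE_35), ("31-byte", SAMPLE_31)):
        print(name, describe(sample))
```

Run on the two samples, both decode as a Ping with TTL 1 and hops 0: the 35-byte packet carries an empty "IP" record and an "SCP" record with data 0x02, the 31-byte packet only the "SCP" record, and each leaves a single trailing 0x00 byte after the last GGEP record. The parser rejects datagrams whose header length does not match what follows, which is the quickest way to tell a different protocol that happens to share the port from more of the same traffic.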