
SANS ISC InfoSec Handlers Diary Blog



Cisco Unified Communications (VoIP) Vulnerabilities: Update your IP phones!

Published: 2008-02-14
Last Updated: 2008-02-15 00:40:35 UTC
by Raul Siles (Version: 1)

Cisco has released a couple of security advisories covering vulnerabilities in their IP Phones and the Unified Communications Manager (UCM):

  • Cisco IP Phones have multiple serious overflow and DoS vulnerabilities. It is time to update your VoIP phones! These issues affect phones using Skinny (SCCP) and/or SIP. The vulnerabilities affect several phone components, and the first four are especially relevant:
    • DNS (CVE-2008-0530): Malicious DNS responses may trigger a buffer overflow and execute arbitrary code on a vulnerable phone.
    • SSH (CVE-2004-2486, old CVE): Buffer overflow in the phone SSH server that may allow remote code execution with system privileges.
    • SIP (CVE-2008-0528): Buffer overflow when handling MIME on SIP messages that may allow remote code execution.
    • SIP (CVE-2008-0531): Heap overflow when handling SIP challenge and response messages with the SIP proxy that may allow remote code execution.
    • ICMP (CVE-2008-0526): DoS due to large ICMP echo request packets (another ping of death!).
    • HTTP (CVE-2008-0527): DoS due to specially crafted HTTP requests to the phone HTTP server.
    • Telnet (CVE-2008-0529): Buffer overflow may allow privilege escalation.
  • Cisco UCM is vulnerable to SQL injection (CVE-2008-0026): An authenticated user could access sensitive database information, such as usernames and password hashes, and call records, plus alter or delete call record information in the database. Update to UCM versions 5.1(3a) or 6.1(1a). The flaw is in the key parameter of either the admin or the user interface page.

If you cannot immediately update your IP phones (please do it ASAP!), disable the unused affected services on all your phones (which in practice means disabling almost every way of remotely managing the device: HTTP, SSH, Telnet, ...) and/or filter remote access to them using ACLs.


Tools for updating third-party software

Published: 2008-02-14
Last Updated: 2008-02-15 00:39:10 UTC
by Raul Siles (Version: 1)

Last week we pointed out multiple vulnerabilities in commonly used client software. Several readers replied to my request for tools used to update third-party software; the most recommended tool for Windows is Secunia PSI (Personal Software Inspector), still in Release Candidate (RC-1) state and for personal use only (they also have a commercial version).

Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). For Linux you are pretty much tied to the software package manager of the distribution you like to use. I strongly encourage you to evaluate the best tool that meets your needs.

Thanks to all the readers for submitting their suggestions!

I honestly think this is something we need to take very seriously, as most malware and attacks today (targeted, botnets, etc.) are focused on the clients, exploiting OS and third-party software vulnerabilities (plus social engineering). The two sides of the coin are:

  • Corporate environments (not covered by this post) that frequently (in my own experience) present disheartening scenarios, having vulnerable outdated systems without patches for several months.
  • Small organizations, SOHO environments, independent professionals, end users, etc. We need to find solutions to deal with all the frequent security updates and simplify the user's software update life.

I've been testing Secunia PSI on a few computers recently and I got a good first impression. The tool scans the system and detects not only vulnerable installed software but also leftover installations that may still lie around on the file system. It is focused on outdated, vulnerable third-party software, purely from a security perspective. Additionally, it can detect small pieces of software that do not appear in the "Add and Remove Programs" list, such as the Adobe Flash Player plugin and ActiveX components. My main concern about this tool (shared by Kelvin too) is that the data about your installed applications is sent to Secunia to match it against their File Signatures engine, as they state on their website. The impact of someone getting access to all that information is pretty serious.

No matter what process (even a manual one, if it works for you) or tool you use, all your installed software must be updated in a timely fashion! I know you are aware of it, but some responses to my request came from outdated, vulnerable browser versions. Blame me as well, as the software update checks do not always work as expected. More about this in a future post...

-- Raul Siles - www.raulsiles.com


Updating third-party software: The Good, the Bad and the Ugly

Published: 2008-02-14
Last Updated: 2008-02-14 23:34:51 UTC
by Raul Siles (Version: 1)
0 comment(s)

This is the last post in the series on updating third-party software. As I reflected in a previous post, I've recently seen multiple glitches in the update process for various commonly used client software when the official update tools are used. If the update process does not work efficiently and accurately, it means only one thing: lots of end users are vulnerable and exposed to all the client attacks we are seeing in the wild. Let's analyze some current examples for Windows (XP SP2):

  • QuickTime 7.4.1: As we announced last week, a new QuickTime update, 7.4.1, was released to fix a security vulnerability. The Apple Software Update (ASU) tool ("C:\Program Files\Apple Software Update\SoftwareUpdate.exe"), or the QuickTime (QT) update feature at "Help -> Update Existing Software...", do not detect the latest version, 7.4.1, on a system running 7.4. This was also the case with the update from QuickTime 7.3 to 7.3.1. This behaviour occurs under Windows, but not under Mac OS. QuickTime 7.4.1 can be manually downloaded from Apple's website.
    The update tool connects to "qtsoftware.apple.com" and requests "/cgi-bin/query2?" with a few parameters. If the "lang=xx" value in the request is different from "us", then it reports back that the latest QuickTime version is 7.0.3!! If the value is "us", then it reports back 7.4.1 and 7.1.6 (for older Windows OS versions) as the latest available versions.
    In the non-US case, it requests and retrieves multiple files from various Apple sites (swcatalog.apple.com, swcdn.apple.com, etc.), and although the final file contains references to 7.4.1, they are not taken into consideration.

    A couple of anonymous ISC readers confirmed a similar behaviour and even notified Apple. It seems Apple does "not believe that this issue is a security exposure". Sorry, but I disagree.

    IMPORTANT!! Yesterday multiple buffer overflow vulnerabilities were disclosed in the QuickTime "QTPlugin.ocx" ActiveX control (including version 7.4.1) that may allow the execution of arbitrary code within the context of the application invoking the ActiveX control (such as Internet Explorer). There is no patch available yet, and a DoS exploit is publicly available, and it works. It is recommended to disable the control in IE ("Tools -> Manage Add-ons") or set the kill-bit for CLSID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B through the registry.
  • Java 6 Update 4: Last month we announced the latest Java update, which includes lots of fixes. Even today (a month later), if you run the Java update tool (C:\Program Files\Java\jre1.6.0_0X\bin\jucheck.exe), it reports back that the latest version is Java 6 Update 3. The update process ends up requesting the following XML file: http://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml. As you can see, it references "http://javadl-esd.sun.com/update/1.6.0/1.6.0_03-b05.xml", that is, Update 3.

    As Sun is using Akamai to balance the load, we tested this at the ISC from different places around the world and it seems it is always the case (thanks to fellow handlers Daniel, Stephen and Bojan!). You can manually download the latest version from Sun's website.

    It is important to emphasize that Java updates do not remove the previously installed, vulnerable versions, so you need to remove them manually. Don't forget about it unless you have a reason not to do so!
  • Unprivileged user vs. Administrator: Some third-party Windows applications do not show the availability of new updates unless you are running as Administrator. I understand that the installation must be performed with Admin privileges, but the check could be done as a regular user. Best security practices recommend working as a regular user unless you need to perform administrative operations, so we have a serious conflict here! Just a few examples:
    • Adobe Reader does not show the "Help -> Check for Updates..." menu unless you are running with Administrator credentials.
    • Thunderbird grays out the "Help -> Check for Updates..." menu if you run as a regular user.
    • The Microsoft Update Web page can be accessed as a regular user, but it clearly indicates you need Administrator privileges to install updates from the Website. The problem is that even if you run Internet Explorer as Admin through "Run as...", it doesn't work. You can see and download the updates, but when they are about to be installed, they fail. This is not the case with automatic updates, as the "Automatic Updates" service uses the local System account.
    Therefore, the conclusion is that you need to periodically (every day?) log in as (or run things as) Administrator to check for new updates. Obviously, this is not practical for end users, so we clearly need to improve the third-party update mechanisms in Windows to be accurate, up-to-date and work smoothly from non-privileged accounts.
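One way to apply the kill-bit mitigation mentioned in the QuickTime item above, as an added example that is not from the diary nor from Apple or Microsoft: it assumes PowerShell is installed and run from an elevated (Administrator) session, uses the CLSID given in the diary, and relies on the documented 0x400 "Compatibility Flags" value that tells Internet Explorer not to instantiate a control.

```powershell
# Added example (not from the ISC diary): set the IE kill-bit for the QuickTime
# QTPlugin.ocx ActiveX control, CLSID {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
# (the CLSID the diary names). Bit 0x400 in "Compatibility Flags" under the
# ActiveX Compatibility key stops IE from loading the control. Run elevated.

$Clsid   = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'
$KillBit = 0x400

# 64-bit Windows keeps a second view for 32-bit IE under Wow6432Node;
# on a 32-bit XP SP2 host that parent key does not exist and is skipped.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($Path in $Paths) {
    $Parent = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $Parent)) { continue }   # no such registry view here

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null        # create the per-CLSID key
    }

    # Preserve any flags already present and OR in the kill-bit.
    $Existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $NewFlags = [int]($Existing -bor $KillBit)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $NewFlags -Type DWord

    # Verify by reading the value back and checking that bit 0x400 is set.
    $Check = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    if (($Check -band $KillBit) -eq $KillBit) {
        Write-Output "Kill-bit set for $Clsid under $Parent"
    } else {
        Write-Warning "Failed to set kill-bit for $Clsid under $Parent"
    }
}
```

Restart Internet Explorer after running it; the kill-bit only blocks the control in IE and does not remove or patch QuickTime itself.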

 --
Raul Siles
www.raulsiles.com
