
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-04-07



2 Cisco Vulnerabilities, New Auto-Executing Virus Capabilities (Bugbear.C), MacOS X Security Update, Metasploit Framework Release

Published: 2004-04-07
Last Updated: 2004-04-08 15:30:51 UTC
by Scott Fendley (Version: 1)


Cisco LEAP Authentication Protocol Vulnerability Exploit Tool Released



A tool that exploits vulnerabilities in the Cisco LEAP authentication protocol was released to the public. The tool purports to actively compromise Cisco LEAP networks by mounting an offline dictionary attack against weak user passwords. For organizations still using the Cisco LEAP protocol on their wireless networks, it is strongly recommended that this tool be used to assess the security posture of the network. If possible, migration to the Cisco EAP-FAST protocol may be the appropriate course of action. For more information, please see:
http://asleap.sourceforge.net

http://www.securityfocus.com/archive/1/359694/2004-04-04/2004-04-10/0

Cisco Default Username and Password in WLSE and HSE



Cisco released a security advisory today detailing software packages that contain a default username and password pair, which gives full administrative access to the device and could even be used to cause a denial of service. The username cannot be disabled, and there is no workaround for this vulnerability.


The affected software releases of WLSE (Wireless LAN Solution Engine) are 2.0, 2.0.2, and 2.5.
The affected software releases for HSE (Hosting Solution Engine) are 1.7, 1.7.1, 1.7.2, and 1.7.3.
As this vulnerability can allow a multitude of possible security issues, it is strongly recommended that patches be installed quickly. For more information on the vulnerability and the potential impacts, please see:

http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml

Bugbear.C using IE CHM Exploitation



Handlers at the Internet Storm Center noted today a revision to the Symantec Security Response web site involving the Bugbear.C virus. According to the web page:

"The malformed email from the worm uses the Microsoft Internet Explorer
Unspecified CHM File Processing Arbitrary Code Execution Vulnerability
(CAN-2004-0380) in Internet Explorer to run a malicious program. There is no
patch that is currently available for this vulnerability."

From the reports we have gathered, this vulnerability can be used to auto-execute the Bugbear.C virus. The recent discovery of this attack vector appears to pose a distinct security risk for the immediate future. While anti-virus vendors can quickly release updates to protect many security-conscious users, this virus and any new virus variants using this attack vector _may_ have a window of opportunity to be exceptionally malicious. It is hoped that an appropriate patch for this vulnerability will be released as part of the Microsoft patch cycle next week. For more information about the Bugbear.C virus, please see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.c@mm.html

For more information about the Internet Explorer CHM vulnerability, along with workarounds, please see CERT Vulnerability Note VU#323070 (Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers), available at:
http://www.kb.cert.org/vuls/id/323070

Apple MacOS X Security Bulletin (2004-04-05)




Apple released a security update bulletin on Tuesday that lists a number of security patches available for the MacOS X operating system. Among the patches listed are fixes for the CUPS printing system, libxml2, Mail, and OpenSSL. None of the patches appear to be overly critical, but they should be addressed by MacOS X users as part of their maintenance procedures. For more information, please see:

http://docs.info.apple.com/article.html?artnum=61798

Metasploit 2.0 exploit framework released

The Metasploit Framework purports to be an advanced platform for developing and using exploit code. Because this framework can be used for good purposes (vulnerability assessment and auditing) but could also help in prototyping malicious code, its public availability is noteworthy. There is some speculation that we may see a noticeable increase of attacks or malware using this software over the next few months. For more information concerning the release of this framework, please see:

http://www.securityfocus.com/archive/1/359765/2004-04-04/2004-04-10/0
-----------------------------------------------------------------------

Scott Fendley, University of Arkansas (Handler On Duty)