Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



Cisco security advisory overview

Published: 2008-03-26
Last Updated: 2008-03-27 13:25:45 UTC
by Swa Frantzen (Version: 1)

Cisco today released its first combined six-monthly batch of security advisories.

A quick overview might help in prioritizing your actions.

| Advisory | CVEs | Cisco's CVSS 2.0 base score | Impact |
|---|---|---|---|
| PPTP: Multiple vulnerabilities in virtual private dial up network (VPDN) when PPTP is used lead to Denial of Service. | CVE-2008-1151, CVE-2008-1150 | 7.1, 4.3 | DoS |
| DLSw: Multiple vulnerabilities in the Data-link Switching (DLSw) feature when processing UDP or IP protocol 91 packets lead to Denial of Service. DLSw is used to carry SNA and NetBIOS over IP. | CVE-2008-1152 | 7.8 | DoS |
| IPv4IPv6: Dual stack (IPv4 and IPv6) routers have a vulnerability when targeted with crafted IPv6 UDP packets in certain conditions. | CVE-2008-1153 | 7.8 | DoS |
| queue: Certain Catalyst 6500 and Cisco 7600 devices are vulnerable to a DoS attack when configured for OSPF and MPLS VPNs. | CVE-2008-0537 | 7.8 | DoS |
| mvpn: Cisco's implementation of Multicast Virtual Private Network (MVPN) is vulnerable to extra multicast state creation. [MVPN supports multicast traffic in an MPLS VPN.] | CVE-2008-1156 | 7.5 | Extra multicast states can be created, resulting, among other things, in a potential for leaking multicast traffic from one MPLS VPN to another. Note: MPLS VPNs do not use encryption, they only separate the data. |

For support and obtaining fixed software, please reference your support contracts, third party support or Cisco's TAC as appropriate.

Cisco provides a CVSS calculator.

--
Swa Frantzen -- Gorilla Security

Keywords: cisco

ORDB.org blacklisting all IP addresses

Published: 2008-03-26
Last Updated: 2008-03-26 17:22:35 UTC
by Raul Siles (Version: 1)

Since yesterday, March 25 (I started to see it around 8:00am EST), ORDB.org - one of the old SPAM blacklist databases - started to blacklist (or block ;)) all IP addresses. As a result, all mail servers using a SPAM filtering solution that still references ORDB (relays.ordb.org) started to immediately block all incoming e-mails. I got some reports into my personal e-mail yesterday, that finally got fixed by my provider today.

Although ORDB.org was shut down on December 18, 2006, yesterday they changed their behaviour, and instead of timing out, they are blocking all IP addresses, that is, every e-mail server queried is being reported as an open relay. If your mail infrastructure uses ORDB, the sender will get a message like this one (this is an example blacklisting the Gmail servers):

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550-Message rejected because ag-out-0708.google.com [72.14.246.240]:20081 is
550-blacklisted at relays.ordb.org see ordb.org was shut down on December 18,
550 2006. Please remove from your mailserver.

E-mail administrators (if you have not been notified yet by users not getting a single e-mail during the last 24 hours), please, check that your SPAM filtering solution is not querying ORDB!

(...and there are lots of them using ORDB by default)

The real reason behind this active behaviour change is not clear yet.
--
Raul Siles
www.raulsiles.com

Keywords: ORDB spam
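
One way to act on the advice in the ORDB diary above, as an added example that is not part of the original post: it pulls DNSBL zones out of a mail server configuration and flags any zone that answers for 127.0.0.1, an address a working blacklist must never list (RFC 5782), which is how a list-everything zone such as relays.ordb.org shows up. The Postfix-style `reject_rbl_client` syntax, the sample configuration, `dnsbl.example.net`, `old.example.org` and the simulated lookup are assumptions constructed for the example.

```python
import ipaddress
import re
import socket

# Constructed sample in Postfix style (an assumption; the diary names no MTA).
SAMPLE_CONFIG = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client relays.ordb.org,
    # reject_rbl_client old.example.org,
    reject_rbl_client dnsbl.example.net,
    permit
"""

def configured_zones(config_text):
    """Return DNSBL zones named in active (uncommented) reject_rbl_client entries."""
    active = [l for l in config_text.splitlines() if not l.lstrip().startswith("#")]
    return re.findall(r"reject_rbl_client\s+([A-Za-z0-9.-]+)", "\n".join(active))

def query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """True if the name has an A record; False on NXDOMAIN or resolver failure."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def simulated_lookup(name):
    """Constructed stand-in for DNS: ORDB answers for everything, the other zone is sane."""
    return name.endswith(".relays.ordb.org") or name == "2.0.0.127.dnsbl.example.net"

def zone_health(zone, lookup=system_lookup):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must never be."""
    if lookup(query_name("127.0.0.1", zone)):
        return "lists-everything"      # every sender would be rejected
    if not lookup(query_name("127.0.0.2", zone)):
        return "dead-or-unreachable"   # lookups only add delay
    return "ok"

def audit(config_text, lookup=system_lookup):
    """Map each configured zone to its health classification."""
    return {zone: zone_health(zone, lookup) for zone in configured_zones(config_text)}

if __name__ == "__main__":
    for zone, state in audit(SAMPLE_CONFIG, simulated_lookup).items():
        print(f"{zone}: {state}")
```

Calling `audit()` with the default `system_lookup` on your own configuration text runs the same check against live DNS.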

Firefox 2.0.0.13 is out

Published: 2008-03-26
Last Updated: 2008-03-26 10:24:34 UTC
by Raul Siles (Version: 2)

A new version of Firefox, 2.0.0.13, has been released today. It is available for manual download directly from www.mozilla.com. It is also already available for automatic download, but remember (if you are running Windows) that the "Help --> Check for Updates..." menu option is greyed out if you don't have Administrator privileges.

UPDATE: The "Known Vulnerabilities in Mozilla Products" Web page now shows the details. Six vulnerabilities are fixed: two critical, two high, one moderate and one low, some of them referencing multiple CVEs (please check the Mozilla web page for details).

The most relevant one seems to be MFSA 2008-14: "JavaScript privilege escalation and arbitrary code execution". Another good reason to run the NoScript add-on. It is associated with three CVE identifiers. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail (not the default setting and not recommended).

Thanks roseman and other anonymous readers for the heads up, and those that alerted us to the availability of the updated Known Vulnerabilities page.
--
Raul Siles
www.raulsiles.com

Keywords: firefox