
SANS ISC InfoSec Handlers Diary Blog



Verizon New York area issues

Published: 2009-10-02
Last Updated: 2009-10-02 21:43:45 UTC
by Stephen Hall (Version: 1)
0 comment(s)

A number of readers have written in over the last 20 minutes to report an outage affecting Verizon in the New York area. Service appears to be recovering, and some internet health monitoring sites are showing latency entering and exiting the Verizon hub in Boston.

NANOG is reporting that a few people are experiencing connectivity issues in the New York, US area.

If you have any information on what happened, let us know and we'll update this diary with the news.

Update: Verizon have indicated via Twitter that:

"a router responsible for peering in the Northeast failed. It was reset and traffic should be coming back."

Update 2:

Verizon have now posted a blog entry detailing the event, in addition to their continuing updates on Twitter.

Steve Hall 

Keywords: verizon

Cyber Security Awareness Month - Day 2 - Port 0

Published: 2009-10-02
Last Updated: 2009-10-02 18:59:20 UTC
by Stephen Hall (Version: 1)
4 comment(s)

The second day of Cybersecurity Awareness Month is dedicated to the strange and anomalous port number 0.

IANA has entries for port 0 for both TCP and UDP in its list of assigned port numbers at http://www.iana.org/assignments/port-numbers:
 
Decimal    Description
-------    -----------
0/tcp      Reserved
0/udp      Reserved
 
As you can see, both are defined as being reserved.
 
However, there is a lesser-known definition for port 0, which is:
 
spr-itunes        0/tcp    Shirt Pocket netTunes
spl-itunes        0/tcp    Shirt Pocket launchTunes
 
which causes confusion: some /etc/services files carry these itunes entries (nothing to do with Apple), so commands that map port numbers to service names will show port 0 as the spr-itunes service being in use.
 
The use of TCP port 0 was first introduced (as far as I can find) in RFC 675, which states that:
 
   It is possible to specify a socket only partially by setting the PORT
   identifier to zero or setting both the TCP and PORT identifiers to
   zero. A socket of all zero is called UNSPECIFIED. The purpose behind
   unspecified sockets is to provide a sort of "general delivery"
   facility [useful for logger type processes with well known sockets].
 
So this would have resulted in a socket address of 0.0.0.0:0 or x.x.x.x:0, where x.x.x.x is a valid IP address.
 
So, when do we see port 0 in use? Well, for no valid reason I know of.
 
Indeed, many IDS systems provide signatures to detect packets which have port numbers of 0, for example:
 
"alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)"
 
To break down this Snort IDS signature: it matches a TCP flow from any system to any system where the port number on the $HOME_NET side is 0, and it is stateless, so it fires on single packets rather than established sessions.
 
Other handlers have pondered where such packets come from, for example in isc.sans.org/diary.html?storyid=556, but we also know that such packets can be created by tools such as hping3.
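To make the two points above concrete (the /etc/services confusion and what the Snort rule actually matches), here is an added example that is not part of the original diary or of Snort itself. It parses a constructed /etc/services-style excerpt, pulls addresses and ports out of raw IPv4+TCP headers, and applies the logic of sid 524 to a handful of constructed packets. The $HOME_NET value, the sample services text and the sample packets are all assumptions made for the example; $EXTERNAL_NET is treated as everything outside $HOME_NET, which is Snort's usual default.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

# Constructed /etc/services-style excerpt for this example; it is not any real system's file.
# It reproduces the Shirt Pocket entries that make port 0 resolve to a service name.
SERVICES_TEXT = """\
# service-name   port/protocol   [aliases]   # comment
spr-itunes       0/tcp                       # Shirt Pocket netTunes
spl-itunes       0/tcp                       # Shirt Pocket launchTunes
ssh              22/tcp                      # SSH Remote Login Protocol
http             80/tcp          www         # World Wide Web HTTP
"""

HOME_NET = "10.0.0.0/24"  # hypothetical $HOME_NET; $EXTERNAL_NET is treated as !$HOME_NET


def parse_services(text: str) -> dict:
    """Map (port, protocol) to the first service name listed, as a port-to-name lookup would."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table.setdefault((int(port), proto), name)  # first entry wins, like getservbyport()
    return table


class TcpPacket(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


def parse_ipv4_tcp(raw: bytes) -> Optional[TcpPacket]:
    """Pull addresses and ports out of an IPv4 header followed by a TCP header.

    Returns None for anything that is not IPv4 carrying TCP (protocol number 6).
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if raw[9] != 6 or len(raw) < ihl + 4:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])  # first two TCP header fields
    return TcpPacket(src, dst, sport, dport)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Build a minimal 40-byte IPv4+TCP header pair as constructed sample input (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def port0_alerts(packets, home_net: str, services: dict) -> list:
    """Apply the logic of Snort sid 524 ($EXTERNAL_NET any <> $HOME_NET 0) to raw packets.

    The rule is bidirectional: it fires when the $HOME_NET side of a TCP conversation
    uses port 0, whether that host is the destination or the source. Port 0 on the
    external side alone does not match.
    """
    net = ipaddress.ip_network(home_net)
    port0_name = services.get((0, "tcp"), "reserved")
    alerts = []
    for raw in packets:
        pkt = parse_ipv4_tcp(raw)
        if pkt is None:
            continue
        src_home = ipaddress.ip_address(pkt.src) in net
        dst_home = ipaddress.ip_address(pkt.dst) in net
        external_to_home = dst_home and not src_home and pkt.dport == 0
        home_to_external = src_home and not dst_home and pkt.sport == 0
        if external_to_home or home_to_external:
            alerts.append(
                f"BAD-TRAFFIC tcp port 0 traffic {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                f" (services file would label port 0 as '{port0_name}')"
            )
    return alerts


# Constructed sample traffic: two hits, one port-0 packet on the external side that the
# rule ignores, one ordinary SSH packet, and one UDP packet the parser skips.
SAMPLE_PACKETS = [
    build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40000, 0),         # external -> home port 0: alert
    build_ipv4_tcp("10.0.0.5", "198.51.100.7", 0, 40000),         # home port 0 -> external: alert
    build_ipv4_tcp("198.51.100.7", "10.0.0.5", 0, 443),           # port 0 only on external side: no alert
    build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40001, 22),        # normal SSH: no alert
    build_ipv4_tcp("198.51.100.7", "10.0.0.5", 53, 0, proto=17),  # UDP, not TCP: skipped
]


def run_demo() -> list:
    """Parse the sample services file and run the port-0 check over the constructed packets."""
    return port0_alerts(SAMPLE_PACKETS, HOME_NET, parse_services(SERVICES_TEXT))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it produces two alerts and silently drops the third packet, which is the detail worth noticing: because the rule anchors port 0 to $HOME_NET, a scanner that sets its own source port to 0 while probing a normal service port on your network is not what sid 524 reports. The label in each alert also shows why a services file carrying the spr-itunes entries makes netstat-style output look as if an iTunes-related service were listening.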
 
So, have you seen TCP port 0 on your network and found a valid reason for it being there? If so, drop us a line via the contact form, and I'll update the diary with those uses.
 
Update:
 
One of our diary readers, Troy, has let us know that he has seen TCP port 0 traffic on a number of occasions coming from an Akamai caching server farm. If you know why the people over at Akamai are using TCP port 0, or indeed have a packet capture we could examine, please let us know via the contact form.
 

VMware Fusion updates to fix a couple of bugs

Published: 2009-10-02
Last Updated: 2009-10-02 18:19:27 UTC
by Stephen Hall (Version: 1)
0 comment(s)

VMware have informed us that an update is available for the Apple Mac version of their virtualisation environment, VMware Fusion.

The update fixes a vulnerability found in all versions of VMware Fusion, so if you use this product, it is time to update. An exploit for one of the issues has been published.

The published vulnerability apparently produces a remote shell with root privileges but I have not tested it at this time.

The exploit writer comments:

"The vmx86 kext ioctl handler permits an unprivileged userland program to initialize several function pointers via the 0x802E564A ioctl code. These function pointers are later used from several reachable locations within the driver, one of which is called immediately after initialization."

 

Keywords: fusion vmware

New Sysinternals fun for the weekend

Published: 2009-10-02
Last Updated: 2009-10-02 16:18:22 UTC
by Stephen Hall (Version: 1)
1 comment(s)

A whole raft of new Sysinternals goodness has been released just before the weekend, so we have new versions of our toys to play with.

The Sysinternals blog has all the news, but in summary, there are updates to LiveKd, BgInfo, ProcDump, and Autoruns.

Mark also blogs about a couple of interesting issues.

Thanks to Roseman for the heads up, and the follow-up e-mail.

 


New version of OpenSSH released

Published: 2009-10-02
Last Updated: 2009-10-02 16:11:08 UTC
by Stephen Hall (Version: 1)
0 comment(s)

The guys and gals over at OpenSSH have announced that a new version has been released. This is version 5.3, and it's also the 10th birthday version of the stalwart of secure communication over TCP port 22.

Details of the release can be found in the release note and should be on the mirror servers soon.

The release note shows a couple of general bugs, and a few platform specific ones.

Enjoy, and remember to test your deployment!

 

Keywords: openssh