Alerts

Cisco AsyncOS Patch, (Fri, Mar 21st)

Latest Alerts - Thu, 03/20/2014 - 16:16

Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).

The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blocklist is parsed, arbitrary commands are executed.

This sounds like an OS command injection vulnerability. The parameters (assumed to be IP addresses) are likely passed as arguments to a firewall script, and if an entry includes specific shell metacharacters (usually ";" or "&"), additional commands can be executed.

Time to patch, but the requirement that the attacker be authenticated makes this a less severe vulnerability than other arbitrary code execution vulnerabilities.
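To make the class of bug concrete from the defender's side, here is an added example (not Cisco's code, and not derived from the advisory) of how a blocklist loader becomes injectable and how to harden it. The helper path /usr/local/sbin/block-host, the blocklist entries and the loader itself are all hypothetical: the loader validates every entry with the standard library's ipaddress module and hands the result to the helper as an argv list, so no shell ever parses the file's contents.

```python
"""Added example: loading a blocklist without OS command injection.

Everything here is hypothetical illustration, not vendor code. The helper
script path and the sample entries are constructed for the example.
"""
import ipaddress
import subprocess

FIREWALL_HELPER = "/usr/local/sbin/block-host"  # hypothetical helper script


def shell_command_unsafe(entry: str) -> str:
    """The injectable pattern: the raw blocklist line is interpolated into a
    command string that is later handed to /bin/sh, so ';' or '&' in the
    entry terminates the intended command and starts another one."""
    return f"{FIREWALL_HELPER} {entry}"


def parse_entry(entry: str):
    """Return an IPv4/IPv6 network object for a valid address or CIDR block,
    or None for anything else (including entries carrying shell syntax)."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def hardened_argv(entry: str):
    """Build the argv list for the helper, or None if the entry is rejected.

    Two independent controls: the entry must parse as an address/network, and
    the re-serialised str(net) (never the raw line) is passed as a separate
    argv element with shell=False, so metacharacters have no meaning."""
    net = parse_entry(entry)
    if net is None:
        return None
    return [FIREWALL_HELPER, str(net)]


def load_blocklist(lines, runner=subprocess.run):
    """Apply every valid entry and return (applied, rejected).

    `runner` is injectable so the logic can be exercised without a real
    helper; in production it is subprocess.run with shell=False."""
    applied, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not entries
        argv = hardened_argv(line)
        if argv is None:
            rejected.append(line)  # log and skip; never pass through
            continue
        runner(argv, shell=False, check=False)
        applied.append(argv[1])
    return applied, rejected


if __name__ == "__main__":
    # Constructed sample blocklist, including one entry carrying shell syntax.
    sample = ["203.0.113.5\n", "2001:db8::/32\n", "203.0.113.9; id\n", "# note\n"]
    ok, bad = load_blocklist(sample, runner=lambda argv, **kw: None)
    print("applied:", ok)
    print("rejected:", bad)
```

The argv approach only helps if the helper itself does not re-interpolate its argument into a shell string (a `system()` call inside a script reintroduces the problem), which is why the entry is also re-serialised from the parsed object rather than passed through as typed.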

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Normalizing IPv6 Addresses, (Thu, Mar 20th)

Latest Alerts - Thu, 03/20/2014 - 14:40

One of the annoyances with IPv6 addresses is that they may be abbreviated: leading "0"s may be omitted, and a run of ":0000:" groups may be replaced with "::". The key annoyance is the word "may". Some logs (for example iptables) will not abbreviate; others, like nginx or apache, will, which makes correlating logs more difficult.

Lately, I started using a little perl script to "normalize" my IPv6 addresses in logs. The script will insert all the missing "0"s making it easier to find a specific IP address. The script I am using:

#!/usr/bin/perl
use strict;
use warnings;

# Read log lines from stdin or the files named on the command line and
# expand every IPv6 address on a line to its full eight-group form.
while (<>) {
    my $line = $_;
    # Candidates are runs of hex digits and colons; looks_like_v6() weeds
    # out timestamps such as 04:21:14 and plain numbers such as 2014.
    $line =~ s/([0-9a-f:]{2,})/looks_like_v6($1) ? fillv6($1) : $1/gie;
    print $line;
}

# A candidate is treated as IPv6 if it already has eight groups or uses "::"
sub looks_like_v6 {
    my $s = shift;
    return 1 if $s =~ /::/;
    return ( $s =~ tr/:/:/ ) == 7;
}

sub fillv6 {
    my $in = shift;
    # split() drops leading and trailing empty fields, so a leading or
    # trailing "::" (as in ::1 or fe80::) would lose a group; pad explicitly.
    $in =~ s/^:/0000:/;
    $in =~ s/:$/:0000/;
    my @parts = split( /:/, $in );
    my $partn = scalar @parts;
    if ( $partn < 8 ) {
        # "::" shows up as one empty element in @parts, so 9 - $partn
        # zero groups are needed to reach eight in total.
        my $x = ':0000' x ( 9 - $partn );
        $in =~ s/::/$x:/;
        @parts = split( /:/, $in );
    }
    # left-pad every group with zeros to four characters
    $parts[$_] = sprintf( "%04s", $parts[$_] ) for 0 .. $#parts;
    return join( ':', @parts );
}

What I could use is a bit more diverse IPv6 logs to see if it covers all possible cases. The script is right now in a "works for me" state, so let me know if it works for you too.
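As an added example (not the diary's script), the same normalization can be done with the Python standard library, which already knows the edge cases a hand-rolled filler has to be tested against: leading and trailing "::", uppercase hex, IPv4-mapped addresses such as ::ffff:192.0.2.7, and lines where a timestamp like 04:21:14 looks superficially like an address. The log lines below are constructed for the example.

```python
"""Added example: expand every IPv6 address in log lines to its full
eight-group form using ipaddress, leaving everything else untouched."""
import ipaddress
import re

# Any run of hex digits, colons and dots that contains at least one colon is
# a candidate. Timestamps (04:21:14), host:port pairs (192.0.2.1:8080) and
# stray hex such as the "a" in "Mar" are rejected by the parser below, not by
# the regex, so the regex can stay permissive.
CANDIDATE = re.compile(r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*")


def normalize_v6(text: str) -> str:
    """Replace each valid IPv6 literal in `text` with its exploded form."""

    def expand(match: re.Match) -> str:
        candidate = match.group(0)
        try:
            # .exploded is computed from the 128-bit value, so "::", omitted
            # leading zeros and IPv4-mapped notation all come out uniform.
            return ipaddress.IPv6Address(candidate).exploded
        except ValueError:
            return candidate  # not an IPv6 address: leave the text as-is

    return CANDIDATE.sub(expand, text)


def normalize_lines(lines):
    """Normalize an iterable of log lines; newlines are preserved."""
    return [normalize_v6(line) for line in lines]


# Constructed sample lines: an nginx/apache-style line with a compressed
# address, an IPv4-mapped client, and an iptables line that is already
# exploded and must come through unchanged.
SAMPLE_LOG = [
    '2001:db8::1 - - [11/Mar/2014:04:21:14 +0100] "GET / HTTP/1.1" 200 612',
    '::ffff:192.0.2.7 - - [11/Mar/2014:04:22:03 +0100] "GET /index.shtml HTTP/1.0" 302 206',
    "Mar 11 04:21:14 host kernel: IN=eth0 SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=fe80::1",
]

if __name__ == "__main__":
    import sys

    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for line in normalize_lines(source):
        print(line.rstrip("\n"))
```

Because the address is re-rendered from its numeric value rather than by string surgery, the script cannot produce seven- or nine-group output for unusual abbreviations; the only thing left to tune is the candidate regex, for instance if zone identifiers (fe80::1%eth0) should be stripped rather than kept after the expanded address.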

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Thursday, March 20th 2014 http://isc.sans.edu/podcastdetail.html?id=3899, (Thu, Mar 20th)

Latest Alerts - Wed, 03/19/2014 - 16:53

For the Adventurous, Java 8 is out, (Wed, Mar 19th)

Latest Alerts - Wed, 03/19/2014 - 13:21

Looks like Java 8 is out (thanks Rob).

What’s new: http://www.oracle.com/technetwork/java/javase/8-whats-new-2157071.html

Release notes: http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html

Downloads: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Note that many of the Java 8 download links still point to 7.51.

Good luck, and let us know how it goes if you are updating right now.

M


Full Disclosure list shuts down, (Wed, Mar 19th)

Latest Alerts - Wed, 03/19/2014 - 13:17

The Full Disclosure mailing list which is at times an interesting source of information, other times entertainment and sometimes a source of frustration is shutting down.  John Cartwright posted a message announcing the closure on the site (http://seclists.org/fulldisclosure/2014/Mar/332).  

I for one thank John and Len for the list.  It is a shame to see it go.  I'll miss the technical components.  I won't miss the reasons for taking this decision. 

M


Mozilla released updates for Firefox ( v 28.0), Thunderbird (v 24.4) and Firefox Extended Support Release (ESR) updates to 24.4.0 (Fixes include the issues highlighted at the pwn2own contest.), (Wed, Mar 19th)

Latest Alerts - Tue, 03/18/2014 - 17:29

ISC StormCast for Wednesday, March 19th 2014 http://isc.sans.edu/podcastdetail.html?id=3897, (Wed, Mar 19th)

Latest Alerts - Tue, 03/18/2014 - 17:18

Call for packets dest 5000 or source 6000, (Tue, Mar 18th)

Latest Alerts - Tue, 03/18/2014 - 03:16

There are two events I'm interested in following up on at the moment. A few reports mentioned that scans to destination port 5000 seem to be popular at the moment (https://isc.sans.edu/port.html?port=5000). So if you have a few spare packets, that would be great. In this instance I'm not looking for log records, only pcaps.

Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses, e.g. IP address A scanning target 1089-1099, IP address B scanning target 1100-1110, etc. If you have log records or packets for traffic from source port 6000 to multiple ports or IP addresses in your environment, I'd be interested in taking a look.

We've seen both of these previously, but would certainly like to see if it is the same or something different.

Thanks

Mark H 


ISC StormCast for Tuesday, March 18th 2014 http://isc.sans.edu/podcastdetail.html?id=3895, (Tue, Mar 18th)

Latest Alerts - Mon, 03/17/2014 - 17:04

Scans for FCKEditor File Manager, (Mon, Mar 17th)

Latest Alerts - Mon, 03/17/2014 - 17:01

FCKEditor (now known as CKEditor [1]) is a popular full-featured GUI editor that many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a file manager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this feature is frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically for this file manager plugin:

HEAD /js/fckeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/fckeditor.html
HEAD /include/fckeditor/_samples/default.html
HEAD /include/fckeditor/editor/filemanager/connectors/test.html

These requests did not set a user agent or a referrer. The following set did however use the user agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;" and used a GET request instead of a HEAD request, indicating that there are different tools looking for the same vulnerability:

GET /editor/editor/filemanager/connectors/uploadtest.html HTTP/1.1
GET /editor/editor/filemanager/upload/test.html HTTP/1.1
GET /editor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1
GET /editor/editor/filemanager/connectors/test.html HTTP/1.1
GET /admin/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1
GET /Fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1
GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1
GET /admin/FCKeditor/editor/filemanager/upload/test.html HTTP/1.1
GET /Fckeditor/editor/filemanager/connectors/test.html HTTP/1.1
GET /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1
GET /FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1

I am still looking for any samples of the files these scripts attempt to upload. If you have any, please let us know.

[1] http://ckeditor.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

New Apache web server release, (Mon, Mar 17th)

Latest Alerts - Mon, 03/17/2014 - 17:00

The Apache folks have released version 2.4.9 of their ubiquitous web server. This one fixes a couple of security vulnerabilities along with some other bug fixes: one in mod_log_config having to do with truncated cookies, and one in mod_dav that was a potential denial of service. Expect most of the Linux distros to apply the appropriate fixes shortly, but if you are building from source or running on a platform that won't push the updates to you, go grab the update.

References:

http://httpd.apache.org/security/vulnerabilities_24.html

http://www.apache.org/dist/httpd/CHANGES_2.4.9

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


ISC StormCast for Monday, March 17th 2014 http://isc.sans.edu/podcastdetail.html?id=3893, (Mon, Mar 17th)

Latest Alerts - Sun, 03/16/2014 - 17:21

NTIA begins transition of Root DNS Management, (Sat, Mar 15th)

Latest Alerts - Sat, 03/15/2014 - 09:30

The U.S. National Telecommunications and Information Administration (NTIA) has begun the final stages of privatizing the management of the Domain Name System (DNS) that powers the Internet.  This transition was begun in 1997.

From the press release...

"As the first step, NTIA is asking the Internet Corporation for Assigned Names and Numbers (ICANN) to convene global stakeholders to develop a proposal to transition the current role played by NTIA in the coordination of the Internet’s domain name system (DNS). "

The NTIA, in conjunction with ICANN and Verisign, is currently responsible for managing the root zone, including the administration of the root zone file which contains the details about the top level domains (TLDs). The TLDs are the last part of a Fully Qualified Domain Name (FQDN), such as .com, .gov, .mil, etc.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


WordPress Shenanigans? Anyone seeing strange activity today?, (Fri, Mar 14th)

Latest Alerts - Fri, 03/14/2014 - 07:10

We are getting different activity reports (thanks for those!) on WordPress. Beyond the pingback issue that has been happening, is anyone else seeing strange WP behavior?

Richard Porter

--- ISC Handler on Duty

Twitter: Packetalien

Blog: packetalien.com


ISC StormCast for Friday, March 14th 2014 http://isc.sans.edu/podcastdetail.html?id=3891, (Fri, Mar 14th)

Latest Alerts - Thu, 03/13/2014 - 17:43

Adobe Shockwave Player critical update: http://helpx.adobe.com/security/products/shockwave/apsb14-10.html, (Thu, Mar 13th)

Latest Alerts - Thu, 03/13/2014 - 09:05

Web server logs containing RS=^ ?, (Thu, Mar 13th)

Latest Alerts - Thu, 03/13/2014 - 01:55

A SANS ISC reader sent us the following Apache log snippet earlier today:

108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206
196.196.x.x - [11/Mar/2014:07:43:19 +0100] "GET /index.shtml/RS=^ADAY1N1JxWPFnnOEW3FpVC1g.n4rec- HTTP/1.0" 302 206
88.80.x.x   - [11/Mar/2014:15:02:01 +0100] "GET /index.shtml/RS=^ADAw5eOsxy0br6iGm1BZPRs2wtnyAE- HTTP/1.1" 302 206

index.shtml exists on the reader's server, but the RS= / RK= stuff is bogus. The RS= looks like it could be a regular expression for a pattern match of sorts, since it is starting with an anchor "^", but that's guessing. We don't really know. Googling for the pattern shows that this sort of thing has been around for a while, but I didn't find any definite explanation about which software or toolkit these requests are attempting to exploit, if any. If you have information on what this is, please share in the comments below, or via our contact form.
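Both this diary and the FCKeditor scan diary above come down to the same defender task: parse access log lines and pull out requests matching a known probe pattern, then see whether the same pattern arrives from distinct tools (HEAD without a user agent versus GET with an MSIE user agent). The following is an added example written for this page, not an ISC tool: a small combined-log parser with two signatures, one for FCKeditor file-manager connector paths and one for the bogus /RS=... and /RK=... path suffixes. The log lines it runs over are constructed; the x.x octets are kept as the reader's snippet showed them.

```python
"""Added example: flag FCKeditor file-manager probes and /RS=.../RK=...
suffixed requests in Apache access logs, grouped by (signature, method,
user agent) so distinct scanning tools stand out."""
import re
from collections import Counter

# Common/combined log format. Referrer and user agent are optional so the
# referrer-less HEAD lines from the FCKeditor scans still parse, and the
# ident/user fields are allowed to be one or two tokens.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?:\S+ ){1,2}\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Path signatures taken from the requests quoted in the two diaries.
SIGNATURES = {
    # any path under an fckeditor install, or the bare editor/filemanager tree
    "fckeditor-filemanager": re.compile(r"fckeditor|/editor/filemanager/", re.I),
    # "/RS=<token>" or "/RK=<token>" appended to an otherwise valid path
    "bogus-rs-rk-suffix": re.compile(r"/R[SK]=[^/\s]+"),
}


def parse_line(line: str):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(rec) -> list:
    """Names of every signature that matches the request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["path"])]


def scan(lines):
    """Return (hits, tools).

    hits:  list of (signature, method, user_agent, ip, path) per matching line
    tools: Counter keyed by (signature, method, user_agent); one signature
           showing up under several keys means several distinct tools."""
    hits, tools = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        ua = rec["ua"] or "-"
        for sig in classify(rec):
            hits.append((sig, rec["method"], ua, rec["ip"], rec["path"]))
            tools[(sig, rec["method"], ua)] += 1
    return hits, tools


# Constructed sample: one HEAD probe without UA, one GET probe with the MSIE
# UA quoted in the diary, one RS=/RK= request, and one benign request.
SAMPLE_LOG = [
    '198.51.100.10 - - [17/Mar/2014:10:01:02 +0000] "HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html HTTP/1.0" 404 -',
    '198.51.100.11 - - [17/Mar/2014:10:01:05 +0000] "GET /editor/editor/filemanager/upload/test.html HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1;"',
    '108.178.x.x - [11/Mar/2014:04:21:14 +0100] "GET /index.shtml/RK=0/RS=o_wLEbyzxJDMeXhdrhZU9KN7uD4- HTTP/1.0" 302 206',
    '203.0.113.5 - - [17/Mar/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    found, by_tool = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    for key, n in by_tool.items():
        print(n, key)
```

The grouping key is deliberately coarse: method plus user agent is enough to separate the two FCKeditor scanners described above, and for the RS= requests it at least shows whether the traffic is one tool or many before anyone spends time guessing what software the suffix is meant for.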



ISC StormCast for Thursday, March 13th 2014 http://isc.sans.edu/podcastdetail.html?id=3889, (Thu, Mar 13th)

Latest Alerts - Wed, 03/12/2014 - 17:17