Information Security

Vulnerability Pipes

FreeBSD Denial of Service advisory (CVE-2004-0230), (Tue, Sep 16th)

Other Security - Tue, 09/16/2014 - 17:54

A vulnerability has been discovered by Jonathan Looney of the Juniper SIRT in FreeBSD (the base for Junos and many other products) in the way FreeBSD processes certain TCP packets (https://www.freebsd.org/security/advisories/FreeBSD-SA-14:19.tcp.asc). If an attacker sends a TCP SYN packet for an existing connection (i.e. the correct combination of source IP, source port, destination IP and destination port), the operating system tears down the connection. Note that, unlike the classic 2004 attack, no sequence number has to be guessed: a matching 4-tuple is enough.

The attack is similar to the "slipping in the TCP window" attack described back in 2004 by Paul Watson (http://packetstormsecurity.com/files/author/3245/), but it uses SYN packets instead of RST packets. One of the Handlers has successfully reproduced the attack in their lab.
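To make the difference between this bug and the 2004 attack concrete, here is an added example (my own code, not from the ISC diary or the FreeBSD advisory): a small model of how an ESTABLISHED TCP connection reacts to a SYN carrying its own 4-tuple under three receive policies. The "freebsd-sa-14-19" policy follows what the diary states (a matching SYN tears the connection down with no sequence-number check); "rfc793" and "rfc5961" are my models of the classic in-window check and of the challenge-ACK mitigation, and the Tcb/Segment types, addresses and window sizes are assumptions made for the example.

```python
# Added example (not from the ISC diary or the FreeBSD advisory): model of how an
# ESTABLISHED connection handles a SYN that carries its own 4-tuple, under three
# policies. Only "freebsd-sa-14-19" is taken from the diary text; "rfc793" and
# "rfc5961" are my models of the classic in-window check and of challenge ACKs.
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


@dataclass
class Tcb:
    """Receive-side state of one ESTABLISHED connection: local and remote
    endpoints, next expected sequence number and advertised receive window."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int
    rcv_wnd: int


@dataclass
class Segment:
    """The fields of an incoming segment that matter for this decision."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    syn: bool = False


def matches(tcb, seg):
    """Does the segment's 4-tuple select this connection?"""
    return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) == (
        tcb.remote_ip, tcb.remote_port, tcb.local_ip, tcb.local_port)


def in_window(tcb, seq):
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - tcb.rcv_nxt) % SEQ_SPACE < tcb.rcv_wnd


def handle_syn(tcb, seg, policy):
    """What an ESTABLISHED connection does with the segment. Returns one of
    'no-such-connection', 'normal-processing', 'teardown', 'ack-drop',
    'challenge-ack'."""
    if not matches(tcb, seg):
        return "no-such-connection"
    if not seg.syn:
        return "normal-processing"
    if policy == "freebsd-sa-14-19":
        return "teardown"             # no window check at all: the bug
    if policy == "rfc793":
        return "teardown" if in_window(tcb, seg.seq) else "ack-drop"
    if policy == "rfc5961":
        return "challenge-ack"        # never reset on a SYN; a real peer answers with RST
    raise ValueError(f"unknown policy {policy!r}")


def worst_case_blind_packets(policy, rcv_wnd, port_candidates):
    """Packets an off-path attacker who knows both IPs and the server port must
    send, in the worst case, to hit an existing connection: one per candidate
    client port, times the number of window-sized sequence guesses where the
    stack performs a window check."""
    if policy == "freebsd-sa-14-19":
        return port_candidates
    if policy == "rfc793":
        return port_candidates * -(-SEQ_SPACE // rcv_wnd)   # ceil division
    return None   # rfc5961: no number of SYNs tears the connection down


# Constructed connection: an SSH session from 192.0.2.7:40000 to 10.0.0.1:22.
EXAMPLE_TCB = Tcb("10.0.0.1", 22, "192.0.2.7", 40000, 4000000000, 65535)

if __name__ == "__main__":
    spoofed = Segment("192.0.2.7", 40000, "10.0.0.1", 22, seq=1, syn=True)
    for policy in ("freebsd-sa-14-19", "rfc793", "rfc5961"):
        print(policy, handle_syn(EXAMPLE_TCB, spoofed, policy),
              worst_case_blind_packets(policy, 65536, 1000))
```

The out-of-window spoofed SYN (sequence number 1 against a window starting at 4000000000) is dropped by a stack that checks the window, tears the connection down on the vulnerable stack, and is answered with a challenge ACK by an RFC 5961 stack; the last line shows why the difference matters for a blind attacker, whose cost drops from port guesses times window guesses to port guesses alone.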

Even if you think you don't have FreeBSD in your environment, you probably do: a number of products use FreeBSD as their base operating system. A few that spring to mind are OS X, Blue Coat, Check Point, NetScaler and more (a partial list is here: http://en.wikipedia.org/wiki/List_of_products_based_on_FreeBSD).

Keep an eye out for updates from your vendors. Juniper's is here: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10638

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Vulnerability Pipes

Spoofed SNMP Messages: Mercy Killings of Vulnerable Networks or Troll?, (Mon, Sep 15th)

Other Security - Mon, 09/15/2014 - 21:50

2nd Update

All the packet captures we have received so far show the same behavior. The scans are sequential, so it is fair to assume that this is an internet-wide scan. We have yet to find a vulnerable system, and I don't think that vulnerable configurations are very common, but please let me know if you know of widely used systems that accept these SNMP commands. This could also just be a troll checking "what happens if I send this".

1st Update

Thanks to James for sending us some packets. Contrary to what was suggested earlier, this doesn't look like a DoS against Google, but more like a DoS against vulnerable gateways. The SNMP command is actually a "set" request using the default read-write community string "private". If successful, it would:

- set ipDefaultTTL (1.3.6.1.2.1.4.2.0) to 1, which would make it impossible for the gateway to reach any system that is not on the same link-layer network, since every packet it originates would expire at the first hop.

- set ipForwarding (1.3.6.1.2.1.4.1.0) to 2 (not-forwarding), turning off IP forwarding.

Still playing with this; so far I haven't managed to "turn off" any of my test systems. If you want to play, here are some of the details:

The SNMP payload of the packets reported by James:

Simple Network Management Protocol
    version: version-1 (0)
    community: private
    data: set-request (3)
        set-request
            request-id: 1821915375
            error-status: noError (0)
            error-index: 0
            variable-bindings: 2 items
                1.3.6.1.2.1.4.2.0:
                    Object Name: 1.3.6.1.2.1.4.2.0 (iso.3.6.1.2.1.4.2.0)
                    Value (Integer32): 1
                1.3.6.1.2.1.4.1.0:
                    Object Name: 1.3.6.1.2.1.4.1.0 (iso.3.6.1.2.1.4.1.0)
                    Value (Integer32): 2

The snmp set command I am using to re-create the traffic:

snmpset  -v 1 -c private [target ip] .1.3.6.1.2.1.4.2.0 int 1 .1.3.6.1.2.1.4.1.0 int 2
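For anyone who wants to inspect captures of this scan without a full SNMP toolchain, here is an added example (my own code, not from the ISC diary): a dependency-free BER encoder and decoder for the SNMPv1 set-request decoded above. It rebuilds the same message (community "private", request-id 1821915375, ipDefaultTTL=1 and ipForwarding=2) from the Wireshark output, parses it back, and flags the "blackhole the gateway" pattern so it can be run over the payloads of packets captured with the tcpdump filter. The OID names come from RFC 1213; the sample message is constructed here, not taken from the captures.

```python
# Added example (not from the ISC diary): build and decode the SNMPv1
# set-request shown above, then flag the "router DoS" pattern. Pure BER,
# no external libraries; OID names from RFC 1213 (ipForwarding, ipDefaultTTL).

IP_FORWARDING = "1.3.6.1.2.1.4.1.0"   # RFC 1213 ipForwarding: 1=forwarding, 2=notForwarding
IP_DEFAULT_TTL = "1.3.6.1.2.1.4.2.0"  # RFC 1213 ipDefaultTTL
SET_REQUEST_TAG = 0xA3                # SNMPv1 SetRequest-PDU: context tag [3], constructed


def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """INTEGER: minimal-length two's complement."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return ber_tlv(0x02, n.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_set_request(community, request_id, bindings):
    """SNMPv1 message: SEQUENCE { version(0), community, SetRequest-PDU }."""
    varbinds = b"".join(ber_tlv(0x30, ber_oid(oid) + ber_int(val)) for oid, val in bindings)
    pdu = ber_tlv(SET_REQUEST_TAG,
                  ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbinds))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value bytes, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_snmp(buf):
    """Decode an SNMPv1 message (the UDP/161 payload) into a dict."""
    _, msg, _ = read_tlv(buf, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)  # error-status
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    bindings, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        bindings.append((decode_oid(oid),
                         int.from_bytes(val, "big", signed=True) if vtag == 0x02 else val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("ascii", "replace"),
            "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "bindings": bindings}


def is_router_dos_set(msg):
    """True for a set-request that would blackhole a gateway (TTL=1 or forwarding off)."""
    if msg["pdu_tag"] != SET_REQUEST_TAG:
        return False
    wanted = dict(msg["bindings"])
    return wanted.get(IP_DEFAULT_TTL) == 1 or wanted.get(IP_FORWARDING) == 2


# Constructed sample mirroring the decode above (same community, request-id, bindings).
SAMPLE = build_set_request("private", 1821915375, [(IP_DEFAULT_TTL, 1), (IP_FORWARDING, 2)])

if __name__ == "__main__":
    decoded = parse_snmp(SAMPLE)
    print(SAMPLE.hex())
    print(decoded, "router-DoS pattern:", is_router_dos_set(decoded))
```

The same parse_snmp() can be pointed at the UDP payload of each packet in the capture; a set-request with the "private" community that writes either of these two OIDs is exactly what the snort signature above is keying on, and any agent that actually accepts it is one worth finding before the scanner does.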

Any insight is welcome. Still working on this, and there may be more to it than I see now (or less...).

--- end of update ---

We are receiving some reports about SNMP scans that claim to originate from 8.8.8.8 (Google's public recursive DNS server). This is likely part of an attempt to launch a DDoS against Google by using SNMP as an amplifier/reflector.

Please let us know if you see any of these packets. The source IP should be 8.8.8.8 and the target port should be 161/UDP. For example, in tcpdump:

tcpdump -s0 -w /tmp/googlensmp dst port 161 and src host 8.8.8.8

Thanks to James for sending us a snort alert triggered by this:

Sep 15 11:07:07 node snort[25421]: [1:2018568:1] ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1) [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:47074 -> x.x.251.62:161

So far, it does not look like service to Google's DNS server is degraded.

---
Johannes B. Ullrich, Ph.D.


Vuln: Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

Linux Security - Mon, 09/15/2014 - 19:00

Vuln: Apache Commons FileUpload CVE-2014-0050 Denial Of Service Vulnerability

Linux Security - Sun, 09/14/2014 - 19:00

Vuln: Apache Tomcat CVE-2014-0099 Request Processing Information Disclosure Vulnerability

Linux Security - Thu, 09/11/2014 - 19:00

Vuln: Apache Tomcat CVE-2014-0075 Chunk Request Remote Denial Of Service Vulnerability

Linux Security - Thu, 09/11/2014 - 19:00

Bugtraq: [SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat

Linux Security - Thu, 09/11/2014 - 04:07

Bugtraq: [security bulletin] HPSBMU03075 rev.1 - HP Network Node Manager I (NNMi) for Windows and Linux, Remote Execution of Arbitrary Code

Windows Security - Thu, 09/11/2014 - 04:07
