IDGNet Virus & Security Watch Monday 7 April 2003


This issue's topics:

Introduction:

* QuickTime, Sendmail, Apache, Mutt patches; RDP, vsftpd config checks

Virus News:

* All quiet on the virus front...

* George Smith calling Uncle Roger...

Security News:

* Terminal Services RDP protocol vulnerable to man-in-the-middle attacks

* Update fixes remote overflow in QuickTime Player for Windows

* Critical Sendmail vulnerability prompts hasty update

* Apache 2.0.45 release fixes two security vulnerabilities

* Mutt, Balsa updates fix remote buffer overflow vulnerability

* Red Hat Linux 9 vsftpd does not use tcp_wrappers

* 'Evil Bit' IPv4 security flag RFC continues April Fool tradition

Introduction:

Windows terminal server users are warned that researchers have shown the feasibility of man-in-the-middle attacks against the RDP protocol used to provide connectivity between a Terminal Server and client. Windows administrators running such setups should ensure that they are not potentially vulnerable to such an attack, which is possible because RDP does not do server authentication. Windows admins should also be checking on the version of Apple QuickTime Player installed on the machines under their charge, given the recent announcement of an update to fix a trivial buffer overflow in the player.

It looks as if it will be a busy week (or weekend) for Unix and Linux administrators. Both Apache and Sendmail, probably the most heavily deployed servers in their respective product classes, have serious security flaws that require updating or patching. Further, the popular (at least among the hardcore commandline set) e-mail client Mutt has a remotely exploitable buffer overflow, though the urgency of fixing this is reduced dramatically if your Mutt users do not use IMAP servers you do not control. On the lighter side, we have included a link to the most recent April Fool RFC - a tongue-in-cheek attempt to bolt security into IPv4 via a single bit-field in the IP header.

On the virus front there has been nothing of special note this week so we have included a link to George Smith's take on what punishment is suitable for the Swedish author of the Ganda e-mail worm.

Virus News:

* All quiet on the virus front...

Well, not dead quiet (we wish!) but quiet enough that no malware stories of sufficient merit to retell here played out this week. As we are essentially just one week into the month, the monthly prevalence statistics at MessageLabs are a good place to get a feel for things. As you'll see, Klez.H is still way out in front, with Sobig and a couple of Yaha variants each at about 20-25% of the hit-rate of Klez.H. After that it tails off very quickly.

MessageLabs current month Threatlist - messagelabs.com

* George Smith calling Uncle Roger...

Several past issues of this newsletter have linked to the often sardonic writings of George Smith. His wry take on many matters more or less relevant to computer security, and to virus writing and virus writers in particular, can provide a valuable sanity-check. His most recent column for SecurityFocus considers the foibles of distributing a mass-mailer to make a political point. The 'Uncle Roger' of Smith's title is the misguided writer of Ganda (mentioned in this section of the last two issues of the newsletter). Smith's feelings on the unduly harsh sentence Uncle Roger faces are summed up thus: '[he] might get four years, said authorities - an inappropriately long punishment for a fellow whose biggest offense is best described as gross idiocy'.

Uncle Roger's Folly - securityfocus.com

Security News:

* Terminal Services RDP protocol vulnerable to man-in-the-middle attacks

Erik Forsberg, a security researcher at Swedish company Cendio Systems, has announced that RDP (Remote Desktop Protocol) in Windows Terminal Services makes no effort to verify the identities of the systems while exchanging the encryption keys to be used in a session. Thus, if attackers can arrange for the negotiation of an RDP session to flow through an intermediary machine (say by way of DNS spoofing or arp poisoning), they can obtain the secret keys of the RDP server and client. The machine in the middle of such 'man-in-the-middle' attacks decrypts and re-encrypts the RDP traffic so as to relay the traffic transparently between the two machines. This occurs invisibly to the user of the Terminal Services client and to the server.

Cendio Systems has reported this to Microsoft, which reportedly acknowledged the problem and said it was 'investigating the feasibility in adding [server authentication] functionality' to RDP. Cendio tested the Windows 2000 RDP client and its latest update from Microsoft against Windows 2000 Advanced Server, Windows 2000 Terminal Server and pre-release builds of Windows Server 2003 (formerly .NET Server). It seems unlikely that the other versions of RDP, in NT 4.0 Terminal Server and Windows XP, are free of this problem.

Users should note, however, that Microsoft does not claim RDP provides server authentication. Thus, its deployment in environments where the type of man-in-the-middle attack mentioned above is possible should already have been considered.
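The core of the report above is that the client uses whatever public key it is handed during the exchange, with no way to tell whether that key belongs to the Terminal Server it meant to reach. The following is an added illustration, not code from the original newsletter, from Cendio or from Microsoft, and it does not model RDP's actual wire protocol: it is an abstract client-side handshake in which the client either accepts any presented key (no server authentication) or insists that the key's fingerprint match a value pinned in advance. The FNV-1a fingerprint, the placeholder key strings and the session-secret derivation are all constructed stand-ins, and a pinned fingerprint of zero is used here to mean "no pin configured".

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Stand-in for a cryptographic hash (64-bit FNV-1a). A real client would
 * fingerprint the server's certificate or key with SHA-256 or similar. */
uint64_t key_fingerprint(const uint8_t *key, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= key[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Session secret as the client derives it: bound to the key it accepted, so
 * whoever holds that key shares the secret. Model only, not RDP's real derivation. */
uint64_t derive_session_secret(const uint8_t *accepted_key, size_t len, uint64_t client_random)
{
    return key_fingerprint(accepted_key, len) ^ client_random;
}

/* Outcome of a modelled handshake from the client's point of view. */
typedef struct {
    bool completed;          /* did the client go ahead with the key exchange? */
    uint64_t session_secret; /* meaningful only if completed */
} handshake_result;

/* Client-side handshake. pinned_fp == 0 means "no server authentication",
 * the situation the report describes: any presented key is used as-is.
 * Otherwise the presented key must match the pinned fingerprint. (Assumption
 * of this model: 0 is never a genuine fingerprint.) */
handshake_result client_handshake(const uint8_t *presented_key, size_t len,
                                  uint64_t pinned_fp, uint64_t client_random)
{
    handshake_result r = { false, 0 };
    if (pinned_fp != 0 && key_fingerprint(presented_key, len) != pinned_fp)
        return r;   /* key does not belong to the pinned server: abort */
    r.completed = true;
    r.session_secret = derive_session_secret(presented_key, len, client_random);
    return r;
}

/* Constructed placeholder keys; not real key material. */
static const uint8_t GENUINE_SERVER_KEY[] = "constructed-genuine-server-key";
static const uint8_t SUBSTITUTED_KEY[]    = "constructed-intermediary-key";

/* Scenario: an intermediary swaps in its own key during the exchange. Returns
 * true if the client nevertheless completes the exchange against that key. */
bool relay_goes_unnoticed(bool server_auth_enabled)
{
    uint64_t pinned = server_auth_enabled
        ? key_fingerprint(GENUINE_SERVER_KEY, sizeof GENUINE_SERVER_KEY - 1) : 0;
    handshake_result r = client_handshake(SUBSTITUTED_KEY, sizeof SUBSTITUTED_KEY - 1,
                                          pinned, 0x1234ULL);
    return r.completed;
}

int main(void)
{
    printf("no server authentication: substituted key %s\n",
           relay_goes_unnoticed(false) ? "ACCEPTED, session continues" : "rejected");
    printf("pinned server fingerprint: substituted key %s\n",
           relay_goes_unnoticed(true) ? "accepted" : "REJECTED, handshake aborted");
    return 0;
}
```

The point of the model is the comparison step: without some pre-established knowledge of the server's key (a pin, or a certificate chain to a trusted root) there is nothing for the client to compare the presented key against, which is exactly why an intermediary's substituted key completes the exchange.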

Archived Bugtraq list message - securityfocus.com

* Update fixes remote overflow in QuickTime Player for Windows

Apple's QuickTime Player 5.x and 6.0 for Windows have been discovered vulnerable to a buffer overflow, surrendering the privileges of the user who launched the player. This vulnerability was announced by iDefense whose advisory is linked below. Apple has released QuickTime Player 6.1 for Windows which fixes the problem.

MacOS versions of the player are not vulnerable.

Buffer Overflow in Windows QuickTime Player - idefense.com

Apple QuickTime Player download page - apple.com

* Critical Sendmail vulnerability prompts hasty update

Security researcher Michal Zalewski recently discovered a remotely exploitable buffer overflow in Sendmail which is said to affect all open source and commercial releases of the mail server software. While Sendmail was coordinating patch and update release schedules with many vendors through the CERT Coordination Center, news of the flaw and the source code patch were leaked to public security mailing lists.

Remotely exploitable vulnerabilities in products as extensively deployed as Sendmail are an attention magnet to so-called blackhat hackers. Depending on the system, the Sendmail code suffering the overflow does not necessarily run with root privileges, so some administrators may not be quite as concerned as one may imagine. However, coupled with the recent Linux kernel issue that can allow almost any user to elevate themselves to root (see last week's newsletter), any remote exploit on a Linux machine would be especially attractive to the hacker community. Fuelled further still by the passionate dislike of any suggestion that some researcher or developer did not fully and immediately disclose a security flaw, the suggestion of a behind-the-scenes effort to patch such a hole in Sendmail spurred several people to look at the patch code in an attempt to work out where the problem was and how it could be exploited.

Given all that, the Sendmail developers were effectively forced to release their planned update ahead of schedule. Thus Sendmail Inc and the Sendmail Consortium publicly released an advisory on the last weekend, well before some other affected vendors had a chance to finish their update and delivery planning.

The flaw itself is technically a signedness error: data of one type is recast as another type without appropriate bounds checking. As a result of the unchecked cast of a specific value, a buffer overflow can result a little later in the code. This bug is in address parsing code called from several places in Sendmail, and thus any exploit is message-based, not connection-based. This means Sendmail servers not directly accessible to the Internet are just as vulnerable as Internet-facing ones if messages are relayed to them from Internet-connected SMTP servers.
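To make the bug class concrete, here is an added illustration of a signedness error of the kind described above. It is constructed for this newsletter and is not Sendmail's code: a byte taken off the wire is recast to a signed 8-bit type before its bound is tested, so values with the top bit set read as negative, pass the check, and come back as an out-of-range index that later code would trust. The table size, the sample bytes and the function names are all assumptions of the example; the corrected check beside it compares in the unsigned domain, so every value the wire can carry is tested before it becomes an index.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Size of the table the parsed byte is later used to index (constructed value). */
#define TABLE_SIZE 128

/* Flawed check, modelled on the bug class the advisory describes (an
 * illustration, not Sendmail's code). The recast to int8_t turns 0x80..0xFF
 * into -128..-1; none of those is >= TABLE_SIZE, so they are "accepted". */
bool flawed_check(uint8_t wire_byte, int *index_out)
{
    int8_t len = (int8_t)wire_byte;     /* the unchecked recast */
    if (len >= TABLE_SIZE)              /* never true: an int8_t tops out at 127 */
        return false;
    *index_out = len;                   /* sign-extended to int; may be negative */
    return true;
}

/* Corrected check: test the byte as 0..255 before it becomes an index. */
bool fixed_check(uint8_t wire_byte, int *index_out)
{
    if (wire_byte >= TABLE_SIZE)
        return false;
    *index_out = wire_byte;
    return true;
}

/* True if an index the check let through actually lies inside the table.
 * Later code that used a negative index here would read or write outside it. */
bool index_in_bounds(int index)
{
    return index >= 0 && index < TABLE_SIZE;
}

int main(void)
{
    /* Constructed sample bytes: two ordinary values and two with the top bit set. */
    const uint8_t samples[] = { 0x05, 0x7f, 0x80, 0xff };
    for (size_t i = 0; i < sizeof samples; i++) {
        int idx;
        bool ok = flawed_check(samples[i], &idx);
        printf("flawed: byte 0x%02x -> %s", samples[i], ok ? "accepted" : "rejected");
        if (ok)
            printf(", index %d (%s)", idx, index_in_bounds(idx) ? "in bounds" : "OUT OF BOUNDS");
        printf("\n");
        ok = fixed_check(samples[i], &idx);
        printf("fixed:  byte 0x%02x -> %s\n", samples[i], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The general lesson for reviewers is to look at the type on each side of a comparison: a bound check written against a signed value only guards against overruns in the positive direction, and a cast that happens before the check silently moves half of the input space below zero.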

As well as releasing a new version of Sendmail, 8.12.9, code patches for versions 8.9, 8.10, 8.11, and 8.12 have been produced for users unable or unwilling to update to the 8.12.9 release. Sendmail Inc has updates available for all commercial versions still on support and for Sendmail Switch 2.2 (these pages are linked from the sendmail.org page linked below). Most Unix, Linux and similar OSes (and several others) distribute affected versions of Sendmail and have provided updated packages. If you face coordinating this update for several OSes you may find the CERT Coordination Center advisory a good place to start tracking down availability of updates for your systems.

Sendmail 8.12.9 release notes - sendmail.org

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail - cert.org

* Apache 2.0.45 release fixes two security vulnerabilities

A 'significant Denial of Service vulnerability' and file descriptor leaks that may expose sensitive information to child processes (such as CGI scripts) have been fixed in the latest release of the world's most deployed web server, Apache. Administrators are advised to obtain and install the update as soon as practicable as the details of the denial of service vulnerability are reputedly to be publicly released on 7 April. As well as the two security flaws, several other bugs are fixed in this release and a few minor new features added.

Apache 2.0.45 release notes - apache.org

* Mutt, Balsa updates fix remote buffer overflow vulnerability

A potentially critical severity vulnerability in Mutt's IMAP folder handling code has been fixed. Researchers at CORE Security discovered the flaw and the Mutt developers have released updates, 1.4.1 (stable branch) and 1.5.4 (unstable). Many Unix, Linux and similar distributions include Mutt, and update packages for the more popular ones should be available from the distributors. When announcing its update package, Red Hat noted that Balsa - a GNOME e-mail client that includes code from Mutt - has also been fixed.

Vulnerability in Mutt Mail User Agent - coresecurity.com

Mutt home page - mutt.org

* Red Hat Linux 9 vsftpd does not use tcp_wrappers

A packaging error means that the Red Hat Linux 9 build of vsftpd does not run under tcp_wrappers as it did in previous builds (and as it is documented to). This means that many security configuration restrictions normally applied to the package by tcp_wrappers will not, in fact, be in force on Red Hat 9 boxes running the package. An updated package fixing this has been released. This problem only applies to boxed product intended for the US market - specifically part numbers RHF0120US and RHF0121US, which can be found on the bottom of the box. Versions obtained through any other means were shipped with the errata packages already included, so New Zealand users should not be affected. Given the seriousness of the consequences though, anyone who installed Red Hat Linux 9 from packaged media should probably take the couple of minutes it will take to check...

Updated vsftpd packages re-enable tcp_wrappers support - redhat.com

* 'Evil Bit' IPv4 security flag RFC continues April Fool tradition

Steve Bellovin published RFC 3514, titled 'The Security Flag in the IPv4 Header', on 1 April. As if the date alone were not enough of a hint, the RFC describes a security system that depends entirely on user compliance, thus failing to further the art. It seems however, from the reactions of some early readers of the RFC, that this was not enough of a clue that something was afoot. For your delight and delectation (perhaps while waiting for all those Sendmail, Apache, Mutt, etc patches and updates to download?) we have linked to this latest April Fool RFC.

If you enjoy that one and those downloads are taking longer than you expected, one or more of the following 'joke' (or at least less than serious) RFCs, released on previous 1 April dates, may also take your fancy:

RFC 1149 Standard for the transmission of IP datagrams on avian carriers

RFC 1216 Gigabit Network Economics and Paradigm Shifts

RFC 1217 Memo from the Consortium for Slow Commotion Research (CSCR)

RFC 1313 Today's Programming for KRFC AM 1313 Internet Talk Radio

RFC 1437 The Extension of MIME Content-Types to a New Medium

RFC 1438 Internet Engineering Task Force Statements Of Boredom (SOBs)

RFC 1605 SONET to Sonnet Translation

RFC 1606 A Historical Perspective On The Usage Of IP Version 9

RFC 2321 RITA -- The Reliable Internetwork Troubleshooting Agent

RFC 2323 IETF Identification and Security Guidelines

RFC 2324 Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)

RFC 2549 IP over Avian Carriers with Quality of Service

RFC 2550 Y10K and Beyond

RFC 2551 The Roman Standards Process -- Revision III

RFC 2795 The Infinite Monkey Protocol Suite (IMPS)

RFC 3251 Electricity over IP

RFC 3253 Binary Lexical Octet Ad-hoc Transport

The Security Flag in the IPv4 Header - rfc-editor.org
