IDGNet Virus & Security Watch Monday 24 February 2003


This issue's topics:

Introduction:

* Oracle, Domino, Notes server & client, PHP CGI and OpenSSL updates

Virus News:

* Storm in tea-cup?

Security News:

* Multiple Oracle Database and Application Server fixes

* Lotus Domino & Notes buffer overflows, other vulnerabilities fixed

* Buffer overflow in Lotus Notes client ActiveX control fixed

* Timing attack against SSL/TLS prompts OpenSSL patch; Others affected?

* Critical PHP 4.3.0 CGI vulnerability

* Millions of credit card accounts accessed

Introduction:

The biggest security news of the week was probably the announcement of the theft of credit card details from more than five million card holders. However, the biggest technical security story would be a toss-up between the newly discovered timing attack against SSL/TLS (which has resulted in an update to the very popular OpenSSL implementation of the protocol being posted) or the PHP CGI module flaw. Both are likely to affect a large number of web sites.

Other than that, Lotus Notes and Domino server administrators and Notes client systems administrators will have a busy patching period ahead as these products have all been found to have several serious security flaws, including remote code execution ones, for which IBM has now posted patches. Oracle Database and Application Server administrators will also be busy patching, as multiple versions of those products have also been shown to contain multiple remote code execution vulnerabilities.

It was a very quiet week on the virus front, with no new beasties worthy of our concern. We have included a story questioning some security experts' claims to have had early knowledge of SQLSlammer's outbreak.

Virus News:

* Storm in tea-cup?

An article in Wired has called into question when antivirus and computer security developer Symantec learnt of SQLSlammer. A marketing spiel intended to raise awareness of Symantec's DeepSight Threat Management System claimed that DeepSight customers received 'timely alerts' about SQLSlammer 'hours before it began rapidly propagating'. Wired has altered the article since its appearance (apparently not realizing that 'approximately 9 p.m. PST on Friday, Jan. 24' is much the same time as 'shortly after midnight EST on Saturday, Jan. 25th', especially when the speaker of the first time is a marketing or public relations staffer trying to talk up their company's products).

Given the times match, rather than differ, they are hardly evidence that Symantec's paying DeepSight customers received a heads up from the security company 'hours' before its competitors knew of the worm. Further, as several technical experts have attested, and as reported in earlier coverage of the event in this newsletter, SQLSlammer was not only capable of infecting but apparently did infect most vulnerable machines on the whole Internet in well under an hour, with several analyses suggesting that it hit 50-90% of all possible victims within less than 15 minutes of its release.

Not uncharacteristically, The Register picked up on these anomalies and poked a bit of borax at the situation too...

What Symantec Knew But Didn't Say - wired.com

Symantec PR bunnies score Slammer own goal - theregister.co.uk

Security News:

* Multiple Oracle Database and Application Server fixes

Five vulnerabilities affecting one or more of Oracle9i Database (Rel. 1 and 2), Oracle8i Database v 8.1.7, Oracle8 Database v 8.0.6, Oracle9i Application Server (Rel. 9.0.2 and 9.0.3) have been described by NGSSoftware security researchers. The effects of exploiting these vulnerabilities vary, ranging from denial of service through unauthorized data access and modification to the execution of arbitrary code with the privileges of the exploited service. Three of the vulnerabilities can be exploited without authenticating to the server and all can be remotely exploited, depending on a vulnerable server's network exposure. These should be considered of critical severity.

Oracle has released patches for all these vulnerabilities for all affected platforms. Affected users will probably want more details on each vulnerability and fix - these are individually linked from the CERT Coordination Center advisory linked below.

CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

* Lotus Domino & Notes buffer overflows, other vulnerabilities fixed

NGSSoftware security researchers have discovered remotely exploitable buffer overflows in Lotus Domino 6.0 and Lotus Notes. Exploitation of both overflows can allow arbitrary code to run in the security context of the Domino server service. These are critical vulnerabilities and should be patched (at least on Internet-facing Domino and Notes servers) as soon as practicable.

The same researchers have also reported two denial of service attacks against the web services of Lotus Domino. The severity of denial of service attacks is debatable, but the NGSSoftware folk rate these as critical, which may now be realistic for Internet-facing vulnerable machines as the NGSSoftware advisory describing the attacks supplies sample exploits.

IBM has included the fixes for these vulnerabilities in the recently shipped Domino Release 6.0.1.

Lotus Domino Web Server Buffer Overflow - NGSSoftware Security Advisory

Lotus Domino Web Server iNotes Overflow - NGSSoftware Security Advisory

Lotus Domino Denial Of Service Attacks - NGSSoftware Security Advisory

Domino Incremental Installer files (Domino Server) - lotus.com

* Buffer overflow in Lotus Notes client ActiveX control fixed

NGSSoftware researchers have obviously been quite busy - they also announced a buffer overflow vulnerability in the Lotus Notes Client ActiveX control. If exploited, this vulnerability can allow arbitrary code of the attacker's choice to run in the security context of the user who launched the browser session invoking the ActiveX control. As it is generally trivial for a remote attacker to determine a potential victim's 'corporate standard' e-mail client, this should be considered a critical vulnerability if the affected component is deployed in your organization.

IBM has released an update to address this.

Lotus iNotes Client ActiveX Control Buffer Overrun - NGSSoftware Security Advisory

Notes Incremental Installer files (Notes client) - lotus.com

* Timing attack against SSL/TLS prompts OpenSSL patch; Others affected?

Researchers at LASEC (the Security and Cryptography Laboratory) at L'Ecole Polytechnique Federale de Lausanne (EPFL; the Swiss Federal Institute of Technology at Lausanne) have discovered a weakness in some SSL/TLS implementations that may significantly ease the cracking of certain types of encrypted data sent over such links. The nature of the vulnerability is such that although the early research only confirms the viability of such an attack against a specific, but very widely deployed implementation of SSL/TLS, it is likely that many other implementations will eventually prove to be similarly vulnerable.

The attack itself is of the form generally known as a timing attack. In this case, if a 'man-in-the-middle' attack can be arranged, packets from a client to a server 'safely' encrypted via SSL can be intercepted, altered, the altered packets sent to the server and the delay in the error response noted. If this sequence is repeated several times, carefully altering different parts of the intercepted packet before sending it to the server, analysis of the pattern of delays in the error messages sent back by the server can be used to crack the contents of the client packets. This timing attack works because different kinds of errors typically require different amounts of CPU processing (and thus time) before the error conditions of interest are reached. This allows an attacker to separate 'decryption errors' from 'bad_mac errors' (read the paper linked below for the gory details).

Of course, this requires that the same information be sent repeatedly, somewhat limiting the usefulness of the attack. E-mail clients and web page logins are situations where the same data (the password) is commonly sent fairly regularly from a client to a server. A proof of concept attack against an SSL-secured Outlook connection to an IMAP server succeeded in less than an hour (the fact that, by default, Outlook checks for updates every five minutes and has to authenticate for each folder certainly helps in this case, with that combination providing many encrypted transfers of the same username and password data in a relatively short time).

Although several implementations of SSL/TLS are likely to be vulnerable to this kind of attack against their encryption assurances, the OpenSSL implementation (probably the single most-widely used by far) has been updated to overcome this problem. Aside from linking to a technical memo at EPFL that outlines the vulnerability, the OpenSSL security advisory describing suitable remedies for OpenSSL code is also linked below. Note that OpenSSL 0.9.6i and 0.9.7a are (arguably) not vulnerable to such an attack, but earlier versions are. The preferred OpenSSL fix is to upgrade to 0.9.7a, but if that is not possible OpenSSL has released a source code patch that applies to 0.9.6e and later. Expect to see updated OpenSSL packages from your distributors soon.

Also note that many third-party products incorporate OpenSSL code to provide their SSL/TLS functionality. Most of these will also require updating.
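As an added illustration of the distinction between 'decryption errors' and 'bad_mac errors' that the story above turns on (this is example code written for this summary, not OpenSSL's code and not the EPFL researchers' code): the first record-checking routine below rejects bad padding before doing any MAC work, so the two kinds of failure cost different amounts of CPU time and produce different alerts; the second always computes the MAC and reports a single generic error, which is the style of remedy the OpenSSL advisory adopts. The record layout is a simplified MAC-then-pad format assumed for the example, the block cipher step is left out because only the post-decryption check matters here, and a call counter stands in for wall-clock timing so the difference is reproducible.

```python
import hashlib
import hmac

BLOCK = 16      # block size (bytes) of the cipher assumed for this example
MAC_LEN = 32    # HMAC-SHA256 digest length

# Instrumentation for the example: counts MAC computations so the test can
# show deterministically which routine does different work on different errors.
mac_calls = 0


def compute_mac(key: bytes, data: bytes) -> bytes:
    global mac_calls
    mac_calls += 1
    return hmac.new(key, data, hashlib.sha256).digest()


def build_record(key: bytes, payload: bytes) -> bytes:
    """MAC-then-pad layout (assumed): payload || MAC || padding || pad_len,
    where every padding byte, including the length byte, equals pad_len."""
    body = payload + compute_mac(key, payload)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def strip_padding(record: bytes):
    """Return (body, padding_ok). Checks length, then every padding byte."""
    if not record or len(record) % BLOCK:
        return b"", False
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return b"", False
    pad = record[-(pad_len + 1):]
    return record[:-(pad_len + 1)], pad == bytes([pad_len]) * (pad_len + 1)


def check_record_leaky(key: bytes, record: bytes) -> str:
    """Early-return style: bad padding is rejected before any MAC work,
    so a padding error is both faster and reported differently from a
    MAC error. This is the behaviour the timing attack distinguishes."""
    body, ok = strip_padding(record)
    if not ok:
        return "decryption_failed"          # cheap path, distinct alert
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if compute_mac(key, payload) != tag:
        return "bad_record_mac"             # expensive path, distinct alert
    return "ok"


def check_record_uniform(key: bytes, record: bytes) -> str:
    """Hardened style: the MAC is always computed, the comparison is
    constant-time, and both failures collapse into one generic error."""
    body, ok = strip_padding(record)
    if not ok:
        # Pretend the padding was a single length byte so the MAC is still
        # computed over data of comparable size; the result is discarded.
        body = record[:-1]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(compute_mac(key, payload), tag)
    return "ok" if (ok and mac_ok) else "bad_record_mac"


def mac_work(check, key: bytes, record: bytes) -> int:
    """Number of MAC computations `check` performs on `record`."""
    global mac_calls
    mac_calls = 0
    check(key, record)
    return mac_calls


if __name__ == "__main__":
    key = b"k" * 32                                  # constructed sample key
    good = build_record(key, b"user:password")       # constructed sample record
    bad_pad = good[:-1] + b"\xff"                    # invalid padding length
    bad_mac = good[:20] + bytes([good[20] ^ 1]) + good[21:]   # corrupted MAC
    for name, rec in (("good", good), ("bad_pad", bad_pad), ("bad_mac", bad_mac)):
        print(name, check_record_leaky(key, rec), mac_work(check_record_leaky, key, rec),
              check_record_uniform(key, rec), mac_work(check_record_uniform, key, rec))
```

Run stand-alone, the leaky routine does no MAC work on a padding error but one MAC on a MAC error, and names the two cases differently; the uniform routine does one MAC in every case and answers with the same error. Note that this equalises the error path only: the MAC is still computed over a length that depends on the padding byte, so smaller residual timing differences remain, which is why the OpenSSL advisory describes its change as a remedy for this attack rather than a complete constant-time implementation.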

(Although not IT security-related, a side-note to this story which may be of interest to our mainly New Zealand readership, EPFL is home to the scientific and materials advisors to the Alinghi challenge for the America's Cup.)

Password Interception in a SSL/TLS Channel - epfl.ch

Timing-based attacks on SSL/TLS with CBC encryption - openssl.org

* Critical PHP 4.3.0 CGI vulnerability

For security reasons, the CGI SAPI of PHP contains code to prevent direct access to its own binary. However, a bug in the PHP 4.3.0 version CGI SAPI renders the php.ini 'cgi.force_redirect' option and the configure option '--enable-force-cgi-redirect' useless. All sites running this version of the PHP CGI module should update immediately to the latest release, 4.3.1, as detailed in the security advisory linked below.

Web servers running the vulnerable version of the PHP CGI module are open to malicious browsers reading the contents of any files accessible to the user under which the server runs. Further, remote script injection into files readable by the CGI is also possible, raising the spectre of remote arbitrary code execution on the server.

CGI vulnerability in PHP version 4.3.0 - php.net

* Millions of credit card accounts accessed

Credit card details of more than five (or six or eight, depending which report you read) million card-holders have been 'stolen' from a US company that processes card transactions for other merchants.

Visa and MasterCard, many of whose customers were among those affected, claim that (so far) no fraudulent use is known to have been made of the illegally obtained information. Details of the method used by the thief are not being described by the companies involved nor by the FBI, but the theft has widely been described as due to a hacker breaching security at the processing company. It is not clear whether this involved hacking across a public network such as the Internet or was something of an 'inside job'.

Hacker hits up to 8M credit cards - cnn.com

Credit card database hacked - bbc.co.uk
