
INTERNET RISK UPDATE for 06-26-2002
ISS X-Force Internet Threat Intelligence Center

www.iss.net - Click on the AlertCon logo for more information.

********************************************
ALERTCON 3
Projected:  AlertCon 3
********************************************

ALERTCON 3 - We are at AlertCon 3 due to the newly released 
OpenSSH vulnerability coupled with the existing Apache vulnerability. 
 
VULNERABILITIES: 

OpenSSH Remote Challenge Vulnerability

Synopsis:

ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
free version of the SSH (Secure Shell) communications suite and is used
as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
Ftp. OpenSSH employs end-to-end encryption (including all passwords) and 
is resistant to network monitoring, eavesdropping, and connection
hijacking attacks. X-Force is aware of active exploit development for
this vulnerability.

Impact:

OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.

Affected Versions:

OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3

OpenSSH version 3.3 implements "privilege separation" which mitigates
the risk of a superuser compromise. Prior to the release of this
advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
version 3.3. Versions of FreeBSD-Current built between March 18, 2002
and June 23, 2002 are vulnerable to remote superuser compromise.
Privilege separation was implemented in FreeBSD-Current on June 23,
2002.

Note: OpenSSH is included in many operating system distributions,
networking equipment, and security appliances. Refer to the following
address for information about vendors that implement OpenSSH:
http://www.openssh.com/users.html 

Description:

A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 
protocol, verifies a user's identity by generating a challenge and
forcing the user to supply a number of responses. It is possible for a
remote attacker to send a specially-crafted reply that triggers an
overflow. This can result in a remote denial of service attack on the
OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
with superuser privilege, so remote attackers can gain superuser access
by exploiting this vulnerability.

OpenSSH supports the SKEY and BSD_AUTH authentication options. These are 
compile-time options. At least one of these options must be enabled
before the OpenSSH binaries are compiled for the vulnerable condition to 
be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.  
The SKEY and BSD_AUTH options are not enabled by default in many 
distributions. However, if these options are explicitly enabled, that 
build of OpenSSH may be vulnerable.


VIRUSES/WORMS: 

BAT_WCUP.A - This destructive batch file worm deletes antivirus software 
program files, and overwrites batch (.BAT) files in the Root and Windows 
directories, and overwrites the SYSTEM.INI and WIN.INI files of Windows. 
It propagates via Microsoft Outlook, and arrives in an email message with 
the following:

Subject: WorldCup News!
Message Body: read me for more world cup news!
Attachment: WorldCup.BAT

********************************************
RECOMMENDATIONS
********************************************

Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning,
to detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
available from the ISS Download Center at: http://www.iss.net/download.
For questions about downloading and installing this XPU, email
[EMAIL PROTECTED]

ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability by
disabling the Challenge-Response authentication parameter in the OpenSSH
daemon configuration file, whose path is typically /etc/ssh/sshd_config.
To disable this parameter, locate the corresponding line and change it to
the line below:

ChallengeResponseAuthentication no

The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability. X-Force
recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a
patch to block this vulnerability, and contains many additional
proactive security fixes. Privilege separation was designed to limit
exposure to known and unknown vulnerabilities. Visit
http://www.openssh.com for more information.
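As an added example (not part of the ISS advisory), the following POSIX shell
script audits an sshd_config file for the ChallengeResponseAuthentication
workaround described above and classifies an OpenSSH version string against
the advisory's affected range of 3.0 through 3.2.3. The sample configuration
files it writes and the function names are this example's own. It cannot tell
whether the binary was compiled with SKEY or BSD_AUTH, which the advisory
states is required for the vulnerable condition, so treat its output as a
configuration check rather than a definitive vulnerability verdict.

```shell
#!/bin/sh
# Added example, not from the ISS advisory: audit sshd_config for the
# ChallengeResponseAuthentication workaround and classify an OpenSSH version
# string against the advisory's affected range (3.0 through 3.2.3).
# Function names and the sample configs below are this example's own.

# Print the effective value of ChallengeResponseAuthentication in the given
# sshd_config. sshd ignores comment lines and honours the first occurrence of
# a keyword; if the keyword is absent the compiled-in default applies, which
# for the affected releases is "yes".
effective_cra() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "challengeresponseauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Succeed (exit 0) when challenge-response authentication is still enabled,
# i.e. the workaround has NOT been applied.
cra_enabled() {
    [ "$(effective_cra "$1")" != "no" ]
}

# Succeed when an OpenSSH version string such as "3.2.2p1" lies within the
# advisory's affected range 3.0 - 3.2.3. Portable-release suffixes ("p1")
# are stripped; a bare "3" is treated as "3.0".
version_affected() {
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    case "$v" in *.*) ;; *) v="$v.0" ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=0
    case "$rest" in *.*) patch=${rest#*.} ;; esac
    [ "$major" -eq 3 ] || return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -eq 2 ] && [ "$patch" -le 3 ] && return 0
    return 1
}

# Print one audit line for a config file and a version string.
audit() {
    if cra_enabled "$1"; then cra="ENABLED (workaround not applied)"; else cra="disabled"; fi
    if version_affected "$2"; then ver="in affected range"; else ver="outside affected range"; fi
    printf '%s: ChallengeResponseAuthentication %s; OpenSSH %s %s\n' "$1" "$cra" "$2" "$ver"
}

# Constructed sample configs: one with the directive commented out (so the
# default "yes" applies) and one carrying the advisory's workaround line.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.before" <<'EOF'
# constructed sample: workaround not applied
Port 22
#ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
cat > "$demo_dir/sshd_config.after" <<'EOF'
# constructed sample: workaround applied
Port 22
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

audit "$demo_dir/sshd_config.before" "3.2.2p1"
audit "$demo_dir/sshd_config.after"  "3.4p1"
```

On a real host, point `audit` at /etc/ssh/sshd_config and the version printed
by `ssh -V`. A commented-out directive counts as "enabled" because sshd falls
back to its default, and as the advisory notes, the running sshd must be
restarted before an edited configuration takes effect.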


For a list of current vulnerabilities, please see:
https://gtoc.iss.net/vulnerabilities.php

For information on the current Virus/Worm of the day, please refer to:   
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BAT_WCUP.A>


Information regarding other viruses and worms please see:
https://gtoc.iss.net/viruses.php

********************************************

FACTOID:  Nearly half of IT professionals believe that the U.S. government
will be hit with a "major cyberattack" in the next 12 months, according to
a survey conducted for the Business Software Alliance. BSA President Richard
Holleyman, announcing the survey results at an e-government conference, said
an attack could range from a discrete attempt to get at a select group of
highly sensitive data to a broad-ranging attack on multiple systems,
according to C|NET News.

********************************************
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
Day, % of total
********************************************

Protocol Violation                       30.90%       
Suspicious Activity                      30.07%        
Unauthorized Access Attempt              18.89%       
Denial Of Service                        11.73%       
Pre-Attack Probe                         08.39%         
Back Door                                00.03%

********************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at) 
http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html   
********************************************

80       (http)              63.20%
25       (smtp)              13.05%
23       (telnet)            08.27%
69       (tftp)              05.64%
21       (ftp)               03.03%
161      (SNMP)              02.22%
162      (SNMPTrap)          01.42%
22       (ssh)               01.40%
139      (NetBIOS)           00.94%
1221     (sweetware-apps)    00.84%

********************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER 
********************************************

Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
and professional liaison. Other sources as noted. AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks experienced by all
networks. AlertCon 2 means increased vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means increased attacks
against specific targets or vulnerabilities on a scale that is
unusually high, action required. AlertCon 4 reflects an Internet
emergency for a target or group of targets whose business continuity
may depend on some sort of immediate, decisive action. All summaries
cover 24 hours the previous workday, GMT. Monday summaries may cover
some weekend activity. 

Copyright 2002 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Risk electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED]

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.

Patrick Gray
Manager, X-Force
Internet Threat Intelligence Center
6303 Barfield Road
Atlanta, GA 30328

www.iss.net

INTERNET | SECURITY | SYSTEMS

The Power To Protect

