Overview of the October 2013 Microsoft patches and their status.

Columns: # / Affected / Contra Indications - KB / Known Exploits / Microsoft rating (**) / ISC rating (*) for clients and servers

MS13-080  Cumulative Security Update for Internet Explorer (Replaces MS13-069)
  Affected: Internet Explorer
  Contra Indications - KB: CVE-2013-3897, KB 2879017
  Known Exploits: Yes
  Microsoft rating: Severity: Critical, Exploitability: 1
  ISC rating: clients PATCH NOW!, servers Critical

MS13-081  Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Replaces MS13-076, MS13-078, MS13-054, MS13-046)
  Affected: Kernel Mode Drivers (OpenType Font Parsing and others)
  Contra Indications - KB: CVE-2013-3894, KB 2870008
  Known Exploits: No
  Microsoft rating: Severity: Critical, Exploitability: 1,2
  ISC rating: clients Critical, servers Important

MS13-082  Vulnerabilities in .NET Framework Could Allow Remote Code Execution (Replaces MS13-040, MS11-100, MS13-052)
  Affected: Microsoft .NET Framework (OpenType font)
  Contra Indications - KB: CVE-2013-3861, KB 2878890
  Known Exploits: CVE-2013-3861 was publicly disclosed.
  Microsoft rating: Severity: Critical, Exploitability: 1,2,3
  ISC rating: clients Critical, servers Important

MS13-083  Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (Replaces MS10-081)
  Affected: Windows Common Control Library (64-bit versions only), DSA_InsertItem function used in web apps
  Contra Indications - KB: CVE-2013-3195, KB 2864058
  Known Exploits: No
  Microsoft rating: Severity: Critical, Exploitability: 1
  ISC rating: clients N/A, servers Critical

MS13-084  Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (Replaces MS13-067)
  Affected: SharePoint
  Contra Indications - KB: CVE-2013-3895, KB 2885089
  Known Exploits: No
  Microsoft rating: Severity: Important, Exploitability: 3,2
  ISC rating: clients N/A, servers Critical

MS13-085  Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-072)
  Affected: Excel
  Contra Indications - KB: CVE-2013-3890, KB 2885080
  Known Exploits: No
  Microsoft rating: Severity: Important, Exploitability: 1,2,3
  ISC rating: clients Critical, servers Less Urgent

MS13-086  Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Replaces MS13-072)
  Affected: Word
  Contra Indications - KB: CVE-2013-3892, KB 2885084
  Known Exploits: No
  Microsoft rating: Severity: Important, Exploitability: 1,3
  ISC rating: clients Critical, servers Less Urgent

MS13-087  Vulnerability in Silverlight Could Allow Information Disclosure (Replaces MS13-052)
  Affected: Silverlight
  Contra Indications - KB: CVE-2013-3896, KB 2890788
  Known Exploits: No
  Microsoft rating: Severity: Important, Exploitability: 3
  ISC rating: clients Important, servers Less Urgent

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.
The home page of antivirus company Avira has been defaced, likely by altering the DNS zone for avira.com. Currently, avira.com uses the following NS records:

$ dig +short avira.com NS
ns2.radioum.com.br.
n1.ezmail.com.br.
ns1.radioum.com.br.
n2.ezmail.com.br.
$ dig +short A avira.com
188.8.131.52
Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates.
According to domaintools.com, the last address for avira.com was 184.108.40.206, and that address still appears to host Avira's site. A cached whois record from a couple of days ago lists these DNS servers for avira.com:

NS1.AVIRA-NS.NET
NS2.AVIRA-NS.DE 220.127.116.11
NS3.AVIRA-NS.NET
NS4.AVIRA-NS.DE 18.104.22.168

The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more widespread issue with Network Solutions. I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far. Partial screenshot of the site:
Our reader Stuart sent us a screenshot with a similar defacement of antivirus vendor AVG (avg.com), but the site appears to be back to normal now. I can't tell if that defacement was DNS related or not. Instant messaging software maker WhatsApp was apparently a third victim of this attack.
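The check that catches this kind of hijack is to compare a domain's live delegation against a known-good baseline and alert on drift. The following is an added example, not ISC or Avira code: the "observed" values are constructed to mirror the dig output quoted above, the baseline is taken from the cached whois record, and the list of name-server suffixes Avira is assumed to control is a guess for illustration.

```python
"""Compare a domain's live delegation with a known-good baseline, the check
that would have caught the avira.com NS swap. Added example, not ISC or
Avira code. Feed it real data from `dig +short <domain> NS` and
`dig +short <domain> A`."""

def parse_dig_short(text):
    """Turn `dig +short` output into a set of normalised records
    (lower case, no trailing dot, blank lines dropped)."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines() if ln.strip()}

def in_namespace(host, trusted_suffixes):
    """True if host is one of, or lives under, a suffix the operator controls."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def check_delegation(ns_out, a_out, baseline_ns, baseline_a, trusted_suffixes):
    """Return a list of findings; an empty list means the delegation matches."""
    ns, a = parse_dig_short(ns_out), parse_dig_short(a_out)
    base_ns = parse_dig_short("\n".join(baseline_ns))
    base_a = parse_dig_short("\n".join(baseline_a))
    findings = []
    added, removed = ns - base_ns, base_ns - ns
    if added or removed:
        findings.append("NS set changed: added %s, removed %s" % (sorted(added), sorted(removed)))
    # An NS host in someone else's namespace is the loudest hijack signal
    foreign = sorted(h for h in ns if not in_namespace(h, trusted_suffixes))
    if foreign:
        findings.append("NS hosts outside the operator's namespace: %s" % foreign)
    if a != base_a:
        findings.append("A record changed: %s (baseline %s)" % (sorted(a), sorted(base_a)))
    return findings

# Constructed to mirror the dig output in the diary
OBSERVED_NS = """\
ns2.radioum.com.br.
n1.ezmail.com.br.
ns1.radioum.com.br.
n2.ezmail.com.br.
"""
OBSERVED_A = "188.8.131.52\n"
# Baseline from the cached whois record; trusted suffixes are an assumption
BASELINE_NS = ["NS1.AVIRA-NS.NET", "NS2.AVIRA-NS.DE", "NS3.AVIRA-NS.NET", "NS4.AVIRA-NS.DE"]
BASELINE_A = ["184.108.40.206"]
TRUSTED = ("avira-ns.net", "avira-ns.de", "avira.com")

if __name__ == "__main__":
    for finding in check_delegation(OBSERVED_NS, OBSERVED_A, BASELINE_NS, BASELINE_A, TRUSTED):
        print("ALERT:", finding)
```

Two caveats when running this for real: `dig +short` asks your recursive resolver, which may hand back cached records, so for the authoritative view ask the parent zone's servers directly (for a .com name, `dig @a.gtld-servers.net example.com NS +norecurse`); and the same change that swaps NS records can also swap MX records, so baseline and compare those too.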
ISC StormCast for Tuesday, October 8th 2013 http://isc.sans.edu/podcastdetail.html?id=3587, (Tue, Oct 8th)
Another interesting twist: once they detected that their packets were being dropped, they fragmented the packets in an attempt to circumvent the firewall/IPS in place.
If you see similar, please let us know. I'd be interested to compare the samples. In the meantime, these requests will be fairly obvious in your web logs, so they should be easy enough to pick out.
Mark(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
GnuPG 2.0.22 has been released; it contains a security fix and all users are advised to update to this version. More here --> http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html, (Mon, Oct 7th)
ISC StormCast for Monday, October 7th 2013 http://isc.sans.edu/podcastdetail.html?id=3584, (Mon, Oct 7th)
CSAM Week 1 Recap
We kicked off the tenth annual Cybersecurity Awareness Month with the official theme of 'Shared Responsibility'. We all succeed by furthering the education and awareness of the community we live in as a whole, not just the technical folks. Adrien talked earlier this week about how we at the Internet Storm Center are all about logs, and the basis for much of our work has always been the DShield project. The DShield database is provided by everyone who contributes, thus supporting the efforts of the ISC.
The other half of the equation for the 'Shared Responsibility' of the Internet Storm Center is the Handlers. The Handlers of the ISC are all volunteers, with day jobs taking up the other half of our brains not committed here. Of course the ISC is not the only volunteer opportunity where we as security professionals can actively engage to bring our expertise and experience together and share it amongst ourselves and others. One that comes to mind, active in many areas across the globe, is the Information Systems Security Association.
Where else can we help? Submit your comments to us below, and help spread the word!
Tony d0t Carothers --gmail(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
'UPDATE:' We are receiving reports that notifications are being sent out. Thank you to the readers that posted some examples. It seems that the notifications are targeted towards certain services. It goes without saying, but we shall say it 'anyways': we recommend changing any Adobe passwords. It reminds me of another life as a Submarine Hunter. If you recall the World War II movies well enough you can imagine when the Sub captain says "Send up the oil slick and debris" ... Then the Destroyer Captain: "Ah... we got 'em, look at that!"
Even if I'm 'SURE' I got it all, I'm never 100% positive and always suspicious. It makes me wonder how bad this will impact (to quote Mr Mike Poor) "The Intertubes" as Flash is EVERYWHERE :)
------ Initial Post ------
A few of us have noticed that there have been no eNotifications from Adobe for account resets or any sort of direct notice. Have any of our readers had 'any' sort of notice/notification or resets sent?
--- ISC Handler on Duty
--- Twitter @packetalien --- Blog: packetalien.com (opinionated and blunt mixed with hard science)(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Today's log comes from web hosting control panel software, the popular cPanel.
While there are a couple of exploits for the control panel itself, today we will analyze a portion of a log generated by CSF.
CSF is the ConfigServer Firewall plugin for cPanel. It basically works like a log checker for the different daemons on the system, watching the logs of services like SSH, SMTP, FTP, etc.
Once it identifies possible malicious behavior, it can take actions such as blocking the offending IP. The log we received today is below:
lfd: blocked 22.214.171.124 (CN/China/-)
Time: Fri Oct 4 02:59:09 2013 -0400
IP: 126.96.36.199 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
2013-10-04 02:58:54 courier_login authenticator failed for (pc07) [188.8.131.52]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:55 courier_login authenticator failed for (pc07) [184.108.40.206]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:58 courier_login authenticator failed for (pc07) [220.127.116.11]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:00 courier_login authenticator failed for (pc07) [18.104.22.168]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:03 courier_login authenticator failed for (pc07) [22.214.171.124]:2622: 535 Incorrect authentication data (set_id=xedofghj)
Basically what it says is that this IP address, 126.96.36.199, was blocked because it had 5 invalid logins in less than 5 minutes (300 seconds).
Let's break the log message down to understand it better. The first part is the description of the event:
lfd: blocked 188.8.131.52 (CN/China/-)
Time: Fri Oct 4 02:59:09 2013 -0400
IP: 184.108.40.206 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
This shows that the IP 220.127.116.11, which according to geolocation belongs to China, had 5 failed login attempts. The service targeted is SMTP AUTH, which provides authentication to the SMTP service (email); a working username and password here gives the attacker an authenticated relay for spam.
The time threshold set in this case is 300 seconds, and the action is to block.
This can be modified at:
Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> Login Failure Blocking and Alerts
If you disable it, remember that you will be unable to detect brute-force attempts against your system, so you may want to fine-tune the threshold and interval before thinking about disabling it.
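The same "N failures from one address inside an interval" rule can be re-run over raw courier_login lines, which is handy for checking a threshold before changing it, or for hosts without lfd. This is an added example, not CSF/lfd code; the log lines are constructed in the format shown above, using RFC 5737 documentation addresses (192.0.2.x) in place of the real client IP, and the 5/300 defaults mirror the LF_SMTPAUTH and LF_INTERVAL settings in csf.conf.

```python
"""Re-implement lfd's failure-count check: `threshold` SMTP AUTH failures
from one IP inside `interval` seconds -> block. Added example, not CSF/lfd
code. Sample log lines are constructed (192.0.2.0/24 is documentation space)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# courier_login failure line as logged by exim on a cPanel host; the
# regex keys on the bracketed client address and the attempted user.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) courier_login authenticator failed "
    r"for \((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication "
    r"data \(set_id=(?P<user>[^)]*)\)$"
)

def parse_failure(line):
    """Return {ts, ip, user} for a courier_login failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "user": m["user"]}

def find_blocks(lines, threshold=5, interval=300):
    """Return [(ip, trigger_time, users_tried)] for every IP that reaches
    `threshold` failures within a sliding window of `interval` seconds.
    Each IP is reported once, at the failure that crossed the threshold."""
    window = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)
    blocked, already = [], set()
    for line in lines:
        ev = parse_failure(line)
        if ev is None or ev["ip"] in already:
            continue
        q = window[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        # expire failures older than the interval relative to the newest one
        while (q[-1] - q[0]).total_seconds() > interval:
            q.popleft()
        if len(q) >= threshold:
            blocked.append((ev["ip"], ev["ts"], sorted(users[ev["ip"]])))
            already.add(ev["ip"])
    return blocked

# Constructed sample: one host hammering a single account, a second host
# with two failures too far apart to matter at the default interval.
SAMPLE_LOG = """\
2013-10-04 02:58:54 courier_login authenticator failed for (pc07) [192.0.2.10]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:55 courier_login authenticator failed for (pc07) [192.0.2.10]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:58:58 courier_login authenticator failed for (pc07) [192.0.2.10]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:00 courier_login authenticator failed for (pc07) [192.0.2.10]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 02:59:01 courier_login authenticator failed for (mail) [192.0.2.77]:4100: 535 Incorrect authentication data (set_id=admin)
2013-10-04 02:59:03 courier_login authenticator failed for (pc07) [192.0.2.10]:2622: 535 Incorrect authentication data (set_id=xedofghj)
2013-10-04 03:10:00 courier_login authenticator failed for (mail) [192.0.2.77]:4101: 535 Incorrect authentication data (set_id=admin)
""".splitlines()

if __name__ == "__main__":
    for ip, when, who in find_blocks(SAMPLE_LOG):
        print("lfd-style block: %s at %s (smtpauth, users tried: %s)" % (ip, when, who))
```

Run it over a day of exim logs with a lower threshold or a longer interval to see which slow, distributed guessers the default 5-in-300-seconds rule lets through; that is the tuning question to settle before touching the setting in the firewall configuration.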
Btw, do you recognize this IP as a bad offender?
Pedro Bueno (pbueno /%%/ isc. sans. org)
If You Have Been a Victim of Cryptolocker Ransomware, Please Directly Contact John Bambenek at email@example.com, (Fri, Oct 4th)
bambenek \at\ gmail /dot/ com
You have probably seen by now the stories about Adobe being breached, customer data being exposed and source code leaked. Excellent work by Brian Krebs in uncovering this breach; he has a great write-up about it here: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
But what does this mean for you? Does this affect you as an Adobe customer? Here are a couple of questions that keep coming up.
1 - How did they get in?
It appears a vulnerability in ColdFusion was used to breach an Adobe site used for payment processing. The group that breached Adobe apparently used ColdFusion exploits as one of their favorite tools to breach sites. Again, see Brian's excellent work above for more details.
2 - I am a Coldfusion user. Should I worry?
3 - How do I protect myself as a Coldfusion user?
Make sure you are patched. ColdFusion had some significant vulnerabilities that were patched a few months ago (in particular the patches released around May). If you haven't patched those problems yet, then you should probably call this an "incident". But then again, Incident Response is so much more exciting than operations.
4 - Should I change hosting platforms from ColdFusion to something else?
Probably not. It is a ton of work to switch platforms. This time and effort is better spent shoring up your existing infrastructure. What controls do you have in place to detect a breach? How many Coldfusion servers do you have? How are they patched? Do you store confidential information on those servers that you don't really need on those servers?
5 - Do I need to change my passwords?
No. Adobe already changed your password on Adobe's site. If you are still using the same password on multiple sites: You are doing it wrong. Changing your password will help you as little as changing underwear if you don't clean it between uses.
6 - Do I need to worry about my credit card if I used it with Adobe?
You should always worry about your credit card. But for the most part, this is your bank's problem. Relax, watch your statements, get a new card if you see odd charges or if your bank notifies you. You used a Debit Card online? Brave! You probably also don't like seatbelts and eat supermarket puffer fish sushi.
ISC StormCast for Friday, October 4th 2013 http://isc.sans.edu/podcastdetail.html?id=3581, (Fri, Oct 4th)
So far, we have pre-announcements from Microsoft and Adobe.
Microsoft promises 8 bulletins, split evenly between critical and important. The critical bulletins affect Windows, Internet Explorer and the .Net framework, while the important bulletins affect Office and Silverlight.
So this sounds like an average, very client heavy patch Tuesday. On the server end, only Sharepoint server (again) and Office Server are affected.
Important: The cumulative IE update included will include a patch for CVE-2013-3893, the currently un-patched but exploited vulnerability in Internet Explorer. This bulletin should be applied as soon as possible once released.
For details, see http://technet.microsoft.com/en-us/security/bulletin/ms13-oct
Adobe pre-announced only one patch for Acrobat and PDF Reader. For details see http://blogs.adobe.com/psirt/2013/10/prenotification-upcoming-security-updates-for-adobe-reader-and-acrobat-apsb13-25.html
Today's logs come from a honeypot. The fun part about honeypots is that you don't have to worry about filtering out "normal" logs. Usually I check the honeypot for anything new and interesting first, then look on my real web server to figure out if I see similar attacks. On the real web server, these attacks would otherwise drown in the noise.

SSL Connection to a web server not supporting SSL

Invalid method in request \x80w\x01\x03\x01

The first few bytes of the request are interpreted as the method of the request. If SSL is used by the client, but the server "doesn't get it", then the server will just log the first few bytes of the SSL message. In this case, this was \x80w\x01\x03\x01: an SSLv2-style record header (0x80, length 0x77) followed by a CLIENT-HELLO message type (0x01) offering TLS 1.0 (version bytes 0x03 0x01).

Odd URLs

File does not exist: /var/www/HNAP1

Frequently you will find attack scripts that try to "hunt" for a particular vulnerability, whether or not you even have the application installed. This is in part behind our 404 project. Above, the attacker looked for "HNAP1", which appears to be vulnerable in some routers (see http://www.cathaycenturies.com/blog/?p=643 for more details about this particular vulnerability).

Odd User Agents

Mozilla/3.0 (compatible; Indy Library)
Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Havij

The first one, "Indy Library", is a standard library used in many web attack tools. The second one is the old favorite nmap, and the last one is Havij, a script kiddie SQL injection tool (not seeing it as much as I used to). In pretty much all cases it is easy to change the user agent, but most attackers don't bother to.

Sometimes the user agent string itself is the attack, like in this log:

"GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>" "-"

The attacker may hope that the user agent is echoed back to the administrator as part of an admin interface.

Standard SQL Injection Strings

GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536--
GET /diary.php?storyid=1480%27
GET /diary.php?storyid=1480+and+1%3D1

Many SQL injection attack tools use similar techniques. The examples above are from Havij. Typically the attacker will try to insert single quotes (%27) or issue UNION requests with random parameters to be able to identify any data that may come back (the hex literal above decodes to the ASCII string 1025480056, a marker the tool can look for in the response). For the UNION requests, you will see the attack starting with one column and working its way up as the attacker attempts to figure out how many columns your query returns.

Cross Site Scripting

Here is a typical XSS attempt:

GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0"

Not much obfuscation here. Just a pretty plain XSS attempt.
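To pick the same things out of a busy server's logs rather than a honeypot's, the patterns above can be turned into a small tagger. The following is an added example, not code from the honeypot or the ISC: the log lines are constructed in Apache combined-log format with RFC 5737 client addresses, and the tag names and user-agent markers are my own choices.

```python
"""Tag web-server log lines with the attack patterns discussed above: a TLS
handshake hitting the plaintext port, HNAP1 router probes, tool user agents,
XSS in the user agent, and Havij-style SQL injection. Added example, not
honeypot or ISC code; sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# Apache combined log; quoted fields may contain backslash escapes (\" and \xNN)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
HTTP_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
TOOL_UA_MARKERS = ("Indy Library", "Nmap Scripting Engine", "Havij")
# a quote, UNION ... SELECT, "and 1=1"-style tautologies, or a long hex literal
SQLI_RE = re.compile(
    r"'|\bunion\b[\s\S]{0,40}?\bselect\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+|\b0x[0-9a-f]{6,}\b", re.I)
XSS_RE = re.compile(r"<\s*script\b|\bon(?:error|load|click|mouseover)\s*=|javascript:", re.I)

def classify(line):
    """Return {ip, request, ua, tags} or None if the line is not combined-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, ua, tags = m["req"], m["ua"], []
    parts = req.split(" ")
    method, path = parts[0], (parts[1] if len(parts) > 1 else "")
    if method not in HTTP_METHODS:
        tags.append("non-http-method")
        # \x80 = SSLv2-compatible ClientHello record, \x16\x03 = TLS record
        if method.startswith("\\x80") or method.startswith("\\x16\\x03"):
            tags.append("tls-to-plaintext-port")
    decoded = unquote_plus(path)          # %27 -> ', + -> space, %3D -> =
    if decoded.rstrip("/").endswith("/HNAP1"):
        tags.append("hnap1-router-probe")
    query = decoded.split("?", 1)[1] if "?" in decoded else ""
    if SQLI_RE.search(query):
        tags.append("sqli")
    if XSS_RE.search(decoded):
        tags.append("xss")
    if any(marker in ua for marker in TOOL_UA_MARKERS):
        tags.append("tool-ua")
    if XSS_RE.search(ua):
        tags.append("xss-in-ua")
    return {"ip": m["ip"], "request": req, "ua": ua, "tags": tags}

def scan(lines):
    """[(ip, request, tags)] for every line that picked up at least one tag."""
    out = []
    for line in lines:
        r = classify(line)
        if r and r["tags"]:
            out.append((r["ip"], r["request"], r["tags"]))
    return out

# Constructed sample lines in the shape of the honeypot entries above
SAMPLE_LOG = r'''
192.0.2.5 - - [02/Oct/2013:10:01:02 -0400] "\x80w\x01\x03\x01" 501 216 "-" "-"
192.0.2.6 - - [02/Oct/2013:10:02:13 -0400] "GET /HNAP1 HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
192.0.2.7 - - [02/Oct/2013:10:03:44 -0400] "GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 200 5162 "-" "Havij"
192.0.2.7 - - [02/Oct/2013:10:03:45 -0400] "GET /diary.php?storyid=1480%27 HTTP/1.1" 500 312 "-" "Havij"
192.0.2.8 - - [02/Oct/2013:10:05:00 -0400] "GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>"
192.0.2.9 - - [02/Oct/2013:10:06:00 -0400] "GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0" 200 5162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
192.0.2.10 - - [02/Oct/2013:10:07:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, request, tags in scan(SAMPLE_LOG):
        print(ip, tags, request)
```

The decoding step matters: %27 and + only look like an injection once they are turned back into a quote and a space, which is also why a filter that matches on the raw URL misses the second and third Havij lines above.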
ISC StormCast for Thursday, October 3rd 2013 http://isc.sans.edu/podcastdetail.html?id=3578, (Thu, Oct 3rd)
As Adrien mentioned, we are trying to focus on "interesting" logs during October to celebrate "Cyber Security Awareness Month". For security professionals it is important to be aware of what your logs are trying to tell you. We are not looking for ground-breaking new events, but just the "stuff you always wondered about what it meant".
I am starting today with a couple of DNS logs. If you haven't seen logs like this yet: You are not doing your job well protecting your network ;-)
I kept the logs as original as possible, but masked out a few IP addresses using "X" and some hostnames with 'example.com'.

1 - RFC 1918 Response

Oct 2 14:32:36 nsint named: client X.X.X.X#50873: RFC 1918 response from Internet for 1.10.64.10.in-addr.arpa

In this case, one of my internal hosts tried to reverse resolve the address 10.64.10.1 (the in-addr.arpa name carries the octets in reverse order). 10.0.0.0/8 is however reserved address space per RFC 1918, so this lookup just doesn't make much sense: the query left my network and a server on the Internet answered it. The DNS server (named) is warning me about this lookup.

2 - FORMERR

Oct 2 14:16:01 nsint named: error (FORMERR) resolving 'ocsp.verisign.net/AAAA/IN': 22.214.171.124#53

One of my hosts tried to connect to ocsp.verisign.net. OCSP is a web service used to check whether certificates are still valid (not revoked). You will see connections to this host name from your browser as you visit some HTTPS sites. My network is dual stack, so hosts will attempt IPv4 (A) as well as IPv6 (AAAA) address lookups. Looks like Verisign doesn't support IPv6 and doesn't know what to do with AAAA queries, so it is sending a format error (FORMERR) back. This caught my eye because of the security relevance of OCSP. But then again, there is nothing I can or have to do about this error.

3 - DHCP Dynamic Updates

Oct 2 14:27:25 nsint named: client X.X.X.X#38155: signer "dhcpkey" approved
Oct 2 14:27:25 nsint named: client X.X.X.X#38155: updating zone 'example.com/IN': deleting an RR at laptop.example.com TXT

My DHCP server is configured to update DNS whenever it sees a new host. To authenticate these updates it uses a shared TSIG key (I call it "dhcpkey"); note that TSIG signs the update, it does not encrypt it. Since the request came from the DHCP server (masked IP address) and was approved, all is well and this is normal. I would be concerned if these requests got rejected and/or came from an IP address different from the DHCP server.
Here is a log entry for a denied update:

Oct 2 14:03:40 nsint named: client 10.5.0.254#53419: update 'lexample.com/IN' denied

In this case it turned out to be a misconfiguration of the respective zone. Remember: Watching your logs not only keeps attackers out, but also makes your network perform better!

4 - REFUSED

Oct 2 12:47:53 nsint named: error (unexpected RCODE REFUSED) resolving 'example.com/A/IN': 126.96.36.199#53

Here a name server I connected to in order to look up example.com refused the query. Odd, as the domain was valid. Could be a misconfigured DNS server, or a network device (anti-DoS?) interfering with the query.
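The four message types above are regular enough to parse, and the one piece of real logic worth writing down is decoding the in-addr.arpa name and checking it against the RFC 1918 ranges, which is what named does before it warns. The following is an added example, not part of the diary or of BIND: the sample lines are constructed, keeping the diary's X.X.X.X masking and example.com names, with 10.5.0.1 assumed as the DHCP server and 192.0.2.53 standing in for remote name servers.

```python
"""Classify the BIND (named) syslog messages discussed above and decode the
reverse-lookup name in the RFC 1918 warning. Added example, not diary or
BIND code; sample lines are constructed."""
import ipaddress
import re

SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ named: (?P<msg>.*)$")
RFC1918_MSG = re.compile(r"RFC 1918 response from Internet for (?P<name>\S+)")
RESOLVE_ERR = re.compile(
    r"error \((?P<err>[^)]+)\) resolving '(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': (?P<server>[^#\s]+)#\d+")
SIGNER = re.compile(r"client (?P<client>[^#\s]+)#\d+: signer \"(?P<signer>[^\"]+)\" (?P<verdict>\w+)")
UPDATING = re.compile(r"client (?P<client>[^#\s]+)#\d+: updating zone '(?P<zone>[^']+)': (?P<change>.+)")
DENIED = re.compile(r"client (?P<client>[^#\s]+)#\d+: update '(?P<zone>[^']+)' denied")

PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ptr_to_ip(name):
    """'1.10.64.10.in-addr.arpa' -> IPv4Address('10.64.10.1'); None if malformed.
    The PTR name lists the octets in reverse order."""
    suffix = ".in-addr.arpa"
    name = name.lower().rstrip(".")
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None

def is_rfc1918(ip):
    return any(ip in net for net in PRIVATE_V4)

def classify(line, dhcp_servers=()):
    """Describe one named log line. dhcp_servers is the (assumed) allow-list of
    hosts permitted to send dynamic updates; updates from anywhere else are flagged."""
    m = SYSLOG.match(line)
    if not m:
        return None
    msg = m["msg"]
    r = RFC1918_MSG.search(msg)
    if r:
        ip = ptr_to_ip(r["name"])
        return {"kind": "rfc1918-reverse-leak", "ip": str(ip) if ip else None,
                "private": bool(ip and is_rfc1918(ip)),
                "note": "a reverse query for private space left the network; serve these zones locally"}
    r = RESOLVE_ERR.search(msg)
    if r:
        notes = {"FORMERR": "remote server rejected the query format; typical for AAAA at servers without IPv6 support",
                 "unexpected RCODE REFUSED": "remote server refused the query: misconfiguration or a middlebox"}
        return {"kind": "resolve-error", "err": r["err"], "qname": r["qname"],
                "qtype": r["qtype"], "server": r["server"], "note": notes.get(r["err"], "")}
    r = SIGNER.search(msg)
    if r:
        return {"kind": "update-signer", "client": r["client"], "signer": r["signer"],
                "verdict": r["verdict"], "suspicious": bool(dhcp_servers) and r["client"] not in dhcp_servers}
    r = UPDATING.search(msg)
    if r:
        return {"kind": "update-applied", "client": r["client"], "zone": r["zone"],
                "change": r["change"], "suspicious": bool(dhcp_servers) and r["client"] not in dhcp_servers}
    r = DENIED.search(msg)
    if r:
        return {"kind": "update-denied", "client": r["client"], "zone": r["zone"]}
    return {"kind": "other", "msg": msg}

# Constructed sample lines mirroring the diary entries
SAMPLE_LOG = [
    "Oct  2 14:32:36 nsint named: client X.X.X.X#50873: RFC 1918 response from Internet for 1.10.64.10.in-addr.arpa",
    "Oct  2 14:16:01 nsint named: error (FORMERR) resolving 'ocsp.verisign.net/AAAA/IN': 192.0.2.53#53",
    'Oct  2 14:27:25 nsint named: client 10.5.0.1#38155: signer "dhcpkey" approved',
    "Oct  2 14:27:25 nsint named: client 10.5.0.1#38155: updating zone 'example.com/IN': deleting an RR at laptop.example.com TXT",
    "Oct  2 14:03:40 nsint named: client 10.5.0.254#53419: update 'example.com/IN' denied",
    "Oct  2 12:47:53 nsint named: error (unexpected RCODE REFUSED) resolving 'example.com/A/IN': 192.0.2.53#53",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line, dhcp_servers=("10.5.0.1",)))
```

The `suspicious` flag is the check the diary calls out: an approved, correctly signed update is still worth a look if it did not come from the DHCP server, because that means the TSIG key is in use somewhere it should not be.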
Got any other DNS logs?
Obamacare related domain registration spike, Government shutdown domain registration beginning, (Wed, Oct 2nd)
In the last 24 hours, DomainTools reported to us that over 50 domains related to the US Government Partial Shutdown have been registered. About a third of those are partisan oriented; most of the rest are parked. During the same time period, over 40 domains were registered relating to the Affordable Care Act (colloquially known as Obamacare). So far, no spam has shown up on either subject, which was surprising to many of us that monitor these trends.
While those specific data points are US-oriented, the lesson generally is not. Whenever there is a major event there is usually a corresponding uptick in new domains registered related to those events and spam campaigns. The advice to users is the same, don't click on random emails and if you want to do business online, always affirmatively type in the URLs of known entities instead of using email or website links. The federal insurance exchange website is healthcare.gov, for instance. Other sites proclaiming they are *the* federal exchange are likely less than honest, especially if they are anything other than a .gov.
What makes these campaigns successful is an uptick in media coverage and popular awareness, especially if there is a visual component. One of the most successful campaigns of this type was a spam campaign related to the capture of Osama Bin Laden and links that purported to be pictures or videos of the event. The Boston bombing is another example. What makes the potential for Obamacare related scams work is the instability of the new site combined with some confusion about the details of the new law. Where there isn't clarity, fraud is possible.
The awareness tip for those who support users: any time something like this happens, review the same advice with them. Don't click on links, go only to known websites, and let them know online miscreants will use popular interest in a subject to infect them with malware.
bambenek \at\ gmail /dot/ com
Most of us are familiar with the "Microsoft support" call. A phone call is received, the person states they are from "Microsoft support" and they have been alerted that your machine is infected. The person will assist you by having you install a remote desktop tool such as TeamViewer or similar (we have seen many different versions).
Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day when he received such a call, they now install ransomware which locks the person out of their computer until a fee has been paid. In this instance it was done quite early in the "support" call, so even disconnecting on smelling a rat was too late.
The ransomware itself looks like it replaced some start-up parameters to kick in the lockout rather than encrypting the drive or key elements of the machine. However, for most users that would be enough to deny access.
So in the spirit of Cyber Security Awareness Month, make this month one where you let your non-IT friends and family know two things. Firstly, BACK UP YOUR STUFF. Secondly, tell them: "when you receive a call from 'Microsoft support', the correct response is to hang up."
Mark H(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC StormCast for Wednesday, October 2nd 2013 http://isc.sans.edu/podcastdetail.html?id=3575, (Wed, Oct 2nd)
Today is the beginning of Cyber Security Awareness Month. Apparently the month's official theme is "Our Shared Responsibility." We at the SANS Internet Storm Center want your logs! Send us packets, malware, all your logs, log snippets, observations, things that go bump on the 'net, things that make you go HMMMM, or just send us email to discuss InfoSec. What can we do as individuals to increase information security and encourage secure practices among co-workers, friends, and family? Let us know via our Contact Us page, or the comments below.
This year our theme is 'weird, wonderful, and interesting stuff in logs'. In past years our themes have included:
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202010 - awareness
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202011 - critical controls
https://isc.sans.edu/tag.html?tag=Cyber%20Security%20Awareness%20Month%202012 - theme was "standards"
You can watch NCSAM in the USA go live at the following Facebook URI: https://www.facebook.com/staysafeonline/app_142371818162
Let's be careful out there!
Adrien de Beaupré
My SANS Teaching Schedule