Qualys Blog


Current pcAnywhere Security Issues

Last week Symantec published a whitepaper "pcAnywhere Security Recommendations" which recommended increased security measures to all users who are managing pcAnywhere installations. The whitepaper was prompted by the recent disclosure of Symantec source code announced by the hacker group "Lords of Dharmaraja" affiliated with Anonymous, and it points out the increased risk associated with pcAnywhere given that attackers can now search the source code for flaws.

Somewhat surprisingly, the whitepaper’s first recommendation is to uninstall the product, of course only if it is not absolutely required. Personally I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one’s software footprint and the related attack surface. If uninstalling pcAnywhere is not a viable option, Symantec recommends a number of additional security configurations, including moving Internet-exposed pcAnywhere installations behind a VPN gateway, blocking the standard pcAnywhere ports 5631 and 5632 on the firewall, and disabling the auto-start of pcAnywhere.

Last week Symantec also released patches for the currently supported versions 12.5, 12.0.x and 12.1.x in advisory SYM12-02. The patches address CVE-2011-3478, a remote code execution vulnerability with CVSS base score of 8.3 and CVE-2011-3479, a local file tampering vulnerability with CVSS base score of 6.8.

We recommend installing these patches as quickly as possible if you have pcAnywhere installed.

QualysGuard users can scan with Qualys ID 119873 for pcAnywhere installations that lack the latest patch, or use Qualys ID 38448 to find all pcAnywhere instances in their networks. Alternatively you can also use Qualys ID 42017 to scan for remote access in general and gain a complete picture of all remote access applications, which is very helpful in these types of situations.

Detecting the DNS Changer Malware

Only a couple of days are left until the DNS Changer Working Group will stop operating the DNS servers used by the DNS Changer malware. According to the latest stats there are still 300,000 machines infected. These machines will lose Internet access once the servers are shut down.

You can use BrowserCheck to check whether you are in the affected group.

January marked half-time for the folks at the DNS Changer Working Group (DCWG) who are now running the DNS servers originally used in the Rove botnet. Ever since a multi-national task force dismantled the gang in Operation Ghost Click in early November of 2011, the DCWG has been in charge of running the servers at the heart of the botnet in order to keep the infected machines that depend on these servers online. In its four years of existence, Rove managed to infect around four million machines. Its mode of operation is simple: it replaces the DNS servers registered on the infected machine with its own servers, which allows it to redirect almost all of the traffic of the infected machines to its own services. This gives the attackers almost unlimited power over the infected machines, as they intercept almost all requests made to the Internet. They could, for example, replace all download requests for a certain piece of software, say iTunes, with a backdoored version of iTunes that for all intents and purposes behaves the same, but additionally installs a remote administration tool for the attackers. They were also able to reorder your search results and influence your purchase decisions, and to exchange the ads that are displayed to you for ones favoring their affiliates.

But the DCWG’s mission is time-limited. In November they were tasked with operating the servers for a total of 120 days. They will shut down the servers in March, and anybody who is still using those servers will then lose access to the Internet, as DNS is the service that translates your request for a certain website, say "www.facebook.com," into its IP address equivalent. Once DNS stops working you will get a screen similar to:

Address not valid - Windows Internet Explorer

Fortunately it is relatively easy to verify whether a machine is affected by Rove. All one needs to do is check whether its DNS servers fall into the five ranges that were under the control of the Rove operators. The easiest way to do this, at least under Windows, is to run the Qualys BrowserCheck plug-in, which we recently equipped with Rove detection capabilities (see screenshot).

Qualys BrowserCheck - DNS Changer Malware Detected
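The same check that BrowserCheck performs can be done by hand: read the DNS servers a Windows machine is configured with and compare them against the known rogue ranges. The following added example (not Qualys code, and not the BrowserCheck implementation) parses the `DNS Servers` entries from `ipconfig /all` output and flags any server inside a suspect range. The ranges in `SUSPECT_RANGES` and the `ipconfig` text are constructed placeholders (RFC 5737 documentation addresses); a real check must substitute the ranges published by the DCWG.

```python
import ipaddress
import re

# PLACEHOLDER ranges, NOT the real Rove/DNS Changer ranges. Replace with the
# list published by the DNS Changer Working Group before using this for real.
SUSPECT_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_dns_servers(ipconfig_text: str) -> list:
    """Extract DNS server addresses from the text of `ipconfig /all`.

    The first server follows the 'DNS Servers . . . :' label; additional
    servers appear on the following lines with nothing but the address.
    """
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in stripped:
            collecting = True
            match = IPV4.search(stripped.split(":", 1)[1])
            if match:
                servers.append(match.group(0))
        elif collecting and IPV4.fullmatch(stripped):
            servers.append(stripped)       # continuation line: address only
        else:
            collecting = False             # any other line ends the DNS block
    return servers

def rogue_dns_servers(servers, ranges=SUSPECT_RANGES) -> list:
    """Return the subset of `servers` that fall inside any suspect range."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue                       # skip malformed entries
        if any(addr in net for net in ranges):
            hits.append(server)
    return hits

# Constructed sample output, not captured from a real machine.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IP Address. . . . . . . . . . . . : 10.0.0.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       10.0.0.1
"""

if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured DNS servers:", found)
    bad = rogue_dns_servers(found)
    print("in suspect ranges:", bad or "none")
```

On a live machine, pipe the real output in (for example `ipconfig /all > out.txt` and read the file) and fill `SUSPECT_RANGES` from the DCWG list; a non-empty result means the DNS settings should be reset as described below.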

If your machine shows as insecure under the DNS Changer heading, you need to perform a few simple steps to correct the situation. We provide more information on how to correct the DNS servers when you click on the FixIt button, but basically you need to reset the DNS servers that you use. On Windows the Control Panel is used to modify the DNS servers. Click on Start, Control Panel, Network Connections, then right-click on the icon that identifies your connection and select Properties, then select Internet Protocol (TCP/IP) and click on the Properties button. This will bring you to the screen where the DNS servers are set. Here you should select "Obtain DNS server address automatically" and then close the windows by pressing OK and Close.

Internet Protocol TCP/IP Properties for Network Connection in Windows XP

Once done you should register the infection at the FBI’s website, as it will help strengthen the case against Rove’s operators.

Solving the Secure Password Conundrum

Last year around the holidays, Hacktivists published a list of usernames and passwords registered with the stratfor.com site. I had signed up for their free feed of geopolitical analysis several years ago through a recommendation from @anton_chuvakin and did not even remember the password I had used. While the disclosed information in the breach did not really worry me, I was fairly certain that I had probably used the same password to sign up for other services. Now I had a dual challenge:

  1. Recall the password I used for the site at the time.
  2. Research where else I had used that password and change it on those sites as well.

Since I could not remember the password, I downloaded the password archive from one of the locations shared on pastebin.com (see cryptome.org for a nice timeline), looked for my username, extracted the MD5 hash string and then cycled through each of my "password sharing candidates" with a small Perl script to see if a match could be found. I found a match relatively quickly and then had to start on the tedious work of resetting my password on all sites that were using that very same password. It took me about two hours to go to each of the 17 sites that I had located through my password manager and reset the respective passwords. This time I followed best practice and let the tool generate a random password for each site. None of the sites were particularly important, but among them was the site where I pay my utility bills (they do not store credit card information), a forum for the car I drive, my local library and the sandwich store next door that allows for online ordering.

Then early Monday morning I got a similar e-mail from Zappos informing me that they had had a data breach as well, and that I had to reset my password at their site. Now with Zappos, I am in a somewhat worse and somewhat better situation: Zappos has my credit card information, but on the other hand, I have the same password only at Zappos' sister site Amazon, so the password change was simple and done quickly.

The lesson from all of these events is simple: reusing passwords, while convenient, is risky. Use a distinct password on each site when you open an account. I cannot remember the login details for the hundreds of sites with which I have accounts, so I make use of a password manager to take care of that. I recommend installing a third-party product over the browser's built-in manager, as they are harder to attack and less likely to disclose your passwords to a browser exploit.

Personally I use LastPass, which works well for me across my Linux and Mac computers and even on my Chromebook. I also like it because it allows two-factor authentication with a Yubikey or Google Authenticator. Two-factor authentication is a great security option if the service or site supports it, asking the user to provide an additional proof of identity, typically by prompting for a numeric code that is displayed on a token or on the user’s cellphone. I opt in to two-factor authentication whenever possible and have activated it on my bank account, Paypal and eBay, DNS management for my domains and my GMail account. Even my son uses it on his World of Warcraft account. It adds an additional step to the login process, but provides additional security. This measure is well worth the added work, which he realized when he lost all of his equipment on an account that did not have two-factor enabled.

Oracle Critical Patch Update January 2012

Oracle publishes Critical Patch Updates (CPUs) on a quarterly schedule and today released its January edition with patches for a majority of their product line:

  • Oracle Solaris: eight vulnerabilities in Solaris itself, including CVE-2012-0094 with the highest CVSS score of 7.8 in the advisory, plus three issues in the Glassfish application server
  • Weblogic Application Server: two vulnerabilities, neither one requiring authentication
  • MySQL Server: a total of 27 vulnerabilities in versions 5.x, with one Remote Code Execution vulnerability (CVE-2011-2262)
  • Oracle Database Server: both version 10 and 11 are affected by two remote code execution vulnerabilities, one in the Listener (CVE-2012-0072) and the other one in the core RDBMS server (CVE-2012-0082). More details for the latter are available here, and are related to a DoS type flaw in Oracle’s System Change Numbering (SCN) throttling
  • Oracle Applications, such as Peoplesoft and JD Edwards, have a total of 14 vulnerabilities between themselves
  • Oracle Virtualization software: three vulnerabilities, two in the Guest Additions and Shared Folders, which are widely used but only accessible locally

Overall a large update for Oracle software users, but with plenty of mitigating factors. We recommend addressing vulnerabilities on systems that are Internet accessible first. Most likely this will mean fixing Weblogic/Apache and Solaris vulnerabilities first, followed by MySQL. Oracle RDBMS can probably be addressed last, as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all. A good map of your network will help in determining where to start.

BTW, neither Oracle Enterprise Linux nor Oracle Java is covered by the CPU process; each receives updates on its own distinct schedule.

Oracle Critical Patch Update January 2012

Oracle has published its preview for the January 2012 CPU, scheduled for next Tuesday, January 17.

Most of their products, including the acquired PeopleSoft, JD Edwards, Weblogic and the recent Sun/MySQL lines, are affected by this update. Overall there are 78 security-relevant patches, with 16 falling into the most critical category, Remote Code Execution with Authentication. Only PeopleSoft and the virtualization products are not affected by this critical rating; everybody else should pay close attention to the release next Tuesday.

One notable exception is the Java programming language, as it is updated on a separate schedule and had its last release in December 2011.

Update Your PCs: OK, but How About Printers?

This week was Microsoft Patch Tuesday and you are probably all working now on getting the appropriate updates out to your PCs. But how well are you covering other software vendors, say Adobe, who also published a critical update this week, or Oracle, who will be giving us their Critical Patch Update (CPU) next week? You are good? Great! How about your printers?

Over the holidays, the 28th Chaos Computer Congress (CCC) was held in Berlin, Germany. Ang Cui from Columbia University presented his research that focused on problems in HP printer firmware. While that sounded initially pretty dry, it turned out to be a very engaging and practical talk. In a nutshell, many (>50) current HP printers are vulnerable to a Remote Firmware Update (RFU) exploit, where an attacker can install a new and malicious firmware simply by printing a document on the printer in question.

Ang demonstrated live on stage what can be done with this vulnerability. A colleague printed a document (his tax return, web generated), and it infected his printer with a new backdoored version of the firmware. The firmware installed itself in under two minutes and then started sending every document printed on this printer to Ang’s personal printer. It also acted as a reverse IP proxy connecting out to the Internet, allowing Ang to attack internal, neighboring machines through the printer; in the demo he used MS08-067 to control a demo workstation through Metasploit.

HP has since fixed the vulnerabilities and new firmware packages are available here.

Overall one of my favorite talks of the CCC and well worth watching in its entirety. Congratulations to Ang and his team at Columbia. By the way, Ang’s research is not focused on printers, but on all kinds of embedded devices. This is a good reminder that in our efforts to use technology to enhance our daily lives by equipping more things with processing and networking capabilities, we are also increasing the ways that a malicious party could gain entry into our lives.

PS: If you are ready to fix your printers, QualysGuard helps you to identify this vulnerability in your network through QID 78050, "HP Printers and HP Digital Senders Remote Firmware Update Enabled by Default".

January 2012 Patch Tuesday

2012’s first Patch Tuesday has seven bulletins, including the postponed bulletin from December 2011 that addresses the BEAST-style information disclosure. Talking about changes in schedules, Microsoft also released bulletin MS11-100 for ASP.NET, originally planned for this January, between Christmas and New Year's of 2011, which you might have missed.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player, one critical in MIDI playback, one important in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can come either through e-mail or by hosting the media file on a website. They have the potential to be used in a drive-by-download attack.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista (http://www.youtube.com/watch?v=ySdaJbgO5gc via @mikko).

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information, so they fell back to running the binary without the SAFESEH handler. Binaries compiled with the later versions of Visual-C (starting with SP1) are generated correctly, and MS12-001 now changes the affected Windows operating systems to be able to read the older format as well. There is no direct vulnerability here: an attacker would have to identify software compiled with the old version of Visual-C, find a vulnerability in it and code an exploit that would use the SEH exploit mechanism. Install it when you can, as it is a useful defense-in-depth measure.

Please also take a look at Adobe’s release today of new versions of Adobe Reader 9 and X. It covers CVE-2011-4369 for Adobe Reader X, which they had already addressed for Adobe Reader 9 out-of-band on December 16th due to exploits in the wild, plus a security enhancement that allows for better control of embedded JavaScript.

2011 Year in Review, Trends for 2012

Tony Bradley published yesterday a blog entry that contains a great summary of the top security incidents of 2011. This is worth reading for any IT administrator as these attacks will grow in 2012 and if you are like me, you may agree that one always learns better by looking at real-life examples.

Tony Bradley, The Security Detail at TechTarget

January 2012 Patch Tuesday Preview

Microsoft is starting 2012 with a surprisingly large first release of seven security bulletins covering eight separate vulnerabilities. In contrast, in past years we usually had a relatively small January release containing only one or two bulletins.

The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.

Bulletin one is the single bulletin rated as 'critical' and should be considered the priority; however, for users of Windows 7 and Windows 2008 R2 its severity is downgraded to 'important'. Bulletins three and five, while rated 'important', both involve Remote Code Execution, most likely through a specifically crafted input file to one of the Windows standard programs, and should also be high on your list of bulletins to look at.

Bulletin two stands out as it is tagged as 'Security Feature Bypass', which is a new category. Next Tuesday it will be interesting to see which exact Windows features are involved and how this vulnerability can be used by attackers.

As usual, the newest versions of Windows, 7 and 2008 R2, have less exposure, as they are not susceptible at all to bulletins three and four.

Please also be aware that both Adobe and Oracle will release their quarterly updates this month as well, on January 10th and January 17th respectively. Parts of Adobe’s release will cover CVE-2011-4369 in Adobe Reader X, which they had addressed for Adobe Reader 9 out-of-band on December 16th due to exploits in the wild.