Qualys Blog

www.qualys.com
9 posts

IoT Security: A Hairy Issue That’s Simple to Solve

First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.

That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”

“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”

The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.


Microsoft Releases MS11-100 for ASP.NET DoS Attack

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early yesterday morning at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days to integrate the fix for this new vulnerability into the update that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers’ work. We will be tracking how the other affected projects and vendors (PHP, Oracle, Python, Ruby and others) roll out their patches.

The bulletin fixes the DoS attack vector by limiting the number of variables that can be submitted in a single HTTP POST request. The default limit is 1000, which should be enough for normal web applications but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.

Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.NET Forms Authentication Bypass issue, rated critical. CVE-2011-3414 is the hash table collision DoS issue discussed above, rated important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability, also rated important. Finally, CVE-2011-3415 is the Insecure Redirect vulnerability, rated moderate. We recommend installing the update as soon as possible if you have web-based infrastructure that uses ASP.NET.
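The point of the variable-count limit is that the check has to run before the request parameters are inserted into the hash table, since the insertions are the expensive work the attack forces. The following added example (not Microsoft’s code; the handler, class and sample bodies are constructed for illustration) shows that ordering for a form-encoded POST body:

```python
from urllib.parse import parse_qsl

# Default cap MS11-100 applies to the number of form variables per POST;
# this is an added illustration of the principle, not Microsoft's code.
MAX_FORM_KEYS = 1000


class TooManyFormKeys(ValueError):
    pass


def count_form_keys(body: str) -> int:
    # Plain O(n) scan of the raw body: counts key=value segments without
    # hashing or storing anything, so it stays cheap for a hostile request.
    return sum(1 for part in body.split("&") if part)


def parse_form_guarded(body: str, limit: int = MAX_FORM_KEYS) -> dict:
    # The count happens BEFORE any key goes into a hash table; building the
    # table from tens of thousands of colliding keys is the work to avoid.
    n = count_form_keys(body)
    if n > limit:
        raise TooManyFormKeys(f"request carries {n} form keys, limit is {limit}")
    return dict(parse_qsl(body, keep_blank_values=True))


def handle_post(body: str) -> tuple:
    # Minimal request handler: 413 for an oversized form, 200 otherwise.
    try:
        form = parse_form_guarded(body)
    except TooManyFormKeys as exc:
        return 413, str(exc)
    return 200, f"accepted {len(form)} fields"


# Constructed sample bodies: a normal login form and an inflated one.
NORMAL_BODY = "user=alice&password=secret&remember=1"
FLOOD_BODY = "&".join(f"k{i}=v" for i in range(1001))

if __name__ == "__main__":
    print(handle_post(NORMAL_BODY))
    print(handle_post(FLOOD_BODY))
```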


Microsoft Advisory on client side XSS – 2501696

Today Microsoft published Security Advisory 2501696, describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows an XSS attack to be executed from a webpage viewed in Internet Explorer.

The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.

Advisory 2501696 describes a workaround that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate applying the workaround for security-conscious end users.

The vulnerability was originally disclosed on the WooYun website. The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer, "css.css" (CVE-2010-3971). That vulnerability has been acknowledged by Microsoft, and Security Advisory 2488013 includes a workaround and a FixIt link to apply it.

While the vulnerability is located in a Windows component, Internet Explorer is the only known attack vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.

Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.

Microsoft addresses high-profile ASP.NET issue with MS10-070

Microsoft published an out-of-band patch, MS10-070, for the ASP.NET issue made public two weeks ago at the ekoparty conference in Buenos Aires.

MS10-070 updates the widely installed .NET Framework on all supported Windows platforms, from XP SP3 to Windows 7. This makes the update applicable to many machines, desktops and servers alike. However, the currently known attack applies only to machines that run a web server with ASP.NET installed, so IT administrators should prioritize those machines. Desktops and servers that do not run a web server can be updated at a later date, when convenient.

Microsoft rates the vulnerability as "important" because it only causes information leakage, but the effect of the attack depends heavily on the web application running on the server. In the worst case, attackers can gain complete control of the server in question. The exact impact will have to be determined by the server and application engineers; we recommend patching this vulnerability on all Windows machines that run ASP.NET applications.

For a demo of the worst-case scenario, take a look at the video of Juliano and Thai running their POET tool against an up-to-date "DotNetNuke" installation. They are able to gain full control over the server in under 10 minutes.

For a great explanation of padding oracle attacks, take a look at the Gotham Digital Security blog.

The workarounds previously recommended in the advisory continue to be valid and do not need to be backed out before applying the patch. They are best-practice recommendations that minimize information leakage through side channels and should be considered for any web application in production.

References:

  • Exploit tool and Whitepaper from Netifera
  • Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
  • DotNetNuke blog post on how to fix the issue
  • Technical details on the suggested workarounds
  • Initial advisory from Microsoft

Microsoft readies update for ASP.NET issue

Microsoft announced that they will release an update tomorrow for ASP.NET. The update will address a vulnerability disclosed by Thai Duong and Juliano Rizzo at ekoparty, a Latin American security conference. The critical vulnerability allows a remote attacker to extract information from web applications written in ASP.NET and, in certain circumstances, can be used to take control of the affected server.

The current advisory provides a workaround for the problem. It minimizes information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. Scott’s blog post provides great insight, as does the blog post from the DotNetNuke team on how to implement the workarounds in their environment.

We recommend installing the patch immediately, once it becomes available. IT administrators should first focus on web servers that do not have the workarounds implemented.
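The workaround in this post and the previous one comes down to one rule: a server must not let the client tell a padding failure apart from any other decryption failure. The following added example (not Microsoft’s or the researchers’ code; the keys, the toy HMAC-based keystream standing in for a real block cipher, and the function names are constructed for illustration) shows the leaky "before" pattern beside the hardened "after" pattern, which authenticates the ciphertext before unpadding and collapses every failure into one identical response:

```python
import hashlib
import hmac
import os

BLOCK, TAG = 16, 32  # padding block size, HMAC-SHA256 tag length
# Constructed demo keys; a real deployment pulls these from a secret store.
ENC_KEY, MAC_KEY = b"e" * 32, b"m" * 32


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256 standing in for a block cipher.
    ks = b""
    for i in range((len(data) + 31) // 32):
        ks += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def _unpad(data: bytes) -> bytes:
    # PKCS#7 check: raises on any malformed padding.
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt(plaintext: bytes) -> bytes:
    nonce = os.urandom(BLOCK)
    n = BLOCK - len(plaintext) % BLOCK
    ct = _xor_stream(ENC_KEY, nonce, plaintext + bytes([n]) * n)  # PKCS#7 pad
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()


def decrypt_leaky(blob: bytes) -> str:
    # 'Before': padding is checked first and each failure gets its own message,
    # so whoever tampers with the ciphertext can tell valid padding from invalid.
    nonce, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG], blob[-TAG:]
    try:
        pt = _unpad(_xor_stream(ENC_KEY, nonce, ct))
    except ValueError:
        return "error: padding invalid"
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return "error: authentication failed"
    return "ok:" + pt.decode()


def decrypt_uniform(blob: bytes) -> str:
    # 'After': authenticate before touching the padding, and map every failure
    # to one identical response, which is what the ASP.NET workaround aims at.
    nonce, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return "error"
    try:
        return "ok:" + _unpad(_xor_stream(ENC_KEY, nonce, ct)).decode()
    except ValueError:
        return "error"
```

Flipping the last ciphertext byte breaks the padding while flipping the first one leaves it intact; decrypt_leaky answers those two cases differently, decrypt_uniform does not.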

References:

  • Exploit tool and Whitepaper from Netifera
  • Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
  • DotNetNuke blog post on how to fix the issue
  • Technical details on the suggested workarounds

Additional September Security Advisories – Update

Update

  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago but was inadvertently reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.
    Minded Security has an interesting analysis of an additional issue in the JavaScript code involved and shows that finding a valid fix that works across all browsers requires experience and structured QA testing. Mikko Hypponen suggests that Twitter implement a bounty-based program, but it seems that the problems lie much lower in the dev/testing stack.

Original
After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:

  • Adobe accelerated their patch for the Flash 0-day vulnerability by one week and released it yesterday, Monday September 20. Google Chrome users got the patch through Chrome’s update mechanism and received it even earlier, on Friday, September 17. Google Chrome users can also use the Chrome-embedded PDF reader for most of their PDF usage, at least for simpler document viewing and printing, and so sidestep the still-open Adobe Reader 0-day.
  • Samba, the popular file-sharing server, issued a patch for a critical vulnerability. The vulnerability allows external users to cause a DoS condition and potentially take control of the Samba server. Most users will run a version of Samba supplied by their vendor and should contact them for the updates, e.g. Red Hat, IBM, Apple etc.
  • An exploit for a vulnerability in the 64-bit Linux kernel was published. The vulnerability allows a local user to take full control of the targeted machine. Limited reports of use of the exploit are coming in. A tool has been made available to detect infection. Engage your vendor for a patch.
  • Web applications that use Microsoft’s ASP.NET are vulnerable to a "padding oracle" attack against application cookies, which allows the attacker to gain access to private information. There is a demo video online on YouTube. Microsoft issued security advisory KB2416728 and has acknowledged a limited number of attacks seen in the wild. The advisory contains workarounds that mitigate the information leak. Web application firewalls with the technology to protect application cookies can also help with the issue.
  • Apple published an update to Mac OS X 10.6 (Snow Leopard) fixing a single issue, which is quite uncommon as they normally bundle many security updates together. Earlier versions of Mac OS X are not affected. QuickTime for Windows was updated as well to address a known 0-day vulnerability.
  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago but was inadvertently reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.

OWASP Top 10 List of Web Application Security Risks for 2010

Today we have a guest post from Qualys Security Research Engineer Michael Shema.

The Open Web Application Security Project (OWASP) has updated its Top 10 list of Web Application Security Risks for 2010. The new list reflects a better understanding of how web applications are most commonly being attacked, or at least of the most common risks discovered by security professionals. It’s important for organizations to understand that the list is a risk-based selection of web app vulns. For example, security misconfiguration (A6) appeared in the 2004 version, was dropped in 2007, and re-appears now in 2010. Also, malicious file execution (A3 in the 2007 version) was dropped because the main culprit, poorly configured and written PHP apps, can benefit from improvements to the default PHP settings. However, this doesn’t mean those problems have gone away. If you haven’t upgraded your PHP installation, then your site is still highly vulnerable.

The list doesn’t explicitly call out a very important exploit against web applications: logic attacks — attacks against the site’s workflows. These types of attacks have a generic description, but tend to be very specific to each web site. They’re related to broken auth and session management (A3) in that they take advantage of poor controls over a user’s activity. Logic attacks target assumptions the site makes about a user’s click path or the sequence in which a workflow is expected to be completed. These attacks rarely rely on injection of malicious content or otherwise invalid input. Instead, they very often repeat steps that the web app didn’t expect to be repeated or perform actions out of their expected order. It’s these vulns that are gaining prominence with JavaScript-heavy apps that push a lot of logic to the browser without verifying actions on the server.
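What "verifying actions on the server" looks like for such a workflow, as an added example (not from the post; the checkout steps, the coupon rule and the class are constructed for illustration): the server keeps its own record of which steps a session has completed and rejects any step that is repeated or arrives out of order, regardless of what the browser-side logic allowed.

```python
from enum import Enum


class Step(Enum):
    CART = 1
    SHIPPING = 2
    PAYMENT = 3
    CONFIRM = 4


class CheckoutSession:
    """Server-side record of a session's progress through checkout.

    The server, not the browser, decides whether a step is allowed: each
    step must follow the previous one and may be completed only once.
    """

    ORDER = [Step.CART, Step.SHIPPING, Step.PAYMENT, Step.CONFIRM]

    def __init__(self, total_cents: int = 10000):
        self.done = []                  # steps completed so far, in order
        self.coupon_applied = False
        self.total_cents = total_cents  # constructed order total

    def perform(self, step: Step) -> str:
        # Repeating a finished step (e.g. re-posting PAYMENT) is refused ...
        if step in self.done:
            return f"rejected: {step.name} already completed"
        # ... and so is skipping ahead, e.g. CONFIRM before PAYMENT.
        expected = self.ORDER[len(self.done)] if len(self.done) < len(self.ORDER) else None
        if step is not expected:
            want = expected.name if expected else "nothing"
            return f"rejected: expected {want}, got {step.name}"
        self.done.append(step)
        return f"ok: {step.name}"

    def apply_coupon(self, percent: int) -> str:
        # A coupon is valid only after the cart exists, before payment, and once;
        # replaying the request must not keep lowering the total.
        if Step.CART not in self.done or Step.PAYMENT in self.done:
            return "rejected: coupon not allowed at this stage"
        if self.coupon_applied:
            return "rejected: coupon already applied"
        self.coupon_applied = True
        self.total_cents = self.total_cents * (100 - percent) // 100
        return f"ok: total now {self.total_cents} cents"
```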

It’s still important for web site owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CSRF didn’t appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier (it takes advantage of a fundamental property of HTML and HTTP). It’s just that CSRF attacks weren’t well defined or widely understood before the list was updated in 2007.

Also keep in mind the Top 10 list is primarily for web site owners to understand how to improve their site’s security and to know what types of attacks seem most prolific. Some of the items, like XSS and CSRF also target the web browser. As a visitor to a possibly insecure web site, it’s fortunately still possible to apply some defenses in the browser, whether simply keeping the browser and its plug-ins up to date or using a security plug-in like NoScript.

And while developers scour their sites for risks associated with this Top 10 list, web users need to be aware of the prevalence of malware. Malware isn’t actually an attack against the web site; the attacker needs to use some other vulnerability in order to sneak malicious code onto a web page. However, malware is still a significant concern for users who are trying to keep their personal information secure.

New 0-day in Java

Today Tavis Ormandy published a 0-day vulnerability in Java. His post provides exploit information and a link to a webpage demonstrating the launch of calc.exe on Windows. The vulnerability allows an attacker to execute code remotely on the target machine and can be triggered by a user visiting a simple webpage. It is located in the Java Web Start component and is present in Java running on Windows operating systems. There is no patch or official workaround yet, but Tavis provides suggestions on how users can configure their systems to defend themselves.

Rubén Santamarta provides additional technical information on the vulnerability and points out that Java on Linux is affected as well.

Our vulnerability research team has confirmed the existence of the vulnerability on Windows and we are releasing a detection under QID 117772 in QualysGuard. We will track the development around this vulnerability and keep you posted.


Firefox browser to check for Flash updates

Yesterday the Mozilla Foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and for all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

As you can see, this worked fine for me on my Mac under Firefox 3.0.14.