Thursday, December 15, 2011

sslyze – Fast and Full-Featured SSL Configuration Scanner

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise, companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news headlines, bringing attention to weak configurations and the need to avoid them. Additionally, server misconfiguration has always greatly increased the overhead caused by SSL, slowing the transition to improved communications security.
To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.
SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.
Features
  • Insecure renegotiation testing
  • Scanning for weak strength ciphers
  • Checking for SSLv2, SSLv3 and TLSv1 versions
  • Server certificate information dump and basic validation
  • Session resumption capabilities and actual resumption rate measurement
  • Support for client certificate authentication
  • Simultaneous scanning of multiple servers, versions and ciphers
For example, SSLyze can help users identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can read here.
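The checks listed above (outdated protocol versions, weak cipher suites, renegotiation settings, weak hash algorithms in the trust chain) reduce to a policy applied to whatever a scanner reports. The following is an added example, not sslyze’s own code: it evaluates a constructed, simplified scan summary whose field names are this example’s assumption rather than sslyze’s output format, and returns the findings a reviewer would want to see.

```python
"""Policy evaluation over TLS scan results: an added example, not sslyze's own
code.  SCAN_SUMMARY below is a constructed, simplified record of what a
scanner such as sslyze reports (accepted protocol versions, negotiated
cipher suites, renegotiation behaviour, certificate chain); its field names
are this example's assumption, not sslyze's output format."""
import re

# OpenSSL-style cipher-suite name fragments that mark a suite as weak.
WEAK_CIPHER_PATTERNS = [
    r"\bNULL\b",                # no encryption at all
    r"\bEXP",                   # export-grade (40/56-bit) suites
    r"\bRC4\b",                 # RC4 stream cipher
    r"\bMD5\b",                 # MD5-based MAC
    r"\b(ADH|AECDH|aNULL)\b",   # anonymous key exchange: no server authentication
]
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3"}

SCAN_SUMMARY = {  # constructed sample, not real scanner output
    "host": "example.test",
    "protocols": ["SSLv3", "TLSv1"],
    "ciphers": [
        {"name": "AES256-SHA", "key_bits": 256},
        {"name": "DES-CBC3-SHA", "key_bits": 168},
        {"name": "RC4-MD5", "key_bits": 128},
        {"name": "EXP-DES-CBC-SHA", "key_bits": 40},
    ],
    "renegotiation": {"secure_renegotiation": True, "client_initiated": True},
    "cert_chain": [
        {"subject": "CN=example.test", "sig_alg": "sha1WithRSAEncryption"},
        {"subject": "CN=Old Intermediate CA", "sig_alg": "md5WithRSAEncryption"},
    ],
}

def is_weak_cipher(name, key_bits):
    """Flag a suite under the 'weak strength' check: short key or a weak primitive."""
    if key_bits < 128:
        return True
    return any(re.search(p, name) for p in WEAK_CIPHER_PATTERNS)

def evaluate(scan):
    """Return (severity, finding) tuples for one server's scan summary."""
    findings = []
    for proto in scan.get("protocols", []):
        if proto in OUTDATED_PROTOCOLS:
            findings.append(("high", f"outdated protocol version enabled: {proto}"))
    for suite in scan.get("ciphers", []):
        if is_weak_cipher(suite["name"], suite["key_bits"]):
            findings.append(("medium", f"weak cipher suite accepted: {suite['name']} ({suite['key_bits']} bits)"))
    reneg = scan.get("renegotiation", {})
    if not reneg.get("secure_renegotiation", False):
        findings.append(("high", "secure renegotiation (RFC 5746) not supported"))
    if reneg.get("client_initiated", False):
        # client-initiated renegotiation is what a renegotiation-based DoS relies on
        findings.append(("medium", "client-initiated renegotiation accepted"))
    for cert in scan.get("cert_chain", []):
        if cert.get("sig_alg", "").lower().startswith("md5"):
            findings.append(("medium", f"MD5-signed certificate in trust chain: {cert['subject']}"))
    return findings

if __name__ == "__main__":
    for severity, text in evaluate(SCAN_SUMMARY):
        print(f"[{severity}] {SCAN_SUMMARY['host']}: {text}")
```

On the constructed summary this reports SSLv3, the RC4-MD5 and export suites, the accepted client-initiated renegotiation and the MD5-signed intermediate, while leaving AES256-SHA and 3DES alone; the key-size threshold and the name patterns are the two places to tune for a stricter policy.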
You can download sslyze here:

Microsoft Security Bulletin for December 2011

Microsoft’s Security Bulletin for December 2011 includes 13 bulletins addressing 17 vulnerabilities. Three of the bulletins are rated "critical": MS11-087, MS11-090, and MS11-092 and the rest are "important". This month many of the patches relate to vulnerabilities with known exploits likely available in the wild, so it is essential that organizations prioritize patching as soon as possible.

Microsoft reports that the exploit code for the “critical” MS11-087 and MS11-092 is likely to be in the wild. This comes as no surprise with MS11-087, which addresses the much publicized zero-day vulnerability related to the malicious Duqu worm. The vulnerability is in Windows kernel-mode drivers and could allow remote code execution. Microsoft previously released a workaround for this as a part of Microsoft Security Advisory #2639658, so organizations applying patch MS11-087 need to also undo the workaround if it was deployed.

MS11-092 is a vulnerability in Windows Media player and Media Center, which an attacker could use to phish a victim into visiting a site or opening a file on their site. Microsoft also reports that there is likely already exploit code available for this vulnerability.

This month, there are a couple of updates related to Internet Explorer. MS11-092 is an Active-X bug that exploits a user when they visit a webpage with Internet Explorer. MS11-099 is a cumulative security update for Internet Explorer. Browser updates always get my attention because browsers are on the front line in the security battle. As we approach the end of the year, organizations should be thinking about bringing in the new year by upgrading their legacy browsers and upgrading to Internet Explorer 9.

There are several bulletins related to Microsoft Office Suite and applications related to it such as Powerpoint, Publisher, and Excel. MS11-094, related to Powerpoint, is likely to have exploit code in the wild.

According to the 80/20 rule, 20% of your vulnerabilities will likely cause 80% of your security risk. I see Microsoft getting the number of critical bulletins way down, but at the same time those criticals could be responsible for mass compromises and included in mass malware packs.

This is a month where Microsoft patched a wide variety of vulnerabilities so organizations need to test and patch the “critical” ones as soon as possible, and prioritize the “importants” by which ones have exploit code available, and which ones allow remote code execution.

From: https://community.rapid7.com/community/infosec/blog/2011/12/14/microsoft-security-bulletin-for-december-2011

Tuesday, December 06, 2011

Vendor Security

I’d like to share our experiences with vendor security since I’m sure it’s something that impacts all of us. Like every company, Rapid7 relies on a number of technology vendors for a huge range of products and services to run the business. I’m sure no one will be surprised to hear that as a security company we have a policy specifying the security requirements that our vendors need to meet before we’ll do business with them. Our view is that their security directly impacts any of our internal or customer data that their systems hold, so we take it as seriously as our own infrastructure security. Most or all of you probably have the same approach, but one unique thing that we have at our disposal is a number of highly skilled security experts on staff which allows us to have a mandatory application security assessment as part of our policy.

The results of this policy over the last few years have been eye-opening. The number of prospective vendors that pass our security bar is disappointingly low, across every category we used (marketing tools, sales tools, support tools, file transfer tools, IT infrastructure, etc). The most recent failure sparked this blog post, but it was the norm rather than the exception. More often than not they fail basic tests with numerous readily apparent and easily exploitable issues. If the vendor has a great product or service that we think is significantly better than the alternatives we evaluated, we’ll delay our deployment while we engage with them to address the issues we found, getting commitments to fix in a defined timeline. The results there have been equally dismal, with most of them missing their commitments and forcing us to end up going with an alternate months later. It’s clear that our security bar is far higher than their bar, but also that in many cases they don’t have either the desire or skills to significantly improve their security.

All of this ends up slowing our deployment of the various third party solutions, which is an acceptable tradeoff in our view. But what do we do when none of the vendors in the space pass the security bar? And more broadly, what can we do as a security community to raise awareness of the state of vendor security and create impetus for change? Our individual efforts to push the vendors we’ve engaged with generally haven’t been enough to move the ball. If you have any suggestions on how we can tackle this as a community, please post them below.

In the meantime, I thought I’d share our own approach in case it’s useful to any of you. The overall approach we use is a coordinated process between procurement, legal, and IT security. Having a coordinated process between the business discussion and technical due diligence allows for not just improved decision making, but also more informed negotiation.

  1. First, in addition to screening new vendors, if you haven’t already been doing this, start by pulling together a list of all your existing vendors (particularly SaaS vendors that have an exposed security surface). This will be eye-opening the first time you do it, since lots of groups will have been using tools without any IT involvement.
    • One useful tactic we use to find out what’s in use and catch new ad-hoc “deployments” that bypass your vetting process is a periodic review of corporate credit card statements, flagging expenses associated with known vendors & SaaS providers.
  2. Use a security questionnaire to understand their security policies, processes, and sophistication.
  3. Demand to see the results of their latest security audit, showing what was tested, the findings, and the remediation they’ve done since that time. (We do an audit ourselves because we can). Negotiate for rights to this on a periodic basis.
  4. Pay close attention to audit logging functionality. Does the SaaS application track and report on login/logout, user actions within the application, and does it track source IP address? At the very least, you will want to conduct periodic reviews of the account logs to check for anomalies.
  5. Scrutinize the identity management capabilities and set a policy for how they are used. Access management, particularly account management, is one of the weakest areas of SaaS security today. Multiple users are often tempted to share accounts because account limits are common to SaaS: this practice needs to be discouraged. Organizational password strength and password rotation policies are usually difficult to enforce when it comes to SaaS. Account provisioning and de-provisioning usually happens outside the IT group, and sometimes there are multiple users on a SaaS application with the ability to create accounts but no single user with clear ownership of, and responsibility for, the application. This creates a substantial risk that accounts will not be revoked in a timely fashion upon a change in employment status. Some approaches that can mitigate the issue:
    • Ensure that IT is solely responsible for account management in all SaaS applications.
    • Conduct periodic reviews of active SaaS accounts across all applications, matching to current employee rosters.
    • Work with your SaaS provider to enact IP-level restrictions to all logins, so that employees are required to be either physically present in the office or connected to the VPN to log in to the SaaS application. This will require the VPN to operate in “full tunnel” mode, where all traffic (including internet traffic) is driven over the VPN to egress from the corporate network.
  6. Most SaaS applications allow you to grant different levels of permissions to different users. As much as possible, place reasonable limits on user access levels in SaaS applications. Restrict manager privileges to as few accounts as possible.
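Steps 4 to 6 above are the ones that can be turned into a repeatable check. The following is an added example, not part of the original post or of any Rapid7 tooling: it reconciles a SaaS application’s exported account list against the HR roster (revoked leavers, shared accounts, missing owners), counts admin roles against a limit, and reviews the application’s login log against the office/VPN egress ranges. The roster, account export, log entries and address ranges are all constructed sample data, and the field names are this example’s assumption.

```python
"""Periodic SaaS account and login review (added example; not from the
original post).  Cross-checks a SaaS account export against the HR roster,
flags shared or ownerless accounts and over-provisioned admin roles, and
reports logins from outside the corporate egress ranges.  All records and
address ranges below are constructed sample data."""
from ipaddress import ip_address, ip_network

# Constructed HR roster: login email -> employment status.
ROSTER = {
    "alice@corp.test": "active",
    "bob@corp.test": "active",
    "carol@corp.test": "terminated",
}

# Constructed export from one SaaS application's user administration page.
SAAS_ACCOUNTS = [
    {"app": "crm", "login": "alice@corp.test", "role": "admin", "owner": "alice@corp.test"},
    {"app": "crm", "login": "bob@corp.test", "role": "user", "owner": "alice@corp.test"},
    {"app": "crm", "login": "carol@corp.test", "role": "admin", "owner": "alice@corp.test"},
    {"app": "crm", "login": "marketing-team@corp.test", "role": "admin", "owner": ""},
]

# Constructed login audit log entries from the same application.
LOGIN_LOG = [
    {"login": "alice@corp.test", "src_ip": "203.0.113.10", "action": "login"},
    {"login": "bob@corp.test", "src_ip": "198.51.100.77", "action": "login"},
    {"login": "carol@corp.test", "src_ip": "203.0.113.10", "action": "login"},
    {"login": "alice@corp.test", "src_ip": "203.0.113.10", "action": "logout"},
]

# Office / full-tunnel VPN egress ranges that logins are expected to come from (constructed).
ALLOWED_EGRESS = [ip_network("203.0.113.0/24")]
MAX_ADMINS_PER_APP = 2

def review_accounts(accounts, roster, max_admins=MAX_ADMINS_PER_APP):
    """Return (app, login, finding) tuples for accounts that need attention."""
    findings = []
    admins = {}
    for acct in accounts:
        login, app = acct["login"], acct["app"]
        status = roster.get(login)
        if status is None:
            findings.append((app, login, "not an individual in the HR roster (shared or generic account)"))
        elif status != "active":
            findings.append((app, login, f"account still enabled for {status} employee"))
        if not acct.get("owner"):
            findings.append((app, login, "no responsible owner recorded"))
        if acct["role"] == "admin":
            admins.setdefault(app, []).append(login)
    for app, names in admins.items():
        if len(names) > max_admins:
            findings.append((app, ",".join(names), f"{len(names)} admin accounts exceeds limit of {max_admins}"))
    return findings

def review_logins(log, allowed=ALLOWED_EGRESS):
    """Return (login, src_ip, finding) tuples for logins outside the allowed ranges."""
    findings = []
    for entry in log:
        if entry["action"] != "login":
            continue
        ip = ip_address(entry["src_ip"])
        if not any(ip in net for net in allowed):
            findings.append((entry["login"], entry["src_ip"], "login from outside office/VPN egress ranges"))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(SAAS_ACCOUNTS, ROSTER) + review_logins(LOGIN_LOG):
        print(finding)
```

Run against exports from each application in turn; the roster lookup is deliberately keyed on the login email so that shared mailboxes surface as findings rather than silently matching a person.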

As companies increasingly rely on SaaS solutions to do every day business, and security moves even further outside of your control, it becomes more and more important to proactively ensure the security and integrity of the solution you rely on. Employing a number of these suggestions, when considering your SaaS solutions, will help put you on the road to a higher level of security serving both your internal stakeholders and customers well.

Article from Rapid7 Blog:

The Mole – Automatic SQL Injection SQLi Exploitation Tool

The Mole is an automatic SQL Injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features:
  • Support for injections using MySQL, SQL Server, Postgres and Oracle databases.
  • Command line interface. Different commands trigger different actions.
  • Auto-completion for commands, command arguments and database, table and columns names.
  • Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
  • Developed in python 3.
If you want to see documentation, download or tutorial, please refer here:
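The boolean query based technique mentioned above relies on one defect: user input being spliced into SQL text. The following is an added example, not part of the original post and not code from The Mole: it shows that defect beside its parameterized fix on an in-memory SQLite table with constructed rows, and the true/false comparison that tells the two apart, which is the same signal a code reviewer or tester should look for.

```python
"""The defect behind boolean-based SQL injection beside its fix (added
example, not part of the original post or of The Mole).  Uses an in-memory
SQLite database with constructed rows."""
import sqlite3

def make_db():
    """Build a small constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn

def lookup_vulnerable(conn, product_id):
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE id = '" + product_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, product_id):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]

def is_blind_injectable(lookup, conn, base="1"):
    """Test premise: if a true and a false condition appended to a valid value
    produce different results, the input is reaching the SQL parser."""
    true_probe = base + "' AND '1'='1"
    false_probe = base + "' AND '1'='2"
    return lookup(conn, true_probe) != lookup(conn, false_probe)

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", is_blind_injectable(lookup_vulnerable, db))
    print("parameterized query injectable:", is_blind_injectable(lookup_safe, db))
```

With the parameterized version both probes are looked up as literal strings that match no row, so the results are identical and the check stays negative; that is the property to verify when auditing a code base, rather than relying on input filtering alone.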

Adding custom wordlists in Metasploit for brute force password audits

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:
  • If you are security testing a hospital, you may want to add a dictionary with medical terms.
  • If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
  • Another good idea is to build a custom wordlist based on the organization's website (try the Worldlist Ruby gem to generate a wordlist based on a URL scrape)
For more details, please refer to this Metasploit Blog:
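The third suggestion above (a wordlist derived from the organization’s own website) is just as useful on the defensive side, as a deny-list for a password policy. The following is an added example, not from the Metasploit blog and not the gem it mentions: it extracts visible words from a constructed HTML page, merges them with an extra dictionary (a German term here, as the second bullet suggests), and checks a candidate password against the resulting organization-specific terms.

```python
"""Organization-specific wordlist from web page text, used as a password
deny-list (added example; not from the Metasploit blog and not the gem it
mentions).  SAMPLE_HTML is a constructed page standing in for a site scrape."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head><title>Example Medical Center</title>
<style>.x{color:red}</style><script>var t = 'ignored';</script></head>
<body><h1>Welcome to Riverside Hospital</h1>
<p>Our cardiology and oncology departments serve Riverside since 1952.</p>
<p>Contact: info@riverside.test &amp; press@riverside.test</p></body></html>"""

class TextExtractor(HTMLParser):
    """Collect visible text, skipping the contents of script and style elements."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def build_wordlist(html, min_len=4, extra_words=()):
    """Unique lowercase words of at least min_len characters: site text first, then extras."""
    parser = TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z][A-Za-z0-9]{%d,}" % (min_len - 1), " ".join(parser.parts))
    seen = {}
    for w in list(words) + list(extra_words):
        seen.setdefault(w.lower(), None)   # dict preserves first-seen order
    return list(seen)

def password_contains_org_term(password, wordlist, min_term_len=5):
    """Return the organization term found inside the candidate password, or None."""
    low = password.lower()
    for term in wordlist:
        if len(term) >= min_term_len and term in low:
            return term
    return None

if __name__ == "__main__":
    wl = build_wordlist(SAMPLE_HTML, extra_words=["Krankenhaus"])
    print(len(wl), "terms:", ", ".join(wl))
    print("Riverside2011! ->", password_contains_org_term("Riverside2011!", wl))
```

For a real site, feed the fetched pages through the same extractor one by one and union the results; the minimum term length keeps short common words such as "our" from rejecting every password.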

October 2011: Ten Cisco Vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:
  • Buffer Overflow Vulnerabilities in the Cisco WebEx Player
  • Cisco Unified Contact Center Express Directory Traversal Vulnerability
  • Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
  • Cisco Security Agent Remote Code Execution Vulnerabilities
  • Cisco Unified Communications Manager Directory Traversal Vulnerability
  • CiscoWorks Common Services Arbitrary Command Execution Vulnerability
  • Cisco Show and Share Security Vulnerabilities
  • Directory Traversal Vulnerability in Cisco Network Admission Control Manager
  • Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
  • Multiple Vulnerabilities in Cisco Firewall Services Module

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.
Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as “Client build: 27.25.4.11889.” This indicates the server is running software version T27 SP25 EP4.
Details
The Cisco WebEx Recording Format (WRF) Player is affected by the following vulnerabilities:
  • Cisco WebEx Player WRF Parsing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-3319
  • Cisco WebEx Player ATAS32 Processing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-4004
The vulnerabilities may cause the player application to crash or, in some cases, remote code execution could occur.
Impact
Successful exploitation of the vulnerabilities described in this document could cause the Cisco WRF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF player application.
Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.
Vulnerable Products
The following Cisco UCCX versions are vulnerable:
  • Cisco UCCX version 6.0(x)
  • Cisco UCCX version 7.0(x)
  • Cisco UCCX version 8.0(x)
  • Cisco UCCX version 8.5(x)
The following Cisco Unified IP Interactive Voice Response versions are vulnerable:
  • Cisco Unified IP Interactive Voice Response version 6.0(x)
  • Cisco Unified IP Interactive Voice Response version 7.0(x)
  • Cisco Unified IP Interactive Voice Response version 8.0(x)
  • Cisco Unified IP Interactive Voice Response version 8.5(x)
Details
The Cisco Unified Contact Center Express is a single/two node server, integrated “contact center in a box” for use in deployments with up to 300 agents until software version 8.0(x) and 400 agents starting at version 8.5(x). The vulnerability is due to improper input validation, and could allow the attacker to traverse the filesystem directory. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. The vulnerability in Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response could be exploited over TCP port 8080 in 6.0(x) and 7.0(x) versions and TCP port 9080 starting in 8.0(x) version of the product.
Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the Cisco Unified Contact Center Express or Cisco Unified IP Interactive Voice Response filesystem.
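Three of this month’s advisories (Unified Contact Center Express above, Unified Communications Manager and NAC Manager below) are directory traversal issues reached through a crafted URL. The following is an added example, not Cisco code and not tied to any product’s implementation: a path resolver that refuses parent-directory segments after repeated URL decoding and confirms the result still lies under the document root, plus a detector for the same pattern in web server access logs. The document root and the log lines are constructed.

```python
"""Directory traversal: a hardened path resolver and a detector for traversal
attempts in web server access logs (added example; not Cisco code and not
tied to any product's implementation).  WEB_ROOT and SAMPLE_LOG are constructed."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"   # assumed document root
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment

def fully_decode(path, rounds=3):
    """Apply URL decoding until stable (bounded) so double encoding is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")   # treat backslash as a separator too

def is_traversal_attempt(url_path):
    """True if the decoded request path contains a parent-directory segment."""
    return bool(TRAVERSAL_RE.search(fully_decode(url_path)))

def resolve_under_root(requested, root=WEB_ROOT):
    """Map a URL path onto a file under root, or return None if it must be refused.

    Defence in depth: reject any '..' segment outright, then normalise and
    check that the candidate path still starts with the root."""
    if is_traversal_attempt(requested):
        return None
    normalised = posixpath.normpath("/" + fully_decode(requested).lstrip("/"))
    candidate = posixpath.join(root, normalised.lstrip("/"))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2011:12:00:02 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2011:12:00:03 +0000] "GET /img/%2e%2e/%2e%2e/config.xml HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2011:12:00:04 +0000] "GET /docs/report..pdf HTTP/1.1" 200 2048',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

def scan_log(lines):
    """Return (client_ip, path, status) for each request that looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

A 200 response to a traversal request is the line to escalate on; a 404 shows the attempt was refused but still records who is probing. The resolver deliberately rejects rather than silently normalises, since a request containing ".." has no legitimate reason to reach a file-serving handler.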
Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series of devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation prevents cameras from sending video streams, subsequently causing a reboot. The camera reboot is done automatically and does not require action from an operator.
Vulnerable Products
Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series are affected by this vulnerability. For Cisco Video Surveillance 2421 and 2500 series IP Cameras, all 1.1.x software releases and releases prior to 2.4.0 are affected by this vulnerability. For Cisco Video Surveillance 2600 IP Camera, all software releases before 4.2.0-13 are affected by this vulnerability.
Details
The Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series of devices are affected by a denial of service vulnerability triggered by crafted RTSP TCP packets, which may allow an unauthenticated attacker to cause the device to reload by sending a series of crafted packets. This vulnerability can be exploited from both wired and wireless segments.
Impact
Successful exploitation of the vulnerability may result in a DoS condition. Subsequent exploitation may result in a sustained DoS condition, as the cameras will continue to reload.
Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC.
Vulnerable Products
These vulnerabilities only affect 6.x versions of Cisco Security Agent running on Windows platforms.
Details
Version 6.x of Cisco Security Agent running on Windows platforms is affected by the following vulnerabilities:
  • Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect availability, related to File ID SDK: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0794
  • Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect availability via vectors related to Outside In Filters: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0808
Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to perform remote code execution on the affected device that will execute with Administrator privileges.
Cisco Unified Communications Manager Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.
Vulnerable Products
The following products are affected by this vulnerability:
  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.x
Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.
CiscoWorks Common Services Arbitrary Command Execution Vulnerability
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
Vulnerable Products
This vulnerability affects all versions of CiscoWorks Common Services-based products running on Microsoft Windows. Common Services version 4.1 and later are not affected by this vulnerability.
Details
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator. The vulnerability is due to improper input validation in the CiscoWorks Home Page component. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. An exploit could allow the attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
This vulnerability affects CiscoWorks Common Services running only on Microsoft Windows.
This vulnerability could be exploited over the default management ports, TCP port 1741 or 443.
Impact
Successful exploitation of this vulnerability may allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
Cisco Show and Share Security Vulnerabilities
The Cisco Show and Share webcasting and video sharing application contains two vulnerabilities.
  • The first vulnerability allows an unauthenticated user to access several administrative web pages.
  • The second vulnerability permits an authenticated user to execute arbitrary code on the device under the privileges of the web server user account.
Vulnerable Products
These vulnerabilities affect all versions of Cisco Show and Share prior to the first fixed releases as indicated in the Software Version and Fixes section of this Cisco Security Advisory.
Details
Cisco Show and Share contains the following vulnerabilities:
  • Anonymous users can access some administration pages: Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. These include pages for accessing Encoders and Pull Configurations, Push Configurations, Video Encoding Formats, and Transcoding. This vulnerability is documented in Cisco Bug ID CSCto73758, (registered customers only) and has been assigned CVE identifier CVE-2011-2584.
  • Cisco Show and Share arbitrary code execution vulnerability: An authenticated user with privileges to upload videos could upload code that could then be executed under the privileges of the web server.
Impact
These vulnerabilities have the following impact on Cisco Show and Share:
CSCto73758: Anonymous users can access some administration pages. Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. The affected administrative web pages include:
  • Encoders Configurations
  • Push Configurations
  • Video Encoding Formats
  • Transcoding
CSCto69857: Cisco Show and Share arbitrary code execution vulnerability. An authenticated user may upload arbitrary code that can be executed on the appliance with the same privileges as the web server.
Directory Traversal Vulnerability in Cisco Network Admission Control Manager
Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.
Vulnerable Products
Only Cisco NAC Manager software versions 4.8.X are affected by this vulnerability. Cisco NAC Manager software versions 4.7.X and earlier are not affected.
Details
Cisco NAC Manager contains a directory traversal vulnerability. The management interface uses TCP port 443. An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.
Impact
An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.
Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:
  • MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
  • TACACS+ Authentication Bypass vulnerability
  • Four SunRPC Inspection Denial of Service vulnerabilities
  • Internet Locator Service (ILS) Inspection Denial of Service vulnerability
Vulnerable Products
  • MSN IM Inspection Denial of Service Vulnerability: The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by a DoS vulnerability.
  • TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
  • SunRPC Inspection Denial of Service Vulnerabilities: Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
  • ILS Inspection Denial of Service Vulnerability: A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
Impact
Successful exploitation of all the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall and/or administrative sessions.
Multiple Vulnerabilities in Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:
  • Syslog Message Memory Corruption Denial of Service Vulnerability
  • Authentication Proxy Denial of Service Vulnerability
  • TACACS+ Authentication Bypass Vulnerability
  • Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  • Internet Locator Server (ILS) Inspection Denial of Service Vulnerability
Vulnerable Products
The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the “Software Version and Fixes” section for specific information on vulnerable versions.
Details
  • Syslog Message Memory Corruption Denial of Service Vulnerability: A denial of service vulnerability exists in the implementation of one specific system log message (message ID 302015, “Built outbound UDP connection session-id for src-intf:IP/Port to dst-intf:IP/Port ARP-Incomplete”) that can cause memory corruption and lead to a lock up or crash of the Cisco FWSM in the event that that system log message needs to be generated for IPv6 traffic that has flowed through the device. The Cisco FWSM may not recover on its own and a manual reboot may be necessary to recover.
  • Authentication Proxy Denial of Service Vulnerability: A denial of service vulnerability exists in some versions of Cisco FWSM Software that affects devices configured to use authentication to grant users access to the network, also known as cut-through or authentication proxy. Vulnerable configurations are those that contain the aaa authentication match or aaa authentication include commands. The vulnerability may be triggered when there is a high number of network access authentication requests.
  • TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability exists in the TACACS+ implementation in the Cisco FWSM. Successful exploitation could allow a remote attacker to bypass TACACS+ authentication of VPN users (the Cisco FWSM only allows VPN sessions for management), firewall sessions, or administrative access to the device.
  • SunRPC Inspection Denial of Service Vulnerabilities: The Cisco FWSM is affected by four vulnerabilities that may cause the device to reload during the processing of different crafted SunRPC messages when SunRPC inspection is enabled. These vulnerabilities are triggered only by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities.
  • ILS Inspection Denial of Service Vulnerability: The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.
Impact
Successful exploitation of any of the denial of service vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall, and/or administrative sessions.