Secunia Advisory: SA26161
Release Date: 2007-07-25
Last Update: 2007-07-27
Critical: Moderately critical
Impact: DoS
Where: From local network
Solution Status: Partial Fix
OS: Cisco 4400 Series Wireless LAN Controller
Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Software: Cisco Catalyst 6500 Series Wireless Service Module (WiSM)
CVE reference: CVE-2007-4011
CVE-2007-4012
Description:
Some vulnerabilities have been reported in multiple Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) Certain Cisco Wireless Lan Controllers (WLCs) do not correctly handle unicast ARP requests from MAC addresses that are unknown to the Layer-2 infrastructure, causing a second WLC to incorrectly re-forward the ARP request back into the network.
Successful exploitation allows to cause a DoS due to heavy network traffic, but requires that two WLCs are attached to the same set of Layer-2 VLANs and each have a context for the wireless client, e.g. if a guest WLAN (auto-anchor) is used or after a Layer-3 (cross-subnet) roam.
2) Broadcast ARP packets for the IP address of a known client context are not correctly handled and re-forwarded into the network.
Successful exploitation allows to cause a DoS due to heavy network traffic, but requires that more than 1 WLC is installed for the corresponding network and that the arpunicast feature is enabled.
Note: This affects version 4.1 only.
3) In certain Layer-3 (L3) roaming scenarios (e.g. when wireless clients move from one controller to another and the wireless LAN interfaces are configured on different controllers which are on different IP subnets), a foreign controller may send a unicast ARP request out to a local VLAN.
The vulnerabilities are reported in software versions 4.1, 4.0, 3.2, and prior in for the following products:
* Cisco 4100 Series Wireless LAN Controllers
* Cisco 4400 Series Wireless LAN Controllers
* Cisco Airespace 4000 Series Wireless LAN Controller
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Solution:
Version 3.2:
Reportedly, an update will be available 27-July-2007.
Version 4.0:
Reportedly, an update will be available 27-July-2007.
Version 4.1:
Update to version 4.1.181.0.
Provided and/or discovered by:
Reported to the vendor by customers.
Changelog:
2007-07-27: Added CVE reference.
Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml
Labels: Vulnerability, Wireless
CVE ID:
CVE-2007-3026
Affected Vendor:
Panda Software
Affected Products:
Panda AdminSecure 2006
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Panda AdminSecure. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the AdminSecure agent which binds by default to TCP port 19226 or 19227. When processing traffic on the listening port, the agent trusts a user-supplied length value for a memory allocation. Specific size values can result in an integer overflow and subsequently insufficient allocation size. This results in a heap-based buffer overflow that can be leverage to execute arbitrary code.
Vendor Response:
Panda Software has issued an update to correct this vulnerability. More details can be found at:
http://www.pandasoftware.com/Download/tree/
Disclosure Timeline:
2006.11.15 - Vulnerability reported to vendor
2007.07.24 - Coordinated public release of advisory
Credit:
This vulnerability was discovered by Tenable Network Security.
Labels: Anti-Virus, Vulnerability
This is an excellent article with good technical explanations. Unfortunately, no answers to the question of whodunnit.
Summary: what happened was that someone installed a very sophisticated rootkit for Vodafone's Ericsson AXE including:
* using the existing wiretapping code, but not the normal user interface;
* bypassing the logging system (of course);
* bypassing the audits;
* hiding the illegal processes from the process list (task manager in Windows or ps ax in Unix) by
modifying the relevant system code;
* adding a backdoor user;
* modified the shell to allow access to the illegal processes.
All done without rebooting the AXE switch!
On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.
The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.
A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.
It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.
Labels: Backdoor
Vista Windows Firewall Incorrectly Applies Fltering to Teredo InterfaceAuthor: Jim Hoagland / Ollie Whitehouse
Release Date: 10-07-2007
Application: Windows Firewall (Vista version)
Platform: Windows Vista (RTM and RC2 builds known affected; XP, 2003 would not be affected)
Severity: Unintended remote exposure to services
Vendor status: Resolved in MS07-038
CVE Number: CVE-2007-3038
Reference: http://www.securityfocus.com/bid/24779
Overview: Windows Firewall for Windows Vista is the Microsoft provided
firewall solution. It is installed and enabled out-of-the-box,
with most ports filtered.
Due to an implementation issue, the Windows Firewall does not
apply firewall rules correctly on the Teredo Interface. This
allows a level of remote access to TCP and UDP ports and services
that exceeds what Microsoft expected and what an administrator
would expect.
Details: Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable
hosts that are located behind an IPv4 NAT. It is installed and
enabled out-of-the-box on Windows Vista. It provides end-to-end
automatic tunneling through a NAT by tunneling IPv6 over IPv4 UDP
packets. Once a Teredo interface becomes set up (in Teredo
terminology: qualified), anyone on the Internet that knows the
Teredo address can send it packets and possibly establish
sessions. This capability persists until the Teredo interface
becomes de-qualified for some reason; while in general Teredo
works to keep an Teredo interface qualified, under some
circumstances, Vista will shut down the interface after 60 minutes
of inactivity.
By design, Windows Firewall is supposed to block all access to
ports on the Teredo interface, except for cases where
access-though-Teredo is specifically requested (through the "Edge
Traversal" flag in the firewall rule being set). However, due to a
logic bug, it does not apply this restriction. Instead, any port
that is accessible on the local network is also accessible from
any host on the Internet over the Teredo interface, even if the
firewall rule specifies "remote address=local subnet".
The level of exposure depends on current firewall rule settings.
An out-of-the-box Vista installation with a network profile set
to "private" will expose the following port across the Teredo
interface:
* TCP port 5357 (Web Services for Devices)
An exposed service may reveal sensitive or useful information to
an attacker. In combination with a vulnerability in the service
it may also provide an avenue of attack. In addition, a service
that was designed to only be accessible in trusted circumstances
may simply not present an adequate security posture for general
Internet access.
It is not considered difficult for a remote user to cause the
Teredo interface to become qualified. Teredo can become qualified
simply because Vista or some application wants to use IPv6 for
whatever reason. The attacker would then just have to guess the
Teredo address or learn it by some means and they would be able to
access any open ports.
Teredo will also become qualified if the address of a peer
represents a Teredo address (perhaps even if the peer has a native
IPv6 Internet access). Thus an attacker can send a URL of this
form "http://[2001:0:...]/..." through e-mail, IM, HTTP, etc, and
if the URL is followed, the attacker will both know the Teredo
address of the victim and will have had the victim become
qualified. A HTTP redirect to such a URL would also work and may be
more stealthy. Reportedly, Vista will not return AAAA records
corresponding to Teredo addresses, so attackers Teredo address
would have to be listed by address and not by hostname.
Vendor Response: This has been patched in MS07-038.
Recommendation: Apply the patch contained in MS07-038.
In addition you should consider whether Teredo poses an acceptable
level of exposure to your network. If it provides too much
exposure (e.g., due to bypassing network-based security controls),
you should disable Teredo and block it on your network
Labels: Bug, Firewall, Microsoft