September 08, 2008 - Current Activity

Exploit Code Available for CitectSCADA Vulnerability

In June, US-CERT published Vulnerability Note VU#476345 to alert users of a vulnerability affecting Citect CitectSCADA. This vulnerability is due to a buffer overflow condition in the handling of ODBC requests from clients. Exploit code for this vulnerability is publicly available and exploitation may allow an attacker to execute arbitrary code.

US-CERT encourages users to review Vulnerability Note VU#476345 and apply the patch as described in the document.

Cisco Releases Advisory and Security Response

Cisco has released a Cisco Security Advisory to address multiple vulnerabilities in Cisco PIX and ASA. These vulnerabilities may allow an attacker to cause a denial-of-service condition or obtain sensitive information. Additionally, Cisco has released a Security Response to address a vulnerability in Cisco Secure ACS. This vulnerability may allow an attacker to cause a denial-of-service condition on the affected system.

US-CERT encourages users to review Cisco Security Advisory cisco-sa-20080903-asa, review Cisco Security Response document 107443, and apply any necessary workarounds or updates listed in those documents to help mitigate the risks.

Microsoft Releases Advance Notification for September Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its September release cycle will contain four bulletins, all of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, and Visual Studio. Release of these bulletins is scheduled for Tuesday, September 9.

US-CERT will provide additional information as it becomes available.

FCC Releases Public Notice about Phishing Scam

The Federal Communications Commission (FCC) has released a public notice alerting users of a potential phishing attack. The notice indicates that non-government entities may be using websites to misdirect regulatory fee payers to an illegitimate website in an attempt to obtain their financial information.

US-CERT encourages users to review the FCC public notice (pdf) and refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Novell Releases Update for iPrint Vulnerability

Novell has released an update to address multiple vulnerabilities in iPrint. These vulnerabilities are due to the following:

• multiple buffer overflow conditions within the Novell iPrint ActiveX control (ienipp.ocx)
• multiple buffer overflow conditions within nipplib.dll
• an insecure "GetFileList()" method

Google Chrome Download Vulnerability

US-CERT is aware of a vulnerability that affects the Google Chrome web browser. This vulnerability is due to a default configuration that allows files to be downloaded without prompting the user. In addition, downloaded files can be opened with a single click, which could allow a user to inadvertently open a malicious file.

US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences. Although this does not fix the underlying vulnerability, selecting this option will warn the user before files are downloaded. Users should still exercise caution when visiting and downloading items from untrusted websites.

US-CERT will provide additional information as it becomes available.

VMware Releases Security Announcement

VMware has released a security announcement to address multiple vulnerabilities in VMware Workstation, VMware Player, VMware ACE, VMware Server, and VMware ESX. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, access the system with elevated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the VMware security announcement and apply any necessary updates.

Hurricane Gustav and Phishing Scams

In the past, US-CERT has received reports of an increased number of phishing scams that take advantage of natural disasters. Due to the current situation involving Hurricane Gustav, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as requests for donations from a charitable organization asking users to click on a link that will take them to a fraudulent website that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

• Do not follow unsolicited web links received in email messages.
• Review the Federal Trade Commission's Charity Checklist.
• Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.

• Recognizing and Avoiding Email Scams (pdf)
• Avoiding Social Engineering and Phishing Attacks

SSH Key-based Attacks

US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.

Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Detection of phalanx2 as used in this attack may be performed as follows:

• "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
• "/dev/shm/" may contain files from the attack.
• Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
• Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in "/etc" against the number of directories shown by "ls".

• Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
• Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
• Review access paths to internet facing systems and ensure that systems are fully patched.

• Disable key-based SSH authentication on the affected systems, where possible.
• Perform an audit of all SSH keys on the affected systems.
• Notify all key owners of the potential compromise of their keys.

Microsoft Revised Security Bulletin MS08-051

Microsoft has revised Security Bulletin MS08-051, which addresses vulnerabilities in Microsoft PowerPoint. This revision describes a rerelease of the standalone update package for Microsoft Office PowerPoint 2003.

According to Microsoft, users who applied the update provided through Microsoft Update or Office Update do not need to take further action. Users who installed the original standalone update should apply the updated package as described in the revised Microsoft Security Bulletin.

US-CERT encourages users and administrators to review Microsoft Security Bulletin MS08-051 and apply or reapply any necessary updates.