Commonwealth Security Advisory – January 14th, 2009

Commonwealth Security and Risk Management staff have been tracking multiple vulnerabilities related to Microsoft Windows, Oracle Database products, BlackBerry Enterprise Server, HP OpenView, SSL certificates signed via MD5 Hash, and OpenSSL. In addition, Commonwealth Security and Risk Management staff have been reviewing reports of malicious software spreading via emails purporting to be from news organizations such as CNN, USA Today, and Fox News. These malicious emails invite the recipient to select a URL to view a video related to President-Elect Barack Obama. Our recommendations are included below as some of the vulnerabilities may have significant impact for the Commonwealth Information Security community.

Vulnerability Description: Microsoft Security Bulletin MS09-001

Pertinent Details: Vulnerabilities in SMB Could Allow Remote Code Execution (958687). This Microsoft security update resolves multiple vulnerabilities in the Microsoft Server Message Block (SMB) Protocol. These vulnerabilities may allow remote code execution on affected systems. A malicious individual who successfully exploits any of these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Failed attempts to exploit this vulnerability will most likely result in a denial-of-service condition. Local users whose accounts are configured to have fewer user rights on the system could be less impacted than those users who operate with administrative user rights. Firewall best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Affected Microsoft Products: Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, Microsoft Windows XP Professional x64 Edition, Microsoft Windows XP Professional x64 Edition Service Pack 2, Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows Server 2003 Service Pack 2, Microsoft Windows Server 2003 x64 Edition, Microsoft Windows Server 2003 x64 Edition Service Pack 2, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft Windows Vista, Microsoft Windows Vista Service Pack 1, Microsoft Windows Vista x64 Edition, Microsoft Windows Vista x64 Edition Service Pack 1, Microsoft Windows Server 2008 for 32-bit Systems, Microsoft Windows Server 2008 for x64-based Systems, and Microsoft Windows Server 2008 for Itanium-based Systems.

Recommended Action: Review the Microsoft security bulletin located at http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx. Install the software patch for your version of Microsoft Windows according to Microsoft Security Bulletin MS09-001 as soon as possible after appropriate testing. This update will require a system restart.

Vulnerability Description: Oracle January Critical Patch Update

Pertinent Details: Oracle has issued a security advisory to address multiple vulnerabilities in Oracle software.

Oracle Database software update addresses ten security vulnerabilities. Remote exploitation of the ten vulnerabilities without authenticated credentials is not possible. The versions of Oracle Database software affected by this security advisory are Oracle Database 11g, version 11.1.0.6, Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4, Oracle Database 10g, version 10.1.0.5, and Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV.

Oracle Times Ten Data Server software update addresses one security vulnerability. A malicious individual could remotely exploit this vulnerability without the need for authenticated credentials. The versions of Oracle Times Ten Data Server software affected by this security advisory are Oracle TimesTen In-Memory Database version 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, and 7.0.5.4.0.

Oracle Secure Backup software update addresses nine security vulnerabilities. A malicious individual could remotely exploit any of these vulnerabilities without the need for authenticated credentials. This software update is applicable to client-only installations (installations that do not have an Oracle Secure Backup installed). The versions of Oracle Secure Backup software affected by this security advisory are Oracle Secure Backup version 10.2.0.2, 10.2.0.3, and Oracle Secure Backup version 10.1.0.1, 10.1.0.2, 10.1.0.3.

Oracle Application Server software update addresses four security vulnerabilities. A malicious individual could remotely exploit two of the vulnerabilities without the need for authenticated credentials. This software update is not applicable to client-only installations (installations that do not have an Oracle Application Server installed). The versions of Oracle Application Server software affected by this security advisory are Oracle Application Server 10g Release 3 (10.1.3), version 10.1.3.3.0, and Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0.

Oracle Collaboration Suite software update addresses one security vulnerability. Remote exploitation of this vulnerability without authenticated credentials is not possible. This software update is not applicable to client-only installations (installations that do not have an Oracle Collaboration Suite installed). The version of Oracle Collaboration Suite software affected by this security advisory is Oracle Collaboration Suite 10g, version 10.1.2.

Oracle E-Business Suite and Applications software update addresses four security vulnerabilities. Remote exploitation of the four vulnerabilities without authenticated credentials is not possible. This software update is not applicable to client-only installations (installations that do not have an Oracle Applications Suite installed). The versions of Oracle E-Business Suite software affected by this security advisory are Oracle E-Business Suite Release 12, version 12.0.6, and Oracle E-Business Suite Release 11i, version 11.5.10.2.

Oracle Enterprise Manager software update addresses one security vulnerability. Remote exploitation of this vulnerability without authenticated credentials is not possible. This software update is not applicable to client-only installations (installations that do not have an Oracle Enterprise Manager installed). The version of Oracle Enterprise Manager software affected by this security advisory is Oracle Enterprise Manager Grid Control 10g Release 4, version 10.2.0.4.

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne software update addresses six security vulnerabilities. Remote exploitation of the six vulnerabilities without authenticated credentials is not possible. The versions of Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne software affected by this security advisory are PeopleSoft Enterprise HRMS versions 8.9, 9.0 and 9.1, and JD Edwards Tools version 8.97.

Oracle BEA Products software update addresses five security vulnerabilities. A malicious individual could remotely exploit any of these vulnerabilities without the need for authenticated credentials. The versions of Oracle BEA software affected by this security advisory are Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA, Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3, Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6, Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7, Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA, Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3, and Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6.

More information can be found at the following URLs:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Recommended Action: Review the Oracle security advisory located at the following URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html. For those running Oracle Application Server, apply the software updates as soon as possible after appropriate testing. Apply the software updates for all other affected Oracle software during the next scheduled patch cycle.

Vulnerability Description: BlackBerry Products PDF Distiller Multiple Vulnerabilities

Pertinent Details: Research In Motion has released a security advisory to address multiple vulnerabilities in the BlackBerry Enterprise Server and BlackBerry Unite!. These vulnerabilities may be exploited by malicious individuals to compromise a vulnerable system. These vulnerabilities are the result of unspecified errors in the PDF distiller component of the BlackBerry Attachment Service. These vulnerabilities could be exploited to generate memory corruptions when an email containing a specially crafted PDF document is opened for viewing. The successful exploitation of any of these vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in the following products and versions: BlackBerry Enterprise Server version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 6 (4.1.6), BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4), and BlackBerry Unite! versions prior to 1.0 Service Pack 3 (1.0.3) bundle 28.

More information can be found at the following URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

Recommended Action: Review the BlackBerry security advisories located at the following URLs: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 and http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119. Apply the required software updates as soon as possible after appropriate testing.

Vulnerability Description: HP OpenView Network Node Manager Multiple Vulnerabilities

Pertinent Details: Secunia Research has discovered multiple vulnerabilities in HP OpenView Network Node Manager. These vulnerabilities could be exploited by malicious individuals to compromise a vulnerable system by use of an HTTP request with an overly long parameter string. The affected CGI applications include OpenView5.exe, getcvdata.exe, ovlaunch.exe, and Toolbar.exe. The end result of a successful exploitation of any of these vulnerabilities would be remote arbitrary code execution. The vulnerabilities are confirmed in version 7.51 with NNM_01168. Other versions may also be affected.

More information can be found at the following URLs:

http://secunia.com/secunia_research/2008-13/

http://secunia.com/advisories/28074/

Recommended Action: The vendor has not released a software update. Review the security advisory published by Secunia. Restrict access to all affected CGI applications.

Vulnerability Description: SSL certificates signed via MD5 Hash

Pertinent Details: The security research team of Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to generate digital certificates for secure websites. This vulnerability is due to a weakness in the MD5 cryptographic hash function such that two different identification values can yield the same MD5 hash value and therefore the same MD5 Hash signature. This ability to have two equal MD5 Hash signatures for two separate identities can be exploited to create a rogue Certification Authority (CA) certificate trusted by all common web browsers, allowing malicious individuals to impersonate any website on the Internet, including banking and e-commerce websites secured through the use of the HTTPS protocol. This rogue certificate will be accepted as valid and trusted by all common web browsers because it appears to be signed by one of the Internet root CAs that most web browsers trust by default. This rogue certificate can be used to simplify a man-in-the-middle attack where the end user is assured that the connection is secure through all common security indicators.

More information can be found at the following URLs:

http://isc.sans.org/diary.html?storyid=5587

http://www.win.tue.nl/hashclash/rogue-ca/

http://www.microsoft.com/technet/security/advisory/961509.mspx

http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/

http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx

Recommended Action: Review the SSL/HTTPS web server certificates installed on the web servers under your control. Request a new SHA-1 signed certificate for any MD5-based certificate. Remind your user community to closely review any SSL certificate warning they receive while accessing information on the Internet. Do not ignore SSL certificate warnings. If in doubt, simply close the browser window and contact the company by telephone to determine why the vendor’s website is having SSL certificate issues.
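The review step above can be automated: the outer signatureAlgorithm of a DER-encoded X.509 certificate carries the OID that identifies the hash used for the CA signature. The following script is an added example, not part of the advisory; it walks just enough DER to read that OID and flags md5WithRSAEncryption (OID 1.2.840.113549.1.1.4). The sample certificates it builds are constructed stand-ins for the parser to run on, not real certificates; feed it the bytes of a real DER certificate (for example the output of `openssl x509 -outform DER`) to check a server you control.

```python
# Flag X.509 certificates whose outer signatureAlgorithm is MD5-based.
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # PKCS#1 OID

def _read_tlv(buf, pos):
    # Return (tag, content, next_pos) for the DER TLV starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    # DER OID content bytes -> dotted-decimal string (base-128 arcs).
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    # The second element of the outer SEQUENCE is the AlgorithmIdentifier.
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)       # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def is_md5_signed(cert_der):
    return signature_algorithm_oid(cert_der) in MD5_SIG_OIDS

# --- constructed stand-in certificates (not real certificates) ---
def _der(tag, content):                      # short-form lengths only (< 128)
    return bytes([tag, len(content)]) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def make_sample_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))    # placeholder tbsCertificate body
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(64))    # dummy signature BIT STRING
    return _der(0x30, tbs + alg + sig)
```

A certificate for which `is_md5_signed` returns True is one the advisory says to replace with a SHA-1 signed certificate.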

Vulnerability Description: OpenSSL Multiple Vulnerabilities

Pertinent Details: The OpenSSL project has released a security advisory to address a single vulnerability in OpenSSL. This vulnerability is due to the fact that the software package fails to properly check the result of the EVP_VerifyFinal function when performing signature checks on DSA and ECDSA keys used with SSL/TLS. This vulnerability, if successfully exploited by a malicious individual, could result in a malformed signature being treated as valid and allow the malicious individual to bypass signature checks and conduct spoofing or phishing attacks. A successful exploitation requires that the server uses a certificate containing a DSA or ECDSA key.

OpenSSL releases prior to OpenSSL 0.9.8j are susceptible to this vulnerability.

More information can be found at the following URLs:

http://openssl.org/

http://www.openssl.org/news/secadv_20090107.txt

http://www.securityfocus.com/bid/33150/info

http://www.securityfocus.com/bid/33151/info

http://secunia.com/advisories/33338/

http://www.us-cert.gov/current/index.html#cisco_releases_security_advisory_for4

Recommended Action: Review the OpenSSL security advisory located at the following URL: http://openssl.org/. Apply any vendor released updates for the OpenSSL package or upgrade to the newest version of the software as described in the OpenSSL advisory as soon as possible after appropriate testing.

Vulnerability Description: Malicious software spreading via email

Pertinent Details: Commonwealth Security and Risk Management staff have been reviewing reports of malicious software spreading via emails purporting to be from news organizations such as CNN, USA Today, and Fox News. These malicious emails invite the recipient to select a URL to view a video related to President-Elect Barack Obama. If the recipient selects the URL included in the email, the recipient will be prompted to update the Adobe Flash Player software installed on the computer. The update downloaded via the email link is not a legitimate Adobe Flash Player update, but malicious software intended to steal sensitive data.

This email should be deleted upon receipt. Users should never disclose authentication information (passwords or PINs) to anyone, including support personnel.

Phishing campaigns are a form of social engineering, an attack that uses human interaction to obtain or compromise information about an individual or organization. Phishing attacks use either email or malicious web sites to solicit personal information from targeted individuals. Attackers attempt to replicate the look and format of emails from reputable companies, government agencies, or financial institutions.

More information can be found at the following URLs:

http://www.us-cert.gov/cas/tips/ST04-010.html

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.us-cert.gov/current/index.html#us_tax_court_spear_phishing

Recommended Action: Instruct your users to delete this and all malicious emails upon receipt. To mitigate the potential threat presented by a malicious email campaign, it is recommended that you remind your users to never reveal personal or financial information in an email, and to never respond to email solicitations for this information. Advise them, if possible, to check with the person who supposedly sent the email to make sure that it is legitimate prior to opening any attachments. Scan any attachments at the network perimeter as well as the desktop with anti-virus software before opening the attachment.

Install and maintain anti-virus software, firewalls, and email filters to reduce the amount of unsolicited and unwanted traffic. Also advise users to never open attachments or click links contained in unsolicited email messages. Always examine the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain extension such as .com vs. .net. If the legitimacy of an email request needs to be verified, try to verify the origin of the email by contacting the company directly. Never use the contact information provided on a web site connected directly to the email request.

Use caution when downloading and installing applications. Obtain software applications and updates directly from the vendor’s website.

An additional step to help mitigate the risk of a phishing campaign is to limit the administrative rights of the local users through the implementation of the Least-Privileged best practice. Granting each local user only those system access rights required to perform the duties assigned to each local user will reduce the impact of any exploit successfully downloaded to the local user’s computer. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).