
Most Critical Internet Security Threats - From SANS

posted on June 3, 2001
by hitbsecnews

In a retrospective article, the SANS Top 10 list of critical vulnerabilities for the year
2000 was republished. Although it does not reflect the most current vulnerabilities
or exploits, it does let you see where everyone stood as of January 2001,
when the listing was last updated. Here on SNPortal we have brought the list
back so you can look at what the hot issues were just five months ago...

The list is © 2000-2001 SANS Institute and can be found at http://www.sans.org/topten.htm

Contact scott@sans.org if there is anything you would like to ask regarding the top ten list.

The List:

1. BIND weaknesses: nxt, qinv and in.named allow immediate root compromise.

The Berkeley Internet Name Domain (BIND) package is the most widely
used implementation of Domain Name Service (DNS) -- the critical means by which we all
locate systems on the Internet by name (e.g., www.sans.org) without having to know
specific IP addresses -- and this makes it a favorite target for attack. Sadly, according
to a mid-1999 survey, about 50% of all DNS servers connected to the Internet are running
vulnerable versions of BIND. In a typical example of a BIND attack, intruders erased the
system logs, and installed tools to gain administrative access. They then compiled and
installed IRC utilities and network scanning tools, which they used to scan more than a
dozen class-B networks in search of additional systems running vulnerable versions of
BIND. In a matter of minutes, they had used the compromised system to attack hundreds of
remote systems abroad, resulting in many additional successful compromises. This
illustrates the chaos that can result from a single vulnerability in the software for
ubiquitous Internet services such as DNS.

Systems Affected:
Multiple UNIX and Linux systems

CVE Entries:
nxt CVE-1999-0833
qinv CVE-1999-0009
Other related entries: CVE-1999-0835, CVE-1999-0848, CVE-1999-0849, CVE-1999-0851

Advice on correcting the problem:
A. Disable the BIND name daemon (named) on all systems that are not authorized to be DNS
servers. Some experts recommend you also remove the DNS software.

B. On machines that are authorized DNS servers, update to the latest version and patch
level. Use the guidance contained in the following advisories:

For the NXT vulnerability: http://www.cert.org/advisories/CA-99-14-bind.html
For the QINV (Inverse Query) and NAMED vulnerabilities: http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/summaries/CS-98.04.html

C. Run BIND as a non-privileged user for protection in the event of future
remote-compromise attacks. (However, only processes running as root can be configured to
use ports below 1024 - a requirement for DNS. Therefore you must configure BIND to
change the user-id after binding to the port.)

D. Run BIND in a chroot()ed directory structure for protection in the event of future
remote-compromise attacks.
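Advice C describes the order a name server has to follow: bind the privileged port while still root, then change user-id so a later remote compromise lands in an unprivileged account. The C program below is an added example written for this page, not BIND's own code; it assumes uid/gid 65534 is the unprivileged account and uses a UDP socket on port 53 (chroot, advice D, is not shown).

```c
#define _DEFAULT_SOURCE 1          /* for setgroups() under strict -std modes */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>

/* Open a UDP socket on `port` while still privileged. Port 53 (DNS) is below
 * 1024, so this step must happen before the user-id change. Port 0 asks the
 * kernel for an unprivileged port and is handy for testing as a normal user.
 * Returns the descriptor, or -1 on failure. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);   /* a real server picks its interfaces */
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently switch to an unprivileged uid/gid. The order matters:
 * supplementary groups and gid first, because once the uid is non-zero those
 * calls would fail. setuid() from root changes real, effective and saved ids
 * together, so the drop cannot be undone; the final checks prove that.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) { errno = EINVAL; return -1; }          /* refuse to "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Regaining root must now be impossible and the ids must be what we asked. */
    if (setuid(0) != -1 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    int fd = bind_udp_port(53);                 /* needs root at this point */
    if (fd < 0) { perror("bind udp/53"); return 1; }
    /* 65534 is assumed to be an unprivileged "nobody"-style account. */
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    printf("udp/53 bound; now running as uid %u, root cannot be regained\n",
           (unsigned)geteuid());
    close(fd);
    return 0;
}
```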

2. Vulnerable CGI programs and application extensions (e.g., ColdFusion) installed on web servers.

Most web servers support Common Gateway Interface (CGI) programs to
provide interactivity in web pages, such as data collection and verification. Many web
servers come with sample CGI programs installed by default. Unfortunately, many CGI
programmers fail to consider ways in which their programs may be misused or subverted to
execute malicious commands. Vulnerable CGI programs present a particularly attractive
target to intruders because they are relatively easy to locate, and they operate with the
privileges and power of the web server software itself. Intruders are known to have
exploited vulnerable CGI programs to vandalize web pages, steal credit card information,
and set up back doors to enable future intrusions, even if the CGI programs are secured.
When Janet Reno's picture was replaced by that of Adolph Hitler at the Department of
Justice web site, an in-depth assessment concluded that a CGI hole was the most probable
avenue of compromise. Allaire's ColdFusion is a web server application package which
includes vulnerable sample programs when installed. As a general rule, sample programs
should always be removed from production systems.

Systems Affected:
All web servers.

CVE Entries:
** Sample CGI programs (All CGI)
Remedy:
Remove all sample CGI programs on a production server.

** CAN-1999-0736 (IIS 4.0, Microsoft Site Server 3.0, which is included with Microsoft
Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft
BackOffice Server 4.0 and 4.5)
(see http://www.microsoft.com/technet/security/bulletin/ms99-013.asp)
Remedy:
Apply patch at: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/

CVE-1999-0067 (phf phone book program included with older NCSA and Apache server)
CVE-1999-0068 ('mylog.html' sample script shipped with the PHP/FI)
CVE-1999-0270 (IRIX 6.2, IRIX 6.3, IRIX 6.4)
CVE-1999-0346 (sample script shipped with the PHP/FI package)
CVE-2000-0207 (IRIX 6.5)

Most important CGI Vulnerabilities not including sample programs
CAN-1999-0467 (WebCom Guestbook CGI)

** CAN-1999-0509 (All CGI Web Servers)
Refer to http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html

Remedy:
The solution to this problem is to ensure that the CGI bin directory does not include any
general-purpose interpreters, for example

  • PERL
  • Tcl
  • UNIX shells (sh, csh, ksh, etc.)

CVE-1999-0021 (Muhammad A. Muquit's wwwcount version 2.3)
CVE-1999-0039 (Outbox Environment Subsystem for IRIX)
CVE-1999-0058 (PHP/FI package written by Rasmus Lerdorf)
CVE-1999-0147 (Glimpse HTTP 2.0 and WebGlimpse)
CVE-1999-0148 (Outbox Environment Subsystem for IRIX)
CVE-1999-0149 (Outbox Environment Subsystem for IRIX)

** CVE-1999-0174 (All CGI Web Servers) Refer to
http://xforce.iss.net/static/291.php
(More info at http://www.netspace.org/cgi-bin/wa?A2=ind9702B&L=bugtraq&P=R64)
Remedy:
Remove the "view-source" script from the cgi-bin directory on your web server.

CVE-1999-0177 (O'Reilly Website 2.0 and earlier CGI)
CVE-1999-0178 (O'Reilly Website 2.0 and earlier CGI)
CVE-1999-0237 (Webcom's CGI Guestbook for Win32 web servers)
CVE-1999-0262 (fax survey CGI script on Linux)
CVE-1999-0279 (Excite for Web Servers)
CVE-1999-0771 (Compaq Management Agents and the Compaq Survey Utility)
CVE-1999-0951 (OmniHTTPd CGI program)
CVE-2000-0012 (MS SQL CGI program)
CVE-2000-0039 (AltaVista search engine)
CVE-2000-0208 (htsearch CGI script for ht://dig)

ColdFusion Sample Program Vulnerabilities
** CAN-1999-0455
** CAN-1999-0922
** CAN-1999-0923

ColdFusion Other Vulnerability
** CAN-1999-0760
** CVE-2000-0057

Advice on correcting the problem:
A. Do not run web servers as root

B. Get rid of CGI script interpreters in bin directories:

http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html

C. Remove unsafe CGI scripts

http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html
http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
http://www.cert.org/advisories/CA-97.12.webdist.html

D. Write safer CGI programs:

http://www-4.ibm.com/software/developer/library/secure-cgi/
http://www.cert.org/tech_tips/cgi_metacharacters.html
http://www.cert.org/advisories/CA-97.24.Count_cgi.html

E. Don't configure CGI support on Web servers that don't need it.

F. Run your Web server in a chroot()ed environment to protect the machine against
yet-to-be-discovered exploits.
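Advice D (the CERT tech tip on shell metacharacters) is the point most CGI authors got wrong: they tried to escape dangerous characters before handing user input to a shell, and missed one. The C program below is an added example written for this page, not code from SANS or from any package listed above; it validates the query against an allow-list and runs the helper with execve() and an explicit argv so no shell ever parses user input. /bin/echo stands in for the lookup program, and the allow-list and MAX_ARG limit are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_ARG 32

/* The pattern that made sample CGIs such as phf exploitable: user input is
 * spliced into a command line and handed to a shell, so any metacharacter
 * the escaping routine forgets (phf missed newline) runs a second command.
 *     snprintf(cmd, sizeof cmd, "/usr/bin/finger %s", query);
 *     p = popen(cmd, "r");            -- shown as a comment, never executed */

/* Allow-list validation instead of escaping: 1..MAX_ARG characters from
 * [A-Za-z0-9._-], and no leading '-' so the value cannot be read as an
 * option by the program it is passed to. Returns 1 if acceptable, else 0. */
int is_safe_arg(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Run `prog` with one validated argument and no shell: fork + execve with an
 * explicit argv and a minimal environment. Child stdout is collected into
 * buf (at most bufsz-1 bytes, NUL-terminated). Returns the child's exit
 * status, or -1 if the argument is rejected or a system call fails. */
int run_checked(const char *prog, const char *arg, char *buf, size_t bufsz) {
    int pfd[2];
    if (!is_safe_arg(arg) || bufsz == 0 || pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {                                  /* child */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]); close(pfd[1]);
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(prog, argv, envp);
        _exit(127);                                  /* exec failed */
    }
    close(pfd[1]);
    size_t got = 0; ssize_t r;
    while (got < bufsz - 1 && (r = read(pfd[0], buf + got, bufsz - 1 - got)) > 0)
        got += (size_t)r;
    buf[got] = '\0';
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* A real CGI URL-decodes QUERY_STRING first; that step is assumed done. */
    const char *q = getenv("QUERY_STRING");
    char out[256];
    printf("Content-Type: text/plain\r\n\r\n");
    if (!q || run_checked("/bin/echo", q, out, sizeof out) != 0) { printf("request rejected\n"); return 0; }
    printf("%s", out);
    return 0;
}
```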

3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise

Remote procedure calls (RPC) allow programs on one computer to
execute programs on a second computer. They are widely-used to access network services
such as shared files in NFS. Multiple vulnerabilities caused by flaws in RPC are being
actively exploited. There is compelling evidence that the vast majority of the distributed
denial of service attacks launched during 1999 and early 2000 were executed by systems
that had been victimized because they had the RPC vulnerabilities. The broadly successful
attack on U.S. military systems during the Solar Sunrise incident also exploited an RPC
flaw found on hundreds of Department of Defense systems.

Systems Affected:
Multiple UNIX and Linux systems

CVE Entries:
rpc.ttdbserverd - CVE-1999-0687, CVE-1999-0003, CVE-1999-0693 (-0687 is newer than -0003,
but both allow root from remote attackers and it's likely that -0003 is still around a
LOT; -0693 is only locally exploitable, but does give root)
rpc.cmsd - CVE-1999-0696
rpc.statd - CVE-1999-0018, CVE-1999-0019.

Advice on correcting the problem:
A. Wherever possible, turn off and/or remove these services on machines directly
accessible from the Internet.

B. Where you must run them, install the latest patches:

For Solaris Software Patches:
http://sunsolve.sun.com

For IBM AIX Software
http://techsupport.services.ibm.com/support/rs6000.support/downloads
http://techsupport.services.ibm.com/rs6k/fixes.html

For SGI Software Patches:
http://support.sgi.com/

For Compaq (Digital Unix) Patches:
http://www.compaq.com/support

Search the vendor patch database for tooltalk patches and install them right away.

A summary document pointing to specific guidance about each of three principal RPC
vulnerabilities may be found at: http://www.cert.org/incident_notes/IN-99-04.html

For statd: http://www.cert.org/advisories/CA-99-05-statd-automountd.html

For ToolTalk: http://www.cert.org/advisories/CA-98.11.tooltalk.html
For Calendar Manager: http://www.cert.org/advisories/CA-99-08-cmsd.html

4. RDS security hole in the Microsoft Internet Information Server (IIS)

Microsoft's Internet Information Server (IIS) is the web server
software found on most web sites deployed on Microsoft Windows NT and Windows 2000
servers. Programming flaws in IIS's Remote Data Services (RDS) are being employed by
malicious users to run remote commands with administrator privileges. Some participants
who developed the "Top Ten" list believe that exploits of other IIS flaws, such
as .HTR files, are at least as common as exploits of RDS. Prudence dictates that
organizations using IIS install patches or upgrades to correct all known IIS security
flaws when they install patches or upgrades to fix the RDS flaw.

Systems Affected:
Microsoft Windows NT systems using Internet Information Server

CVE Entries:
CVE-1999-1011

Advice on correcting the problem:
A. An outstanding guide to the RDS weakness and how to correct it may be found
at: http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2

B. Microsoft has also posted relevant information at:

http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp

5. Sendmail and MIME buffer overflows as well as pipe attacks that allow immediate root compromise.

Sendmail is the program that sends, receives, and forwards most
electronic mail processed on UNIX and Linux computers. Sendmail's widespread use on
the Internet makes it a prime target of attackers. Several flaws have been found over the
years. The very first advisory issued by CERT/CC in 1988 made reference to an exploitable
weakness in sendmail. In one of the most common exploits, the attacker sends a crafted
mail message to the machine running Sendmail, and Sendmail reads the message as
instructions requiring the victim machine to send its password file to the attacker's
machine (or to another victim) where the passwords can be cracked.

Systems Affected:
Multiple UNIX and Linux systems

CVE Entries:
CVE-1999-0047, CVE-1999-0130, CVE-1999-0131, CVE-1999-0203, CVE-1999-0204, CVE-1999-0206.
CVE-1999-0130 is locally exploitable only.

Advice on correcting the problem:
A. Upgrade to latest version of Sendmail and/or implement patches for sendmail. See
http://www.cert.org/advisories/CA-97.05.sendmail.html

B. Do not run Sendmail in daemon mode (turn off the -bd switch) on machines that are
neither mail servers nor mail relays.

6. sadmind and mountd

Sadmind allows remote administration access to Solaris systems,
providing graphical access to system administration functions. Mountd controls and
arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications can
be exploited allowing attackers to gain control with root access.

Systems Affected:
Multiple UNIX and Linux systems
Sadmind: Solaris machines only

CVE Entries:
sadmind - CVE-1999-0977
mountd - CVE-1999-0002.

Advice on correcting the problem:
A. Wherever possible, turn off and/or remove these services on machines directly
accessible from the Internet.

B. Install the latest patches:

For Solaris Software Patches:
http://sunsolve.sun.com

For IBM AIX Software
http://techsupport.services.ibm.com/support/rs6000.support/downloads
http://techsupport.services.ibm.com/rs6k/fixes.html

For SGI Software Patches:
http://support.sgi.com/

For Compaq (Digital Unix) Patches:
http://www.compaq.com/support

C. More guidance at:

http://www.cert.org/advisories/CA-99-16-sadmind.html
http://www.cert.org/advisories/CA-98.12.mountd.html

7. Global file sharing and inappropriate information sharing via NetBIOS and
Windows NT ports 135-139 (445 in Windows 2000), or UNIX NFS exports on port
2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548.

These services allow file sharing over networks. When improperly
configured, they can expose critical system files or give full file system access to any
hostile party connected to the network. Many computer owners and administrators use these
services to make their file systems readable and writeable in an effort to improve the
convenience of data access. Administrators of a government computer site used for software
development for mission planning made their files world readable so people at a different
government facility could get easy access. Within two days, other people had discovered
the open file shares and stolen the mission planning software.

When file sharing is enabled on Windows machines they become vulnerable to both
information theft and certain types of quick-moving viruses. A recently released virus
called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and
causes the victim's computer to dial 911 on its modem. Macintosh computers are also
vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also be used to
enumerate sensitive system information from NT systems. User and Group information
(usernames, last logon dates, password policy, RAS information), system information, and
certain Registry keys may be accessed via a "null session" connection to the
NetBIOS Session Service. This information is typically used to mount a password guessing
or brute force password attack against the NT target.

Systems Affected:
UNIX, Windows, and Macintosh systems.

CVE Entries:
SMB shares with poor access control - CAN-1999-0520
NFS exports to the world - CAN-1999-0554
These candidate entries are likely to change significantly before being accepted as full
CVE entries.

Advice on correcting the problem:
A. When sharing mounted drives, ensure only required directories are shared.

B. For added security, allow sharing only to specific IP addresses because DNS names
can be spoofed.

C. For Windows systems, ensure all shares are protected with strong passwords.

D. For Windows NT systems, prevent anonymous enumeration of users, groups, system
configuration and registry keys via the "null session" connection.

Block inbound connections to the NetBIOS Session Service (tcp 139) at the router or the
NT host.

Consider implementing the RestrictAnonymous registry key for Internet-connected hosts
in standalone or non-trusted domain environments:

NT4: http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
Win2000: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

E. A quick, free, and secure test for the presence of NetBIOS file sharing, and its
related vulnerabilities, effective for machines running ANY operating system, is available
at the Gibson Research Corporation web site. Simply visit http://grc.com/
and click the "ShieldsUP" icon to receive a real-time appraisal of any system's
NetBIOS exposure. Detailed instructions are available to help Microsoft Windows users deal
with NetBIOS vulnerabilities.

F. For Macintosh systems, disable file sharing and web sharing extensions unless
absolutely required. If file sharing must be enabled, ensure strong passwords for access,
and stop file sharing during periods in which it is not required.

To permanently disable Web sharing in MacOS 8 or MacOS 9, remove two files and restart:
System Folder:Control Panels:Web Sharing
System Folder:Extensions:Web Sharing Extension

To permanently disable AppleShare/IP in MacOS 9, remove one file and restart:
System Folder:Extensions:Shareway IP Personal Bgnd

8. User IDs, especially root/administrator with no passwords or weak passwords.

Some systems come with "demo" or "guest"
accounts with no passwords or with widely-known default passwords. Service workers often
leave maintenance accounts with no passwords, and some database management systems install
administration accounts with default passwords. In addition, busy system administrators
often select system passwords that are easily guessable ("love,"
"money," "wizard" are common) or just use a blank password. Default
passwords provide effortless access for attackers. Many attackers try default passwords
and then try to guess passwords before resorting to more sophisticated methods.
Compromised user accounts get the attackers inside the firewall and inside the target
machine. Once inside, most attackers can use widely-accessible exploits to gain root or
administrator access.

Systems Affected:
All systems.

CVE Entries:
Unix guessable (weak) password - CAN-1999-0501
Unix default or blank password - CAN-1999-0502
NT guessable (weak) password - CAN-1999-0503
NT default or blank password - CAN-1999-0504

These candidate entries are likely to change significantly before being accepted as
full CVE entries.

Advice on correcting the problem:
A. Create an acceptable password policy including assigned responsibility and frequency
for verifying password quality. Ensure senior executives are not exempted. Also include in
the policy a requirement to change all default passwords before attaching computers to the
Internet, with substantial penalties for non-compliance.

B1. VERY IMPORTANT! Obtain written authority to test passwords

B2. Test passwords with password cracking programs:

For Windows NT: L0phtCrack http://www.l0pht.com
For UNIX: Crack http://www.users.dircon.co.uk/~crypto

C. Implement utilities that check passwords when created.

For UNIX: Npasswd, http://www.utexas.edu/cc/unix/software/npasswd
For Windows NT: http://support.microsoft.com/support/kb/articles/Q161/9/90.asp

D. Force passwords to expire periodically (at a frequency established in your security
policy).

E. Maintain password histories so users cannot recycle old passwords.

Additional information may be found at:

http://www.cert.org/tech_tips/passwd_file_protection.html
http://www.cert.org/incident_notes/IN-98.03.html
http://www.cert.org/incident_notes/IN-98.01.irix.html

9. IMAP and POP buffer overflow vulnerabilities or incorrect configuration.

IMAP and POP are popular remote access mail protocols, allowing
users to access their e-mail accounts from internal and external networks. The "open
access" nature of these services makes them especially vulnerable to exploitation
because openings are frequently left in firewalls to allow for external e-mail access.
Attackers who exploit flaws in IMAP or POP often gain instant root-level control.

Systems Affected:
Multiple UNIX and Linux systems

CVE Entries:
CVE-1999-0005, CVE-1999-0006, CVE-1999-0042, CVE-1999-0920, CVE-2000-0091

Advice on correcting the problem:
A. Disable these services on machines that are not e-mail servers.

B. Use the latest patches and versions. Additional information may be found at:

http://www.cert.org/advisories/CA-98.09.imapd.html
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
http://www.cert.org/advisories/CA-97.09.imap_pop.html

C. Some of the experts also recommend controlling access to these services using TCP
wrappers and encrypted channels such as SSH and SSL to protect passwords.

10. Default SNMP community strings set to "public" and "private".

The Simple Network Management Protocol (SNMP) is widely used by
network administrators to monitor and administer all types of network-connected devices
ranging from routers to printers to computers. SNMP uses an unencrypted "community
string" as its only authentication mechanism. Lack of encryption is bad enough, but
the default community string used by the vast majority of SNMP devices is
"public", with a few "clever" network equipment vendors changing the
string to "private". Attackers can use this vulnerability in SNMP to reconfigure
or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the
structure of your network, as well as the systems and devices attached to it. Intruders
use such information to pick targets and plan attacks.

Systems Affected:
All system and network devices.

CVE Entries:
default or blank SNMP community name (public) - CAN-1999-0517
guessable SNMP community name - CAN-1999-0516
hidden SNMP community strings - CAN-1999-0254, CAN-1999-0186

These candidate entries are likely to change significantly before being accepted as
full CVE entries.

Advice on correcting the problem:
A. If you do not absolutely require SNMP, disable it.

B. If you are using SNMP, use the same policy for community names as used for passwords
described in Vulnerability Cluster Number 8 above.

C. Validate and check community names using snmpwalk.

D. Where possible make MIBs read only. Additional information:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315
