SANS Institute | Newsletters

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 27, 2012
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 12, Num. 52

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

TOP VULNERABILITY THIS WEEK: A major information disclosure vulnerability impacting users of the popular W3 TotalCache for Wordpress plugin was announced this week, with all files touched by the caching server being publicly available on the Internet by default with no authentication. The author of the plugin is currently working on a fix, but administrators can take simple action in the interim to reduce their exposure.

============================================================

TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Wordpress W3 TotalCache Information disclosure
Description: A security researcher has discovered that, by default, the popular W3 TotalCache plugin for Wordpress leaves cache files in directories readable by the web server, with indexing enabled. That allows for trivial web searches of all cached files of impacted servers, including database session information, password-restricted data, etc. At the time of writing, approximately 1.19 million results were returned with appropriate Google searches, demonstrating the scope of the issue. Impacted administrators should immediately disable indexing on all W3 TotalCache directories, and look for a patch that the author of the product is currently working on.
Reference:
http://seclists.org/fulldisclosure/2012/Dec/242
http://wordpress.org/extend/plugins/w3-total-cache/
Snort SID: 25120
ClamAV: N/A

Title: NVidia Display Driver "Christmas 0-day"
Description: Proving that information security never sleeps, a security researcher in the UK released exploit code for a new NVidia display driver on PasteBin on Christmas Day. While the has stated on this Twitter feed that it is likely "not wormable", the issue is clearly serious, and is likely to be addressed directly by NVidia soon. As the exploit uses an SMB pipe, in the interim concerned users should ensure that they are using a firewall to protect their systems from as much exposure to Windows SMB protocols as possible without impacting business.
Reference: http://pastebin.com/QP7eZaJt
Snort SID: N/A
ClamAV: N/A

Title: AutoIt Trojan observed in the wild
Description: Several instances of this new trojan downloader have been observed in the wild recently. The malware uses an encoded backdoor channel to decrease the likelihood of detection.
Reference: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Autoit-QN/detailed-analysis.aspx
Snort SID: 25109
ClamAV: AUTOIT.Trojan.Agent-8

============================================================

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Microsoft SQL Server link crawling command execution:
http://www.exploit-db.com/exploits/23649/

Defcon Doctumentary Preview:
http://vimeo.com/56234900

Partial FBI files for Occupy dumped on Pastebin:
http://pastebin.com/U2yaa3ex

Opsec for stained glass:
http://www.schnarff.com/blog/?p=192

The "hidden" backdoor: VirTool:WinNT/Exforel.A:
https://blogs.technet.com/b/mmpc/archive/2012/12/09/the-quot-hidden-quot-backdoor-virtool-winnt-exforel-a.aspx?Redirected=true

NSA targeting domestic computer systems in secret test:
http://news.cnet.com/8301-13578_3-57560644-38/revealed-nsa-targeting-domestic-computer-systems-in-secret-test/

Page weight matters:
http://blog.chriszacharias.com/page-weight-matters?utm_source=dlvr.it&utm_medium=twitter

Howto: distributed Splunk architecture:
http://blog.rootshell.be/2012/12/22/howto-distributed-splunk-architecture/

=========================================================

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: : CVE-2012-2174
Title: IBM Lotus Notes URL Handler Design Error Vulnerability
Vendor: IBM
Description: The URL handler in IBM Lotus Notes 8.x before 8.5.3 FP2 allows remote attackers to execute arbitrary code via a crafted notes:// URL.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to upload and execute files via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: : CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX "PrintControl.dll" Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl.1 ActiveX control in PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2 allows remote attackers to execute arbitrary code via a long ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: : CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. The vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: : CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

=========================================================