best practices
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
Thanks to the Samba developers, TippingPoint, and iDefense for
identifying and reporting these issues.
Note: These issues only affect the service console network, and are
not remote vulnerabilities for ESX Server hosts that have been set
up with the security best practices provided by VMware.
http://www.vmware.com/resources/techresources/726
ESX
---
VMware ESX 3.0.1 Download Patch Bundle ESX-1001213
Patch 18.
assigned the name CVE-2007-3004 to this issue.
4. Solution:
ESX 2.5.5 ESX not affected
4. Solution
to generate a spurious memory access error or, in certain cases,
reload the device.
The IOS SSH server is an optional service that is disabled by
default, but its use is highly recommended as a security best
practice for management of Cisco IOS devices. SSH can be enabled as
part of the AutoSecure feature during the initial configuration of IOS
devices, by running AutoSecure after initial configuration, or manually.
Devices that are not configured to accept SSH connections are not
affected by these vulnerabilities.
** JRE will be updated to version 1.5.0_20 in the next update release
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown)
are not affected by the policy-map drop function. Additional
information on the configuration and use of the CoPP feature can
be found at "Control Plane Policing Implementation Best Practices"
(http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html)
and "Control Plane Policing"
(http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html).
Configuring iACLs
ESX 2.5.5 ESX not affected
The currently installed version of Tomcat depends on your patch
===============================================
Rapperswil, Switzerland -- The Call for Papers for the third Swiss Cyber
Storm Security Conference in Switzerland is now open where the eminent
figures in the international security industry will get together and
share best practices and technology. The conference will be held at the
University of Applied Sciences in Rapperswil lakeside of Lake Zurich on
May 12-15 2011. Significant discoveries about the cyber underground,
advanced persistent threats including computer network attacks and
defenses, and pragmatic real-world security experience will be presented
in a series of well-chosen talks. Swiss Cyber Storm provides European
Cc: bugtraq@securityfocus.com
Subject: Re: STP mitm attack idea
Computer and information security models
Computer and information security standards
Wireless security
Authentication and access control
Computer and information security policies
Best practices in Computer and Information security
Cryptography, VPN and PKI
Disaster recovery and business continuity planning
Vulnerabilities Analysis and Hacking techniques
Perimetral Security
Database Security
on the affected device does mitigate this vulnerability. Cisco
recommends using a conservative value of 100.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
On Wed, Apr 28, 2010 at 05:26:09PM -0400, Jason T. Masker scribbled thusly:
> Best practice is to implement layer 2 security mechanisms which would
> identify these ports as "access" ports and shut them down if any STP
> traffic was received through these interfaces. On Cisco equipment,
> this is known as BPDU guard.
> http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
I don't have an account with Cisco any more, but why would
shutting down the port be the right thing to do? CMU does that,
and it means you have to be very careful when plugging in a
> your machines.
> Anyway, this attack sounds like something a good switch can easily
> prevent by having a list of "STP trusted ports" or something like that.
> Doesn't that exist?
Best practice is to implement layer 2 security mechanisms which would
identify these ports as "access" ports and shut them down if any STP
traffic was received through these interfaces. On Cisco equipment,
this is known as BPDU guard.
http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
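The BPDU guard configuration the message above refers to, as an added example that is not part of the thread or of Cisco's tech note. It assumes a Catalyst-style IOS switch on which GigabitEthernet0/1 through 0/24 are user-facing access ports and GigabitEthernet0/48 is the uplink; the interface names, the 300-second recovery timer and the root-guard line on the uplink are my choices, not anything the thread states.

```cisco
!--- Added example (not from the thread or from Cisco's tech note).
!--- Assumptions: Gi0/1-24 are user access ports, Gi0/48 is the uplink.
!
!--- Globally: every PortFast-enabled port gets BPDU guard. A BPDU arriving
!--- on such a port (a rogue switch, or a host running an STP MITM tool)
!--- err-disables the port instead of letting the sender join the topology.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet0/1 - 24
 description user access port
 switchport mode access
 spanning-tree portfast
 !--- explicit per-port form, so the port stays guarded even if the
 !--- global default is removed later
 spanning-tree bpduguard enable
!
!--- Uplink: BPDUs must be accepted here, so no BPDU guard. Root guard
!--- instead refuses a *superior* BPDU that would move the root bridge
!--- to this side of the link.
interface GigabitEthernet0/48
 description uplink to distribution
 switchport mode trunk
 spanning-tree guard root
!
!--- Addresses the "you have to be very careful when plugging in" concern
!--- raised in the thread: a port tripped by BPDU guard recovers on its own
!--- after 300 seconds instead of needing a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
!--- Verification (exec mode, not configuration):
!---   show spanning-tree summary          <- "Portfast BPDU Guard Default is enabled"
!---   show interfaces status err-disabled <- which ports tripped, and why
!---   show errdisable recovery            <- enabled causes and the timer
```

With this in place the attack in the thread fails twice over: an access port that receives a BPDU is err-disabled before the sender can participate in STP at all, and a superior BPDU that somehow arrives on the uplink is blocked by root guard rather than re-rooting the tree.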
can reduce potential attack vectors and make exploitation more
difficult.
Prevent PDF documents from being opened automatically by the Web browser.
Disable JavaScript in the vulnerable products.
Follow best practice methodologies by avoiding opening files from
untrusted or unsolicited sources.
Deploy DEP (Data Execution Prevention).
VI. VENDOR RESPONSE
========================================================================
Workshop on Secure Web Services (SWS 2009)
http://sesar.dti.unimi.it/SWS09
The SWS workshop explores many topics related to Web Services
Security, ranging from the advancement and best practices of building
block technologies such as XML and Web services security protocols to
higher level issues such as advanced metadata, general security
policies, trust establishment, risk management, and service
assurance. The workshop provides a forum for presenting research
results, practical experiences, and innovative ideas in web services
you're complaining about is a *legitimate* feature with legitimate uses.
Yes, it's a feature that can be very badly abused, so enabling it needs some
forethought and intelligence.
I've said this once already, but it bears repeating: your concerns deserve
discussion in context of vmware best practices. But I personally don't
believe it merits discussion as a vulnerability. It's no more a
vulnerability than, say, not setting a password on your Windows
administrator account. It's obviously idiotic, but not a flaw in the
software stack.
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) -
Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
* Security in Agile Development - Dave Wichers
I want to remind everyone that CONFidence is happening in less than two weeks.
http://2009.confidence.org.pl/warsztaty
CONFidence is an international conference that has been taking place in May in Poland for the last 5 years. CONFidence is focused on research and best practices of database, application, systems and network security. CONFidence is a two-day event, (15-16 May, 2009) divided in three tracks. The speakers list includes: Bruce Schneier, Tavis Ormandy, Jacob Appelbaum, Joanna Rutkowska, Rich Smith, Mario Heiderich, Mark Schoenefeld and many many more top security experts.
Moreover, just before CONFidence amazing trainings will be organized:
# w3af ninja - Andres Riancho - 12th May 2009
# Discovery and exploitation of web application vulnerabilities - Andres Riancho - 13th May 2009
# Analyzing and Securing Enterprise Application Code by Blueinfy - Shreeraj Shah & Vimal Patel - 14th May 2009
# Secure Java Programming - Marc Schoenefeld - 14th May 2009
Submission Details
==================
IMF invites to submit full papers of up to 20 pages, presenting novel
and mature research results as well as practice papers of up to 20
pages, describing best practices, case studies or lessons learned.
Proposals for workshops, discussion and presentation on practical methods
and challenges are also welcome.
All submissions must be written in English (see below), and either in
postscript or PDF format. Authors of accepted papers must ensure that
to guest operating systems as an administrator, the script running as a
non-admin on the host can still execute admin-level scripts on the guests.
I obviously did not discover this issue--the API developers provided it as a
feature--I am simply pointing out the potential danger, that it was a poor
design decision, and that there is a need to establish best practices for
virtual machine guest and host isolation.
Background
Virtual machines have become a more integral part of the computing world and
IMF invites to submit:
----------------------
- Full papers of up to 20 pages, presenting novel and mature research
results.
- Practice papers of up to 20 pages, describing best practices, case
studies, lessons learned, or latest product developments.
- Proposals for Workshops: Discussion and presentation on practical
methods and challenges.
Select 'Drivers & Software'
Enter 'Proliant Support Pack' into the product field
Select Operating System
Download the Proliant Support Pack
Note: HP SNMP Agents and HP Insight Management Agents v8.7 are the only components of the PSP required to resolve the vulnerabilities. However, the best practice recommendation from HP is to update a server to the full HP ProLiant Support Pack v8.7 in order to have a fully qualified set of drivers, agents, and firmware.
HISTORY
Version:1 (rev.1) - 19 April 2011 Initial Release
Version:2 (rev.2) - 2 May 2011 Changed CVSS score for CVE-2011-1538
Version:3 (rev.3) - 11 May 2011 Changed product from PSP to SNMP Agents and Insight Management Agents, added patches
no ip scp server enable
If the Secure Copy server cannot be disabled due to operational
concerns, then no workarounds exist. The risk posed by this
vulnerability can be mitigated by following the best practices detailed
in "Improving Security on Cisco Routers" at
http://www.cisco.com/warp/public/707/21.html. Please refer to the
Obtaining Fixed Software section for appropriate solutions to resolve
this vulnerability.
eyeballs, all bugs are shallow,"[4] open-source software is still plagued by
high-impact security vulnerabilities. For this mantra to hold, not only are
"enough eyeballs" required, but the eyeballs should be those of well-trained
security professionals.
Security best-practices such as adherence to the Security Development
Lifecycle[5] are also critical when designing and developing software. It is
worth noting that even with the code-based vulnerability identified in this
advisory, a defense-in-depth approach of using ASLR and/or DEP would have
deterred exploitation if enabled.
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
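The iACL the paragraph above announces, together with the CoPP policy described in the "Control Plane Policing" passage earlier on this page, as an added example; it is not the advisory's own sample, which is not reproduced here. It assumes, following the IOS SSH server passage above, that the service to protect is the IOS SSH server on TCP port 22, that infrastructure addresses live in 192.0.2.0/24, and that the only hosts allowed to open SSH to them are the management stations 198.51.100.10 and 198.51.100.11. All three addresses and the interface and ACL names are assumptions chosen for the example.

```cisco
!--- Added example (not the advisory's own sample). Assumptions, stated
!--- here so they can be changed: infrastructure addresses are in
!--- 192.0.2.0/24; the trusted management stations are 198.51.100.10 and
!--- 198.51.100.11; the protected service is the IOS SSH server, TCP/22.
!
!--- iACL, applied inbound on every border interface. Only the trusted
!--- management hosts may reach TCP/22 on infrastructure addresses; any
!--- other SSH aimed at the infrastructure range is dropped at the edge.
!--- The final permit keeps transit traffic flowing.
ip access-list extended INFRA-IACL
 remark --- trusted management stations may SSH to infrastructure ---
 permit tcp host 198.51.100.10 192.0.2.0 0.0.0.255 eq 22
 permit tcp host 198.51.100.11 192.0.2.0 0.0.0.255 eq 22
 remark --- everyone else: no SSH to infrastructure addresses ---
 deny   tcp any 192.0.2.0 0.0.0.255 eq 22
 remark --- rest of the infrastructure policy goes here; then permit transit ---
 permit ip any any
!
interface GigabitEthernet0/0
 description border uplink
 ip access-group INFRA-IACL in
!
!--- CoPP, a second line of defense on the device itself. Note the inverted
!--- logic the advisory text describes: the ACL *permits* the packets we
!--- want discarded (untrusted SSH to the control plane) so that the class
!--- matches them and the policy-map "drop" action throws them away. The
!--- trusted hosts match "deny", fall through to class-default, and are
!--- not affected by the drop.
ip access-list extended COPP-DROP-SSH
 deny   tcp host 198.51.100.10 any eq 22
 deny   tcp host 198.51.100.11 any eq 22
 permit tcp any any eq 22
!
class-map match-all COPP-DROP-SSH-CLASS
 match access-group name COPP-DROP-SSH
!
policy-map COPP-POLICY
 class COPP-DROP-SSH-CLASS
  drop
 class class-default
!
control-plane
 service-policy input COPP-POLICY
!
!--- Belt and braces on the vty lines: SSH only, and only from the same
!--- management hosts, so a packet that slips past both filters still
!--- cannot reach a login prompt from an untrusted source.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.10
 permit 198.51.100.11
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
!
!--- Verification (exec mode, not configuration):
!---   show ip ssh                      <- is the SSH server enabled at all?
!---   show access-lists INFRA-IACL     <- hit counts on the deny entry
!---   show policy-map control-plane    <- packets dropped under the class
```

The iACL is the long-term control the paragraph recommends; CoPP covers the case where an attacker is already inside the border (for example on a segment that the iACL does not sit in front of), and the vty access-class is the last check before the vulnerable code path is reached. A device on which `show ip ssh` reports the server disabled is, per the advisory text above, not affected and needs none of this for that vulnerability.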
Any input from a user is susceptible to tampering. The advisory is specifically about vulnerabilities in how frameworks handle view states. While the frameworks provide functions to secure the view states, the specific vulnerabilities are not documented by the vendors.
Apache's documentation states that the encryption is only needed when t:SaveState tag is used. Sun provides no specific recommendations on encrypting the view state. Microsoft recommends securing the view state, but doesn't provide concise information about what will happen if you don't.
The purpose of our advisory was to show that unsecured view states will always be vulnerable to real-world attacks. This changes view state security from a best-practice to a demonstrable vulnerability for all applications developed on the three frameworks described.
Regarding your specific questions:
1) Yes, we did find specific vulnerabilities in all three products listed. The Microsoft vulnerability is demonstrated in the advisory. The Apache MyFaces vulnerability is described in the advisory, but a specific attack is beyond the scope of the advisory. Trustwave has released Deface (https://www.trustwave.com/spiderLabs-tools.php) to demonstrate an actual attack. The Sun Mojarra vulnerability is essentially the same as the one in Apache MyFaces, but is not supported by Deface. If you are familiar with Java, Deface can be modified for use with Mojarra.
lightweight) worm to propagate. This isn't so much about guest OS compromise
as it is about malware propagation.
4. This is also not so much about this specific issue at hand--we can easily
block this--but also looking at the bigger picture of establishing best
practices for dealing with the guest/host relationship.
5. Arthur, it may not affect you but the way you use virtual machines is
likely not representative of the population of vmware users.
6. The argument that a secured server won't be vulnerable is fine, but