
Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20071205-csa.shtml

Cisco Security Agent Rule to Block TCP Port 139 and 445 Traffic
+--------------------------------------------------------------

Workstations that do not have a need to provide SMB services, such as
services for sharing directories or files and printers, can be protected
by configuring a Cisco Security Agent rule that blocks all traffic to

ModSecurity (Core Rules) HTTP Parameter Pollution Filter Bypass Vulnerability

  ========================================================================
  ModSecurity (Core Rules) HPP Filter Bypass Vulnerability
  ========================================================================

  Affected Software : ModSecurity <= 2.5.9 using ModSecurity Core Rules <= 2.5-1.6.1
  Author            : Lavakumar Kuppan - lavakumar[dot]in[at]gmail[dot]com
  Advisory URL      : http://www.lavakumar.com
  Severity          : High
  Local/Remote      : Remote

[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

Windows handles file names. The affected software is the Windows version
of the following web servers:

   . Nginx Web Server [1]. The way Nginx handles files may differ when
they are requested using their 8.3 alias, and short file or path names
are not correctly handled when applying file handling rules or access
restrictions. By abusing these flaws, an attacker can bypass security
options implemented in the web server. For instance, 'file.shtml' will
become 'FILE~1.SHT'. This will cause the file to be handled as a '.sht'
file, not a '.shtml' file. The result of this is that instead of
processing SSI directives as would normally be the case with a '.shtml'

Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability

device, as in the following example:

    Router#show ip ips interfaces
        Interface Configuration
          Interface FastEthernet0/0
            Inbound IPS rule is ios-ips-incoming
            Outgoing IPS rule is not set
          Interface FastEthernet0/1
            Inbound IPS rule is not set
            Outgoing IPS rule is ios-ips-outgoing
    Router#

Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability

Workarounds
===========

Service Rules
+------------

As an interim step prior to upgrading the Cisco content delivery system
software, it is possible to deny access to sensitive directories via
service rules. The following example shows denying access to move up a

Y2K10 spamassassin bug, 2010 year mails discarded as spam

Hi,

Please review your spamassassin rules, the FH_DATE_PAST_20XX rule marks the
2010 mails as spam with 3.6 points app, the possible workarounds are:

.- file /usr/share/spamassassin/72_active.cf

replace :

header   FH_DATE_PAST_20XX      Date =~ /20[1-9][0-9]/ [if-unset: 2006]

InstallShield Update Agent - Downloads and executes "Rule Scripts" insecurely.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUMMARY

InstallShield Update Agent - Remote "Rule Script" Code Execution Vulnerability.

OVERVIEW

InstallShield Update Agent uses insecure methods of retrieving operational
script code from unauthenticated, unverified external sources over HTTP.

BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP

there is some research in the public domain, there is much more
attention that needs to be paid to UPnP.

UPnP allows you to perform administrative functions. Some functions
are very standardized and supported by most devices. Examples include
obtaining network settings, and enabling port forwarding rules. Other
functions are make/model specific. Some very scary functions such as
obtaining administrative username and password pairs have been
reported [2] in the past. As a reminder, this works without submitting
any administrative password whatsoever since UPnP is an
authenticationless protocol. On top of this, most IGDs support UPnP by

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

It is possible to mitigate the vulnerabilities in this advisory by
disabling the translation of embedded IP addresses in the payload of
IP packets. Disabling NAT for the different protocols requires
different configurations. For some protocols, a single command can be
used. Other protocols require individual NAT translation rules be
added to the configuration.

NAT LDAP Vulnerability Mitigation
+---------------------------------


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Network Building Mediator

depend on accessing the device itself, but on intercepting the session
between an operator console and the Cisco Network Building Mediator.

Administrators are advised to be selective when choosing the devices
that are allowed to establish connections to the Cisco Network
Building Mediator. The following rules will allow only legitimate
operator console(s) to establish sessions to the Cisco Network
Building Mediator. To execute the following commands you must have
Administrator privileges on the Cisco Network Building Mediator. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the

Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability

vulnerability.

Details
=======

An ACL is an ordered set of rules that filter traffic. Each rule
specifies a set of conditions that a packet must satisfy to match the
rule. When the device determines that an ACL applies to a packet, it
tests the packet against the conditions of all rules. The first
matching rule determines whether the packet is permitted or denied.
If there is no match, the device applies the applicable implicit

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

    A device that is configured for either Cisco IOS IPS or Cisco IOS
    Zone-Based Firewall (or both), may experience a memory leak under
    high rates of new session creation flows through the device.
    To determine if a device is configured with Cisco IOS IPS, log
    into the device and issue the "show ip ips interfaces" CLI command.
    If the output shows an IPS rule set in either the inbound or outbound
    direction, then the device is vulnerable. This example shows
    a device with an IPS rule set on Interface Gigabit Ethernet 0/0
    in the inbound direction:

        Router#show ip ips interfaces

The Smarter Safer Better Seminar Series

their own learning beyond the school books. Parents and educators 
attending will also learn how to help other teens and how to start a 
Hacker Highschool chapter in their school.

-- The Bad People Project
There are too many rules for children to learn about being safe. 
Parents worry. They want their child to be safe and happy. So they 
pile on the rules for life but many conflict, are antiquated, or just 
don't make sense. That's why ISECOM began a project to study how we 
can improve the rules we give to children, understanding that cultural 
differences, mass media, and social conventions may reduce their 

TS-2007-001-0: BlueCat Networks Adonis Linux-HA heartbeat DoS Vulnerability

  iptables configuration on the Adonis appliances.
  Appropriate anti-spoofing policies must also be in place,
  because an attacker can spoof the source IP address in the
  UDP datagram.

  When XHA was configured, iptables rules were configured in
  /usr/local/bluecat/firewall_rules/localHAFirewallConfig to
  permit 694/udp to and from the peer node on each appliance.
  However, these rules have no effect due to the rules
  mentioned above.  And they are also incorrect because they
  specify source port 694/udp, and the heartbeat packets we

CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

6.1. *Server side*

According to OWASP [2], CSRF vulnerabilities can be avoided by checking
the referrer of the HTTP request and verifying that the request comes
from the original site. A potential workaround is thus to set a rule on
a Web Application Firewall that checks the referrer of the requests and
verifies that all requests to the WebSphere administrative console
originate from the same site.

6.2. *Client side*

CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

ftf4 release before August, but this release was not confirmed yet
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying these countermeasures:

   1. For [CVE-2010-1929 | 40480], establish a Web Application
Firewall rule for limiting the length of the parameters
'EnteredClassID' and 'NewClassName' in POST requests to the URI
'/nps/servlet/webacc/'.
   2. For [CVE-2010-1930 | 40485], establish a Web Application
Firewall rule for limiting the length of the parameter 'Tree' in POST
requests to the URI '/nps/servlet/webacc/'.

CanSecWest 2008 PWN2OWN - Mar 26-28

style bugs are inadequate), you get to keep it. You also get to 
participate in 3com / Tipping Point's Zero Day Initiative, with the top 
award for remote, pre-auth, vulnerabilities being increased this year.
Fine print and details on the cash prizes are available from 
TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/). 
More fine print and rules for the contest will be found at 
the http://cansecwest.com/ site.

Quick Overview:

-Limit one laptop per contestant.

wp-10-0001: Multiple Browser Wildcard Certificate Validation Weakness

Details
-------

RFC 2818 covers the requirements for matching CNs and subjectAltNames
in order to establish valid SSL connections. It first discusses CNs
that are for hostnames, and the rules for wildcards in this case.
The next paragraph in the RFC then discusses CNs that are IP
addresses:

'In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present

Re: Y2K10 spamassassin bug, 2010 year mails discarded as spam

Eduardo Romero wrote:
> Hi,
>
> Please review your spamassassin rules, the FH_DATE_PAST_20XX rule marks the
> 2010 mails as spam with 3.6 points app, the possible workarounds are:
>
> .- file /usr/share/spamassassin/72_active.cf
>
> replace :
>

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

use the BSD stack, you did not respond to security@ mail, or could not use pgp
properly.

Additionally, administrators of critical or major deployments of NetBSD (e.g.
dns root servers) were given advance notice in order to deploy appropriate
filter rules.

Exploitability of kernel stack overflows will vary by platform (n.b. a stack
overflow is not a stack buffer overflow, for a concise definition see
TAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different
from a userland stack overflow.

Country by Country ISA Computer Sets

Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks.  I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere) so I figured it would be a nice "quiet" circuit to use for testing.  I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3, also filtering for UDP 1434.  After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks.  What I found interesting was that every single one of them was sourced in China (all from different addresses). 
 
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic.  There are obviously some issues with this (both from a technical and a potential customer standpoint) so I set out to do a bit of research on my own.  First thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint.  Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want.  So I set about finding a good resource for country-by-country IP ranges.  Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though).  But finding the resource was just the beginning...  The list I got included 234 countries, comprising almost 100,000 records of IP ranges.   

Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges - so the "manual" route was clearly out.  The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first.  Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country.   Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set.  It worked great.
  
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please.  Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA - this was key.  With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts.  The results were quite interesting.  While China still led with connection attempts overall, it was interesting to see that Canada was a close second.  However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was MESSENGER spam (UDP 1026, 1027, 1208).  The world leader for HTTP was Brazil, strangely enough.  Now, all of this will change based on who and where you are, and the types of services being offered.  For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period.  I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.

Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country.   Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research.  You may not be able (or even want) to block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this.  Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country.  While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming. 
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use.  Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly.   I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free. 

iDefense Security Advisory 05.21.08: Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Snort, as
included in various vendors' operating system distributions, could
allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble
fragmented IP packets. When receiving incoming fragments, Snort checks
the Time To Live (TTL) value of the fragment, and compares it to the
TTL of the initial fragment. If the difference between the initial

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

<snip />

>  
> Again, the Java Applet is *unsigned* and there is *no* crossdomain.xml
> policy
> which set rules of access control between www.targetsite.net and
> www.badsite.com

But, my point is that the current functionality is documented to ignore
the "set rules" you mention. In fact, there really are no rules for the
client to go by -- either the file is present and you can connect

[security bulletin] HPSBUX02514 SSRT100010 rev.1 - HP-UX running AudFilter rules enabled, Local Denial of Service (DoS)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02063258
Version: 1

HPSBUX02514 SSRT100010 rev.1 - HP-UX running AudFilter rules enabled, Local Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-03-29
Last Updated: 2010-03-26

RE: [Full-disclosure] Remote Desktop Command Fixation Attacks

> security-in-depth comes in, and where the overall context of your post
> is incorrect:
>
> First off, you block .rdp files at the SMTP gateway (that by itself is
> security in depth). Secondly, normal domain users don't RDP to external
> hosts, so there would never be an allow rule for outbound RDP.  Even if
> there was some need for off-lan RDP traffic from users, it would be on a
> host-by-host basis and managed by the firewalls.  That, again, is
> security in depth.
>
> If your users are running XP, then the admin would prevent them from

RE: Remote Desktop Command Fixation Attacks

> security-in-depth comes in, and where the overall context of your post
> is incorrect:
>
> First off, you block .rdp files at the SMTP gateway (that by itself is
> security in depth). Secondly, normal domain users don't RDP to external
> hosts, so there would never be an allow rule for outbound RDP.  Even if
> there was some need for off-lan RDP traffic from users, it would be on a
> host-by-host basis and managed by the firewalls.  That, again, is
> security in depth.
>
> If your users are running XP, then the admin would prevent them from

[SECURITY] [DSA-1976-1] New dokuwiki packages fix several vulnerabilities

CVE-2010-0288

It was discovered that the ACL Manager plugin doesn't properly check the
administrator permissions. This allows an attacker to introduce arbitrary ACL
rules and thus gain access to a closed Wiki.


CVE-2010-0289

It was discovered that the ACL Manager plugin doesn't have protections against

Alice (Telefonica Germany) Modem 1111 DoS + XSS

DSL modem, Alice Modem 1111, using firmware version 4.19, is prone to at
least the following two security vulnerabilities (after it has passed
initial configuration).

1. Denial of Service (DoS) via HTTP GET:
http://alice.box/natAdd?apptype=userdefined&rulename=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=99

After accessing this URL, the modem fails to accept any additional
connections via any of the protocols it supports (incl. telnet). The web
interface is only available from within the LAN, but an insecure
redirect from the Internet would work to exploit this.

Re: Remote Desktop Command Fixation Attacks

> security-in-depth comes in, and where the overall context of your post
> is incorrect:
>
> First off, you block .rdp files at the SMTP gateway (that by itself is
> security in depth). Secondly, normal domain users don't RDP to external
> hosts, so there would never be an allow rule for outbound RDP.  Even if
> there was some need for off-lan RDP traffic from users, it would be on a
> host-by-host basis and managed by the firewalls.  That, again, is
> security in depth.
>
> If your users are running XP, then the admin would prevent them from

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.