[Sunnet Alert] Advisory #220 - Kerberos, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Apr 6 04:35:12 EST 2007
Sûnnet Beskerming Alert List Advisory #220
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Kerberos
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Rootkit Happenings
2.2 Microsoft's Planned April Security Release
2.3 Easter And Your Security
=====================================
1. SECURITY
1.1 Kerberos - Remote Hacker Automatic Control
-- Products Affected --
All current versions of Kerberos 5
-- Technical Description --
SA 2007-001 - Complete control of remote system (root account)
through trivial username crafting (found when investigating the
effect of the Solaris telnetd vulnerability).
SA 2007-002 - Arbitrary remote code execution as a result of a stack
buffer overflow in the syslog library. While a standalone
exploitation requires an authenticated account, if it is combined
with the above vulnerability, it can readily lead to arbitrary remote
code execution by unauthorised users.
SA 2007-003 - Arbitrary remote code execution due to presence of a
double-free condition (believed difficult to exploit).
-- Description --
Several significant vulnerabilities affecting the Kerberos 5 telnet
daemon (the client software is not affected) have recently been
discovered, and patches have been made available. The vulnerabilities
could allow a remote attacker to take control of a vulnerable system
by passing specially-crafted usernames to the system, and thus gain
complete access to the system (as root). Other vulnerabilities could
also allow remote attackers to run code of their choice on vulnerable
systems, so it is strongly recommended that the patches be applied as
soon as possible.
-- Recommended Action --
Apply the appropriate interim patches from the MIT site (listed
below), and apply the new version as soon as it is available.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
             U    O
Home User    9   10   (Critical - Highly Critical)
Corporate   10   10   (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Rootkit Happenings
While some in the rootkit community are complaining of a quiet
period, where not much new material is being generated, there is more
than enough indication to show that rootkits are being delivered with
increasing regularity as part of other malware infestations and
through malicious websites.
While there is a lack of new material at the moment, it is being
suggested that several lines of investigation into new rootkit
capabilities are currently being pursued.
Confirmation that no antirootkit software is anywhere near capturing
all rootkits in circulation (and the presence of rootkits that bypass
all known detection methods) is no surprise. A heavy focus on the
new Windows version, Vista, is likewise of little surprise.
Of more interest is discussion of rootkit development that is
targeting very specific networking technologies (IPSEC and VPN).
While there do not appear to be any functional samples on the near
horizon, it is only going to be a matter of time before evolved
rootkits will be able to successfully utilise flaws in these
platforms in order to gain access to systems.
2.2 Microsoft's Planned April Security Release
Following the out-of-cycle patch release that came earlier this week
(MS07-017), Microsoft are expecting to release five patches next
Tuesday, as part of April's Security Patch Release.
Four of the patches will affect Microsoft Windows, and the most
serious of the vulnerabilities being patched is rated as Critical by
Microsoft (the most serious rating).
The remaining patch will be for the Microsoft Content Management
Server, and is also rated as Critical by Microsoft.
2.3 Easter And Your Security
Subscribers and regular readers who might have been wondering will be
reassured to note that Sûnnet Beskerming staff will work throughout
the Easter holiday period to ensure that the latest Information
Security threat information and news is delivered to your inbox ready
for your return from the holiday period.
For those who will be travelling or taking extended holidays over
Easter, Sûnnet Beskerming would like to wish you safe travel, and for
all readers we would like to wish a happy and safe Easter.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.