[Sunnet Alert] Advisory #221 - SAP (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Sun Apr 8 01:47:27 EST 2007
Sûnnet Beskerming Alert List Advisory #221
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 SAP (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 New Microsoft Problem, Or Old Issue Receiving New Attention?
2.2 Call For US To Have Cyber-offensive Capability
=====================================
1. SECURITY
1.1 SAP (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
SAP RFC Library 6.40, 7.00
-- Technical Description --
The described versions of the SAP RFC library contain numerous
vulnerabilities, including information disclosure, denial of service
due to resource exhaustion, and arbitrary remote code execution due
to buffer overflows. Full detailed technical descriptions of the
vulnerabilities will be published after three months. Notification
was also received of the release of a specialised testing tool that
targets and probes SAP installations for weakness.
-- Description --
Numerous serious vulnerabilities have been identified and
pre-disclosed (without detailed technical explanations) for the
corporate SAP software platform, specifically the library that allows
external interaction with a SAP installation. The vulnerabilities
range from disclosure of sensitive information through to allowing
remote attackers to run software of their choice on a vulnerable
system. SAP have already provided the necessary updates to protect
their clients from the weaknesses identified.
-- Recommended Action --
Apply the latest updates available from SAP in order to be protected
against potential exploitation attempts of these vulnerabilities.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
                U    O
Home User       -    -    (Nil)
Corporate       7   10    (Very High - Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 New Microsoft Problem, Or Old Issue Receiving New Attention?
The Internet Storm Center (ISC) has alerted readers to a possible new
vulnerability affecting Microsoft, DNS, and Active Directory (when
used in combination). While this does appear to be a real and growing
problem, there is evidence that it was publicised on the 22nd of
March on the Full-Disclosure mailing list, and that it relates to
even older known attack vectors and issues with the software.
As far as the information disclosed on the 22nd of March goes, it
appears that the default installation and configuration of Microsoft
DNS servers, when integrated with Active Directory, allows insecure
dynamic updates of the DNS records. This means that attackers with
access to this capability can delete, modify or replace any DNS
record that the server is holding.
As with any successful DNS record manipulation, the main risks are
from Man in the Middle attacks, where the attacker is able to control
where Internet traffic will go for any site of their choosing. While
the claim is made that it will allow attackers to block or maliciously
impersonate the Windows Update servers, these are actually hard-coded
into Windows and do not rely on external information (alleviating any
risk of a HOSTS file compromise).
An updated version of 'dnsfun' was released with the public
notification, which provides potential attackers with a simple point-
and-click interface to probe and attack Microsoft DNS Servers being
used in this particular configuration.
Of more interest is the claim that this is not a new vulnerability
(certainly some other researchers have been complaining for some time
about the inherent weaknesses of DNS), but that these particular
vectors of attack were not investigated.
The simple fix that is presented is to disable dynamic updates, or to
configure the server to only accept secure updates.
Until such time as more information is made public about the issue
described to the ISC, it remains probable that what is being
experienced are attacks derived directly from the public disclosure
on 22 March.
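The fix described above (disable dynamic updates, or accept only secure updates) can be audited and applied from the server side. The following is an added example, not code from the advisory or from the ISC, and it assumes the DnsServer PowerShell module (Windows Server 2012 or later) and an account with DNS administration rights; the -Remediate switch and the $findings object are this example's own names.

```powershell
# Added example: audit Windows DNS primary zones for the weak
# 'NonsecureAndSecure' dynamic update setting and, on request,
# switch them to Secure (AD-integrated) or None (file-backed).
# Assumes the DnsServer module; -Remediate is this script's own switch.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones accept dynamic updates; secondary and stub zones
# forward them to the primary, so they are excluded from the audit.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = foreach ($z in $zones) {
    [pscustomobject]@{
        Zone          = $z.ZoneName
        ADIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        # The setting from the disclosure: any client that can reach the
        # server may add, change or delete records without authentication.
        Weak          = ($z.DynamicUpdate -eq 'NonsecureAndSecure')
    }
}

$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object Weak) {
    if (-not $Remediate) {
        Write-Warning "$($f.Zone): accepts nonsecure dynamic updates"
        continue
    }
    if ($f.ADIntegrated) {
        # 'Secure' (Kerberos-authenticated updates) requires an AD-integrated
        # zone. Equivalent to: dnscmd <server> /Config <zone> /AllowUpdate 2
        Set-DnsServerPrimaryZone -ComputerName $ComputerName `
            -Name $f.Zone -DynamicUpdate Secure
        Write-Output "$($f.Zone): dynamic updates set to Secure"
    } else {
        # File-backed zones cannot do secure updates; the only safe option
        # is to turn dynamic updates off (dnscmd ... /AllowUpdate 0).
        Set-DnsServerPrimaryZone -ComputerName $ComputerName `
            -Name $f.Zone -DynamicUpdate None
        Write-Output "$($f.Zone): dynamic updates disabled (not AD-integrated)"
    }
}
```

Run it without -Remediate first to see which zones are affected; clients that relied on unauthenticated updates (non-domain hosts, some appliances) will stop registering once the zone is set to Secure.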
2.2 Call For US To Have Cyber-offensive Capability
Although a longer writeup on this topic will be coming at a later
stage, there have been increasing levels of coverage of the comments
made recently by the US COM STRATCOM in front of a Congressional
committee. Drawing the greatest attention was the comment that the
US needed to have an effective cyber attack capability in order to
effectively maintain its defences.
What sets the online environment apart from all others (as distinct
from the other electronic communication forms that the military
already understands and has a well-established attack / defend
capability for) is that there is no real distinction between a
state-based entity and a standalone attacker. This distinction is
blurred even further by the ability of a single attacker to control
literally armies of compromised machines across the globe and get
them to carry out attacks that are extremely difficult to trace back
and investigate.
Even better for the attackers is the ease with which they can control
machines within other countries, which means that they can
effectively fake the source of an online attack, making it look like
a particular country was responsible for the launching and
implementation of an attack, when it was merely a fleet of
compromised machines located in that country that carried out the
attack (under the control of an attacker in another location).
The principle of having an effective attack force as a deterrent is
well known, but using a state-backed attack force in response to
electronic attacks of undetermined origin is a significant escalation
of electronic force, and one which is likely to see an increased
electronic arms race (over the one that already exists).
Currently, the coverage of the comments falls into two camps - the
pacifists who believe that the US government and military should
shore up their defences and continue weathering the electronic
attacks as best as possible, and the militarists who believe that the
development of an effective attack capability (used sparingly) will
go a long way to helping with the effective defence of electronic
systems (alongside shored-up defences, as well).
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.