news is caused by a programming bug in an ActiveX control called script.typelib. The browser doesn’t need to be running for the virus to be unleashed, and the bug can be installed on a PC through its default security settings. While the Kak virus, believed to have originated in France, does not have a payload as malicious as that of ILoveYou, it has the potential to be the most dangerous virus to date if it were expanded and given nasty attributes. As yet, the virus does no damage but displays a message on the first of the month which says, “Kagou-Anti-Kro$oft says not today!”. If a user’s security settings are set high then Kak might display warning messages regarding ActiveX and scripts. Users who see a dialogue box asking, “Do you want to allow software such as ActiveX controls and plug-ins to run?” should respond “No.” Users of I.E. 5.0 and Office 2000 should update their virus detection software in order to close the hole. Experts also advise removing Windows Scripting Host from systems. Tools to patch the hole, which Microsoft released last August, are also available.
LAN/WAN NEWS
Bugs allow compromising of SSL sessions
According to a security advisory released by Red Hat Inc. (RHSA-2000:02802), there are now new Netscape 4.73 packages available which fix bugs in SSL certification validation which could have allowed for the compromising of encrypted SSL sessions. Using this vulnerability, an attacker is able to poison a nameserver to redirect all connections to www.goodguy.com to www.badguy.com. The attacker causes all normal http requests to return what they normally would on www.goodguy.com, even though a user attempting to contact www.goodguy.com hits www.badguy.com. Upon getting a hit to www.badguy.com, the attacker causes an SSL connection to be established. This can be done by embedding a small image. The user may or may not get a warning about establishing a secure connection — this warning is on by default, although many users will choose to disable this warning. The attacker needs to use a legitimate SSL key, certified by someone listed as trustworthy. When the user decides to leave the site, it will attempt to establish an SSL connection to www.goodguy.com. Upon checking the IP address for www.goodguy.com, for establishing an SSL connection, it will note that an SSL connection already exists to its IP. The key, however, was issued to www.badguy.com. The SSL connection will be established and, by all indications, it appears to go to www.goodguy.com, when it really goes to www.badguy.com. This could be used by a would-be attacker to steal information such as credit cards and other information protected by SSL. As a solution, for each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. For Red Hat Linux 5.0 and 5.1, use the Red Hat Linux 5.2 packages. For Red Hat Linux 6.0 and 6.1, use the Red Hat Linux 6.2 packages.
ISSN: 1353-4858/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved.
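The session-reuse flaw described in the Netscape item above, as an added toy model that is not code from the newsletter, Red Hat or Netscape: the client keys existing SSL sessions by IP address, and the corrected behaviour re-checks the certificate name when a session is reused. The class and function names and the 192.0.2.66 address are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: host names from the article, documentation-range IP.
POISONED_DNS = {"www.goodguy.com": "192.0.2.66", "www.badguy.com": "192.0.2.66"}
CERT_AT_IP = {"192.0.2.66": "www.badguy.com"}  # legitimately issued to badguy


class CertNameMismatch(Exception):
    pass


@dataclass
class Session:
    ip: str
    cert_name: str  # name the CA-signed certificate was issued to


class Client:
    """Toy model of a browser's SSL session handling (not Netscape's code)."""

    def __init__(self, dns, recheck_on_reuse):
        self.dns = dns
        self.recheck_on_reuse = recheck_on_reuse
        self.sessions = {}  # existing SSL sessions, keyed by server IP

    def connect(self, host):
        ip = self.dns[host]
        session = self.sessions.get(ip)
        if session is None:
            # New connection: certificate name is compared with the requested host.
            session = Session(ip, CERT_AT_IP[ip])
            if session.cert_name != host:
                raise CertNameMismatch(f"{host}: cert is for {session.cert_name}")
            self.sessions[ip] = session
        elif self.recheck_on_reuse and session.cert_name != host:
            # Corrected behaviour: an existing session is reused only for the
            # host name its certificate was validated against.
            raise CertNameMismatch(f"{host}: session cert is for {session.cert_name}")
        return session


def visit_sequence(recheck_on_reuse):
    """Replay the article's sequence; return the cert name serving goodguy."""
    client = Client(POISONED_DNS, recheck_on_reuse)
    client.connect("www.badguy.com")  # the earlier SSL hit, e.g. the embedded image
    try:
        return client.connect("www.goodguy.com").cert_name
    except CertNameMismatch:
        return "rejected"
```

Without the earlier session to www.badguy.com, a direct connection to www.goodguy.com fails the name check even in the unfixed model, which is why the sequence depends on the cached session.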
Server forced to halt and then reload
Cisco bug ID CSCdr36952 has been identified and can cause virtually all mainstream Cisco routers and switches running Cisco IOS software releases 11.1 through to 12.1 to halt and reload. To determine if the Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as “Internetwork Operating System Software” or “IOS” software and will display a version number. Other Cisco devices either will not have the show version command or will give different output. Compare the version number obtained from the router with the following list of affected versions:
• Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500 and 12000 series.
Printed by Mayfield Press (Oxford) Ltd