[AdvisorBits] GilbertWalker Group AdvisorBits - August 2001
John Walker
john@jsw4.net
Mon, 30 Jul 2001 22:06:58 -0400
This is the first edition of AdvisorBits, an informational newsletter
published monthly by GilbertWalker Group. Our intent is to raise your
security consciousness, and begin to expose you to new resources to
manage and secure your networks. To this end, each month we will review
some recent technology issues which you may have missed.
To find out more about GilbertWalker Group, please visit our web site:
http://www.gilbertwalker.com
***********************************************************
-- This Month's Headlines --
** Code Red worm causes disruption on Internet
** Terminal Services vulnerability
** Unix telnet daemon vulnerability
** Networking tool of the month: traceroute
-----------------------------------------------------------
Code Red worm causes disruption on Internet
Unless you've been hiding under a rock, you've probably heard about the
Code Red worm sweeping through the Internet. If you're responsible for a
Windows NT Server or Windows 2000 Server running Internet Information
Services (IIS), you should apply the patch supplied by Microsoft. For
more information see:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp. If
you're running IIS on Windows NT Workstation or Windows 2000
Professional, you're affected too and should also patch your systems.
IIS is not installed by default on either of these workstation
platforms, but it is easily added later, so check for it rather than
assume you are safe.
So what is it? Basically, there's a buffer overflow in a small component
of the web server: the Indexing Service ISAPI extension (idq.dll), to
which IIS hands requests for .ida and .idq files. A malicious user can
feed it a request carrying far more data than it expects; the excess
overwrites memory in the server process and leaves the attacker in a
position to execute program code of their choice on the web server, which
on IIS means complete control of the machine. Note that the hole is
reachable whenever the .ida/.idq script mapping exists, even if the
Indexing Service itself is not running, so patching (or removing the
mapping) is what matters, not whether you "use" indexing. The worm is a
program that exploits this hole, installs itself on the victim computer,
and then scans for and infects other vulnerable computers automatically.
Estimates of infected hosts have ranged from 200,000 to 375,000.
The ultimate target of this worm was a denial of service attack on the White
House web server. The time and date for that attack have passed, and the
President's site was moved to a different address, so the attack failed. In
the process the volume of scanning traffic generated had a significant impact
on network stability and throughput. There are also indications that this
worm has resurfaced with minor variations. The SANS Institute, Microsoft, and
other leading security organizations have announced that a mutation of Code
Red is expected to begin spreading again on July 31st at 8:00 pm EDT. All
administrators responsible for IIS servers should address this vulnerability
immediately. A link to the patch is provided on the Microsoft security
bulletin. Patch first, then reboot: the worm seen so far lives only in
memory, so a reboot removes it, but an unpatched server will simply be
reinfected by the next scan.
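A quick check an IIS administrator can run today, given here as an added example that is not part of the newsletter: scan the web server's log (W3C extended format, with the client IP, URI stem and URI query fields enabled) for requests for .ida/.idq resources carrying an overlong query string, which is how the worm's overflow shows up. The log lines inside the script are constructed to illustrate the format; the query in them mimics the worm's run of N characters followed by a %u-encoded payload. The 100-character threshold is an assumption chosen to separate the worm's probe (several hundred characters) from legitimate, short Indexing Service queries.

```shell
#!/bin/sh
# Added example (not from the newsletter): scan an IIS log in W3C extended
# format for Code Red style probes, i.e. requests for .ida/.idq resources
# with an overlong query string. The log lines below are CONSTRUCTED to
# illustrate the format; the field layout is assumed (IIS W3C logging with
# these seven fields enabled).

# Write a constructed sample log to the path given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 14:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:00:01 192.0.2.10 GET /index.htm - 200
2001-07-19 14:00:07 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 14:00:09 192.0.2.10 GET /search.idq q=manual 200
2001-07-19 14:01:30 203.0.113.77 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 14:02:11 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
EOF
}

# Print "count ip" for every source that requested a .ida/.idq resource
# with a query longer than the threshold (default 100 chars, an assumption).
# Legitimate Indexing Service queries are short; the worm's overflow string
# is not. Output is sorted with the busiest source first.
find_ida_probes() {
  log=$1
  minlen=${2:-100}
  awk -v minlen="$minlen" '
    /^#/ { next }                                   # skip W3C header lines
    tolower($5) ~ /\.(ida|idq)$/ && length($6) > minlen { hits[$3]++ }
    END { for (ip in hits) print hits[ip], ip }
  ' "$log" | sort -rn
}

# Number of distinct probing sources: a quick "are we being scanned" answer.
count_probe_sources() {
  find_ida_probes "$1" "$2" | wc -l | tr -d ' '
}
```

To use it on a real server, copy the day's log (IIS keeps them under %SystemRoot%\system32\LogFiles\W3SVC1\ as exYYMMDD.log) to a Unix host or use a Windows port of the GNU tools, and call find_ida_probes on that file instead of the constructed one. A non-empty result means the worm has already knocked on your door; whether it got in depends on whether the patch was applied before that request arrived.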
-----------------------------------------------------------
Terminal Services vulnerability
On July 25, Microsoft released MS01-040, which describes another
vulnerability, this time in Terminal Services on Windows 2000 and on
Windows NT 4.0 Terminal Server Edition. Again, there is a bug in a part of
the terminal server on both these platforms. An attacker who can reach the
service could send it malformed packets, causing it to "leak" memory until
the whole server platform grinds to a halt. More information can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-040.asp
It does not appear that this vulnerability can be used to compromise
data or systems; it is limited to a denial of service attack.
Additionally, the attack requires a connection to the Terminal Services
port (TCP 3389), which a properly configured perimeter firewall should not
pass from the Internet anyway, so for most sites the exposure is from
inside the perimeter rather than from outside. If you run Terminal
Server, you should apply the patch.
-----------------------------------------------------------
Unix telnet daemon vulnerability
It's probably time to do away with telnet. If you need convincing,
there's plenty of discussion on BugTraq about various *nix flavors
having vulnerabilities in the telnet daemon. (Daemon: from the Greek
daimon, a spirit or attendant; in computing, a program that runs in the
background and listens on a network interface for incoming connections.)
If you're still running telnetd, you should check with your vendor for an
update or patch, and in the meantime restrict who can reach TCP port 23
with tcp_wrappers or a firewall rule.
At GilbertWalker Group, we are recommending that our clients replace
telnetd with the secure shell daemon (sshd). This provides an immediate
improvement in security by encrypting all traffic between the client and
the server, so that passwords and session contents can no longer be read
by anyone sniffing the network. Additionally, sshd can be configured to
use public-key authentication (the client proves possession of a private
key rather than presenting a password), which removes passwords from the
login exchange entirely; once key logins are working, password
authentication can be switched off in sshd altogether.
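An added example, not from the newsletter, of what "switching off passwords" looks like in practice: a small audit script that reads an sshd_config, flags the settings that undo the benefit of replacing telnetd (SSH protocol 1 still allowed, password logins still accepted, root allowed to log in), and shows the corrected fragment beside the weak one. Both configuration files are constructed samples; the directive names are the standard OpenSSH ones.

```shell
#!/bin/sh
# Added example (not from the newsletter): audit an sshd_config for the
# settings that leave passwords in play, and emit a hardened fragment.
# Both sample configs are CONSTRUCTED; directive names are OpenSSH's.

# A constructed "weak" configuration of the kind that often ships by
# default: protocol 1 still allowed, passwords accepted, root may log in.
write_weak_config() {
  cat > "$1" <<'EOF'
# sshd_config (weak sample, constructed)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# The corrected fragment: protocol 2 only, keys only, no root logins.
# Apply this only after a key pair is installed (ssh-keygen on the client,
# the public key appended to ~/.ssh/authorized_keys on the server) and a
# key login has been tested from a second session, or you lock yourself out.
write_hardened_config() {
  cat > "$1" <<'EOF'
# sshd_config (hardened fragment, constructed)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Print one line per finding; exit 0 if the file is clean, 1 otherwise.
# Only the first non-comment occurrence of a directive counts, matching
# sshd's own "first match wins" rule.
audit_sshd_config() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }            # comments and blanks
    { key = tolower($1); val = tolower($2) }
    seen[key]++ { next }                            # later duplicates ignored
    key == "protocol" && val ~ /1/ {
      print "Protocol allows SSH-1: " $0; bad++ }
    key == "passwordauthentication" && val == "yes" {
      print "PasswordAuthentication yes: passwords still accepted"; bad++ }
    key == "permitrootlogin" && val == "yes" {
      print "PermitRootLogin yes: root can log in directly"; bad++ }
    key == "pubkeyauthentication" && val == "no" {
      print "PubkeyAuthentication no: key logins disabled"; bad++ }
    END { exit (bad > 0) }
  ' "$1"
}
```

Point audit_sshd_config at the live /etc/ssh/sshd_config (path varies by vendor) to see which of the three findings apply; after editing, send sshd a HUP (or restart it) and confirm from a second session before closing the one you are in.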
-----------------------------------------------------------
Networking tool of the month: traceroute
One of the tools network engineers and administrators use to
troubleshoot connectivity problems is called traceroute. The traceroute
program is part of the networking client on most modern software
platforms. (Microsoft operating systems name the program tracert.) It
works by sending probe packets with a deliberately small time-to-live
(TTL): the first probe is allowed one hop, the second two, and so on.
Each router that decrements the TTL to zero discards the probe and sends
back an ICMP "time exceeded" message, which reveals that router's address
and the round-trip time to it. The output from traceroute is therefore a
list of the routers the packets traverse on their way to the destination
address, including the time it takes to reach each "hop". This can tell
the administrator where bottlenecks or failure points occur in complex
networks such as the Internet. One caveat: some routers and firewalls do
not send the ICMP reply (or rate-limit it), which shows up as a row of
asterisks for that hop; that by itself does not mean the path is broken.
The command is issued like this:
traceroute host.domain.com
or on Windows:
tracert host.domain.com
where host.domain.com is the name of the host you want to trace to.
If you're not a network engineer, but you would still like to explore
this tool, NeoWorx has written a traceroute program called NeoTrace with
additional functionality, and a free version is available. This software
goes the extra step of trying to draw as many hops as possible on a map.
It should be understood that not all routers have geographic
information, and some of the assumptions made by the program are less
than optimal. Nevertheless it's an interesting implementation of an old
standard tool. See:
http://www.neoworx.com/ for download information.
-----------------------------------------------------------
A word from our sponsors:
At GilbertWalker Group, we work with our clients to empower them to
effectively manage their own digital voice and data networks. Whether
our clients need independent security audit and review, managed firewall
implementations, a hand deploying cryptographic protocols, or bandwidth
management assistance, GilbertWalker Group stands ready to help. For
more information or to schedule an introductory meeting, please contact
Tom Gilbert at (413) 637-8858 ext. 11 or drop him a line at
info@jsw4.net
If you have comments, questions or suggestions about AdvisorBits, please
send them to John Walker: dev.random@gilbertwalker.com