Joyce Winslow
jwins@oregon.uoregon.edu
Expanding on their original list of Ten Most Critical Internet Security Vulnerabilities,
the SANS Institute and the Federal Bureau of Investigation released a new "Top
Twenty" list last October.
The new list, available at http://www.sans.org/top20.htm,
is designed to heighten awareness of common threats to system security. It includes
seven problems that affect all systems, six vulnerabilities specific to Microsoft
servers, and seven flaws afflicting Unix (including Linux and Solaris). Although
the flaws are not ranked, Microsoft IIS's problems are more widespread than
others because these servers are the most widely used and they are very susceptible
to "back door" incursions (see "What
Vital Security Lessons Can We Learn from Code Red?" in the Fall 2001
issue of Computing News).
Fortunately, most of the major vulnerabilities can be disarmed as long as system
administrators are vigilant and stay informed. The Top Twenty list is designed
to help harried administrators immediately identify, and protect against, the
most common and dangerous attacks by combining the knowledge of leading security
experts from federal agencies, research institutions, universities, and security
software vendors.
Below is a brief summary of the Top Twenty vulnerabilities. (For complete details
and suggested remedies, as well as a list of common vulnerable ports, see http://www.sans.org/top20.htm.)
General vulnerabilities (affecting all systems)
1. Using the default installs of operating systems and applications.
As convenient as these "quick install" software scripts or programs
are, they create major security problems because users fail to realize what
is actually installed. Extraneous services, with their corresponding open ports,
and unneeded sample programs or scripts offer easy avenues of attack that can
go undetected indefinitely. Remove all unnecessary services and install security
patches.
2. Allowing accounts with no passwords or weak passwords. Passwords
that are easily guessed or bypassed, and accounts that require no password at
all, are extremely vulnerable to attack. It's important to know what accounts
are on your system, and check passwords for all of them--including passwords
on systems like routers and Internet-connected digital printers, copiers, and
printer controllers.
3. Not running backups, or doing incomplete backups. Regular, verifiable
backups of mission-critical data are essential to being able to recover from
an attack. Make sure your backup medium is as well protected as your server.
4. Keeping a large number of open ports. Keep only as many ports open
as are necessary to keep your system functioning properly. Close all other ports,
as they can provide possible attack venues for attackers.
5. Not filtering packets for correct incoming and outgoing addresses.
Install a device that blocks decoy, or "spoofed," packets, and test
it often. You must verify the legitimacy of packet addresses coming in and out
of your network.
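The address check described in item 5, written out as an added example (not code from the article or from SANS): a border filter that drops inbound packets claiming one of our own addresses as their source, inbound packets from reserved or private ranges, inbound packets not addressed to us, and outbound packets whose source is not ours. The internal prefix and the sample packets are constructed values.

```python
import ipaddress

# Constructed example: the address block this site owns.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that are never legitimate as a source arriving from the Internet
# (unspecified, RFC 1918 private, loopback, link-local, multicast, reserved).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_verdict(direction, src, dst):
    """Decide what the border filter does with one packet.
    direction is "in" (arriving from the Internet) or "out" (leaving).
    Returns "pass" or a short code naming the rule that dropped it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(src, INTERNAL_NETS):
            return "ingress-spoof"      # outsider pretending to be one of us
        if _in_any(src, BOGON_NETS):
            return "bogon-source"       # source that cannot exist on the Internet
        if not _in_any(dst, INTERNAL_NETS):
            return "not-for-us"         # we are not a transit network
        return "pass"
    if direction == "out":
        if not _in_any(src, INTERNAL_NETS):
            return "egress-spoof"       # our host forging someone else's address
        return "pass"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets (direction, source, destination).
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "192.0.2.20"),   # ordinary inbound traffic
    ("in", "192.0.2.10", "192.0.2.20"),    # inbound with an internal source
    ("in", "10.1.1.1", "192.0.2.20"),      # inbound from a private range
    ("in", "203.0.113.7", "198.51.100.1"), # inbound, not addressed to us
    ("out", "192.0.2.20", "203.0.113.7"),  # ordinary outbound traffic
    ("out", "10.1.1.1", "203.0.113.7"),    # outbound with a foreign source
]


def sample_verdicts():
    """Run the filter over SAMPLE_PACKETS; used for the self-check below."""
    return [filter_verdict(*pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, sample_verdicts()):
        print(f"{pkt[0]:3s} {pkt[1]:>15s} -> {pkt[2]:<15s} {verdict}")
```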
6. Not keeping, or backing up, regular network logs on all key systems.
Keeping close tabs on what's occurring on your network is essential. Without
a network log, if you're victimized, you'll have little chance of discovering
what the attackers did.
7. Running vulnerable CGI programs. Run the latest version of legitimate
CGI programs, and always remove sample programs from production systems. You
should also run a vulnerability scanning tool to check for holes in your site
and apply patches for known vulnerabilities that can't be removed.
Windows vulnerabilities
1. Unicode vulnerability (NT 4.0 with IIS 4.0 and Win2K server with IIS
5.0). Microsoft's security checks can be bypassed if invalid Unicode character
representations are used. For more information, see http://www.wiretrip.net/rfp/p/doc.asp?id=57&face=2
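The underlying lesson of item 1 is that a path check performed before the request is fully decoded can be bypassed by an unusual encoding of the same characters. The following is an added example of the defensive order of operations (decode once, reject invalid or non-shortest-form sequences, canonicalize, then check containment); it is generic illustration code, not IIS's or Microsoft's, and the web root and request paths are constructed values.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote_to_bytes


def resolve_request_path(web_root, request_path):
    """Map a URL path onto a file under web_root.
    Steps: percent-decode exactly once to raw bytes; decode those bytes as
    strict UTF-8 (Python's decoder rejects overlong and otherwise invalid
    sequences, so no alternate spelling of '/' or '.' survives); then
    canonicalize '.' and '..' lexically and make sure the result is still
    under web_root. Returns the resolved path, or None if rejected."""
    raw = unquote_to_bytes(request_path)          # decode once, never twice
    try:
        decoded = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None                                # invalid Unicode representation
    if "\x00" in decoded:
        return None                                # embedded NUL truncates C paths
    parts = []
    for comp in decoded.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue                               # empty or current-directory component
        if comp == "..":
            if not parts:
                return None                        # tried to climb above the web root
            parts.pop()
        else:
            parts.append(comp)
    return str(PurePosixPath(web_root).joinpath(*parts))


if __name__ == "__main__":
    # Constructed sample requests against a constructed web root.
    for req in ("/docs/index.html", "/docs/../../etc/passwd", "/img/%ff%fe.gif"):
        print(f"{req:28s} -> {resolve_request_path('/var/www', req)}")
```

A checker that inspects the encoded string for ".." before this decoding step would accept the second and third requests and is exactly the kind of check the item warns about.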
2. ISAPI extension buffer overflows (Microsoft IIS). To avoid buffer overflow
attacks, watch out for programming errors when extending the capabilities of
an IIS server, and unmap any unneeded ISAPI extensions. Both the IIS Lockdown
tool (available at
http://www.microsoft.com/technet/security/tools/locktool.asp) and the URLScan
filter (http://www.microsoft.com/technet/security/URLScan.asp)
protect against this vulnerability.
3. IIS RDS (Remote Data Services) exploit on NT 4.0 systems. Malicious users
can exploit programming flaws in IIS RDS to run remote commands with administrator
privileges. For complete details, see http://wiretrip.net/rfp/p/doc.asp?id=29&iface=2
4. Unprotected Windows file sharing - NT and 2000. The Server Message Block
(SMB) protocol that enables file sharing over networks can be exploited by hackers.
Enabling file sharing on Windows machines makes them vulnerable to both information
theft and viruses. See http://www.microsoft.com/technet/security/tools/mpsa.asp
5. Anonymous logon ("Null Session" connections) - NT 4.0 and Win2K.
If anonymous users are allowed to retrieve information over the network or to
connect without authentication, your system can be vulnerable to attack. If
you're working in a domain environment, where Null sessions are required for
the controllers to communicate, you can limit the information available to attackers,
but you won't be able to stop all leakage. See "Top Twenty" section
W5 at http://www.sans.org/top20.htm
for full details on how to assess your vulnerability and protect your system.
6. Weak hashing in SAM (LAN Manager hash) - Windows NT and 2000. LAN Manager
password hashes are created by default on NT and 2000 installations. Because
LAN Manager uses a weaker hashing scheme than its more current Microsoft
counterparts, its password hashes can be cracked quickly. For a complete description
of, and solutions for, the LAN Manager hash problem, see "Top Twenty"
section W6 at http://www.sans.org/top20.htm
(Note that the remedies for this problem do not work if you have older systems,
such as Windows 95, on your network. The safest option is to get rid of older
systems altogether, although that may not always be feasible.)
Unix vulnerabilities
1. Buffer overflows in RPC services. Remote procedure calls (RPCs), which allow
programs on one computer to execute programs on another computer, are highly
vulnerable to buffer overflow attacks. The programs' poor error checking leaves
the door open for attackers.
You should turn these programs off, or at the very least, install the latest
patches. See section U1 of the "Top Twenty" at http://www.sans.org/top20.htm
for information on where to get the patches for Solaris, IBM AIX, SGI, Compaq
(Digital) UNIX, and Linux systems. Most versions of Linux are potentially affected.
To protect your system, upgrade to the latest version of sendmail and/or apply
the patches. For complete details on sendmail's vulnerabilities and their remedies,
see http://www.cert.org/advisories/CA-1997-05.html
3. BIND (Berkeley Internet Name Domain) weaknesses - potentially affects
most versions of UNIX and Linux. This widely used implementation of Domain
Name Service (DNS), which locates systems on the Internet without having to
know specific IP addresses, is another popular target for attack. In the worst-case
scenario, BIND can be exploited to allow intruders to erase system logs and
install tools to gain root access. Outdated versions of BIND also include buffer
overflow vulnerabilities.
For more details on BIND problems and a list of precautions for systems administrators,
see section U3 of the "Top Twenty" list at http://www.sans.org/top20.htm
4. r Commands (affects most variants of UNIX, including Linux).
r commands, which enable system administrators to access a remote system
without a password, can be exploited by attackers with ruinous results. If an
attacker gains control of any machine with a trusted IP address, he or she can
then use r commands to overtake all other machines that trust the hacked machine's
address. The best defense is not to allow IP-based trust relationships, and
not to use r commands. Never allow the ".rhosts" file in the root
account, and use the UNIX "find" command regularly to look for any
".rhosts" files that may have been created on other user accounts.
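The periodic search for ".rhosts" files that item 4 recommends, as an added example (not code from the article): it walks the filesystem the way `find / -name .rhosts` would, but also grades each file, flagging one in the root account or one containing the "+" wildcard (trust any host or any user) as critical. The directory tree it runs on is constructed inline for illustration.

```python
import os
import tempfile
from pathlib import Path


def audit_rhosts(root):
    """Report every .rhosts file under `root` with a severity:
      critical - belongs to the root account, or a line uses the '+'
                 wildcard in the host or user field
      review   - an ordinary .rhosts file; justify it or remove it
    Returns a sorted list of (path, severity) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".rhosts" not in files:
            continue
        path = Path(dirpath) / ".rhosts"
        severity = "critical" if Path(dirpath).name == "root" else "review"
        for line in path.read_text(errors="replace").splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue                          # blank line or comment
            if "+" in fields:                     # wildcard host or user
                severity = "critical"
                break
        findings.append((str(path), severity))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample, not a real system: four accounts, three with .rhosts."""
    base = Path(tempfile.mkdtemp())
    (base / "root").mkdir()
    (base / "root" / ".rhosts").write_text("backup.example.com root\n")
    (base / "home" / "alice").mkdir(parents=True)
    (base / "home" / "alice" / ".rhosts").write_text("# trust everyone\n+ +\n")
    (base / "home" / "bob").mkdir(parents=True)
    (base / "home" / "bob" / ".rhosts").write_text("ws1.example.com bob\n")
    (base / "home" / "carol").mkdir(parents=True)
    return base


def sample_findings():
    """Audit the constructed tree and strip the temporary prefix from paths."""
    base = build_sample_tree()
    return [(p[len(str(base)):], s) for p, s in audit_rhosts(base)]


if __name__ == "__main__":
    for path, severity in sample_findings():
        print(f"{severity:8s} {path}")
```

On a real host, call audit_rhosts("/") (as root, so every home directory is readable) and also review /etc/hosts.equiv, which grants the same IP-based trust system-wide.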
5. LPD (remote printer protocol daemon) - affects most variants of
Linux, as well as Solaris 2.6, 7, and 8 for SPARC and x86. The code that
transfers print jobs from one machine to another has an error that creates a
buffer overflow vulnerability. If the daemon is given too many jobs within a
short time, it will either crash or run arbitrary code with elevated privileges.
For Solaris patch information, see Sun's Security Bulletin #206 at http://sunsolve.sun.com/security
The CERT Advisory for this topic is available from http://www.cert.org/advisories/CA-2001-15.html
A patch for Linux can be found at http://redhat.com/support/errata/RHSA-2001-077.html
6. Sadmind and mountd - affects multiple versions of UNIX. These commands are both vulnerable to buffer overflow attacks that allow intruders to gain control with root access. For additional information, see
http://www.cert.org/advisories/CA-1999-16.html
http://www.cert.org/advisories/CA-1998-12.html
7. Default SNMP (Simple Network Management Protocol) strings - UNIX. A
weak authentication mechanism makes this protocol, which is widely used by network
administrators to monitor and administer all types of network-connected devices,
easily subverted by attackers. Attackers can use this vulnerability in SNMP
to reconfigure or shut down devices remotely. (Note that SNMP is also used in
Windows administration, but it has not been a major problem on Windows systems.)
The best protection is to disable SNMP if you don't require it. Otherwise, you
should beef up your authentication requirements as described in "Top
Twenty" section U7 at http://www.sans.org/top20.htm