On Sat, 2003-10-18 at 18:18, Andrew Sturman wrote: > Just in case you haven't seen it. > http://www.secunia.com/advisories/10004/ Looks like this calls me ;-) Actually, this security bulletin is not very well researched. We worked with Noam Rathaus of www.securityteam.com on this issue. We passed him complete information, including the vulnerable versions and fix. Unfortunately, none of that went into the advisory. Please visit http://www.adiscon.com/Common/en/advisory/2003-09-15.asp For the full details. A short breakdown: Interactive Server, a debugging and interactive troubleshooting tool, included in WinSyslog and MonitorWare Agent, has a vulnerability in it. All versions downloaded prior to 2003-09-16 have the vulnerable component. Noam claimed that this vulnerability can lead to an operating system DoS, but we were never able to reproduce this - but of course I can not outrule it. Play safe, install the patch. The core issue is that we hand over the data to a Microsoft Grid Control, which in turn experiences the the performance issues that lead to DoS of the Interactive Server. It is fixed by limiting the amount of data that is passed over. As a side note: if you run Interactive Server for serious logging needs, please reconsider your decision. It was never designed for this (nor do our samples promote this). Use the service instead. Email my privately if you do it and need assistance in setting up the service correctly. Please note that the solution proposed in the advisory does NOT work. The solution is to download the fix. It does not work, because: >Run the WinSyslog service and interactive syslog server on the same >system and make sure that the interactive syslog server only binds to >the localhost (127.0.0.1) interface. WinSyslog Interactive Server can not be configured to listen to 127.0.0.1, only (looking at the menu options would have showed that ;-)) >In infrastructures where the WinSyslog service and the interactive >syslog server is required to be on two separate systems, they should be >placed on their own network with a filtering device in front. This >should only allow traffic to the syslog service on port 514/udp and >services required for management purposes. >From an architectural point of view, relying on an interactive, non-automated process is bad design and includes many more potential security issues. There is no need to do this with WinSyslog, so don't do it. >NOTE: It is not sufficient to just filter traffic to port 10514/udp so >only traffic from trusted IPs is accepted, since UDP traffic is easily >spoofed. This is true, but proper filtering would block the spoofed traffic before it enters the internal network. Sorry for a somewhat lengthy response. I have to admit that I was not very delighted by the advisory. Not because it is there - I believe in full disclosure and information sharing - but because of the poor quality it has *even after talking to one of the researches* (and yes, I have records of those conversations ;)). Back to log analysis... (any flames please privately). Rainer _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:04:17 PDT