
Archive for the ‘Advisories’ Category

Symantec advice on pcAnywhere

Thursday, January 26th, 2012

Following the unauthorized release by the hacker collective Anonymous of source code relating to several Symantec products, Symantec have stated that a significant risk of exploitation exists for pcAnywhere versions 12.0, 12.1 and 12.5, and for earlier, unsupported versions.

A recommendation direct from Symantec (see URL below) states “At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks”.

The concern is a potential man-in-the-middle attack against pcAnywhere sessions that could capture credentials and so allow unauthorized access to the systems involved.

The pcAnywhere Security Recommendations direct from Symantec are located at the following URL:
http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

For any further advice or assistance on this matter contact JANET CSIRT at irt@csirt.ja.net or on 0300 999 2340.

BIND 9 Resolver crashes after logging an error in query.c

Thursday, November 17th, 2011

Over the last 24 hours a number of organizations on the Internet have reported crashes of BIND servers while performing recursive queries. A vulnerability appears to be being exploited whereby a network event causes an invalid record to be cached; subsequent requests for that record then cause named to crash with an error in query.c and the message:

"INSIST(! dns_rdataset_isassociated(sigrdataset))"

BIND 9.4-ESV-R, BIND 9.6-ESV-R, BIND 9.7 and BIND 9.8 appear to be affected. Further details are available at https://www.isc.org/software/bind/advisories/cve-2011-4313

Microsoft Windows Remote Code Execution

Wednesday, November 9th, 2011

Yesterday’s Patch Tuesday saw Microsoft release a critical security bulletin (Microsoft Exploitability Index rating 2). The vulnerability is an integer overflow in the Windows TCP/IP stack: an affected system does not correctly handle a continuous stream of specially crafted UDP packets sent to a port on which no service is listening.

Each such packet increments a reference counter, and a sustained stream eventually overflows it. The result may be a denial of service, a system crash, memory corruption or, in the worst case, remote code execution. Because such packets are normally filtered at the network perimeter, and because a very large number of packets is required for the attack to succeed, Microsoft currently rate the likelihood of exploitation as low. Nonetheless, there is a strong likelihood that worm-based attacks will be developed to exploit this vulnerability.

http://technet.microsoft.com/en-us/security/bulletin/ms11-083

JBoss vulnerability

Friday, October 21st, 2011

Over the last week we have seen an increase in sequential TCP/80 scanning. The one attribute common to all of the sites from which we have detected this scanning originating is that they are running JBoss.

It appears that the malware spreads via unprotected JMX consoles, using the console to execute code as the JBoss user on the host.

A site which has investigated this has advised us about the malware conducting the scanning.

“The malware appears to scan out for some vulnerability in /jmx-console/HtmlAdaptor before connecting to an HTTP bot at magicstick.dyndns-remote.com.” An update for the JBoss enterprise server that mitigates this vulnerability was released last year:

https://access.redhat.com/kb/docs/DOC-30741

So far the attacks we have observed have been limited to a couple of different applications.
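As an added example (not JANET CSIRT code) of spotting the sequential TCP/80 scanning described above in a site's own flow data, the Python below flags sources whose distinct port-80 destinations are numerous and mostly consecutive addresses. The CSV flow format and every record are constructed for the example; real collector exports differ.

```python
"""Flag sources performing sequential TCP/80 scanning in flow records.

Added example (not JANET CSIRT code). The CSV flow format (src,dst,dport,proto)
and every record below are constructed for the example; real collector exports
(nfdump, Argus, sFlow) differ, so adjust parse_flows() to match.
"""
import ipaddress
from collections import defaultdict


def parse_flows(text):
    """Yield (src, dst, dport, proto) from CSV lines, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        yield src, dst, int(dport), proto.lower()


def sequential_scan_sources(flows, dport=80, min_targets=8, min_sequential=0.75):
    """Return {src: (distinct_targets, sequential_fraction)} for sources whose
    distinct TCP destinations on `dport` are numerous and mostly consecutive.

    sequential_fraction is the share of adjacent pairs, in address order, that
    differ by exactly one. A host browsing unrelated web servers scores near 0;
    a host walking a /24 scores near 1.
    """
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port == dport:
            targets[src].add(int(ipaddress.ip_address(dst)))

    scanners = {}
    for src, dsts in targets.items():
        if len(dsts) < max(min_targets, 2):  # need at least one pair to compare
            continue
        ordered = sorted(dsts)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        fraction = sum(1 for s in steps if s == 1) / len(steps)
        if fraction >= min_sequential:
            scanners[src] = (len(dsts), round(fraction, 2))
    return scanners


# Constructed sample: 10.9.8.7 walks 192.0.2.1-12 on TCP/80 (with one repeat),
# 10.9.8.20 browses eight unrelated web servers, 10.9.8.30 sweeps TCP/22 instead.
SAMPLE_FLOWS = "\n".join(
    ["# src,dst,dport,proto"]
    + [f"10.9.8.7,192.0.2.{i},80,tcp" for i in range(1, 13)]
    + ["10.9.8.7,192.0.2.5,80,tcp", "10.9.8.7,192.0.2.53,53,udp"]
    + [f"10.9.8.20,198.51.100.{i},80,tcp" for i in (4, 17, 33, 90, 140, 200, 210, 250)]
    + [f"10.9.8.30,192.0.2.{i},22,tcp" for i in range(1, 13)]
)


def detect_sample():
    """Run the detector over the constructed flows."""
    return sequential_scan_sources(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for src, (n, fraction) in detect_sample().items():
        print(f"{src}: {n} distinct TCP/80 targets, {fraction:.0%} consecutive")
```

Feed the detector egress flows only, so that inbound scans of your own address space are not attributed to your hosts, and lower min_sequential if the scanner randomises its order within a range rather than walking it.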

If you would like further information or assistance investigating this issue please contact JANET CSIRT.

Update available for Denial of Service vulnerability in Apache 2.x

Wednesday, August 31st, 2011

The Apache Software Foundation has released version 2.2.20 of the Apache HTTP Server, which fixes the bug that left servers vulnerable to a denial of service attack. More information is available in the Foundation's announcement.

If you are using an installation of Apache packaged by a particular vendor or distribution then you should check their security updates, or contact them for further information. We recommend that you upgrade your Apache installations as soon as possible.

Comodo compromise and the JANET Certificate Service

Thursday, March 24th, 2011

There has been some coverage in the news of the blacklisting of certain SSL certificates issued by Comodo. An account belonging to a single reseller was compromised, and a limited number of certificates were fraudulently issued for high-profile sites. More details are available from Comodo, Microsoft and Mozilla.

The JANET Certificate Service has not been affected in any way.

Vulnerability in Exim, leads to root privileges

Tuesday, December 14th, 2010

A vulnerability has been discovered in the version of the exim MTA installed by default in the latest stable release of Debian/lenny. A further flaw in the default configuration allows escalation to root privileges. This is now being exploited widely.

Debian have released a security update for the first issue, and will shortly be releasing an update to address the escalation issue. More details are available at:

http://www.debian.org/security/2010/dsa-2131

Other installations of exim may also be vulnerable; please check with your vendor for further information. Red Hat have released the following document:

https://access.redhat.com/kb/docs/DOC-43789

You can check the version of your exim server by running:

/usr/sbin/exim -bV

Your system should be safe if it is version 4.70 or later, or, in the case of Debian/lenny, if the build date shown is Friday 10th December 2010 or later (Debian backported the fix without changing the 4.69 version number).
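Both this advisory and the Apache 2.2.20 advisory above come down to "read the version banner and compare". The Python below is an added example (not JANET CSIRT code) that does that for the output of exim -bV and of httpd -v, using the thresholds stated in the two advisories. The build-date rule is applied only when the caller says the package is Debian/lenny's, because that is the only backport the advisory describes; the sample banners are constructed, not captured from real hosts.

```python
"""Judge exim and Apache installs against the fixed releases in the advisories above.

Added example (not JANET CSIRT code). Thresholds come from the two advisories:
exim 4.70 or later, or for Debian/lenny a build dated 10 Dec 2010 or later;
Apache HTTP Server 2.2.20 or later. All sample command output is constructed.
"""
import re
from datetime import date, datetime

EXIM_FIXED_VERSION = (4, 70)
LENNY_FIXED_BUILD_DATE = date(2010, 12, 10)
APACHE_FIXED_VERSION = (2, 2, 20)

# First line of `exim -bV`, e.g. "Exim version 4.69 #1 built 10-Dec-2010 18:12:40"
EXIM_RE = re.compile(
    r"^Exim version (\d+)\.(\d+)\S* #\d+ built (\d{2}-[A-Za-z]{3}-\d{4})", re.M
)
# First line of `httpd -v` / `apache2 -v`, e.g. "Server version: Apache/2.2.19 (Unix)"
APACHE_RE = re.compile(r"^Server version: Apache/(\d+)\.(\d+)\.(\d+)", re.M)


def exim_status(output, debian_lenny=False):
    """Return 'fixed', 'vulnerable' or 'unknown' for the text printed by `exim -bV`.

    Upstream fixed the issue in 4.70. Debian/lenny backported the fix into its
    4.69 package without changing the version string, so for lenny (and only
    lenny, as the advisory states) a build date on or after 10 Dec 2010 counts.
    """
    m = EXIM_RE.search(output)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    built = datetime.strptime(m.group(3), "%d-%b-%Y").date()
    if version >= EXIM_FIXED_VERSION:
        return "fixed"
    if debian_lenny and built >= LENNY_FIXED_BUILD_DATE:
        return "fixed"
    return "vulnerable"


def apache_status(output):
    """Return 'fixed', 'vulnerable' or 'unknown' for the text printed by `httpd -v`.

    Only the 2.2.x branch is compared against 2.2.20; any other branch returns
    'unknown' so the caller asks the vendor rather than trusting a guess. Vendor
    packages that backport the fix without bumping the version also need the
    vendor's own advisory, as the Apache post above says.
    """
    m = APACHE_RE.search(output)
    if not m:
        return "unknown"
    version = tuple(int(g) for g in m.groups())
    if version[:2] != (2, 2):
        return "unknown"
    return "fixed" if version >= APACHE_FIXED_VERSION else "vulnerable"


# Constructed banners (not captured from real hosts).
EXIM_OLD = "Exim version 4.69 #1 built 20-Nov-2008 08:55:26\nCopyright (c) University of Cambridge 2006\n"
EXIM_LENNY_REBUILT = "Exim version 4.69 #1 built 10-Dec-2010 18:12:40\nCopyright (c) University of Cambridge 2006\n"
EXIM_NEW = "Exim version 4.72 #1 built 01-Jun-2010 09:00:00\n"
APACHE_OLD = "Server version: Apache/2.2.19 (Unix)\nServer built:   May 20 2011 12:00:00\n"
APACHE_FIXED = "Server version: Apache/2.2.20 (Unix)\n"
APACHE_OTHER_BRANCH = "Server version: Apache/2.0.64 (Unix)\n"


def check_samples():
    """Run every constructed banner through the checks; keys name the case."""
    return {
        "exim_old": exim_status(EXIM_OLD),
        "exim_lenny_rebuilt_as_lenny": exim_status(EXIM_LENNY_REBUILT, debian_lenny=True),
        "exim_lenny_rebuilt_not_lenny": exim_status(EXIM_LENNY_REBUILT),
        "exim_new": exim_status(EXIM_NEW),
        "apache_old": apache_status(APACHE_OLD),
        "apache_fixed": apache_status(APACHE_FIXED),
        "apache_other_branch": apache_status(APACHE_OTHER_BRANCH),
    }


if __name__ == "__main__":
    for case, status in check_samples().items():
        print(f"{case:30s} {status}")
```

On a live host, pipe the real banner in (for example `subprocess.run(["/usr/sbin/exim", "-bV"], capture_output=True, text=True).stdout`) and set debian_lenny from your package manager, not from the banner, since the banner alone cannot tell a rebuilt lenny package from an unpatched 4.69 compiled elsewhere.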

Increase in Conficker/malware reports

Saturday, June 12th, 2010

There has been an increase in the number of automated Conficker/malware reports we have processed in recent days, and the information we have suggests it is related to a recent drive-by download.

An attack which started on 7th June involved compromising third-party websites and redirecting their visitors to the site hosting the payload, ww.robint.us/u.js. This domain has since been taken over by Shadowserver, a trusted third party who monitor Internet-wide malware infections, and pointed at their HTTP sinkholes for analysis. As we track traffic to the Shadowserver HTTP sinkholes, this has increased the number of false positives that may be present in our automated Conficker/malware reports.

Below is a short summary of the number of flows we have logged to the Shadowserver HTTP sinkholes over the last 12 complete days. It shows a jump from 7th June, the day the attack started: the daily count rose from a previous maximum of 3085 (and an average of about 2750) to between 4311 and 4931, an increase of roughly 40% on the busiest earlier day and around 70% on the average.

Date        Flows to Shadowserver HTTP sinkholes
29th May    2687
30th May    2933
31st May    2561
1st June    3085
2nd June    2906
3rd June    2922
4th June    2789
5th June    2421
6th June    2491
7th June    4311
8th June    4922
9th June    4931

There is therefore an increased probability that flows we list in our automated Conficker/malware reports come not from infected hosts but from hosts that visited a compromised website and in turn attempted to download the malware payload, which is now inaccessible because of the Shadowserver takeover of the payload site. It would be advisable to match the flows in these reports against the HTTP query strings in your own logs, where available, to filter out some of these false positives; JANET CSIRT are unable to do this as we only record limited IP and some layer 4 details.
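One way to do that matching, as an added example (not JANET CSIRT code): the Python below takes the internal hosts named in a sinkhole flow report and a Squid native-format access log, and separates hosts whose sinkhole contact is explained by a request for /u.js on the robint.us domain (a browser fetching the drive-by payload) from hosts with no such request, which still need investigating as possible infections. The log format is assumed and all log lines and addresses are constructed.

```python
"""Triage hosts from a sinkhole flow report using the site's own proxy log.

Added example (not JANET CSIRT code). It assumes a Squid native-format
access.log and the list of internal hosts named in the automated report. A host
whose sinkhole contact matches a proxy request for /u.js on the robint.us
domain was a browser fetching the drive-by payload, which is now sinkholed, and
is not necessarily infected. All log lines and addresses are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

PAYLOAD_DOMAIN = "robint.us"  # domain of the payload site named in the report text
PAYLOAD_PATH = "/u.js"


def parse_squid_line(line):
    """Return (client_ip, method, url) from one Squid native-format line, else None.

    Native format: timestamp elapsed client code/status bytes method URL rfc931 peer type
    """
    parts = line.split()
    if len(parts) < 7:
        return None
    return parts[2], parts[5], parts[6]


def is_payload_fetch(url):
    """True if the URL points at /u.js on robint.us or any of its subdomains."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    on_domain = host == PAYLOAD_DOMAIN or host.endswith("." + PAYLOAD_DOMAIN)
    return on_domain and u.path == PAYLOAD_PATH


def triage(reported_hosts, proxy_lines):
    """Split reported hosts into 'drive_by' (a payload fetch explains the flow)
    and 'unexplained' (no such request seen; investigate as a possible infection)."""
    fetches = defaultdict(list)
    for line in proxy_lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, _method, url = parsed
        if is_payload_fetch(url):
            fetches[client].append(url)

    drive_by = {h: fetches[h] for h in reported_hosts if h in fetches}
    unexplained = [h for h in reported_hosts if h not in fetches]
    return {"drive_by": drive_by, "unexplained": unexplained}


# Constructed inputs: three internal hosts named in a report, and a proxy log in
# which only 10.1.2.3 (of those three) requested the sinkholed, hence 503, payload.
REPORTED_HOSTS = ["10.1.2.3", "10.1.2.4", "10.1.2.9"]
SQUID_LOG = """\
1275900001.123    120 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.ac.uk/news.html - DIRECT/192.0.2.20 text/html
1275900002.456     80 10.1.2.3 TCP_MISS/503 0 GET http://ww.robint.us/u.js - DIRECT/192.0.2.10 -
1275900003.789    300 10.1.2.4 TCP_MISS/200 8000 GET http://www.example.org/ - DIRECT/192.0.2.30 text/html
1275900004.000     90 10.1.2.5 TCP_MISS/503 0 GET http://ww.robint.us/u.js - DIRECT/192.0.2.10 -
"""


def triage_sample():
    """Run the triage over the constructed report and log."""
    return triage(REPORTED_HOSTS, SQUID_LOG.splitlines())


if __name__ == "__main__":
    result = triage_sample()
    for host, urls in result["drive_by"].items():
        print(f"{host}: drive-by victim, fetched {', '.join(urls)}")
    for host in result["unexplained"]:
        print(f"{host}: no payload fetch in proxy log, investigate")
```

A host can of course be both a drive-by victim and infected, so the 'drive_by' bucket lowers priority rather than closing the case; the 'unexplained' bucket is where to start, and hosts that reach the sinkhole without going through the proxy at all will only ever land there.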

More on the University of Exeter outbreak

Friday, January 29th, 2010

We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at

http://support.microsoft.com/kb/975517

Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic ‘downloader’.

There is no reason to suspect that this malware poses a specific threat to other JANET-connected sites, and we have not seen any infections elsewhere. It is worth mentioning a few best practices that reduce the risk from this and similar infections:

- Ensure that operating systems are kept fully patched
- Ensure that anti-virus definitions are kept up to date
- By default, block Windows LAN service ports at your network border

Vulnerability in Microsoft Internet Explorer

Wednesday, January 20th, 2010

There are reports of targeted attacks exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. The vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Prevention (DEP) appears to protect users of versions 7 and 8, leaving users of Internet Explorer 6 particularly exposed.

Whilst we are not aware of this vulnerability being widely exploited, the targeted nature of the attacks may see it used against particular sites. An update is not yet available, but Microsoft have released advice that may mitigate an attack. More details are available at:

http://www.kb.cert.org/vuls/id/492515
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://support.microsoft.com/kb/979352

Microsoft yesterday announced that they plan to release an update for this issue outside of their normal patch schedule.

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
