Looking for a great way to get fired? I can’t think of a better way than to have your network grind to a halt because you failed to patch a well-known vulnerability, and I also can’t think of any more obvious problems than the ones that are on the Federal Bureau of Investigation’s top 20 list of the most dangerous threats to cybersecurity. Let’s face it, by the time a computer problem gets the attention of the FBI, it’s pretty well known, and you only have yourself to blame if you get caught with your patches down.
The top 20 list is actually three lists in one, containing seven general warnings, six Windows NT/2000-specific notices, and seven UNIX/Linux vulnerabilities.
The first list is very general. It covers:
- Warnings against simply using default installations of operating systems and applications.
- Failure to mange passwords correctly.
- Having too many network ports open on a firewall.
- Poor backup procedures.
- Poor logging.
- Failure to check and filter for spoofed IP addresses in packets.
- Common Gateway Interface (CGI) holes (particularly those data collection routines that are often included as samples with Web server software).
Except for the packet-filtering warning and the CGI problems, those general warnings are pretty obvious and should be known to almost anyone with a minimal background in security. Hopefully, you can take advantage of their inclusion on the FBI list to get management to pay attention to these problems, which you may have been harping on since you took over network security.
Six Microsoft-related problems
- Failure of IIS to correctly manage nonstandard Unicode sequences
This problem occurs because it’s possible to insert obsolete but still valid items in a Unicode number—for example, “/” = “%2f” is the standard configuration, but “%c0%af” also interprets as “/” and IIS doesn’t perform a security check on these extra long Unicodes.
- ISAPI extension buffer overflows including idq.dll
See this Locksmith column for the details of this vulnerability.
- IIS Remote Data Service (RDS) vulnerability
This is covered in Security Bulletin MS98-004. RDS is a default installation from the NT Option Pack and thus is on a lot of systems. The DataFactory component of RDS can allow unauthorized Internet access to OLE databases.
- NetBIOS file share vulnerability
Improper configuration of the Common Internet File System (CIFS) can give full system access to an attacker using the Internet. This vulnerability appears when users make their hard drive files accessible by network users. The free Microsoft Personal Security Advisor download monitors these potential holes in the Server Message Block (SMB) protocol that NetBIOS uses.
- Null session connections
The infamous anonymous logon can be very helpful for those wishing to make their data freely available, but this can open a door to intruders. For some systems, the fix is not to block null sessions but to limit the kind of data they can access. Most networks should block TCP and UDP ports 445 and 135 through 139 to stop all null sessions.
- Weak password hashing in SAM
Every Windows user gets legacy LAN Manager support by way of password hashes installed by default on NT and Win2K systems. LAN Manager has very weak encryption, so you need to disable it unless you absolutely need to leave it active for legacy interoperability.
Seven UNIX vulnerabilities
- Buffer overflow vulnerabilities in remote procedure calls (RPCs)
These RPC vulnerabilities (mostly rpc.ttdserverd, rps.cmsd, and rpc.stad) are common in most versions of UNIX and allow access to network services, including NFS file sharing and NIS centralized login. These buffer overflows have been responsible for a vast number of denial of service attacks, especially against Department of Defense systems. Internet-connected computers should have these services disabled/removed or at least have the latest patches installed if the services are necessary to operations.
- Sendmail holes
Shame on you if you let this one get past you; it was the subject of the very first CERT advisory back in 1988. Older versions of Sendmail have a number of weaknesses, including one that will allow attackers to have passwords mailed to them.
- BIND weaknesses
The Berkeley Internet Name Domain (BIND) system has a number of vulnerabilities. See this Locksmith column for the details.
- UNIX “R command” vulnerabilities
These commands—such as rlogin, rsh, and rcp—let one person administer a number of UNIX systems quickly and easily by allowing access without a password by permitting anyone from a trusted IP address to access system commands. Protect your systems by blocking these IP-based trust relationships.
- LPD vulnerabilities
The in.lpd print protocol daemon monitors TCP port 515 for print requests. A flood of requests sent to that port can cause a crash or allow an attacker to run arbitrary code. This affects Solaris and most Linux versions.
- Sadmind and mountd problems
Sadmind and mountd buffer overflows can be exploited to give attackers root access.
- Using default SNMP strings
Simple Network Management Protocol (SNMP) is used to control printers, computers, and routers remotely, but the unencrypted username/password (called a community name) allows easy access. Even worse, most default installations use public as the authentication text, and most of the rest use private instead. This makes it unnecessary to even sniff SNMP traffic to learn the community string needed to access the administration tools. The answer is to close down SNMP unless you really need it and, if so, use a more inventive community name.
Unless you’ve just taken over network security, you probably know about most of these vulnerabilities listed by the FBI, but just imagine how bad your position would be if your predecessor had ignored these vulnerabilities and a virus or an attack by a hacker led to significant network downtime on your watch. The boss may never know how many rare, but important, vulnerabilities you have plugged, but he or she will never forget when you missed one and it led to significant downtime, lost productivity, and a drain on company funds.
Do you have all of these vulnerabilities covered?
We look forward to getting your input and hearing your experiences regarding this topic. Post a comment or a question about this article.