By Jake Edge
December 17, 2008
A light-on-details warning—issued late on a Friday no less—had
users of the Asterisk telephony
platform scrambling recently. It was issued by a US government group that
includes the FBI, which tends to attract attention, and warned of unspecified
vulnerabilities that would allow "vishing" attacks using subverted Asterisk
systems. Vishing is a relatively new scam that uses phone calls in
phishing expeditions (the name comes from combining 'voice' with
'phishing'), but typically using systems that are owned and run by the
scammers.
Evidently, the FBI received word that Asterisk systems were being subverted
by way of a vulnerability (AST-2008-003)
reported last March. Systems were
then used to make "thousands of vishing telephone calls [...]
within one hour" trying to elicit
personal information—generally credit card numbers—from victims.
By using caller ID spoofing techniques those calls
could appear to be coming from the credit card company itself.
Typically, a
pre-recorded message would give the user another number to call, where they
would be prompted to enter the information via an interactive voice
response (IVR) interface.
Asterisk is a multi-purpose free software suite that can act as a private branch
exchange (PBX), handle VoIP traffic, do IVR, and more. Because it provides
such a general-purpose platform, it makes an attractive target.
It is probably also enticing to control such a device that is being run
by—and can be traced to—someone else. But the folks at
Digium—original developers and primary maintainers of
Asterisk—don't
really think the
problem is as bad as was indicated.
The original problem was fixed months ago, so it clearly irks the Digium
folks that it has been fingered now. In addition, the original advisory
didn't even point to the vulnerability so users and Digium were left to
guess what exactly was being exploited. The advisory was updated
to include information about AST-2008-003, but there is still some
skepticism about the potential for exploitation.
On Digium's blog, community manager John Todd thinks
the problem was overstated:
While I won't get into the details of configuration specifics, I would say
that an administrator would have to consciously configure their system in
what I believe to be an extremely unusual way in order to be victimized by
this particular vulnerability. The flexibility of Asterisk lets a
developer do almost anything, but it seems that there would need to be an
almost absurd configuration circumstance that would allow this bug to be
harmful in the way described.
While it may well be that this particular vulnerability is difficult to
exploit, there will likely be others down the road that are less so. While
some users may be getting a little more wary about phishing and email-based
scams in general, phone calls have generally been considered more trustworthy.
But it is no longer true that phone numbers are definitely traceable back to
a physical location with a billed party known by the telephone company. Much
of this information can be spoofed or re-routed in ways that make detection
more difficult.
Phones have certainly been used in scams over the years, but the advent of
caller ID has tended to put an undeserved stamp of authenticity on certain
calls. If a pre-recorded message purports to come from GiantCompany and the
caller ID entry has that name, it is easy to conclude that the call is genuine.
Much of the same effort that has gone into educating the public about phishing
will also need to be applied to vishing.
This is certainly not the first instance of PBX systems being abused either.
Subverting PBXs for free long distance calls is a longstanding trick in the
"phreaking" community. But Asterisk provides a much more capable platform,
and thus a much more useful tool, both for those who run them and those who
subvert them. Asterisk users need to keep that in mind when security
issues come to light.
Brief items
Google has posted a Browser Security Handbook, written by Michal Zalewski. "This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities." It is thick and detailed enough to make it clear that no web application developer can ever hope to understand all of the relevant details.
New vulnerabilities
aview: insecure tmp file usage
| Package(s): | aview |
| CVE #(s): | CVE-2008-4935 |
| Created: | December 15, 2008 |
| Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file in an insecure manner when processing files. A local attacker could perform symlink attacks to overwrite arbitrary files on the system with the privileges of the user running the application. |
dovecot: improper permissions
| Package(s): | dovecot |
| CVE #(s): | CVE-2008-4870 |
| Created: | December 15, 2008 |
| Updated: | January 20, 2009 |
| Description: | From the Gentoo advisory: The dovecot.conf is world-readable, providing improper protection for the ssl_key_password setting (CVE-2008-4870). |
drupal: multiple vulnerabilities
| Package(s): | drupal |
| CVE #(s): | |
| Created: | December 15, 2008 |
| Updated: | December 17, 2008 |
| Description: | What little information there is comes from the Drupal security announcement: Cross site request forgery: The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. Cross site scripting: When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier. |
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CVE-2008-5078 |
| Created: | December 15, 2008 |
| Updated: | March 2, 2009 |
| Description: | From the Red Hat advisory: Several buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306, CVE-2008-5078) |
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2008-5505, CVE-2008-5510 |
| Created: | December 17, 2008 |
| Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505) A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510) |
freeradius: symlink attacks
| Package(s): | freeradius |
| CVE #(s): | CVE-2008-4474 |
| Created: | December 16, 2008 |
| Updated: | December 17, 2008 |
| Description: | From the SUSE advisory: freeradius-dialupadmin was prone to symlink attacks via temporary files. |
honeyd: insecure tmp file usage
| Package(s): | honeyd |
| CVE #(s): | CVE-2008-3928 |
| Created: | December 15, 2008 |
| Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported an insecure temporary file usage within the "test.sh" script. A local attacker could perform symlink attacks and overwrite arbitrary files with the privileges of the user running the application. |
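The insecure temporary-file pattern behind the aview, freeradius-dialupadmin and honeyd entries, as an added example that is not code from any of those projects: inside a scratch directory constructed for the demonstration it plants a symlink at a predictable name, then shows that a plain open() writes through the link while an O_CREAT|O_EXCL|O_NOFOLLOW open refuses it. The file names and the scratch directory are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Insecure pattern, modelled on the "/tmp/aview$$.pgm" naming from the
 * advisory: a predictable name opened without O_EXCL, so open() follows a
 * symlink that another local user planted at that name beforehand. */
static int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST on any existing entry,
 * symlink included, and O_NOFOLLOW adds ELOOP as a second line of defence.
 * mkstemp() applies the same flags and also picks an unpredictable name. */
static int open_tmp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the attack in a scratch directory constructed here (not the real
 * /tmp): create a victim file, plant a symlink to it at the "predictable"
 * name, then open that name with the chosen pattern. Returns 1 if the victim
 * file ended up overwritten, 0 if the open was refused, -1 on setup error. */
int symlink_overwrites_target(int use_secure) {
    char dir[] = "/tmp/symdemoXXXXXX", target[256], link[256], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/aview1234.pgm", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("original\n", f);
    fclose(f);
    if (symlink(target, link) != 0) return -1;
    int fd = use_secure ? open_tmp_secure(link) : open_tmp_insecure(link);
    if (fd >= 0) {                 /* the write lands wherever the link points */
        if (write(fd, "clobbered\n", 10) != 10) return -1;
        close(fd);
    }
    if (!(f = fopen(target, "r"))) return -1;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    unlink(link); unlink(target); rmdir(dir);
    return strcmp(buf, "clobbered\n") == 0;
}
```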
jasper: multiple vulnerabilities
| Package(s): | jasper netpbm ghostscript |
| CVE #(s): | CVE-2008-3520, CVE-2008-3522 |
| Created: | December 17, 2008 |
| Updated: | January 4, 2012 |
| Description: | From the Gentoo advisory: Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer: (1) Multiple integer overflows might allow for insufficient memory allocation, leading to heap-based buffer overflows (CVE-2008-3520). (2) The jas_stream_printf() function in libjasper/base/jas_stream.c uses vsprintf() to write user-provided data to a static buffer, leading to an overflow (CVE-2008-3522). Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code. |
no-ip: arbitrary code execution
| Package(s): | no-ip |
| CVE #(s): | CVE-2008-5297 |
| Created: | December 15, 2008 |
| Updated: | January 19, 2009 |
| Description: | From the Debian advisory: A buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code. |
phpMyAdmin: sql injection via cross-site request forgery
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2007-0095 |
| Created: | December 15, 2008 |
| Updated: | December 17, 2008 |
| Description: | Some information can be found in the phpMyAdmin security announcement: A logged-in user can be the subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through the table parameter. |
povray: arbitrary code execution
| Package(s): | povray |
| CVE #(s): | CVE-2008-3964, CVE-2004-0768 |
| Created: | December 15, 2008 |
| Updated: | March 6, 2009 |
| Description: | From the Gentoo advisory: POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray's build system caused it to load the old version when your installed copy of libpng was >=media-libs/libpng-1.2.10. An attacker could entice a user to load a specially crafted PNG file as a texture, resulting in the execution of arbitrary code with the permissions of the user running the application. |
roundcubemail: code injection
| Package(s): | roundcubemail |
| CVE #(s): | |
| Created: | December 15, 2008 |
| Updated: | December 17, 2008 |
| Description: | From the Red Hat bugzilla entry: A remotely exploitable code injection vulnerability has been found in the RoundCube Webmail browser-based multilingual IMAP client due to insufficient sanitization of certain HTML tags. A remote attacker could use this flaw to potentially inject and execute arbitrary code via HTML POST form request with specially-crafted HTML tags. |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey |
| CVE #(s): | CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513 |
| Created: | December 17, 2008 |
| Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5504, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw was found in the way malformed URLs were processed by SeaMonkey. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) |
tshark, wireshark: denial of service
| Package(s): | tshark |
| CVE #(s): | CVE-2008-5285 |
| Created: | December 12, 2008 |
| Updated: | June 30, 2009 |
| Description: | From the CVE entry: Wireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop. |
uw-imap: buffer overflows, null pointer dereference
| Package(s): | uw-imap |
| CVE #(s): | CVE-2008-5005, CVE-2008-5006 |
| Created: | December 12, 2008 |
| Updated: | December 29, 2009 |
| Description: | From the Debian advisory: It was discovered that several buffer overflows can be triggered via a long folder extension argument to the tmail or dmail program. This could lead to arbitrary code execution (CVE-2008-5005). It was discovered that a NULL pointer dereference could be triggered by a malicious response to the QUIT command leading to a denial of service (CVE-2008-5006). |
Page editor: Jake Edge