Security
"Vishing" advisory targets Asterisk
A light-on-details warning—issued late on a Friday no less—had users of the Asterisk telephony platform scrambling recently. It was issued by a US government group that includes the FBI, which tends to attract attention, and warned of unspecified vulnerabilities that would allow "vishing" attacks using subverted Asterisk systems. Vishing is a relatively new scam that uses phone calls in phishing expeditions (the name comes from combining 'voice' with 'phishing'), but typically using systems that are owned and run by the scammers.
Evidently, the FBI received word that Asterisk systems were being subverted by way of a vulnerability (AST-2008-003) reported last March. Systems were then used to make "thousands of vishing telephone calls [...] within one hour" trying to elicit personal information—generally credit card numbers—from victims. By using caller ID spoofing techniques those calls could appear to be coming from the credit card company itself. Typically, a pre-recorded message would give the user another number to call, where they would be prompted to enter the information via an interactive voice response (IVR) interface.
Asterisk is a multi-purpose free software suite that can act as a private branch exchange (PBX), handle VoIP traffic, do IVR, and more. Because it provides such a general purpose platform, it does make an attractive target. It is probably also enticing to control such a device that is being run by—and can be traced to—someone else. But the folks at Digium—original developers and primary maintainers of Asterisk—don't really think the problem is as bad as was indicated.
The original problem was fixed months ago, so it clearly irks the Digium folks that it has been fingered now. In addition, the original advisory didn't even point to the vulnerability so users and Digium were left to guess what exactly was being exploited. The advisory was updated to include information about AST-2008-003, but there is still some skepticism about the potential for exploitation. On Digium's blog, community manager John Todd thinks the problem was overstated:
While it may well be that this particular vulnerability is difficult to exploit, there will likely be others down the road that are less so. While some users may be getting a little more wary about phishing and email-based scams in general, phone calls have generally been considered more trustworthy. But it is no longer true that phone numbers are definitely traceable back to a physical location with a billed party known by the telephone company. Much of this information can be spoofed or re-routed in ways that make detection more difficult.
Phones have certainly been used in scams over the years, but the advent of caller ID has tended to put an undeserved stamp of authenticity on certain calls. If a pre-recorded message purports to come from GiantCompany and the caller ID entry has that name, it is easy to conclude that the call is genuine. Much of the same effort that has gone into educating the public about phishing will also need to be applied to vishing.
This is certainly not the first instance of PBX systems being abused either. Subverting PBXs for free long distance calls is a longstanding trick in the "phreaking" community. But Asterisk provides a much more capable platform, thus a much more useful tool, both for those that run them and those that subvert them. Asterisk users need to keep that in mind when security issues come to light.
Brief items
Google's Browser Security Handbook
Google has posted a Browser Security Handbook, written by Michal Zalewski. "This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities." It is thick and detailed enough to make it clear that no web application developer can ever hope to understand all of the relevant details.
New vulnerabilities
aview: insecure tmp file usage
| Package(s): | aview | CVE #(s): | CVE-2008-4935 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file in an insecure manner when processing files. A local attacker could perform symlink attacks to overwrite arbitrary files on the system with the privileges of the user running the application. |
| Alerts: | |
dovecot: improper permissions
| Package(s): | dovecot | CVE #(s): | CVE-2008-4870 |
| Created: | December 15, 2008 | Updated: | January 20, 2009 |
| Description: | From the Gentoo advisory: The dovecot.conf is world-readable, providing improper protection for the ssl_key_password setting (CVE-2008-4870). |
| Alerts: | |
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | What little information there is comes from the Drupal security announcement: Cross site request forgery: The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. Cross site scripting: When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier. |
| Alerts: | |
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CVE-2008-5078 |
| Created: | December 15, 2008 | Updated: | March 2, 2009 |
| Description: | From the Red Hat advisory: Several buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306, CVE-2008-5078) |
| Alerts: | |
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2008-5505 CVE-2008-5510 |
| Created: | December 17, 2008 | Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505) A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510) |
| Alerts: | |
freeradius: symlink attacks
| Package(s): | freeradius | CVE #(s): | CVE-2008-4474 |
| Created: | December 16, 2008 | Updated: | December 17, 2008 |
| Description: | From the SUSE advisory: freeradius-dialupadmin was prone to symlink attacks via temporary files. |
| Alerts: | |
honeyd: insecure tmp file usage
| Package(s): | honeyd | CVE #(s): | CVE-2008-3928 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported an insecure temporary file usage within the "test.sh" script. A local attacker could perform symlink attacks and overwrite arbitrary files with the privileges of the user running the application. |
| Alerts: | |
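The aview, freeradius-dialupadmin and honeyd entries above share one defect: a temporary file at a name any local user can predict. This added example (not code from any of those packages) puts the "/tmp/name$$.ext" shell pattern the advisories describe beside the mktemp(1) form that closes the hole, and adds an audit check for scripts that still use fixed paths. It assumes a POSIX shell whose test(1) supports -O and a mktemp(1) that accepts a template path.

```shell
#!/bin/sh
# Added example, not code from aview, honeyd or freeradius-dialupadmin: the
# predictable "/tmp/name$$.ext" pattern the advisories describe, beside the
# mktemp(1) form that closes the hole, plus an audit check for fixed paths.

# Vulnerable pattern: the name depends only on the PID, which any local user
# can read from ps(1), and the shell's ">" follows an existing symlink, so a
# link planted at that name redirects the write to the link's target.
unsafe_convert() {
    tmp="/tmp/aview$$.pgm"
    printf 'P5\n1 1\n255\n' > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp creates the file itself (O_CREAT|O_EXCL, mode 0600)
# with a random suffix, so there is nothing to predict and no check-then-create
# window. ${TMPDIR:-/tmp} lets a caller point it at a private directory.
safe_convert() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/aview.XXXXXX") || return 1
    printf 'P5\n1 1\n255\n' > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Audit helper for scripts that still use fixed paths: flag a path that is a
# symlink, or that already exists and is owned by someone else. A test like
# this before the write is still racy (the link can appear between the test
# and the write); it is for finding stale links during review, not a
# replacement for mktemp.
tmp_path_is_suspect() {
    path=$1
    [ -L "$path" ] && return 0                      # symlink would be followed
    [ -e "$path" ] && [ ! -O "$path" ] && return 0  # exists, not ours
    return 1
}

# Self-contained demonstration in a scratch directory (constructed input;
# nothing under the real /tmp is touched).
demo() {
    dir=$(mktemp -d) || return 1
    ln -s "$dir/victim" "$dir/aview$$.pgm"          # stale link at the guessable name
    tmp_path_is_suspect "$dir/aview$$.pgm" && echo "fixed path: suspect, would follow link"
    out=$(TMPDIR=$dir safe_convert) && echo "mktemp path: $out ($(wc -c < "$out") bytes)"
    rm -rf "$dir"
}
demo
```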
jasper: multiple vulnerabilities
| Package(s): | jasper netpbm ghostscript | CVE #(s): | CVE-2008-3520 CVE-2008-3522 |
| Created: | December 17, 2008 | Updated: | January 4, 2012 |
| Description: | From the Gentoo advisory: Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer: * Multiple integer overflows might allow for insufficient memory allocation, leading to heap-based buffer overflows (CVE-2008-3520). * The jas_stream_printf() function in libjasper/base/jas_stream.c uses vsprintf() to write user-provided data to a static buffer, leading to an overflow (CVE-2008-3522). Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code. |
| Alerts: | |
no-ip: arbitrary code execution
| Package(s): | no-ip | CVE #(s): | CVE-2008-5297 |
| Created: | December 15, 2008 | Updated: | January 19, 2009 |
| Description: | From the Debian advisory: A buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code. |
| Alerts: | |
phpMyAdmin: sql injection via cross-site request forgery
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2007-0095 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | Some information can be found in the phpMyAdmin security announcement: A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter. |
| Alerts: | |
povray: arbitrary code execution
| Package(s): | povray | CVE #(s): | CVE-2008-3964 CVE-2004-0768 |
| Created: | December 15, 2008 | Updated: | March 6, 2009 |
| Description: | From the Gentoo advisory: POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray's build system caused it to load the old version when your installed copy of libpng was >=media-libs/libpng-1.2.10. An attacker could entice a user to load a specially crafted PNG file as a texture, resulting in the execution of arbitrary code with the permissions of the user running the application. |
| Alerts: | |
roundcubemail: code injection
| Package(s): | roundcubemail | CVE #(s): | |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Red Hat bugzilla entry: A remotely exploitable code injection vulnerability has been found in the RoundCube Webmail browser-based multilingual IMAP client due to insufficient sanitization of certain HTML tags. A remote attacker could use this flaw to potentially inject and execute arbitrary code via HTML POST form request with specially-crafted HTML tags. |
| Alerts: | |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey | CVE #(s): | CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 |
| Created: | December 17, 2008 | Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5504, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw was found in the way malformed URLs were processed by SeaMonkey. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) |
| Alerts: | |
tshark, wireshark: denial of service
| Package(s): | tshark | CVE #(s): | CVE-2008-5285 |
| Created: | December 12, 2008 | Updated: | June 30, 2009 |
| Description: | From the CVE entry: Wireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop. |
| Alerts: | |
uw-imap: buffer overflows, null pointer dereference
| Package(s): | uw-imap | CVE #(s): | CVE-2008-5005 CVE-2008-5006 |
| Created: | December 12, 2008 | Updated: | December 29, 2009 |
| Description: | From the Debian advisory: It was discovered that several buffer overflows can be triggered via a long folder extension argument to the tmail or dmail program. This could lead to arbitrary code execution (CVE-2008-5005). It was discovered that a NULL pointer dereference could be triggered by a malicious response to the QUIT command leading to a denial of service (CVE-2008-5006). |
| Alerts: | |
Page editor: Jake Edge
