December 3rd, 2001, 08:45 PM
Twenty Most Critical Internet Security Vulnerabilities
Vulnerabilities That Affect All Systems
1. Default installations of operating systems and applications
2. Accounts with No Passwords or Weak Passwords
Most systems are configured to use passwords as the first, and only, line of defense. User IDs are fairly easy to acquire, and most companies have dial-up access that bypasses the firewall. Therefore, if an attacker can determine an account name and password, he or she can log on to the network. Easy-to-guess passwords and default passwords are a big problem, but an even bigger one is accounts with no passwords at all. In practice, all accounts with weak passwords, default passwords, and no passwords should be removed from your system.
3. Non-existent or Incomplete Backups
When an incident occurs (and it will occur in nearly every organization), recovery from the incident requires up-to-date backups and proven methods of restoring the data. Some organizations make daily backups, but never verify that the backups are actually working.
4. Large number of open ports
Both legitimate users and attackers connect to systems via open ports. The more ports that are open the more possible ways that someone can connect to your system. Therefore, it is important to keep the least number of ports open on a system necessary for it to function properly. All other ports must be closed.
5. Not filtering packets for correct incoming and outgoing addresses
Spoofing IP addresses is a common method used by attackers to hide their tracks when they attack a victim. For example, the very popular smurf attack uses a feature of routers to send a stream of packets to thousands of machines. Each packet contains a spoofed source address of a victim. The computers to which the spoofed packets are sent flood the victim’s computer, often shutting down the computer or the network. Performing filtering on traffic coming into your network (ingress filtering) and going out (egress filtering) can help provide a high level of protection.
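The ingress/egress decisions described above, written out as a small filter model (added example, not part of the original list; the site prefix 192.0.2.0/24 and the sample packet records are constructed):

```python
"""Anti-spoofing ingress/egress filter decisions for a border router.
Constructed example: the site owns 192.0.2.0/24; sample records are made up."""
import ipaddress

SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # constructed: the addresses we own
# Sources that should never arrive from the Internet side.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]

def filter_packet(direction: str, src: str, dst: str) -> str:
    """Return 'permit' or 'drop: <reason>' for one packet at the border.
    direction is 'ingress' (Internet -> site) or 'egress' (site -> Internet)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        # A packet from the Internet claiming one of our own addresses is forged.
        if s in SITE_PREFIX:
            return "drop: spoofed internal source arriving from outside"
        if any(s in net for net in NON_ROUTABLE):
            return "drop: non-routable source address"
        # Directed broadcast is the router feature smurf relies on to hit every host at once.
        if d in (SITE_PREFIX.broadcast_address, SITE_PREFIX.network_address):
            return "drop: directed broadcast from outside"
        return "permit"
    if direction == "egress":
        # Our hosts may only send with our own addresses; anything else is spoofed,
        # which is what keeps the site from being used as a flood source.
        if s not in SITE_PREFIX:
            return "drop: spoofed source leaving the site"
        return "permit"
    raise ValueError("direction must be 'ingress' or 'egress'")

def audit_log(lines):
    """Apply the policy to '<direction> <src> <dst>' records; return the dropped ones."""
    drops = []
    for line in lines:
        direction, src, dst = line.split()
        verdict = filter_packet(direction, src, dst)
        if verdict != "permit":
            drops.append((line, verdict))
    return drops

SAMPLE_TRAFFIC = [  # constructed records, not real captures
    "ingress 198.51.100.7 192.0.2.10",   # ordinary inbound packet
    "ingress 192.0.2.5 192.0.2.10",      # claims to be one of ours: forged
    "ingress 198.51.100.7 192.0.2.255",  # aimed at our broadcast address
    "egress 192.0.2.5 198.51.100.7",     # ordinary outbound packet
    "egress 203.0.113.9 198.51.100.7",   # forged source leaving the site
]
```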
6. Non-existent or incomplete logging
One of the maxims of security is, “Prevention is ideal, but detection is a must.” As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability. Once you are attacked, without logs you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media and then hoping the data backups were OK, or taking the risk that you are running a system that a hacker still controls.
7. Vulnerable CGI Programs
Most web servers, including Microsoft IIS and Apache, support Common Gateway Interface (CGI) programs to provide interactivity in web pages enabling functions such as data collection and verification. In fact, most web servers are delivered (and installed) with sample CGI programs. Unfortunately, too many CGI programmers fail to consider that their programs provide a direct link from any user anywhere on the Internet directly to the operating system of the computer running the web server. Vulnerable CGI programs present a particularly attractive target to intruders because they are relatively easy to locate and operate with the privileges and power of the web server software itself. Intruders are known to have exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions.
Vulnerabilities That Affect Windows Systems
8. Unicode Vulnerability
By sending an IIS server a carefully constructed URL (which contains the Unicode equivalent of certain commands), an attacker can force the server to literally ‘walk up and out’ of a directory and execute arbitrary scripts. This type of attack is also known as the web server folder traversal attack.
For example, if an attacker sends the Unicode equivalents of / and \, which are %c0%af and %c1%9c, the usual checks can be bypassed, and the victim’s system will execute the programs the attacker instructs it to run. A really popular and nasty one.
Systems affected: Microsoft Windows NT 4.0 with IIS 4.0 and Windows 2000 Server with IIS 5.0 that do not have Service Pack 2 installed.
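To see why a check on the raw URL misses the encodings mentioned above, here is an added log-review helper (not from the original list) that decodes a request path the permissive way a vulnerable server did and then checks for traversal; the sample URIs are constructed:

```python
"""Spot overlong-UTF-8 directory traversal in web server request paths."""
from urllib.parse import unquote_to_bytes

def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive decoder that accepts overlong two-byte forms,
    so C0 AF becomes '/' and C1 9C becomes '\\'. This is how the bypass works."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (IIS treats '\\' and '/' alike, so unify them)."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))

def naive_check_passes(uri: str) -> bool:
    """The kind of check the bypass defeats: look for '..' segments in the raw URI only."""
    return not has_traversal(uri)

def analyze_uri(uri: str) -> dict:
    """Percent-decode once, flag invalid/overlong UTF-8, and check the effective path."""
    raw = unquote_to_bytes(uri)
    findings = []
    try:
        raw.decode("utf-8")          # strict decoding rejects overlong forms such as C0 AF
    except UnicodeDecodeError:
        findings.append("overlong or invalid UTF-8 in percent-encoded path")
    effective = lenient_decode(raw)  # what a permissive server would actually open
    if has_traversal(effective):
        findings.append("parent-directory traversal in effective path")
    return {"effective_path": effective, "findings": findings,
            "naive_check_passed": naive_check_passes(uri)}

SAMPLE_URIS = [  # constructed, not from a real log
    "/index.html",
    "/scripts/../../config.txt",
    "/scripts/..%c0%af..%c0%afconfig.txt",
]
```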
9. ISAPI Extension Buffer Overflows
When IIS is installed, several ISAPI extensions are automatically installed. ISAPI, which stands for Internet Services Application Programming Interface, allows developers to extend the capabilities of an IIS server using DLLs. Several of the DLLs, like idq.dll, contain programming errors that cause them to do improper bounds checking. In particular, they do not block unacceptably long input strings. Attackers can send data to these DLLs, in what is known as a buffer overflow attack, and take full control of an IIS web server.
This exploit impacts Microsoft Index Server 2.0 and Indexing Service in Windows 2000.
10. IIS RDS exploit (Microsoft Remote Data Services)
Malicious users exploit programming flaws in IIS’s Remote Data Services (RDS) to run remote commands with administrator privileges.
Systems affected: Microsoft Windows NT and Windows 2000 systems running Internet Information Server
11. NETBIOS - unprotected Windows networking shares
Improper configuration can expose critical system files or give full file system access to any hostile party connected to the Internet. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for coworkers and outside researchers by making their drives readable and writeable by network users.
Systems affected: Microsoft Windows NT and Windows 2000 systems
12. Information leakage via null session connections
A Null Session connection, also known as Anonymous Logon, is a mechanism that allows an anonymous user to retrieve information (such as user names and shares) over the network, or to connect without authentication.
Systems affected: Windows NT and Windows 2000 systems
13. Weak hashing in SAM (LM hash)
Since LAN Manager uses a much weaker encryption scheme than do the more current Microsoft approaches, LAN Manager passwords can be broken in a very short period of time. Even strong password hashes can be cracked in under a month.
Systems affected: Microsoft Windows NT and 2000 servers
Vulnerabilities That Affect Unix Systems
14. Buffer Overflows in RPC Services
Remote procedure calls (RPCs) allow programs on one computer to execute programs on a second computer. They are widely used to access network services such as NFS file sharing and NIS. Multiple vulnerabilities caused by flaws in RPC are being actively exploited. There is compelling evidence that the majority of the distributed denial of service attacks launched during 1999 and early 2000 were executed by systems that had been victimized through the RPC vulnerabilities.
Systems affected: Most versions of Unix
15. Sendmail Vulnerabilities
Several flaws have been found over the years. In fact, the very first advisory issued by CERT/CC, in 1988, made reference to an exploitable weakness in Sendmail. In one of the most common exploits, the attacker sends a crafted mail message to the machine running Sendmail, and Sendmail reads the message as instructions requiring the victim machine to send its password file to the attacker’s machine (or to another victim) where the passwords can be cracked.
Systems affected: Most versions of Unix and Linux
16. Bind Weaknesses
The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of Domain Name Service (DNS) -- the critical means by which we all locate systems on the Internet by name (e.g., www.sans.org) without having to know specific IP addresses -- and this makes it a favorite target for attack. Sadly, according to a mid-1999 survey, as many as 50% of all DNS servers connected to the Internet are running vulnerable versions of BIND. In a typical example of a BIND attack, intruders erased the system logs and installed tools to gain administrative access.
Systems affected: Multiple UNIX and Linux systems
17. R Commands
Trust relationships are widely used in the UNIX world, particularly for system administration. Companies frequently assign a single administrator to be responsible for dozens or even hundreds of systems. Administrators often use trust relationships and the related UNIX r commands to switch from system to system conveniently. r commands enable someone to access a remote system without supplying a password. Instead of requiring a username/password combination, the remote machine authenticates anyone coming from a trusted IP address. If an attacker gains control of any machine in such a trusted network, he or she can gain access to all other machines that trust the hacked machine.
Systems affected: Most variants of Unix, including Linux
18. LPD (remote print protocol daemon)
LPD listens for requests on TCP port 515. The programmers who developed the code that transfers print jobs from one machine to another made an error that creates a buffer overflow vulnerability. If the daemon is given too many jobs within a short time interval, the daemon will either crash or run arbitrary code with elevated privileges.
Systems affected: Solaris 2.6 for SPARC, Solaris 2.6 x86, Solaris 7 for SPARC, Solaris 7 x86, Solaris 8 for SPARC, Solaris 8 x86, and most variants of Linux.
19. sadmind and mountd
Sadmind allows remote administration access to Solaris systems, providing a graphical user interface for system administration functions. Mountd controls and arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications, enabled by programming errors made by the software developers, can be exploited to allow attackers to gain control with root access.
Systems affected: Multiple versions of Unix
20. Default SNMP Strings
The Simple Network Management Protocol (SNMP) uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public", with a few "clever" network equipment vendors changing the string to "private" for more sensitive information. Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it.
Systems affected: All UNIX systems and network devices
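One way to audit captured SNMP traffic for the default community strings named above is to pull the version and community out of each datagram's BER header; this is an added example, not part of the original list, with a minimal BER reader and a constructed SNMPv1 GetRequest as sample input:

```python
"""Flag SNMPv1/v2c messages that carry a well-known default community string.
Added example: the BER parser is minimal and the sample datagram is constructed."""
DEFAULT_COMMUNITIES = {b"public", b"private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram: bytes) -> dict:
    """Pull version, community and PDU type out of SEQUENCE { version, community, PDU }."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header encoding")
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community, "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def audit(datagram: bytes) -> list:
    """Return findings for one sniffed datagram (empty list if nothing to flag)."""
    h = parse_snmp_header(datagram)
    findings = []
    if h["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community {h['community'].decode()!r} used in SNMP{h['version']} {h['pdu']}")
    if h["pdu"] == "SetRequest":
        findings.append("write (SetRequest) traffic: this community string can reconfigure the device")
    return findings

# Constructed SNMPv1 GetRequest for OID 1.3.6.1.2 with community "public".
SAMPLE_DATAGRAM = bytes.fromhex(
    "3022" "020100" "04067075626c6963"       # SEQUENCE, version 0 (v1), community "public"
    "a015" "020101" "020100" "020100"        # GetRequest: request-id 1, error-status 0, error-index 0
    "300a" "3008" "06042b060102" "0500")     # varbind list: OID 1.3.6.1.2, NULL value
```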
Well, I hope that list helps you guys harden your systems.