Practical Windows Security - The Identification of Vulnerabilities - Case Study Example

Practical Windows Security against CVE-2003-0352/MS03-026

1- Introduction

Common Vulnerabilities and Exposures, or simply CVE, is a list of publicly known information security vulnerabilities and exposures that aims to provide common names for publicly recognized problems. The objective of CVE is to make it easier to share data across separate vulnerability capabilities (repositories, tools and services) by means of this common enumeration. With a common identifier it becomes easy to exchange data between separate services, since before CVE was established in 1999 the many databases and tools were not easily integrated. If a security report includes CVE identifiers, we can then quickly and accurately access the corresponding information in one or more separate CVE-compatible databases, tools and services to remediate the problem. In addition, through CVE our tools and services can "talk" to each other (that is, exchange data), and we know precisely what each of them covers, because CVE gives us a baseline for evaluating the coverage of our tools. This lets us determine which tools are most effective and appropriate for our business's requirements.
Briefly, CVE-compatible products, tools and databases offer us better reporting, an easier ability to share and use information, and improved security (IPA, 2009), (Skoudis, 2010) & (Mitre, 2010). CVE is an industry effort endorsed by the CVE Editorial Board and by many organizations that have declared their products CVE-compatible or that include CVE identifiers in their vendor alerts and security advisories. CVE content must be approved by the CVE Editorial Board, which includes leading experts from the information security community (Mitre, 2010).

This report is designed to provide a deep and comprehensive analysis of some of the main issues and areas of practical Windows security. In it I discuss and analyze some of the main aspects of Common Vulnerabilities and Exposures (CVE) and its connection to Windows security management and organization. For this purpose I assess one Windows security issue catalogued by CVE, namely CVE-2003-0352/MS03-026. The report gives a detailed insight into CVE-2003-0352/MS03-026 and the level of threat this CVE/MS entry poses to a Windows network or domain. I assess what CVE/MS is and how it functions, how this vulnerability can be exploited and how an exploit might work, and the remedial action necessary to mitigate it (Mitre, 2010).

2- CVE (Common Vulnerabilities and Exposures)

A vulnerability, or information security vulnerability, is a flaw or error in software that can be directly used by a hacker to gain access to a system or network.
An exposure, or information security exposure, is a mistake in software that allows access to information or capabilities that a hacker or intruder can use as a stepping stone into a system or network (Mitre, 2010; Shelly et al., 2005; Norton, 2001). As already stated, Common Vulnerabilities and Exposures (CVE) is a dictionary of standard names for security threats. These system and network security threats are divided into two groups, known as vulnerabilities and exposures. A vulnerability is a fact about an information server, workstation or network that presents a definite, specific security risk in a given context. An exposure is a security-related condition, event or fact that some people would regard as a vulnerability but others would not. CVE was established and is maintained by the MITRE Corporation to ease the sharing of data among different security products. It also shortens the process of searching for information in security-related databases and across a geographically distributed network such as the Internet. The CVE dictionary is the product of collaboration between experts and representatives from security-related businesses worldwide (TechTarget, 2008) & (Mitre, 2010). Entries in CVE are given names based on the year of their formal inclusion and the order in which they were added to the list in that year. For example, CVE-2002-0250 identifies a particular web configuration service that could allow an unauthorized user to change a system administrator's password. This entry was added in 2002 and was assigned sequence number 250 for that year (TechTarget, 2008; Mitre, 2010).
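The following PowerShell function is an added example, not part of the paper: it parses the CVE naming scheme just described (CVE-year-sequence) so that identifiers can be validated and sorted by year and sequence number. The function and parameter names are my own, and the sample identifiers at the bottom are constructed input. Since 2014 the sequence part may be longer than four digits, so the pattern accepts four or more.

```powershell
# Added example (not from the paper): parse CVE identifiers into their
# year and per-year sequence number, as the CVE naming scheme defines them.
function ConvertFrom-CveId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Id
    )
    process {
        foreach ($candidate in $Id) {
            # CVE names are case-insensitive; -match is case-insensitive in PowerShell.
            $text = $candidate.Trim()
            if ($text -match '^CVE-(?<year>\d{4})-(?<seq>\d{4,})$') {
                [pscustomobject]@{
                    Id       = $text.ToUpperInvariant()
                    Year     = [int]$Matches['year']   # year the entry was added
                    Sequence = [int]$Matches['seq']    # order within that year
                    Valid    = $true
                }
            } else {
                # Anything else (including Microsoft bulletin ids such as MS03-026,
                # which are a separate naming scheme) is reported as not a CVE name.
                [pscustomobject]@{ Id = $text; Year = $null; Sequence = $null; Valid = $false }
            }
        }
    }
}

# Constructed sample input: the two CVE names used in the paper plus a bulletin id.
$sample = 'CVE-2003-0352', 'cve-2002-0250', 'MS03-026'
$sample | ConvertFrom-CveId | Sort-Object Year, Sequence | Format-Table -AutoSize
```

The rejection of MS03-026 is deliberate: the paper uses "CVE/MS" as one label, but a Microsoft bulletin number and a CVE name are different identifiers, and a tool that cross-references them needs to know which one it has been given.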
At least two different definitions of security vulnerability exist. In the most common usage, a vulnerability is a specific problem that can directly result in the compromise of a system in the short term. An example is a known security hole in an operating system (OS) that has been exploited in real-world circumstances with adverse results. The less common definition of vulnerability applies to any issue that does not create an immediate, direct security risk but can eventually increase the risk in the long term. An example of this second definition is a fast Internet link. It is easier to break into a business or corporate workstation connected to the Internet by a cable modem with a downstream speed of 5 Mbps and an upstream speed of 1 Mbps than into a PC operating through a dial-up modem with downstream and upstream speeds of 56 Kbps (TechTarget, 2008) & (Mitre, 2010). According to the MITRE Corporation, the CVE list should not depend on the perspective of a particular user. A CVE entry that can be recognized as a vulnerability from all viewpoints is identified as a universal vulnerability. Other entries are designated exposures. An unpatched, previously exploited security hole in an operating system would constitute a universal vulnerability by the CVE standard. A high-speed Internet link would typically constitute an exposure (TechTarget, 2008).

3- Microsoft Security and Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures has had a major influence on the improvement of Microsoft's handling of its security holes.
The evolution of the CVE database, and Microsoft's fixing of the problems it lists to better protect its products and handle security-related issues, has produced more secure versions of Windows with the support of CVE. As CVE entries are published, Microsoft has made conscious efforts to improve security management at all levels of the system. For example, in the case of CVE-2003-0352 Microsoft identified additional ports relating to RPC that could be used to exploit this vulnerability. Information about these additional ports has been incorporated into the mitigating factors and workarounds sections of the bulletin. Microsoft has also released security bulletin MS03-039 together with a new scanning tool, which supersede this bulletin and the scanning tool originally provided with it. Accordingly, this CVE's bulletin has been updated to reflect the release of the new patches and the new scanning tool for Windows (Moore, 2010; Mitre2, 2010) & (National Vulnerability Database, 2010).

4- CVE-2003-0352 (technical description)

Windows NT 4.0, Windows 2000, Windows Server 2003 and Windows XP are vulnerable to a buffer overflow in the DCOM (Distributed Component Object Model) interface of the Remote Procedure Call (RPC) service, which allows remote attackers to execute arbitrary code with Local System privileges by means of a malformed message (DragonSoft Security Associates, Inc, 2010) & (Mitre2, 2010). The corresponding Metasploit module exploits a stack overflow in the RPC service; the vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since.
This Metasploit module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP and Windows 2003 all in one request. The buffer overflow in a certain DCOM interface for RPC in Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the MSBlast/Blaster/LovSAN and Welchia/Nachi worms (Moore, 2010) & (National Vulnerability Database, 2010).

5- Scope of the CVE-2003-0352 vulnerability (level of threat)

CVE-2003-0352 is a buffer overflow vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could gain complete control over a remote user's system, database, PC or workstation. This would give the attacker the ability to take any action they wished on the target machine. For example, an attacker could delete or corrupt data on the hard disk, alter web pages, or add new users with local administrator privileges. To carry out such an attack, an attacker would need the ability to send a specially crafted message to the RPC service and thereby cause the target machine to fail in such a way that arbitrary code could be executed (Microsoft, 2003).

6- Reasons for the Windows Vulnerability

The vulnerability arises because the Windows RPCSS service does not properly validate message inputs under certain conditions. After establishing a connection, an attacker could send a specially crafted, malformed RPC message that causes the underlying DCOM (Distributed Component Object Model) process on the remote system to fail in such a way that arbitrary code can be executed (Microsoft, 2003).
7- Target of the Windows Vulnerability

Any user who can deliver a malformed RPC message to the RPCSS service on an affected system could attempt to exploit this vulnerability. Because the RPC service is on by default in all affected versions of Windows, any user who can establish a connection with an affected system could attempt to exploit this security vulnerability (Microsoft, 2003).

8- Remedial Action

8.1 - Windows Patch (the solution)

For CVE-2003-0352/MS03-026, Microsoft has released a patch that fixes this security problem. The patch corrects the vulnerability by modifying the DCOM implementation so that it properly validates the data and information passed to it (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010). Microsoft strongly recommends that all customers install the patch at the earliest possible opportunity; in the meantime there are a number of workarounds that can be applied to help block the vector used to exploit this vulnerability. There is no assurance that the workarounds will prevent all possible attack vectors. It should be noted that these workarounds are to be considered temporary measures, as they only help block paths of attack rather than correcting the underlying vulnerability (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).

8.2 - Block TCP and UDP ports

To block this security vulnerability on a Windows network or domain we need to take a number of remedial actions.
The main remedial action is to block TCP ports 135, 139, 445 and 593 and UDP ports 135, 137, 138 and 445 at our network and host firewalls, and to disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems. These ports are used to initiate an RPC connection with a remote computer. Blocking them at the network or host firewall helps protect the systems behind that firewall from attempts to exploit these vulnerabilities. We should also make sure to block any other specifically configured RPC port on the remote systems. If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP port 80 (and 443 on Windows XP and Windows Server 2003). Make sure that RPC and CIS over HTTP are disabled on all affected systems (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).

8.3 - Using a Firewall

To block these security vulnerabilities we can use a personal firewall such as the Internet Connection Firewall (available only on Windows XP and Windows Server 2003) and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems, particularly systems that are connected to a business network remotely by VPN or a similar link. If we are using the Internet Connection Firewall in Windows Server 2003 or Windows XP to protect our Internet connection, it will by default block inbound RPC traffic from the Internet. Make sure that RPC and CIS over HTTP are disabled on all affected systems (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).
8.4 - Blocking the Affected Ports

To protect Windows systems against these vulnerabilities we can also block the affected ports using IPSEC filters, and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).

8.5 - Disabling DCOM on all Affected Systems

When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. We can disable DCOM on a particular computer to help protect against this security vulnerability; however, doing so will stop all communication between objects on that computer and objects on other computers. If we disable DCOM on a remote, network-attached computer, we will no longer be able to access that computer remotely to re-enable DCOM. To re-enable DCOM we will need physical access to that computer (CVE -2, 2010) & (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).

9- Microsoft Support

For the MS03-026 vulnerability, Microsoft has provided a tool that can be used to scan a network for the presence of systems that do not have the MS03-026 or the more recently released MS03-039 patch installed. The original scanning tool for MS03-026 still scans correctly for systems that do not have MS03-026 installed, but it has been superseded by the new scanning tool released with MS03-039, the bulletin that supersedes this one. This new scanning tool will correctly scan for vulnerable computers and report the appropriate results when MS03-039 has been installed (Microsoft, 2003) & (Mitre2, 2010) & (Mitre, 2010).
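The PowerShell below is an added example, not part of the paper or of Microsoft's bulletin. It carries the section 8 workarounds through on a host: it first reports which of the section 8.2 RPC/DCOM ports currently have a listener, then adds inbound block rules for them, and finally implements the section 8.5 DCOM disable with the caveat the paper gives. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity module (the paper's own era used the Internet Connection Firewall and IPSEC filters, but the intent is the same), an elevated prompt, and that the EnableDCOM registry value is the one Microsoft documents for disabling DCOM; the function and rule names are my own.

```powershell
# Added example (not from the paper or Microsoft): MS03-026 host workarounds
# expressed with the Windows Firewall cmdlets. Run from an elevated prompt.
#Requires -RunAsAdministrator

# Ports listed in section 8.2 of the paper.
$RpcTcpPorts = @(135, 139, 445, 593)
$RpcUdpPorts = @(135, 137, 138, 445)
$RulePrefix  = 'MS03-026 workaround'   # constructed rule-name prefix

function Get-ExposedRpcListeners {
    # Reports which of the section 8.2 ports currently have a local listener, so
    # you know what a block rule is actually protecting before you add it.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $RpcTcpPorts -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{ Protocol = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
        }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $RpcUdpPorts -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{ Protocol = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
        }
    @($tcp) + @($udp) | Sort-Object Protocol, Port
}

function Add-RpcBlockRules {
    # Creates inbound block rules for the RPC/DCOM ports on the Public and Private
    # profiles only. Blocking 135/139/445 on the Domain profile would also break
    # file sharing and remote management inside the domain, which is why the paper
    # places the block at the network firewall as well as on the host.
    [CmdletBinding()]
    param()
    foreach ($set in @(@{ Protocol = 'TCP'; Ports = $RpcTcpPorts }, @{ Protocol = 'UDP'; Ports = $RpcUdpPorts })) {
        $name = "$RulePrefix - block inbound $($set.Protocol)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists; skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $set.Protocol -LocalPort $set.Ports -Profile Public, Private | Out-Null
    }
}

function Disable-DcomOnThisHost {
    # Section 8.5: disables DCOM for the whole machine. Takes effect after a reboot
    # and, as the paper warns, removes the remote DCOM access you would need to undo
    # it, so use it only where console access is assured. The registry value is the
    # one Microsoft documents for this setting (assumed here; verify for your OS).
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -Value 'N' -Type String
}

# Usage: look first, then block. Disable-DcomOnThisHost is deliberately not
# called by default; invoke it explicitly on hosts where that trade-off is acceptable.
Get-ExposedRpcListeners | Format-Table -AutoSize
Add-RpcBlockRules -Verbose
```

The listener report is the check worth keeping after the patch is applied as well: a host that still shows port 135 listening on a non-loopback address is exactly the host the paper's section 9 scanning tool would have flagged, and the block rules remain a temporary measure until the patch is installed, as section 8.1 states.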
10- Conclusion

With advances in technology there has been a corresponding increase in security vulnerabilities and attacks. Common Vulnerabilities and Exposures (CVE) plays a very effective role in the improved management and handling of security vulnerability identification and mitigation, and this framework has contributed to better security management and issue handling. In this report I have offered a comprehensive analysis of CVE and of the CVE-2003-0352/MS03-026 security vulnerability. I have outlined the main issues that give rise to CVE-2003-0352/MS03-026, its main impacts, and the possible mitigation actions that can improve the management and administration of some of the key aspects of security on the Microsoft Windows platform.

11- References

CVE -2, 2010. CVE Reference Map for Source MS. [Online] Available at: http://cve.mitre.org/data/refs/refmap/source-MS.html [Accessed 20 December 2010].
DragonSoft Security Associates, Inc, 2010. MS03-026: Windows RPC buffer overflow - XP. [Online] Available at: http://vdb.dragonsoft.com/detail.php?id=1702 [Accessed 20 December 2010].
IPA, 2009. The Identification of Vulnerabilities Using a Common Identifier Scheme. [Online] Available at: http://www.ipa.go.jp/security/english/vuln/CVE_en.html [Accessed 20 December 2010].
Microsoft, 2003. Microsoft Security Bulletin MS03-026. [Online] Available at: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx [Accessed 20 December 2010].
Mitre, 2010. CVE. [Online] Available at: http://cve.mitre.org/about/faqs.html [Accessed 20 December 2010].
Mitre2, 2010. CVE-2003-0352. [Online] Available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352 [Accessed 20 December 2010].
Moore, H.D., 2010. CVE-2003-0352. [Online] Available at: http://packetstormsecurity.org/files/cve/CVE-2003-0352 [Accessed 14 December 2010].
National Vulnerability Database, 2010. Vulnerability Summary for CVE-2003-0352. [Online] Available at: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0352 [Accessed 20 December 2010].
Norton, P., 2001. Introduction to Computers, Fourth Edition. Singapore: McGraw-Hill.
Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology.
Skoudis, E., 2010. Do the Common Vulnerabilities and Exposures protect applications? [Online] Available at: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1264688,00.html [Accessed 20 December 2010].
TechTarget, 2008. Common Vulnerabilities and Exposures. [Online] Available at: http://searchfinancialsecurity.techtarget.com/sDefinition/0,sid185_gci1256235,00.html [Accessed 20 December 2010].
Practical Windows Security - The Identification of Vulnerabilities Case Study. Retrieved from https://studentshare.org/information-technology/1574461-practical-windows-security