Date: 11 June 2009
AusCERT sends out two forms of bulletin - AusCERT Security Bulletins (or 'ASBs') and External
Security Bulletins (or 'ESBs'). Previously, there were four types of bulletin - External Security
Bulletins (ESB), AusCERT Advisories (AA), AusCERT Alerts (AL) and AusCERT Updates (AU). The new
two-type system gives a simpler distinction between bulletin types: ASBs are written in-house,
drawing on available information that may not have a single coherent source, while ESBs are
bulletins written by other vendors that we have summarised and re-released.
Both ASBs and ESBs contain 'header information' that quickly summarises the contents and
allows readers to determine important information at a glance.
Document Titles and Subject Lines
Bulletin titles (which are also used as the subject line of mailouts) are formatted to convey
basic information in as short a form as possible. The title includes the AusCERT bulletin ID (for
instance ASB-2009.0001 or ESB-2009.0123), a revision number if applicable (e.g. ESB-2009.0123.2) and an 'ALERT' flag if the
contents of the bulletin are time critical or reference an actively exploited vulnerability.
Titles also include a list of 'environment' tags naming the operating systems or hardware types the
vulnerability affects. Unless the vulnerability is very specific this will usually only contain operating
system families such as Windows ([Win]) and Linux ([Linux]). The rest of the title is either the
product or the publisher, along with the most severe impact of the vulnerability. In the case of a bulletin
regarding multiple vulnerabilities this is replaced with 'Multiple Vulnerabilities'.
For instance, previously what might have been sent out with a subject line of:
(AUSCERT AL-2009.0000) [Win] Critical vulnerabilities in ImportantProgram may result in data loss
would now have a subject line like:
ESB-2009.0000 - ALERT [Win] ImportantProgram: Delete arbitrary files - Remote/unauthenticated
or
ESB-2009.0000 - ALERT [Win] ImportantProgram: Multiple vulnerabilities
Bulletin Header
Since more information is now included in the bulletin title the header will only include the
bulletin ID, date and a short descriptive sentence. In the case of ESBs, this is often the subject of
the original bulletin.
Bulletin Summary
The bulletin summary is an index of the important information in the bulletin. Both ESBs and
ASBs contain a summary, although some fields may only be found in one type. A description of each
field is below.
Product
The product field gives the names and version numbers of products affected by the bulletin.
The product may be an operating system, in which case no Operating System field will be given. Both
ESBs and ASBs will have a Product field.
Publisher
Only present in an ESB, the Publisher field gives the name of the original source of the bulletin.
Often this is an operating system vendor (like Microsoft or Red Hat), but it may be another security
team or research group.
Operating System
This field gives a list of operating systems or operating system families that are affected by the
vulnerability. The operating systems themselves are not affected by the vulnerability, but the program
that is affected will run on those operating systems.
Platform
A rarely used field, platform will specify particular architectures (eg i386, SPARC) that are
affected by this vulnerability in a similar fashion to the Operating System field. In order to be brief, the
Platform field will only be used if the architectures affected is a subset of the architectures that the
operating systems affected run on.
Impact and Access
Previously two separate fields, the Impact and Access matrix lists the impacts of the
vulnerabilities along with the access required to exploit each of them.
Impact Values
There are several predefined values for the Impact. The values and their meanings are below.
- Root Compromise
- The root account in a Unix or Linux based system can be accessed. This is a serious issue and
may result in an attacker taking complete control of the affected machine.
- Administrator Compromise
- An administrator account (for instance within Windows or within an administration application)
can be accessed. This is a serious issue and may result in an attacker taking over the affected
machine. Note that in Windows this may also be a compromise of the SYSTEM account.
- Execute Arbitrary Code/Commands
- An attacker can execute commands beyond what is usually possible. This can include machine
code, or interpreted code such as Java, JavaScript or SQL.
- Increased Privileges
- An attacker can increase their privilege level on the affected system. This may allow them to
gain normal user access to a machine they should have no access to, or allow them to access
the data or privileges of another user on the system.
- Access Privileged Data
- An attacker can read (and possibly write) data on the system that would otherwise be
protected by a security measure. The attacker may not be able to perform any other action or gain
the use of the privileges they would otherwise require to view this content.
- Modify Permissions
- An attacker can add or remove permissions from an object. This may allow them to deny access
to a valid user, or allow them to access something they would otherwise be blocked from.
- Modify Arbitrary Files
- An attacker can read, write or delete arbitrary files. The files they can access may be limited.
- Overwrite Arbitrary Files
- An attacker can replace the contents of arbitrary files. This may lead to a denial of service if
important system files are replaced, or allow further access.
- Create Arbitrary Files
- An attacker can create files that they would otherwise not be allowed to. This may be leveraged
to perform other attacks or gain access.
- Delete Arbitrary Files
- An attacker can delete files. This may allow a denial of service, or weaken existing defenses and
allow further attacks.
- Cross-site Scripting
- A specific form of code execution, cross-site scripting may allow an attacker to inject their own
HTML into an affected site's code. This is not restricted to public facing websites - an attacker may be
able to insert code that is activated when an administrator examines logs or uses some other
administrative interface.
- Denial of Service
- An attacker can block access to resources from legitimate users. This may include causing
a program to crash or freeze and not recover, causing an entire system to crash or simply using
up all of the resource (for instance network bandwidth).
- Website Defacement
- A specific form of Modify Arbitrary Files, this impact allows an attacker to change a website. The
change may not be obvious - an attacker might use such a vulnerability to spread malware to visitors
of the affected site.
- Provide Misleading Information
- An attacker may be able to force a program or protocol to produce incorrect information. This
may be to hide an attacker's activity or trick a user into performing an unsafe action.
- Read-only Data Access
- An attacker may be able to read data they would otherwise not have access to. This may
include files, segments of memory or network traffic.
- Access Confidential Data
- An attacker may be able to access data that would otherwise be hidden or inaccessible.
This differs from Access Privileged Data in that the data may not be directly protected by access
restrictions, but is still important. For instance, if a vulnerability allowed access to credit card details
before those details were protected or deleted that would be Access Confidential Data.
- Unauthorised Access
- An attacker is able to access data in a way that is otherwise disallowed. This is a more generic
version of other access-based impacts.
- Reduced Security
- A catch-all impact - the security level of the systems involved is weakened. This is used when
an exact impact is unknown, or if the impact doesn't match any of the others.
Access Values
There are several possible values for the access required to exploit a vulnerability. Generally,
the less access required, the worse the vulnerability.
- Remote/Unauthenticated
- The only access required is that a connection can be made to the affected system.
- Remote with User Interaction
- The attacker requires no access themselves, but they need to trick a legitimate user into
initiating the exploit (for instance by visiting a website or opening a file).
- Existing Account
- The attacker must have an existing user account on the system and must authenticate
to exploit the vulnerability.
- Console/Physical
- The attacker must have direct physical access to the system. This is usually related to a
vulnerability in a screen saver or other physical locking system.
- Unknown/Unspecified
- No access information is currently known.
Resolution
The Resolution field gives a quick indication on how to protect against the vulnerability. The
possible values are:
- None
- No resolution is currently available.
- Patch/Upgrade
- A patch or new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch - third
party patches would be considered a mitigation.
- Mitigation
- There are mitigation steps available that may be used; however, there is no specific fix for the
vulnerability.
- Alternate Program
- Another program with similar functionality is available that is not vulnerable.
CVE
This field lists any CVE identifiers that relate to this vulnerability. CVEs are an excellent way of
tracking vulnerabilities that affect multiple products.
Reference
This field lists other AusCERT bulletin IDs that are related to this vulnerability. These IDs
should also appear as links at the top of the page so that related bulletins can be navigated to
easily.
Bulletin URL
Only available in ESBs, this field lists the URLs of the original bulletin source. Often the original
bulletin will have further links and information that might be of use.
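The summary fields described above, together with the 'Impact -- Access' rows of the matrix, are easy to process automatically. The following is an added example (not AusCERT's own code) that reads a summary block into its fields, splits the Impact/Access matrix into pairs, and picks out the row needing the least access, using the access ordering given above. The set of labels is assumed to be the fields documented here plus those in the example bulletin on this page; the sample block is constructed from that example.

```python
# Summary labels: the fields described above plus the labels the example
# bulletin on this page uses (assumed to be the complete set).
SUMMARY_LABELS = frozenset({
    "Product", "Publisher", "Operating System", "Platform", "Impact/Access",
    "Impact", "Access", "Resolution", "Patches Available", "CVE", "CVE Names",
    "Reference", "Bulletin URL", "Original Bulletin"})
# Access values ordered from least access required (worst) to unknown.
ACCESS_ORDER = ["Remote/Unauthenticated", "Remote with User Interaction",
                "Existing Account", "Console/Physical", "Unknown/Unspecified"]
# Constructed sample: the summary block of the example bulletin on this page,
# with continuation lines unindented as they appear there.
SAMPLE_SUMMARY = """\
Product: ImportantProduct
Publisher: ExamplePublisher
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Patches Available: Yes
CVE Names: CVE-2009-0000
Original Bulletin:
http://www.example.com/example?id
"""

def parse_summary(text):
    """Map each label to its value lines. A line without a known 'Label:' prefix
    continues the previous field (extra Impact/Access rows, a URL on its own line)."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, value = line.partition(":")
        if sep and label.strip() in SUMMARY_LABELS:
            current = label.strip()
            fields[current] = [value.strip()] if value.strip() else []
        elif current is not None:
            fields[current].append(line)
    return fields

def impact_access(fields):
    """Split each 'Impact -- Access' row of the matrix into an (impact, access) pair."""
    pairs = []
    for row in fields.get("Impact/Access", []):
        impact, sep, access = row.partition(" -- ")
        pairs.append((impact.strip(), access.strip() if sep else "Unknown/Unspecified"))
    return pairs

def least_access_required(pairs):
    """Access value in the matrix that demands least of an attacker (the worst case)."""
    ranks = [ACCESS_ORDER.index(a) for _, a in pairs if a in ACCESS_ORDER]
    return ACCESS_ORDER[min(ranks)] if ranks else "Unknown/Unspecified"
```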
Bulletin Versioning
If new information becomes available regarding a bulletin we have already released we will
update information on our website and may resend the bulletin if the information is important.
Previously only the most recent version of the bulletin was available on our website, however now
previous versions will be available as attachments to the current version. Updates will have a
version number appended to the bulletin ID. For instance, the second version of ESB-2009.0000
is ESB-2009.0000.2. After an update is done the original version will be renamed to
ESB-2009.0000.1.
If a new version is considered to contain important information, the bulletin will be resent with
an extra tag of 'UPDATE' in the subject line. For bulletins that were already tagged with 'ALERT', this
will become 'UPDATED ALERT'.
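The title format above, including the revision suffix and the 'ALERT', 'UPDATE' and 'UPDATED ALERT' tags, can be parsed so that mail filters or a tracking database can key on the bulletin ID and revision. The following is an added example (not AusCERT's own code); the page gives examples rather than a formal grammar, so the spacing and the optional tags are matched leniently, and old-style subject lines are rejected.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# New-style title, e.g. "ESB-2009.0000.2 - UPDATED ALERT [Win] Prog: Impact - Access".
# The page shows examples rather than a grammar, so spacing is matched leniently.
_TITLE_RE = re.compile(
    r"^(?P<id>(?:ASB|ESB)-\d{4}\.\d{4})"             # bulletin ID
    r"(?:\.(?P<rev>\d+))?"                           # optional revision suffix
    r"\s*-\s*"
    r"(?:(?P<flag>UPDATED ALERT|UPDATE|ALERT)\s+)?"  # optional urgency tag
    r"(?P<env>(?:\[[^\]]+\]\s*)*)"                   # zero or more [Env] tags
    r"(?P<rest>\S.*)$"                               # product: impact [- access]
)

@dataclass
class BulletinTitle:
    bulletin_id: str
    kind: str                     # "ASB" (in-house) or "ESB" (redistributed)
    revision: int                 # 1 for the original release
    alert: bool                   # time critical / actively exploited
    updated: bool                 # resent with new information
    environments: List[str] = field(default_factory=list)
    product: str = ""
    impact: str = ""              # worst impact, or "Multiple vulnerabilities"
    access: Optional[str] = None  # access required, when the title gives one

def parse_title(subject: str) -> BulletinTitle:
    """Parse a mailout subject line into its components; raises on old-style titles."""
    m = _TITLE_RE.match(subject.strip())
    if not m:
        raise ValueError(f"not a new-style AusCERT title: {subject!r}")
    flag = m.group("flag") or ""
    product, _, tail = m.group("rest").partition(": ")
    impact, sep, access = tail.partition(" - ")
    return BulletinTitle(
        bulletin_id=m.group("id"),
        kind=m.group("id")[:3],
        revision=int(m.group("rev") or 1),
        alert="ALERT" in flag,
        updated=flag.startswith("UPDATE"),
        environments=re.findall(r"\[([^\]]+)\]", m.group("env")),
        product=product,
        impact=impact,
        access=access if sep else None,
    )
```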
Example
An example bulletin under the new system is below.
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0001
A critical vulnerability in ImportantProgram may allow code execution
16 April 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           ImportantProduct
Publisher:         ExamplePublisher
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service -- Remote/Unauthenticated
Patches Available: Yes
CVE Names:         CVE-2009-0000
Original Bulletin:
  http://www.example.com/example?id
--------------------------BEGIN INCLUDED TEXT--------------------
This is an example bulletin.
Normally the details of the vulnerability and how to fix it would be here.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================