Feed aggregator

TA15-240A: Controlling Outbound DNS Access

US-CERT Security Alerts - Fri, 08/28/2015 - 09:31
Original release date: August 28, 2015 | Last revised: August 30, 2015
Systems Affected

Networked systems

Overview

US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publically hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to outbound DNS queries and responses.

Description

Client systems and applications may be configured to send DNS requests to servers other than authorized enterprise DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a security risk and may introduce inefficiencies to an organization.   

Impact

Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the enterprise’s administrative control for DNS resolution. Internal enterprise systems should only be permitted to initiate requests to and receive responses from approved enterprise DNS caching name servers. Permitting client systems and applications to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the organization, which include:

  • Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for detecting potential malicious network activity.
  • Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow clients to access malicious domains that would otherwise be blocked.
  • Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the domain requested (e.g., the client is sent to a phishing site or served malicious code).
  • Lost protections against DNS cache poisoning and denial-of-service attacks. The mitigating effects of a tiered or hierarchical (e.g., separate internal and external DNS servers, split DNS, etc.) DNS architecture used to prevent such attacks are lost.  
  • Reduced Internet browsing speed since enterprise DNS caching would not be utilized.
Solution

Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these recommendations focus on improving the security of outbound DNS query or responses and do not encompass all DNS security best practices.  

  • Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution.
  • Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).  
    • Additionally, filtering inbound destination port 53 TCP and UDP traffic to only allow connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protections. 
  • Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS resolvers. [1]
References Revision History
  • August 28, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS15-092 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251) - Version: 1.1

Microsoft Security Notifications - Sun, 08/23/2015 - 23:00
Severity Rating: Important
Revision Note: V1.1 (August 24, 2015): Updated bulletin to inform customers that on August 18, 2015, a metadata change was implemented on Windows Update for the updates documented in this bulletin. This is an informational change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.
Categories: Security Alerts

MS15-080 - Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662) - Version: 2.0

Microsoft Security Notifications - Thu, 08/20/2015 - 23:00
Severity Rating: Critical
Revision Note: V2.0 (August 21, 2015): Updated bulletin to inform customers running Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 2, and Windows 7 Service Pack 1 that the 3078601 update on the Microsoft Download Center was updated on August 18, 2015. Microsoft recommends that customers who installed the 3078601 update via the Microsoft Download Center prior to August 18 reinstall the update to be fully protected from the vulnerabilities discussed in this bulletin. If you installed update 3078601 via Windows Update, Windows Update Catalog, or WSUS, no action is required.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.
Categories: Security Alerts

MS15-067 - Critical: Vulnerability in RDP Could Allow Remote Code Execution (3073094) - Version: 1.1

Microsoft Security Notifications - Thu, 08/20/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (August 21, 2015): Improved the Update FAQ section and the footnote for the Affected Software table to help customers more easily identify the correct update to apply based on the currently installed version of RDP on Windows 7 systems. These are informational changes only. Customers who have already successfully applied the update do not need to take any action. Customers who have not already installed the necessary update should do so to be protected from the vulnerability it addresses.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Categories: Security Alerts

MS15-093 - Critical: Security Update for Internet Explorer (3088903) - Version: 1.1

Microsoft Security Notifications - Wed, 08/19/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (August 20, 2015): Bulletin revised to announce a detection change in the 3087985 update for Internet Explorer. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS15-082 - Important: Vulnerabilities in RDP Could Allow Remote Code Execution (3080348) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Categories: Security Alerts

MS15-083 - Important: Vulnerability in Server Message Block Could Allow Remote Code Execution (3073921) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability affected software Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file that invokes the vulnerable sandboxed application.
Categories: Security Alerts

MS15-091 - Critical: Cumulative Security Update for Microsoft Edge (3084525) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS15-081 - Critical: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3080790) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS15-085 - Important: Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and in certain situations execute it.
Categories: Security Alerts

MS15-079 - Critical: Cumulative Security Update for Internet Explorer (3082442) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS15-087 - Important: Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed.
Categories: Security Alerts

MS15-088 - Important: Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update helps to resolve an information disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.
Categories: Security Alerts

MS15-086 - Important: Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege (3075158) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft System Center Operations Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website.
Categories: Security Alerts

MS15-089 - Important: Vulnerability in WebDAV Could Allow Information Disclosure (3076949) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic.
Categories: Security Alerts

MS15-090 - Important: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3060716) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox.
Categories: Security Alerts

85 - None: Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: None
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and in certain situations execute it.
Categories: Security Alerts

MS15-084 - Important: Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) - Version: 1.0

Microsoft Security Notifications - Mon, 08/10/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (August 11, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0. However, in all cases an attacker would have no way to force users to click a specially crafted link; an attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.
Categories: Security Alerts

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations

US-CERT Security Alerts - Sat, 08/01/2015 - 14:01
Original release date: August 01, 2015
Systems Affected

Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview

Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

Description

US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

Impact

Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

Solution

Phishing Mitigation and Response Recommendations

  • Implement perimeter blocks for known threat indicators:
    • Email server or email security gateway filters for email indicators
    • Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
    • DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
  • Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
  • Identify recipients and possible infected systems:
    • Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in purge of mailboxes)
    • Search applicable web proxy, DNS, firewall or IDS logs for activity the malicious link clicked.
    • Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.
    • Review anti-virus (AV) logs for alerts associated with the malware.  AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
    • Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
  • For systems that may be infected:
    • Capture live memory of potentially infected systems for analysis
    • Take forensic images of potentially infected systems for analysis
    • Isolate systems to a virtual local area network (VLAN) segmented form the production agency network (e.g., an Internet-only segment)
  • Report incidents, with as much detail as possible, to the NCCIC.

Educate Your Users

Organizations should remind users that they play a critical role in protecting their organizations form cyber threats. Users should:

  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.  Be particularly wary of compressed or ZIP file attachments.
  • Avoid clicking directly on website links in emails; attempts to verify web addresses independently (e.g., contact your organization’s helpdesk or sear the Internet for the main website of the organization or topic mentioned in the email).
  • Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.

Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:

  • Privilege control (i.e., minimize administrative or superuser privileges)
  • Application whitelisting / software execution control (by file or location)
  • System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
  • Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
  • Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
  • Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV cards)

Further Information

For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

References Revision History
  • August 1, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS15-078 - Critical: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Version: 2.0

Microsoft Security Notifications - Tue, 07/28/2015 - 23:00
Severity Rating: Critical
Revision Note: V2.0 (July 29, 2015): Bulletin published.
Summary: Bulletin rereleased to announce the availability of an update package for Windows 10 systems. Customers running Windows 10 should apply the 3074683 update to be protected from the vulnerability discussed in this bulletin. The update is available via Windows Update only. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
Categories: Security Alerts
Syndicate content