NCCIC / US-CERT

National Cyber Awareness System:

TA15-240A: Controlling Outbound DNS Access
08/28/2015 01:31 PM EDT


Original release date: August 28, 2015

Systems Affected
Networked systems

Overview
US-CERT has observed an increase in Domain Name System (DNS) traffic from client systems within internal networks to publically hosted DNS servers. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. This Alert provides recommendations for improving security related to outbound DNS queries and responses.

Description
Client systems and applications may be configured to send DNS requests to servers other than authorized enterprise DNS caching name servers (also called resolving, forwarding or recursive name servers). This type of configuration poses a security risk and may introduce inefficiencies to an organization.

Impact
Unless managed by perimeter technical solutions, client systems and applications may connect to systems outside the enterpriseÆs administrative control for DNS resolution. Internal enterprise systems should only be permitted to initiate requests to and receive responses from approved enterprise DNS caching name servers. Permitting client systems and applications
to connect directly to Internet DNS infrastructure introduces risks and inefficiencies to the organization, which include:

Bypassed enterprise monitoring and logging of DNS traffic; this type of monitoring is an important tool for detecting potential malicious network activity.
Bypassed enterprise DNS security filtering (sinkhole/redirect or blackhole/block) capabilities; this may allow clients to access malicious domains that would otherwise be blocked.
Client interaction with compromised or malicious DNS servers; this may cause inaccurate DNS responses for the domain requested (e.g., the client is sent to a phishing site or served malicious code).
Lost protections against DNS cache poisoning and denial-of-service attacks. The
mitigating effects of a tiered or hierarchical (e.g., separate internal and external DNS servers, split DNS, etc.) DNS architecture used to prevent such attacks are lost.
Reduced Internet browsing speed since enterprise DNS caching would not be utilized.
Solution
Implement the recommendations below to provide a more secure and efficient DNS infrastructure. Please note that these recommendations focus on improving the security of outbound DNS query or responses and do not encompass all DNS security best practices.

Configure operating systems and applications (including lower-tier DNS servers intended to forward queries to controlled enterprise DNS servers) to use only authorized DNS servers within the enterprise for outbound DNS resolution. Configure enterprise perimeter network devices to block all outbound User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic to destination port 53, except from specific, authorized DNS servers (including both authoritative and caching/forwarding name servers).
Additionally, filtering inbound destination port 53 TCP and UDP traffic to only
allow connections to authorized DNS servers (including both authoritative and caching/forwarding name servers) will provide additional protections.
Refer to Section 12 of the NIST Special Publication 800-81-2 for guidance when configuring enterprise recursive DNS resolvers. [1]
References
Secure Domain Name System (DNS) Deployment Guide
Revision History
August 28, 2015: Initial Release

-------------------------------------------------------------------------------
-

This product is provided subject to this Notification and this Privacy & Use policy.


-------------------------------------------------------------------------------
-
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery

=== Cut ===

--
Guardien Fide :^)

Ben aka cMech Web: http://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
07/05/2016 10:50 AM EDT


Original release date: July 05, 2016

Systems Affected
All Symantec and Norton branded antivirus products

Overview
Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description
The vulnerabilities are listed below:

CVE-2016-2207

Symantec Antivirus multiple remote memory corruption unpacking RAR [1]

CVE-2016-2208

Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux

or OSX platforms. The vulnerability can be triggered remotely using a malicious

file (via email or link) with no user interaction. [2]
CVE-2016-2209

Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3] CVE-2016-2210

Symantec: Remote Stack Buffer Overflow in dec2lha library [4]
CVE-2016-2211

Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK

Archives [5]
CVE-2016-3644

Symantec: Heap overflow modifying MIME messages [6]
CVE-2016-3645

Symantec: Integer Overflow in TNEF decoder [7]
CVE-2016 -3646

Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]


Impact
The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event.

Solution
Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton

antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

References
[1] Symantec Antivirus multiple remote memory corruption unpacking RAR
[2] How to Compromise the Enterprise Endpoint
[3] Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [4] Symantec: Remote Stack Buffer Overflow in dec2lha library
[5] Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives
[6] Symantec: Heap overflow modifying MIME messages
[7] Symantec: Integer Overflow in TNEF decoder
[8] Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink
[9] Symantec SYM16-008 security advisory
[10] Symantec SYM16-010 security advisory
Revision History
July 5, 2016: Initial Release

-------------------------------------------------------------------------------

-

This product is provided subject to this Notification and this Privacy & Use policy.


-------------------------------------------------------------------------------

-
A copy of this publication is available at www.us-cert.gov. If you need help or

have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------

-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:

United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery
=== Cut ===


-+-
Keep the faith :^)

Ben aka cMech Web: http|ftp|binkp|telnet://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC v1.1.5 via Mystic BBS
* Origin: FIDONet - The Positronium Repository (1:393/68)