Web Servers, BIND Top 2004 Vulnerabilities List

The SANS Institute has released its annual list of the top 20
Internet security vulnerabilities, pinpointing Web servers and services
(Windows) and the BIND Domain Name System (Unix) for containing the most
dangerous security holes.

For the first time since creating the list five years ago, the SANS
Institute (SysAdmin, Audit, Network, Security) split the list in two to
identify the top 10 most commonly exploited holes in Windows and Unix
systems and warned that the security bugs require urgent attention.

According to the list, the top 10 vulnerabilities in Windows systems are:

1. Web Servers & Services
2. Workstation Service
3. Windows Remote Access Services
4. Microsoft SQL Server (MSSQL)
5. Windows Authentication
6. Web Browsers
7. File-Sharing Applications
8. LSAS Exposures
9. Mail Client
10. Instant Messaging

The top 10 flaws in Unix systems are:

1. BIND Domain Name System
2. Web Server
3. Authentication
4. Version Control Systems
5. Mail Transport Service
6. Simple Network Management Protocol (SNMP)
7. Open Secure Sockets Layer (SSL)
8. Misconfiguration of Enterprise Services NIS/NFS
9. Databases
10. Kernel

The top 20 list is described as “a living document” that includes
step-by-step instructions and pointers to additional information for
correcting the security flaws.

In identifying Web servers and services as the most vulnerable for
Windows users, the institute warned that default installations of
various HTTP servers and additional components for serving HTTP requests
have proven vulnerable to a number of serious attacks over time.

Successful exploits of Web Server flaws include Denial-of-Service
attacks, data exposure, malicious code execution and
complete server compromise.

The vulnerable HTTP servers include Microsoft’s ,
the open-source Apache project and Sun’s iPlanet (SunONE). The
institute urged IT administrators to ensure all patches are up to date
for the server and that a current version is running.

“In most HTTP server software, the default configuration is rather
open leaving large avenues for exploit. Whilst this has been changed to
a ‘secure by default’ posture for IIS 6.0, it is crucial that
administrators take the time to fully understand their Web server and
adjust the configuration to allow only those features and services
required,” it added.

On the Unix side, SANS said buffer overflows and cache poisoning
throughout 2004 have plagued the Berkeley Internet Name Domain (BIND)
package. The BIND domain name system is used to handle the
conversion of hostnames into the corresponding IP address but, because
of its critical nature, it has been made the target of frequent attack.

“Although the BIND development team has
historically been quick to respond to and/or repair vulnerabilities, an
excessive number of outdated, misconfigured and/or vulnerable servers
still remain in production,” the institute warned.

The 2004 list includes detailed explanations of each vulnerability
and the corresponding attack vector and provides security information
for enterprise IT admins.
