11 Jul 2017

Member information

AUSCERT Bulletin Formats

AUSCERT sends out two forms of bulletin – AUSCERT Security Bulletins (or ‘ASB’s) and External Security Bulletins (or ‘ESB’s). Previously, there were four types of bulletin – External Security Bulletins (ESB), AUSCERT Advisories (AA), AUSCERT Alerts (AL) and AUSCERT Updates (AU). The new two-type system allows a simpler differentiation between bulletin types – ASB’s are written in-house, referencing information available that may not have a current coherent source, while ESB’s are bulletins written by other vendors that we have summarised and re-released.

Both ASBs and ESBs contain ‘header information’ that quickly summarise the contents and allow readers to determine important information at a glance.

Document Titles and Subject Lines

Bulletin titles (which is also used as the subject line of mailouts) are formatted to indicate basic information in as short a format as possible. The titles include the AUSCERT bulletin ID (for instance ASB-2009.0001 or ESB-2009.0123), revision number if applicable (eg. ESB-2009.0123.2) and an ‘ALERT’ flag if the contents of the bulletin are time critical or reference an actively exploited vulnerability.

Titles also include a list of ‘environment’ tags that list operating systems or hardware types the vulnerability affects. Unless the vulnerability is very specific this will usually only contain operating system families such as Windows ([Win]) and Linux ([Linux]). The rest of the title is either the product or publisher along with the most severe impact of the vulnerability. In the case of a bulletin regarding multiple vulnerabilities this will be replaced with ‘Multiple Vulnerabilities’.

For instance, previously what might have been sent out with a subject line of:

(AUSCERT AL-2009.0000) [Win] Critical vulnerabilities in ImportantProgram may result in data loss

would now have a subject line like:

ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated

or

ESB-2009.0000 – ALERT [Win] ImportantProgram: Multiple vulnerabilities

Bulletin Header

Since more information is now included in the bulletin title the header will only include the bulletin ID, date and a short descriptive sentence. In the case of ESBs, this is often the subject of the original bulletin.

Bulletin Summary

The bulletin summary is an index of the important information in the bulletin. Both ESBs and ASBs contain a summary, although some fields may only be found in one type. A description of each field is below.

Product

The product field gives the names and version numbers of products affected by the bulletin. The product may be an operating system, in which case no Operating System field will be given. Both ESBs and ASBs will have a Product field.

Publisher

Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. Often this is an operating system vendor (like Microsoft or Red Hat), but it may be another security team or research group.

Operating System

This field gives a list of operating systems or operating system families that are affected by the vulnerability. The operating systems themselves are not affected by the vulnerability, but the program that is affected will run on those operating systems.

Platform

A rarely used field, platform will specify particular architectures (eg i386, SPARC) that are affected by this vulnerability in a similar fashion to the Operating System field. In order to be brief, the Platform field will only be used if the architectures affected is a subset of the architectures that the operating systems affected run on.

Impact and Access

Previously separate as two fields, the Impact and Access matrix list the impacts of the vulnerabilities along with the associated access required to exploit them.

Impact Values

There are several predefined values for the Impact. The values and their meanings are below.

Root Compromise
The root account in a Unix or Linux based system can be accessed. This is a serious issue and may result in an attacker taking complete control of the affected machine.
Administrator Compromise
An administrator account (for instance within Windows or within an administration application) can be accessed. This is a serious issue and may result in an attacker taking over the affected machine. Note that in Windows this may also be a compromise of the SYSTEM account.
Execute Arbitrary Code/Commands
An attacker can execute commands beyond what is usually possible. This can include machine code, interpreted code such as Java or Javascript or SQL.
Increased Privileges
An attacker can increase their privilege level on the affected system. This may allow them to gain normal user access to a machine they should have no access to, or allow them to access the data or privileges of another user on the system.
Access Privileged Data
An attacker can read (and possibly write) data on the system that would otherwise be protected by a security measure. The attacker may not be able to perform any other action or gain the use of the priveleges they would otherwise require to view this content.
Modify Permissions
An attacker can add or remove permissions from an object. This may allow them to deny access to a valid user, or allow them to access something they would otherwise be blocked from.
Modify Arbitrary Files
An attacker can read, write or delete arbitrary files. The files they can access may be limited.
Overwrite Arbitrary Files
An attacker can replace the contents of arbitrary files. This may lead to a denial of service if important system files are replaced, or allow further access.
Create Arbitrary Files
An attacker can create files that they would otherwise not be allowed to. This may be leveraged to perform other attacks or gain access.
Delete Arbitrary Files
An attacker can delete files. This may allow a denial of service, or weaken existing defenses and allow further attacks.
Cross-site Scripting
A specific form of code execution, cross-site scripting may allow an attacker to inject their own HTML into an affected site’s code. This is not restricted to public facing websites – an attacker may be able to insert code that is activated when an administrator examines logs or uses some other administrative interface.
Denial of Service
An attacker can block access to resources from legitimate users. This may include causing a program to crash or freeze and not recover, causing an entire system to crash or simply using up all of the resource (for instance network bandwidth).
Website Defacement
A specific form of Modify Arbitrary Files, this impact allows an attacker to change a website. The change may not be obvious – an attacker might use such a vulnerability to spread malware to visitors of the affected site.
Provide Misleading Information
An attacker may be able to force a program or protocol to produce incorrect information. This may be to hide an attacker’s activity or trick a user into performing an unsafe action.
Read-only Data Access
An attacker may be able to read data they would otherwise not have access to. This may include files, segments of memory or network traffic.
Access Confidential Data
An attacker may be able to access data that would otherwise be hidden or inaccessible. This differs from Access Privileged Data in that the data may not be directly protected by access restrictions, but is still important. For instance, if a vulnerability allowed access to credit card details before those details were protected or deleted that would be Access Confidential Data.
Unauthorised Access
An attacker is able to access data in a way that is otherwise disallowed. This is a more generic version of other access-based impacts.
Reduced Security
A catch-all impact – the security level of the systems involved is weakened. This is used when an exact impact is unknown, or if the impact doesn’t match any of the others.

Access Values

There are several possible values for the access required to exploit a vulnerability. Generally the less access required the worse the vulnerability.

Remote/Unauthenticated
The only access required is that a connection can be made to the affected system.
Remote with User Interaction
The attacker requires no access themselves, but they need to trick a legitimate user into initiating the exploit (for instance by visiting a website or opening a file).
Existing Account
The attacker must have an existing user account on the system and must authenticate to exploit the vulnerability.
Console/Physical
The attacker must have direct physical access to the system. This is usually related to a vulnerability in a screen saver or other physical locking system.
Unknown/Unspecified
No access information is currently known.

Resolution

The Resolution field gives a quick indication on how to protect against the vulnerability. The possible values are:

None
No resolution is currently available.
Patch/Upgrade
A patch or new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch – third party patches would be considered a mitigation.
Mitigation
There are mitigation steps available that may be used, however there is no specific fix to the vulnerability
Alternate Program
Another program with similar functionality is available that is not vulnerable.

CVE

This field lists any CVE identifiers that relate to this vulnerability. CVE’s are an excellent way of tracking vulnerabilities that affect multiple products.

Reference

This fields lists other AUSCERT bulletin ID’s that are related to this vulnerability. These ID’s should also appear as links at the top of the page so that related bulletins can be navigated to easily.

Bulletin URL

Only available in ESB’s, this field lists URLs of the original bulletin source. Often the original bulletin will have further links and information that might be of use.

Bulletin Versioning

If new information becomes available regarding a bulletin we have already released we will update information on our website and may resend the bulletin if the information is important. Previously only the most recent version of the bulletin was available on our website, however now previous versions will be available as attachments to the current version. Updates will have a version number appended to the bulletin ID. For instance, the second version of ESB-2009.0000 is ESB-2009.0000.2. After an update is done the original version will be renamed to ESB-2009.0000.1.

If a new version is considered to contain important information, the bulletin will be resent with an extra tag of ‘UPDATE’ in the subject line. For bulletins that were already tagged with ‘ALERT’, this will become ‘UPDATED ALERT’.

Example

An example bulletin under the new system is below.

===========================================================================               AUSCERT External Security Bulletin Redistribution                                   ESB-2009.0001     A critical vulnerability in ImportantProgram may allow code execution                                 16 April 2009    ===========================================================================            AUSCERT Security Bulletin Summary          ---------------------------------    Product:           ImportantProduct  Publisher:         ExamplePublisher  Operating System:  Windows  Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated                     Denial of Service               -- Remote/Unauthenticated  Patches Available: Yes  CVE Names:         CVE-2009-0000      Original Bulletin:      http://www.example.com/example?id    --------------------------BEGIN INCLUDED TEXT--------------------    This is an example bulletin.    Normally the details of the vulnerability and how to fix it would be here.    --------------------------END INCLUDED TEXT--------------------    You have received this e-mail bulletin as a result of your organisation's  registration with AUSCERT. The mailing list you are subscribed to is  maintained within your organisation, so if you do not wish to continue  receiving these bulletins you should contact your local IT manager. If  you do not know who that is, please send an email to auscert@auscert.org.au  and we will forward your request to the appropriate person.    NOTE: Third Party Rights  This security bulletin is provided as a service to AUSCERT's members.  As  AUSCERT did not write the document quoted above, AUSCERT has had no control  over its content. The decision to follow or act on information or advice  contained in this security bulletin is the responsibility of each user or  organisation, and should be considered in accordance with your  organisation's  site policies and procedures. AUSCERT takes no responsibility for  consequences  which may arise from following or acting on information or advice contained  in  this security bulletin.    NOTE: This is only the original release of the security bulletin.  It may  not be updated when updates to the original are made.  If downloading at  a later date, it is recommended that the bulletin is retrieved directly  from the author's website to ensure that the information is still current.    Contact information for the authors of the original document is included  in the Security Bulletin above.  If you have any questions or need further  information, please contact them directly.    Previous advisories and external security bulletins can be retrieved from:            http://www.auscert.org.au/render.html?cid=1980    If you believe that your computer system has been compromised or attacked in    any way, we encourage you to let us know by completing the secure National  IT   Incident Reporting Form at:            http://www.auscert.org.au/render.html?it=3192    ===========================================================================  Australian Computer Emergency Response Team  The University of Queensland  Brisbane  Qld 4072    Internet Email: auscert@auscert.org.au  Facsimile:      (07) 3365 7031  Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)                  AUSCERT personnel answer during Queensland business hours                  which are GMT+10:00 (AEST).                  On call after hours for member emergencies only.  ===========================================================================