Archive for the ‘Security’ Category

MS14 081 Vulnerability in SharePoint

Wednesday, December 10th, 2014

Version 1.0

This year has been hard on Office Web Apps and Word Automation Services in SharePoint 2010 / 2013 from a security standpoint.

Microsoft has released another security bulletin that affects:

  • SharePoint 2010
  • SharePoint 2013
  • Office Web Apps 2013
  • Microsoft Project Server 2010 / 2013
  • other applications built on the SharePoint platform

The bulletin is rated Critical:

Microsoft Security Bulletin MS14-081 – Critical
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)

Resources

Key resources on this issue:

  1. MS14-081: Vulnerabilities in Microsoft Word and Office Web Apps could allow remote code execution: December 9, 2014
  2. MS14-081: Description of the security update for SharePoint Server 2010: December 9, 2014
  3. CVE-2014-6357: Use After Free Word Remote Code Execution Vulnerability
  4. National Vulnerability Database
  5. SecurityFocus
  6. US-CERT Security Bulletin

Download Updates:

  1. Security Update for Microsoft SharePoint Server 2010 (KB2899581)
  2. Security Update for Microsoft SharePoint Enterprise Server 2013 (KB2883050)
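A way to confirm that the two packages above actually landed on every SharePoint server in the farm, as an added example that is not part of the original post. It assumes the SharePoint Management Shell, PowerShell 3.0 or later on the servers, and PowerShell remoting to each farm server; the KB numbers are the two listed above.

```powershell
# Added example (not from the original post): confirm the MS14-081 packages are present on
# every SharePoint server in the farm. SharePoint and Office updates are Windows Installer
# patches, so Get-HotFix does not list them; the Installer registry hive does.
# Assumptions: SharePoint Management Shell, PowerShell 3.0+ on the servers, and
# PowerShell remoting to each farm server. The KB numbers are the two quoted in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$kbs = 'KB2899581', 'KB2883050'   # SharePoint Server 2010 / SharePoint Enterprise Server 2013

# SharePoint reports the SQL Server box with Role 'Invalid'; it receives no SharePoint patch.
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

$results = Invoke-Command -ComputerName $servers -ArgumentList (,$kbs) -ScriptBlock {
    param([string[]]$Kbs)
    # Per-machine MSI patch records live under ...\Products\<product>\Patches\<patch>\DisplayName
    $root  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
    $names = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path "$($_.PSPath)\Patches" -ErrorAction SilentlyContinue } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName } |
        Where-Object { $_ }

    foreach ($kb in $Kbs) {
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            KB        = $kb
            Installed = [bool]($names | Where-Object { $_ -like "*($kb)*" })
        }
    }
}

$results | Sort-Object Server, KB | Format-Table Server, KB, Installed -AutoSize

# Binaries on disk are not the whole story: a SharePoint update is complete only after the
# Products Configuration Wizard (PSConfig) has run. NeedsUpgrade = True flags servers where
# the patch is installed but that farm step is still pending.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object Address, NeedsUpgrade
```

Only one of the two KBs applies to a given farm (2010 or 2013), so expect the other to show Installed = False everywhere; the check you care about is that the applicable KB is True on every server and NeedsUpgrade is False once PSConfig has been run.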


Mitigating Factors

  • An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.
  • In a web-based attack scenario, an attacker could host a website that contains a file that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s site, and then convince them to open the specially crafted file in an affected version of Microsoft Office software.

Workaround

No workaround has been published for this issue.

Visit www.softvative.com for professional and Managed services for your SharePoint Farms.

MS14 073 Vulnerability in SharePoint

Tuesday, November 11th, 2014
Today Microsoft released a patch for a vulnerability in Microsoft SharePoint Foundation that could allow elevation of privilege, under Microsoft Security Bulletin MS14-073.

What:
An attacker who successfully exploited the vulnerability could execute arbitrary script in the security context of the logged-on user. The script could then, for example, take actions on the affected SharePoint site on behalf of the logged-on user with the same permissions as the logged-on user.

How:
An attacker could modify certain lists within SharePoint to exploit this vulnerability, and then convince users to browse to the modified list.

Risk:
Systems running an affected version of SharePoint Server that also support the mobile browser view are primarily at risk.

Mitigation:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. An attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.

Workaround:
None identified


Recover Symantec Protection Engine Lost Password

Wednesday, October 15th, 2014

Version: 1.2

Symantec Protection for SharePoint Servers (SPSS) is an antivirus solution for SharePoint. SPSS uses Symantec Protection Engine (SPE) as the underlying engine that provides the scanning framework for SPSS.

On each SharePoint server running SPSS you usually also have Symantec Protection Engine (SPE) running, with its console at https://localhost:8004. The SPE console is normally password protected.

I came across a scenario where the password for the Symantec Protection Engine (SPE) console was lost. We were using the right password but somehow SPE was not accepting it. On top of that the Symantec license was about to expire in a few days. It was a race against time!

Error Message

Login failed or Symantec Protection Engine server is not running.

SPE and SPSS services in Windows services console were running.

Symantec Protection Engine Portal Password Failure

Method 1

I looked at the Symantec Protection for SharePoint Servers implementation guide and, under chapter 7, found the section titled 'Unable to remember the console password'. That is the one method the guide gives to recover a lost password for Symantec Protection Engine (SPE). It didn't work in my case.

If you forget the console password, you can reset it. The command line tool CmdSymScan lets you remove the password. It is located at:
<installdir>:\Program Files\Symantec\SharePoint

Type the following command in the command prompt:
cmdsymscan clearconsolepassword

You are not prompted for a password again.

Time was ticking….

Method 2

I went to the Symantec Scan Engine folder location and opened the configuration.xml file.
C:\Program Files (x86)\Symantec\Scan Engine

I then searched for the password parameter. Guess what, I found the encrypted password there. I cleared the value and saved the file. The password parameter should look like this.

<password value=""/>

After that I restarted the Symantec Protection Engine (SPE) services under Windows Services console.

Symantec Protection for SharePoint - Windows Services

I closed and relaunched the Symantec Protection Engine (SPE) portal and was able to log in without a password. From there I set a new password, updated the license file, and the SPSS clock stopped ticking.
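Method 2 as a script, as an added example that is not part of the original post: it backs the file up, clears the value on the parsed XML rather than by hand, restarts the engine, and then shows who else could make the same edit. The configuration path is the one given above; the service display name is an assumption, so confirm it with Get-Service before running, from an elevated prompt on the server.

```powershell
# Added example (not part of the original post): Method 2 as a script. The configuration
# path follows the post; the service display name is an assumption, check it with Get-Service.
$configPath = 'C:\Program Files (x86)\Symantec\Scan Engine\configuration.xml'
$svc = Get-Service -DisplayName 'Symantec Protection Engine*' -ErrorAction Stop | Select-Object -First 1

# 1. Keep a copy of the original (it still holds the old password value) before touching it.
$backup = '{0}.{1}.bak' -f $configPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $configPath -Destination $backup -Force

# 2. Clear the value on the parsed document so the file stays well-formed XML.
[xml]$xml = Get-Content -LiteralPath $configPath -Raw
$nodes = @($xml.SelectNodes('//password') | Where-Object { $_.HasAttribute('value') })
if ($nodes.Count -eq 0) { throw "No <password value=...> element found in $configPath" }
foreach ($node in $nodes) { $node.SetAttribute('value', '') }
$xml.Save($configPath)

# 3. Restart the engine so it reads the emptied value, then confirm it came back up.
Restart-Service -Name $svc.Name -Force
Start-Sleep -Seconds 5
(Get-Service -Name $svc.Name).Status

# 4. Anyone who can write this file can log in to the console without a password,
#    so review who holds write access to it.
(Get-Acl -LiteralPath $configPath).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Log in and set a new console password straight away, as the post does; if the engine refuses to start after the edit, restore the .bak copy and restart the service again.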

Symantec Antivirus for SharePoint Blocked Linked Excel Files

Wednesday, October 8th, 2014

Symantec Protection for SharePoint Blocked Linked Excel Files

Issue Summary

Symantec Protection for SharePoint Servers (SPSS) 6.0 was deployed in the SharePoint farm. After deployment, certain files were being blocked by it even though Symantec Antivirus on the desktop had cleared them as clean.

In one of my previous posts, Linked Excel Files and SharePoint, I covered how linked files work in SharePoint.

Error:

2 – The file: FileNameByFM.xlsx -contains Unscannable Content. Reason: Container Size Violation | Container Size Violation -Status: Blocked

This file cannot be saved to the document library. If you want to save this file to the document library, clean the file using alternative virus scanning software and try saving it again.

Troubleshoot issues with Microsoft SharePoint Foundation.

File cannot be uploaded to SharePoint due to Symantec Antivirus for SharePoint (SPSS)

If you are trying to upload a new file, the upload fails. If you are trying to save a file after editing or checking it out, that doesn't work either.

Cause:

The issue was due to linked MS Excel files that were on the user's desktop. Only the container file was uploaded to SharePoint; it was 25 MB in size.

How to find linked files in MS Excel

Follow the steps listed below to find the linked files:
1. Open the Microsoft Excel file from SharePoint
2. Go to the Data ribbon tab and click Edit Links in the Connections group
3. Review the linked file(s) for Location. Update / remove as it applies to your container file
4. Save and close the file

Microsoft Excel - Edit Linked Files

You might have to do these steps on a copy of the file downloaded to your desktop, then upload the changed file.

Microsoft Excel - Edit Linked Files - Review Location

Resolution:

Even removing the link did not help in this case (the linked file was unnecessary in this scenario anyway): Symantec Protection for SharePoint still treated the workbook as a container file. That is expected: an .xlsx is itself a ZIP container of XML parts, so the engine treats every workbook as a container whether or not it has links. Review the data in the container workbook that may have been pulled in from the linked file.

I found that Symantec Protection Engine portal on the SharePoint server (http://localhost:8004) has a default filter policy for container handling. Symantec Protection Engine is a separate component of Symantec Protection for SharePoint Servers.

Container File Processing Limits:
The following filter policies were defined by default.

Stop processing a container file when any of the following limits is met or exceeded:
a. Time to extract the file meets or exceeds: 180 seconds
b. Maximum extract size of the file meets or exceeds: 100 MB
c. Maximum extract depth of the file meets or exceeds: 10 levels

When a processing limit is met or exceeded: Deny access to the file and generate a log entry.

Symantec Protection for SharePoint Servers - Filtering Policies on Container Handling

I changed the container file policy to: Allow access to the file and generate a log entry.

That seemed to resolve the issue.
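Before relaxing the policy it helps to know which of the three limits a file actually trips. The script below, an added example that is not part of the original post, walks an Office file as the ZIP container it is and reports its extracted size, nesting depth and walk time against the default limits quoted above. The sample path is an assumption, and the depth and time figures approximate the engine's accounting rather than reproduce its algorithm.

```powershell
# Added example, not part of the original post: estimate which Symantec Protection Engine
# container limit a file would trip before it is uploaded. Office Open XML files (.xlsx,
# .docx, .pptx) are ZIP containers, so the engine's extract-size and extract-depth limits
# apply to them exactly as to a .zip. Limits are the defaults quoted in the post; the
# sample path is assumed; depth/time are approximations of the engine's own accounting.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$MaxExtractBytes = 100MB
$MaxDepth        = 10
$MaxSeconds      = 180

function Measure-Container {
    param(
        [Parameter(Mandatory)][System.IO.Stream]$Stream,
        [int]$Depth = 1
    )
    # Sum the declared uncompressed size of every entry and recurse into nested containers.
    $bytes   = 0L
    $deepest = $Depth
    $zip = New-Object System.IO.Compression.ZipArchive($Stream, [System.IO.Compression.ZipArchiveMode]::Read)
    try {
        foreach ($entry in $zip.Entries) {
            $bytes += $entry.Length
            if ($entry.Name -match '\.(zip|xlsx|xlsm|docx|pptx)$') {
                # ZipArchive needs a seekable stream, so inflate the nested container into memory first
                $ms    = New-Object System.IO.MemoryStream
                $inner = $entry.Open()
                try { $inner.CopyTo($ms) } finally { $inner.Dispose() }
                $ms.Position = 0
                $nested = Measure-Container -Stream $ms -Depth ($Depth + 1)
                $bytes += $nested.Bytes
                if ($nested.Depth -gt $deepest) { $deepest = $nested.Depth }
            }
        }
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]@{ Bytes = $bytes; Depth = $deepest }
}

function Test-ContainerLimits {
    param([Parameter(Mandatory)][string]$Path)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $fs = [System.IO.File]::OpenRead($Path)
    try { $r = Measure-Container -Stream $fs } finally { $fs.Dispose() }
    $sw.Stop()

    # Mirror the policy: any single limit met or exceeded is a violation.
    $hits = @()
    if ($r.Bytes -ge $MaxExtractBytes)            { $hits += "extract size $([math]::Round($r.Bytes / 1MB, 1)) MB >= 100 MB" }
    if ($r.Depth -ge $MaxDepth)                   { $hits += "extract depth $($r.Depth) >= $MaxDepth levels" }
    if ($sw.Elapsed.TotalSeconds -ge $MaxSeconds) { $hits += "extract time $([int]$sw.Elapsed.TotalSeconds) s >= $MaxSeconds s" }
    $summary = if ($hits.Count -gt 0) { $hits -join '; ' } else { 'none' }

    [pscustomobject]@{
        File       = $Path
        OnDiskMB   = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 1)
        ExtractMB  = [math]::Round($r.Bytes / 1MB, 1)
        Depth      = $r.Depth
        Violations = $summary
    }
}

Test-ContainerLimits -Path 'C:\Temp\FileNameByFM.xlsx'   # sample path, assumed
```

Sheet XML compresses well, so a 25 MB workbook whose parts inflate past 100 MB reports an extract-size violation with no linked files at all, which is consistent with the link removal above making no difference. Knowing the number also tells you whether raising the size limit for that one file would be enough, rather than switching the whole policy to allow.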

Risk Assessment:

In this scenario, because the SharePoint farm was internal only, the decision was made to allow access to files when the container processing limits are reached or exceeded. The decision favoured application availability over strict security. Note what that trades away: a file that hits a limit is stored without having been fully scanned, and the log entry the policy still generates is the only record of it, so those entries should be monitored rather than ignored.

Keywords:

  • Symantec Antivirus for SharePoint
  • Symantec Protection for SharePoint
  • Symantec Protection for SharePoint blocks file
  • Symantec Protection for SharePoint does not allow file upload
  • Symantec Protection blocks file upload in SharePoint
  • File upload blocked by Symantec antivirus
  • File upload blocked in SharePoint
  • Unscannable Contents in SharePoint
  • Container Size violation in SharePoint
  • SharePoint File upload blocked by antivirus

Using Cisco Wifi Controller for Employee and Guest Wifi

Wednesday, October 1st, 2014

V: 1.0

Case Study:

  1. The client was using two different ISPs, one each for employee and guest wifi.
  2. Employees were using the guest wifi to bypass the firewall, web filters and security policies on the main network.
  3. The client was paying an enormous amount to the ISPs. Operational and IT management costs were too high.
  4. Multiple wifi access points (APs) were in place, and changes had to be made on each AP individually.
  5. APs were poorly placed in the building, causing wifi performance issues.

Solution:

I did the project research and came up with the following proposal based on the requirements:

  1. Cisco wifi controller with new access points
  2. Barracuda Web Filter 410
  3. A dedicated VLAN from the APs through the controller all the way to the web filter, so guest traffic never enters the internal network
  4. Sungard High Availability Services
  5. Layer 3 wifi security for the employee network
  6. Layer 2 and Layer 3 security for the guest network
  7. The Cisco wifi controller's security policies
See my planning diagram for the project.
Using Cisco Wifi Access Points /  Controller and VLAN for Employee and Guest Wifi Network
The solution helped the customer streamline their IT processes.
  1. The client saves the amount it was paying to the additional ISP.
  2. Isolation of the guest and employee wifi was achieved on the same network hardware by using VLANs.
  3. The Cisco wifi controller saves the IT department a lot of time in operations and maintenance, and hence hidden costs.
  4. With the combination of Layer 2 and Layer 3 wifi security, employees could no longer easily use the guest network.

MS14-050 Critical Vulnerability in SharePoint 2013

Tuesday, August 12th, 2014

V: 1.2

Microsoft Security Bulletin MS14-050 has been released; Microsoft rates it Important rather than Critical. It applies to the following products:
  • SharePoint Server 2013 (with or without SP1)
  • SharePoint Foundation 2013 (with or without SP1)

Maximum Security Impact: Elevation of Privilege
Aggregate Severity Rating: Important

This security update may require a reboot.
This security update resolves one privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could use a specially crafted app to run arbitrary JavaScript in the context of the user on the current SharePoint site.
Microsoft Security Bulletin MS14-050 – August 2014

MS Knowledge Base Articles
MS14-050: Vulnerability in Microsoft SharePoint Server could allow elevation of privilege: August 12, 2014

MS14-050: Description of the security update for SharePoint Services: August 12, 2014

Common Vulnerabilities and Exposures

NIST National Vulnerability Database – Vulnerability Summary for CVE-2014-2816
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2816

Update replaced by this update: MS14-022

Download MS14-050 – Security Update for Microsoft SharePoint Enterprise Server 2013 (KB2880994)

Mitigating Factors
No mitigating factors have been identified.

Workaround:
For SharePoint instances, evaluate and remove apps as appropriate. Install new apps from trusted sources only.
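The workaround only works if you know which apps are installed where. The script below, an added example that is not part of the original post, builds that inventory across every site collection and web in the farm; run it in the SharePoint 2013 Management Shell as a farm administrator. The CSV path is an assumption.

```powershell
# Added example, not from the original post: inventory every installed app instance in the
# farm so the bulletin's workaround ("evaluate and remove apps") has a list to work from.
# Run in the SharePoint 2013 Management Shell as a farm administrator. The CSV path is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$inventory = foreach ($site in (Get-SPSite -Limit All)) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($app in (Get-SPAppInstance -Web $web)) {
                    [pscustomobject]@{
                        WebUrl         = $web.Url
                        AppTitle       = $app.Title
                        Status         = $app.Status
                        AppPrincipalId = $app.AppPrincipalId   # ties the instance back to the publisher's app identity
                        AppInstanceId  = $app.Id
                    }
                }
            } finally {
                $web.Dispose()   # SPWeb/SPSite hold unmanaged resources; always dispose
            }
        }
    } finally {
        $site.Dispose()
    }
}

$inventory | Sort-Object AppTitle, WebUrl | Format-Table AppTitle, Status, WebUrl -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path 'C:\Temp\SPAppInventory.csv'

# After review, remove an instance you do not trust (destructive; keeps the confirmation prompt):
#   Uninstall-SPAppInstance -Identity $instance -Confirm
```

Sort by AppPrincipalId as well as title when reviewing: the same title appearing under two different principal ids is two different apps, and the one you did not get from your app catalog is the one to question.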


MS14-022 Critical Vulnerabilities in SharePoint ProjectServer

Tuesday, May 13th, 2014
Microsoft Security Bulletin MS14-022 has been released and is rated Critical. It covers the following products:
  • SharePoint Server 2007, 2010, 2013
  • WSS 3.0
  • SharePoint Foundation 2010 / 2013
  • Office Web Apps Server 2010 / 2013
  • SharePoint Designer 2010 / 2013
Risk: High
Discovered: 05/13/2014
The security update addresses the vulnerabilities by correcting how SharePoint Server and Office Web Apps sanitize specially crafted page content.
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
MS Knowledge Base Article
MS14-022: Vulnerabilities in Microsoft SharePoint Server could allow remote code execution: May 13, 2014
Vulnerabilities Summary:

# | Vulnerability | CVE | Mitigating Factors
1 | | | To exploit any of these related vulnerabilities, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled.
2 | | | Microsoft has not identified any mitigating factors for this vulnerability.
3 | | | To exploit this vulnerability, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled.
Security Resources
It is good to review the SANS Internet Storm Center for the criticality of these updates
https://isc.sans.edu/
SANS Internet Storm Center – May 2014 Patch Tuesday
Search on the Security Focus site
Recommendation
Run all software as a less-privileged user with minimal access rights.

Word Automation Services Vulnerability and Sharepoint Server

Tuesday, March 25th, 2014
There is a vulnerability in Microsoft Word that could allow remote code execution. The issue affects:
1. Microsoft Word 2003 to 2013
2. Microsoft Word Viewer
3. Word Automation Services in SharePoint 2010 and 2013
4. Office Web Apps 2010 and 2013
The issue is triggered by specially crafted RTF data.

Risk Mitigation:
1. Use non-admin rights on local systems; that lowers the impact of a successful exploit.
2. Disable opening RTF files in Word / Outlook.
3. In SharePoint Server, uncheck RTF as a supported file format in Word Automation Services.

SharePoint Server – Word Automation Services:
Follow the steps below to disable the RTF file format in Word Automation Services on SharePoint Server 2010 / 2013. Make sure you understand the impact of this change in your organization before making it: RTF documents will no longer be converted by the service.
1. Go to the SharePoint Central Administration website of your farm
2. Under Application Management, click 'Manage Service Applications'
3. Click the Word Automation Services service application to open its settings
4. Under 'Supported File Formats', uncheck Rich Text Format (.rtf)
5. Click OK to save the settings
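The same change from the SharePoint Management Shell, as an added example that is not part of the original post, so it can be scripted across farms and re-checked later. It works on the SupportedFormats flags property of the Word Automation service application; the flag name Rtf is assumed from that enum, so confirm it on your build first by printing the property.

```powershell
# Added example, not from the original post: disable RTF in Word Automation Services from
# the Management Shell. Uses the SupportedFormats flags property of the service application;
# the flag name 'Rtf' is assumed, confirm it first with:
#   (Get-SPServiceApplication | Where-Object { $_.TypeName -like 'Word Automation*' }).SupportedFormats
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$apps = Get-SPServiceApplication | Where-Object { $_.TypeName -like 'Word Automation*' }
if (-not $apps) { throw 'No Word Automation Services application found in this farm.' }

foreach ($app in $apps) {
    $current  = $app.SupportedFormats
    $enumType = $current.GetType()
    $rtf      = [Enum]::Parse($enumType, 'Rtf')

    if (([int]$current -band [int]$rtf) -eq 0) {
        '{0}: RTF already disabled ({1})' -f $app.DisplayName, $current
        continue
    }

    # Flags enum: clear only the Rtf bit and leave the other formats untouched.
    $newValue = [int]$current -band (-bnot [int]$rtf)
    $app.SupportedFormats = [Enum]::ToObject($enumType, $newValue)
    $app.Update()
    '{0}: {1} -> {2}' -f $app.DisplayName, $current, $app.SupportedFormats
}
```

Re-running the script is the audit: a farm where every application reports "RTF already disabled" has the mitigation in place, and any line showing a before/after transition is a farm where someone re-enabled it.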
References:
1. Vulnerability in Microsoft Word Could Allow Remote Code Execution – Microsoft Security Advisory (2953095)
2. MS Knowledge Base
3. CVE Page

Secure Data Wiping and Recovery Tools

Saturday, March 3rd, 2012

In the past I have worked on a few file / data recovery and secure hard drive wiping projects. Before throwing away old servers, laptops and other storage media, securely wipe them, then run the recovery tools against the wiped drive to confirm nothing can be retrieved. Encrypting your storage media from the start is recommended; in this post, though, I focus on testing recovery and secure shredding options.

Below are good free and licensed tools: the ones I have worked with in the past plus recommendations from colleagues. My recommended list is highlighted in orange. One caveat for solid-state drives: overwrite-based wipers cannot reach every flash block, so for SSDs use the drive's built-in ATA Secure Erase (listed below) or encrypt the drive and destroy the key.
Bundle Tools:

These two products are .ISO images that bundle tens of free / open source tools, including ones to recover deleted files and securely wipe hard drives.

1. UBCD – http://www.ultimatebootcd.com
2. UBCD4Win – http://www.ubcd4win.com

File Recovery Tools:

1. PCInspector – http://www.pcinspector.de
2. Piriform Recuva – http://www.piriform.com/recuva
3. Kroll Ontrack – http://www.krollontrack.com/software/free-downloads/
4. Undelete Plus – http://undeleteplus.com
5. DiskInternals Uneraser – http://www.diskinternals.com/download
6. WinUndelete – http://www.winundelete.com/download.asp
7. RecoverMyFiles – http://www.recovermyfiles.com

Secure Wiping Tools:

1. Darik's Boot and Nuke (DBAN) – http://www.dban.org
2. Piriform CCleaner – http://www.piriform.com/ccleaner
3. Eraser – http://eraser.heidi.ie/
4. Sysinternals SDelete – http://technet.microsoft.com/en-us/sysinternals/bb897443
5. KillDisk – http://www.killdisk.com
6. Secure Erase – http://cmrr.ucsd.edu/people/Hughes/Secure-Erase.html
7. Acronis DriveCleanser – http://www.acronis.com/enterprise/products/drivecleanser/
8. WipeDrive – http://www.whitecanyon.com/wipedrive-erase-hard-drive.php
9. RoadKil – http://www.roadkil.net/downloads.php
10. DiskDoctors – http://www.diskdoctors.net/

LUA Least Privilege to User Accounts

Monday, January 1st, 2007

A few years back, I was working in a development center. Every developer wanted full system rights to install anything they wanted. The end result was lots of system failures, viruses, Trojans and what not on the network.

Giving users limited access to the system while making sure all application functionality still worked was a difficult task. At that time I read a few articles on the topic. (Read my comments and input on the topic at the bottom of these articles.)

Keys to the Kingdom – http://mcpmag.com/articles/2003/10/28/keys-to-the-kingdom.aspx

Local Admin Rights, Right or Wrong – http://mcpmag.com/articles/2003/11/11/local-admin-rights-right-or-wrong.aspx

Since then Microsoft has done a lot of work to make sure applications run under limited user accounts. Least-privilege user accounts (LUA) bring increased security, manageability and productivity, reduced cost and reduced piracy.

Check these articles for more details on the topic.

  1. Applying the Principle of Least Privilege to User Accounts on Windows XP
  2. Using a Least-Privileged User Account
  3. Browsing the Web and Reading E-mail Safely as an Administrator
  4. Running with Special Privileges
  5. Aaron Margosis’ Non-Admin Blog
  6. Elevating privileges for an administrator