NGSSoftware

Critical Vulnerability in SNMPc

NGS — Wed, 30 Apr 2008 12:02:17 +0000

=======
Summary
=======
Name: Unauthenticated Stack Overflow in SNMPc
Release Date: 30 April 2008
Reference: NGS00526
Discover: Wade Alcorn (wade@ngssoftware.com) and John Heasman
(john@ngssoftware.com)
Vendor: Castle Rock Computing
Systems Affected: SNMPc versions 7.1 and earlier
Risk: Critical
Status: Published

===========
Description
===========
Wade Alcorn and John Heasman of NGSSoftware have discovered a stack
overflow vulnerability in Castle Rock Computing SNMPc Network Manager.
SNMPc Network Manger is a distributed network management system that
allows monitoring of the network infrastructure. It employs a
distributed polling agent architecture which uses SNMP TRAPs to provide
a solution capable of monitoring networks with up to ten thousand
devices. An SNMP TRAP initiated by a network element is sent to the
SNMPc Network Manager to allow monitoring of the infrastructure.

=================
Technical Details
=================
The vulnerability can be exploited when an overly long community string
is sent in the SNMP TRAP packet. The packets format will be valid ASN.1,
including the length of the community string. An attacker can craft a
single UDP packet that can lead to the execution of arbitrary code in
the context of LocalSystem.

===============
Fix Information
===============
NGSSoftware wish to note that Castle Rock Computing were extremely
pro-active in addressing this issue.

The latest version (SNMPc 7.1.1) can be downloaded from the Castle Rock
Computing website: http://www.castlerock.com/.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

OWASP AppSec Europe 2008

NGS — Mon, 28 Apr 2008 05:50:09 +0000

NGSSoftware’s John Heasman will be presenting at the OWASP AppSec Europe 2008 Conference which is held in Ghent, Belgium from the 19th - 22nd May 2008.

John’s presentation is entitled “Office 2.0: Software as a Service, Security on the Sidelines?” Click here to read the abstract.

About OWASP

“The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible,” so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under an open source license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.”

SC AWARDS EUROPE 2008: Winners announced

NGS — Wed, 23 Apr 2008 14:15:04 +0000

“The accolade for Best Security Company went to UK based NGSSoftware. A beaming David Litchfield, the managing director, accepted the award from Lumension’s Andrew Clarke. ”

Read the full article at SC Magazine.

NGSSoftware’s Press Release.

NGSSoftware wins Best Security Company at SC Awards 2008

NGS — Wed, 23 Apr 2008 06:09:32 +0000

NGSSoftware is proud to announce being named winners of the prestigious SC Magazine European Awards ‘Best Security Company‘ for 2008.

NGSSoftware’s world leading Security Assessment Consulting Services were recognised at the European Awards ceremony which was held on the 22nd April 2008 in London.

See here for a full list of the winners.

About the SC Awards Europe

The SC Awards Europe are widely considered the most prestigious awards programme in the information security industry and stand out as a true benchmark of achievement. Now in their thirteenth year, the Awards have a long-standing tradition of promoting excellence.

For further detail, visit www.scmagazine.com/uk/awards.

AusCERT 2008

NGS — Fri, 04 Apr 2008 09:47:46 +0000

NGSSoftware’s David Litchfield will be presenting at the AusCERT 2008 security conference, to be held on the Gold Coast, Australia from 18th - 23rd May 2008.

ITWeb Security Summit

NGS — Fri, 04 Apr 2008 09:43:25 +0000

NGSSoftware’s David Litchfield will be speaking at the ITWeb Security Summit, to be held in Johannesburg, South Africa from 6th - 8th May 2008.

Infosecurity Europe 2008

NGS — Fri, 04 Apr 2008 09:35:21 +0000

NGSSoftware’s David Litchfield will be speaking at the Infosecurity Europe 2008 conference, to be held in London, UK from 22nd - 24th April 2008.

ICST 2008

NGS — Fri, 04 Apr 2008 09:29:36 +0000

NGSSoftware’s David Litchfield will be speaking at the IEEE International Conference on Software Testing Verification and Validation (ICST) conference, to be held in Lillehammer, Norway from 9th - 11th April.

David LeBlanc’s 15 Most Influential Security People

NGS — Tue, 18 Mar 2008 06:42:59 +0000

“Same thing for SQL – used to be a security mess, now it’s really solid – and thanks to NGS for helping”

Read the full article at David LeBlanc’s Web Log.

NGSSoftware and David Litchfield named finalists in SC Magazine Awards 2008

NGS — Wed, 06 Feb 2008 07:20:56 +0000

Following on from the success in the SC Magazine Awards last year, NGSSoftware are delighted to have once again been nominated as finalists in the ‘Best Security Company‘ category for the SC Magazine Awards Europe 2008.

In addition, NGSSoftware’s Managing Director David Litchfield has also been nominated for ‘CEO of the Year‘.

About the SC Awards Europe

‘I congratulate all those businesses and individuals who have been short-listed and look forward to welcoming them to the Awards night in April’ – Paul Fisher, Editor, SC Magazine UK

The 2008 Awards presentation will be held on 22 April at the Hurlingham Club in London.

For further detail, visit www.scmagazine.com/uk/awards.