Issue of August 2003 

Security Watch

Cisco & Microsoft Vulnerabilities

Three new security vulnerabilities have been announced: one in Cisco routing equipment and two in core components of the Microsoft Windows OS.

Cisco IOS Interface Blocked by IPv4 Packet

Cisco has published an advisory for a denial-of-service (DoS) vulnerability in Cisco IOS releases 11.x and 12.x. An unauthenticated remote attacker can use it to stop a vulnerable device from processing traffic on an interface.

Systems affected:

All Cisco devices running Cisco IOS software and configured to process IPv4 packets (the default). This covers a significant number of infrastructure devices, on both corporate and core Internet networks.

Impact:

A device that receives these specially crafted IPv4 packets wrongly marks the input queue of the receiving interface as full, and that interface stops processing inbound traffic. The device may therefore stop handling packets destined to the router itself on that interface, including routing protocol packets and ARP packets. No alarm is raised, and the router does not reload to recover on its own.

The condition can be triggered repeatedly, so availability is lost until a workaround has been applied or the device has been upgraded to a fixed release.

Solution/patches:

1. Restrict access

Until the device can be upgraded, you can mitigate the risk with Access Control Lists (ACLs) that deny the IP protocol numbers named in the Cisco advisory (53, 55, 77 and 103) while permitting the traffic you need; if you run PIM (protocol 103), permit it only from known neighbours. The correct placement of the ACLs depends on your network topology, and ACLs may degrade performance on some platforms.

2. The advisory is available at www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

Additional information:

The trigger is a sequence of specially crafted IPv4 packets that are handled by the device's processor and carry one of a small set of IP protocol numbers (53, 55, 77 and 103, per the Cisco advisory). Once an interface is blocked, a reload of the affected device is required to regain normal functionality. Given the critical role of the affected devices, administrators are strongly urged to upgrade to a fixed version of Cisco IOS as soon as possible.
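The blocked-interface condition leaves a visible trace in `show interfaces`: the input queue is reported above its maximum (for example "Input queue: 76/75/0/0") while the interface shows no input rate. The following Python script, added here as an example and not part of the Cisco advisory, parses that output and flags interfaces in this state; the sample output is constructed to show one wedged interface beside two healthy ones, and the interface names and addresses in it are invented.

```python
"""Flag Cisco IOS interfaces whose input queue is wedged above its maximum,
the symptom of the blocked-interface DoS.  Added example; the sample output
below is constructed, not captured from a real device."""
import re
from typing import Dict, List

# Constructed sample of `show interfaces` output.  Serial0/0 carries the
# wedged-queue signature: 76 packets queued against a maximum of 75, with
# no input rate.  The other interfaces are healthy.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0001.0002.0003 (bia 0001.0002.0003)
  Internet address is 192.0.2.1/24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 1000 bits/sec, 2 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 198.51.100.1/30
  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
Serial0/1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# An interface block starts with a line such as "Serial0/0 is up, line protocol is up".
IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (.+)$")
# The queue counters are reported as size/max/drops/flushes.
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")


def parse_input_queues(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {'size', 'max', 'drops', 'flushes'}} from show interfaces output."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            continue
        q = QUEUE_RE.search(line)
        if q and current is not None:
            size, maximum, drops, flushes = (int(v) for v in q.groups())
            result[current] = {"size": size, "max": maximum,
                               "drops": drops, "flushes": flushes}
    return result


def blocked_interfaces(text: str) -> List[str]:
    """Interfaces whose queue depth exceeds its maximum (e.g. 76/75).

    A queue reported exactly at its maximum can be a transient burst; one
    stuck *above* the maximum on an interface with no input rate is the
    signature described in the advisory.
    """
    return [name for name, q in parse_input_queues(text).items() if q["size"] > q["max"]]


if __name__ == "__main__":
    for name, q in parse_input_queues(SAMPLE_SHOW_INTERFACES).items():
        print(f"{name:18} input queue {q['size']}/{q['max']}")
    print("blocked:", blocked_interfaces(SAMPLE_SHOW_INTERFACES))
```

Feed it the output of `show interfaces` collected from each router (for example over SSH at a regular interval); an interface that appears in the blocked list, and stays there across two samples, needs the ACL workaround and a reload.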

Buffer Overflow in Microsoft RPC

A new vulnerability in a core part of the Microsoft Windows OS has been announced. Exploiting it requires no prior authentication; an attacker needs only to be able to connect to TCP port 135 on a vulnerable system. Successful exploitation gives the attacker full control of the targeted system.

Systems Affected:

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Services Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Impact:

A remote attacker could exploit this vulnerability to execute arbitrary code with local system privileges or to cause a DoS.

Solution/patches:

1. Restrict access
You may wish to block access from outside your network perimeter, specifically to TCP port 135. The RPC endpoint can also be reached over TCP ports 139, 445 and 593, which the bulletin recommends blocking as well. This limits your exposure, but blocking at the perimeter still leaves the vulnerability exploitable by attackers (or infected machines) inside it. Understand your network's configuration and service requirements before deciding what changes are appropriate.

2. Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.

Additional information:

The buffer overflow lies in the part of Microsoft's Remote Procedure Call (RPC) implementation that handles message exchange over TCP/IP.

The failure results from incorrect handling of malformed messages. The affected code is the DCOM interface to RPC, which listens on TCP port 135 and handles DCOM object activation requests from client machines. The overflow is triggered by a malformed activation request in which the server name embedded in a Universal Naming Convention (UNC) path is longer than the fixed-size buffer that receives it.
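Before relying on the perimeter block in step 1, it is worth verifying from outside which hosts still answer on the RPC ports. The Python script below is an added example, not part of Microsoft's bulletin: it performs plain TCP connect checks against TCP 135 and the other RPC-reachable ports named above, in parallel, and reports each port as open, closed (refused) or filtered (no answer). The target list in the script is a constructed placeholder; it does not send any RPC traffic.

```python
"""Audit hosts for exposed RPC ports from a given vantage point.  Added
example for the 'Restrict access' step; a plain TCP connect check, not an
exploit.  The target list below is a constructed placeholder."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# TCP 135 is the DCOM/RPC endpoint mapper named in the bulletin; 139, 445
# and 593 are the other TCP ports MS03-026 recommends blocking.
RPC_TCP_PORTS: Tuple[int, ...] = (135, 139, 445, 593)
DEFAULT_TIMEOUT = 2.0


def port_state(host: str, port: int, timeout: float = DEFAULT_TIMEOUT) -> str:
    """Classify host:port as seen from here.

    open       - TCP handshake completed: the port is reachable
    closed     - connection refused: host reachable, nothing listening
    filtered   - timeout or network error: a firewall drop, or host down
    unresolved - the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # covers socket.timeout / TimeoutError and unreachable errors
        return "filtered"


def audit_rpc_exposure(hosts: Iterable[str],
                       ports: Tuple[int, ...] = RPC_TCP_PORTS,
                       timeout: float = DEFAULT_TIMEOUT) -> Dict[str, Dict[int, str]]:
    """Return {host: {port: state}} for every host/port pair, probed in parallel."""
    host_list = list(hosts)
    pairs = [(h, p) for h in host_list for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        states = list(pool.map(lambda hp: port_state(hp[0], hp[1], timeout), pairs))
    report: Dict[str, Dict[int, str]] = {h: {} for h in host_list}
    for (h, p), state in zip(pairs, states):
        report[h][p] = state
    return report


def exposed_hosts(report: Dict[str, Dict[int, str]]) -> Dict[str, List[int]]:
    """Hosts with at least one RPC port open, with the open ports listed."""
    return {host: sorted(p for p, s in ports.items() if s == "open")
            for host, ports in report.items()
            if any(s == "open" for s in ports.values())}


if __name__ == "__main__":
    # Constructed target list; replace with the address ranges behind your perimeter.
    report = audit_rpc_exposure(["127.0.0.1", "192.0.2.10"])
    for host, ports in report.items():
        print(host, ports)
    print("exposed:", exposed_hosts(report))
```

Run it once from outside the perimeter (to confirm the block works) and once from inside (to see what an infected internal host could reach); a "filtered" result from outside and "open" from inside is the expected picture after step 1, and any host still "open" from outside needs the patch in step 2 first.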

Buffer Overflow in Core Microsoft Windows dll

A buffer overflow vulnerability exists in the Win32 API libraries shipped with all versions of Microsoft Windows 2000 and Microsoft Windows NT 4.0. This vulnerability, which is being actively exploited on WebDAV-enabled IIS 5.0 servers, will allow a remote attacker to execute arbitrary code on unpatched systems. Sites running Microsoft Windows 2000 and Microsoft Windows NT 4.0 should apply a patch or disable WebDAV services as soon as possible.

Windows 2000 (and possibly earlier versions) ships a DLL named ntdll.dll, the core user-mode component through which other OS components call into the Windows kernel. The overflow is in an unchecked buffer in ntdll.dll; because many different components call into this DLL, WebDAV in IIS 5.0 is the vector currently being exploited but not necessarily the only way to reach the flaw.

Systems Affected:

Systems running Windows 2000 / NT 4.0

Impact:

Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple 'web defacement'.

Solution/patches:

1. Disable vulnerable service
Until a patch can be applied, you may wish to disable IIS: support.microsoft.com/default.aspx?scid=kb;en-us;321141

If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV (removing WebDAV can be specified when running the IIS lockdown tool).

2. Use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available at support.microsoft.com/default.aspx?scid=kb;[LN];326444

3. Apply a patch from your vendor
A patch is available from Microsoft at microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62EC69D32AC929B&displaylang=en

According to MS03-007, "Microsoft was made aware that some customers who had received a hotfix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin." For more information, see the 'Frequently Asked Questions' section of MS03-007.
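Step 2 above relies on URLScan's request limits: the attacks seen against this flaw send a WebDAV request with an extremely long URL, and URLScan rejects such requests either because the verb is denied or because the URL exceeds its MaxUrl limit. The Python script below is an added example, not URLScan's code and no substitute for it: it applies the same two rules (an allow list of verbs with the WebDAV verbs denied, and a raw URL length limit) to a batch of constructed request lines, so you can see which requests the mitigation would stop. The limit values are URLScan's documented defaults; the sample requests are invented.

```python
"""Request-line filter in the spirit of URLScan's verb lists and MaxUrl
limit, run over constructed sample requests.  Added example; not URLScan
itself and not a replacement for it."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Verbs WebDAV adds on top of plain HTTP.  Denying them is the request-level
# equivalent of removing WebDAV with the IIS Lockdown tool.
WEBDAV_VERBS: FrozenSet[str] = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"})


@dataclass(frozen=True)
class Policy:
    allow_verbs: FrozenSet[str] = frozenset({"GET", "HEAD", "POST"})
    deny_verbs: FrozenSet[str] = WEBDAV_VERBS
    max_url: int = 260             # URLScan's documented MaxUrl default
    max_query_string: int = 2048   # URLScan's documented MaxQueryString default


def check_request(request_line: str, policy: Policy = Policy()) -> Tuple[bool, str]:
    """Return (allowed, reason) for one HTTP request line.

    Lengths are measured on the raw, undecoded URL and the query string is
    counted separately, as URLScan does.  An overlong WebDAV request is
    rejected by the verb rule first; an overlong plain GET by the length rule.
    """
    parts = request_line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    verb, target, _version = parts
    verb = verb.upper()
    if verb in policy.deny_verbs:
        return False, f"verb {verb} is denied (WebDAV verbs blocked)"
    if verb not in policy.allow_verbs:
        return False, f"verb {verb} is not in the allow list"
    path, _, query = target.partition("?")
    if len(path) > policy.max_url:
        return False, f"URL length {len(path)} exceeds MaxUrl={policy.max_url}"
    if len(query) > policy.max_query_string:
        return False, (f"query string length {len(query)} exceeds "
                       f"MaxQueryString={policy.max_query_string}")
    return True, "allowed"


def filter_requests(request_lines: List[str],
                    policy: Policy = Policy()) -> List[Tuple[str, bool, str]]:
    """Apply the policy to a batch of request lines (e.g. replayed from a web log)."""
    return [(line[:60], *check_request(line, policy)) for line in request_lines]


# Constructed sample requests; the fourth mimics the overlong URL pattern.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.1",
    "POST /scripts/form.asp HTTP/1.1",
    "SEARCH / HTTP/1.1",                     # WebDAV verb, denied outright
    "GET /" + "A" * 65535 + " HTTP/1.1",      # overlong URL, caught by MaxUrl
    "PROPFIND /docs/ HTTP/1.1",              # WebDAV verb
    "GET /a.htm?" + "x" * 3000 + " HTTP/1.1", # overlong query string
    "TRACE / HTTP/1.1",                      # not in the allow list
]

if __name__ == "__main__":
    for shown, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:50} {shown}")
```

Replaying your IIS logs' request lines through `filter_requests` before deploying URLScan shows which legitimate traffic (for example, Outlook Web Access or FrontPage publishing, which use WebDAV) the policy would also block, so that exceptions can be planned rather than discovered.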

Bugwatch

W32/Sobig.E
W32/Sobig.E is a variant of the Sobig mass-mailing worm. It arrives as an e-mail attachment with a .zip extension; inside the archive is a file with a .scr or .pif extension. When the user opens that file, the worm mails itself to every e-mail address it finds in files with a .wab, .dbx, .htm, .html, .eml or .txt extension. The worm also spoofs the 'From' address, so the apparent sender is usually not the infected user.

Files and registry keys created
Upon execution, the worm places the following files in the %Windir% directory:

  • winssk32.exe (copy of the worm)
  • msrrf.dat (configuration file)

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSKService" = "%Windir%\winssk32.exe"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSKService" = "%Windir%\winssk32.exe"

The worm also attempts to propagate by copying itself to the following folders:

  • Documents and Settings\All Users\Start Menu\Programs\Startup\
  • Windows\All Users\Start Menu\Programs\StartUp\

Consider blocking e-mail attachments with .pif and .scr extensions at the mail gateway, including when they arrive inside a .zip archive, and remove the files and Run registry entries listed above from infected hosts.
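Because the worm's executable is wrapped in a .zip, a gateway filter that only looks at the outer attachment's extension misses it. The Python script below is an added example, not code from the worm write-up or from any vendor: it parses a raw e-mail message, inspects each attachment, and flags .pif/.scr files both when they are attached directly and when they sit inside an archive, identifying archives by content rather than by the declared file name. The sample messages it builds are constructed in the script; the blocked-extension set is limited to the two extensions named above and is meant to be extended by the operator.

```python
"""Mail-gateway style check for Sobig.E-style attachments: .pif/.scr
files attached directly or inside a .zip.  Added example; the messages
below are constructed in-script, not captured samples."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Extensions the worm uses for its payload.  A production policy would add
# more (.exe, .com, .bat, ...); that choice is left to the operator.
BLOCKED_EXTENSIONS = frozenset({".pif", ".scr"})


def _extension(name: str) -> str:
    """Lower-cased final extension, so 'Your_Details.PIF' -> '.pif'."""
    return os.path.splitext(name.strip())[1].lower()


def suspicious_attachments(raw_message: bytes) -> List[str]:
    """Return one finding per blocked file found in the message's attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _extension(name) in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked extension")
        # Sobig.E wraps the executable in a .zip.  Decide by content, not by
        # the declared extension, so a renamed archive is still inspected.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    if _extension(member) in BLOCKED_EXTENSIONS:
                        findings.append(
                            f"{name} -> {member}: blocked extension inside archive")
    return findings


def zip_containing(member_name: str, data: bytes) -> bytes:
    """Build an in-memory .zip holding one member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, data)
    return buf.getvalue()


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a message with one attachment, the way the worm's mail looks."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # Sobig.E spoofs this; it proves nothing
    msg["To"] = "user@example.net"
    msg["Subject"] = "Re: Application"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure: a .zip carrying a .pif, as described above.
    worm_like = build_sample_message(
        "your_details.zip", zip_containing("your_details.pif", b"MZ" + b"\x00" * 64))
    benign = build_sample_message("report.txt", b"quarterly figures")
    print("worm-like:", suspicious_attachments(worm_like))
    print("benign:   ", suspicious_attachments(benign))
```

Hooked into a gateway (for example as a content filter that receives the raw message), a non-empty result is grounds to quarantine the message; the spoofed From address should not be used to notify the "sender", since that person is rarely the infected user.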

 
     

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.