Cisco & Microsoft

Two new security vulnerabilities affecting the Microsoft Windows OS and Cisco routing equipment have been announced.
Cisco IOS Interface Blocked by IPv4 Packet

Cisco has published information regarding a DoS vulnerability in Cisco IOS versions 11.x and 12.x. A vulnerability in many versions of Cisco's IOS could allow an intruder to execute a DoS attack against a vulnerable device.

All Cisco devices running Cisco IOS software and configured to process IPv4 packets are affected. This vulnerability affects a significant number of infrastructure devices, on both corporate and core Internet networks.

A device receiving these specifically crafted IPv4 packets will force the inbound interface to stop processing traffic. The device may stop processing packets destined to the router, including routing protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct itself. This vulnerability may be exercised repeatedly, resulting in loss of availability until a workaround has been applied or the device has been upgraded to a fixed version of code.
1. Restrict access
Until a patch can be applied, you can mitigate the risks presented by this vulnerability by judicious use of Access Control Lists (ACLs). The correct use of ACLs depends on your network topology. Additionally, ACLs may degrade performance on some systems.
2. The advisory is available at www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
IPv4 packets with modified headers will trigger this issue. A power cycle of an affected device is required to regain normal functionality. Due to the critical nature of the affected Cisco devices, administrators are strongly urged to upgrade to the latest version of Cisco IOS as soon as possible.
Buffer Overflow in Microsoft RPC

A new security vulnerability affecting the core part of the Microsoft Windows OS has been announced. This vulnerability does not require any prior authentication to exploit; it only requires the ability to connect to port TCP/135 on a vulnerable system. Once exploited, the attacker will have full access to the
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server
A remote attacker could exploit this vulnerability to execute arbitrary code with local system privileges or to cause a DoS.
1. Restrict access
You may wish to block access from outside your network perimeter, specifically by blocking access to port 135/TCP. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes
2. Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.
The buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC), which deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. This particular vulnerability affects a DCOM interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.
Buffer Overflow in Core Microsoft Windows DLL

A buffer overflow vulnerability exists in the Win32 API libraries shipped with all versions of Microsoft Windows 2000 and Microsoft Windows NT 4.0. This vulnerability, which is being actively exploited on WebDAV-enabled IIS 5.0 servers, will allow a remote attacker to execute arbitrary code on unpatched systems. Sites running Microsoft Windows 2000 and Microsoft Windows NT 4.0 should apply a patch or disable WebDAV services as soon as possible.

Windows 2000 (and possibly prior versions of Windows) contains a DLL named ntdll.dll. This DLL is a core OS component used to interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll, which is utilized by many different components in the Windows OS.
Windows 2000 / NT 4.0
Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple 'web defacement'.
1. Disable vulnerable
Until a patch can be applied, you may wish to disable IIS: support.microsoft.com/default.aspx?scid=kb;en-us;321141
If you cannot disable IIS, consider using the IIS Lockdown Tool to disable WebDAV (removing WebDAV can be specified when running the IIS Lockdown Tool).
2. Use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available
3. Apply a patch from your vendor
A patch is available from Microsoft at microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62EC69D32AC929B&
According to MS03-007, "Microsoft was made aware that some customers who had received a hotfix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin." For more information, see the 'Frequently Asked Questions' section of MS03-007.
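Before disabling WebDAV or deploying URLScan, an administrator wants to know whether WebDAV is actually in use on the server and whether any WebDAV requests look out of the ordinary. The following added example (not from the original newsletter or from Microsoft) reads IIS W3C extended log lines, picks out the standard WebDAV methods, and flags requests whose URI length exceeds a threshold; the 1024-byte threshold is an assumption to be tuned against a site's normal traffic, and the log lines themselves are constructed.

```python
"""Find WebDAV activity in IIS W3C extended log lines (added example).

Answers two defender questions raised by the MS03-007 workarounds:
is WebDAV used on this server at all, and are any WebDAV requests
abnormally long? Log lines below are constructed, not real traffic.
"""

# Standard WebDAV methods plus Microsoft's SEARCH method.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
LONG_URI = 1024  # assumed threshold; tune to the site's legitimate traffic

# Constructed sample in W3C extended format (IIS encodes spaces in URIs
# as '+', so splitting on whitespace is safe for the fields used here).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-03-17 09:15:01 192.0.2.50 GET /index.htm 200
2003-03-17 09:15:04 192.0.2.51 PROPFIND /docs/ 207
2003-03-17 09:15:09 203.0.113.9 SEARCH /{long} 500
2003-03-17 09:15:12 192.0.2.50 POST /login.asp 302
""".format(long="A" * 2000)


def parse_w3c(log_text):
    """Return one dict per data line, keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blanks
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def webdav_findings(log_text, long_uri=LONG_URI):
    """List WebDAV requests, marking those whose URI exceeds `long_uri`."""
    findings = []
    for rec in parse_w3c(log_text):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        uri = rec.get("cs-uri-stem", "")
        findings.append({
            "client": rec.get("c-ip"),
            "method": method,
            "uri_length": len(uri),
            "long": len(uri) > long_uri,
            "status": rec.get("sc-status"),
        })
    return findings


def webdav_in_use(log_text):
    """True if any WebDAV method appears in the log at all."""
    return bool(webdav_findings(log_text))


if __name__ == "__main__":
    for f in webdav_findings(SAMPLE_LOG):
        flag = "LONG" if f["long"] else "ok"
        print(f"{f['client']} {f['method']} len={f['uri_length']} "
              f"status={f['status']} {flag}")
```

On the sample, the PROPFIND from an internal client is ordinary WebDAV use (so disabling WebDAV outright would need coordination), while the SEARCH with a 2001-byte URI is flagged for review. Only the cs-method and cs-uri-stem columns are required; other #Fields layouts work as long as those two are present.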
A bug that is a variant of the Sobig mass-emailing worm, referred to as 'W32/Sobig.E', arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the 'from' address, so it is likely that the sender address is not that of the infected user.

Upon execution, the worm places the following files in the "%Windir%" directory:
- winssk32.exe (copy of worm)
- msrrf.dat (configuration file)

The following registry keys are created:

The worm also attempts to propagate by copying itself to the following
- Documents and Settings\All Users\Start Menu\Programs\Startup\
- Windows\All Users\Start Menu\Programs\StartUp\
e-mail attachments with the extensions listed
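The description above gives two kinds of indicators a defender can act on: what the attachment looks like in transit (a .zip whose contents carry a .scr or .pif extension) and what the worm leaves on an infected host (winssk32.exe and msrrf.dat in %Windir%, plus copies in the All Users Startup folders). The following added example, not part of the newsletter, turns both into checks: one suitable for a mail gateway, one for host triage. The zip contents and the directory tree it scans are constructed in code; the filenames are the ones the newsletter names, and since the page does not say what the copy in the Startup folder is called, the host check simply lists every executable found there for review.

```python
"""Defensive checks derived from the W32/Sobig.E description (added example).

Two checks:
  * gateway-style: does a .zip attachment contain a member whose
    extension is .scr or .pif?
  * host triage: are the dropped files present in %Windir%, and which
    executables sit in the All Users Startup folders?
Sample zip contents and directory layout are constructed here.
"""
import io
import os
import tempfile
import zipfile

RISKY_MEMBER_EXTS = (".scr", ".pif")             # from the newsletter text
DROPPED_FILES = ("winssk32.exe", "msrrf.dat")     # from the newsletter text
STARTUP_EXTS = (".exe", ".scr", ".pif")           # assumed review set


def risky_zip_members(zip_bytes):
    """Return member names inside a zip matching the described extensions.

    Unreadable or non-zip data yields an empty list; a gateway would
    normally quarantine such attachments separately.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(RISKY_MEMBER_EXTS)]
    except zipfile.BadZipFile:
        return []


def host_indicators(windir, startup_dirs):
    """Look for the dropped files and list executables in Startup folders."""
    found = {"dropped": [], "startup_executables": []}
    for name in DROPPED_FILES:
        path = os.path.join(windir, name)
        if os.path.isfile(path):
            found["dropped"].append(path)
    for d in startup_dirs:
        if not os.path.isdir(d):
            continue  # e.g. the NT 4.0 path on a Windows 2000 host
        for entry in sorted(os.listdir(d)):
            if entry.lower().endswith(STARTUP_EXTS):
                found["startup_executables"].append(os.path.join(d, entry))
    return found


def build_sample_zip(member_names):
    """Construct an in-memory zip with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder text, not executable content")
    return buf.getvalue()


def demo_host_scan():
    """Build a throwaway tree mimicking an infected layout and scan it."""
    root = tempfile.mkdtemp()
    windir = os.path.join(root, "WINNT")
    startup = os.path.join(root, "Documents and Settings", "All Users",
                           "Start Menu", "Programs", "Startup")
    os.makedirs(windir)
    os.makedirs(startup)
    for name in DROPPED_FILES:                     # constructed empty files
        open(os.path.join(windir, name), "wb").close()
    open(os.path.join(startup, "desktop.ini"), "wb").close()   # benign
    open(os.path.join(startup, "sample_copy.exe"), "wb").close()  # for review
    missing = os.path.join(root, "Windows", "All Users",
                           "Start Menu", "Programs", "StartUp")
    return host_indicators(windir, [startup, missing])


if __name__ == "__main__":
    print(risky_zip_members(build_sample_zip(["invoice.pif", "readme.txt"])))
    print(demo_host_scan())
```

The attachment check matches on the inner filename rather than on the .zip itself, which is the part of the description that distinguishes this worm from ordinary archive mail; the host check reports findings for a person to act on rather than deleting anything.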