The Risks of “Big” Vulnerabilities

Recently the IT industry was awakened by the announcement of two security vulnerabilities that represent an exposure for nearly every network in the world. Cisco, an industry leader in networking gear, announced a vulnerability affecting nearly every version of their IOS running on routers that move data across most of the networks for companies worldwide, and the Internet. Almost as if planned, Microsoft announced at the same time a vulnerability affecting most, if not all versions of Windows, from the servers to the desktop, which could have serious ramifications of not mitigated.

The impact on organizations is obvious. Considering how many companies look to Cisco and Microsoft as their primary vendor for networking and operating systems, respectively, a set of vulnerabilities affecting entire product lines from two predominate market leaders the effect is broad and deep.

Scope of Problem

Given the proliferation of Cisco and Microsoft products, it is impossible to simply say this is a vulnerability associated with Internet-based threats only. The assumption that only a hacker sitting on the Internet will be the only one targeting you only means you are in denial. The disturbing fact is thanks to a small group of hackers, easy-to-use tools are available to anyone with no skills and only motive to cause harm. Therefore, anyone with a computer is a threat; this is include employees.

For example, roughly on Wednesday, July 16, at 6:10:00 GMT Cisco announced the vulnerability and on that following Friday at 4:42:19 GMT an unknown person identifying themselves as "Marion Barry" released “shadowchode”, a tool that can be used to exploit the vulnerability.

The Cisco Vulnerability

In short, all Cisco routers and switches running IOS software are vulnerable to a Denial of Service (DoS) attack. Multiple IPv4 (IPv6 only routers are not vulnerable) packets with specific protocol fields sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. The protocols in question are 53 (SWIPE), 55 (IP Mobility), or 77 (SUN ND) with Time to Live (TTL) values of 0 or 1, and 103 (Protocol Independent Multicast) with any TTL value. At this point the device’s interface will simply stop responding and the system will not reload to rectify itself. What makes this especially effective is the number of packets an attacker must send is negligible when compared to the impact. This is because the specially formed packet(s) the attacker sends triggers the router to flag the input queue on an interface as full – very effective.

Dealing With It Now

There are a couple recommended workarounds from Cisco. First, and most obvious, is apply an access control list (ACL) to the interface that blocks the unwanted protocols. Secondly, you can increase the capacity of the queue in question in an effort to buy you more time to react and reboot the router later to release the blocked packets.

Finally, there is no patch that can be applied, you have to replace the IOS on the router to the updated version.

Mitigation Strategy

In any scenario when the impact of a vulnerability affects something so core to your network, the objective should be to find a method to tactically mitigate the issue with as little collateral damage as possible. For example, implementing an ACL to block protocols related to the vulnerability to the interface is a relatively easy application of controls with little potential for introducing other problems. If the protocol was 50 (ESP) many IPSec VPN solutions would be rendered useless if that protocol had to be blocked. Of course, if you are using one of the vulnerable protocols, it most certainly will affect operations in some way. It is hoped that a border router connected to the Internet or partner network is only used for traditional protocols, such as well-tested TCP/IP, ICMP, and routing protocols.

Finally, the inevitability of having to update the IOS will come to pass, and it will have to be completed in a meaningful timeframe to ensure sound security across the enterprise. This can be an easy exercise, or a difficult one, depending on your environment, technical capabilities, and system management architecture.

The Microsoft Vulnerability

Despite efforts to the contrary, Microsoft will continue to be challenged with security issues. One can argue that a product which is used in so many environments, in countless implementations, and all over the globe will certainly be a primary focus for “white hat” attackers (researchers) as well as their “black hat” counterparts in search of problems.

A well known “problem port” on Microsoft systems is the Remote Procedure Call (RPC) service implemented by default on most Microsoft platforms. The RPC service is used to allow programs on one system to seamlessly execute on another. While the service and associated protocol is standardized, Microsoft has some customized attributes specific to their implementation, hence certain vulnerabilities are present in only Microsoft’s implementation of the service.

Historically, this has been the service which has been blocked by firewalls and routers for years because it provides unauthenticated access to certain information about the system. To exploit this specific vulnerability, an attacker sends a crafted packet to one of the standard RPC ports, 135, 139, or 445 (or any custom configured port). Seeing that this service and related ports have been a problem child for years, the exposure to this type vulnerability is predominantly from inside or from remote partner or customer networks that do not implement traffic controls. Having said this, there still remains a significant threat to Internet accessible Microsoft systems because either the firewall or filtering router is not configured correctly, or there is another, unrelated avenue of attack which could allow the necessary access to the RPC service.

The vulnerability can allow a remote attacker to send specially created packets to the above mentioned ports allowing them to run arbitrary code (e.g. worm, Trojan, etc) or simply overwhelm the system resulting in a DoS.

The Details

As mentioned above, the RPC service has been a problem for years for the security conscious. However, previously identified weaknesses in the service and related protocol were not nearly as critical as this particular vulnerability represents. It takes little imagination to envision a disgruntled employee downloading a tool that will exploit the vulnerability and automatically implant a tool to allow remote anonymous administration of the targeted system. Therefore, is should be a substantial concern for organizations that use Windows NT, NT Terminal Server, 2000, 2003, and XP. A patch was provided by Microsoft and is available on their website. However, proper testing and validation should be performed to mitigate any added problems associated with the application of the patch prior to enterprise wide distribution.

What We Could See Next

If there is one thing we have learned as an industry it is that these weaknesses are the true bane of IT directors, security professionals, administrators, CIOs, essentially anyone who has to deal with the constant avalanche of new vulnerabilities. Moreover, since the introduction of highly sophisticated and aggressive software “worms,” NIMDA and Code Red specifically, there is a direct correlation between a successful worm attack and the number of vulnerable systems. Vulnerable systems that typically shouldn’t be. For example, the Slammer worm of recent months – the fastest spreading worm in the history – was based on a vulnerability for which there had been a patch available for over a year.

It is expected that this new Microsoft RPC vulnerability will be used in a new worm to wreak havoc on organizations all over the world. And unlike the prolific yet benign Slammer worm, the next one may be much more difficult to get rid of and cause irreparable damage.

So, the issue is managing patches holistically as opposed to managing the vulnerabilities based on assumption of overall impact. In other words, don’t just fix the vulnerabilities that are well publicized, rather develop a comprehensive strategy to address all vulnerabilities to ensure an effective security posture. Developing these strategies, and the programs to successfully execute on them, requires broad-based expertise, knowledge of both vulnerabilities and protective approaches, and well-rounded management controls to ensure compliance and effective remediation. Seeking expert help in one or more of these areas may be a prudent choice.

About INS

International Network Services Inc. (INS) provides network consulting services and business solutions to help companies build, secure, and manage business-critical network infrastructures. Our end-to-end network consulting solutions address customers’ needs in Next Generation Networking, Security, and Network & Systems Management, helping them optimize their business to better face competitive challenges and meet future demands. We are one of the world's largest independent network consulting and security services providers with a track record of thousands of successful engagements. INS is headquartered in Santa Clara, Calif., and has offices across the U.S. and Europe. For additional information, please contact INS at 1-888-767-2788 in the U.S., 44 (0) 1628 503000 in Europe, or 1-408-330-2700 worldwide, or visit www.ins.com.

Information

Cisco
• http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
• http://www.cisco.com/warp/public/707/racl.html
• http://www.cisco.com/warp/public/707/iacl.html
• http://www.cert.org/advisories/CA-2003-17.html
Microsoft
• http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
• http://www.cert.org/advisories/CA-2003-16.html
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352