The Risks of “Big” Vulnerabilities
Recently the IT industry was awakened by the announcement of two security vulnerabilities
that represent an exposure for nearly every network in the world. Cisco, an
industry leader in networking gear, announced a vulnerability affecting nearly
every version of their IOS running on routers that move data across most of
the networks for companies worldwide, and the Internet. Almost as if planned,
Microsoft announced at the same time a vulnerability affecting most, if not
all versions of Windows, from the servers to the desktop, which could have serious
ramifications of not mitigated.
The impact on organizations is obvious. Considering how many companies look
to Cisco and Microsoft as their primary vendor for networking and operating
systems, respectively, a set of vulnerabilities affecting entire product lines
from two predominate market leaders the effect is broad and deep.
Scope of Problem
Given the proliferation of Cisco and Microsoft products, it is impossible to
simply say this is a vulnerability associated with Internet-based threats only.
The assumption that only a hacker sitting on the Internet will be the only one
targeting you only means you are in denial. The disturbing fact is thanks to
a small group of hackers, easy-to-use tools are available to anyone with no
skills and only motive to cause harm. Therefore, anyone with a computer is a
threat; this is include employees.
For example, roughly on Wednesday, July 16, at 6:10:00 GMT Cisco announced
the vulnerability and on that following Friday at 4:42:19 GMT an unknown person
identifying themselves as "Marion Barry" released “shadowchode”,
a tool that can be used to exploit the vulnerability.
The Cisco Vulnerability
In short, all Cisco routers and switches running IOS software are vulnerable
to a Denial of Service (DoS) attack. Multiple IPv4 (IPv6 only routers are not
vulnerable) packets with specific protocol fields sent directly to the device
may cause the input interface to stop processing traffic once the input queue
is full. The protocols in question are 53 (SWIPE), 55 (IP Mobility), or 77 (SUN
ND) with Time to Live (TTL) values of 0 or 1, and 103 (Protocol Independent
Multicast) with any TTL value. At this point the device’s interface will
simply stop responding and the system will not reload to rectify itself. What
makes this especially effective is the number of packets an attacker must send
is negligible when compared to the impact. This is because the specially formed
packet(s) the attacker sends triggers the router to flag the input queue on
an interface as full – very effective.
Dealing With It Now
There are a couple recommended workarounds from Cisco. First, and most obvious,
is apply an access control list (ACL) to the interface that blocks the unwanted
protocols. Secondly, you can increase the capacity of the queue in question
in an effort to buy you more time to react and reboot the router later to release
the blocked packets.
Finally, there is no patch that can be applied, you have to replace the IOS
on the router to the updated version.
In any scenario when the impact of a vulnerability affects something so core
to your network, the objective should be to find a method to tactically mitigate
the issue with as little collateral damage as possible. For example, implementing
an ACL to block protocols related to the vulnerability to the interface is a
relatively easy application of controls with little potential for introducing
other problems. If the protocol was 50 (ESP) many IPSec VPN solutions would
be rendered useless if that protocol had to be blocked. Of course, if you are
using one of the vulnerable protocols, it most certainly will affect operations
in some way. It is hoped that a border router connected to the Internet or partner
network is only used for traditional protocols, such as well-tested TCP/IP,
ICMP, and routing protocols.
Finally, the inevitability of having to update the IOS will come to pass, and
it will have to be completed in a meaningful timeframe to ensure sound security
across the enterprise. This can be an easy exercise, or a difficult one, depending
on your environment, technical capabilities, and system management architecture.
The Microsoft Vulnerability
Despite efforts to the contrary, Microsoft will continue to be challenged
with security issues. One can argue that a product which is used in so many
environments, in countless implementations, and all over the globe will certainly
be a primary focus for “white hat” attackers (researchers) as well
as their “black hat” counterparts in search of problems.
A well known “problem port” on Microsoft systems is the Remote
Procedure Call (RPC) service implemented by default on most Microsoft platforms.
The RPC service is used to allow programs on one system to seamlessly execute
on another. While the service and associated protocol is standardized, Microsoft
has some customized attributes specific to their implementation, hence certain
vulnerabilities are present in only Microsoft’s implementation of the
Historically, this has been the service which has been blocked by firewalls
and routers for years because it provides unauthenticated access to certain
information about the system. To exploit this specific vulnerability, an attacker
sends a crafted packet to one of the standard RPC ports, 135, 139, or 445 (or
any custom configured port). Seeing that this service and related ports have
been a problem child for years, the exposure to this type vulnerability is predominantly
from inside or from remote partner or customer networks that do not implement
traffic controls. Having said this, there still remains a significant threat
to Internet accessible Microsoft systems because either the firewall or filtering
router is not configured correctly, or there is another, unrelated avenue of
attack which could allow the necessary access to the RPC service.
The vulnerability can allow a remote attacker to send specially created packets
to the above mentioned ports allowing them to run arbitrary code (e.g. worm,
Trojan, etc) or simply overwhelm the system resulting in a DoS.
As mentioned above, the RPC service has been a problem for years for the security
conscious. However, previously identified weaknesses in the service and related
protocol were not nearly as critical as this particular vulnerability represents.
It takes little imagination to envision a disgruntled employee downloading a
tool that will exploit the vulnerability and automatically implant a tool to
allow remote anonymous administration of the targeted system. Therefore, is
should be a substantial concern for organizations that use Windows NT, NT Terminal
Server, 2000, 2003, and XP. A patch was provided by Microsoft and is available
on their website. However, proper testing and validation should be performed
to mitigate any added problems associated with the application of the patch
prior to enterprise wide distribution.
What We Could See Next
If there is one thing we have learned as an industry it is that these weaknesses
are the true bane of IT directors, security professionals, administrators, CIOs,
essentially anyone who has to deal with the constant avalanche of new vulnerabilities.
Moreover, since the introduction of highly sophisticated and aggressive software
“worms,” NIMDA and Code Red specifically, there is a direct correlation
between a successful worm attack and the number of vulnerable systems. Vulnerable
systems that typically shouldn’t be. For example, the Slammer worm of
recent months – the fastest spreading worm in the history – was
based on a vulnerability for which there had been a patch available for over
It is expected that this new Microsoft RPC vulnerability will be used in a
new worm to wreak havoc on organizations all over the world. And unlike the
prolific yet benign Slammer worm, the next one may be much more difficult to
get rid of and cause irreparable damage.
So, the issue is managing patches holistically as opposed to managing the vulnerabilities
based on assumption of overall impact. In other words, don’t just fix
the vulnerabilities that are well publicized, rather develop a comprehensive
strategy to address all vulnerabilities to ensure an effective security posture.
Developing these strategies, and the programs to successfully execute on them,
requires broad-based expertise, knowledge of both vulnerabilities and protective
approaches, and well-rounded management controls to ensure compliance and effective
remediation. Seeking expert help in one or more of these areas may be a prudent
International Network Services Inc. (INS) provides network consulting services
and business solutions to help companies build, secure, and manage business-critical
network infrastructures. Our end-to-end network consulting solutions address
customers’ needs in Next Generation Networking, Security, and Network
& Systems Management, helping them optimize their business to better face
competitive challenges and meet future demands. We are one of the world's largest
independent network consulting and security services providers with a track
record of thousands of successful engagements. INS is headquartered in Santa
Clara, Calif., and has offices across the U.S. and Europe. For additional information,
please contact INS at 1-888-767-2788 in the U.S., 44 (0) 1628 503000 in Europe,
or 1-408-330-2700 worldwide, or visit www.ins.com.