Hello List,

Perhaps you're already aware of it, but perhaps not, if you've been too much in the workbooks lately ;-)

Recently, a day-zero vulnerability has been found in the Help & Support system of both Windows XP and Windows 2003. Sophos has found that an exploit has been active on an open source project, but it has been removed from that site. However, it is expected that the exploit will be on other websites as well. So, this appears to be a genuine day-zero attack / exploit.

You can find information at the following sites:

Sophos blog entry: http://www.sophos.com/blogs/sophoslabs/?p=10045
Cisco Security alert: http://tools.cisco.com/security/center/viewAlert.x?alertId=20691
CVE Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
Microsoft article: http://www.microsoft.com/technet/security/advisory/2219475.mspx

So, that is the information sharing. Now, let's get down to the mitigation of this vulnerability and get a discussion (perhaps?) on alternative solutions.

According to the technical details, the vulnerability exists in the parsing of a malformed hcp url, so the obvious workaround is basically: disable the hcp protocol (which is what Microsoft recommends). The disadvantage is that local help systems that use hcp:// won't work either, until Microsoft releases a patch.

Now, that's a good thing to start with, but how could we solve this on the network edge level, so that our users can still access the help?

Cisco has already released a signature definition file S495, which contains signature 26599. If you look at the signature definition, it scans the web service ports for an hcp:// url regex. So, how could we use that information to prevent the exploit from occurring, and do it at the edge (preventing network attacks)?

Since it's a regex, my guess would be that on an ASA you create a regex matching the hcp:// prefix (either the complete regex, or just the hcp:// prefix), apply that to the http inspection engine and drop any matches. That should give you a bit more security.

It still won't do the inspection of encrypted traffic (like ssl traffic), but that's something the IPS doesn't do either.

Now, how would one do that on the IOS side? There are too many options to name: ZBFW, CBAC perhaps, control plane protection on the transit plane, NBAR, FPM? What would be your guess, also with real-life performance in the back of your mind?

I know, it's different from the workbooks, but it is real life, and the things we learn in the workbooks and prepping at CCIE level should give you the edge to think about these attacks and might get you started thinking about how to prevent it.

Kind regards,
Pieter-Jan

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
Think before you print.
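As an added illustration (not part of Pieter-Jan's post, and not a Cisco-published workaround), this is what the ASA approach he sketches could look like in configuration. The object names (HCP_URL, HCP_REGEX_CLASS, HCP_BLOCK, HTTP_HCP) are made up for this example, the syntax assumes ASA 8.x HTTP application inspection, and the body search depth is a guess that should be tuned to your own traffic:

```cisco
! Regex for the hcp:// scheme. Written case-insensitively so that
! variants such as hCp:// are matched as well. Name HCP_URL is made up.
regex HCP_URL "[Hh][Cc][Pp]://"

! Regex class that the HTTP inspection class-map can reference.
class-map type regex match-any HCP_REGEX_CLASS
 match regex HCP_URL

! Match either an HTTP response body carrying an hcp:// link (the
! exploit page) or a request URI carrying one. match-any: one hit is enough.
class-map type inspect http match-any HCP_BLOCK
 match response body regex class HCP_REGEX_CLASS
 match request uri regex class HCP_REGEX_CLASS

! HTTP inspection policy: drop and log the whole connection on a match.
policy-map type inspect http HTTP_HCP
 parameters
  ! The default body match depth is small (200 bytes); widen it so the
  ! regex sees more of the page. 4096 is an assumed value, not a recommendation.
  body match-maximum 4096
 class HCP_BLOCK
  drop-connection log

! Hook the HTTP inspection into the default global policy, which is
! already applied with "service-policy global_policy global" on a stock ASA.
policy-map global_policy
 class inspection_default
  inspect http HTTP_HCP
```

Two caveats a practitioner would want before deploying this. First, it is a literal pattern: a page that carries the scheme in an encoded form would not be caught, and, as the post already notes, HTTPS is not inspected at all, so the hcp protocol handler change Microsoft recommends remains the actual fix. Second, the regex also matches legitimate pages that link to hcp:// (Microsoft's own support pages do), so watch the logs for false positives and consider scoping the policy to the user-facing interfaces rather than the global policy.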
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
