Hmm, I think that IPS would be my first choice since that is what the
IPS is made to do and there is a signature for it already... But for fun
I took a swag at an FPM config:

load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/tcp.phdf
!
ip tcp synwait-time 5
!
class-map type stack match-all CM:IP:TCP
 match field IP protocol eq 0x6 next TCP
class-map type access-control match-all CM:TCP:HCP:8080:SRC
 match field TCP source-port eq 8080
 match start TCP payload-start offset 0 size 256 regex "hcp://"
class-map type access-control match-all CM:TCP:HCP:8080:DST
 match field TCP dest-port eq 8080
 match start TCP payload-start offset 0 size 256 regex "hcp://"
class-map type access-control match-all CM:TCP:HCP:80:SRC
 match field TCP source-port eq 80
 match start TCP payload-start offset 0 size 256 regex "hcp://"
class-map type access-control match-all CM:TCP:HCP:80:DST
 match field TCP dest-port eq 80
 match start TCP payload-start offset 0 size 256 regex "hcp://"
class-map type access-control match-all CM:TCP:HCP:443:DST
 match field TCP dest-port eq 443
 match start TCP payload-start offset 0 size 256 regex "hcp://"
class-map type access-control match-all CM:TCP:HCP:443:SRC
 match field TCP source-port eq 443
 match start TCP payload-start offset 0 size 256 regex "hcp://"
!
!
policy-map type access-control PM:TCP:HCP
 class CM:TCP:HCP:80:SRC
  drop
 class CM:TCP:HCP:80:DST
  drop
 class CM:TCP:HCP:8080:SRC
  drop
 class CM:TCP:HCP:8080:DST
  drop
 class CM:TCP:HCP:443:SRC
  drop
 class CM:TCP:HCP:443:DST
  drop
policy-map type access-control PM:HCP
 class CM:IP:TCP
  service-policy PM:TCP:HCP
!

You could apply this policy inbound or outbound where you need it.

FWIW,
Dave

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
Pieter-Jan Nefkens
Sent: Wednesday, June 16, 2010 11:56 AM
To: OSL Security
Subject: [OSL | CCIE_Security] Security related, but not completely CCIE

Hello List,

Perhaps you're already aware of it, but perhaps not, if you've been too
much in the workbooks lately ;-)

Recently, a day-zero vulnerability has been found in the help & support
system of both Windows XP and Windows 2003.
Sophos has found that an exploit has been active on an open source
project, but it has been removed from that site.
However, it is expected that the exploit will be on other websites as
well.

So, this appears to be a genuine day-zero attack / exploit.
You can find information at the following sites:

Sophos blog entry: http://www.sophos.com/blogs/sophoslabs/?p=10045
Cisco Security alert:
http://tools.cisco.com/security/center/viewAlert.x?alertId=20691
CVE Reference:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
Microsoft article:
http://www.microsoft.com/technet/security/advisory/2219475.mspx

So, that is the information sharing.
Now, let's get down to the mitigation of this vulnerability and get a
discussion (perhaps?) on alternative solutions. According to the
technical details, the vulnerability exists in the parsing of a
malformed hcp url, so the obvious workaround is basically:
disable the hcp protocol (which is what Microsoft recommends).
The disadvantage is that local help systems that use hcp:// won't work
as well, until Microsoft releases a patch.

Now, that's a good thing to start with, but how could we solve this at
the network edge level, so that our users can still access the help?
Cisco has already released a signature definition file S495, which
contains signature 26599.
If you look at the signature definition, it scans the web service ports
for an hcp:// url regex.

So, how could we use that information to prevent the exploit from
occurring, and do it at the edge (preventing network attacks)?
Since it's a regex, my guess would be that, on an ASA, you create a regex
matching the hcp:// prefix (either the complete regex, or just the
hcp:// prefix), apply that to the http inspection engine and drop any
matches. That should give you a bit more security. It still won't
inspect encrypted traffic (like SSL traffic), but that's something
the IPS doesn't do either.

Now, how would one do that on the IOS side? There are too many options
to name: ZBFW, CBAC perhaps, control plane protection on the transit
plane, NBAR, FPM? What would be your guess, also with
real-life performance in the back of your mind?

I know, it's different from the workbooks, but it is real life, and the
things we learn in the workbooks and prepping at CCIE level should give
you the edge to think about these attacks and might get you to start
thinking about how to prevent them.

Kind regards
Pieter-Jan

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
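Both Dave's FPM policy and Pieter-Jan's ASA regex idea come down to one check: does the start of a TCP payload on a web port contain hcp://? The Python below is an added example, not code from either message or from Cisco; it emulates the PM:HCP policy over constructed segments, including two the policy as written leaves alone (a port outside 80/8080/443, and a match past the 256-byte window of the FPM match) and a TLS record on 443 that carries no plaintext to match. TcpSegment, fpm_verdict and run_policy are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Emulation of the FPM policy PM:HCP from the thread (added example, not Cisco code).
INSPECTED_PORTS = {80, 8080, 443}   # a CM:TCP:HCP:<port>:SRC and :DST class exists for each
WINDOW = 256                        # "match start TCP payload-start offset 0 size 256"
HCP_RE = re.compile(rb"hcp://")     # the regex used by every CM:TCP:HCP:* class-map

@dataclass
class TcpSegment:
    label: str
    src_port: int
    dst_port: int
    payload: bytes

def fpm_verdict(seg: TcpSegment) -> str:
    """Return 'drop' if PM:HCP would drop this segment, else 'forward'."""
    # CM:IP:TCP only hands TCP to the nested policy; every input here is TCP.
    if not ({seg.src_port, seg.dst_port} & INSPECTED_PORTS):
        return "forward"            # no CM:TCP:HCP:<port>:SRC/DST class matches
    if HCP_RE.search(seg.payload[:WINDOW]):
        return "drop"
    return "forward"

# Constructed sample traffic (not captured data).
SAMPLES = [
    TcpSegment("request with hcp:// in the query string", 51000, 80,
               b"GET /page?u=hcp://services/search HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    TcpSegment("server response linking to hcp://", 80, 51001,
               b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href=\"hcp://services\">help</a>"),
    TcpSegment("same content on an uninspected port", 51002, 8000,
               b"GET /page?u=hcp://services/search HTTP/1.1\r\n\r\n"),
    TcpSegment("TLS record on 443 (ciphertext, nothing to match)", 51003, 443,
               b"\x17\x03\x01\x00\x20" + bytes(range(32))),
    TcpSegment("hcp:// beyond the 256-byte window", 51004, 80,
               b"GET /page?" + b"a" * 300 + b"&u=hcp://services HTTP/1.1\r\n\r\n"),
]

def run_policy(segments=SAMPLES) -> dict:
    """Map each sample label to the verdict the policy would give it."""
    return {seg.label: fpm_verdict(seg) for seg in segments}

if __name__ == "__main__":
    for label, verdict in run_policy().items():
        print(f"{verdict:8} {label}")
```

The last two samples are the cases neither an ASA http inspection regex nor this FPM policy can see: ciphertext on 443, and a match outside the window the `size` keyword covers.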
