Security Watch

Cisco Security Agent Bonked By BOV

Plus: SonicWALL exposes VPN; Microsoft kills 'kill switch'; ESPN sports bad code; more.

Cisco Systems released a bulletin detailing how its Cisco Security Agent can be configured to protect systems from attacks against vulnerabilities, allowing systems to remain unpatched but defended. Unfortunately, a vulnerability has been discovered in the agent itself that can be exploited by a criminal via TCP139 or 445, the common SMB ports Windows uses. Patches are available.

Well, how unfortunate is this! The agent installs as a driver, and as such, exploitation would lead to the criminal's code executing with system privileges capable of installing a rootkit or anything else the criminal wants. Luckily, other devices in the network which would typically be present if the Cisco Security Agent was deployed can be configured to prevent attacks exploiting the vulnerability. While it holds true while inside an organization, it isn't necessarily be true if the user is roaming prior to connecting to a VPN.

About Those VPNs...
The configuration file for the SonicWALL Global VPN can be criminally crafted such that when it has loaded the application, it can execute code of the criminal's choice. The company says exposure can occur due to "a format string vulnerability within the client." Patches are available (more info in the .PDF here).

On the surface, it would be easy to discount SonicWALL's problem as an extremely unlikely attack vector. However, all that is required is the that the criminal write a file onto the victim's disk, into a likely known location. Once done, the victim then initiates all further actions of the criminal's configuration file simply by starting a VPN client.

That said, it's still unlikely that such an attack might occur given the numerous other methods available to criminals.

Integrity Crisis with Software Integrity Checks
Three researchers have extended work that was done back in 2004 on MD5 collisions, to the point of being able to construct two different executables which, when their MD5 checksum values are checked, they are identical. This means its possible to create two such executables with a properly signed digital signature and they too will appear identical.

This announcement has largely been misunderstood, despite the author’s explicit explanation. Some seem to think it is possible for a criminal to create a malicious executable with the identical MD5 checksum as some company’s existing executable -- not possible. To achieve the results discussed, both good and malicious executable have to be made by the same person, as both files need to be modified to achieve the same checksum.

Since both files have to have some garbage added to get identical checksums, even the idea that a rogue employee might do this to some company's executable is unlikely, albeit possible.

Antipiracy 'Kill Switch' Is History
Microsoft said it will remove the "reduced functionality" mode from Vista and will not include it in Windows Server 2008. The mode is invoked if a system is not activated within 30 days, or, if a system fails a Windows Genuine Advantage check. WGA is supposed to determine whether a system has a pirated version of Windows. A WGA check can also occur if significant changes had been made to the original hardware configuration reported when the system first has Windows installed. Now Windows will still indicate that a system isn't valid, but it will do so via the wallpaper and a balloon dialog prompting the user.

The stories about WGA disabling people's systems were vastly overblown. Sure, if you changed the hard disk, video card and some other component it may have been triggered, but it did so first with a warning and the opportunity to simply reactivate. People whose systems went into reduced functionality mode but were, in fact, valid must have chosen to ignore the prompts for some time.

Microsoft will make the change to Vista via Service Pack 1, due to be released soon. There’s no reason Microsoft should not be able to do something to crack down on pirates. Still, we have to agree that removing the possibility of a server going into reduced functionality mode -- particularly if we're hoping it will stay up in a lights-out facility for longer periods of time -- is a good thing for everyone.

ESPN Sports Bad Code
ESPN's Soccernet site hosted a malicious advertisement that, ultimately, led to PerformanceOptimizer.com, which in turn displayed numerous popups alleging problems with the victim's system and offering a solution.

Yep -- ad networks strike again! It simply amazes me how willing sites are to allow someone else to decide what its customers are going to see when they come to a site. That's precisely what you’re doing if you subscribe to an ad network. Revenue is a necessary component to any successful Web site, but there needs to be some additional steps taken to ensure your customers' experiences on your own site are good ones.

Want More Security?

This column was originally published in our weekly Redmond Security Watch newsletter. To subscribe, click here.

Beer Drowns Calif. Canal Computers
The Sacramento Valley Mirror reported that a supervisor for the Tehama-Colusa Canal Authority, Michael Keehn, who developed that county's automated gate management system for its canals, has been charged with damaging the computer used to manage the system. The damage is alleged to have occurred after he was fired during a dispute. (Read more from The Register here.)

Keehn claimed he'd had a few beers at the time of the intrusion. Also, he claimed to have turned over the administrative password for the system before being fired. Therefore, one has to wonder why he was still able to get into the system remotely from his home. He needed remote access to check on the system periodically, but sensible best practice should have been to both disable that remote access and modify the passwords as soon as he was no longer employed there.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular