Security Watch
Cisco's Switch Hitters
Switches and routers with NAM bound to be exploited. Also: InstallShield troubles and what Symantec is saying about Vista
Cisco Catalyst 6000 and 6500 switches, as well as Cisco 7600 routers,
can be exploited if they contain a Network Analysis Module (NAM) in the
same chassis and are running a vulnerable version of their OS (IOS or
COS). The vulnerability would allow SNMP traffic to be spoofed, possibly
permitting a criminal to send SNMP configuration instructions to the device.
Patches are available at the advisories here and here.
The vulnerability could be exploited via UDP port 161, but the traffic would
have to carry the NAM's IP address as a spoofed source and be destined for an
IP address of the switch or router. Best practice for switch and router configurations
should be to deny traffic from IP addresses known to reside on one path
from arriving via another. Since the NAM is installed in the same box
as the affected switch/router, its traffic should not arrive via a NIC
but only internally. Cisco said they discovered this internally, and that
there are no known exploits. Still, a router is a highly prized target to own,
and it would not be surprising to see attempts at exploitation
in the foreseeable future.
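The path check described above, as an added example (not Cisco's code or configuration, and not part of the original column): each source prefix is bound to the one interface it may arrive on, and a packet carrying the NAM's address on any physical port is rejected. The addresses, interface names and the "backplane" label are constructed assumptions.

```python
import ipaddress

# Constructed topology (documentation address ranges); every name is an assumption.
# Each source prefix is bound to the only ingress path it may arrive on.
EXPECTED_INGRESS = {
    "192.0.2.10/32": "backplane",  # hypothetical NAM address: same chassis, internal only
    "192.0.2.0/24": "Gi1/1",       # management LAN
    "198.51.100.0/24": "Gi1/2",    # user LAN
}
DEVICE_ADDRS = {"192.0.2.1", "198.51.100.1"}  # addresses owned by the switch/router
SNMP_PORT = 161

# Longest prefix first, so the NAM's /32 wins over the LAN /24 that contains it.
_TABLE = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in EXPECTED_INGRESS.items()),
                key=lambda e: e[0].prefixlen, reverse=True)

def expected_ingress(src):
    """Return the interface this source may arrive on, or None if it has no binding."""
    addr = ipaddress.ip_address(src)
    for net, ifc in _TABLE:
        if addr in net:
            return ifc
    return None

def verdict(pkt):
    """Return 'permit', 'deny-wrong-path' or 'deny-spoofed-nam-snmp' for one packet."""
    want = expected_ingress(pkt["src"])
    if want is None or want == pkt["in_if"]:
        return "permit"  # unbound sources are outside the scope of this check
    snmp_to_device = (pkt["proto"] == "udp" and pkt["dport"] == SNMP_PORT
                      and pkt["dst"] in DEVICE_ADDRS)
    if want == "backplane" and snmp_to_device:
        return "deny-spoofed-nam-snmp"  # the case the advisory describes
    return "deny-wrong-path"

def record(in_if, src, dst, proto, dport):
    return {"in_if": in_if, "src": src, "dst": dst, "proto": proto, "dport": dport}

# Constructed packet records, not captured traffic.
SAMPLE = [
    record("backplane", "192.0.2.10", "192.0.2.1", "udp", 161),  # genuine NAM SNMP
    record("Gi1/1", "192.0.2.10", "192.0.2.1", "udp", 161),      # NAM address seen on a NIC
    record("Gi1/1", "192.0.2.55", "192.0.2.1", "udp", 161),      # management station
    record("Gi1/1", "198.51.100.7", "192.0.2.1", "tcp", 22),     # user-LAN source, wrong interface
    record("Gi1/2", "203.0.113.9", "198.51.100.1", "udp", 161),  # no binding for this source
]

def classify_all(packets=SAMPLE):
    return [verdict(p) for p in packets]
```

The second record is the important one: the NAM's address falls inside the management LAN's /24, so only the longest-prefix match keeps it from being accepted on Gi1/1.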
InstallShield's Buffer Overflow Trouble
Macrovision FLEXnet Connect, also known as InstallShield Update
Service, contains a vulnerability which could be exploited by a criminally
controlled Web site. The site could invoke the control and pass it instructions
that would cause it to run code of the criminal's choice.
Patches are not yet available.
This is a critical vulnerability in the sense that it is an Automatic
Update mechanism which can be compromised. Such tools should be trustworthy.
Macrovision, in its promotional literature, states, "From the Trusted
Name in Software Updating FLEXnet Connect is from Macrovision, the company
that develops the InstallShield and InstallAnywhere installation authoring
solutions. Since 1987, the name InstallShield has been synonymous with
quality software installations and updating. Because end users are familiar
with the InstallShield installation and updating experience, they are
more willing to trust it and accept updates that follow its industry-standard
format. It helps reduce customers' reluctance to adopt new updates and
patches."
While no exploit code is known to exist, trust in such updating services
can be severely damaged if such code is developed, and if it mimics the
behavior of the update service and prompts the user that a new update
is available. Automatic updating is crucial to the overall security infrastructure
of the Internet to try to keep home users as patched as possible. We are
extremely worried that this will be exploited in such a way.
Vista's UAC Warnings Can't Be Trusted, Symantec Says
According to Symantec researcher Ollie Whitehouse, the way Windows Vista's User
Account Control uses colors to denote trust levels can be bypassed using
a program supplied on Windows Vista. RunLegacyCPLElevated.exe is designed
to allow legacy control panel applets to run as Administrator, avoiding
restrictions they would otherwise have. This program can be told what
dynamic-link library (DLL) to load, and does nothing to verify what DLL it is
loading. When control panel applets are loaded this way, the Standard
User is prompted to allow Windows to "Run a legacy CPL elevated," with
no indication as to what precisely is going to be run. The color-coded
prompt panel denotes that it is something known to be part of Vista that
is attempting to run, whereas in reality the DLL being loaded by the Vista
application need not be a trusted application, and could, in fact, be
malware.
Whitehouse is correct in his assertions about this flaw in RunLegacyCPLElevated.exe.
In much the same way that IE uses killbits to govern which controls it permits
to run, this application and any others like it should be restricted to
running only controls that have been indicated as valid. That validation
should require Administrative approval and should clearly indicate whether
Microsoft can determine the author and signing authority.
Meanwhile, the only way to prevent this sort of exploitation would be
to prevent RunLegacyCPLElevated.exe from running at all.
Of course, this also assumes that consumers are going to understand the
different color meanings, which is unlikely. Nevertheless, the prompt
text is devoid of any information that a reasonable person could use to
determine whether they wish to allow the control panel applet to run.
Likely, this is because Microsoft intended RunLegacyCPLElevated.exe to
run any old control panel applets, including ones that don't adequately
identify themselves. Microsoft could have, at least, included the name
of the DLL that RunLegacyCPLElevated.exe was trying to load in the prompt.
We can expect this one to get abused at some point.
This column was originally published in our weekly Security Watch newsletter.
Hack Attack Means Quick Action at Texas A&M
In a refreshingly upfront and timely fashion, Texas A&M decided to
force all 96,000 students, faculty and staff to change their NetID passwords
after it was discovered that attempts had been made to access the university's
encrypted user accounts database.
Now, there's an appropriate response. Rather than waiting until
forensics had determined the full extent of the breach, Texas A&M
simply told everyone to change their passwords. In this way, no matter
whose password may have been compromised, everyone is protected sooner.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.