Security Watch

Cisco's Switch Hitters

Switches and routers with NAM bound to be exploited. Also: InstallShield troubles and what Symantec is saying about Vista

Cisco Catalyst 6000 and 6500 switches, as well as Cisco 7600 routers, can be exploited if they contain a Network Analysis Module (NAM) in the same chassis and are running a vulnerable version of their OS (IOS or COS). The vulnerability would allow SNMP traffic to be spoofed, possibly permitting a criminal to send SNMP configuration instructions to the device. Patches are available at the advisories here and here.

The vulnerability could be exploited via UDP port 161, but the traffic would have to carry the NAM's IP address as a spoofed source and be destined for an IP address of the switch or router. Best practice for switch and router configurations is to deny traffic from IP addresses known to reside on one path when it arrives via another (anti-spoofing ingress filtering). Since the NAM is installed in the same chassis as the affected switch/router, its traffic should never arrive via an external interface (NIC), only internally. Cisco says it discovered the issue internally and that there are no known exploits. Still, owning a router is a highly prized goal for an attacker, and it would not be surprising to see exploitation attempts in the foreseeable future.
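The "one path, not another" rule above is easy to state and easy to audit. The following is an added example, not Cisco's code or anything from the advisories: it models a chassis whose NAM address is only ever legitimate on the internal backplane, and scans constructed flow records for packets whose source address arrives on an interface where it does not belong, rating a spoofed NAM address aimed at SNMP (UDP 161) as the highest severity. The interface names, address ranges and record format are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical topology (constructed for this example).
# The NAM talks to the supervisor over the chassis backplane, so its address
# must never appear as the source of a packet arriving on a front-panel port.
NAM_ADDRESS = ipaddress.ip_address("10.0.0.5")
SNMP_PORT = 161
EXPECTED_SOURCES = {
    "backplane": [ipaddress.ip_network("10.0.0.0/24")],    # module-to-supervisor traffic
    "Gi1/1": [ipaddress.ip_network("192.0.2.0/24")],       # constructed external uplink
    "Gi1/2": [ipaddress.ip_network("198.51.100.0/24")],    # constructed second uplink
}


@dataclass
class Packet:
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_record(line: str) -> Packet:
    """Parse one key=value flow record (constructed format, not a real export)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Packet(
        iface=fields["iface"],
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"],
        dport=int(fields["dport"]),
    )


def is_spoofed(pkt: Packet) -> bool:
    """True when the source address is not expected on the ingress interface."""
    allowed = EXPECTED_SOURCES.get(pkt.iface, [])
    return not any(pkt.src in net for net in allowed)


def audit(lines):
    """Return (severity, iface, src, dst) for every record that violates the path rule."""
    alerts = []
    for line in lines:
        pkt = parse_record(line)
        if not is_spoofed(pkt):
            continue
        # A NAM-sourced SNMP packet on an external port is exactly the advisory's scenario.
        targeted_snmp = (pkt.src == NAM_ADDRESS and pkt.proto == "udp"
                         and pkt.dport == SNMP_PORT)
        severity = "high" if targeted_snmp else "medium"
        alerts.append((severity, pkt.iface, str(pkt.src), str(pkt.dst)))
    return alerts


# Constructed sample records: one genuine NAM exchange, one ordinary outside
# SNMP query, one NAM address arriving on an uplink, one unrelated wrong-path source.
SAMPLE_RECORDS = [
    "iface=backplane src=10.0.0.5 dst=10.0.0.1 proto=udp dport=161",
    "iface=Gi1/1 src=192.0.2.40 dst=10.0.0.1 proto=udp dport=161",
    "iface=Gi1/1 src=10.0.0.5 dst=10.0.0.1 proto=udp dport=161",
    "iface=Gi1/2 src=203.0.113.9 dst=10.0.0.1 proto=tcp dport=22",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_RECORDS):
        print(alert)
```

The same rule expressed as configuration rather than detection is an inbound access list on each uplink that denies the NAM's address as a source (on IOS, an extended ACL with a `deny ip host <nam-address> any` entry applied with `ip access-group ... in` on the front-panel interfaces; the exact addresses here are the example's assumptions, not values from the advisory). Running both gives you a block and a log line when someone tries it.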

InstallShield's Buffer Overflow Trouble
Macrovision FLEXnet Connect, also known as InstallShield Update Service, contains a vulnerability that could be exploited by a criminally controlled Web site. Such a site could invoke the control and pass it instructions that cause it to run code of the criminal's choice. Patches are not yet available.

This is a critical vulnerability in the sense that it is an Automatic Update mechanism which can be compromised. Such tools should be trustworthy. Macrovision, in its promotional literature, states, "From the Trusted Name in Software Updating FLEXnet Connect is from Macrovision, the company that develops the InstallShield and InstallAnywhere installation authoring solutions. Since 1987, the name InstallShield has been synonymous with quality software installations and updating. Because end users are familiar with the InstallShield installation and updating experience, they are more willing to trust it and accept updates that follow its industry-standard format. It helps reduce customers' reluctance to adopt new updates and patches."

While no exploit code is known to exist, trust in such updating services can be severely damaged if such code is developed, and if it mimics the behavior of the update service and prompts the user that a new update is available. Automatic updating is crucial to the overall security infrastructure of the Internet to try to keep home users as patched as possible. We are extremely worried that this will be exploited in such a way.

Vista's UAC Warnings Can't Be Trusted, Symantec Says
According to Symantec researcher Ollie Whitehouse, the way Windows Vista's User Account Control uses colors to denote trust levels can be bypassed using a program supplied with Windows Vista. RunLegacyCPLElevated.exe is designed to allow legacy control panel applets to run as Administrator, avoiding restrictions they would otherwise face. This program can be told which dynamic link library (DLL) to load, and does nothing to verify what DLL it is loading. When control panel applets are loaded this way, the Standard User is prompted to allow Windows to "Run a legacy CPL elevated," with no indication of what precisely is going to be run. The color-coded prompt panel denotes that something known to be part of Vista is attempting to run, whereas in reality the DLL being loaded by the Vista application need not be a trusted application and could, in fact, be malware.

Whitehouse is correct in his assertions about this flaw in RunLegacyCPLElevated.exe. Much as IE uses kill bits to control which ActiveX controls it permits to run, this application and any others like it should be restricted to running only controls that have been marked as valid. That validation should require Administrative approval and should clearly indicate whether Microsoft can determine the author and signing authority.

Meanwhile, the only way to prevent this sort of exploitation would be to prevent RunLegacyCPLElevated.exe from running at all.

Of course, this also assumes that consumers are going to understand the different color meanings, which is unlikely. Nevertheless, the prompt text is devoid of any information that a reasonable person could use to decide whether they wish to allow the control panel applet to run. Likely this is because Microsoft intended RunLegacyCPLElevated.exe to run any old control panel applets, including ones that don't adequately identify themselves. Microsoft could, at the least, have included the name of the DLL that RunLegacyCPLElevated.exe was trying to load in the prompt.

We can expect this one to get abused at some point.

This column was originally published in our weekly Security Watch newsletter.

Hack Attack Means Quick Action at Texas A&M
In a refreshingly upfront and timely fashion, Texas A&M decided to force all 96,000 students, faculty and staff to change their NetID passwords after it was discovered that attempts had been made to access the university's encrypted user accounts database.

Now, there's an appropriate response. Rather than waiting until forensics had determined the full extent of the breach, Texas A&M simply informed everyone to change their passwords. In this way, no matter whose password may have been compromised, everyone is protected sooner.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
