August 2006
Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
ID: 00556
Ref: 532/2006
Date: 16 August 2006:14:08:59
Version: 1
Title: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
Abstract:
Vendors affected: Cisco
Operating systems affected: Cisco
Applications affected: Cisco
Title
=====
Cisco Security Response: Mitigating Exploitation of the MS06-040
Service Buffer Vulnerability
Detail
======
This document contains information to assist Cisco customers in
mitigating attempts to exploit the Microsoft Server Service Buffer
Overflow Vulnerability. There is a remote code execution
vulnerability in Server Service that could allow an attacker who
successfully exploited this vulnerability to take complete control of
the affected system.
Date: Monday, 14 Aug 2006 23:20:00 -0500
Message-id: <200608142320.ms06-040-vulnerability@psirt.cisco.com>
Reply-to: psirt@cisco.com
Cisco Security Response: Mitigating Exploitation of the MS06-040
Service Buffer Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20060814-ms06-040-vulnerability.shtml
Revision 1.0
For Public Release 2006 August 14 2300 UTC (GMT)
+--------------------------------------------------------------------
Contents
========
Cisco Response
Cisco ASA and PIX Firewalls
Cisco Intrusion Prevention System (IPS)
Cisco Security Agent (CSA)
Cisco VPN Termination Points
Interface Access-lists
Additional Information
Revision History
Cisco Security Procedures
Related Information
+--------------------------------------------------------------------
Cisco Response
==============
Vulnerability Characteristics
+----------------------------
Attack Type: Unauthenticated, Remote, No interaction
Vulnerability Impact: Ability to perform remote code execution with
the privileges of SYSTEM or create a Denial of Service
Attack Vector: Network Traffic on TCP ports 139 and 445
CVE ID: CVE-2006-3439
Vulnerability Overview
+---------------------
This document contains information to assist Cisco customers in
mitigating attempts to exploit the Microsoft Server Service Buffer
Overflow Vulnerability. There is a remote code execution
vulnerability in Server Service that could allow an attacker who
successfully exploited this vulnerability to take complete control of
the affected system.
Computers using the following operating systems are affected:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
See MS06-040:
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
for details of Windows platforms affected.
Mitigation Technique Overview
+----------------------------
Cisco devices provide several countermeasures for the MS06-040
vulnerability. The most preventative control is provided by Cisco
Security Agent (CSA) at the end host level. CSA provides threat
mitigation from all known attack vectors. Detective controls can
be performed by the Cisco IPS product suite, which provides
identification and protection starting with signature pack
S243 using signatures 5799/0-5799/7. Access Lists applied on Cisco
IOS® software, PIX, and ASA along with Access controls applied to VPN
connections provide deterrents, thus reducing threat exposure.
The effectiveness of any mitigation technique is dependent on
specific customer situations such as product mix, network topology,
traffic behavior, and organizational mission. Due to the variety of
affected products and releases, customers should consult with their
service provider or support organization to ensure any applied
workaround is the most appropriate for use in the intended network
before it is deployed.
General Worm Mitigation
+----------------------
For general information regarding strategies and technologies for
Worm Mitigation, please refer to the Cisco MySDN site at
http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
Cisco ASA and PIX Firewalls
===========================
PIX 6.x
+------
Caution: As with any configuration change in a network,
evaluate the impact of this configuration prior to applying the
change.
The access list entries shown below are examples for several of the
worm variants now being tracked. New variants using different ports
are possible and should be filtered using the information below as
examples.
The following access-list can be applied to a PIX Firewall running
6.x software to prevent/contain the spread of the MS06-040 exploit on
customer networks.
PIX 6.x: Network Ingress Inbound Filtering
!-- MS06-040 - Block Initial Scanning On Internet-facing Interfaces
!-- Note: When blocking TCP/139 and TCP/445, take care
!-- to ensure that legitimate connections are not impacted.
!-- For this example, 10.0.0.0/24 is the trusted internal network.
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq netbios-ssn
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 445
access-list ms06-040-in deny tcp any any eq netbios-ssn
access-list ms06-040-in deny tcp any any eq 445
!-- Block IRCBot.ST (aka Mocbot) IRC Creation
!-- in the event internal hosts have been compromised as a C&C bot.
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 18067
access-list ms06-040-in deny tcp any any eq 18067
!-- Permit other traffic here.
access-list ms06-040-in permit ip any any
access-group ms06-040-in in interface outside
PIX 6.x: Network Ingress Outbound Filtering
! MS06-040 - Block Initial Scanning By Infected Hosts
! For this example 10.0.0.0/24 is the trusted internal network.
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq netbios-ssn
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 445
access-list ms06-040-out deny tcp any any eq netbios-ssn
access-list ms06-040-out deny tcp any any eq 445
!-- Block Outbound IRC Requests to Attacking IRC IRCBot Server
!-- while permitting legitimate connections.
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 18067
access-list ms06-040-out deny tcp any any eq 18067
!-- Permit other traffic here.
access-list ms06-040-out permit ip any any
access-group ms06-040-out in interface inside
PIX/ASA 7.x
+----------
Caution: As with any configuration change in a network,
evaluate the impact of this configuration prior to applying the
change.
The following access-list can be applied inbound to a PIX/ASA
Firewall running 7.x software to prevent/contain the spread of the
MS06-040 exploit on customer networks:
PIX/ASA 7.x: Network Ingress Inbound Filtering
!-- MS06-040 - Block Initial Scanning On Internet-facing Interfaces
!-- Note: When blocking TCP/139 and TCP/445, take care
!-- to ensure that legitimate connections are not impacted.
!-- For this example, 10.0.0.0/24 is the trusted internal network.
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq netbios-ssn
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 445
access-list ms06-040-in deny tcp any any eq netbios-ssn
access-list ms06-040-in deny tcp any any eq 445
!-- Block IRCBot.ST (aka Mocbot) IRC Creation
!-- in the event internal hosts have been compromised as a C&C bot.
access-list ms06-040-in permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 18067
access-list ms06-040-in deny tcp any any eq 18067
!-- Permit other traffic here.
access-list ms06-040-in permit ip any any
access-group ms06-040-in in interface outside
PIX/ASA 7.x: Network Ingress Outbound Filtering
! MS06-040 - Block Initial Scanning By Infected Hosts
! For this example 10.0.0.0/24 is the trusted internal network.
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq netbios-ssn
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 445
access-list ms06-040-out deny tcp any any eq netbios-ssn
access-list ms06-040-out deny tcp any any eq 445
!-- Block Outbound IRC Requests to Attacking IRC IRCBot Server
!-- while permitting legitimate connections.
access-list ms06-040-out permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 18067
access-list ms06-040-out deny tcp any any eq 18067
!-- Permit other traffic here.
access-list ms06-040-out permit ip any any
access-group ms06-040-out in interface inside
Cisco Intrusion Prevention System (IPS)
=======================================
Mitigation
+---------
The Cisco Intrusion Prevention System (IPS) can provide mitigation
starting with signature pack S243. Signature pack S244 modifies
existing signatures and provides additional signatures for detection
of potential exploits of the MS06-040 vulnerability. IPS version 5.x
is required to support these signatures. The signatures that provide
detection are 5799/0 - 5799/7. In order to provide prevention, the
signatures will need to be configured to perform a response action.
The associated actions to provide mitigation are more effective when
the IPS device is configured in inline mode. This attack is TCP based
so active prevention measures are less likely to block non-hostile
legitimate traffic.
Identification
+-------------
IPS Signatures 5799/4 and 5799/7 provide a High severity alarm when
the vulnerabilities are exploited. Supporting subsignatures are used
to detect the intermediate steps of the attack.
evIdsAlert: eventId=1154989166673222106 severity=high vendor=Cisco
originator:
hostId: IDSM2
appName: sensorApp
appInstanceId: 2972
time: 2006/08/10 17:41:10 2006/08/10 17:41:10 UTC
signature: description=Server Service Code Execution id=5799 version=S244
subsigId: 7
sigDetails: Server Service Code Execution
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 192.0.2.157
riskRatingValue: 75
interface: ge0_7
protocol: IP protocol 0
Signature Summary
+----------------
A total of eight subsignatures were defined in S243 and S244. Out of
those signatures, customers should monitor for signature 5799
subsignature 4 (5799/4) and signature 5799 subsignature 7 (5799/7).
The rest of the subsignatures in 5799 are to identify individual
steps in the attack, and it should be noted that 5799/0 and 5799/3
are no longer active as of Signature Update S244.
Signature 5799/4 Severity: HIGH
Uses the Meta engine: Fires when all its sub components have been seen:
5799/1 Count:1 SRVSVC UUID
engine: string TCP count:1
5799/5 Count:1 Server Service Code Execution [Informational]
engine: string TCP
enabled: true
5799/6 Count:1 Server Service Code Execution [Informational]
engine: string TCP
Signature 5799/7 Severity: HIGH
Uses the Meta engine: Fires when all its sub components have been seen:
5799/1 Count:1 SRVSVC UUID
engine: string TCP count:1
5799/2 Count:1 Server Service Code Execution [Informational]
engine: string TCP
Signature 5799/0 Severity: HIGH [disabled in S244]
Meta: Components:
5799/1 Count:1 SRVSVC UUID
engine: string TCP count:1
5799/2 Count:1 Server Service Code Execution [Informational]
engine: string TCP
enabled: true
5799/3 Count:1 Server Service Code Execution [Informational]
engine: string TCP
disabled [No longer required]
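The alert record and the Meta-engine compositions above lend themselves to a small triage helper. The following is an added Python example, not part of the Cisco document: it extracts the signature id, subsignature, severity and attacker address from an evIdsAlert block, flags only the alerts the advisory says to monitor (5799/4 and 5799/7), and applies the Meta-engine rule (all components seen on one flow) to a list of component subsignatures. The sample alert is constructed in the layout shown above.

```python
import re

# Constructed alert in the evIdsAlert layout shown above (not a live capture).
SAMPLE_ALERT = """evIdsAlert: eventId=1154989166673222106 severity=high vendor=Cisco
  originator:
    hostId: IDSM2
  signature: description=Server Service Code Execution id=5799 version=S244
    subsigId: 7
    sigDetails: Server Service Code Execution
  participants:
    attacker:
      addr: locality=OUT 192.0.2.157
  riskRatingValue: 75
"""

# Meta-engine compositions from the Signature Summary: a meta signature fires
# once every listed component has been seen. 5799/0 is disabled in S244.
META_COMPONENTS = {4: {1, 5, 6}, 7: {1, 2}}

# The two alerts the advisory says to act on; the rest are informational steps.
ACTIONABLE = {(5799, 4), (5799, 7)}

def _grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_alert(text):
    """Pull the fields that matter for triage out of an evIdsAlert block."""
    return {
        "severity": _grab(r"\bseverity=(\w+)", text),
        "sig_id": int(_grab(r"\bid=(\d+)", text) or 0),
        "subsig": int(_grab(r"^\s*subsigId:\s*(\d+)", text) or 0),
        "attacker": _grab(r"^\s*addr:.*?(\d+\.\d+\.\d+\.\d+)", text),
        "risk": int(_grab(r"riskRatingValue:\s*(\d+)", text) or 0),
    }

def needs_action(alert):
    """True only for 5799/4 and 5799/7; a component subsignature on its own
    is an intermediate step, not evidence of a completed exploit attempt."""
    return (alert["sig_id"], alert["subsig"]) in ACTIONABLE

def metas_that_fire(seen_subsigs):
    """Given the 5799 component subsignatures seen on one flow, return the
    meta signatures whose components are all present."""
    seen = set(seen_subsigs)
    return sorted(m for m, parts in META_COMPONENTS.items() if parts <= seen)
```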
Signature 11203/0 Severity: MEDIUM
To detect communications on TCP port 18067 used by IRCBot.ST (aka
Mocbot) IRC, add 18067 to Signature "11203/0 - IRC Channel Join" on
the IPS device as shown here:
IDSM2# config t
IDSM2(config)# service signature-definition sig0
IDSM2(config-sig)# signatures 11203 0
IDSM2(config-sig-sig)# engine string-tcp
IDSM2(config-sig-sig-str)# service-ports 6666-6666,6667-6667,6668-6668,18067-18067
IDSM2(config-sig-sig-str)# exit
IDSM2(config-sig-sig)# exit
IDSM2(config-sig)# exit
Apply Changes:?[yes]: yes
IDSM2(config)# exit
IDS 4.x Signature
+----------------
IDS 4.x devices do not support the meta engine used for signatures
5799/0-7. Cisco is not expecting to add an IDS 4.x signature in
future signature packages.
Cisco Security Agent (CSA)
==========================
Mitigation
+---------
Cisco Security Agent (CSA) protecting vulnerable end hosts provides
the fullest mitigation. CSA buffer overflow protection mechanisms
prevent the exploit from doing damage and are enabled by default. CSA
version 4.03.X and later provide prevention capabilities. The CSA
agents must be set in "Protect Mode" (not "Test Mode") for successful
prevention of this exploit.
Identification
+-------------
The following is a screen shot depicting the CSA Management Center
(CSAMC) Console providing evidence of the CSA rules that were
triggered on the end host.
<< graphic available in on-line version >>
Cisco VPN Termination Points
============================
Mitigation
+---------
Site-to-site VPNs should have access control applied on a
need-to-know basis instead of an implicit trust model. Therefore,
applying an ACL to block TCP/139 and TCP/445 as part of standard VPN
configurations is recommended unless business use dictates otherwise.
Below is a sample IOS ACL that could be applied to the decrypted VPN
traffic as it exits the VPN termination device or to another
screening device that is located at the next hop from the VPN
termination device.
Caution: As with any configuration change in a network,
evaluate the impact of this configuration prior to applying the
change.
The access list entries shown below are an example for the worm
variant now being tracked. New variants using different ports are
possible and should be filtered using the information below as
examples.
Any added access list entries should be implemented as part of a
Transit Access Control List that filters transit and edge traffic at
network ingress points.
For more information on tACLs, refer to Transit Access Control Lists:
Filtering at Your Edge:
http://www.cisco.com/warp/public/707/tacl.html
Note: If you are trying to track source addresses, use Sampled
NetFlow, rather than "log" statements in access lists as the high
traffic in combination with the log statement can overwhelm the
router. The command show access-list can be used to determine the hit
count against individual access list entries. This data can be used
in conjunction with Sampled NetFlow to determine which specific worm
variants are attacking the network.
Network Ingress Inbound Filtering
!-- MS06-040 - Block Initial Scanning On Internet-facing Interfaces
!-- Note: When blocking TCP/139 and TCP/445, take care
!-- to ensure that legitimate connections are not impacted.
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 139
!
!-- Block IRCBot.ST (aka Mocbot) IRC Creation
!-- in the event internal hosts have been compromised as a C&C bot.
access-list 101 deny tcp any any eq 18067
!
!-- Permit other traffic here,
!-- or include other Transit ACL entries.
access-list 101 permit ip any any
Network Ingress Outbound Filtering
!-- MS06-040 - Block Initial Scanning By Infected Hosts
!
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 445
!
!-- Block Outbound IRC Requests to Attacking IRC IRCBot Server
!-- while permitting legitimate connections.
access-list 110 permit tcp any eq 18067 any established
access-list 110 deny tcp any any eq 18067
!
!-- Permit other traffic here,
!-- or include other Transit ACL entries.
!
access-list 110 permit ip any any
!
!-- Apply the access-lists to the interface.
interface serial 2/0
ip access-group 101 in
ip access-group 110 out
Interface Access-lists
======================
Any device capable of providing access control is positioned to deter
attempted exploitation of this issue.
Mitigation
+---------
With Transit Access-lists, Cisco IOS routers can be configured with
interface access-lists to drop packets that could potentially be used
to exploit (and contain the spread of) this issue.
Caution: As with any configuration change in a network,
evaluate the impact of this configuration prior to applying the
change.
The access list entries shown below are an example for the worm
variant now being tracked. New variants using different ports are
possible and should be filtered using the information below as
examples.
Any added access list entries should be implemented as part of a
Transit Access Control List that filters transit and edge traffic at
network ingress points.
For more information on tACLs, refer to Transit Access Control Lists:
Filtering at Your Edge:
http://www.cisco.com/warp/public/707/tacl.html
Note: If you are trying to track source addresses, use Sampled
NetFlow, rather than "log" statements in access lists as the high
traffic in combination with the log statement can overwhelm the
router. The command show access-list can be used to determine the hit
count against individual access list entries. This data can be used
in conjunction with Sampled NetFlow to determine which specific worm
variants are attacking the network.
Network Ingress Inbound Filtering
!-- MS06-040 - Block Initial Scanning On Internet-facing Interfaces
!-- Note: When blocking TCP/139 and TCP/445, take care
!-- to ensure that legitimate connections are not impacted.
!
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 139
!
!-- Block IRCBot.ST (aka Mocbot) IRC Creation
!-- in the event internal hosts have been compromised as a C&C bot.
access-list 101 deny tcp any any eq 18067
!
!-- Permit other traffic here,
!-- or include other Transit ACL entries.
access-list 101 permit ip any any
Network Ingress Outbound Filtering
!-- MS06-040 - Block Initial Scanning By Infected Hosts
!
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 445
!
!-- Block Outbound IRC Requests to Attacking IRC IRCBot Server
!-- while permitting legitimate connections.
access-list 110 permit tcp any eq 18067 any established
access-list 110 deny tcp any any eq 18067
!
!-- Permit other traffic here,
!-- or include other Transit ACL entries.
!
!
access-list 110 permit ip any any
!
!-- Apply the access-lists to the interface.
interface serial 2/0
ip access-group 101 in
ip access-group 110 out
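The tACL entries above (the same lists 101 and 110 appear in the VPN section) can be checked before deployment by replaying constructed packets through them. The following is an added Python example, not Cisco's code: it parses the IOS numbered ACL syntax used here (any, host, and wildcard address specs, an optional eq port, and established) and applies first-match semantics with the implicit deny at the end. It assumes the wrapped established line reads "permit tcp any eq 18067 any established", and the address specs it accepts go beyond the "any" entries these lists use.

```python
import ipaddress
from dataclasses import dataclass

# ACL 101 and 110 entries from the section above; the wrapped "established"
# line is assumed to read "permit tcp any eq 18067 any established".
TACL = """
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 18067
access-list 101 permit ip any any
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 445
access-list 110 permit tcp any eq 18067 any established
access-list 110 deny tcp any any eq 18067
access-list 110 permit ip any any
"""

@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # "established" matches segments with ACK (or RST) set

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # IOS wildcard bits are the inverse of a netmask
    mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(mask))), strict=False)
    return net, tokens[2:]

def _parse_port(tokens):
    """Optional 'eq PORT' operator following an address spec."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Return {acl_number: [(action, proto, src, sport, dst, dport, established)]}."""
    rules = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue  # comments and blank lines
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.setdefault(t[1], []).append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport, established in rules:
        if (proto in ("ip", pkt.proto) and s in src and d in dst
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and (pkt.ack or not established)):
            return action
    return "deny"
```

Note that the lists only filter TCP, matching the page's attack vector; UDP to the same ports falls through to the final permit.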
Please note that filtering traffic with an interface access list will
elicit the transmission of ICMP unreachable messages back to the
source of the filtered traffic. This could have the undesired side
effect of high CPU utilization since the device needs to generate
these ICMP unreachable messages. In Cisco IOS software, ICMP
unreachable generation is limited to one packet per 500 ms. ICMP
unreachable generation can be disabled using the interface
configuration command "no ip unreachables". ICMP unreachable
rate-limiting can be changed from the default 1 per 500 ms using the
global configuration command "ip icmp rate-limit unreachable
<1-4294967295 millisecond>".
Identification
+-------------
With a Transit Access-list, once the interface access-list is
deployed, the command show access-list 101 can be used to identify
the number of packets being dropped. Dropped packets should be
investigated to determine if they are attempts to exploit the issue.
Example output for show access-list 101:
Edge-Router#show access-list 101
Extended IP access list 101
10 deny tcp any any eq 445 (141 matches)
20 deny tcp any any eq 139 (100 matches)
30 deny tcp any any eq 18067
40 permit ip any any
In the above example, 100 TCP/139 packets and 141 TCP/445 packets
have been dropped by the access-list configured inbound on interface
serial 2/0.
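When hit counts are collected from more than one router, parsing the show access-list output is worth automating. The following is an added Python example, not part of the Cisco document: it parses the output format above into per-entry records and sums the matches on deny entries by destination port. The sample output is constructed; note that IOS prints no "(N matches)" suffix for an entry that has never matched, which the parser treats as zero.

```python
import re

# Constructed sample in the show access-list format shown above.
SAMPLE_OUTPUT = """Edge-Router#show access-list 101
Extended IP access list 101
    10 deny tcp any any eq 445 (141 matches)
    20 deny tcp any any eq 139 (100 matches)
    30 deny tcp any any eq 18067
    40 permit ip any any
"""

# sequence, action, protocol, the rest of the entry, optional "(N matches)"
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_hit_counts(output):
    """Return one dict per access-list entry with its hit count.
    A missing "(N matches)" suffix means the entry has never matched."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # prompt, header, or unrelated output
        seq, action, proto, spec, hits = m.groups()
        entries.append({"seq": int(seq), "action": action, "proto": proto,
                        "spec": spec, "matches": int(hits or 0)})
    return entries

def drops_by_port(entries):
    """Sum hit counts of deny entries, keyed on the 'eq PORT' destination port
    (entries without a port operator are grouped under 'other')."""
    totals = {}
    for e in entries:
        if e["action"] != "deny":
            continue
        port = re.search(r"\beq (\d+)", e["spec"])
        key = int(port.group(1)) if port else "other"
        totals[key] = totals.get(key, 0) + e["matches"]
    return totals
```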
Additional Information
======================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+----------+----------------+-------------------------+
| Revision | Date           | Description             |
+----------+----------------+-------------------------+
| 1.0      | 2006-August-14 | Initial public release. |
+----------+----------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Related Information
===================
* IPS 5.x Signature S244 Download (registered customers only)
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup
* Signatures by Release Version (registered customers only)
http://tools.cisco.com/MySDN/Intelligence/allSignaturesByRelease.x?st=sr
* Microsoft Security Bulletin MS06-040:
Vulnerability in Server Service Could Allow Remote Code
Execution (921883)
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
* Microsoft Security Advisory (922437):
Exploit Code Published Affecting the Server Service
http://www.microsoft.com/technet/security/advisory/922437.mspx
* Cisco Systems IntelliShield Vulnerability Alert (Intellishield
customers only)
https://intellishield.cisco.com/security/alertmanager/basicSearch.do?dispatch=1&UID=11488
+--------------------------------------------------------------------
All contents are Copyright © 1992-2006 Cisco Systems, Inc. All rights
reserved.