A fairly serious flaw that was announced in October 2008 by Outpost24 (and apparently discovered way back in 2005), has finally been patched by the major players Cisco and Microsoft.

So far Redhat has offered a workaround for the flaw and Juniper has responded that their equipment is not vulnerable.

It could be that Juniper doesn’t really understand the attack yet, if so that’s bad news as most of the Internet backbone (ISP Level) runs on Juniper equipment.

Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

“This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own,” Lee told The Register. “This really is good progress from both Microsoft and Cisco.”

Microsoft rolled it out in their normal “Patch Tuesday” fashion and Cisco issued a bulletin about especially disruptive DoS attacks.

Good to see it being addressed finally, I guess it took Microsoft some time and money in R&D to come up with a satisfactory solution.

I wonder if any other vendors will be following suite shortly.

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company’s Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it’s own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

It’s often hard to fix problems like this in core components because a band-aid solution could end up breaking some of the functionality, especially with something like the TCP stack which is relied on so heavily.

Even then, a patch is released but how many people actually apply it? Cisco equipment is well known for being hard to manage/patch so I’d imagine many network devices will remain unpatched.

Source: The Register

If your organisation is using any kind of Cisco Wi-Fi kit it may be time to get the latest patches for your kit. Although they state there is no proof that hackers have used this attack in the wild – in my experience if Cisco have discovered this now, someone else probably knew about it earlier.

There are multiple vulnerabilities mostly concerning malformed packets sent to the web authentication interface which can cause a reload or hanging of the hardware device.

Cisco is urging admins to update their wireless LAN hardware following the discovery of multiple vulnerabilities in its enterprise Wi-Fi kit.

Security flaws in Cisco Wireless LAN Controllers, Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers create a mechanism for hackers to knock over vulnerable hardware.

All Cisco Wireless LAN Controllers running version 4.2 of the network giant’s software are affected by a pair of denial of service flaws. A third DoS flaw affects software versions 4.1 and later.

The denial of service bugs include a flaw in the handling of Web authentication, which can cause an affected device to reload, and a separate flaw (that also affects version 4.1 of the software) that means vulnerable kit can freeze up on receipt of malformed data packets.

Even if you have recent software (version 4.1) it’s also vulnerable to a separate flaw, which also needs to be patched. I’d imagine now the news is out, even if no one had discovered this previously a little bit of reverse engineering with yield some proof or concept or even a working exploit for these flaws.

You need to check your model numbers though as not all wireless devices are affected.

The same set of potential problems affects Cisco Catalyst 6500 Series/7600 Series Wireless Services Module and Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers but not the equivalent wireless modules on Cisco 2800 and 3800 series Integrated Services Routers. Cisco 2000 and 2100 Series Wireless LAN Controllers are also unaffected by the vulnerability.

The denial of service problem is not the only issue to consider. Version 4.2.173.0 of Cisco’s Wireless LAN controller software is affected by a privilege escalation vulnerability. The security bug creates a means for an ordinary user to gain full administrative rights.

“Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload,” a security advisory from Cisco explains. “Repeated exploitation could result in a sustained DoS condition. The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system.”

One of the flaws is a little more serious resulting in privilege escalation, the end result being administrative access. It does say though you need to be an authenticated user to achieve this – but as they say the majority of attacks come from within an organisation anyway.

As always be wary, and keep your patches up to date. A lot of organisations I’ve audited are very good on patching software, their antivirus is updated daily, Windows updates are applied regularly but often I’ve found hardware and especially Cisco devices woefully out of date.

The problem was discussed here a while ago with the Cisco Vulnerability Given ‘Write Once, Run Anywhere’ Treatement. Cisco needs to make it easier and more efficient for people to update their devices.

Source: The Register