On July 14th, 2009 Microsoft released Microsoft Security Bulletin MS09-032 to address a remote code execution vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll). Microsoft initially announced this vulnerability via Microsoft Security Advisory 972890. Cisco Security Intelligence Operations (SIO) released IPS Signature Updates S411 and S414 which contain signatures that detect attempts to exploit this vulnerability. Additional information about this and other vulnerabilities in Microsoft’s Security Bulletin for July 2009 is available in the corresponding Cisco Event Response.
Analysis of IPS Network Participation data in the Cisco SensorBase Network confirms that this vulnerability is being exploited.
“Leading Websites under Attack — Several major Web sites have reported attacks over the past few days that rendered their sites largely inaccessible.” — CNET

A major wave of denial of service attacks against commercial and government organizations recently made headline news. This activity highlights how vulnerable networks can be to new attacks and how the modern cybercriminal is an increasingly sophisticated adversary. What’s interesting is that the above headline is from February 2000, when a major distributed denial of service (DDoS) attack took down Yahoo! in addition to other major websites. It was the most significant denial of service attack we had ever seen. Fast-forward nine and a half years to July 2009, when a recent New York Times headline reads “Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea.”
An interface queue wedge is a class of vulnerability in which certain packets are received and queued by a Cisco IOS router or switch, but due to a processing error, are never removed from the queue. This is a problem as there are a finite number of packets that may be queued on an individual interface. Should the queue become full, the device will be unable to receive new traffic via that interface.
Although this type of problem could affect any networked device, queue wedges are a classic security problem for Cisco IOS. There have been several instances of queue wedges on Cisco IOS that resulted in Cisco Security Advisories. Here are some examples:
In order to gain a better understanding of why these vulnerabilities exist and are considered severe, we need to examine things in a bit more detail.
Tags: blocked interface, queue wedge, security
Inclusion of third-party software as part of a vendor’s own products has become a common method of reducing time from conception to product launch. As with all strategic decisions related to product development, the costs of including third-party code are weighed against the benefits. In this post I’ll discuss how security considerations should be factored into this decision. These include who has worked on the code, the end user, and the vendor using it.

Who does the work (and how much does it cost)?
Cisco IOS Embedded Event Manager (EEM) is a technology that allows a Cisco IOS device to detect an event and perform an action. EEM links events and actions using EEM policies, which are manifested either as configuration-based EEM applets or as EEM scripts that exist as Tcl scripts on the Cisco IOS device.

EEM has been successful in many ways; it is recognized as a powerful troubleshooting tool and as a great aid in detecting those hard-to-catch intermittent network issues. Perhaps less well known, however, is that the reactive capabilities of EEM lend themselves very well to the identification of security issues on Cisco IOS devices.

Within the realm of security, EEM can be used to instrument the “un-instrumented”. For example, Cisco IOS XR Software contains a security feature known as Local Packet Transport Services (LPTS). Although widely heralded as a fantastic security feature, LPTS does not contain robust reporting capabilities. So while LPTS can be used to protect Cisco IOS XR devices from several types of denial of service attacks, an LPTS-enabled device cannot, on its own, alert an administrator that an attack may be occurring. Enter EEM…