[NT] Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

A buffer overflow vulnerability exists in a system driver used by the
Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads to
a Windows stop error (blue screen) or to arbitrary code execution.

The vulnerability is triggered during processing of a crafted TCP segment
destined to TCP port 139 or 445. These ports are used by the Microsoft
Server Message Block (SMB) protocol.

DETAILS

Vulnerable Products
All versions of Cisco Security Agent for Windows, either managed or
standalone, are affected. Agents that are running on Cisco IP
Communications application servers or agents on systems that are running
the Cisco Security Manager are examples of a standalone implementation.

Standalone agents are installed in the following Cisco IP Communications
products:
* Cisco Unified Communications Manager (CallManager)
* Cisco Conference Connection (CCC)
* Emergency Responder
* IPCC Express
* IPCC Enterprise
* IPCC Hosted
* IP Interactive Voice Response (IP IVR)
* IP Queue Manager
* Intelligent Contact Management (ICM)
* Cisco Voice Portal (CVP)
* Cisco Unified Meeting Place
* Cisco Personal Assistant (PA)
* Cisco Unity
* Cisco Unity Connection
* Cisco Unity Bridge
* Cisco Internet Service Node (ISN)

Cisco Security Manager installs a standalone version of Cisco Security
Agent if an agent is not found when Cisco Security Manager is installed,
so systems that are running Cisco Security Manager are also affected by
this vulnerability.

Products Confirmed Not Vulnerable
The Cisco Secure Access Control Server (ACS) Solution Engine, also known
as the ACS appliance, integrates a standalone version of Cisco Security
Agent. However, the ACS Solution Engine is not affected by this
vulnerability because by default it blocks incoming traffic to the
affected TCP ports (139 and 445). Additional information is in the Details
section.

Cisco Security Agents that are running on the Solaris and Linux operating
systems are not affected by the vulnerability described in this advisory.

Details:
Cisco Security Agent is a security software agent that provides threat
protection for server and desktop computing systems. Cisco Security Agents
can be managed by a Management Center for Cisco Security Agents or can be
standalone agents that are not managed by a Cisco Security Agent
Management Center.

Some Cisco products integrate standalone Cisco Security Agents to protect
the products against viruses, worms, and attacks. Examples of products
that integrate standalone Cisco Security Agents include Cisco IP
Communications application servers, the Cisco Secure Access Control Server
(ACS) Solution Engine, and the Cisco Security Manager.

A buffer overflow vulnerability exists in a system driver used by Cisco
Security Agents, whether they are managed or unmanaged. Cisco Security
Agents use this driver by default.

Windows kernel memory becomes corrupted when this buffer is overflowed.
Therefore, exploitation of this vulnerability will lead to a Windows stop
error (kernel panic, or blue screen error), or to arbitrary code
execution. The vulnerability can be exploited remotely via the network.

The vulnerability is triggered when Cisco Security Agent is processing a
crafted TCP segment destined to TCP port 139 or 445. These ports are used
by the Microsoft Server Message Block (SMB) protocol. A TCP session needs
to be established (that is, the TCP three-way handshake needs to be
completed) for the vulnerability to be triggered.

All systems that are running a vulnerable version of Cisco Security Agent
for Windows are affected. This includes Cisco products that integrate
standalone Cisco Security Agents, such as Cisco IP Communications
application servers and the Cisco Security Manager. Although the ACS
Solution Engine integrates a standalone Cisco Security Agent, it is not
affected because TCP ports 139 and 445 are firewalled by the ACS
Solution Engine itself. This blocking of traffic destined to TCP ports 139
and 445 is enabled by default and is not user-configurable.

Impact
Successful exploitation of the buffer overflow vulnerability described in
this advisory may result in an operating system crash or complete system
compromise.

Workarounds
General Considerations
Filters that deny SMB protocol packets using TCP ports 139 and 445 should
be deployed as part of a transit access control list (tACL) policy for
protection from traffic that enters the network at ingress access points.
This policy should be configured to protect the network device where the
filter is applied and other devices behind it. Filters for SMB protocol
packets using TCP ports 139 and 445 should also be deployed in front of
vulnerable hosts so that traffic is allowed only from trusted clients.

Additional information about tACLs is available in "Transit Access Control
Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20071205-csa.shtml
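As an added illustration (not part of the Cisco advisory or its companion documents), the following Cisco IOS extended access list implements the tACL filter described above: SMB on TCP ports 139 and 445 is permitted only from a trusted client network toward the protected hosts, every other SMB attempt is denied and logged so that probes against the vulnerable ports show up in syslog, and the list is applied inbound on the ingress interface. The address ranges, ACL name and interface are constructed placeholders.

```text
! Constructed example: 192.0.2.0/24 is the trusted client network,
! 198.51.100.0/24 holds the hosts running Cisco Security Agent for Windows.
ip access-list extended TACL-SMB-CSA
 remark Allow SMB only from trusted clients to the protected hosts
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 139
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 445
 remark Deny and log all other SMB traffic to the protected hosts
 deny   tcp any 198.51.100.0 0.0.0.255 eq 139 log
 deny   tcp any 198.51.100.0 0.0.0.255 eq 445 log
 remark Remaining transit traffic is subject to the existing local policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Ingress access point facing the untrusted network (placeholder)
 ip access-group TACL-SMB-CSA in
```

The same list can be applied on the interface directly in front of the vulnerable hosts, which is the second placement the advisory recommends; review the logged denies to confirm the filter is seeing the traffic you expect.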

Cisco Security Agent Rule to Block TCP Port 139 and 445 Traffic
Workstations that do not have a need to provide SMB services, such as
services for sharing directories or files and printers, can be protected
by configuring a Cisco Security Agent rule that blocks all traffic to TCP
ports 139 and 445 (the SMB ports).

Such a rule exists in versions of Cisco Security Agent that include the
Network Personal Firewall policy. The specific rule can be found by
searching rules for one that has the description "All applications, server
for SMB services (offering network shares)" or by opening the Personal
Firewall Module rule module (attached to the Network Personal Firewall
policy) and editing the rule that has this description. This rule is
enabled by default but the default action must be changed from Allow to a
High Priority Deny.

If the Network Personal Firewall policy is not available, administrators
can create a network access rule that blocks traffic to TCP ports 139 and
445. To do this, the rule must be configured as a Deny rule so that traffic
is denied when the system on which Cisco Security Agent is installed
attempts to act as a server for network services on TCP ports 139 and 445.
For additional information on configuring Cisco Security Agent network
access control rules, see the following document:

http://www.cisco.com/en/US/docs/security/csa/csa52/user_guide/Chap6.html#wp1199624

Caution: Blocking TCP ports 139 and 445 on a Windows system will cause the
Windows system to stop providing SMB services. Before implementing the
workarounds presented in this section, administrators are advised to
ensure that they understand the implications of disabling SMB services on
users' workstations.

CVE Information:
CVE-2007-5580: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5580


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@xxxxxxxxx).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml


