
Cisco Security Agent

CSA Protects Against MS06-035

Product Bulletin No. 362881

SUMMARY

A critical vulnerability was announced on July 11, 2006, for Microsoft Windows 2000, Windows XP and XP Professional, and Windows 2003 Server operating systems (http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx). There is a remote code execution vulnerability in the Server service driver (SRV.SYS) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. Microsoft has released patch updates for these vulnerable operating systems, available from its Website (www.microsoft.com).
Cisco Systems® has obtained exploit files and has confirmed that Cisco® Security Agent is effective in stopping these exploits using the default security policy configuration. Current supported versions of Cisco Security Agent 4.03.x, 4.5.1.x, 5.0.0.x, and 5.1.0.x are effective in stopping the exploits seen to date.

DETAILS OF THE VULNERABILITY

The first vulnerability is a buffer overflow vulnerability in the Microsoft mailslot server service that may allow a remote attacker to execute arbitrary code on vulnerable installations of the Microsoft Windows operating system. A mailslot is a temporary mechanism that uses TCP or UDP to facilitate data transfer between hosts. A buffer overflow can occur during the processing of mailslot messages. Authentication is not required to exploit this vulnerability, and code execution occurs within the context of the kernel. The Microsoft advisory states that attempts to exploit this vulnerability will most probably result in a denial-of-service condition caused by an unexpected restart of the affected system.
The second vulnerability is due to an uninitialized buffer in the server protocol driver, which could be exploited by attackers to remotely read fragments of memory used to store server message block traffic during transport.

HOW CISCO SECURITY AGENT STOPS THE EXPLOIT

The default policies in Cisco Security Agent include a buffer overflow prevention rule that stops the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:

• Execution of a system function from a buffer, through a buffer overflow

This testing is shown in Figure 1.
The exploit was tested at Cisco with the agent in Protect mode, which blocks malicious behavior. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit. No subsequent events would be seen, as the exploit would be terminated before it could perform any malicious actions.
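The rule described above, blocking a system function that is invoked from a buffer, can be illustrated with the following added example. It is not Cisco's code and does not show how Cisco Security Agent implements the rule. It assumes Linux (it reads /proc/self/maps) and GCC or Clang (for __builtin_return_address and the noinline attribute). A guarded function stands in for a hooked system API: the caller's return address is classified as either image code (an executable, file-backed mapping) or data-region memory (stack, heap, anonymous memory, the places an overflow would put injected code), and the call is refused in the latter case. The probe helpers exercise the classifier on each region so the behaviour can be checked without executing anything from a buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Result codes for classify_address(). */
enum { ADDR_UNKNOWN = -1, ADDR_DATA = 0, ADDR_CODE = 1 };

/*
 * Classify an address by finding the mapping that contains it in
 * /proc/self/maps (Linux only; an assumption of this example, not how
 * Cisco Security Agent works).
 *
 * ADDR_CODE    : mapping is executable and backed by a file (a loaded image)
 * ADDR_DATA    : any other mapping (stack, heap, anonymous memory, and
 *                bracketed pseudo-paths such as [stack] or [heap])
 * ADDR_UNKNOWN : mapping table unreadable, or address not mapped
 */
int classify_address(const void *addr)
{
    uintptr_t target = (uintptr_t)addr;
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    int result = ADDR_UNKNOWN;

    if (maps == NULL)
        return ADDR_UNKNOWN;

    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long lo, hi;
        char perms[5];
        int consumed = 0;

        /* Fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s%n",
                   &lo, &hi, perms, &consumed) < 3)
            continue;
        if (target < lo || target >= hi)
            continue;

        /* Whatever follows the inode field is the backing path, if any. */
        const char *path = line + consumed;
        while (*path == ' ' || *path == '\t')
            path++;
        int file_backed = (*path != '\0' && *path != '\n' && *path != '[');

        result = (perms[2] == 'x' && file_backed) ? ADDR_CODE : ADDR_DATA;
        break;
    }
    fclose(maps);
    return result;
}

/*
 * Stand-in for a hooked system function. It inspects its caller's return
 * address and refuses to proceed when that address is not image code.
 * Returns 1 if the call was allowed, 0 if blocked, -1 if undetermined.
 */
__attribute__((noinline))
int guarded_system_call(void)
{
    const void *caller = __builtin_return_address(0);
    int cls = classify_address(caller);
    if (cls == ADDR_CODE)
        return 1;   /* legitimate caller in a loaded image: proceed */
    if (cls == ADDR_DATA)
        return 0;   /* caller lives in a buffer: block */
    return -1;
}

/* Probe helpers: classify an address from each kind of region. */
int probe_stack(void)
{
    volatile char buf[64];           /* a local buffer on the stack */
    buf[0] = 0;
    return classify_address((const void *)buf);
}

int probe_heap(void)
{
    char *buf = malloc(64);          /* a heap buffer */
    int cls = buf ? classify_address(buf) : ADDR_UNKNOWN;
    free(buf);
    return cls;
}

int probe_code(void)
{
    /* address of a function in this image's text section */
    return classify_address((const void *)(uintptr_t)classify_address);
}

int main(void)
{
    printf("stack buffer : %d\n", probe_stack());
    printf("heap buffer  : %d\n", probe_heap());
    printf("image code   : %d\n", probe_code());
    printf("guarded call : %d (1 = allowed, 0 = blocked)\n", guarded_system_call());
    return 0;
}
```

The classifier reports the stack and heap probes as data regions and the function address as image code, so the guarded call made from main is allowed. A real agent hooks the system functions themselves rather than asking callers to cooperate, and it would also have to handle legitimate JIT code and trampolines, which this heuristic would flag.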
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day zero" protection. This is similar to what Cisco has seen with earlier exploits and worms: the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped with the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously impact an organization's computing and network environments. The key to preventing damage from these new attacks is the ability to stop an attack without requiring any changes to default configuration, along with multiple rules in the default policies that provide a defense in depth.

Figure 1. Cisco Security Agent Default Configuration Stops the Microsoft MS06-035 Exploit Tested on Cisco Security Agent 5.1