Guest

CiscoWorks VPN/Security Management Solution

Microsoft Windows Vulnerability Affects Ciscoworks Virtual Private Network Security Management Solution


August 11, 2003


Products Affected

Product

CWVMS (Versions 2.2)

Problem Description

Microsoft Corporation recently announced a security vulnerability in it's Windows Operating Systems which may allow attacks to the Ciscoworks (CW) Virtual Private Network (VPN) Management Solution (VMS) server. This security vulnerability is in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. Additional information can be found on the Microsoft Website

Background

DCOM RPC Vulnerability

A stack-based buffer overflow condition has been discovered in the Microsoft RPC interface for DCOM. This is a core function of the Windows kernel, and cannot be disabled. Since this is a kernel function, implemented via SVCHOST.EXE, successful attacks will result in system privilege, equivalent to Unix root. Specially crafted messages sent to port 135 exploit the buffer overflow.

Problem Symptoms

Exploit code circulating in the wild executes shell code after the buffer overflow, allowing remote access to a command shell and complete, privileged remote control of the system.

Workaround/Solution

For all VMS users it is highly recommended that the primary method of resolution of this problem is to implement the available Microsoft patch. The patch can be found on the Microsoft Support Site.

For customers running CW VMS with only the Management Center (MC) for Cisco Security Agents and Security Monitor running, you may implement the CW VMS Restrictive Server Module as an alternative protection mechanism. This is not an advised work around for customer running other VMS MCs as the Restrictive Module does not take into account the operational requirements of these consoles.

The default Cisco Security Agent policies applied to desktop systems and servers will protect the system against the current exploits for the DCOM RPC vulnerability.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.