Cisco Application Analysis Solution

Field Notice: FN - 63013 - Cisco Application Analysis Solution Capture Agent Upgrade for Bundled WinPcap


November 30, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Revision History

Revision   Date          Comment
1.0        30-NOV-2007   Initial Public Release

Products Affected

CAAS - 2.0 (Cisco Application Analysis Solution 2.0)

Problem Description

On November 12, 2007, iDefense Labs released a public advisory identifying a security vulnerability in WinPcap.

WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability

The Windows version of the Cisco Application Capture Agent installs WinPcap (version 4.0.1 at the time of this notice) as its underlying packet capture technology. Windows hosts with the Cisco Application Capture Agent installed are therefore exposed to this vulnerability. The vulnerability allows an attacker to obtain elevated privileges and execute code within the Windows kernel. The attacker must be local, that is, the attacker must already be able to run code on the same Windows machine as the WinPcap software.

Background

WinPcap is a software package that facilitates real-time link-level network access for Windows-based operating systems.

Local exploitation of an invalid array indexing vulnerability in the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context. The problem specifically exists within the bpf_filter_init function. In several places throughout this function, values supplied from a potential attacker are used as array indexes without proper bounds checking. By making IOCTL requests with specially chosen values, attackers are able to corrupt the stack, or pool memory, within the kernel.

Categorization of Vulnerability

FrSIRT categorizes this vulnerability as a "Moderate Risk":

WinPcap NPF.SYS "bpf_filter_init()" Arbitrary Array Indexing Vulnerability

Secunia categorizes this vulnerability as "Less critical":

Secunia - WinPcap NPF.SYS "bpf_filter_init" Array Indexing Vulnerability

Problem Symptoms

There are no operational symptoms; exposure depends only on whether the vulnerable driver is loaded. Local exploitation of the invalid array indexing vulnerability in the WinPcap NPF.SYS device driver allows attackers to execute arbitrary code in kernel context.

The WinPcap "npf" device driver must be loaded for the vulnerability to be reachable. The Application Capture Agent is installed as the Windows service named "OPNET Application Capture Agent". Starting and running this service does not load the WinPcap driver by itself; the driver is loaded only when a packet capture is actually started. Starting a packet capture from the Application Analysis Solution loads the vulnerable WinPcap driver on the Windows host where the capture runs, and the driver remains loaded after the capture completes, until the machine is rebooted or the "npf" driver is stopped (for example, with the command net stop npf).

Workaround/Solution

Cisco customers with a current service contract may download and install a release of the Cisco Application Capture Agent (version 3.6 build 285) from the Cisco Software Center, under Network Management Software.

This release bundles WinPcap version 4.0.2, which addresses this vulnerability. The release is scheduled for General Availability on November 28, 2007.

Users may also address the problem by manually upgrading to WinPcap 4.0.2, using the following procedure:

  1. Stop the "OPNET Application Capture Agent" Windows service.

  2. Uninstall WinPcap 4.0.1.

  3. Download WinPcap 4.0.2 from the WinPcap 4.0.2 download page.

  4. Install WinPcap 4.0.2.

  5. Manually remove the "rpcapd.exe" executable that the WinPcap 4.0.2 installer adds.

    Note: "rpcapd.exe" is an experimental remote capture component of WinPcap that is usually installed in C:\Program Files\WinPcap. It is not present after a normal installation of the Cisco Application Capture Agent, so its presence indicates a manual WinPcap install.

  6. Start the "OPNET Application Capture Agent" Windows service.

If you cannot address the problem using the methods above, you can reduce your exposure to this vulnerability by stopping the "OPNET Application Capture Agent" service when it is not in use, with the following procedure:

  1. Stop the "OPNET Application Capture Agent" Windows service.

  2. Change the "Startup Type" of the "OPNET Application Capture Agent" service to "Manual". This prevents the service from starting automatically when the system is rebooted.

  3. When you wish to perform a capture, start the service, perform the capture, then stop the service and also stop the "npf" device driver (for example, by running net stop npf at the command line, or by using the Windows administrative tools). Stopping the service alone does not unload the driver.
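Both procedures above (the manual WinPcap upgrade and the reduce-exposure fallback) reduce to a few checks on the host: which WinPcap version is registered, whether npf.sys is currently loaded, whether rpcapd.exe was left behind, and how the agent service is configured. The following PowerShell script is an added illustration, not Cisco or OPNET tooling. It audits those points and, when run with -Mitigate from an elevated prompt, applies the fallback procedure (stop the agent service, set it to Manual, unload npf). It assumes WinPcap is registered under the standard per-machine Uninstall registry key with a DisplayName of the form "WinPcap 4.0.x", that npf.sys lives under System32\drivers, and that the agent service can be found by the service name or display name quoted in this notice; the parameter names and the -RemoveRpcapd switch are this script's own.

```powershell
<#
  Audit (and optionally mitigate) the WinPcap npf.sys exposure described in FN-63013.
  Illustrative script only; run from an elevated PowerShell prompt.
#>
param(
    [switch]$Mitigate,       # stop the agent service, set it to Manual, unload the npf driver
    [switch]$RemoveRpcapd    # delete rpcapd.exe left behind by a manual WinPcap install
)

$AgentServiceName = 'OPNET Application Capture Agent'   # name or display name of the agent service
$FixedVersion     = [version]'4.0.2'                    # WinPcap release that ships the fixed npf.sys

function Get-WinPcapInstalledVersion {
    # Assumption: the WinPcap installer registers itself under the per-machine Uninstall key
    # with a DisplayName such as 'WinPcap 4.0.1'; the version is parsed from that string.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $entry = Get-ChildItem $k | Get-ItemProperty |
                 Where-Object { $_.DisplayName -like 'WinPcap*' } | Select-Object -First 1
        if ($entry -and $entry.DisplayName -match '(\d+(\.\d+)+)') { return [version]$Matches[1] }
    }
    return $null
}

function Get-NpfDriverState {
    # npf is a kernel driver, so Get-Service does not list it; query it as a system driver instead.
    Get-WmiObject Win32_SystemDriver -Filter "Name='npf'" | Select-Object Name, State, StartMode, PathName
}

function Get-NpfFileVersion {
    $path = Join-Path $env:SystemRoot 'System32\drivers\npf.sys'
    if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { $null }
}

function Get-RpcapdPaths {
    # rpcapd.exe is only present after a manual WinPcap install, never after the agent's own install.
    @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'WinPcap\rpcapd.exe' } | Where-Object { Test-Path $_ }
}

function Get-AgentService {
    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $AgentServiceName -ErrorAction SilentlyContinue }
    return $svc
}

# ---- audit: report the facts the field notice says matter ----
$installed = Get-WinPcapInstalledVersion
$npf       = Get-NpfDriverState
$rpcapd    = @(Get-RpcapdPaths)
Write-Host "WinPcap registered version : $(if ($installed) { $installed } else { 'not found' })"
Write-Host "npf.sys file version       : $(Get-NpfFileVersion)"
Write-Host "npf driver state           : $(if ($npf) { $npf.State } else { 'not installed' })"
if ($rpcapd) { Write-Warning "rpcapd.exe present: $($rpcapd -join ', ')" }
if ($installed -and $installed -lt $FixedVersion) {
    Write-Warning "WinPcap $installed is older than $FixedVersion; upgrade the agent or WinPcap."
}
if ($npf -and $npf.State -eq 'Running') {
    Write-Warning 'The npf driver is loaded; the host stays exposed until it is stopped or the system is rebooted.'
}

# ---- mitigation: the fallback procedure from the field notice ----
if ($Mitigate) {
    $svc = Get-AgentService
    if ($svc) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Manual
        Write-Host "Stopped '$($svc.DisplayName)' and set its startup type to Manual."
    } else {
        Write-Warning "Service '$AgentServiceName' not found; skipping service changes."
    }
    # Stopping the service does not unload the driver; stop npf explicitly, as the notice instructs.
    if ($npf -and $npf.State -eq 'Running') {
        & net.exe stop npf | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning 'net stop npf failed; reboot to unload the driver.' }
    }
}
if ($RemoveRpcapd) { $rpcapd | ForEach-Object { Remove-Item $_ -Force; Write-Host "Removed $_" } }
```

Run the script with no switches first to see where the host stands; a registered version below 4.0.2 together with a "Running" npf state is the condition the field notice describes as exposed. The mitigation branch deliberately leaves the WinPcap package in place, since it only implements the reduce-exposure fallback; after the agent or WinPcap has been upgraded, re-run the audit and use -RemoveRpcapd to clean up the experimental daemon that step 5 of the manual procedure calls for.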

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC).

Receive Email Notification for New Field Notices

Product Alert Tool: set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.