
Cisco Security Agent

CSA Protects Against MS06-040

Product Bulletin No. 362878

SUMMARY

A critical vulnerability was announced on August 8, 2006, for Microsoft Windows 2000, Windows XP and XP Professional, and Windows 2003 Server operating systems (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx). This vulnerability is actively being exploited. There is a remote code execution vulnerability in the Server service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. Microsoft has released patch updates for these vulnerable operating systems, available from its Website (www.microsoft.com).
Cisco Systems® has obtained exploit files and has confirmed that Cisco® Security Agent is effective in stopping these exploits using the default security policy configuration. Current supported versions of Cisco Security Agent 4.03.x, 4.5.1.x, 5.0.0.x, and 5.1.0.x are effective in stopping the exploits seen to date.

DETAILS OF THE VULNERABILITY

This is a remote code execution vulnerability caused by an unchecked buffer in the Server service. The Server service provides remote procedure call (RPC) support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between a computer being used for RPC and applications running on other computers.
An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

HOW CISCO SECURITY AGENT STOPS THE EXPLOIT

The default policies in Cisco Security Agent include a buffer overflow prevention rule that stops the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:

• Execution of a system function from a buffer, through a buffer overflow

This testing is shown in Figure 1.
The exploit was tested at Cisco with the agent in Test mode, which does not block malicious behavior. This allows the agent to report all rules that would be applied if the agent was in Protect mode, to observe all possible ways that Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit. No subsequent events would be seen, as the exploit would be terminated before it could perform any malicious actions.
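To make the Test-mode versus Protect-mode behaviour described above concrete, the following is an added example (not Cisco Security Agent code; a simplified model with constructed addresses, process memory map and event trace) of a buffer overflow prevention rule that flags a system function called from a stack or heap buffer rather than from a loaded module image, and of how the two agent modes report or terminate on a hit.

```python
from collections import namedtuple
# Constructed process memory map (sample ranges, not from the bulletin). Legitimate
# callers of system functions live inside module images, not in stack/heap buffers.
MODULE_IMAGES = [("svchost.exe", 0x01000000, 0x01007000),
                 ("kernel32.dll", 0x7C800000, 0x7C8F6000)]
BUFFERS = [("stack", 0x0012F000, 0x00130000), ("heap", 0x00140000, 0x00240000)]

# pid, system function invoked, address the call was made from (return address)
ApiCall = namedtuple("ApiCall", "pid api caller")

def region_of(addr):
    for name, lo, hi in MODULE_IMAGES:
        if lo <= addr < hi:
            return "image:" + name
    for name, lo, hi in BUFFERS:
        if lo <= addr < hi:
            return "buffer:" + name
    return "unknown"
def buffer_overflow_rule(ev):
    """The bulletin's observed rule: a system function executed from a buffer."""
    region = region_of(ev.caller)
    if region.startswith("buffer:"):
        return f"pid {ev.pid}: {ev.api} called from {region} at {ev.caller:#010x}"
    return None

RULES = [buffer_overflow_rule]  # a real default policy holds several such rules

def run_agent(events, mode):
    """Test mode reports every rule hit; Protect mode terminates the process
    on the first hit, so that process's later events are never seen."""
    assert mode in ("test", "protect")
    log, killed = [], set()
    for ev in events:
        if ev.pid in killed:
            continue  # process already terminated; this event never happens
        for rule in RULES:
            hit = rule(ev)
            if hit:
                log.append(hit)
                if mode == "protect":
                    killed.add(ev.pid)
                    log.append(f"pid {ev.pid}: terminated by agent")
                    break
    return log, killed

def sample_events():  # constructed trace: one legitimate call, then two from the stack
    return [ApiCall(1032, "CreateFileW", 0x01001234),     # from svchost image: allowed
            ApiCall(1032, "LoadLibraryA", 0x0012F800),    # from stack buffer: rule hit
            ApiCall(1032, "CreateProcessA", 0x0012F900)]  # stack too; never seen in Protect
```

Running `run_agent(sample_events(), "test")` reports both stack-originated calls, while `"protect"` reports only the first and records the process as terminated.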
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day zero" protection. This is similar to what Cisco has seen with earlier exploits and worms: the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped with the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously impact an organization's computing and network environments. The key to preventing damage from these new attacks is the ability to stop an attack without requiring any changes to default configuration, along with multiple rules in the default policies that provide a defense in depth.

Figure 1. Cisco Security Agent Default Configuration Stops the Microsoft MS06-040 Exploit Tested on Cisco Security Agent 5.1