Cisco Security Agent

A critical vulnerability was announced on November 14, 2006 for Microsoft Windows 2000 and Windows XP operating systems. [1] This vulnerability is actively being exploited. A remote code execution vulnerability exists in the Workstation service that could allow an attacker who successfully exploited this vulnerability to seize control of an affected system. Microsoft has released an update and is recommending customers with affected systems patch immediately. [2]

This vulnerability has already been exploited in several attacks. Cisco® has obtained exploit files, and has confirmed that the Cisco Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent 4.5.x, 5.0.x, and 5.1.x are all effective in stopping the exploits seen to date.

This is a remote code execution vulnerability caused by an unchecked buffer in the Workstation service. Local file system requests and remote file or print network requests are routed through the Workstation service. This service determines where the resource is located and then routes the request to the local file system or to the networking components. When the Workstation service is stopped, all requests are assumed to be local requests.

On Windows 2000, any anonymous user could deliver a specially crafted message to the affected system to exploit this vulnerability. On Windows XP Service Pack 2, the attack could be successfully performed by a user with administrator privileges. [3]

An attacker who successfully exploits this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Cisco Security Agent default policies contain multiple rules that stop the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.

The following actions have been observed being blocked by Cisco Security Agent running the default security policies:

This testing on Windows 2000 Service Pack 4 is shown in Figure 1.

Note that the exploit was tested at Cisco, with the agent in Test mode, which will cause the agent to alert (but not block) malicious behavior. This was done to observe all possible ways that the Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit: no subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.

Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agent agents to be effective. In short, this was a true test of "day-zero" protection. This is similar to what Cisco has seen with earlier exploits and worms-the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped via the default security policy settings:

This exploit is only the latest example of new and mutating attacks that can seriously impact an organization's computing and network environments. The key to stopping these new attacks is two-fold: the ability to stop the attack without requiring any changes to the default configuration, and multiple rules in the default policies that provide defense in depth.

[1] Microsoft Security Advisory: http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx

[2] Microsoft Security Advisory: http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx

[3] CERT: http://www.kb.cert.org/vuls/id/778036