RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability

From: Tina Bird (tbird@precision-guesswork.com)
Date: Wed Aug 16 2006 - 16:09:54 EDT


 
> We have SSL VPN (SVC, Tunneling)
> remote users that establish sessions with our corporate network. They
> need the ability to map drives to servers once the session is
> established. In order to map drives it requires that TCP ports 139 and
> 445 to be open and there in lies the problem so I cannot filter these
> ports. Cisco's ASA Secure Desktop allows me to check for the
> presence of
> service packs and any registry entry on the remote client PC's and can
> restrict access if they are not installed.

I have not yet played with Cisco's ASA endpoint-audit functionality, so I
can't speak to that directly. However, be *very* careful in trusting
registry entries only as a check of whether or not a patch is installed. If
you're relying on Microsoft/Windows Update as your patching system, there
are a number of scenarios in which the registry entry for an update is
created, but the patch itself is not installed (as many of us learned to our
torment during Blaster) -- and of course, the registry doesn't indicate
whether the system has been rebooted since the patch was applied. And even
if Microsoft has improved the validity of the reg key (I haven't checked in
a year or so)...registry keys related to updates are *not* guaranteed to
survive the application of new service packs, which can wreak havoc with
your infrastructure whenever they get around to creating new SPs for your
operating systems.

At the time XP SP2 was released I was working for a company that sells an
endpoint enforcement system. One of our large customers used reg keys for
their patch checks. They did in fact knock a large subset of their endusers
off line, because SP2 removed a bunch of reg keys they were checking.

It's more labour intensive, but my vote for the best "easy" way to check for
patches is to check file versions. YMMV. Even more effective is a mechanism
to validate the file versions *and* the version running in memory, but
that's a lot more work.

HTH -- tbird

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:45 EDT