Penetration Testing mailing list archives
RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Wed, 16 Aug 2006 13:09:54 -0700
We have SSL VPN (SVC, Tunneling) remote users that establish sessions with our corporate network. They need the ability to map drives to servers once the session is established. In order to map drives it requires that TCP ports 139 and 445 to be open and there in lies the problem so I cannot filter these ports. Cisco's ASA Secure Desktop allows me to check for the presence of service packs and any registry entry on the remote client PC's and can restrict access if they are not installed.
I have not yet played with Cisco's ASA endpoint-audit functionality, so I can't speak to that directly. However, be *very* careful in trusting registry entries only as a check of whether or not a patch is installed. If you're relying on Microsoft/Windows Update as your patching system, there are a number of scenarios in which the registry entry for an update is created, but the patch itself is not installed (as many of us learned to our torment during Blaster) -- and of course, the registry doesn't indicate whether the system has been rebooted since the patch was applied. And even if Microsoft has improved the validity of the reg key (I haven't checked in a year or so)...registry keys related to updates are *not* guaranteed to survive the application of new service packs, which can wreak havoc with your infrastructure whenever they get around to creating new SPs for your operating systems. At the time XP SP2 was released I was working for a company that sells an endpoint enforcement system. One of our large customers used reg keys for their patch checks. They did in fact knock a large subset of their endusers off line, because SP2 removed a bunch of reg keys they were checking. It's more labour intensive, but my vote for the best "easy" way to check for patches is to check file versions. YMMV. Even more effective is a mechanism to validate the file versions *and* the version running in memory, but that's a lot more work. HTH -- tbird ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability Paul Guibord (Aug 16)
- RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability Tina Bird (Aug 16)
- <Possible follow-ups>
- Re: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability krymson (Aug 16)