Penetration Testing mailing list archives

RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability

From: "Tina Bird" <tbird () precision-guesswork com>
Date: Wed, 16 Aug 2006 13:09:54 -0700

We have SSL VPN (SVC, Tunneling)
remote users that establish sessions with our corporate network. They
need the ability to map drives to servers once the session is
established. In order to map drives it requires that TCP ports 139 and
445 to be open and there in lies the problem so I cannot filter these
ports. Cisco's ASA Secure Desktop allows me to check for the 
presence of
service packs and any registry entry on the remote client PC's and can
restrict access if they are not installed.


I have not yet played with Cisco's ASA endpoint-audit functionality, so I
can't speak to that directly. However, be *very* careful in trusting
registry entries only as a check of whether or not a patch is installed. If
you're relying on Microsoft/Windows Update as your patching system, there
are a number of scenarios in which the registry entry for an update is
created, but the patch itself is not installed (as many of us learned to our
torment during Blaster) -- and of course, the registry doesn't indicate
whether the system has been rebooted since the patch was applied. And even
if Microsoft has improved the validity of the reg key (I haven't checked in
a year or so)...registry keys related to updates are *not* guaranteed to
survive the application of new service packs, which can wreak havoc with
your infrastructure whenever they get around to creating new SPs for your
operating systems.

At the time XP SP2 was released I was working for a company that sells an
endpoint enforcement system. One of our large customers used reg keys for
their patch checks. They did in fact knock a large subset of their endusers
off line, because SP2 removed a bunch of reg keys they were checking.

It's more labour intensive, but my vote for the best "easy" way to check for
patches is to check file versions. YMMV. Even more effective is a mechanism
to validate the file versions *and* the version running in memory, but
that's a lot more work.

HTH -- tbird


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

Current thread:

Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability Paul Guibord (Aug 16)
- RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability Tina Bird (Aug 16)
- <Possible follow-ups>
- Re: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability krymson (Aug 16)