FW: Cisco Security Notice: W.32 BLASTER Worm Mitigation Recommendations
FYI.
Regards,
Mark Tinka - CCNA
Network Engineer, Africa Online Uganda
-----Original Message-----
From: owner-cust-security-announce@cisco.com
[mailto:owner-cust-security-announce@cisco.com] On Behalf Of Cisco Systems
Product Security Incident Response Team
Sent: Thursday, August 14, 2003 5:00 AM
To: cust-security-announce@cisco.com
Cc: psirt@cisco.com
Subject: Cisco Security Notice: W.32 BLASTER Worm Mitigation Recommendations
Cisco Security Notice: W32.BLASTER Worm Mitigation Recommendations
==================================================================
Revision 1.0 INTERIM
====================
----------------------------------------------------------------------------
Contents
========
Summary
Details
Detection
    Using IOS with NetFlow Enabled to Detect Infected Hosts
    Using CatOS with Sup2 and MLS to Detect Infected Hosts
    CSIDS Signature
Symptoms
Affected Products
Software Versions and Fixes
    Cisco CallManager, Cisco Customer Response Server, Cisco Personal
    Assistant, Cisco Conference Connection, Cisco Emergency Responder
    Cisco Building Broadband Service Manager
    Other Windows-based Cisco Products
Obtaining Fixed Software
Workarounds
    ACL for IOS
    Cisco 12000
    VACL on the 6500
    Catalyst 3550
    Catalyst 2950
    Catalyst 2900XL and 3500XL
    PIX
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
Related Information
----------------------------------------------------------------------------
Summary
=======
Cisco customers are currently experiencing attacks due to a new worm that is
active on the Internet. The signature of this worm appears as UDP traffic to
port 69 and high volumes of TCP traffic to ports 135 and 4444. Affected
customers have been experiencing high volumes of traffic from both internal
and external systems. Symptoms on Cisco devices include, but are not limited
to, high CPU and traffic drops on the input interfaces. This document focuses
on both mitigation techniques and the affected Cisco products which need
software supplied by Cisco to patch properly.
The worm has been referenced by the names "W32.Blaster" and "msblast.exe".
This worm exploits a vulnerability previously disclosed by Microsoft,
details of which can be found at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Details
=======
Details of the worm can be found on Microsoft's web site:
http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
The effects of this worm can be mitigated by blocking the ports it uses to
spread itself, scan for new infections, and propagate the executable code.
This document focuses on blocking the spread of the worm, either before or
after your internal network is infected. Because this worm spreads using
valid ports, blocking those ports may break existing functionality, such as
file sharing, TFTP or Kerberos authentication. As with all network
configurations, Cisco recommends that you document baseline traffic during
normal operation and use that baseline to make decisions about blocking
ports or traffic in your network. Block ports with caution to avoid
disabling functionality in your network. Brief descriptions of the normal
usage of these ports are listed below.
TCP port 135 is used for the MS RPC protocol. This is often used to share
files on local network segments, and rarely used to share files over WAN
segments. This is the port where the initial vulnerability is exploited,
initiating a sequence of events that fully infects a machine. Blocking port
135 can prevent initial infections, but may disable existing filesharing
functionality within your network.
UDP port 69 is used for Trivial File Transport Protocol (TFTP), often used
to load new software images or configurations to networked devices. A host
infected with the W32.Blaster worm opens up this port to transfer the
msblast.exe file from an infected machine to a newly exploited machine.
Blocking this port may prevent the spread of the worm from an already
infected machine to vulnerable hosts, but may break existing TFTP
functionality within your network.
TCP port 4444 is used for Kerberos authentication and Oracle9i
communication. A host fully infected with the W32.Blaster worm opens a
command shell on this port, allowing the machine to be controlled remotely.
Blocking this port may prevent an infected machine from being used for
further malicious activities, but may block existing Kerberos authentication
functionality or Oracle9i implementations within your network.
TCP and/or UDP ports 137, 138, 139 and 593 have vulnerabilities associated
with them and may leave hosts open to exploitation, but are not currently
known to be directly connected to the spread of the W32.Blaster worm. Cisco
recommends that any unneeded ports, particularly those with known
vulnerabilities associated with them, be blocked both inbound and outbound
at edge networks to prevent their remote exploitation.
Detection
=========
Using IOS with NetFlow Enabled to Detect Infected Hosts
NetFlow can be a powerful tool to help identify infected hosts. NetFlow must
be enabled on an interface with the command "ip route-cache flow".
Router>show ip cache flow | i 0087
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.119 06 0B88 0087 1
Fa2/0 XX.XX.XX.242 Fa1/0 XX.XX.XX.169 06 0BF8 0087 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.63 06 0E80 0087 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.111 06 0CB0 0087 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.95 06 0CA0 0087 1
Fa2/0 XX.XX.XX.204 Fa1/0 XX.XX.XX.79 06 0C90 0087 1
Using CatOS with Sup2 and MLS to Detect Infected Hosts
CSIDS Signature
If a Cisco Secure Intrusion Detection System is in use, a signature update
file is available here:
http://www.cisco.com/public/sw-center/ciscosecure/ids/crypto/
To reduce false positives on S49, signature 3327 should be set to only
inspect port 135, and not 139 or 445.
Alternatively, a custom signature string can be added to address this worm.
Brief instructions are included here:
Engine STRING.UDP
SigName MS Blast Worm TFTP Request
ServicePorts 69
RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00
Direction ToService
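As an added illustration (not part of the Cisco notice), the custom STRING.UDP signature above can be exercised offline: the RegexString anchors on the TFTP read-request opcode (0x0001) followed by the filename, which is why it fires only on a client pulling msblast.exe toward port 69 and not on a write request, a different filename, or the same bytes on another port. The sample payloads are constructed here, and the IP-phone config filename is only an assumed example of benign TFTP traffic.

```python
import re
import struct

# The notice's custom CSIDS STRING.UDP RegexString as a Python bytes pattern. A TFTP
# request (RFC 1350) starts with a 2-byte opcode, 0x0001 for a read request (RRQ),
# followed by the NUL-terminated filename, so this pins an RRQ for msblast.exe.
MSBLAST_RRQ = re.compile(rb"\x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00")

def tftp_request(opcode, filename, mode=b"octet"):
    """Build a TFTP RRQ (opcode 1) or WRQ (opcode 2): opcode, filename, 0, mode, 0."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"

def matches_signature(udp_payload, dst_port):
    """Emulate the signature: ServicePorts 69, Direction ToService, then the regex."""
    return dst_port == 69 and MSBLAST_RRQ.search(udp_payload) is not None

# Constructed traffic, not captures from the notice: (UDP payload, destination port).
SAMPLES = {
    "victim pulls msblast.exe":     (tftp_request(1, b"msblast.exe"), 69),
    "same, upper case, netascii":   (tftp_request(1, b"MSBLAST.EXE", b"netascii"), 69),
    "IP phone fetching its config": (tftp_request(1, b"SEPDEFAULT.cnf"), 69),
    "write request, not a read":    (tftp_request(2, b"msblast.exe"), 69),
    "same payload, non-TFTP port":  (tftp_request(1, b"msblast.exe"), 6969),
}

def classify(samples=SAMPLES):
    """Map each sample name to whether the signature would fire on it."""
    return {name: matches_signature(payload, port) for name, (payload, port) in samples.items()}

if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{'ALERT' if fired else '  ok '}  {name}")
```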
Symptoms
========
For symptoms on an infected Microsoft host, please see the Microsoft
bulletin at
http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
Overall network symptoms may manifest as increased load on firewalls,
routers and switches due to increased traffic. You may see instability in
networks due to increased load. The traffic load generated by this worm is
high, but appears to have stabilized after the first 24 hours of infection.
Unexplained network failures may be due to filtering or blocking legitimate
services with filters which are too generic -- if devices such as routers or
IP phones appear to not boot, please check that they still have access to a
TFTP server. These devices are not vulnerable to the W32.Blaster worm, but
may depend on open TFTP functionality when they boot to load software or
configuration files.
Affected Products
=================
To determine if a product is vulnerable, review the list below. If the
software versions or configuration information are provided, then only those
combinations are vulnerable. This is a list of appliance software which
needs patches downloaded from Cisco.
* Cisco CallManager
* Cisco Building Broadband Service Manager (BBSM)
+ BBSM Version 5.1
+ BBSM Version 5.2
+ HotSpot 1.0
* Cisco Customer Response Application Server (CRA)
* Cisco Personal Assistant
* Cisco Conference Connection (CCC)
* Cisco Emergency Responder
Other Cisco products which run on a Microsoft based operating system should
strongly consider loading the patch from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
This list is not all inclusive, please refer to Microsoft's bulletin if you
think you have an affected Microsoft platform.
* Cisco Unity
* Cisco uOne Enterprise Edition
* Cisco Network Registrar (CNR)
* Cisco Internet Service Node (ISN)
* Cisco Intelligent Contact Manager (ICM) (Hosted and Enterprise)
* Cisco IP Contact Center (IPCC) (Express and Enterprise)
* Cisco E-mail Manager (CEM)
* Cisco Collaboration Server (CCS)
* Cisco Dynamic Content Adapter (DCA)
* Cisco Media Blender (CMB)
* TrailHead (Part of the Web Gateway solution)
* Cisco Networking Services for Active Directory (CNS/AD)
* Cisco SN 5400 Series Storage Routers (driver to interface to Windows
server)
* CiscoWorks
+ CiscoWorks VPN/Security Management Solution (CWVMS)
+ User Registration Tool
+ Lan Management Solution
+ Routed WAN Management
+ Service Management
+ VPN/Security Management Solution
+ IP Telephony Environment Monitor
+ Wireless Lan Solution Engine
+ Small Network Management Solution
+ QoS Policy Manager
+ Voice Manager
* Cisco Transport Manager (CTM)
* Cisco Broadband Troubleshooter (CBT)
* DOCSIS CPE Configurator
* Cisco Secure Applications
+ Cisco Secure Scanner
+ Cisco Secure Policy Manager (CSPM)
+ Access Control Server (ACS)
Software Versions and Fixes
===========================
Cisco CallManager, Cisco Customer Response Server, Cisco Personal Assistant,
Cisco Conference Connection, Cisco Emergency Responder
If the operating system version is Win2000 2.4, customers should download
and install one of the following options:
* Latest service pack: win-OS-Upgrade-k9.2000-2-4sr5.exe
* Hotfix specifically for this issue: win-K9-MS03-026.exe
Both are available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des.
Cisco Building Broadband Service Manager
Software is now available on Cisco's website to patch BBSM 5.1, 5.2, and
HotSpot 1.0.
* Cisco BBSM 5.2 - Download RPCBufferOverrun.exe from
http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsm52
* Cisco BBSM 5.1 - Download RPCBufferOverrun.exe from
http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsm51
* Cisco BBSM HotSpot 1.0 - Download RPCBufferOverrun.exe from
http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsmhs10
Instructions for installing service patches on BBSM can be found here:
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_05.htm#50416
Other Windows-based Cisco Products
Customers should download the Security Patch directly from Microsoft and
follow the directions for installation:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Obtaining Fixed Software
========================
Where Cisco provides the operating system bundled with the product, Cisco is
offering free software patches to address these vulnerabilities for all
affected customers. Customers may only install and expect support for the
feature sets they have purchased.
Customers with service contracts should contact their regular update
channels to obtain any software patch containing the feature sets they have
purchased. For most customers with service contracts, this means that
patches should be obtained through the Software Center on Cisco's Worldwide
Web site at
http://www.cisco.com/tacpage/sw-center/.
Customers whose Cisco products are provided or maintained through a prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
patch(es).
Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors but
are unsuccessful at obtaining fixed software through their point of sale,
should obtain fixed software by contacting the Cisco Technical Assistance
Center (TAC) using the contact information listed below. In these cases,
customers are entitled to obtain a patch to a later version of the same
release or as indicated by the applicable row in the Software Versions and
Fixes table (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Workarounds
===========
This section is focused on mitigation techniques for the W32.Blaster worm
using existing Cisco products in your network. These techniques should be
applied both inbound and outbound at the edge of network segments if it is
determined they will not affect existing network functionality. Affected
systems will still be infected and able to spread within contained sections
of the network, therefore it is recommended that all affected servers be
patched according to Microsoft's recommendations.
Although each of these examples shows how to block all affected ports, it may
not be necessary to block all of them. If you have no infected hosts within
your network, it may be acceptable to block only port 135 at your network
edge; this would prevent infection from outside your network without
impeding existing TFTP and Kerberos services. Using NetFlow to identify
normal traffic flow on your network will help you apply these mitigation
techniques with the least impact.
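The following script is an added example, not part of the Cisco notice, that ties the Detection section's "show ip cache flow" output to the caution above: it parses the listing, flags sources that spray short tcp/135 flows at many distinct destinations (the fan-out pattern shown in the notice), and then sorts udp/69 flows into payload pulls from a flagged host versus the ordinary TFTP that a blanket "deny udp any any eq 69" would also cut. The listing below is constructed in the notice's output format with made-up addresses; the fan-out threshold of five targets is an assumed tuning value.

```python
import re
from collections import defaultdict

# One data line of "show ip cache flow": SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts,
# with protocol and ports printed in hex (06 = TCP, 11 = UDP, 0087 = 135, 0045 = 69).
FLOW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{2})\s+"
    r"([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Return the flow records found in a pasted 'show ip cache flow' listing."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:  # prompt, column header, blank lines
            continue
        _, src, _, dst, proto, sport, dport, pkts = m.groups()
        flows.append({"src": src, "dst": dst, "proto": int(proto, 16),
                      "sport": int(sport, 16), "dport": int(dport, 16),
                      "pkts": int(pkts)})
    return flows

def suspect_hosts(flows, min_targets=5):
    """Sources spraying short tcp/135 flows at many distinct destinations: a real
    RPC session is one peer with many packets, the worm's scan is the reverse."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["dport"] == 135 and f["pkts"] <= 3:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def tftp_triage(flows, suspects):
    """Split udp/69 flows into payload pulls (destination is a flagged host) and
    the rest, which is the TFTP that 'deny udp any any eq 69' would also break."""
    pulls, other = [], []
    for f in flows:
        if f["proto"] == 17 and f["dport"] == 69:
            (pulls if f["dst"] in suspects else other).append((f["src"], f["dst"]))
    return pulls, other

# Constructed sample in the notice's output format (addresses are made up).
SAMPLE = """\
Router>show ip cache flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa2/0 10.1.2.242 Fa1/0 10.1.3.119 06 0B88 0087 1
Fa2/0 10.1.2.242 Fa1/0 10.1.3.169 06 0BF8 0087 1
Fa2/0 10.1.2.242 Fa1/0 10.1.3.63 06 0C08 0087 1
Fa2/0 10.1.2.242 Fa1/0 10.1.3.111 06 0C18 0087 1
Fa2/0 10.1.2.242 Fa1/0 10.1.3.95 06 0C28 0087 1
Fa2/0 10.1.2.204 Fa1/0 10.1.3.63 06 0E80 0087 1
Fa2/0 10.1.2.204 Fa1/0 10.1.3.111 06 0CB0 0087 1
Fa2/0 10.1.2.204 Fa1/0 10.1.3.95 06 0CA0 0087 1
Fa2/0 10.1.2.204 Fa1/0 10.1.3.79 06 0C90 0087 1
Fa2/0 10.1.2.204 Fa1/0 10.1.3.201 06 0CD0 0087 1
Fa2/0 10.1.2.10 Fa1/0 10.1.3.20 06 0C00 0087 42
Fa2/0 10.1.3.63 Fa1/0 10.1.2.242 11 0400 0045 3
Fa2/0 10.1.5.77 Fa1/0 10.1.9.9 11 C0DE 0045 8
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    suspects = suspect_hosts(flows)
    pulls, other = tftp_triage(flows, suspects)
    print("likely infected (distinct tcp/135 targets):", suspects)
    print("victims pulling the payload from a flagged host:", pulls)
    print("TFTP a blanket udp/69 deny would also cut:", other)
```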
General information regarding strategies for protecting against Distributed
Denial of Service attacks may be found at
http://www.cisco.com/warp/public/707/newsflash.html.
Caution: As with any configuration change in a network, evaluate the impact
of this configuration prior to applying the change.
ACL for IOS
This workaround applies to most router platforms unless a platform is
mentioned specifically below.
Note: If you are trying to track source addresses, use Sampled NetFlow
rather than "log" statements in ACLs, as the high traffic volume combined
with the log statement can overwhelm the router.
! --- block TFTP
access-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! --- block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444
! --- Allow all other traffic -- insert
! --- other existing access-list entries here
access-list 115 permit ip any any
interface <interface>
ip access-group 115 in
ip access-group 115 out
The worm will attempt to send packets to random IP addresses, some of which
may not exist. When that occurs, the router will reply with an "ICMP
unreachable" packet. In some cases, replying to a large number of requests
with invalid IP addresses may result in degradation of the router's
performance. To prevent that from occurring, use the following command:
Router(config)# interface <interface>
Router(config-if)# no ip unreachables
Caution: Common network configurations, such as certain types of tunnel
structures, require the use of "ip unreachables". If the router must be able
to send "ICMP unreachable" packets, you can rate limit the number of replies
using the following command:
Router(config)# ip icmp rate-limit unreachable <millisecond>
Beginning with Cisco IOS Software Release 12.0, the default rate limit is
two packets per second (one every 500 ms); a value of 2000 ms is commonly used.
Cisco 12000
Receive ACL Feature - On a Cisco 12000 (GSR) series router, packets destined
to the router's IP addresses are "punted" to the gigabit route processor
(GRP) for processing. To protect the GRP, receive ACLs (rACLs) can be
applied. rACLs filter traffic destined to the GRP: only traffic explicitly
permitted is processed by the GRP, and denied traffic is dropped. In general,
rACLs do not affect transit traffic (traffic flowing through a router), only
traffic destined to the router itself.
rACLs are an extremely effective countermeasure for mitigating the effects
of excessive attack traffic destined to the GRP. For more information, please
refer to: GSR: Receive Access Control Lists.
VACL on the 6500
Cisco recommends the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3
and on Hybrid and Native configurations of the Cisco Catalyst 6500; however,
a VACL configuration example is provided for your convenience. Additionally,
the use of "no ip unreachables" is recommended.
Caution: As when making any configuration change, use caution when using
VACLs in conjunction with IOS ACLs. Be aware that VACLs apply to all traffic
within the VLAN, regardless of direction.
To configure:
! --- block TFTP
set security acl ip BLASTER deny udp any any eq 69
! --- block vulnerable MS protocols
! --- Blaster related
set security acl ip BLASTER deny tcp any any eq 135
set security acl ip BLASTER deny udp any any eq 135
! --- Non-blaster related
set security acl ip BLASTER deny tcp any any eq 137
set security acl ip BLASTER deny udp any any eq 137
set security acl ip BLASTER deny tcp any any eq 138
set security acl ip BLASTER deny udp any any eq 138
set security acl ip BLASTER deny tcp any any eq 139
set security acl ip BLASTER deny udp any any eq 139
set security acl ip BLASTER deny tcp any any eq 593
! --- block remote access due to W32.Blaster
set security acl ip BLASTER deny tcp any any eq 4444
! --- Allow all other traffic
! --- insert other existing access-list entries here
set security acl ip BLASTER permit any any
! --- applies both inbound and outbound
commit security acl BLASTER
set security acl map BLASTER <vlans>
To verify:
show security acl info all
To remove:
clear security acl BLASTER
commit security acl BLASTER
Catalyst 3550
Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3
interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3
EtherChannel interfaces, in the inbound and/or outbound direction.
Ensure "no ip unreachables" is configured on the interface.
Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is
not also applied to the input of a Layer 3 interface (an error message is
generated upon attempts to do so). For Layer 2 interfaces the IOS ACL is
supported on the physical interfaces only and not on EtherChannel
interfaces. It can be applied on the inbound direction only.
Catalyst 2950
Apply the IOS ACL to the interface. Note that ACLs are only supported in
the inbound direction. To apply ACLs to physical interfaces, the enhanced
software image (EI) must be installed.
Catalyst 2900XL and 3500XL
These are Layer 2 switches with no Layer 3 access list support.
PIX
The default behavior of the PIX is to block traffic from lower security
level interfaces (OUTSIDE) to higher security level interfaces (INSIDE)
unless the affected ports and protocols have been explicitly permitted by an
access-list or conduit.
In addition, Cisco recommends blocking traffic from higher security level
interfaces (INSIDE) to lower security level interfaces (OUTSIDE).
Customers should deny outbound attempts to these ports:
access-list acl_inside deny udp any any eq 69
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq 137
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq 138
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
! --- insert previously configured acl statements here,
! --- or permit all other traffic out
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
The corresponding outbound lists may be applied; however, ACLs are strongly
recommended in lieu of outbound lists.
Exploitation and Public Announcements
=====================================
This issue is being exploited actively and has been discussed in numerous
public announcements and messages. References include:
* http://www.eeye.com/html/Research/Advisories/AL20030811.html
* http://www.cert.org/advisories/CA-2003-20.html
Status of This Notice: INTERIM
==============================
This is a DRAFT notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco anticipates issuing updated versions of this notice when
there is material change in the facts.
Distribution
============
This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
Future updates of this notice, if any, will be placed on Cisco's worldwide
web. Users concerned about this problem are encouraged to check the URL
given above for any updates.
Revision History
================
+--------------+----------------+------------------------+
| Revision 1.0 | 14-August-2003 | Initial Public Release |
+--------------+----------------+------------------------+
Cisco Security Procedures
=========================
If you have any new information that would be of use to us, please send
email to psirt@cisco.com.
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
All Cisco Security Advisories are available at
http://www.cisco.com/go/psirt/.
----------------------------------------------------------------------------
Related Information
===================
* Technical Support - Cisco Systems
http://www.cisco.com/en/US/customer/support/index.html
----------------------------------------------------------------------------
All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights
reserved.
--
This is the UiXP techies list.
The list archives can be found at http://uixp.co.ug/archives.