access control list
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:
* Two denial of service (DoS) vulnerabilities
* Three privilege escalation vulnerabilities
* Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
Additional information on the configuration and use of the CoPP
feature is available at the following links:
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
Access Control List (ACL)
+------------------------
An Access Control List (ACL) can be used to help mitigate attacks
that target this vulnerability. ACLs can specify that only packets
from legitimate sources are permitted to reach a device, and all
Local exploitation of an insecure permission vulnerability in multiple
Check Point Zone Labs products allows attackers to escalate privileges
or disable protection.
The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs any of the Zone Labs ZoneAlarm tools, the
default ACL allows any user to modify the installed files. Some of the
programs run as system services. This allows a user to simply replace
an installed ZoneAlarm file with their own code that will later be
executed with system-level privileges.
tries to locate the icabar.exe file in the directories listed in its
PATH environment variable. If the attacker is able to write to any of
the directories listed in its PATH before the Citrix Metaframe PATH
entry, the attacker can escalate privileges.
The standard file ACL (Access Control List) of the Windows NT and 2000
operating systems is weak and allows any user to create files in the
SystemDrive (in general c:\) and in many directories listed in its
PATH, which allows an attacker to create a fake icabar.exe and
consequently escalate privileges.
found in Microsoft Security Bulletin MS11-006.
V. WORKAROUND
Microsoft has included an automated Microsoft Fix it solution for the
"Modify the Access Control List (ACL) on shimgvw.dll" workaround, which
can be found at the following link:
http://support.microsoft.com/kb/2483185
VI. VENDOR RESPONSE
Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches
Access Control List Bypass Vulnerability
Advisory ID: cisco-sa-20110907-nexus
Revision 1.0
Router(config-sip-ua)#no transport tcp
If IPv4 UDP-based Services Are Required
+---------------------------------------
By deploying IPv6 Access Control List (ACL) it is possible to prevent
offending IPv6 packets reaching vulnerable UDP services. The ACL in
the following example will block all IPv6 traffic from reaching
vulnerable services.
Router(config)#ipv6 access-list protect_IPv4_services
* Policy-based routing is in use, and to make a routing decision,
an incoming packet needs to be parsed. If the packet is a
malformed TCP segment and the routing policy uses TCP information
for routing decisions, then this bug could be triggered.
* An egress Access Control List (ACL) is applied to an interface
and a malformed IP packet that needs to be forwarded through that
interface is received.
Note: This list is not exhaustive. It contains some of the scenarios
that have been confirmed to trigger the vulnerability described in this
Workarounds
===========
The workaround consists of adding an Access Control List (ACL) to
every Cisco IOS IPS policy configured on the device so that traffic
destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS
IPS feature. The following ACL would need to be added to the device
configuration:
Cisco Security Advisory: Cisco IOS Software Object-group Access
Control List Bypass Vulnerability
Advisory ID: cisco-sa-20090923-acl
Revision 1.0
control restrictions that only permit authorized devices SNMP access
to the device.
The following configuration example provides operators with
information on changing the community string and adding SNMP access
control restrictions using an access control list (ACL).
access-list 90 permit host <RF-Switch-IP-1>
access-list 90 permit host <RF-Switch-IP-2>
access-list 90 permit host <up-converter-IP-if-exists>
access-list 90 deny any
The following workarounds have been identified for these
vulnerabilities.
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
General Considerations
+---------------------
Filters that deny SMB protocol packets using TCP ports 139 and 445
should be deployed as part of a transit access control list (tACL)
policy for protection from traffic that enters the network at ingress
access points. This policy should be configured to protect the network
device where the filter is applied and other devices behind it. Filters
for SMB protocol packets using TCP ports 139 and 445 should also be
deployed in front of vulnerable hosts so that traffic is allowed only
value used. The value of the port can be viewed in CUCM
Administration interface by following the System > Service Parameters
menu and selecting the CTL Provider service.
Filters blocking access to TCP port 2444 should be deployed at the
network edge as part of a transit access control list (tACL). Further
information about transit access control lists is available in the
white paper "Transit Access Control Lists: Filtering at Your Edge,"
which is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
There is currently no method to configure filtering directly on IP
Gateway encoders and decoders or Services Platform devices.
Filters blocking access to TCP port 23 should be deployed at the network
edge as part of a transit access list, which will protect the router
where the access control list (ACL) is configured and also other devices
behind it. Further information about transit access control lists is
available in the white paper "Transit Access Control Lists: Filtering at
Your Edge," which is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.
A third vulnerability may cause access control list (ACL) entries to not
be evaluated after the access list has been manipulated.
Note: These vulnerabilities are independent of each other; a device may
be affected by one and not by the others.