Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Applied Mitigation Bulletin

Cisco Applied Mitigation Bulletin: Identifying and Mitigating the W32 Duqu Trojan Vulnerability

 
Threat Type:Malicious Code: Trojan Horse
IntelliShield ID:24455
Version:1
First Published:2011 October 25 17:43 GMT
Last Published:2011 October 25 17:43 GMT
Port: 139, 443, 445, 80
Urgency:Possible use
Credibility:Confirmed
Severity:Mild Damage
 
Version Summary:

This is the initial version of the Cisco Applied Mitigation Bulletin to address the?W32 Duqu Trojan?vulnerability.

 

Contents

Introduction
Device-Specific Mitigation and Identification
Additional Information
Cisco Security Procedures
Related Information

Introduction

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. The trojan communicates with its command and control center over HTTP and HTTPS protocols. Server Message Block (SMB) command and control channel functionality has also been implemented that could also be used for communications.

This document includes a vulnerability that can be effectively identified and/or mitigated using Cisco network devices.

Vulnerability Characteristics

Details of this vulnerability are described in IntelliShield Alert 24425.

Mitigation Technique Overview

Cisco IOS Software can provide effective means of exploit prevention using transit access control lists (tACLs).

Effective means of exploit prevention can also be provided by the Cisco ASA 5500 Series Adaptive Security Appliance and the Cisco Catalyst 6500 Series Firewall Services Module (FWSM).

  • Transit access control lists (tACLs)
  • Application layer protocol inspection

These protection mechanisms filter and drop packets that are attempting to exploit this vulnerability.

Cisco IOS NetFlow can provide visibility into network-based exploitation attempts using flow records.

Cisco IOS Software, Cisco ASA, and Catalyst 6500 Series FWSM firewalls can provide visibility through syslog messages and the counter values displayed in the output from show commands.

This vulnerability is mitigated most successfully at the endpoint through software updates, user education, desktop administration best practices, and endpoint protection software/ Host Intrusion Prevention System (HIPS) such as Cisco Security Agent or antivirus products.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Cisco IOS Routers and Switches

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against these vulnerabilities that have a network attack vector when the attack comes from a trusted source address.

The tACL policy denies unauthorized HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic.

Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge.

!-- Include any explicit permit statements for trusted 
!-- sources that require access on the vulnerable command and control
!-- channels using HTTP, HTTPS, and SMB services 
!-- on affected devices using TCP ports 80, 443, 139, and 445
!
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 80
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 443
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 139
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 445
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks against
!-- using the command and control channels for ingress traffic attempting 
!-- to establish HTTP, HTTPS, and SMB sessions
!-- with affected devices.
!
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 80
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 443
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 139
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 445
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!

access-list 150 deny ip any any
!
!-- Apply tACL to interfaces in the ingress direction
interface GigabitEthernet0/0
 ip access-group 150 in
!

Note that filtering with an interface access list will elicit the transmission of ICMP unreachable messages back to the source of the filtered traffic. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, ICMP unreachable generation is limited to one packet every 500 milliseconds by default. ICMP unreachable message generation can be disabled using the interface configuration command no ip unreachables. ICMP unreachable rate limiting can be changed from the default using the global configuration command ip icmp rate-limit unreachable interval-in-ms.

Identification: Transit Access Control Lists

After the administrator applies the tACL to an interface, the show ip access-lists command will identify the number of HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities. Example output for show ip access-lists 150 follows:

router#show ip access-lists 150
Extended IP access list 150
    10 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq www
    20 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 443
    30 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 139
    40 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 445
    50 deny tcp any 192.168.60.0 0.0.0.255 eq www (44 matches)
    60 deny tcp any 192.168.60.0 0.0.0.255 eq 443 (61 matches)
    70 deny tcp any 192.168.60.0 0.0.0.255 eq 139 (22 matches)
    80 deny tcp any 192.168.60.0 0.0.0.255 eq 445 (37 matches)
    90 deny ip any any
router#

In the preceding example, access list 150 has dropped the following packets received from an untrusted host or network:

  • 44 HTTP packets on TCP port 80 for ACE sequence identifier 50
  • 61 HTTPS packets on TCP port 443 for ACE sequence identifier 60
  • 22 SMB packets on TCP port 139 for ACE sequence identifier 70
  • 37 SMB packets on TCP port 445 for ACE sequence identifier 80

For additional information about investigating incidents using ACE counters and syslog events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.

Administrators can use Embedded Event Manager to provide instrumentation when specific conditions are met, such as ACE counter hits. The Applied Intelligence white paper Embedded Event Manager in a Security Context provides additional details about how to use this feature.

Identification: Access List Logging

The log and log-input access control list (ACL) option will cause packets that match specific ACEs to be logged. The log-input option enables logging of the ingress interface in addition to the packet source and destination IP addresses and ports.

Caution: Access control list logging can be very CPU intensive and must be used with extreme caution. Factors that drive the CPU impact of ACL logging are log generation, log transmission, and process switching to forward packets that match log-enabled ACEs.

For Cisco IOS Software, the ip access-list logging interval interval-in-ms command can limit the effects of process switching induced by ACL logging. The logging rate-limit rate-per-second [except loglevel] command limits the impact of log generation and transmission.

The CPU impact from ACL logging can be addressed in hardware on the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers with Supervisor Engine 720 or Supervisor Engine 32 using optimized ACL logging.

For additional information about the configuration and use of ACL logging, reference the Understanding Access Control List Logging Applied Intelligence white paper.

Cisco IOS NetFlow

Identification: Traffic Flow Identification Using NetFlow Records

Administrators can configure Cisco IOS NetFlow on Cisco IOS routers and switches to aid in the identification of traffic flows that may be attempts to exploit the vulnerabilities described in this document that have a network attack vector. Administrators are advised to investigate flows to determine whether they are attempts to exploit the vulnerabilities or whether they are legitimate traffic flows.

router#show ip cache flow

IP packet size distribution (90784136 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .698 .011 .001 .004 .005 .000 .004 .000 .000 .003 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .256 .000 .010 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1885 active, 63651 inactive, 59960004 added
  129803821 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11393421      2.8         1    48      3.1       0.0       1.4
TCP-FTP            236      0.0        12    66      0.0       1.8       4.8
TCP-FTPD            21      0.0     13726  1294      0.0      18.4       4.1
TCP-WWW          22282      0.0        21  1020      0.1       4.1       7.3
TCP-X              719      0.0         1    40      0.0       0.0       1.3
TCP-BGP              1      0.0         1    40      0.0       0.0      15.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     47861004     11.8         1   211     18.9       0.0       1.3
UDP-DNS            582      0.0         4    73      0.0       3.4      15.4
UDP-NTP         287252      0.0         1    76      0.0       0.0      15.5
UDP-other       310347      0.0         2   230      0.1       0.6      15.9
ICMP             11674      0.0         3    61      0.0      19.8      15.5
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                  4      0.0         1    48      0.0       0.0      15.3 
Total:        59957957     14.8         1   196     22.5       0.0       1.5

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201  Gi0/1         192.168.60.102  06 0984 008B    17
Gi0/0         192.168.11.54   Gi0/1         192.168.60.158  06 0911 01BD    33
Gi0/0         192.168.11.57   Gi0/1         192.168.60.150  06 0911 0050    71
Gi0/0         192.168.13.41   Gi0/1         192.168.60.127  06 0911 01BB    11
Gi0/1         192.168.150.60  Gi0/0         10.89.16.226    06 0016 12CA     1
Gi0/0         192.168.13.97   Gi0/1         192.168.60.28   06 0B3E 01BD    55
Gi0/0         192.168.10.17   Gi0/1         192.168.60.97   06 0B89 01BD    41
Gi0/0         10.88.226.1     Gi0/1         192.168.202.22  11 007B 007B     1
Gi0/0         192.168.12.185  Gi0/1         192.168.60.239  06 0BD7 008B    19
Gi0/0         10.89.16.226    Gi0/1         192.168.150.60  06 12CA 0016     1
router#

In the preceding example, there are multiple flows for HTTP and HTTPS packets on TCP ports 80 (hex value 0050) and 443 (hex value 01BB) respectively, and SMB packets on TCP port 139 (hex value 008B) and TCP port 445 (hex value 01BD).

This traffic is sourced from and sent to addresses within the 192.168.60.0/24 address block, which is used by affected devices. The packets in these flows may indicate an attempt to exploit this vulnerability. Administrators are advised to compare these flows to baseline utilization for HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 and also investigate the flows to determine whether they are sourced from or sent to untrusted hosts or networks.

To view only the traffic flows for HTTP and HTTPS packets on TCP ports 80 (hex value 0050) and 443 (hex value 01BB) respectively, and SMB packets on TCP port 139 (hex value 008B) and TCP port 445 (hex value 01BD), the command show ip cache flow | include SrcIf|_06_.*(0050|01BB|008B|01BD)_ will display the related NetFlow records as shown here:

router#show ip cache flow | include SrcIf|_06_.*(008B|01BD)_
SrcIf         SrcIPaddress     DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201   Gi0/1         192.168.60.102  06 0984 008B    17
Gi0/0         192.168.11.54    Gi0/1         192.168.60.158  06 0911 01BD    33
Gi0/0         192.168.11.57    Gi0/1         192.168.60.150  06 0911 0050    71
Gi0/0         192.168.13.41    Gi0/1         192.168.60.127  06 0911 01BB    11
Gi0/0         192.168.13.97    Gi0/1         192.168.60.28   06 0B3E 01BD    55
Gi0/0         192.168.10.17    Gi0/1         192.168.60.97   06 0B89 01BD    41
Gi0/0         192.168.12.185   Gi0/1         192.168.60.239  06 0BD7 008B    19
router#

Cisco ASA and FWSM Firewalls

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy tACLs to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against the vulnerabilities that have a network attack vector when the attack comes from a trusted source address.

The tACL policy denies unauthorized HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic.

Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge.

Ingress Transit ACL Policy

!
!-- Include any explicit permit statements for trusted 
!-- sources that require access on the vulnerable command and control
!-- (c&c) channels using HTTP, HTTPS, and SMB services 
!-- on affected devices using TCP ports 80, 443, 139, and 445
!
access-list tACL-Policy-Ingress extended permit tcp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 80
access-list tACL-Policy-Ingress extended permit tcp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 443
access-list tACL-Policy-Ingress extended permit tcp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 139
access-list tACL-Policy-Ingress extended permit tcp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 445
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks against
!-- using the c&c channels for ingress traffic attempting 
!-- to establish HTTP, HTTPS, and SMB sessions
!-- with affected devices.
!

access-list tACL-Policy-Ingress extended deny tcp any 192.168.60.0
  255.255.255.0 eq 80
access-list tACL-Policy-Ingress extended deny tcp any 192.168.60.0
  255.255.255.0 eq 443
access-list tACL-Policy-Ingress extended deny tcp any 192.168.60.0
  255.255.255.0 eq 139
access-list tACL-Policy-Ingress extended deny tcp any 192.168.60.0
  255.255.255.0 eq 445
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list tACL-Policy-Ingress extended deny ip any any
!
!-- Apply tACL to interface(s) in the ingress direction
!
access-group tACL-Policy-Ingress in interface outside
!

Egress Transit ACL Policy

Note: The W32 Duqu vulnerability is known to host Command and Control (C&C) on 206.183.111.9, therefore, an egress ACL configuration will filter and drop packets of any inside hosts attempting to connect to the C&C channel at this respective address.

!
!-- Include any explicit permit statements for trusted 
!-- destinations that require access on the vulnerable ports
!-- used by c&c channels 
!
access-list tACL-Policy-Egress extended permit tcp 192.168.60.0 255.255.255.0
  host 192.168.100.1 eq 80
access-list tACL-Policy-Egress extended permit tcp 192.168.60.0 255.255.255.0
  host 192.168.100.1 eq 443
access-list tACL-Policy-Egress extended permit tcp 192.168.60.0 255.255.255.0
  host 192.168.100.1 eq 139
access-list tACL-Policy-Egress extended permit tcp 192.168.60.0 255.255.255.0
  host 192.168.100.1 eq 445
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks against
!-- using the command and control channels for egress traffic attempting 
!-- to establish HTTP, HTTPS, and SMB sessions
!
access-list tACL-Policy-Egress extended deny tcp 192.168.60.0
  255.255.255.0 any eq 80
access-list tACL-Policy-Egress extended deny tcp 192.168.60.0
  255.255.255.0 any eq 443
access-list tACL-Policy-Egress extended deny tcp 192.168.60.0
  255.255.255.0 any eq 139
access-list tACL-Policy-Egress extended deny tcp 192.168.60.0
  255.255.255.0 any eq 445
!
!-- Include any explicit deny statements for trusted 
!-- sources that attempt access vulnerable c&c channels 
!
access-list tACL-Policy-Egress extended deny tcp 192.168.60.0 255.255.255.0 
  host 206.183.111.9
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list tACL-Policy-Egress extended deny ip any any
!
!-- Apply tACL to inside interface(s) in the ingress direction
!
access-group tACL-Policy-Ingress in interface inside
!

Identification: Transit Access Control Lists

After the tACL has been applied to an interface, administrators can use the show access-list command to identify the number of HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities.

Example output for show access-list tACL-Policy-Ingress follows:

firewall#show access-list tACL-Policy-Ingress
access-list tACL-Policy-Ingress; 9 elements
access-list tACL-Policy-Ingress line 1 extended permit tcp host
  192.168.100.1 192.168.60.0 255.255.255.0 eq www (hitcnt=51)
access-list tACL-Policy-Ingress line 2 extended permit tcp host
  192.168.100.1 192.168.60.0 255.255.255.0 eq https (hitcnt=22)
access-list tACL-Policy-Ingress line 3 extended permit tcp host
  192.168.100.1 192.168.60.0 255.255.255.0 eq netbios-ssn (hitcnt=11)
access-list tACL-Policy-Ingress line 4 extended permit tcp host
  192.168.100.1 192.168.60.0 255.255.255.0 eq 445 (hitcnt=14)
access-list tACL-Policy-Ingress line 5 extended deny tcp any
  192.168.60.0 255.255.255.0 eq www (hitcnt=71)
access-list tACL-Policy-Ingress line 6 extended deny tcp any
  192.168.60.0 255.255.255.0 eq https (hitcnt=96)
access-list tACL-Policy-Ingress line 7 extended deny tcp any
  192.168.60.0 255.255.255.0 eq netbios-ssn (hitcnt=21)
access-list tACL-Policy-Ingress line 8 extended deny tcp any
  192.168.60.0 255.255.255.0 eq 445 (hitcnt=11)
access-list tACL-Policy-Ingress line 9 extended deny ip any any (hitcnt=128)
firewall#

In the preceding example, access list tACL-Policy-Ingress has dropped the following packets received from an untrusted host or network:

  • 71 HTTP packets on TCP port 80 (www) for ACE sequence identifier 5
  • 96 HTTPS packets on TCP port 443 (https) for ACE sequence identifier 6
  • 21 SMB packets on TCP port 139 (netbios-ssn) for ACE sequence identifier 7
  • 11 SMB packets on TCP port 445 for ACE sequence identifier 8

Example output for show access-list tACL-Policy-Egress follows:

firewall#show access-list tACL-Policy-Egress
access-list tACL-Policy-Egress; 10 elements
access-list tACL-Policy-Egress line 1 extended permit tcp 192.168.60.0 
  255.255.255.0 host 192.168.100.1 eq www (hitcnt=134)
access-list tACL-Policy-Egress line 2 extended permit tcp 192.168.60.0 
  255.255.255.0 host 192.168.100.1 eq https (hitcnt=23)
access-list tACL-Policy-Egress line 3 extended permit tcp 192.168.60.0 
  255.255.255.0 host 192.168.100.1 eq netbios-ssn (hitcnt=27)
access-list tACL-Policy-Egress line 4 extended permit tcp 192.168.60.0 
  255.255.255.0 host 192.168.100.1 eq 445 (hitcnt=134)
access-list tACL-Policy-Egress line 5 extended deny tcp 192.168.60.0 
  255.255.255.0 any eq www (hitcnt=12)
access-list tACL-Policy-Egress line 6 extended deny tcp 192.168.60.0 
  255.255.255.0 any eq https (hitcnt=45)

access-list tACL-Policy-Egress line 7 extended deny tcp 192.168.60.0 
  255.255.255.0 any eq netbios-ssn (hitcnt=6)
access-list tACL-Policy-Egress line 8 extended deny tcp 192.168.60.0 
  255.255.255.0 any eq 445 (hitcnt=16)
access-list tACL-Policy-Egress line 9 extended deny tcp 192.168.60.0 
  255.255.255.0 host 206.183.111.9 (hitcnt=18)
access-list tACL-Policy-Egress line 10 extended deny ip any any (hitcnt=112)
firewall#

In the preceding example, access list tACL-Policy-Egress has dropped the following packets received from an untrusted host or network:

  • 12 HTTP packets on TCP port 80 (www) for ACE sequence identifier 5
  • 45 HTTPS packets on TCP port 443 (https) for ACE sequence identifier 6
  • 6 SMB packets on TCP port 139 (netbios-ssn) for ACE sequence identifier 7
  • 16 SMB packets on TCP port 445 for ACE sequence identifier 8
  • 18 c&c destined packets on 206.183.111.9 for ACE sequence identifier 9

In addition, syslog message 106023 can provide valuable information, which includes the source and destination IP address, the source and destination port numbers, and the IP protocol for the denied packet.

Identification: Firewall Access List Syslog Messages

Firewall syslog message 106023 will be generated for packets denied by an access control entry (ACE) that does not have the log keyword present. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 106023.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is available in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is available in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerabilities described in this document that have a network attack vector. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is available in Creating a Regular Expression.

firewall#show logging | grep 106023
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.2.91/3785 dst
   inside:192.168.60.19/80 by access-group "tACL-Policy-Ingress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.3.211/4719 dst
   inside:192.168.60.43/139 by access-group "tACL-Policy-Ingress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.4.117/4419 dst
   inside:192.168.60.98/443 by access-group "tACL-Policy-Ingress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.3.175/4185 dst
   inside:192.168.60.150/445 by access-group "tACL-Policy-Ingress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.2.47/3981 dst
   inside:192.168.60.140/445 by access-group "tACL-Policy-Ingress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.2.200/3190 dst
   inside:192.168.60.215/139 by access-group "tACL-Policy-Egress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src inside:192.168.60.150/4187 dst
   outside:206.183.111.9 by access-group "tACL-Policy-Egress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src inside:192.168.60.140/3981 dst
   outside:192.0.2.175/445 by access-group "tACL-Policy-Egress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src inside:192.168.60.140/3981 dst
   outside:192.0.2.80/80 by access-group "tACL-Policy-Egress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src inside:192.168.60.140/3981 dst
   outside:192.0.2.210/443 by access-group "tACL-Policy-Egress"
Oct 24 2011 13:15:13: %ASA-4-106023: Deny tcp src outside:192.168.2.200/3190 dst
   inside:192.0.2.13/139 by access-group "tACL-Policy-Egress"
firewall#

In the preceding example, the messages logged for the tACL tACL-Policy-Ingress show HTTP and HTTPS packets using TCP port 80 and 443 respectively, and Server Message Block (SMB) packets using TCP port 139 or TCP port 445 sent to the address block assigned to the affected devices. In addition, messages are also logged for the tACL tACL-Policy-Egress show HTTP and HTTPS packets using TCP port 80 and443 respectively, Server Message Block(SMB) packets using TCP port 139 or TCP port 445, and c&c packets using address 206.183.111.9 possible malicious sources.

Additional information about syslog messages for ASA and PIX security appliances is available in Cisco Security Appliance System Log Messages. Additional information about syslog messages for the FWSM is available in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages.

For additional information about investigating incidents using Syslog Events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.

Mitigation: Application Layer Protocol Inspection

DNS Application Inspection


Using the DNS application inspection engine on the Cisco ASA 5500 Series Adaptive Security Appliances and the Firewall Services Modules, administrators can configure regular expressions (regexes) for pattern matching and construct inspect class maps and inspect policy maps. These methods can help protect against specific vulnerabilities such as the one described in this document. The DNS application inspection policy will drop connections for which the DNS message contains any of the regular expressions (regexes) that are configured to match the domains that are associated with this vulnerability.

Caution: This is a not a complete list of domains that host malicious files that are associated with this vulnerability. If DNS inspection is configured, the full list of domains that host malicious files must be configured.

Caution: Legitimate domains use these DNS services. Denying access to the top-level domain will deny access to legitimate domains. Administrators are advised to determine whether any of these domains are required for business applications.

The following Modular Policy Framework (MPF) policy inspects all DNS traffic and will apply the configured actions and parameters:

!
!-- Match domains of known malicious hosts leveraging 
!-- This is not a comprehensive list
!-- and additional domains may be added
!-- to ensure full protection
!
!-- Note: The following regex filters malicious domains 
!-- used in performing a DNS lookup and C&C respectively.
!-- Refer to the aforementioned IntelliShield alert (24425)for details. 
!
regex malicious-Duqu-1 [Kk][Aa][Ss][Pp][Ee][Rr][Ss][Kk][Yy][Cc][Hh][Kk]\.[Dd][Yy][Nn][Dd][Nn][Ss]\.[Oo][Rr][Gg]
regex malicious-Duqu-2 [Cc][Aa][Nn][Oo][Yy][Rr][Aa][Gg][Oo][Mm][Ee][Zz]\.[Rr][Aa][Pp][Ii][Dd][Nn][Ss]\.[Cc][Oo][Mm]
!
!-- Create a regex class map to match on the 
!-- regular expressions that are configured above 
!
class-map type regex match-any malicious-Domains
 match regex malicious-Duqu-1
 match regex malicious-Duqu-2
!
!-- Configure a DNS application inspection policy  
!-- that looks for and drops packets that contain 
!-- the regular expression for the kasperskychk.dyndns.org 
!-- domain
!
!-- The policy also includes the default parameter
!-- setting DNS message length to a maximum of 
!-- 512 bytes
!
policy-map type inspect dns malicious-Drop
 parameters
  message-length maximum 512
 match not header-flag QR
 match question
 match domain-name regex class malicious-Domains    
 drop log
!
!-- Replace the default DNS "inspect" statement with
!-- the above-configured policy that matches 
!-- DNS queries to the default policy "global_policy"
!-- and use it to inspect DNS traffic that transits 
!-- the firewall
! 
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map 
  inspect dns malicious-Drop
!
!-- By default, the policy "global_policy" is applied  
!-- globally, which results in the inspection of traffic  
!-- that enters the firewall from all interfaces 
!
service-policy global_policy global  

Additional information about DNS application inspection and the MPF is in the DNS Inspection section of the Cisco Security Appliance Command Line Configuration Guide.

Identification: Application Layer Protocol Inspection

Firewall syslog message 410003 will be generated when a DNS message matches a user-defined regular expression. The syslog message will identify the corresponding DNS class and indicate the action that is applied to the DNS message. Additional information about this syslog message is in Cisco Security Appliance System Log Message - 410003.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit this vulnerability. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

DNS Application Inspection

firewall# show logging | grep 410003
Oct 24 2011 20:27:43: %ASA-4-410003: DNS Classification:
Dropped DNS request (id 13650) from
inside:192.168.60.70/1027 to outside:192.0.2.56/53;
matched Class 27: match domain-name regex class malicious-Domains
Oct 24 2011 20:27:48: %ASA-4-410003: DNS Classification:
Dropped DNS request (id 13650) from
inside:192.168.60.70/1027 to outside:191.0.2.120/53;
matched Class 27: match domain-name regex class malicious-Domains

With DNS application inspection enabled, the show service-policy inspect protocol command will identify the number of DNS packets that are inspected and dropped by this feature. The following example shows output for show service-policy inspect dns:

firewall# show service-policy inspect dns

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns malicious-Drop, packet 239, drop 3, reset-drop 0
message-length maximum 512, drop 0
dns-guard, count 114
protocol-enforcement, drop 0
nat-rewrite, count 0
match not header-flag QR
match question
match domain-name regex class malicious-Domains
drop log, packet 3


In the preceding example, 239 DNS packets have been inspected and 3 DNS packets have been dropped.

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

Vulnerability Characteristics

Mitigation Technique Overview

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of <this vulnerability | these vulnerabilities>. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution:The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
N/A

Associated Products:
IntelliShieldUniversal Product Original Release Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield