Applied Mitigation Bulletin

Updated data from Cisco Remote Management Services does not reveal any attempts to exploit the vulnerabilities that are described in this bulletin.

Contents

Introduction

Microsoft announced two security bulletins that contain two vulnerabilities as part of the monthly security bulletin release on November 13, 2007. A summary of these bulletins is on the Microsoft website at http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx. This document highlights the vulnerability that can be effectively identified and/or mitigated using Cisco network devices.

MS07-061, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460, CVE-2007-3896), has a client software attack vector, requires user interaction, and can be exploited through web-based attacks such as cross-site scripting or phishing.

Cisco devices provide several countermeasures for MS07-062, Vulnerability in DNS Could Allow Spoofing (941672, CVE-2007-3898), which will be discussed in detail later in this document.

Information about affected and unaffected products is available in the respective Microsoft advisories and the IntelliShield alerts that are referenced in the following table. In addition, multiple Cisco products use Microsoft operating systems as their base operating system. Cisco products that may be affected by the vulnerabilities described in the referenced Microsoft advisories are detailed in the "Associated Products" table in the "Product Sets" section.

Vulnerability Characteristics

Both the Microsoft Security Bulletins will be covered in this Applied Mitigation Bulletin. The following vulnerabilities are summarized in this document:

MS07-061, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460): This vulnerability has been assigned CVE Identifier CVE-2007-3896. Microsoft Windows contains a vulnerability in the way that the Windows shell handles malformed URIs. This vulnerability can be exploited remotely without authentication and requires user interaction. Successful exploitation of this vulnerability may allow arbitrary code execution. The attack vectors for exploitation of this vulnerability are through client software that processes malicious files or attachments, and it can be exploited through web-based attacks such as Internet browsing, cross-site scripting, or phishing. Although Cisco Security Agent provides endpoint protection for potential attempts to exploit this vulnerability (a topic that is included in this document), cross-site scripting and phishing could also be used to exploit this vulnerability. For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, refer to the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

MS07-062, Vulnerability in DNS Could Allow Spoofing (941672): This vulnerability has been assigned CVE Identifier CVE-2007-3898. The Microsoft Windows DNS Server service contains a vulnerability when it processes a malicious DNS response to a DNS request. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability may allow information disclosure, which enables an attacker to learn information about the DNS servers' transaction IDs and also allows an attacker to send malicious DNS responses to DNS requests, thus redirecting traffic from legitimate locations. Exploitation of this vulnerability is possible because the DNS Server service does not provide sufficient entropy in the randomization of DNS transaction IDs when issuing DNS queries. DNS transaction IDs are used to keep track of DNS queries and subsequent DNS responses while attempting to ensure that valid DNS responses match the original DNS query. The attack vector for exploitation is through DNS packets using UDP port 53. An attacker could exploit this vulnerability through spoofed packets.

Information about vulnerable, unaffected, and fixed software is available in the Microsoft Security Bulletin Summary for November 2007, which is available at the following link: http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx

Mitigation Technique Overview

MS07-061, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460, CVE-2007-3896), has a client software attack vector, requires user interaction, and can be exploited through web-based attacks such as cross-site scripting or phishing.

This vulnerability is best mitigated at the endpoint through software updates, user education, desktop administration best practices, and endpoint protection software such as Cisco Security Agent Host Intrusion Prevention System (HIPS) or antivirus products.

Cisco devices provide several countermeasures for MS07-062, Vulnerability in DNS Could Allow Spoofing (941672, CVE-2007-3898), which will be discussed in detail later in this document.

Cisco IOS Software can provide effective means of exploit prevention using the following methods:

• Unicast Reverse Path Forwarding (Unicast RPF)
• IP source guard (IPSG)

These protection mechanisms drop, as well as verify the source IP address of, packets that are attempting to exploit the vulnerability in MS07-062.

The proper deployment and configuration of Unicast RPF provides an effective means of protection against attacks that use packets with spoofed source IP addresses. Unicast RPF should be deployed as close to all traffic sources as possible.

The proper deployment and configuration of IPSG provides an effective means of protection against spoofing attacks at the access layer.

Effective means of exploit prevention can also be provided by Cisco ASA 5500 Series Adaptive Security Appliance, Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers using the following:

• Application layer protocol inspection
• Unicast RPF

These protection mechanisms inspect and drop, as well as verify the source IP address of, packets that are attempting to exploit the vulnerability that has a network attack vector.

Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability.

Cisco IOS NetFlow can provide visibility into network-based exploitation attempts using flow records.

Cisco IOS Software, Cisco ASA, Cisco PIX security appliances, and FWSM firewalls can provide visibility through syslog messages and the counter values displayed in the output from show commands.

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance can also provide visibility through incidents, queries, and event reporting.

Risk Management

Organizations should follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

• Cisco IOS Routers and Switches
• Cisco IOS NetFlow
• Cisco ASA, PIX, and FWSM Firewalls
• Cisco Intrusion Prevention System
• Cisco Security Monitoring, Analysis, and Response System
• Cisco Security Agent

Cisco IOS Routers and Switches

Mitigation: Spoofing Protection

Unicast Reverse Path Forwarding

The vulnerability in MS07-062 can be exploited by spoofed IP packets. Administrators can deploy and configure Unicast Reverse Path Forwarding (Unicast RPF) as a protection mechanism against spoofing.

Unicast RPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on Unicast RPF to provide 100 percent spoofing protection because spoofed packets may enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. Administrators should take care to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic that is transiting the network. In an enterprise environment, Unicast RPF might be enabled at the Internet edge and the internal access layer on the user-supporting Layer 3 interfaces.

Additional information is available in the Unicast Reverse Path Forwarding Loose Mode Feature Guide.

For additional information about the configuration and use of Unicast RPF, reference the Understanding Unicast Reverse Path Forwarding Applied Intelligence white paper.

IP Source Guard

IP source guard (IPSG) is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering packets based on the DHCP snooping binding database and manually configured IP source bindings. Administrators can use IPSG to prevent attacks from an attacker who attempts to spoof packets by forging the source IP address and/or the MAC address. When properly deployed and configured, IPSG coupled with strict mode Unicast RPF provides the most effective means of spoofing protection for the vulnerability in MS07-062.

Additional information about the deployment and configuration of IPSG is available in Configuring DHCP Features and IP Source Guard.

Identification: Spoofing Protection Using Unicast Reverse Path Forwarding

With Unicast RPF properly deployed and configured throughout the network infrastructure, administrators can use the show cef interface type slot/port internal, show ip interface, show cef drop, and show ip traffic commands to identify the number of packets that Unicast RPF has dropped.

Note: The show command | begin regex, and show command | include regex command modifiers are used in the following examples to minimize the amount of output that administrators will need to parse to view the desired information. Additional information about command modifiers is available in the show command sections of the Cisco IOS Configuration Fundamentals Command Reference.

router#show cef interface GigabitEthernet 0/0 internal | include drop
    --      CLI Output Truncated       --
  ip verify: via=rx (allow default), acl=0, drop=2989, sdrop=0
router#

Note: show cef interface type slot/port internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.

router#show ip interface GigabitEthernet 0/0 | begin verify
    --      CLI Output Truncated       --
  IP verify source reachable-via RX, allow default
  2989 verification drops
  0 suppressed verification drops
router#


router#show cef drop
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP            27           0           0        2989           0           0
router#


router#show ip traffic

IP statistics:
  Rcvd:  68051015 total, 2397325 local destination
         43999 format errors, 0 checksum errors, 33 bad hop count
         2 unknown protocol, 929 not a gateway
         21 security failures, 190123 bad options, 542768 with options
  Opts:  352227 end, 452 nop, 36 basic security, 1 loose source route
         45 timestamp, 59 extended security, 41 record route
         53 stream ID, 3 strict source route, 40 alert, 45 cipso, 0 ump
         361634 other
  Frags: 0 reassembled, 10008 timeouts, 56866 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
  Bcast: 64666 received, 0 sent
  Mcast: 1589885 received, 2405454 sent
  Sent:  3001564 generated, 65359134 forwarded
  Drop:  4256 encapsulation failed, 0 unresolved, 0 no adjacency
         1 no route, 2989 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address 
    --      CLI Output Truncated       --
router#

In the preceding examples for show cef drop and show ip traffic, Unicast RPF has dropped 2989 IP packets received globally on all interfaces with Unicast RPF configured because of the inability to verify the source address of the IP packets within the Cisco Express Forwarding Forwarding Information Base.

Cisco IOS NetFlow

Identification: Traffic Flow Identification Using NetFlow Records

Administrators can configure Cisco IOS NetFlow on Cisco IOS routers and switches to aid in the identification of traffic flows that may be attempts to exploit the vulnerability in MS07-062. Administrators should investigate flows to determine whether they are attempts to exploit this vulnerability or whether they are legitimate traffic flows.

router#show ip cache flow
IP packet size distribution (90784136 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .698 .011 .001 .004 .005 .000 .004 .000 .000 .003 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .256 .000 .010 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1885 active, 63651 inactive, 59960004 added
  129803821 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11393421      2.8         1    48      3.1       0.0       1.4
TCP-FTP            236      0.0        12    66      0.0       1.8       4.8
TCP-FTPD            21      0.0     13726  1294      0.0      18.4       4.1
TCP-WWW          22282      0.0        21  1020      0.1       4.1       7.3
TCP-X              719      0.0         1    40      0.0       0.0       1.3
TCP-BGP              1      0.0         1    40      0.0       0.0      15.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     47861004     11.8         1   211     18.9       0.0       1.3
UDP-DNS            582      0.0         4    73      0.0       3.4      15.4
UDP-NTP         287252      0.0         1    76      0.0       0.0      15.5
UDP-other       310347      0.0         2   230      0.1       0.6      15.9
ICMP             11674      0.0         3    61      0.0      19.8      15.5
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                  4      0.0         1    48      0.0       0.0      15.3 
Total:        59957957     14.8         1   196     22.5       0.0       1.5

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.2.2     Gi0/1         192.168.1.163   11 092A 0035    39
Gi0/0         192.168.3.3     Gi0/1         192.168.1.20    11 0C09 0035    63
Gi0/1         192.168.150.60  Gi0/0         10.89.16.226    06 0016 12CA     1
Gi0/0         192.168.4.4     Gi0/1         192.168.1.100   11 0B66 0035    18
Gi0/0         192.168.10.17   Gi0/1         192.168.1.97    11 0B89 00A1     1
Gi0/0         192.168.1.1     Null          192.168.1.163   11 072A 0035    87
Gi0/0         10.88.226.1     Gi0/1         192.168.202.22  11 007B 007B     1
Gi0/0         192.168.5.5     Gi0/1         192.168.1.162   11 0914 0035    41
Gi0/0         10.89.16.226    Gi0/1         192.168.150.60  06 12CA 0016     1
Gi0/0         192.168.6.6     Gi0/1         192.168.1.27    11 0B7B 0035    52
router#

In the preceding example, there are multiple flows for DNS packets on UDP port 53 (hex value 0035). Some of this traffic is sourced from and sent to addresses within the 192.168.1.0/24 address block, which is used for infrastructure devices. The packets in these flows may be spoofed and may indicate an attempt to exploit the vulnerability in MS07-062. Administrators should compare these flows to baseline utilization for DNS traffic on UDP port 53 and also investigate the flows to determine whether they are sourced from untrusted hosts or networks.

To view only the traffic flows for DNS packets on UDP port 53 (hex value 0035), the command show ip cache flow | include SrcIf|_11_.*0035 will display the related NetFlow records as shown here:

router#show ip cache flow | include SrcIf|_11_.*0035
SrcIf         SrcIPaddress     DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.2.2      Gi0/1         192.168.1.163   11 092A 0035     6
Gi0/0         192.168.3.3      Gi0/1         192.168.1.20    11 0C09 0035     1
Gi0/0         192.168.4.4      Gi0/1         192.168.1.100   11 0B66 0035    18
Gi0/0         192.168.1.1      Null          192.168.1.163   11 072A 0035    87
Gi0/0         192.168.5.5      Gi0/1         192.168.1.162   11 0914 0035     1
Gi0/0         192.168.6.6      Gi0/1         192.168.1.27    11 0B7B 0035     2
router#

Cisco ASA, PIX, and FWSM Firewalls

Mitigation: Application Layer Protocol Inspection

Application layer protocol inspection is available beginning in software release 7.0 for the Cisco ASA 5500 Series Adaptive Security Appliance and Cisco PIX 500 Series Security Appliance and in software release 3.1 for the FWSM. This advanced security feature performs deep packet inspection of traffic transiting through the firewall. Administrators may construct an inspection policy for applications that require special handling through the configuration of inspect class maps and inspect policy maps, which are applied via a global or an interface service policy.

Additional information about application layer protocol inspection is available in Configuring Application Layer Protocol Inspection.

Caution: Application layer protocol inspection will decrease firewall performance. Performance impact should be tested in a lab environment before deployment in production environments.

The DNS application inspection feature is enabled by default and uses the DNS guard function to inspect and tear down an existing DNS session associated with a DNS query as soon as a DNS reply is received and forwarded by the firewall. The firewall also monitors the message exchange to ensure that the transaction ID of the DNS reply matches the transaction ID of the initial DNS query. For the firewall to successfully mitigate exploitation of MS07-062, both the initial DNS query and the subsequent nonmalicious DNS response will need to transit the firewall.

Note: Mitigation will be successful only if the malicious DNS response (with the correct transaction ID) is not the first response to the DNS query that is being tracked by the DNS guard function. If a valid malicious DNS response is returned (that is, a malicious response that matches the initial DNS query with the correct transaction ID) and processed by DNS guard before a nonmalicious response is received by the firewall, the nonmalicious DNS response will be discarded, resulting in potential exploitation of the vulnerability in MS07-062.

Beginning with software release 7.0(5) for Cisco ASA 5500 Series and Cisco PIX 500 Series, the DNS guard function can be controlled through the dns-guard global configuration or the dns-guard parameters submode command for policy-map type inspect dns. For Cisco ASA 5500 Series and Cisco PIX 500 Series appliances that are running releases prior to 7.0(5) and for the FWSM firewall, this command is not supported; the DNS guard function is always enabled, and it cannot be configured.

To determine whether the DNS guard function is enabled globally, look for the following string in the firewall configuration for software releases 7.0(5) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances:

firewall# show running-config dns-guard
dns-guard
firewall#

If the DNS guard function has been disabled globally, it can be re-enabled using the following commands for software releases 7.0(5) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances:

firewall# configure terminal
firewall(config)# dns-guard
firewall(config)# exit
firewall#

To determine whether DNS application inspection is enabled with the DNS guard function for software releases 7.2(1) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, administrators can look for the following string in the firewall configuration or issue the show service-policy command and check the output to see if the function and feature are enabled:

firewall# show running-config | grep ^  inspect dns
  inspect dns [class_map]
firewall# 
firewall# show running-config all policy-map class_map
!
policy-map type inspect dns class_map
parameters
  message-length maximum 512
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
!
firewall#

!-- Output for service-policy applied globally with
!-- check for DNS application inspection

firewall# show service-policy | grep Inspect: dns
      Inspect: dns preset_dns_map, packet 29452, drop 1544, reset-drop 0
    --      CLI Output Truncated       --
firewall#
firewall# show service-policy inspect dns | grep Inspect: dns
      Inspect: dns preset_dns_map, packet 29452, drop 1544, reset-drop 0
    --      CLI Output Truncated       --
firewall#

!-- Output for service-policy applied globally with
!-- explicit check for DNS guard function

firewall# show service-policy inspect dns | grep Global|Inspect: dns|dns-guard
Global policy: 
      Inspect: dns preset_dns_map, packet 8, drop 0, reset-drop 0
        dns-guard, count 32874
firewall#

!-- Output for service-policy applied per interface
!-- with explicit check for DNS guard function

firewall# show service-policy inspect dns | grep Interface|Inspect: dns|dns-guard
Interface outside:
      Inspect: dns preset_dns_map, packet 7998, drop 387, reset-drop 0
        dns-guard, count 667
    --      CLI Output Truncated       --
Interface inside:
      Inspect: dns preset_dns_map, packet 58042, drop 0, reset-drop 0
        dns-guard, count 28657
    --      CLI Output Truncated       --
firewall#

If DNS application inspection has been disabled, it can be re-enabled using the following commands for software releases 7.2(1) and later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, which is the default inspection policy for DNS application inspection:

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  !-- Enforces the maximum DNS message length (the default
  !-- is 512 bytes and the maximum length is 65535 bytes)
  message-length maximum <512-65535>
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  --      CLI Output Truncated       --
!
service-policy global_policy global
!

If DNS application inspection has been disabled, it can be re-enabled using the following commands for 7.x software releases prior to 7.2(1) for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, which is the default inspection policy for DNS application inspection:

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  !-- DNS application inspection and DNS message maximum 
  !-- length enforcement (the default is 512 bytes and
  !-- the maximum length is 65535 bytes)
  inspect dns maximum-length <512-65535>
  --      CLI Output Truncated       --
!
service-policy global_policy global
!

Some DNS implementations use a weak randomization algorithm to generate DNS transaction IDs for DNS query messages, or even use sequential values. This makes the DNS server prone to cache poisoning attacks. Beginning with software release 7.2(1) for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, the id-randomization parameters submode command for policy-map type inspect dns can be used to randomize the DNS transaction ID for a DNS query. This function may be used to harden such DNS implementations. This function is disabled by default.

The following information shows how to configure the firewall to randomize the DNS transaction ID for DNS query messages for software releases 7.2(1) or later for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances:

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  !-- Enable DNS transaction ID randomization for DNS
  !-- query messages
  id-randomization
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  --      CLI Output Truncated       --
!
service-policy global_policy global
!

Additional information about DNS Application Inspection is available in How DNS Application Inspection Works.

Mitigation: Spoofing Protection Using Unicast Reverse Path Forwarding

The vulnerability in MS07-062 can be exploited by spoofed IP packets. Administrators can deploy and configure Unicast RPF as a protection mechanism against spoofing.

Unicast RPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on Unicast RPF to provide 100 percent spoofing protection because spoofed packets may enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. In an enterprise environment, Unicast RPF might be enabled at the Internet edge and at the internal access layer on the user-supporting Layer 3 interfaces.

For additional information about the configuration and use of Unicast RPF, reference the Cisco Security Appliance Command Reference for ip verify reverse-path and the Understanding Unicast Reverse Path Forwarding Applied Intelligence white paper.

Identification: Application Layer Protocol Inspection

Firewall syslog message 106007 will be generated for DNS packets that may have been denied by the DNS guard function because a DNS server was probably too slow to respond to a DNS query, and the DNS query was answered by another DNS server. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 106007.

Beginning with software release 7.2(1) for Cisco ASA 5500 Series and Cisco PIX 500 Series appliances, the id-mismatch parameters submode command for policy-map type inspect dns can be used for detecting a high rate of DNS transaction ID mismatches. This may indicate a DNS cache poisoning attack. This function is disabled by default.

Firewall syslog message 410002 will be generated when the firewall detects a high rate of DNS responses with a mismatched DNS transaction ID. The threshold for this function is set by the id-mismatch parameters submode command for policy-map type inspect dns. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 410002.

The following information shows how to configure the firewall to generate syslog message 410002 upon detecting a high rate of mismatched DNS transaction IDs:

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  !-- Enable logging when detecting a high rate of
  !-- DNS transaction ID mismatches will generate
  !-- syslog message 410002 
  id-mismatch [count number duration seconds] action log
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  --      CLI Output Truncated       --
!
service-policy global_policy global
!

With the DNS guard, DNS ID randomization, and DNS ID mismatch functions as well as the DNS application inspection feature enabled, the show service-policy inspect command will identify the number of DNS packets inspected and/or dropped by these functions and this feature. Example output for show service-policy inspect dns follows:

!-- Output for service-policy applied globally

firewall# show service-policy inspect dns

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 37841, drop 0, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 21691
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 21856
        id-mismatch count 100 duration 10, log 2
firewall#

!-- Output for service-policy applied per interface

firewall# show service-policy inspect dns

Interface outside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4923, drop 1544, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 2147
        protocol-enforcement, drop 542
        nat-rewrite, count 0
        id-randomization, count 2220
        id-mismatch count 100 duration 10, log 1

Interface inside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 240, drop 0, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 88
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 116
        id-mismatch count 100 duration 10, log 0
firewall#

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is available in Configuring Logging on the Cisco Security Appliance. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is available in Configuring Monitoring and Logging on the Cisco FWSM.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerability in MS07-062. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is available in Using the Command Line Interface.

firewall#show logging | grep (106007|410002)
Nov 10 2007 00:29:13: %ASA-2-106007: Deny inbound UDP from 192.168.2.2/2875
   to 192.168.1.1/53 due to DNS Response.
Nov 10 2007 00:29:18: %ASA-2-410002: Dropped 189 DNS responses with mis-matched
   id in the past 10 second(s): from outside:192.168.2.2/3917 to inside:192.168.1.1/53
firewall#

The show asp drop frame command can also identify the number of DNS packets that the DNS guard function (with the counter name inspect-dns-id-not-matched) has dropped because the transaction ID in the DNS response message does not match any transaction IDs for DNS queries that have passed across the firewall earlier on the same connection, as shown in the following example:

firewall#show asp drop frame
  DNS Inspect id not matched                         182
  Flow is denied by configured rule                  855
  Expired flow                                         1
  Interface is down                                    2
firewall#

In the preceding example, the DNS guard function has dropped 182 DNS packets due to an incorrect DNS transaction ID.

For additional information about debugging accelerated security path dropped packets or connections, reference the Cisco Security Appliance Command Reference for show asp drop.

Identification: Spoofing Protection Using Unicast Reverse Path Forwarding

Firewall syslog message 106021 will be generated for packets denied by Unicast RPF. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 106021.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is available in Configuring Logging on the Cisco Security Appliance. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is available in Configuring Monitoring and Logging on the Cisco FWSM.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerability in MS07-062. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is available in Using the Command Line Interface.

firewall#show logging | grep 106021
Nov 10 2007 00:14:10: %ASA-1-106021: Deny UDP reverse path check from
   192.168.2.2 to 192.168.1.1 on interface outside
Nov 10 2007 00:14:18: %ASA-1-106021: Deny UDP reverse path check from
   192.168.10.10 to 192.168.1.1 on interface inside
Nov 10 2007 00:15:09: %ASA-1-106021: Deny UDP reverse path check from
   192.168.10.10 to 192.168.1.1 on interface inside
Nov 10 2007 00:15:11: %ASA-1-106021: Deny UDP reverse path check from
   192.168.2.2 to 192.168.1.1 on interface outside
firewall#

The show asp drop command can also identify the number of packets that Unicast RPF has dropped, as shown in the following example:

firewall#show asp drop

Frame drop:
  Reverse-path verify failed                        2989
  Flow is denied by configured rule                  855
  Expired flow                                         1
  Interface is down                                    2

Flow drop:

firewall#

In the preceding example, Unicast RPF has dropped 2989 IP packets received on interfaces with Unicast RPF configured.

For additional information about debugging accelerated security path dropped packets or connections, reference the Cisco Security Appliance Command Reference for show asp drop.

Cisco Intrusion Prevention System

Mitigation: IPS Signature Event Actions

The Cisco Intrusion Prevention System (IPS) appliances and services modules can provide threat detection and help prevent attempts to exploit the two vulnerabilities in this document (MS07-061 and MS07-062). The following table provides an overview of CVE Identifiers and the respective Cisco IPS signatures that will trigger events on potential attempts to exploit these vulnerabilities.

* Fidelity is also referred to as Signature Fidelity Rating (SFR) and is the relative measure of the accuracy of the signature (predefined). The value ranges from 0 through 100 and is set by Cisco Systems, Inc.

Administrators can configure Cisco IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the vulnerabilities listed in the preceding table.

Exploits that are easily spoofed may cause a configured event action to inadvertently deny traffic from trusted sources.

Cisco IPS sensors are most effective when deployed in inline protection mode combined with the use of an event action. Automatic Threat Prevention for Cisco IPS 6.x sensors deployed in inline protection mode provides threat prevention against an attack that is attempting to exploit these vulnerabilities. Threat prevention is achieved through a default override that performs an event action of deny-packet-inline for triggered signatures with a riskRatingValue greater than 90. Additional information about the risk rating and the calculation of its value is available in Cisco IPS Risk Rating Explained.

Cisco IPS 5.x sensors that are deployed in inline protection mode require an event action configured on a per-signature basis. Alternatively, administrators can configure an override that can perform an event action for any signatures that are triggered and are calculated as a high-risk threat. Using the deny-packet-inline event action on sensors deployed in inline protection mode provides the most effective exploit prevention.

IPS Signature Event Data

The following data has been compiled through remote monitoring services that are provided by the Cisco Remote Management Services (Cisco RMS) team from a sample group of Cisco IPS sensors running Cisco IPS Signature Update version S308 or greater. The purpose of this data is to provide visibility into exploit attempts of the vulnerabilities that were detailed in the Microsoft November Security Update released on November 13, 2007. This data was gathered from events that were triggered on December 12, 2007.

Cisco Security Monitoring, Analysis, and Response System

Identification: Cisco Security Monitoring, Analysis, and Response System Incident

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance can create incidents for events triggered due to potential exploitation of MS07-061 using IPS signature 5916/0 (Signature Name: URL Handler Vulnerability) and MS07-062 using IPS signatures 4002/0 (Signature Name: UDP Host Flood) or 6910/0 (Signature Name: Net Flood UDP).

The following screen shot shows an incident created by IPS signature 5916/0 (Signature Name: URL Handler Vulnerability) for potential attempts to exploit MS07-061.

The following screen shot shows an incident created by IPS signature 4002/0 (Signature Name: UDP Host Flood) for potential attempts to exploit MS07-062.

Note: Beginning with the 4.3.1 and 5.3.1 releases for Cisco Security MARS appliances, support has been added for the Cisco IPS dynamic signature updates feature. This feature downloads new signatures from Cisco.com or from a local web server, correctly processes and categorizes received events that match those signatures, and includes them in inspection rules and reports. These updates provide event normalization and event group mapping, and also enable the MARS appliance to parse new signatures from the IPS devices.

If this feature is not configured, events that match these new signatures appear as unknown event type in queries and reports. MARS will not include these events in inspection rules, thus incidents may not be created for potential threats or attacks occurring within the network.

By default, this feature is enabled but requires configuration. If the feature is not configured, the following Cisco Security MARS rule will be triggered:

System Rule: CS-MARS IPS Signature Update Failure

When this feature is enabled and configured, administrators can determine the current signature version downloaded by MARS by selecting Help > About and reviewing the IPS Signature Version value.

Additional information and instructions about to configure this feature are available at the following links for the Cisco Security MARS 4.3.1 and 5.3.1 releases.

Cisco Security Agent

Mitigation: Threat Prevention and Identification Interceptors

Cisco Security Agent offers proactive protection against exploits, threats, and variants that attempt to take advantage of disclosed and undisclosed vulnerabilities. Cisco Security Agent is designed to protect servers and desktops from these threats using rule-based policies. These policies determine which interceptors Cisco Security Agent will use to detect policy violations and to prevent actions that it identifies as policy violations, which may be malicious activity or legitimate actions.

Cisco Security Agent protects against attempts to exploit the vulnerability in Microsoft Security Bulletin MS07-061, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460, CVE-2007-3896), through the use of default desktop policies. These policies block execution of maliciously formed URI handlers.

Identification: Threat Prevention and Identification Interceptors

The Cisco Security Agent Management Center console can be monitored for attempts to exploit MS07-061.

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

• Microsoft Security Bulletin Summary for November 2007
• Cisco Applied Intelligence Response Documents
• Understanding Unicast Reverse Path Forwarding
• Cisco IOS NetFlow - Home Page on Cisco.com
• Cisco IOS NetFlow White Papers
• Cisco Network Foundation Protection White Papers
• Cisco Network Foundation Protection Presentations
• Cisco Firewall Products - Home Page on Cisco.com
• Unicast Reverse Path Forwarding Loose Mode
• Unicast Reverse Path Forwarding Enhancements for the Internet Service Provider - Internet Service Provider Network Edge
• Cisco 6.x Intrusion Prevention System
• Cisco IPS Risk Rating Explained
• Cisco IPS 6.x Signature Downloads
• Cisco IPS Signatures by Release Version
• Cisco IPS Signatures by Signature ID
• Cisco Security Monitoring, Analysis, and Response System
• Cisco Security Agent
• Common Vulnerabilities and Exposures (CVE)

Version 4, November 27, 2007, 05:49 PM: Updated data from Cisco Remote Management Services does not reveal any attempts to exploit the vulnerabilities that are described in this bulletin.

Version 3, November 21, 2007, 8:55 AM: Updated data from Cisco Remote Management Services does not reveal any attempts to exploit the vulnerabilities that are described in this bulletin.

Version 2, November 16, 2007, 4:11 PM: Data from Cisco Remote Management Services does not reveal any attempts to exploit the vulnerabilities that are described in this bulletin.

Version 1, November 13, 2007, 1:57 PM: This is the initial version of the Cisco Applied Mitigation Bulletin to address the Microsoft Security Bulletin for November 2007.