Applied Mitigation Bulletin

IPS signature event data from Cisco Remote Management Services is available for IPS signatures from March 24, 2009.

Contents

Introduction

Microsoft announced three security bulletins that contain eight vulnerabilities as part of the monthly security bulletin release on March, 10 2009. A summary of these bulletins is on the Microsoft website at http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx. This document highlights the vulnerabilities that can be effectively identified and/or mitigated using Cisco network devices.

The vulnerabilities that have a client software attack vector, require user interaction, or can be exploited through web-based attacks such as Internet browsing, cross-site scripting, phishing, or web-based e-mail are in the following list:

• MS09-006

For additional information about cross-site scripting attacks and the methods used to exploit this type of vulnerability, refer to the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

Two vulnerabilities for MS09-008 (CVE Identifiers CVE-2009-0093 and CVE-2009-0094) have network mitigations that will be discussed in detail later in this document. Cisco devices provide several countermeasures for these vulnerabilities that have network attack vectors and/or detection mechanisms for potential malicious activities.

The two remaining vulnerabilities for MS09-008 (CVE Identifiers CVE-2009-0233 and CVE-2009-0234) have multiple network mitigations. Cisco devices provide several countermeasures for these vulnerabilities. Due to the network attack vector used for exploitation, these countermeasures are available in the Applied Intelligence white paper DNS Best Practices, Network Protections, and Attack Identification.

Information about affected and unaffected products is available in the respective Microsoft advisories and the IntelliShield alerts that are referenced in the following table. In addition, multiple Cisco products use Microsoft operating systems as their base operating system. Cisco products that may be affected by the vulnerabilities described in the referenced Microsoft advisories are detailed in the "Associated Products" table in the "Product Sets" section.

Vulnerability Characteristics

MS09-008, Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238): These vulnerabilities have been assigned CVE identifiers CVE-2009-0093, CVE-2009-0094, CVE-2009-0233, and CVE-2009-0234. These vulnerabilities can be exploited locally or remotely without authentication and with user interaction.

Successful exploitation of the vulnerabilities for CVE-2009-0093 and CVE-2009-0094 allows dynamic updates on Microsoft Windows DNS servers or registration of entries on Microsoft Windows WINS servers for WPAD or ISATAP. This can result in a man-in-the-middle attack and allows an attacker to redirect traffic to an address the attacker chooses. The attack vector for exploitation of CVE-2009-0093 is through Domain Name System (DNS) packets using UDP port 53 and the attack vector for exploitation of CVE-2009-0094 is through NetBIOS Name Service (NBNS) packets using UDP port 137. An attacker could exploit these vulnerabilities using spoofed packets.

Successful exploitation of the vulnerabilities for CVE-2009-0233 and CVE-2009-0234 may allow an attacker to effectively predict the DNS transaction identifier (TXID) and/or UDP source port value. If an attacker is able to successfully predict the DNS TXID and UDP source port value for a DNS query, attackers can poison the DNS cache on a Microsoft Windows DNS server. This can allow an attacker to redirect traffic to an address the attacker chooses. The attack vector for exploitation of CVE-2009-0233 and CVE-2009-0234 is through DNS packets using UDP port 53. An attacker could exploit these vulnerabilities using spoofed packets. Due to the network attack vector used for exploitation of these two vulnerabilities, countermeasures are available in the Applied Intelligence white paper DNS Best Practices, Network Protections, and Attack Identification.

Information about vulnerable, unaffected, and fixed software is available in the Microsoft Security Bulletin Summary for March 2009, which is available at the following link: http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx

Mitigation Technique Overview

MS09-006, Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690), has a client software attack vector, requires user interaction, or can be exploited through web-based attacks such as Internet browsing, cross-site scripting, phishing, or web-based e-mail.

For additional information about cross-site scripting attacks and the methods used to exploit this type of vulnerability, refer to the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

These vulnerabilities are best mitigated at the endpoint through software updates, user education, desktop administration best practices, and endpoint protection software such as Cisco Security Agent Host Intrusion Prevention System (HIPS) or antivirus products.

The vulnerabilities that have a network mitigation are in the following list. Cisco devices provide several countermeasures for these vulnerabilities. This section of the document provides an overview of these techniques.

• MS09-008 (CVE-2009-0093 and CVE-2009-0094)

Note: Two vulnerabilities for MS09-008 (CVE Identifiers CVE-2009-0233 and CVE-2009-0234) have multiple network mitigations. Cisco devices provide several countermeasures for these vulnerabilities. Due to the network attack vector used for exploitation, these countermeasures are available in the Applied Intelligence white paper DNS Best Practices, Network Protections, and Attack Identification.

Cisco IOS Software can provide effective means of exploit prevention using the following methods:

• Transit access control lists (tACLs)
• Flexible Packet Matching (FPM)
• Unicast Reverse Path Forwarding (Unicast RPF)
• IP source guard (IPSG)

These protection mechanisms filter and drop, as well as verify the source IP address of, packets that are attempting to exploit the vulnerabilities that have a network attack vector.

The proper deployment and configuration of Unicast RPF provides an effective means of protection against attacks that use packets with spoofed source IP addresses. Unicast RPF should be deployed as close to all traffic sources as possible.

The proper deployment and configuration of IPSG provides an effective means of protection against spoofed packets at the access layer.

Because the potential exists that a trusted endpoint could become compromised by malicious code and does not use packets with spoofed source addresses, Unicast RPF and IPSG do not provide complete protection against these vulnerabilities.

Effective means of exploit prevention can also be provided by Cisco ASA 5500 Series Adaptive Security Appliance, Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers using the following:

• Transit access control lists (tACLs)
• Application layer protocol inspection
• Unicast Reverse Path Forwarding (Unicast RPF)

These protection mechanisms filter and drop, as well as verify the source IP address of, packets that are attempting to exploit the vulnerabilities that have a network attack vector.

Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit these vulnerabilities as discussed later in this document.

Cisco IOS NetFlow flow records can provide visibility into network-based exploitation attempts.

Cisco IOS Software, Cisco ASA, Cisco PIX security appliances, and FWSM firewalls can provide visibility through syslog messages and the counter values displayed in the output from show commands.

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance can also provide visibility through incidents, queries, and event reporting.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

• Cisco IOS Routers and Switches
• Cisco IOS NetFlow
• Cisco ASA, PIX, and FWSM Firewalls
• Cisco Intrusion Prevention System
• Cisco Security Monitoring, Analysis, and Response System

Cisco IOS Routers and Switches

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against these vulnerabilities that have a network attack vector when the attack comes from a trusted source address.

The tACL policy denies unauthorized NetBIOS Name Service (NBNS) packets on UDP port 137 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic.

Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge.

!-- Include any explicit permit statements for trusted
!-- sources that require access on the vulnerable port
!-- for MS09-008 (CVE-2009-0094)
!
access-list 150 permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 137
!
!-- The following vulnerability-specific access control
!-- entry (ACE) can aid in identification of attacks
!-- against MS09-008 (CVE-2009-0094)
!
access-list 150 deny udp any 192.168.60.0 0.0.0.255 eq 137
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in 
!-- accordance with existing security policies and
!-- configurations
!
!-- Explicit deny for all other IP traffic
!
access-list 150 deny ip any any
!
!-- Apply tACL to interfaces in the ingress direction
interface GigabitEthernet0/0
 ip access-group 150 in
!

Note that filtering with an interface access list will elicit the transmission of ICMP unreachable messages back to the source of the filtered traffic. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, ICMP unreachable generation is limited to one packet every 500 milliseconds by default. ICMP unreachable message generation can be disabled using the interface configuration command no ip unreachables. ICMP unreachable rate limiting can be changed from the default using the global configuration command ip icmp rate-limit unreachable interval-in-ms.

Mitigation: Flexible Packet Matching

To protect against current, existing, and emerging threats at all network entry points, administrators can use the Cisco IOS Flexible Packet Matching (FPM) feature to statelessly classify and filter traffic as it enters the network, and to immediately drop and/or log for auditing purposes. FPM uses flexible and granular Layer 2-7 pattern matching deep within the packet header or payload to provide a rapid first line of defense against network-based threats. Using FPM provides the means to inspect packets for characteristics of an attack, and to take appropriate actions (log, drop, or ICMP unreachable). FPM was introduced in Cisco IOS Software Release 12.4(4)T with the ability to define policies to classify and match packets using flexible and granular Layer 2-7 pattern matching deep within the packet header or payload. Cisco IOS Software Release 12.4(4)T initially allowed FPM to use a search window of 32 bytes and search the first 256 bytes of a packet. FPM was updated in Cisco IOS Software Release 12.4(15)T to increase the search window for patterns up to 256 bytes long and at any offset in a packet.

The capability to use field names in the match statement requires the use of Protocol Header Definition Files (PHDFs), which are available for download by registered users at http://www.cisco.com/pcgi-bin/tablebuild.pl/fpm.

Additional information about FPM is available in the Flexible Packet Matching Deployment Guide.

WINS WPAD Registration FPM Policy

CVE-2009-0094 MS09-008 can be mitigated using the Cisco IOS FPM feature by effectively classifying and filtering NetBIOS Name Service (NBNS) packets attempting to register a WPAD entry on a Microsoft Windows WINS server.

!-- Load the Protocol Header Definition File (PHDF) for
!-- the Internet Protocol (IP) and User Datagram Protocol
!-- (UDP)
!
!-- The PHDFs contain header definitions for fields used
!-- in the example policy
!
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
!-- Configure a stack class to match packets with a value
!-- of 17 (UDP) for the protocol field in an IP header
!
class-map type stack match-all ip_udp_class
 description "Match UDP Packets"
 match field IP protocol eq 17 next UDP
!
!-- Configure a access-control class to match packets with
!-- a value of 137 for the destination port field in the
!-- UDP header and two regular expressions that match the
!-- WPAD WINS registration packet
!
class-map type access-control match-all wins_wpad_register
 description "Match WINS WPAD Registration"
 match field UDP dest-port eq 137
 match start UDP payload-start offset 2 size 2 regex ".*[\x28-\x29]"
!-- Note: The following regex string is wrapped on multiple
!-- lines. For this regex string to work as expected, it
!-- must be entered as a single string value to the regex
!-- argument, and it must not be wrapped.
 match start UDP payload-start offset 12 size 136 regex
   ".*\x20\x46\x48\x46\x41\x45\x42\x45\x45\x43\x41\x43
      \x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43
      \x41\x43\x41\x43\x41\x43\x41[\x41\x43]\x41\x00"
!
!-- Configure a access-control policy that the previously
!-- defined access-control class will be attached to and
!-- then configure the actions of drop and log that FPM will
!-- perform when it successfully classifies and matches
!-- packets
!
policy-map type access-control fpm_wpad_classify
 class wins_wpad_register
   drop
   log
!
!-- Configure a access-control policy that the previoulsy
!-- defined stack class will be attached to and then the
!-- the previously defined access-control policy will be
!-- attached to the stack class. This access-control policy
!-- is then attached to interfaces that packets should be
!-- classified and filtered on
!
policy-map type access-control fpm_wpad_policy
 class ip_udp_class
  service-policy fpm_wpad_classify
!
!-- Attach the previously defined access-control policy to
!-- the interface in the ingress direction
!
interface GigabitEthernet0/0
 service-policy type access-control input fpm_wpad_policy
!

HTTP GET Request for WPAD.DAT (case-insensitive) FPM Policy

The following FPM policy will effectively detect, classify, and prevent endpoints from requesting the WPAD.DAT Proxy Auto Configuration File through the HTTP GET method.

!-- Load the Protocol Header Definition File (PHDF) for
!-- the Internet Protocol (IP) and Transmission Control
!-- Protocol (TCP)
!
!-- The PHDFs contain header definitions for fields used
!-- in the example policy
!
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
!-- Configure a stack class to match packets with a value
!-- of 6 (TCP) for the protocol field in an IP header
!
class-map type stack match-all ip_tcp_class
 description "Match TCP Packets"
 match field IP protocol eq 6 next TCP
!
!-- Configure a access-control class to match packets with
!-- a value of 80 for the destination port field in the
!-- TCP header and one regular expressions that matches an
!-- HTTP GET request for WPAD.DAT (case-insensitive)
!
class-map type access-control match-all wpad.dat_http_request
 description "Match HTTP GET Request for WPAD.DAT (case-insensitive)"
 match field TCP dest-port eq 80
!-- Note: The following regex string is wrapped on a second
!-- line. For this regex string to work as expected, it
!-- must be entered as a single string value to the regex
!-- argument, and it must not be wrapped.
 match start TCP payload-start offset 0 size 256 regex
   ".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]"
!
!-- Configure a access-control policy that the previously
!-- defined access-control class will be attached to and
!-- then configure the actions of drop and log that FPM will
!-- perform when it successfully classifies and matches
!-- packets
!
policy-map type access-control fpm_wpad_classify
 class wpad.dat_http_request
   drop
   log
!
!-- Configure a access-control policy that the previoulsy
!-- defined stack class will be attached to and then the
!-- the previously defined access-control policy will be
!-- attached to the stack class. This access-control policy
!-- is then attached to interfaces that packets should be
!-- classified and filtered on
!
policy-map type access-control fpm_wpad_policy
 class ip_tcp_class
  service-policy fpm_wpad_classify
!
!-- Attach the previously defined access-control policy to
!-- the interface in the ingress direction
!
interface GigabitEthernet0/0
 service-policy type access-control input fpm_wpad_policy
!

Mitigation: Spoofing Protection

Unicast Reverse Path Forwarding

Some of the vulnerabilities described in this document that have a network attack vector can be exploited by spoofed IP packets. The proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) can provide protection mechanisms for spoofing related to the following vulnerabilities:

• MS09-008 (CVE-2009-0093 and CVE-2009-0094)

Unicast RPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on Unicast RPF to provide complete spoofing protection because spoofed packets may enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. Administrators are advised to take care to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic that is transiting the network. In an enterprise environment, Unicast RPF might be enabled at the Internet edge and the internal access layer on the user-supporting Layer 3 interfaces.

Additional information is available in the Unicast Reverse Path Forwarding Loose Mode Feature Guide.

For additional information about the configuration and use of Unicast RPF, reference the Understanding Unicast Reverse Path Forwarding Applied Intelligence white paper.

IP Source Guard

IP source guard (IPSG) is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering packets based on the DHCP snooping binding database and manually configured IP source bindings. Administrators can use IPSG to prevent attacks from an attacker who attempts to spoof packets by forging the source IP address and/or the MAC address. The proper deployment and configuration of IPSG coupled with strict mode Unicast RPF can provide the most effective means of spoofing protection to help mitigate the following vulnerabilities:

• MS09-008 (CVE-2009-0093 and CVE-2009-0094)

Additional information about the deployment and configuration of IPSG is available in Configuring DHCP Features and IP Source Guard.

Identification: Transit Access Control Lists

After the administrator applies the tACL to an interface, the show ip access-lists command will identify the number of NetBIOS Name Service (NBNS) packets on UDP port 137 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities. Example output for show ip access-lists 150 follows:

router#show ip access-lists 150
Extended IP access list 150
    10 permit udp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 137
    20 deny udp any 192.168.60.0 0.0.0.255 eq 137 (49 matches)
    30 deny ip any any (372 matches)
router#

In the preceding example, access list 150 has dropped 49 NetBIOS Name Service (NBNS) packets on UDP port 137 for access control list entry (ACE) sequence identifier 20.

For additional information about investigating incidents using ACE counters and syslog events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.

Administrators can use Embedded Event Manager to provide instrumentation when specific conditions are met, such as ACE counter hits. The Applied Intelligence white paper Embedded Event Manager in a Security Context provides additional details about how to use this feature.

Identification: Flexible Packet Matching

WINS WPAD Registration FPM Policy

After the administrator attaches the FPM access-control policy to an interface, the show policy-map type access-control command will identify the number of NetBIOS Name Service (NBNS) packets on UDP port 137 that have been classified, matched, and filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities. Example output for show policy-map type access-control interface GigabitEthernet0/0 follows:

router#show policy-map type access-control interface GigabitEthernet0/0
 GigabitEthernet0/0

  Service-policy access-control input: fpm_wpad_policy

    Class-map: ip_udp_class (match-all)
      2407 packets, 230476 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 17 next UDP

      Service-policy access-control : fpm_wpad_classify

        Class-map: wins_wpad_register (match-all)
          12 packets, 1320 bytes
          5 minute offered rate 0 bps
          Match: field UDP source-port eq 137
          Match: field UDP dest-port eq 137
          Match: start UDP payload-start offset 2 size 2 regex ".*[\x28-\x29]"
          Match: start UDP payload-start offset 12 size 136 regex
            ".*\x20\x46\x48\x46\x41\x45\x42\x45\x45\x43\x41\x43
               \x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43
               \x41\x43\x41\x43\x41\x43\x41(\x41|\x43)\x41\x00"
      drop
      log

        Class-map: class-default (match-any)
          51 packets, 6566 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      17245 packets, 2337810 bytes
      5 minute offered rate 21000 bps, drop rate 0 bps
      Match: any
router#

In the preceding example, access-control class wins_wpad_register has classified, matched, and dropped 12 NetBIOS Name Service (NBNS) packets on UDP port 137 attempting to register an entry of WPAD on a Microsoft Windows WINS server.

FPM creates syslog messages that can be displayed on the IOS device using the show logging command or sent to a syslog host for analysis. The syslog messages created by FPM are similar to those produced by the access control list entry log-input keyword; however, the FPM log messages do not contain MAC addresses. Example output for show logging | include wins_wpad_register follows:

router#show logging | include wins_wpad_register
*Mar  10 16:41:19.363 CST: %SEC-6-IPACCESSLOGP: list wins_wpad_register
  denied udp 192.168.1.11(137) (GigabitEthernet0/0 ) -> 192.168.60.60(137),
  1 packet
*Mar  10 16:46:22.235 CST: %SEC-6-IPACCESSLOGP: list wins_wpad_register
  denied udp 192.168.2.22(137) (GigabitEthernet0/0 ) -> 192.168.60.60(137),
  11 packets
router#

In the preceding example, the messages logged for access-control class wins_wpad_register shows NetBIOS Name Service (NBNS) packets for UDP port 137 sent to an address that may be a Microsoft Windows WINS server.

HTTP GET Request for WPAD.DAT (case-insensitive) FPM Policy

After the administrator attaches the FPM access-control policy to an interface, the show policy-map type access-control command will identify the number of Hypertext Transfer Protocol (HTTP) packets on TCP port 80 that have been classified, matched, and filtered. Administrators are advised to investigate filtered packets to determine whether they are endpoint attempts to request the WPAD.DAT Proxy Auto Configuration File. Example output for show policy-map type access-control interface GigabitEthernet0/0 follows:

router#show policy-map type access-control interface GigabitEthernet0/0
 GigabitEthernet0/0

  Service-policy access-control input: fpm_wpad_policy

    Class-map: ip_tcp_class (match-all)
      1185 packets, 74859 bytes
      5 minute offered rate 2000 bps
      Match: field IP protocol eq 6 next TCP

      Service-policy access-control : fpm_wpad_classify

        Class-map: wpad.dat_http_request (match-all)
          23 packets, 4986 bytes
          5 minute offered rate 0 bps
          Match: field TCP dest-port eq 80
          Match: start TCP payload-start offset 0 size 256 regex
            ".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]"
      drop
      log

        Class-map: class-default (match-any)
          1136 packets, 68263 bytes
          5 minute offered rate 2000 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      1894 packets, 254052 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any
router#

In the preceding example, access-control class wpad.dat_http_request has classified, matched, and dropped 23 HTTP packets on TCP port 80. These indicate endpoints that are attempting to request the WPAD.DAT Proxy Auto Configuration File using the HTTP GET method from a device.

FPM creates syslog messages that can be displayed on the IOS device using the show logging command or sent to a syslog host for analysis. The syslog messages created by FPM are similar to those produced by the access control list entry log-input keyword; however, the FPM log messages do not contain MAC addresses. Example output for show logging | include wpad.dat_http_request follows:

router#show logging | include wpad.dat_http_request
*Mar  10 02:03:31.390: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.1.11(7412) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  1 packet
*Mar  10 02:05:14.194: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.5.55(33578) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  1 packet
*Mar  10 02:09:18.563: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.3.33(9183) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  6 packets
*Mar  10 02:09:34.651: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.4.44(4946) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  1 packet
*Mar  10 02:10:18.563: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.2.22(4429) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  6 packets
*Mar  10 02:15:18.564: %SEC-6-IPACCESSLOGP: list wpad.dat_http_request
  denied tcp 192.168.6.66(4927) (GigabitEthernet0/0 ) -> 192.168.0.1(80),
  8 packets
router#

In the preceding example, the messages logged for access-control class wpad.dat_http_request shows HTTP packets for TCP port 80 sent to an address that may be malicious.

For additional information about investigating incidents using ACE counters and syslog events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.

Administrators can use Embedded Event Manager to provide instrumentation when specific conditions are met, such as ACE counter hits. The Applied Intelligence white paper Embedded Event Manager in a Security Context provides additional details about how to use this feature.

Identification: Access List Logging

The log and log-input access control list (ACL) option will cause packets that match specific ACEs to be logged. The log-input option enables logging of the ingress interface in addition to the packet source and destination IP addresses and ports.

Caution: Access control list logging can be very CPU intensive and must be used with extreme caution. Factors that drive the CPU impact of ACL logging are log generation, log transmission, and process switching to forward packets that match log-enabled ACEs.

For Cisco IOS Software, the ip access-list logging interval interval-in-ms command can limit the effects of process switching induced by ACL logging. The logging rate-limit rate-per-second [except loglevel] command limits the impact of log generation and transmission.

The CPU impact from ACL logging can be addressed in hardware on the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers with Supervisor Engine 720 or Supervisor Engine 32 using optimized ACL logging.

For additional information about the configuration and use of ACL logging, reference the Understanding Access Control List Logging Applied Intelligence white paper.

Identification: Spoofing Protection Using Unicast Reverse Path Forwarding

With Unicast RPF properly deployed and configured throughout the network infrastructure, administrators can use the show cef interface type slot/port internal, show ip interface, show cef drop, and show ip traffic commands to identify the number of packets that Unicast RPF has dropped.

Note: The show command | begin regex and show command | include regex command modifiers are used in the following examples to minimize the amount of output that administrators will need to parse to view the desired information. Additional information about command modifiers is available in the show command sections of the Cisco IOS Configuration Fundamentals Command Reference.

router#show cef interface GigabitEthernet 0/0 internal | include drop
    --      CLI Output Truncated       --
  ip verify: via=rx (allow default), acl=0, drop=11, sdrop=0
router#

Note: show cef interface type slot/port internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.

router#show ip interface GigabitEthernet 0/0 | begin verify
    --      CLI Output Truncated       --
  IP verify source reachable-via RX, allow default, allow self-ping
  11 verification drops
  0 suppressed verification drops
router#


router#show cef drop
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP            27           0           0          11           0           0
router#


router#show ip traffic

IP statistics:
  Rcvd:  68051015 total, 2397325 local destination
         43999 format errors, 0 checksum errors, 33 bad hop count
         2 unknown protocol, 929 not a gateway
         21 security failures, 190123 bad options, 542768 with options
  Opts:  352227 end, 452 nop, 36 basic security, 1 loose source route
         45 timestamp, 59 extended security, 41 record route
         53 stream ID, 3 strict source route, 40 alert, 45 cipso, 0 ump
         361634 other
  Frags: 0 reassembled, 10008 timeouts, 56866 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
  Bcast: 64666 received, 0 sent
  Mcast: 1589885 received, 2405454 sent
  Sent:  3001564 generated, 65359134 forwarded
  Drop:  4256 encapsulation failed, 0 unresolved, 0 no adjacency
         11 no route, 11 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address 
    --      CLI Output Truncated       --
router#

In the preceding show cef drop and show ip traffic examples, Unicast RPF has dropped 11 IP packets received globally on all interfaces with Unicast RPF configured because of the inability to verify the source address of the IP packets within the Cisco Express Forwarding Forwarding Information Base (FIB).

Cisco IOS NetFlow

Identification: Traffic Flow Identification Using NetFlow Records

Administrators can configure Cisco IOS NetFlow on Cisco IOS routers and switches to aid in the identification of traffic flows that may be attempts to exploit the vulnerabilities described in this document that have a network attack vector. Administrators are advised to investigate flows to determine whether they are attempts to exploit the vulnerabilities or whether they are legitimate traffic flows.

router#show ip cache flow
IP packet size distribution (90784136 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .698 .011 .001 .004 .005 .000 .004 .000 .000 .003 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .256 .000 .010 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1885 active, 63651 inactive, 59960004 added
  129803821 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11393421      2.8         1    48      3.1       0.0       1.4
TCP-FTP            236      0.0        12    66      0.0       1.8       4.8
TCP-FTPD            21      0.0     13726  1294      0.0      18.4       4.1
TCP-WWW          22282      0.0        21  1020      0.1       4.1       7.3
TCP-X              719      0.0         1    40      0.0       0.0       1.3
TCP-BGP              1      0.0         1    40      0.0       0.0      15.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     47861004     11.8         1   211     18.9       0.0       1.3
UDP-DNS            582      0.0         4    73      0.0       3.4      15.4
UDP-NTP         287252      0.0         1    76      0.0       0.0      15.5
UDP-other       310347      0.0         2   230      0.1       0.6      15.9
ICMP             11674      0.0         3    61      0.0      19.8      15.5
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                  4      0.0         1    48      0.0       0.0      15.3 
Total:        59957957     14.8         1   196     22.5       0.0       1.5

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201  Gi0/1         192.168.60.102  11 0089 0089     1
Gi0/0         192.168.11.54   Gi0/1         192.168.60.158  11 0089 0089     3
Gi0/1         192.168.150.60  Gi0/0         10.89.16.226    06 0016 12CA     1
Gi0/0         192.168.13.97   Gi0/1         192.168.60.28   11 0089 0089     5
Gi0/0         192.168.10.17   Gi0/1         192.168.60.97   11 0089 0089     1
Gi0/0         10.88.226.1     Gi0/1         192.168.202.22  11 007B 007B     1
Gi0/0         192.168.12.185  Gi0/1         192.168.60.239  11 0089 0089     1
Gi0/0         10.89.16.226    Gi0/1         192.168.150.60  06 12CA 0016     1
router#

In the preceding example, there are multiple flows for NetBIOS Name Service (NBNS) packets on UDP port 137 (hex value 0089). The packets in these flows may indicate an attempt to exploit these vulnerabilities. Administrators are advised to compare these flows to baseline utilization for NetBIOS Name Service (NBNS) traffic sent on UDP port 137 and also investigate the flows to determine whether they are sourced from untrusted hosts or networks.

To view only the traffic flows for NetBIOS Name Service (NBNS) packets on UDP port 137 (hex value 0089), the command show ip cache flow | include SrcIf|_11_.*0089 will display the related UDP NetFlow records as shown here:

router#show ip cache flow | include SrcIf|_11_.*0089
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201  Gi0/1         192.168.60.102  11 0089 0089     1
Gi0/0         192.168.11.54   Gi0/1         192.168.60.158  11 0089 0089     3
Gi0/0         192.168.13.97   Gi0/1         192.168.60.28   11 0089 0089     5
Gi0/0         192.168.10.17   Gi0/1         192.168.60.97   11 0089 0089     1
Gi0/0         192.168.12.185  Gi0/1         192.168.60.239  11 0089 0089     1
router#

Cisco ASA, PIX, and FWSM Firewalls

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy tACLs to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL workaround cannot provide complete protection against the vulnerabilities that have a network attack vector when the attack comes from a trusted source address.

The tACL policy denies unauthorized NetBIOS Name Service (NBNS) packets on UDP port 137 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic.

Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge.

Ingress Transit ACL Policy

!-- Include any explicit permit statements for trusted
!-- sources that require access on the vulnerable port
!-- for MS09-008 (CVE-2009-0094)
!
access-list tACL-Policy-Ingress extended permit udp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 137
!
!-- The following vulnerability-specific access control
!-- entry (ACE) can aid in identification of attacks against
!-- MS09-008 (CVE-2009-0094)
!
access-list tACL-Policy-Ingress extended deny udp any 192.168.60.0
  255.255.255.0 eq 137
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in
!-- accordance with existing security policies and
!-- configurations
!
!-- Explicit deny for all other IP traffic
!
access-list tACL-Policy-Ingress extended deny ip any any
!
!-- Apply tACL to interface(s) in the ingress direction
!
access-group tACL-Policy-Ingress in interface outside
!

Egress Transit ACL Policy

!-- Include any explicit permit statements for trusted
!-- sources that require access on the vulnerable port
!-- for MS09-008 (CVE-2009-0094)
!
access-list tACL-Policy-Egress extended permit udp 192.168.60.0
  255.255.255.0 host 192.168.100.1 eq 137
!
!-- The following vulnerability-specific access control
!-- entry (ACE) can aid in identification of attacks against
!-- MS09-008 (CVE-2009-0094)
!
access-list tACL-Policy-Egress extended deny udp 192.168.60.0
  255.255.255.0 any eq 137
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in
!-- accordance with existing security policies and
!-- configurations
!
!-- Explicit deny for all other IP traffic
!
access-list tACL-Policy-Egress extended deny ip any any
!
!-- Apply tACL to interface(s) in the ingress direction
!
access-group tACL-Policy-Egress in interface inside
!

Mitigation: Application Layer Protocol Inspection

Application layer protocol inspection is available beginning in software release 7.2(1) for the Cisco ASA 5500 Series Adaptive Security Appliance and the Cisco PIX 500 Series Security Appliance and in software release 4.0(1) for the Firewall Services Module. This advanced security feature performs deep packet inspection of traffic that transits the firewall. Administrators may construct an inspection policy for applications that require special handling through the configuration of inspect class maps and inspect policy maps, which are applied via a global or interface service policy.

Additional information about application layer protocol inspection is in the Applying Application Layer Protocol Inspection section of the Cisco Security Appliance Command Line Configuration Guide.

Caution: Application layer protocol inspection will decrease firewall performance. Administrators are advised to test performance impact in a lab environment before this feature is deployed in production environments.

HTTP Application Inspection

By using the HTTP inspection engine on the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco PIX 500 Series Security Appliances, and the Firewall Services Module, administrators can configure regular expressions (regexes) for pattern matching and construct inspect class maps and inspect policy maps. These methods can help detect and protect against specific vulnerabilities, such as the ones described in this document, and other threats that may be associated with HTTP traffic. The following HTTP application inspection configuration uses the Cisco Modular Policy Framework (MPF) to create a policy for inspection of traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco IPS #WEBPORTS variable. The HTTP application inspection policy will log and drop connections where the HTTP GET request method contains the regex value of WPAD.DAT (case-insensitive) that is configured to match endpoints trying to download the Proxy Auto Configuration File.

Caution: The configured regex can match text strings in the HTTP request Uniform Resource Identifier (URI) field. Care should be taken to ensure that legitimate business applications that use matching text strings are not affected. Additional information about regex syntax is in Creating a Regular Expression.

!-- Configure case-insensitive regex for WPAD.DAT that
!-- that is associated with this endpoints attempting
!-- to download the WPAD.DAT Proxy Auto Configuration
!-- File
! 
regex WPAD-HTTP-GET "\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]"
! 
!-- Configure a HTTP inspect class to match the HTTP
!-- method type (GET) and the regex value for the URI
!-- that was previously configured above
!
class-map type inspect http match-all WPAD-HTTP-GET-REQ
 match request method get
 match request uri regex WPAD-HTTP-GET
!
!-- Configure an object group for the default ports that 
!-- are used by the Cisco IPS #WEBPORTS variable, which 
!-- are TCP ports 80 (www), 3128, 8000, 8010, 8080, 8888, 
!-- and 24326
!
object-group service WEBPORTS tcp
 port-object eq www 
 port-object eq 3128 
 port-object eq 8000 
 port-object eq 8010 
 port-object eq 8080 
 port-object eq 8888 
 port-object eq 24326 
!
!-- Configure an access list that uses the WEBPORTS object 
!-- group, which will be used to match TCP packets that 
!-- are destined to the #WEBPORTS variable that is used 
!-- by a Cisco IPS device
!
access-list Webports-ACL extended permit tcp any any object-group WEBPORTS 
 !
!-- Configure a class that uses the above-configured
!-- access list to match TCP packets that are destined
!-- to the ports that are used by the Cisco IPS #WEBPORTS
!-- variable
!
class-map Webports-Class
 match access-list Webports-ACL
!
!-- Configure an HTTP application inspection policy that  
!-- looks for and drops connections that contain HTTP  
!-- protocol violations and looks for and drops connections   
!-- that contain the regexes for the affected ActiveX Class
!-- ID or Program ID that are configured above
! 
policy-map type inspect http HTTP-Policy
 parameters
!
!-- The "protocol-violation" configuration below is not
!-- required to detect endpoints attempting to download
!-- the WPAD.DAT Proxy Auto Configuration File but it is
!-- included to provide more robust protection against
!-- potential HTTP attacks. Care should be taken to ensure
!-- the legitimate applications that do not fully conform
!-- to the HTTP protocol standards are not dropped by this
!-- inspection
!
  protocol-violation action drop-connection
 class WPAD-HTTP-GET-REQ
  drop-connection log
!
!-- Add the above-configured "Webports-Class" that matches 
!-- TCP packets destined to the default ports that used by
!-- the Cisco IPS #WEBPORTS variable to the default policy
!-- "global_policy" and use it to inspect HTTP traffic that
!-- transits the firewall
! 
policy-map global_policy
 class Webports-Class
  inspect http HTTP-Policy
!
!-- By default, the policy "global_policy" is applied 
!-- globally, which results in the inspection of 
!-- traffic that enters the firewall from all interfaces 
!
service-policy global_policy global
!

For additional information about the configuration and use of object groups, reference the Cisco Security Appliance Command Reference for object-group.

Additional information about HTTP application inspection and the MPF is in the HTTP Inspection Overview section of the Cisco Security Appliance Command Line Configuration Guide.

DNS Application Inspection

Using the DNS application inspection engine on the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco PIX 500 Series Security Appliances, and the Firewall Services Modules, administrators can configure regexes for pattern matching and construct inspect class maps and inspect policy maps. These methods can help detect and protect against specific vulnerabilities such as the one described in this document. The DNS application inspection policy will log and drop connections for which the DNS query message contains the regular expression that is configured to match the wpad (case-insensitive) label for a domain that is associated with these vulnerabilities.

The following Modular Policy Framework (MPF) policy inspects all DNS traffic and will apply the configured actions and parameters:

!-- Configure case-insensitive regex for the label that
!-- matches a DNS query message that begins with "wpad"
!
regex WPAD-DNS-LABEL "^[Ww][Pp][Aa][Dd]\x2e?"
!
!-- Create a regex class map to match on the regex that
!-- was previously configured above 
!
class-map type regex match-any WPAD-DNS-CLASS
 match regex WPAD-DNS-LABEL
!
!-- Configure a DNS application inspection policy that
!-- looks for and drops packets that contain that the
!-- regex for the DNS domain label that is associated
!-- with these vulnerabilities
!
!-- The inspect policy map also includes the default
!-- parameter setting DNS message length to a maximum
!-- of 512 bytes (Note: if EDNS0 is in use, this value
!-- may need to be increased)
!
policy-map type inspect dns WPAD-DNS-QUERY
 parameters
  message-length maximum 512
 match not header-flag QR
 match question
 match domain-name regex class WPAD-DNS-CLASS
  drop log
!
!-- Replace the default DNS "inspect" statement with
!-- the previously configured policy above that matches 
!-- DNS queries to the default policy "global_policy"
!-- and use it to inspect DNS traffic that transits 
!-- the firewall
! 
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map 
  inspect dns WPAD-DNS-QUERY
!
!-- By default, the policy "global_policy" is applied  
!-- globally, which results in the inspection of traffic  
!-- that enters the firewall from all interfaces 
!
service-policy global_policy global
!

Additional information about DNS application inspection and the MPF is in the DNS Inspection section of the Cisco Security Appliance Command Line Configuration Guide.

Mitigation: Spoofing Protection Using Unicast Reverse Path Forwarding

Some of the vulnerabilities described in this document that have a network attack vector can be exploited by spoofed IP packets. The proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) can provide protection mechanisms for spoofing related to the following vulnerabilities:

• MS09-008 (CVE-2009-0093 and CVE-2009-0094)

Unicast RPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on Unicast RPF to provide complete spoofing protection because spoofed packets may enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. In an enterprise environment, Unicast RPF might be enabled at the Internet edge and at the internal access layer on the user-supporting Layer 3 interfaces.

For additional information about the configuration and use of Unicast RPF, reference the Cisco Security Appliance Command Reference for ip verify reverse-path and the Understanding Unicast Reverse Path Forwarding Applied Intelligence white paper.

Identification: Transit Access Control Lists

After the tACL has been applied to an interface, administrators can use the show access-list command to identify the number of NetBIOS Name Service (NBNS) packets on UDP port 137 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities. Example output for show access-list tACL-Policy-Ingress and show access-list tACL-Policy-Egress follows:

Ingress Transit ACL Policy

firewall#show access-list tACL-Policy-Ingress
access-list tACL-Policy-Ingress line 1 extended permit udp host 192.168.100.1
  192.168.60.0 255.255.255.0 eq 137 (hitcnt=72)
access-list tACL-Policy-Ingress line 2 extended deny udp any 192.168.60.0
  255.255.255.0 eq 137 (hitcnt=309)
access-list tACL-Policy-Ingress line 3 extended deny ip any any (hitcnt=4987)
firewall#

In the preceding example, access list tACL-Policy-Ingress has dropped 309 NetBIOS Name Service (NBNS) packets on UDP port 137 received from an untrusted host or network.

Egress Transit ACL Policy

firewall#show access-list tACL-Policy-Egress
access-list tACL-Policy-Egress line 1 extended permit udp 192.168.60.0 255.255.255.0
  host 192.168.100.1 eq 137 (hitcnt=59)
access-list tACL-Policy-Egress line 2 extended deny udp 192.168.60.0 255.255.255.0
  any eq 137 (hitcnt=237)
access-list tACL-Policy-Egress line 3 extended deny ip any any (hitcnt=3921)
firewall#

In the preceding example, access list tACL-Policy-Egress has dropped 237 NetBIOS Name Service (NBNS) packets on UDP port 137 received from an untrusted host or network.

In addition, syslog message 106023 can provide valuable information, which includes the source and destination IP address, the source and destination port numbers, and the IP protocol for the denied packet.

Identification: Firewall Access List Syslog Messages

Firewall syslog message 106023 will be generated for packets denied by an access control entry (ACE) that does not have the log keyword present. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 106023.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is available in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is available in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerabilities described in this document that have a network attack vector. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is available in Creating a Regular Expression.

firewall#show logging | grep 106023
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.191/137
  dst outside:192.168.2.18/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.250/137
  dst outside:192.168.3.175/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.33/137
  dst outside:192.168.3.200/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.2.91/137
  dst inside:192.168.60.19/137 by access-group "tACL-Policy-Ingress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.3.211/137
  dst inside:192.168.60.43/137 by access-group "tACL-Policy-Ingress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.240/137
  dst outside:192.168.2.99/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.115/137
  dst outside:192.168.2.100/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.4.117/137
  dst inside:192.168.60.98/137 by access-group "tACL-Policy-Ingress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.3.175/137
  dst inside:192.168.60.150/137 by access-group "tACL-Policy-Ingress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src inside:192.168.60.38/137
  dst outside:192.168.4.88/137 by access-group "tACL-Policy-Egress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.2.47/137
  dst inside:192.168.60.140/137 by access-group "tACL-Policy-Ingress"
Mar 10 2009 13:15:13: %ASA-4-106023: Deny udp src outside:192.168.2.200/137
  dst inside:192.168.60.215/137 by access-group "tACL-Policy-Ingress"
firewall#

In the preceding example, the messages logged for tACL policies tACL-Policy-Ingress and tACL-Policy-Egress show NetBIOS Name Service (NBNS) packets for UDP port 137 sent to the address block assigned to affected devices.

Additional information about syslog messages for ASA and PIX security appliances is available in Cisco Security Appliance System Log Messages. Additional information about syslog messages for the FWSM is available in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages.

For additional information about investigating incidents using Syslog Events, reference the Identifying Incidents Using Firewall and IOS Router Syslog Events Applied Intelligence white paper.

Identification: Application Layer Protocol Inspection

HTTP Application Inspection

Firewall syslog message 415006 will be generated when the URI in a HTTP packet matches a user-defined regular expression. The syslog message will identify the corresponding HTTP class and indicate the action that is applied to the HTTP packet. Additional information about this syslog message is in Cisco Security Appliance System Log Message - 415006.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit these vulnerabilities. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

!-- Note: The following regex string for the show logging
!-- command's grep argument is wrapped on a second line.
!-- For this regex string to work as expected, it must be
!-- entered as a single string value to the grep argument,
!-- and it must not be wrapped.
firewall# show logging | grep 304001\: .*[Ww][Pp][Aa][Dd]\.[Dd][Aa][Tt]
  |415006\: .*WPAD|507003\: |302014\: .*closed by inspection
Mar 10 2009 14:13:07: %ASA-5-304001: 192.168.60.71 Accessed URL
  192.168.0.1:/WPAD.DAT
Mar 10 2009 14:13:07: %ASA-5-415006: HTTP - matched Class 28:
  WPAD-HTTP-GET-REQ in policy-map HTTP-Policy, URI matched -
  Dropping connection from inside:192.168.60.71/3985 to
  outside:192.168.0.1/80
Mar 10 2009 14:13:07: %ASA-4-507003: tcp flow from
  inside:192.168.60.71/3985 to outside:192.168.0.1/80
  terminated by inspection engine, reason - disconnected,
  dropped packet.
Mar 10 2009 14:13:07: %ASA-6-302014: Teardown TCP connection
  2869069 for outside:192.168.0.1/80 to
  inside:192.168.60.71/3985 duration 0:00:00 bytes 0 Flow
  closed by inspection
firewall#

In the preceding example, the show logging | grep command is used to search for syslog messages that correlate to the traffic of a device or devices attempting to download the WPAD.DAT file using an HTTP GET request.

With HTTP application inspection enabled, the show service-policy inspect protocol command will identify the number of HTTP packets that are inspected and dropped by this feature. The following example shows output for show service-policy inspect http:

firewall# show service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
    Class-map: Webports-Class
      Inspect: http HTTP-Policy, packet 1277, drop 13, reset-drop 0
        protocol violations
          packet 3
        class WPAD-HTTP-GET-REQ
          drop-connection log, packet 10

firewall#

In the preceding example, 1277 HTTP packets have been inspected and 13 HTTP packets have been matched and dropped by the WPAD-HTTP-GET-REQ class.

DNS Application Inspection

Firewall syslog message 410003 will be generated when a DNS message matches a user-defined regular expression. The syslog message will identify the corresponding DNS class and indicate the action that is applied to the DNS message. Additional information about this syslog message is in Cisco Security Appliance System Log Message - 410003.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit these vulnerabilities. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

firewall# show logging | grep 410003\: .*Dropped DNS request
Mar 10 2009 13:10:32: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32940) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:10:37: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32940) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:10:42: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32940) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:10:47: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32940) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:10:52: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32941) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:10:57: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32941) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:11:02: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32941) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
Mar 10 2009 13:11:07: %ASA-4-410003: DNS Classification: Dropped DNS request
  (id 32941) from inside:192.168.60.41/36579 to outside:192.168.100.53/53;
  matched Class 27: match domain-name regex class wpad-dns-label
firewall#

With DNS application inspection enabled, the show service-policy inspect protocol command will identify the number of DNS packets that are inspected and dropped by this feature. The following example shows output for show service-policy inspect dns:

firewall# show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns WPAD-DNS-QUERY, packet 691, drop 8, reset-drop 0
        dns-guard, count 16
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        match not header-flag QR
        match question
        match domain-name regex class WPAD-DNS-CLASS
          drop log, packet 8
firewall#

In the preceding example, 691 DNS packets have been inspected and 8 DNS packets have matched the configured reqex in a DNS query message, and have been logged and dropped.

Identification: Spoofing Protection Using Unicast Reverse Path Forwarding

Firewall syslog message 106021 will be generated for packets denied by Unicast RPF. Additional information about this syslog message is available in Cisco Security Appliance System Log Message - 106021.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance or the Cisco PIX 500 Series Security Appliance is in Monitoring the Security Appliance - Configuring and Managing Logs. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerabilities described in this document that have network attack vector. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

firewall#show logging | grep 106021
Mar 10 2009 00:15:13: %ASA-1-106021: Deny UDP reverse path check from
   192.168.0.1 to 192.168.0.100 on interface outside
Mar 10 2009 00:15:13: %ASA-1-106021: Deny UDP reverse path check from
   192.168.0.1 to 192.168.0.100 on interface outside
Mar 10 2009 00:15:13: %ASA-1-106021: Deny TCP reverse path check from
   192.168.0.1 to 192.168.0.100 on interface outside
firewall#

The show asp drop command can also identify the number of packets that the Unicast RPF feature has dropped, as shown in the following example:

firewall#show asp drop frame rpf-violated
  Reverse-path verify failed                          11
firewall#

In the preceding example, Unicast RPF has dropped 11 IP packets received on interfaces with Unicast RPF configured. Absence of output indicates that the Unicast RPF feature on the firewall has not dropped packets.

For additional information about debugging accelerated security path dropped packets or connections, reference the Cisco Security Appliance Command Reference for show asp drop.

Cisco Intrusion Prevention System

Mitigation: Cisco IPS Signature Event Actions

Administrators can use the Cisco Intrusion Prevention System (IPS) appliances and services modules to provide threat detection and help prevent attempts to exploit several of the vulnerabilities described in this document. The following table provides an overview of CVE identifiers and the respective Cisco IPS signatures that will trigger events on potential attempts to exploit these vulnerabilities.

* Fidelity is also referred to as Signature Fidelity Rating (SFR) and is the relative measure of the accuracy of the signature (predefined). The value ranges from 0 through 100 and is set by Cisco Systems, Inc.

Administrators can configure Cisco IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the vulnerabilities listed in the preceding table.

Exploits that use spoofed IP addresses may cause a configured event action to inadvertently deny traffic from trusted sources.

Cisco IPS sensors are most effective when deployed in inline protection mode combined with the use of an event action. Automatic Threat Prevention for Cisco IPS 6.x sensors that are deployed in inline protection mode provides threat prevention against an attack that is attempting to exploit the vulnerabilities that are described in this document. Threat prevention is achieved through a default override that performs an event action for triggered signatures with a riskRatingValue greater than 90.

Cisco IPS 5.x sensors that are deployed in inline protection mode require an event action configured on a per-signature basis. Alternatively, administrators can configure an override that can perform an event action for any signatures that are triggered and are calculated as a high-risk threat. Using an event action on sensors deployed in inline protection mode provides the most effective exploit prevention.

For additional information about the risk rating and threat rating calculation, reference Risk Rating and Threat Rating: Simplify IPS Policy Management.

IPS Signature Event Data

The following data has been compiled through remote monitoring services provided by the Cisco Remote Management Services team from a sample group of Cisco IPS sensors running Cisco IPS Signature Update version S386 or greater. The purpose of this data is to provide visibility into attempts to exploit the vulnerabilities released as part of the Microsoft March Security Update released on March, 10, 2009. This data was gathered from events triggered on March, 24, 2009.

Cisco Security Monitoring, Analysis, and Response System

Identification: Cisco Security Monitoring, Analysis, and Response System Incidents

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliance can create incidents on events for the following Microsoft Security Bulletins. After the S386 dynamic signature update has been downloaded, using the following keywords for each of the respective IPS signatures and a query type of All Matching Events or All Matching Event Raw Messages on the Cisco Security MARS appliance will provide a report that lists the incidents created by these IPS signatures.

Beginning with the 4.3.1 and 5.3.1 releases of Cisco Security MARS appliances, support for the Cisco IPS dynamic signature updates feature has been added. This feature downloads new signatures from Cisco.com or from a local web server, correctly processes and categorizes received events that match those signatures, and includes them in inspection rules and reports. These updates provide event normalization and event group mapping, and they also enable the MARS appliance to parse new signatures from the IPS devices.

Caution: If dynamic signature updates are not configured, events that match these new signatures appear as unknown event type in queries and reports. Because MARS will not include these events in inspection rules, incidents may not be created for potential threats or attacks that occur within the network.

By default, this feature is enabled but requires configuration. If it is not configured, the following Cisco Security MARS rule will be triggered:

  System Rule: CS-MARS IPS Signature Update Failure

When this feature is enabled and configured, administrators can determine the current signature version downloaded by MARS by selecting Help > About and reviewing the IPS Signature Version value.

Additional information about dynamic signature updates and instructions for configuring dynamic signature updates are available for the Cisco Security MARS 4.3.1 and 5.3.1 releases.

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

• Microsoft Security Bulletin Summary for March 2009
• Cisco Applied Mitigation Bulletins
• Cisco Security Center
• Understanding Cross-Site Scripting (XSS) Threat Vectors
• Transit Access Control Lists: Filtering at Your Edge
• Cisco IOS Flexible Packet Matching (FPM) - Home Page on Cisco.com
• Cisco IOS Flexible Packet Matching (FPM) White Papers
• Flexible Packet Matching Deployment Guide
• Flexible Packet Matching Feature Guide
• Flexible Packet Matching XML Configuration
• Getting Started with Cisco IOS Flexible Packet Matching
• Cisco IOS NetFlow - Home Page on Cisco.com
• Cisco IOS NetFlow White Papers
• NetFlow Performance Analysis
• Cisco Network Foundation Protection White Papers
• Cisco Network Foundation Protection Presentations
• A Security-Oriented Approach to IP Addressing
• Cisco Firewall Products - Home Page on Cisco.com
• Unicast Reverse Path Forwarding Enhancements for the Internet Service Provider
• Cisco 6.x Intrusion Prevention System
• Cisco IPS 6.x Signature Downloads
• Cisco IPS Signature Search Page
• Cisco Security Monitoring, Analysis, and Response System
• Cisco Security Agent
• Common Vulnerabilities and Exposures (CVE)

Version 1, March 10, 2009, 3:48 PM: This initial version of the Cisco Applied Mitigation Bulletin addresses the Microsoft Security Bulletin Release for March 2009.