Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems, also known as endpoints. It identifies and prevents malicious behavior, thereby eliminating known and unknown security risks.
A vulnerability exists in which a properly timed sequence of buffer overflow attacks can evade the protection CSA offers. Two preconditions apply: the system under attack must contain an unpatched vulnerability in the system software that CSA is configured to protect, and a user must be interactively logged in while the attack takes place.
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20041111-csa.shtml
Affected Products:
The following products are affected:
* Cisco Security Agent versions up to and excluding 4.0.3 build 728
* Cisco Security Agent 3.x versions
* Okena Stormwatch 3.x versions
CSA versions prior to 4.0.3.728 contain a vulnerability in the buffer overflow handling code that allows the protection offered by CSA to be evaded. The evasion is timing dependent: of two closely spaced overflow attacks, the second is not processed by CSA.
In a vulnerable release a buffer overflow triggers the Overflow heuristic, which generates a query to the logged-in user. The query carries a countdown timer of 5 minutes, after which the default action of "Terminate" is taken if the user has not made a selection. A second or subsequent buffer overflow attack that arrives during this countdown period is not trapped by CSA.
The result is that a sequence of two buffer overflow attacks in quick succession can cause the second to bypass CSA protection. If the attack targets a vulnerable, unpatched system process, privileged access may result.
Agents prior to 4.0.3.728 are not affected if no user is logged in or if the hidden GUI option is in effect. Under these circumstances the agent knows that there is no user to respond to a query message, so it immediately takes the default action and terminates the process, leaving no window in which the protection can be evaded.
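The timing window described above, as an added illustrative model (not Cisco's CSA code): a single open user query with a 5-minute countdown, a further overflow during that countdown that is not processed, and the hidden-UI behaviour in which the agent terminates at once. Process IDs, timestamps and the attack sequence are constructed for the example.

```python
# Illustrative model of the overflow-heuristic timing window described in the
# advisory. This is added example code, not Cisco's CSA implementation: it only
# reproduces the decision logic the text describes (one open user query with a
# 5-minute countdown; a further overflow during the countdown is not processed;
# hidden-UI agents terminate immediately). Process IDs and times are constructed.

QUERY_TIMEOUT_S = 300.0   # 5-minute countdown, then the default "Terminate" applies


class OverflowHeuristicModel:
    """Minimal model of a pre-4.0.3.728 agent's Overflow heuristic (assumption)."""

    def __init__(self, hidden_ui=False):
        self.hidden_ui = hidden_ui      # "No user interaction" group setting
        self._query_deadline = None     # when the currently open query times out
        self.log = []                   # (time, pid, disposition)

    def _expire_query(self, now):
        # An unanswered query reaching its countdown: default action taken, query closed.
        if self._query_deadline is not None and now >= self._query_deadline:
            self._query_deadline = None

    def user_answers(self, now):
        """User selects an action on the open query, closing it early."""
        self._query_deadline = None

    def overflow(self, now, pid):
        """Disposition of an overflow event observed at time `now` in process `pid`."""
        self._expire_query(now)
        if self.hidden_ui:
            disposition = "terminated"     # no user to ask: default action at once
        elif self._query_deadline is None:
            self._query_deadline = now + QUERY_TIMEOUT_S
            disposition = "queried"        # query raised, countdown running
        else:
            disposition = "bypassed"       # vulnerable: not trapped while a query is open
        self.log.append((now, pid, disposition))
        return disposition


def simulate(attacks, hidden_ui=False):
    """Run a list of (time_s, pid) overflow events through the model."""
    agent = OverflowHeuristicModel(hidden_ui=hidden_ui)
    return [agent.overflow(t, pid) for t, pid in attacks]


# Constructed attack sequence: two overflows 10 s apart, then two more just
# after the first query's countdown has expired.
ATTACK = [(0.0, 4321), (10.0, 4321), (300.0, 4321), (301.0, 4321)]

if __name__ == "__main__":
    for label, hidden in (("interactive user, default UI", False),
                          ("No user interaction (workaround)", True)):
        print(label, simulate(ATTACK, hidden_ui=hidden))
```

With the default UI the model reports the second event of each pair as bypassed; with the hidden UI every event is terminated, which is why the advisory's workaround removes the window entirely rather than merely shortening it.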
Impact:
The integrity of the system that CSA protects may be compromised: if patches for the underlying system software vulnerabilities have not been applied, an attacker may gain privileged access.
Software Versions and Fixes:
Environments in which CSA is being used should ensure that they are running version 4.0.3.728 or later with a minimum of the default desktop or default server policy enabled.
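A small inventory check, added here as example code (not a Cisco tool), that applies the affected-version rules above: any 3.x agent (CSA or Okena StormWatch) is affected, and a 4.x agent is affected below 4.0.3 build 728. The host names and version strings are constructed.

```python
import re

# First fixed release per the advisory: 4.0.3 build 728.
FIXED_VERSION = (4, 0, 3, 728)


def parse_csa_version(text):
    """Parse '4.0.3.728', '4.0.3 build 728' or 'Okena StormWatch 3.1' into a
    (major, minor, patch, build) tuple; missing trailing components are 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version numbers in {text!r}")
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True if an agent at this version lacks the fix described in the advisory."""
    v = parse_csa_version(version_text)
    if v[0] < 4:          # all 3.x CSA and Okena StormWatch releases are affected
        return True
    return v < FIXED_VERSION


def triage(inventory):
    """Return the hosts whose agent version is affected, sorted by name.
    `inventory` maps host name -> reported agent version string."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed inventory for the example.
INVENTORY = {
    "fileserver01": "4.0.2 build 563",
    "desktop-17":   "4.0.3 build 728",
    "desktop-22":   "4.0.3.729",
    "legacy-web":   "Okena StormWatch 3.1",
    "desktop-09":   "3.2.5",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} -> upgrade to 4.0.3.728 or later")
```

Hosts that the check flags should be upgraded; until then, the "No user interaction" setting described under Workarounds is the mitigating control, alongside patching the underlying system software.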
Workarounds:
Placing the agents into hidden user interface mode defeats this attack technique. This is configured in the CSA Management Console by selecting "No user interaction" in all applicable groups for Microsoft Windows clients.