Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Cisco security notice mentions the blaster worm possibly affectin

Cisco security notice mentions the blaster worm possibly affectin

From: Rodrigues, Bryan <BRodrigues_at_elcom.com>
Date: Thu, 14 Aug 2003 08:29:32 -0800
Message-ID: <F001.005CAAF0.20030814082932@fatcity.com>


My network admin sent me this Cisco security notice. In this notice there is a section about how the worm can affect a windows server running Oracle 9i and Kerberos.

Here is the section from the notice that was brought to my attention:

TCP port 4444 is used for Kerberos authentication and Oracle9i communication. A
host fully infected with the W32.Blaster worm opens a command shell on this port, allowing the machine to be controlled remotely. Blocking this port may prevent an infected machine from being used for further malicious activities,
but may block existing Kerberos authentication functionality or Oracle9i implementations within your network.

I have pasted the complete notice at the end of the message.

Bryan Rodrigues
Oracle DBA
Elcom, Inc.

[mailto:psirt_at_cisco.com]
Sent: Wednesday, August 13, 2003 10:00 PM To: cust-security-announce_at_cisco.com
Cc: psirt_at_cisco.com

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Cisco Security Notice: W32.BLASTER Worm Mitigation Recommendations


Revision 1.0 INTERIM


-



--

Contents


    Summary
    Details
    Detection

         Using IOS with NetFlow Enabled to Detect Infected Hosts
         Using CatOS with Sup2 and MLS to Detect Infected Hosts
         CSIDS Signature

    Symptoms
    Affected Products
    Software Versions and Fixes

         Cisco CallManager, Cisco Customer Response Server, Cisco Personal     Assistant, Cisco Conference Connection, Cisco Emergency Responder

         Cisco Building Broadband Service Manager
         Other Windows-based Cisco Products
    Obtaining Fixed Software
    Workarounds
         ACL for IOS
         Cisco 12000
         VACL on the 6500
         Catalyst 3550
         Catalyst 2950
         Catalyst 2900XL and 3500XL
         PIX

    Exploitation and Public Announcements     Status of This Notice: INTERIM
    Distribution
    Revision History
    Cisco Security Procedures
    Related Information

-



--

Summary


Cisco customers are currently experiencing attacks due to a new worm that is active on the Internet. The signature of this worm appears as UDP traffic to port 69 and high volumes of TCP traffic to port 135 and 4444. Affected customers have been experiencing high volumes of traffic from both internal and
external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products which need software supplied by Cisco to patch properly.

The worm has been referenced by the name "W32.Blaster" and "msblast.exe". This
worm exploits a vulnerability previously disclosed by Microsoft, details of which can be found at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Details


Details of the worm can be found on Microsoft's web site:

http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp

The effects of this worm can be mitigated by blocking the required ports it uses to spread itself, scan for new infections, and propagate the executable code. This document focuses on blocking the spread of the worm, either before
or after your internal network is infected. This worm spreads using valid ports, blocking those ports may break existing functionality, such as file sharing, TFTP or Kerberos authentication. As with all network configurations,
Cisco recommends you establish documentation of baseline traffic during normal
times, and use that to make decisions about blocking ports or traffic in your
network. Block ports with caution to avoid disabling functionality in your network. Brief descriptions of the normal usage of these ports is listed below.

TCP port 135 is used for the MS RPC protocol. This is often used to share files
on local network segments, and rarely used to share files over WAN segments. This is the port where the initial vulnerability is exploited, initiating a sequence of events that fully infects a machine. Blocking port 135 can prevent
initial infections, but may disable existing filesharing functionality within
your network.

UDP port 69 is used for Trivial File Transport Protocol (TFTP), often used to
load new software images or configurations to networked devices. A host infected with the W32.Blaster worm opens up this port to transfer the msblast.exe file from an infected machine to a newly exploited machine. Blocking this port may prevent the spread of the worm from an already infected
machine to vulnerable hosts, but may break existing TFTP functionality within
your network.

TCP port 4444 is used for Kerberos authentication and Oracle9i communication. A
host fully infected with the W32.Blaster worm opens a command shell on this port, allowing the machine to be controlled remotely. Blocking this port may prevent an infected machine from being used for further malicious activities,
but may block existing Kerberos authentication functionality or Oracle9i implementations within your network.

TCP and or UDP ports 137, 138, 139 and 593 have vulnerabilities associated with
them and may leave hosts open to exploitation, but are not currently known to
be directly connected to the spread of the W32.Blaster worm. Cisco recommends
that any unneeded ports, particularly those with known vulnerabilities associated with them, should be blocked both inbound and outbound at edge networks to prevent their remote exploitation.

Detection


Using IOS with NetFlow Enabled to Detect Infected Hosts

NetFlow can be a powerful tool to help identify infected hosts. Netflow must be
enabled on an interface with the command ip route-cache flow.

    Router>show ip cache flow | i 0087     

    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts     

    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.119  06 0B88 0087    1
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.169  06 0BF8 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.63   06 0E80 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.111  06 0CB0 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.95   06 0CA0 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.79   06 0C90 0087    1

Using CatOS with Sup2 and MLS to Detect Infected Hosts

NetFlow can be a powerful tool to help identify infected hosts. Netflow must be
enabled on an interface with the command ip route-cache flow.

    Router>show ip cache flow | i 0087     

    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts     

    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.119  06 0B88 0087    1
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.169  06 0BF8 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.63   06 0E80 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.111  06 0CB0 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.95   06 0CA0 0087    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.79   06 0C90 0087    1

CSIDS Signature

If a Cisco Secure Intrusion Detection System is in use, a signature update file
is available here:
http://www.cisco.com/public/sw-center/ciscosecure/ids/crypto/

To reduce false positives on S49, signature 3327 should be set to only inspect
port 135, and not 139 or 445.

Alternatively, a custom signature string can be added to address this worm. Brief instructions are included here:

    Engine STRING.UDP
    SigName MS Blast Worm TFTP Request
    ServicePorts 69
    RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00     Direction ToService

Symptoms


For symptoms on an infected Microsoft host, please see the Microsoft bulletin
at http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp

Overall network symptoms may manifest as increased load on firewalls, routers
and switches due to increased traffic. You may see instability in networks due
to increased load. The traffic load generated by this worm is high, but appears
to have stabilized after the first 24 hours of infection.

Unexplained network failures may be due to filtering or blocking legitimate services with filters which are too generic -- if devices such as routers or IP
phones appear to not boot, please check that they still have access to a TFTP
server. These devices are not vulnerable to the W32.Blaster worm, but may depend on open TFTP functionality when they boot to load software or configuration files.

Affected Products


To determine if a product is vulnerable, review the list below. If the software
versions or configuration information are provided, then only those combinations are vulnerable. This is a list of appliance software which needs
patches downloaded from Cisco.

      + BBSM Version 5.1
       
      + BBSM Version 5.2
       
      + HotSpot 1.0
       

Other Cisco products which run on a Microsoft based operating system should strongly consider loading the patch from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

This list is not all inclusive, please refer to Microsoft's bulletin if you think you have an affected Microsoft platform.

      + CiscoWorks VPN/Security Management Solution (CWVMS)
       
      + User Registration Tool
       
      + Lan Management Solution
       
      + Routed WAN Management
       
      + Service Management
       
      + VPN/Security Management Solution
       
      + IP Telephony Environment Monitor
       
      + Wireless Lan Solution Engine
       
      + Small Network Management Solution
       
      + QoS Policy Manager
       
      + Voice Manager
       
      + Cisco Secure Scanner
       
      + Cisco Secure Policy Manager (CSPM)
       
      + Access Control Server (ACS)
       

Software Versions and Fixes


Cisco CallManager, Cisco Customer Response Server, Cisco Personal Assistant, Cisco Conference Connection, Cisco Emergency Responder

If the operating system version is Win2000 2.4, customers should download and
install one of the following options:

Both are available at http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des.

Cisco Building Broadband Service Manager

Software is now available on Cisco's website to patch BBSM 5.1, 5.2, and HotSpot 1.0.

Instructions for installing service patches on BBSM can be found here: http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm52/user/use52_ 05.htm#50416

Other Windows-based Cisco Products

Customers should download the Security Patch directly from Microsoft and follow
the directions for installation:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Obtaining Fixed Software


Where Cisco provides the operating system bundled with the product, Cisco is offering free software patches to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased.

Customers with service contracts should contact their regular update channels
to obtain any software patch containing the feature sets they have purchased.
For most customers with service contracts, this means that patches should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/tacpage/sw-center/.

Customers whose Cisco products are provided or maintained through a prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software patch(es).

Customers who purchased directly from Cisco but who do not hold a Cisco service
contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should obtain fixed software by contacting the Cisco Technical Assistance Center (TAC)
using the contact information listed below. In these cases, customers are entitled to obtain a patch to a later version of the same release or as indicated by the applicable row in the Software Versions and Fixes table (noted
above).

Cisco TAC contacts are as follows:

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade.

Please do not contact either "psirt_at_cisco.com" or "security-alert_at_cisco.com" for software upgrades.

Workarounds


This section is focused on mitigation techniques for the W32.Blaster worm using
existing Cisco products in your network. These techniques should be applied both inbound and outbound at the edge of network segments if it is determined
they will not affect existing network functionality. Affected systems will still be infected and able to spread within contained sections of the network,
therefore it is recommended that all affected servers be patched according to
Microsoft's recommendations.

Although each of these examples show how to block all affected ports, it may not be necessary to block all ports. If you have no infected hosts within your
network, it may be acceptable to only block port 135 at your network edge, this
would prevent infection from outside your network without impeding existing TFTP and Kerberos services. Using NetFlow to identify normal traffic flow on your network will aid you in applying these mitigation techniques with the least impact.

General information regarding strategies for protecting against Distributed Denial of Service attacks may be found at http://www.cisco.com/warp/public/707/newsflash.html.

Caution: As with any configuration change in a network, evaluate the impact of this configuration prior to applying the change.

ACL for IOS

This workaround applies to most router platforms unless a platform is mentioned
specifically below.

Note: If you are trying to track source addresses, use Sampled NetFlow, rather
than "log" statements in ACLs as the high traffic in combination with the log
statement can overwhelm the router.          

    ! --- block TFTP     

    access-list 115 deny udp any any eq 69     

    ! --- block W32.Blaster related protocols     

    access-list 115 deny tcp any any eq 135     access-list 115 deny udp any any eq 135     

    ! --- block other vulnerable MS protocols     

    access-list 115 deny udp any any eq 137
    access-list 115 deny udp any any eq 138
    access-list 115 deny tcp any any eq 139
    access-list 115 deny udp any any eq 139
    access-list 115 deny tcp any any eq 445
    access-list 115 deny tcp any any eq 593
    

    ! --- block remote access due to W32.Blaster     

    access-list 115 deny tcp any any eq 4444     

    ! --- Allow all other traffic -- insert     ! --- other existing access-list entries here     

    access-list 115 permit ip any any
    interface <interface>
    ip access-group 115 in
    ip access-group 115 out

The worm will attempt to send packets to random IP addresses, some of which may
not exist. When that occurs, the router will reply with an "ICMP unreachable"
packet. In some cases, replying to a large number of requests with invalid IP
addresses may result in degradation of the router's performance. To prevent that from occurring, use the following command:

    Router(config)# interface <interface>     Router(if-config)# no ip unreachables

Caution: Common network configurations, such as certain types of tunnel structures, require the use of "ip unreachables". If the router must be able to send "ICMP unreachable" packets, you can rate limit the number of replies using the following command:

    Router(config)# ip icmp rate-limit unreachable <millisecond>

Beginning with Cisco IOS Software Release 12.0, the default rate limiting is set to two packets per second (500 ms), a value of 2000 ms is commonly used.

Cisco 12000

Receive ACL Feature-On a Cisco 12000 (GSR) series router, packets destined to
the router's ip addresses are "punted" to the gigabit route processor (GRP) for
processing. In order to protect the GRP, receive ACLs (rACLs) can be applied.
rACLs filter traffic destined to the GRP and only traffic explicitly permitted
is processed by the GRP, denied traffic is dropped. In general, rACLs do not affect transit traffic (traffic flowing through a router), only traffic destined to the router itself.

rACLs are an extremely effective countermeasure for mitigating the effects of
excessive attack traffic destined to the GRP. For more information please refer
to: GSR: Receive Access Control Lists.

VACL on the 6500

Cisco recommends the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3 and
Hybrid and Native configurations of the Cisco Catalyst 6500, however a VACL configuration example is provided for your convenience. Additionally, the use
of "no ip unreachables" is recommended.

Caution: As when making any configuration change, use caution when using VACLs in conjunction with IOS ACLs. Be aware that VACLs apply to all traffic within the VLAN, regardless of direction.

To configure:          

    ! --- block TFTP     

    set security acl ip BLASTER deny udp any any eq 69     

    ! --- block vulnerable MS protocols
    ! --- Blaster related     

    set security acl ip BLASTER deny tcp any any eq 135     set security acl ip BLASTER deny udp any any eq 135     

    ! --- Non-blaster related     

    set security acl ip BLASTER deny tcp any any eq 137     set security acl ip BLASTER deny udp any any eq 137     set security acl ip BLASTER deny tcp any any eq 138     set security acl ip BLASTER deny udp any any eq 138     set security acl ip BLASTER deny tcp any any eq 139     set security acl ip BLASTER deny udp any any eq 139     set security acl ip BLASTER deny tcp any any eq 593     

    ! --- block remote access due to W32.Blaster     

    set security acl ip BLASTER deny tcp any any eq 4444     

    ! --- Allow all other traffic
    ! --- insert other existing access-list entries here     

    set security acl ip BLASTER permit any any     

    ! -- applies both inbound and outbound     

    commit security acl BLASTER
    set security acl map BLASTER <vlans>

To verify:

    show security acl info all

To remove:

    clear security acl BLASTER
    commit security acl BLASTER

Catalyst 3550

Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces in both the inbound and/or outbound direction. Ensure
'no ip unreachable' is configured on the interface.

Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not
also applied to the input of a Layer 3 interface (an error message is generated
upon attempts to do so). For Layer 2 interfaces the IOS ACL is supported on the
physical interfaces only and not on EtherChannel interfaces. It can be applied
on the inbound direction only.

Catalyst 2950

Apply the IOS ACL to the interface. Note that ACL's are only supported in the
inbound direction. To apply ACLs to physical interfaces the enhanced software
image (EI) must be installed.

Catalyst 2900XL and 3500XL

These are Layer 2 switches with no Layer 3 access list support.

PIX The default behavior of the PIX is to block traffic from lower security level
interfaces (OUTSIDE) to higher security level interfaces (INSIDE) unless the affected ports and protocols have been explicitly permitted by an access-list
or conduit.

In addition, Cisco recommends blocking traffic from higher security level interfaces (INSIDE) to lower security level interfaces (OUTSIDE).

Customers should deny outbound attempts to these ports:

    access-list acl_inside deny udp any any eq 69
    access-list acl_inside deny tcp any any eq 135
    access-list acl_inside deny udp any any eq 135
    access-list acl_inside deny tcp any any eq 137
    access-list acl_inside deny udp any any eq 137
    access-list acl_inside deny tcp any any eq 138
    access-list acl_inside deny udp any any eq 138
    access-list acl_inside deny tcp any any eq 139
    access-list acl_inside deny udp any any eq 139
    access-list acl_inside deny tcp any any eq 445
    access-list acl_inside deny tcp any any eq 593
    access-list acl_inside deny tcp any any eq 4444
    

    ! --- insert previously configured acl statements here,     ! --- or permit all other traffic out     

    access-list acl_inside permit ip any any

    access-group acl_inside in interface inside

The corresponding outbound lists may be applied, however, ACLs are strongly recommended in lieu of outbound lists.

Exploitation and Public Announcements


This issue is being exploited actively and has been discussed in numerous public announcements and messages. References include:

Status of This Notice: INTERIM


This is a DRAFT notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice when there is material change in the facts.

Distribution


This notice will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

Future updates of this notice, if any, will be placed on Cisco's worldwide web.
Users concerned about this problem are encouraged to check the URL given above
for any updates.

Revision History


+---------------------------------------------+
| Revision | 14-August-2003 | Initial Public  |
| 1.0      |                | Release         |
+---------------------------------------------+

Cisco Security Procedures


If you have any new information that would be of use to us, please send email
to psirt_at_cisco.com.

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt/.

-



--

Related Information


-



--

All contents are Copyright 1992-2003 Cisco Systems, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----

Version: PGP 6.5.2

iQA/AwUBPzrrJnsxqM8ytrWQEQJ6pwCg2o5QLyxKh3oRAfeWuJuojb0vPRwAoKF+ WzBOI007jdkAXBLTUPt5laVi
=+Izn
-----END PGP SIGNATURE-----

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: Rodrigues, Bryan
  INET: BRodrigues_at_elcom.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services

---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Thu Aug 14 2003 - 11:29:32 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US