Exploit Theater : MS11-083 and Defense-in-Depth

A very interesting (OK, it was pretty cool) vulnerability in the TCP stack of Windows Vista and above (including 32-bit and 64-bit versions and Windows Server 2008) was recently announced and patched. This vulnerability is of particular note not just because of the wide range of products that it affected, but because of how the vulnerability worked.

Microsoft published this in its advisory on the vulnerability: ”A remote code execution vulnerability exists in the Windows TCP/IP stack due to the processing of a continuous flow of specially crafted UDP packets. An attacker who successfully exploited this vulnerability could run arbitrary code. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” – Microsoft Technet Bulletin

The issue resides in a reference counter, which overflows and causes some erratic system behavior which could (in some cases) result in remote code execution. The kicker? This vulnerability can be run on any closed UDP port. That’s right, a vulnerability that affects a closed port. The Windows firewall doesn’t work against this because it’s a vulnerability in the way that the driver tracks number of packets. In order to trigger the vulnerability, an attacker sends 2^32 packets to the target. The attacker will most likely this more than once, since code execution is just one of four execution paths that can occur. 2^32 packets translates about 4 billion packets, which would mean more than 4 gigabytes of traffic.

Something like this should be hard to pull off and incredibly loud to the point of impossibility, especially since there is a good chance of the target crashing. Surely someone would see the traffic, get an alert from the intrusion detection system, be patched, or have some other mechanism in place to prevent this from working. Sadly, some of my friends who work for large corporate IT departments informed me that this wasn’t true. They complained that the thousands of alerts on their detection systems caused their personnel to ignore the alerts or refuse to work on them. There were too many to handle. Another informed me that his company didn’t run IDS services at all. I know that some places also don’t have the manpower to look into spurious crashes or rebooting, or have the ability to quickly find anomalous traffic patterns to hosts within their domains. This came as a bit of a disappointment, because MS11-083 is not a big deal if you have a firewall in front of vulnerable devices, discarding packets before they reach their intended target. If you don’t, and you don’t have any monitoring services, you’ll find yourself in trouble (probably from more than just MS11-083).

This exploit just illustrates that a lot of our vulnerabilities come from not implementing a defense-in-depth that arcs from our end users to our servers. Network segmentation, policy, DMZ, firewalls, intrusion prevention/detection, endpoint protection, and vulnerability scanners are important pieces of the security architecture that require each other in order to be completely effective.

If you have a solid defense in depth approach and a new vulnerability is announced, you can generally respond much more effectively.