A buffer overflow vulnerability in a system driver shipped with Cisco Security Agent can be exploited remotely to corrupt kernel memory, leading to a Windows stop error (blue screen) or arbitrary code execution.
The flaw is triggered during processing of a specially crafted TCP segment destined for TCP port 139 or 445, the ports used by the Microsoft Server Message Block (SMB) protocol, according to Cisco’s advisory.
The flaw exists in all versions of Security Agent for Windows. It was reported to the San Jose, Calif.-based networking giant by researchers from the NSFocus Security Team.
Amol Sarwate, head of the vulnerability research lab at Qualys, singled out the Security Agent flaw because exploiting it requires no user interaction: an attacker only needs network reachability to the affected ports.
“That is what we would call an old school vulnerability where an attacker can remotely send packets and cause Windows with that driver running to blue screen or to take arbitrary code,” he said. “It has been assigned a security level of 10, which is the highest level.”
Cisco also warned of a cross-site scripting (XSS) vulnerability in CiscoWorks Common Services, exposed through the CiscoWorks Server login page on both Windows and Solaris installations.
During exploitation, malicious script is embedded in a URL; when a user follows that link and the login attempt fails, the page refresh that follows the unsuccessful login reflects the injected content back to the browser, according to Cisco’s advisory.
An attacker could use social engineering to convince an unsuspecting user to follow a malicious link, according to Cisco, which advised users to patch both flaws.
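As an added illustration (not code from the page, from Cisco, or from CiscoWorks), the following Python sketch shows the reflected-XSS pattern the advisory describes: a failed-login page that echoes request parameters from the URL back into the response unescaped, beside a hardened version that escapes output and validates the redirect target. The hostname, parameter names (`user`, `redirect`) and the HTML layout are assumptions made for the example, not CiscoWorks’ actual parameters or markup.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample request: a login-page URL carrying an injected parameter.
# The host, parameter names and markup below are assumptions for illustration,
# not the real CiscoWorks login page.
SAMPLE_URL = (
    "https://ciscoworks.example/login"
    "?user=admin&redirect=%3Cscript%3Ealert(1)%3C/script%3E"
)


def _params(url: str) -> dict:
    """Parse the query string; parse_qs percent-decodes the values."""
    parsed = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in parsed.items()}


def login_failed_page_vulnerable(url: str) -> str:
    """Failed-login refresh page that reflects query values verbatim (vulnerable).

    Whatever was in the URL ends up in the HTML body and in the refresh target,
    so '<script>...' in a parameter becomes live script in the victim's browser.
    """
    p = _params(url)
    user = p.get("user", "")
    redirect = p.get("redirect", "/login")
    return (
        '<html><head><meta http-equiv="refresh" content="3;url='
        + redirect
        + '"></head><body>Login failed for '
        + user
        + ". Retrying at "
        + redirect
        + "</body></html>"
    )


def _safe_redirect(target: str) -> str:
    """Allow only a local absolute path as a redirect target; otherwise fall back."""
    if target.startswith("/") and not target.startswith("//"):
        # Reject anything that could break out of the attribute or inject markup.
        if all(c not in target for c in '<>"\''):
            return target
    return "/login"


def login_failed_page_fixed(url: str) -> str:
    """Hardened version: HTML-escape reflected values and validate the redirect."""
    p = _params(url)
    user = html.escape(p.get("user", ""), quote=True)
    redirect = html.escape(_safe_redirect(p.get("redirect", "/login")), quote=True)
    return (
        '<html><head><meta http-equiv="refresh" content="3;url='
        + redirect
        + '"></head><body>Login failed for '
        + user
        + ". Retrying at "
        + redirect
        + "</body></html>"
    )


def contains_live_script(page: str) -> bool:
    """Crude check used by the example: is an unescaped <script> tag present?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable reflects script:", contains_live_script(login_failed_page_vulnerable(SAMPLE_URL)))
    print("fixed reflects script:    ", contains_live_script(login_failed_page_fixed(SAMPLE_URL)))
```

The hardened handler does two things a reviewer would look for in this class of bug: every value copied from the request into HTML passes through `html.escape(..., quote=True)`, including values placed inside attributes, and the redirect target is constrained to a local path rather than trusted from the URL. Escaping alone would have neutralized the payload in the advisory; the redirect check additionally closes the open-redirect variant of the same input.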
Cisco credited researcher Dave Lewis with discovering the flaw. Lewis disclosed Wednesday on his blog that he discovered the flaw on Aug. 20 and reported it to Cisco on Sept. 24. Lewis credited Cisco with a “prompt and professional response” to the report.
SANS Internet Storm Center handler Daniel Wesemann said Wednesday on the organization’s diary that administrators should patch systems as soon as possible.
“[Cisco Security Agent] is a ‘personal firewall’ style product, and usually deployed as a defense against exactly this sort of threat that the component itself is now vulnerable to,” he said. “Back in 2004, such a vulnerability would probably have led to a flurry of noisy network worms. Today, drive-by installs of spyware are more likely, but at least as damaging. The bottom line is still the same: if you are using the vulnerable component, patch as soon as possible.”