Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

INFOCON back to GREEN; Cisco "device" Zotob & Rbot problems, Spanish Zotob description, Sun LPD remote exploit; More about Msdds.dll issue

Published: 2005-08-19
Last Updated: 2005-08-20 00:22:47 UTC
by Kevin Hong (Version: 1)
0 comment(s)

Infocon back to Green.

Our Infocon is back to Green status after stay Yellow within 24 Hours for alerting new MS IE msdds.dll issue. Microsoft releases their advisory yesterday with some more information. You can find more information from our yesterday's diary. Even though we are back to green status, the issue still exists and will keep updating any new information and stay with us.

Cisco "device" Zotob & Rbot problems

The UK's NISCC published that says that "Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces."

**snipped from NISCC**

"Affected Products

If the software versions or configuration information are provided, then only those combinations are vulnerable. This is a list of appliance software that needs patches downloaded from Cisco:
* Cisco CallManager
* Cisco Customer Response Application Server (CRA)
* Cisco Personal Assistant
* Cisco Conference Connection (CCC)

* Cisco Emergency Responder

Other Cisco products that run on a Microsoft-based operating system should strongly consider loading the security update from Microsoft at

This list is not all inclusive, so refer to Microsoft's Advisory if you think you have an affected Microsoft platform.

* Cisco Unity

* Cisco Building Broadband Service Manager (BBSM)
* Cisco CNS Network Registrar (CNR)
* Cisco Customer Voice Portal
* Cisco ICM Enterprise Edition
* Cisco ICM Hosted Edition
* Cisco IP Contact Center (IPCC) (Express, Enterprise, Hosted, Remote Agent)
* Cisco E-mail Manager (CEM)
* Cisco Web Collaboration Option
* Cisco Collaboration Server Dynamic Content Adapter
* Cisco Media Blender (CMB)
* Cisco IP Interactive Voice Response
* IP Queue Manager

* Cisco Customer Voice Portal
* Cisco Computer Telephony Integration Option
* Cisco Outbound Option
* Cisco Remote Monitoring Suite Option
* Cisco Support Tools
* TrailHead (Part of the Web Gateway solution)
* Cisco Networking Services for Active Directory (CNS/AD)

* Cisco SN 5400 Series Storage Routers (driver to interface to Windows server)

* CiscoWorks
-- + CiscoWorks VPN/Security Management Solution (CWVMS)
-- + User Registration Tool

_- + LAN Management Solution
-- + Routed WAN Management

-- + Service Management
-- + IP Telephony Environment Monitor

-- + Small Network Management Solution

-- + QoS Policy Manager

-- + Voice Manager

* Cisco Transport Manager (CTM)

* Cisco Broadband Troubleshooter (CBT)
* DOCSIS CPE Configurator

* Access Control Server (ACS)

* Videoconferencing Applications

-- + IP/VC 3540 Video Rate Matching Module
-- + IP/VC 3540 Application Server"

The advisory also includes ACL's for IOS.

Spanish version Zotob description.

One of our reader who is Javier translate our recent description of Zotob variant explaination to Spanish. Even I don't understand Spanish, it will be good for people who is their native language is Spanish. You can find information at here

Sun LPD remote exploit

The Sun Microystems released patch 8th of August. Today the metasploit released new exploit module for Solaris LPD remote exploit. If you are not using the LPD service, disable it. Editing the /etc/inetd.conf file and comment out the following part.

#printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

Of course, don't forget to execute hangup signal to inetd process: /usr/bin/pkill -HUP inetd

You can find more detail information following site If you are not using the LPD service, disable it. Don't forget to patch it. The miscreants will use this exploit for compromise your system.

More about Msdds.dll issue

The Microsoft updated their the Msddsl.dll exploit issue. The updated version contains additional information regarding what applications ship the affected DLL and are configured in a vulnerable state.

Following statements are summary of updated information.

The affected versions of Msdds.dll are 7.0.9064.9112 and 7.0.9446.0.
Customers who have Msdds.dll with version 7.0.9955.0, 7.10.3077.0, or
higher on their systems are not affected by this vulnerability.

The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in
the .NET Framework.

Microsoft Office 2003 are not affected by this vulnerability. (ships a higher version dll)

Microsoft Access 2003 are not affected by this vulnerability. (ships a higher version dll)

Microsoft Visual Studio 2003 are not affected by this vulnerability. (ships a higher version dll)

Microsoft Visual Studio 2002 Service Pack 1 are not affected by this vulnerability. (ships a higher version dll)

Microsoft Office XP Service Pack 3 are not by default affected by this vulnerability. However, its only in a vulnerable configuration if VS runtime library files are in the search path for Internet Explorer. These files are Msvcr70.dll and Msvscp70.dll. For instance by placing them in the same directory as Msdds.dll or in the %windir%/system32 directory could expose Office XP customers to this issue.

You can find the workarounds from our


Kevin Hong - On Duty

0 comment(s)
Diary Archives