Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: (Updated) Additional info on yesterday's Linksys item, the importance of patching - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
(Updated) Additional info on yesterday's Linksys item, the importance of patching
Update from yesterday

A reader pointed out that our report on the Linksys LAN DoS yesterday applies only in the default configuration. If the LAN settings are changed from the default, the exploit (as published) will not work. In particular, the subnet, DHCP range, and router address should be changed from the defaults. This is fairly simple to accomplish through the web interface.


The importance of prompt patching

Today, the handler on duty, spent most of his day tracking down machines on a client's network that were still not updated with the MS04-011 and MS04-012 patches from Microsoft's April bulletins which had become infected with Korgo and Plexus worms which exploit the LSASS vulnerability. I'm going to rant a little because these patches have been available for nearly eight weeks. I promise not to rant about this again until the next time. :-) In all fairness, this client was successful in patching better than 90% of their systems (and 100% for servers), but there were systems that control machinery or for some other reason were set aside as too valuable to risk taking down. The machines are critical to the job the customer does and hence the customer is hesitant to take them down for patching becuase they are up running all the time. The point that is missed, though is that as long as these machines actually connect to the enterprise WAN, they remain very exposed and the potential malicious activity of the worm/exploit could be far more devistating than actaully scheduling some down time on the shop floor to patch. One of these worms could cause data damage or actual phyisical damage by misdirecting the controlled machinary. In the wrong instances this could even lead to loss of life. As has been proposed a number of times and in many other forums, machines handling critical infrastructure (or espeically critical life-saving equipment), if they must be networked, should be on networks that are completely disjoint from the company WAN and especially the internet. It isn't a bad thing to put air gaps between them.


Reminder, Microsoft will release more patches on Tuesday.



----------------------------

Jim Clausing, jim.clausing at acm.org
Jim

402 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!