

(Updated) Additional info on yesterday's Linksys item, the importance of patching
Update from yesterday

A reader pointed out that our report on the Linksys LAN DoS yesterday applies only in the default configuration. If the LAN settings are changed from the default, the exploit (as published) will not work. In particular, the subnet, DHCP range, and router address should be changed from the defaults. This is fairly simple to accomplish through the web interface.

The importance of prompt patching

Today the handler on duty spent most of his day tracking down machines on a client's network that had still not been updated with the MS04-011 and MS04-012 patches from Microsoft's April bulletins and had become infected with the Korgo and Plexus worms, which exploit the LSASS vulnerability. I'm going to rant a little, because these patches have been available for nearly eight weeks. I promise not to rant about this again until the next time. :-) In all fairness, this client was successful in patching better than 90% of their systems (and 100% of servers), but there were systems that control machinery or for some other reason were set aside as too valuable to risk taking down. These machines are critical to the job the customer does, and hence the customer is hesitant to take them down for patching because they are up and running all the time. The point that is missed, though, is that as long as these machines actually connect to the enterprise WAN, they remain very exposed, and the potential malicious activity of the worm/exploit could be far more devastating than actually scheduling some down time on the shop floor to patch. One of these worms could cause data damage or actual physical damage by misdirecting the controlled machinery. In the wrong instances this could even lead to loss of life. As has been proposed a number of times and in many other forums, machines handling critical infrastructure (or especially critical life-saving equipment), if they must be networked, should be on networks that are completely disjoint from the company WAN and especially from the internet. It isn't a bad thing to put air gaps between them.

Reminder, Microsoft will release more patches on Tuesday.


Jim Clausing, jim.clausing at acm.org


ISC Handler
Jun 5th 2004
