Microsoft Vulnerability VU#951982 – The new UDP Packet of Death
#infosec #adcfw
Security: It’s in the DNA of BIG-IP
As a former developer, I have a special appreciation for vulnerabilities. Putting out code for 25 years means that sooner or later someone is going to hack through a bug or oversight in the collective bits. It’s happened to me more than once (but not lately, thank goodness). Consequently, when a particularly gruesome exploit is announced, I feel an instinctual sympathy for the developers of the hacked system. The sympathetic response goes like this: the shoulders raise forward, the gut tightens, the mouth grimaces and you say “Eeeewwww.”
Last month one of those cringe-worthy vulnerabilities was announced by the Microsoft Windows team. Microsoft Knowledge Base article VU#951982 describes an exploit where a specially-crafted UDP packet, repeatedly sent to a port that the Windows kernel is not listening on, can eventually crash the system and allow an attacker to run arbitrary code in kernel mode or cause a denial-of-service. This is an ugly vulnerability, and my heart goes out to everyone involved in the Windows network stack.
It’s especially cringe-worthy because the system is vulnerable right out of the box: as a system administrator, you don’t have to commit a sin to make your system vulnerable; it just IS.
Unless that system is behind a BIG-IP LTM, of course.
Being based on virtual servers, BIG-IP LTM discards any packets that don’t match a virtual server destination address and port. So of course you won’t get random UDP packets hitting your servers. This is yet another case of BIG-IP acting as a de-facto firewall by the very virtue of its default-deny security posture. This is a native behavior; LTM protects you right out of the box, no iRules necessary for this one. Though if you are looking for security iRules, here’s a link to a bunch: Sample iRules: Security.
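The listener matching described above can be modelled in a few lines. This is an added example, not F5 code and not from the original post: the `VirtualServer` class, the listener names, the sample addresses and the simplified precedence rule are all assumptions made for illustration. It also flags any wildcard listener (any address, any port), since a table containing one no longer drops UDP sent to unlistened ports.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str  # CIDR form, e.g. "203.0.113.10/32"
    port: int         # 0 = any port (wildcard)
    protocol: str     # "tcp", "udp" or "any"

    def matches(self, dst_ip, dst_port, proto):
        net = ipaddress.ip_network(self.destination)
        return (ipaddress.ip_address(dst_ip) in net
                and self.port in (0, dst_port)
                and self.protocol in ("any", proto))

def classify(listeners, dst_ip, dst_port, proto):
    """Name of the most specific matching listener, or None (packet dropped)."""
    hits = [vs for vs in listeners if vs.matches(dst_ip, dst_port, proto)]
    if not hits:
        return None  # default deny: no listener, no delivery to a backend
    # Simplified precedence (assumption): longest prefix, then explicit port.
    best = max(hits, key=lambda vs: (
        ipaddress.ip_network(vs.destination).prefixlen, vs.port != 0))
    return best.name

def udp_wildcards(listeners):
    """Listeners that accept UDP on any port and so weaken the default deny."""
    return [vs.name for vs in listeners
            if vs.port == 0 and vs.protocol in ("udp", "any")]

# Constructed sample tables (documentation addresses, hypothetical names).
STRICT = [
    VirtualServer("vs_web", "203.0.113.10/32", 443, "tcp"),
    VirtualServer("vs_dns", "203.0.113.53/32", 53, "udp"),
]
WITH_WILDCARD = STRICT + [VirtualServer("vs_forward_all", "0.0.0.0/0", 0, "any")]

if __name__ == "__main__":
    probe = ("203.0.113.10", 31337, "udp")  # UDP to a port nobody listens on
    print("strict table:  ", classify(STRICT, *probe))
    print("with wildcard: ", classify(WITH_WILDCARD, *probe))
    print("UDP wildcards: ", udp_wildcards(WITH_WILDCARD))
```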
Security: It’s in the DNA of BIG-IP.
Update: See my follow-on post for more information.