I often get asked about market trends and why VMware would buy Mozy and Sliderocket. I don’t usually like to indulge the speculation. However, take a look at today’s announcement on the vCenter Orchestrator Plug-in for Microsoft Active Directory and you have to see how security tools help build the foundation of a new user platform.

The VMware vCenter Orchestrator plug-in for Microsoft Active Directory allows organizations to automate the management of directory services tasks, particularly as they pertain to cloud provisioning use cases. For instance, the plug-in enables the automatic provisioning of vCloud Director organizations based on data retrieved from Active Directory.

It just became a little easier to run your office in a provider environment. You can stand up some of your own apps or use provider managed productivity apps like SlideRocket and Zimbra in a handy vCloud environment with credentials already under your control.

The new capabilities also bring to mind new risks, which I am happy to speculate about and will discuss next week in my presentation at Interop.

If we accept the premise that the perimeter model of security is eroding and systems are becoming a loosely federated collection of compute power and storage…then will firewalls even exist? Yes, and I don’t see the perimeter going away.

Case in point, Whisper Systems’ new product for Andoid:

Dynamic egress filtering.

When enabled, WhisperMonitor will monitor all outbound network traffic and issue dynamic prompts in order to determine egress filter rules.

Excellent feature. ZoneAlarm was famous for this. Knowing who your device is communicating with seems like an obvious requirement for security controls. However, far too many spend all their time focused on blocking inbound traffic only. Filtering outbound traffic is just as important.

Of course that begs the question of monitoring:

Connection history.

WhisperMonitor optionally records the connection history of the software installed on your device, giving you insight into where it is connecting and how often.

What I can’t find in the WhisperMonitor is the ability to setup zones or profiles, a usual feature of firewalls. It would be excellent to be able to switch between a work mode with egress to a certain set of systems, and a personal or home mode with different egress rules.

That might be something more likely to be found in Juniper Pulse, which allows egress filtering for Symbian S60 devices based on configuration policies (not yet for Android).

Speaking of Pulse, imagine if you could tunnel all traffic from the mobile device back to your home router and then filter it there. That could be handy for those who want to manage and monitor a policy for all their phones — a single shared egress point with a perimeter for all mobile users in a family or group.

NIST gave CVE-2011-0654 the highest severity rank (10) on February 16th — complete loss of confidentiality and integrity from a trivial remote exploit. They assigned it the following Common Weakness Enumeration

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Microsoft apparently failed to follow their own design specification. Section 2.2.3 or “RequestElection Browser Frame” of the Common Internet File System (CIFS) Browser Protocol has the following requirement.

ServerName (variable): MUST be a null-terminated ASCII server name and MUST be less than or equal to 16 bytes in length, including the null terminator.

It seems unusually clear and with heavy emphasis. They “MUST” be less. Is that meant to be a hint or a challenge?

It obviously is not difficult to craft a ServerName variable that violates the 16 byte null-terminated ASCII rule in an SMB response, and it is not hard to push a user into accessing a server. So the attack difficulty is rated as low. Section 3.3.5.8 or “Receiving a RequestElection Frame from CIFS” also makes a good point about elections and forcing a response.

The RequestElectionframe (as specified in section 2.2.3) MUST be sent whenever a browser client or server is unable to retrieve information that is maintained by the local master browser server. It also MUST be issued when a local master browser server receives a frame that indicates that another machine on the machine group also believes it is a local master browser server.

In other words, there are plenty of vectors to send a large ServerName that violates section 2.2.3 of the Microsoft Windows Browser Protocol to compromise a system.

Microsoft gave their response on April 12th to this boundary error, almost two months after disclosure:

Security Bulletin MS11-019 – Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

…these vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.

Their patch is nothing fancy. It basically follows the section 2.2.3 requirement.

The security update addresses the vulnerabilities by correcting the manner in which the CIFS Browser handles specially crafted Browser messages, and correcting the manner in which the SMB client validates specially crafted SMB responses

That could be the start and end of the story, except for the fact that Microsoft is not really new to this game.

Microsoft Security Bulletin MS10-020 – Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)

Microsoft Security Bulletin MS10-006 – Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)

Microsoft Security Bulletin MS09-001 – Critical
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)

Microsoft Security Bulletin MS08-068 – Important
Vulnerability in SMB Could Allow Remote Code Execution (957097)

Microsoft Security Bulletin MS06-030
Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)

Microsoft Security Bulletin MS05-027
Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)

Microsoft Security Bulletin MS05-011
Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)

Note the exploit details from February 8, 2005:

The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the “Server Message Block Vulnerability,” and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields

How strangely familiar that sounds, despite being six years ago…and last but not least (I’ve omitted many others, such as MS02-070)

Microsoft Security Bulletin MS03-024
Buffer Overrun in Windows Could Lead to Data Corruption (817606)

I am reminded of a January 1997 paper by Hobbit (hobbit@avian.org) called “CIFS: Common Insecurities Fail Scrutiny”

By now the reader may be thinking twice before replacing all those Unix servers with NT, and considering the significant risks in yielding to all that marketing rah-rah. In general we now see, in what is hoped to be a clearer way than previously, both how and why to check networks for these additional vulnerabilities. Unix may have its own problems, but overall it is still easier to secure and verify for correctness, and is largely free with all sources included. There are many good people out there proactively finding and fixing Unix problems on a daily basis. And as detailed in this document, Unix still has plenty of fight in it to help kick the NT monster in the ass.

Ah, look how far we have come.