Cisco MARS Event - Windows ASN.1 Bit String NTLMv2

LOkrasa Member Posts: 343
I am getting an event type called "Windows ASN.1 Bit String NTLMv2 Integer Overflow" on my Cisco MARS server. I am not sure what it means even though the definition is given below:

This signature detects malformed ASN.1 data during Windows NTLMv2 authentication that may indicate an attempt to exploit an ASN.1 bit string integer overflow vulnerability in the Microsoft ASN.1 Library ("msasn1.dll") during ASN.1 BER decoding. Successful exploitation may allow execution of arbitrary code on an affected system with SYSTEM privileges. Services affected are Kerberos (UDP/88) and NTLMv2 authentication (TCP/135, 139, 445).


All of the events include our DNS server/Domain Controller as the source/destination.

Anyone have any idea on how to troubleshoot this or check to see if this is just a false positive?

Thanks!

Comments

  • dtlokee Member Posts: 2,378
    http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

    It would appear to be a serious issue if the servers haven't been updated to prevent the exploit. I don't think this would be a false positive under normal circumstances.
    The only easy day was yesterday!
  • LOkrasa Member Posts: 343
    Weird.... my servers are all up to date so I am not sure why this is occurring. I have the patch in the link you installed apparently because when I try to run the exe it tells me that I have a service pack newer than this release and kicks me out.
  • dtlokee Member Posts: 2,378
    It doesn't mean the attack is successful against your servers, just that the MARS box or an IPS/IDS somewhere is reporting packets that match the signature on the network. It seems to be a signature that has a high fidelity rating, so it is most likely not a false positive; you may want to investigate the source of the packets.
    The only easy day was yesterday!
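
Added example, not part of the thread and not the logic of the MARS signature: a small Python walker showing what "malformed ASN.1 data" means structurally in BER, namely a declared length that exceeds the octets actually present, or a BIT STRING whose unused-bits octet is invalid. The function names and the sample byte strings are constructed for illustration.

```python
# Added illustration: structural sanity checks on BER TLVs.
# Sample byte strings are constructed for this example, not captured traffic.
BIT_STRING = 0x03

def read_header(buf, pos):
    """Return (tag, length, header_size); raise ValueError on a malformed header."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form (not handled in this sketch)")
    if first < 0x80:                      # short form: length in one octet
        return tag, first, 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0:
        raise ValueError("indefinite length (flag for manual review)")
    if n > 4:
        raise ValueError(f"length field of {n} octets")
    if pos + 2 + n > len(buf):
        raise ValueError("truncated length field")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def scan(buf, base=0):
    """Walk TLVs in buf; return [(offset, reason)] for each malformed element."""
    findings, pos = [], 0
    while pos < len(buf):
        try:
            tag, length, hdr = read_header(buf, pos)
        except ValueError as err:
            findings.append((base + pos, str(err)))
            break
        body, left = pos + hdr, len(buf) - pos - hdr
        if length > left:                 # compare before any slicing or allocation
            findings.append((base + pos, f"declared length {length} exceeds {left} remaining octets"))
            break
        content = buf[body:body + length]
        if tag & 0x20:                    # constructed: recurse into nested TLVs
            findings += scan(content, base + body)
        elif tag == BIT_STRING and (length == 0 or content[0] > 7):
            findings.append((base + pos, "BIT STRING with missing or >7 unused-bits octet"))
        pos = body + length
    return findings

GOOD = bytes.fromhex("300603020180" "0500")                 # SEQUENCE { BIT STRING, NULL }
BAD_LENGTH = bytes.fromhex("300a0384ffffffff00414141")      # inner length far beyond the data
BAD_BITS = bytes.fromhex("03020900")                        # unused-bits octet is 9

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("BAD_BITS", BAD_BITS)]:
        print(name, scan(sample))
```

A decoder that performs the length comparison before allocating or copying rejects such input outright, which is why a sensor can report matching packets even when the receiving servers are patched.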