Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using CSA to block the VML vulnerability

I thought those of you using CSA as a desktop agent would find this useful.

Microsoft has posted a security advisory "Vulnerability in Vector Markup Language Could Allow Remote Code Execution" at this link:

VML is used to generate graphics using an XML format.

Microsoft says they'll release a patch for this on October 10th. However, there are already known exploits for this. One of the suggested workarounds is to unregister vgx.dll on each machine until then.

But luckily we have CSA, and can do the following:

- Create a new File Access Control rule (I call it Possible VML Exploitation)

- Take the following action: Deny (or Monitor, if you just want to watch for it)

- when Applications in any of the following selected classes: Email applications, Instant Messenger applications, MS Office applications, Multimedia applications, Web browser applications

- But not in any of the to following selected classes: <none>

- Atempt the following: Read

- On any of these files: @program_files\**\VGX\vgx.dll

I'm testing this out now. If anyone else has a better rule to accomplish the same thing, please let me know.

New Member

Re: Using CSA to block the VML vulnerability

I tested this new rule, and it works. Google Maps uses VML to generate its maps, which is what I used for the test. I was afraid that IE might load the dll before it was used, but this shows it tries to use it in realtime and shouldn't affect normal browser functionality.

New Member

Re: Using CSA to block the VML vulnerability

Hi Richard,

Great rule!

Why not monitor all applications trying to access this dll?

New Member

Re: Using CSA to block the VML vulnerability

You could, but you would want to exclude antivirus and backup software. I was just trying to be specific and track only Internet based software that render web content.

New Member

Re: Using CSA to block the VML vulnerability

Another way of doing this is to enable the Specific SystemAPI rule that protects against Buffer Overflow (VML exploit and almost all others use this). This way your rule is dynamic and will prevent you against future exploits.E.g. Non-VML exploits which don't use the vgx.dll file.

The following System API rule works

1. Create a SystemAPI rule with the following box checked

"Access system functions from code executing in data or stack space"

However you have to be careful as this can deny legitimate applications also. For this testing you can only include "iexplore.exe" and that should work.

Later-on you can fine-tune this rule to exclude any legitimate applications.

Download the exploit from

(You will have to copy\paste the code and create your own HTML file and host it on your Server)

Without CSA (And No Microsoft Patch, I tested on XP-SP1) after you visit\open the page it should close IE and launch calc.exe (Using Shell-Code Injection).

With CSA enabled no calc.exe will be launched this preventing the execution of any malicious code.

\\ Naman


Re: Using CSA to block the VML vulnerability

Cisco also posted a security bulletin about how CSA protects against this vulnerability with the default policies.

Tom S

New Member

Re: Using CSA to block the VML vulnerability

Can you tell me specifically what Cisco considers to be the "default policies" for CSA? Does this refer to the "Operating Systems - Base Permissions - Windows" policy (containing the Required System Module and the System Bootstrap Permissions Module) that is in the auto-enrollment group for Windows XP hosts?




Re: Using CSA to block the VML vulnerability

Not specifically, but I think the "default policies" they refer to are those associated with one of the default agent kits.

I think the policies in the auto-enrollment group are less about system protection and more about allowing basic Windows functions and protecting the agent.

The two rules referenced in the link were buffer overflow and modification of system files and would be covered under trojan or system protection rules. These are different for each version of CSA.

In order for a host to be protected, it would need to be in one of the default groups and not in test mode.

I hope I got it...


CreatePlease login to create content