Vulnerabilities in the Microsoft Windows TCP/IP protocol (MS08-001)
| Reference: |
CERT-IST/AV-2008.009 |
| Version: |
2.1 |
| Version date: |
04 February 2008 |
 |
Vulnerability Classification
| Risk: |
 |
very-high |
|
| Impact: |
Take control, Denial of Service, Get access |
| Confidence: |
Vendor-acknowledged |
| Attack expertise: |
Skilled |
| Attack requirements: |
Remote (no account) over a standard service |
 |
System Information
| Affected Platform(s): |
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP Professional x64 Edition and Windows XP x64 Edition SP2
- Windows Server 2003 Service Pack 1 and Service Pack 2
- Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2
- Windows Server 2003 (Itanium) SP1 and Windows Server 2003 (Itanium) SP2
- Windows Vista and Windows Vista x64 Edition
- Windows Small Business Server 2003 Service Pack 2
|
| Affected Software(s): |
- IGMP and ICMP Microsoft Windows protocols
|
Remarks:
- CVE-2007-0069 vulnerability:
  Windows 2000 is not vulnerable,
  Windows XP is vulnerable by default,
  Windows Vista is vulnerable by default,
  Windows 2003 is not vulnerable by default, but it is recommended to check this point.
- CVE-2007-0066 vulnerability:
  Windows Vista is not impacted by this vulnerability.
|
 |
Description
| Publication context: |
 |
This advisory has been re-issued (Jan-31-2008) because a private exploit now exists for the CVE-2007-0069 vulnerability. The risk associated with this advisory has therefore been increased and set to "Very High".
The threats associated with this exploit have been described in the crisis response hub named "IGMP (MS08-001)". |
 |
| Problem description: |
 |
Two vulnerabilities have been discovered in the IGMP and ICMP protocols in the Windows kernel. They allow a remote attacker to access the system with high privileges (which can lead to system access) or to disrupt the vulnerable system.
Note: An exploit has been developed for the CVE-2007-0069 vulnerability. It allows an attacker to take full control of a vulnerable system. This exploit is private and is not freely available on the Internet. |
 |
| Technical context: |
 |
Multicast traffic is used to send packets to a subset of machines on the network. To do this, the IGMP protocol (Internet Group Management Protocol - RFCs 1112 and 2236) allows a machine on the Internet to inform adjacent multicast routers of its membership in a group.
IGMP is implemented at the IP level (IP protocol: 2).
The ICMP protocol (Internet Control Message Protocol) is a control message protocol used by the TCP/IP protocols.
ICMP is implemented at the IP level (IP protocol: 2).
The IRDP protocol (ICMP Router Discovery Protocol - RFC 1256) is a default protocol used by DHCP clients. It allows the default route (to the router) to be updated automatically in the routing of a system. |
 |
| Technical information: |
 |
- CVE-2007-0069 vulnerability:
This vulnerability concerns the IGMP (Internet Group Management Protocol) protocol. It allows a remote attacker, through malicious "IGMPv3" and "MLDv2" packets, to disrupt the system (denial of service) or to execute arbitrary code with high privileges.
- CVE-2007-0066 vulnerability:
This vulnerability concerns the ICMP (Internet Control Message Protocol) protocol. It allows a remote attacker, through malicious fragmented ICMP packets, to disrupt the system (denial of service).
Note: This vulnerability can only be exploited if the IRDP (ICMP Router Discovery Protocol) protocol is enabled (which is not the case by default). However, on Windows 2003 Server and Windows XP systems, the IRDP protocol can be activated either through a DHCP client configuration or through a setting in the registry. On Windows 2000 systems, it can be activated through a setting in the registry.
|
 |
| Diagnostic: |
 |
On Windows 2003, to check whether the system is vulnerable to the CVE-2007-0069 vulnerability, use the following command:
netsh int ip show join
The output of this command should look like:
Interface Addr    Multicast Group
---------------   ---------------
10.1.1.1          224.0.0.1
If the multicast group 224.0.0.1 is the only one to which your machine is subscribed, then your machine is not vulnerable.
If other lines (groups) are displayed, then your machine is vulnerable. |
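The check above can be applied to `netsh int ip show join` output collected from many Windows 2003 hosts. The following is an added example, not part of the original advisory: the function names are hypothetical, the sample outputs are constructed, and it assumes the output layout shown above.

```python
import ipaddress
import re

# 224.0.0.1 (all-hosts) is the only group the advisory treats as harmless.
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")
# A data row is two dotted quads: interface address, then multicast group.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_joins(output):
    """Return (interface_addr, group) pairs from 'netsh int ip show join' text."""
    joins = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, dashed rule or blank line
        try:
            iface = ipaddress.IPv4Address(m.group(1))
            group = ipaddress.IPv4Address(m.group(2))
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)
        if group.is_multicast:
            joins.append((str(iface), str(group)))
    return joins

def assess(output):
    """Apply the advisory's rule: any group other than 224.0.0.1 means vulnerable."""
    joins = parse_joins(output)
    extra = [(i, g) for i, g in joins if ipaddress.IPv4Address(g) != ALL_HOSTS]
    if not joins:
        return "unknown", extra  # nothing parsed: never report a false "not vulnerable"
    return ("vulnerable" if extra else "not vulnerable"), extra

# Constructed sample outputs (not captured from a real host).
SAFE = """Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
"""
EXPOSED = """Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
10.1.1.1         239.255.255.250
"""

if __name__ == "__main__":
    for name, text in (("SAFE", SAFE), ("EXPOSED", EXPOSED)):
        print(name, assess(text))
```

An empty or unparseable capture is reported as "unknown" so that a failed collection is not mistaken for a clean host.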
 |
Solution
01 - Apply the Microsoft patches (KB941644) regarding the "IGMP" and "ICMP" vulnerabilities
Patches are available for the various impacted platforms.
See the Microsoft security bulletin MS08-001 ("Additional Resources" section) to get the appropriate patch.
- Microsoft security bulletin MS08-001
02 - Workaround regarding the "IGMP" vulnerability (CVE-2007-0069)
This vulnerability is critical and it is strongly recommended to apply the Microsoft security patches.
There is, however, a workaround: configure Internet firewalls to block the IGMP and MLD protocols.
Note: This workaround blocks the "multicast" communications (1 sender and N recipients) in IPv4 (IGMP) and IPv6 (MLD) and thus prevents "Webcast" applications from running (television over IP, etc.). |
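What "block IGMP and MLD" means at the packet level, as an added example that is not part of the original advisory: IGMP is its own IPv4 protocol, while MLD is a set of ICMPv6 message types normally carried behind a Hop-by-Hop header. The function names are hypothetical, the packets are constructed, the ICMPv6 type values come from the MLD specifications rather than from this page, and only a leading Hop-by-Hop header is walked.

```python
import struct

IPPROTO_IGMP = 2                   # IPv4 protocol number of IGMP
NH_HOPOPTS, NH_ICMPV6 = 0, 58      # IPv6 Next Header values
MLD_TYPES = {130, 131, 132, 143}   # ICMPv6 types: query, v1 report, v1 done, MLDv2 report

def should_block(packet: bytes) -> bool:
    """True if a raw IP packet is IGMP (IPv4) or MLD (IPv6)."""
    if not packet:
        return False
    version = packet[0] >> 4
    if version == 4:
        return len(packet) >= 20 and packet[9] == IPPROTO_IGMP
    if version != 6 or len(packet) < 40:
        return False
    next_header, offset = packet[6], 40
    # MLD is sent behind a Hop-by-Hop header (Router Alert), so the fixed
    # header usually says 0 here rather than 58.
    if next_header == NH_HOPOPTS:
        if len(packet) < offset + 2:
            return False
        next_header = packet[offset]
        offset += (packet[offset + 1] + 1) * 8
    if next_header != NH_ICMPV6 or len(packet) <= offset:
        return False
    return packet[offset] in MLD_TYPES

# --- Constructed sample packets (zeroed addresses/checksums, not captures) ---
def ipv4(proto: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                       bytes(4), bytes(4)) + bytes(8)

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 1,
                       bytes(16), bytes(16)) + payload

HBH = bytes([NH_ICMPV6, 0, 5, 2, 0, 0, 1, 0])   # Router Alert + PadN, 8 bytes
SAMPLES = {
    "igmp": ipv4(2),
    "tcp": ipv4(6),
    "mldv2_report": ipv6(NH_HOPOPTS, HBH + bytes([143, 0, 0, 0]) + bytes(4)),
    "icmpv6_echo": ipv6(NH_ICMPV6, bytes([128, 0, 0, 0]) + bytes(4)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} block={should_block(pkt)}")
```

A rule that matched only IPv6 Next Header 58 in the fixed header would miss the MLDv2 report sample, and a rule that dropped all ICMPv6 would also drop the echo request.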
 |
Standard vulnerability IDs
Additional Resources
- Microsoft security advisory MS08-001 dated January 8, 2008
- US-CERT security advisory TA08-008A dated January 8, 2008
- Nortel security advisory 683043 dated January 11, 2008
|
 |
History
| Version | Comment | Date |
| 2.1 | Addition of information | 04 February 2008 |
| 2.0 | Exploit available. Risk level increased | 31 January 2008 |
| 1.1 | Addition of impacted products (Windows Vista and Windows Small Business Server 2003 SP 2) | 25 January 2008 |
| 1.0 | Advisory creation | 09 January 2008 |