Executive Summary

Title Microsoft Windows IGMPv3 and MLDv2 processing vulnerability
Name VU#115083 First vendor Publication 2008-01-09
Vendor VU-CERT Last vendor Modification 2008-01-29
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#115083

Microsoft Windows IGMPv3 and MLDv2 processing vulnerability


Microsoft Windows fails to properly process IGMPv3 and MLDv2 network traffic. If exploited, this vulnerability may result in arbitrary code execution or a denial-of-service condition.

I. Description

Internet Group Management Protoco (IGMP) is the protocol used by IPv4 hosts to report their multicast group memberships to multicast routers. Version 3 (IGMPv3) adds support for source filtering. IGMP, IGMPv2 and IGMPv3 are specified in RFC 1112, RFC 2236, and RFC 3376.

Multicast Listener Discovery (MLD) is a protocol used by IPv6 routers to discover the presence of nodes who can receive multicast packets. MLD version 2 (MLDv2) adds source address filtering capabilities. MLD and MLDv2 are specified in RFC 2710 and RFC 3810.

Per Microsoft Security Bulletin MS08-001:

    A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MDLv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Note that Windows 2000 is not affected by this vulnerability.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. If a vulnerable system is being used as a network firewall or router, clients relying on that system may also be affected.

III. Solution


Microsoft has released an update to address this issue. See MS08-001 for more information.

Disable IGMP and MLD

Until updates can be applied disabling IGMP and MLD support may mitigate this vulnerability. See the workarounds section of MS08-001 for more information on disabling IGMP and MLD support in Windows.

Block IGMP and MLD

Using network or host based firewalls to block IGMP and MLD network traffic may prevent this vulnerability from being remotely exploited.

  • The workarounds section of MS08-001 contains instructions on how to configure the Windows Vista host firewall to block IGMP and MLD. Note that per the Microsoft TechNet article How Windows Firewall Works Windows XP and Server 2003 allow IGMP traffic to pass through the built-in Windows Firewall.
  • Linux system administrators may use the iptables -p parameter to block the IGMP and MLD protocols.
  • Administrators who use PF can set the proto keyword to block the IGMP and MLD protocols.
  • Cisco ASA administrators can disable IGMP support by using the no igmp command as specified in section 11-14 of the Cisco Security Appliance Command Line Configuration Guide.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable9-Jan-2008




Microsoft credits Alex Wheeler and Ryan Smith of IBM Internet Security Systems X-Force for reporting this vulenrabilty.

This document was written by Ryan Giobbi.

Other Information

Date Public01/08/2008
Date First Published01/09/2008 07:18:05 PM
Date Last Updated01/29/2008
CERT Advisory 
CVE NameCVE-2007-0069
US-CERT Technical Alerts 
Document Revision51

Original Source

Url : http://www.kb.cert.org/vuls/id/115083

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5370
Oval ID: oval:org.mitre.oval:def:5370
Title: Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability
Description: Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-0069
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Definition Synopsis:

CPE : Common Platform Enumeration

Os 1
Os 1
Os 1

OpenVAS Exploits

Date Description
2011-01-13 Name : Microsoft Windows TCP/IP Remote Code Execution Vulnerabilities (941644)
File : nvt/gb_ms08-001.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
40070 Microsoft Windows TCP/IP IGMPv3 / MLDv2 Packet Handling Remote Code Execution

A buffer overflow exists in Windows. The TCP/IP implementation fails to validate IGMPv3 and MLDv2 packets resulting in a buffer overflow. With a specially crafted packet, a remote attacker can cause arbtrary code execution resulting in a loss of integrity.

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt
RuleID : 13287 - Revision : 13 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2008-01-08 Name : It is possible to execute code on the remote host.
File : smb_nt_ms08-001.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2015-04-15 13:28:37
  • Multiple Updates
2013-05-11 00:56:50
  • Multiple Updates