Executive Summary

Summary
Title: Microsoft Windows IGMPv3 and MLDv2 processing vulnerability

Information
Name: VU#115083
First vendor publication: 2008-01-09
Vendor: VU-CERT
Last vendor modification: 2008-01-29
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Vulnerability Note VU#115083

Microsoft Windows IGMPv3 and MLDv2 processing vulnerability

Overview

Microsoft Windows fails to properly process IGMPv3 and MLDv2 network traffic. If exploited, this vulnerability may result in arbitrary code execution or a denial-of-service condition.

I. Description

Internet Group Management Protocol (IGMP) is the protocol used by IPv4 hosts to report their multicast group memberships to multicast routers. Version 3 (IGMPv3) adds support for source filtering. IGMP, IGMPv2 and IGMPv3 are specified in RFC 1112, RFC 2236, and RFC 3376.

Multicast Listener Discovery (MLD) is a protocol used by IPv6 routers to discover the presence of nodes that can receive multicast packets. MLD version 2 (MLDv2) adds source address filtering capabilities. MLD and MLDv2 are specified in RFC 2710 and RFC 3810.

Per Microsoft Security Bulletin MS08-001:

    A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Note that Windows 2000 is not affected by this vulnerability.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. If a vulnerable system is being used as a network firewall or router, clients relying on that system may also be affected.

III. Solution

Update

Microsoft has released an update to address this issue. See MS08-001 for more information.

Disable IGMP and MLD

Until updates can be applied, disabling IGMP and MLD support may mitigate this vulnerability. See the workarounds section of MS08-001 for more information on disabling IGMP and MLD support in Windows.

Block IGMP and MLD

Using network or host-based firewalls to block IGMP and MLD network traffic may prevent this vulnerability from being remotely exploited.

  • The workarounds section of MS08-001 contains instructions on how to configure the Windows Vista host firewall to block IGMP and MLD. Note that, per the Microsoft TechNet article "How Windows Firewall Works", Windows XP and Server 2003 allow IGMP traffic to pass through the built-in Windows Firewall.
  • Linux system administrators may use the iptables -p parameter to block the IGMP and MLD protocols.
  • Administrators who use PF can set the proto keyword to block the IGMP and MLD protocols.
  • Cisco ASA administrators can disable IGMP support by using the no igmp command as specified in section 11-14 of the Cisco Security Appliance Command Line Configuration Guide.
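
The iptables option from the list above, written out as an added example (not part of the original vulnerability note). IGMP has its own IP protocol number and can be matched with -p alone, but MLD is carried inside ICMPv6, so the rules match the MLD message types from RFC 2710 and RFC 3810 rather than all of ICMPv6. The function name, the choice of chain and the use of -I are assumptions made for this example.

```shell
#!/bin/sh
# Added example: print the iptables/ip6tables commands that drop IGMP and MLD.
# Nothing is applied here; the function only emits the rules for review.

# MLD message types carried in ICMPv6:
#   130 = listener query, 131 = MLDv1 report, 132 = MLDv1 done, 143 = MLDv2 report
# Dropping "-p icmpv6" wholesale would also drop neighbor discovery.
MLD_TYPES="130 131 132 143"

# Usage: igmp_mld_block_rules [INPUT|FORWARD|OUTPUT]
#   INPUT   protects the Linux host itself
#   FORWARD protects hosts behind a Linux router or firewall
igmp_mld_block_rules() {
    chain="${1:-INPUT}"
    case "$chain" in
        INPUT|FORWARD|OUTPUT) ;;
        *) echo "unsupported chain: $chain" >&2; return 2 ;;
    esac

    # IGMP is IP protocol 2 ("igmp" in /etc/protocols).
    echo "iptables -I $chain -p igmp -j DROP"

    # One ip6tables rule per MLD message type.
    for t in $MLD_TYPES; do
        echo "ip6tables -I $chain -p icmpv6 --icmpv6-type $t -j DROP"
    done
}

# Review the output first, then apply it as root, for example:
#   igmp_mld_block_rules FORWARD | sh
```

Dropping MLD may interfere with IPv6 multicast delivery on networks whose switches rely on MLD snooping, so test the rules before leaving them in place.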

Systems Affected

Vendor: Microsoft Corporation
Status: Vulnerable
Date Updated: 9-Jan-2008

References


http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
http://technet2.microsoft.com/windowsserver/en/library/3ccb6af5-d960-4a8d-b12b-70692dc47bf41033.mspx?mfr=true
http://tools.ietf.org/html/rfc1112
http://tools.ietf.org/html/rfc2236
http://tools.ietf.org/html/rfc2710
http://tools.ietf.org/html/rfc3376
http://tools.ietf.org/html/rfc3810
http://iptables-tutorial.frozentux.net/other/iptables.html
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/conf_gd.html
http://en.wikipedia.org/wiki/IGMP
http://en.wikipedia.org/wiki/MLD

Credit

Microsoft credits Alex Wheeler and Ryan Smith of IBM Internet Security Systems X-Force for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 01/08/2008
Date First Published: 01/09/2008 07:18:05 PM
Date Last Updated: 01/29/2008
CERT Advisory:
CVE Name: CVE-2007-0069
US-CERT Technical Alerts:
Metric: 22.72
Document Revision: 51

Original Source

Url : http://www.kb.cert.org/vuls/id/115083

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5370
 
Oval ID: oval:org.mitre.oval:def:5370
Title: Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability
Description: Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-0069
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Os 1
Os 1
Os 1

OpenVAS Exploits

Date Description
2011-01-13 Name : Microsoft Windows TCP/IP Remote Code Execution Vulnerabilities (941644)
File : nvt/gb_ms08-001.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
40070 Microsoft Windows TCP/IP IGMPv3 / MLDv2 Packet Handling Remote Code Execution

A buffer overflow exists in Windows. The TCP/IP implementation fails to validate IGMPv3 and MLDv2 packets, resulting in a buffer overflow. With a specially crafted packet, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt
RuleID : 13287 - Revision : 13 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2008-01-08 Name : It is possible to execute code on the remote host.
File : smb_nt_ms08-001.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2015-04-15 13:28:37
  • Multiple Updates
2013-05-11 00:56:50
  • Multiple Updates