Microsoft has re-released a security bulletin and update to address the kernel IGMP and MLD code execution vulnerability in Microsoft Windows Small Business Server.
Description
Microsoft Windows XP SP2 and prior, Windows Server 2003 SP2 and prior, Windows Business Server 2003 SP2 and prior, and Windows Vista contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.
This vulnerability exists due to insufficient validation of Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) network messages. An attacker could exploit this vulnerability by sending a malicious network message to the affected system. When processed, this network message could trigger an error condition that may allow the attacker to execute arbitrary code with full system privileges.
Microsoft has confirmed this vulnerability in a security bulletin and released software updates that correct it.
Warning Indicators
Systems that are running the following software are vulnerable:
Microsoft Windows XP SP2 and prior
Microsoft Windows XP Professional x64 Edition SP2 and prior
Microsoft Windows Server 2003 SP2 and prior
Microsoft Windows Server 2003 x64 Edition SP2 and prior
Windows Server 2003 with SP2 and prior for Itanium-based Systems
Microsoft Windows Small Business Server 2003 SP2 and prior
Windows Vista
Windows Vista x64 Edition
IntelliShield Analysis
Systems most at risk are those that may process IGMPv3 or MLDv2 messages from untrusted networks. IGMP and MLD are typically used only on local physical network segments. However, some network configurations may allow such messages to be passed across segments. Such messages likely will not pass through network edge filtering devices, such as gateways or firewalls. Attackers therefore likely require access to internal network segments to target affected systems. An exploit could allow the attacker to execute arbitrary code with the privileges of the Windows kernel, resulting in a complete system compromise.
The IGMPv3 protocol is used to perform multicast group management on IPv4 networks. The MLDv2 protocol is the IPv6 implementation of IGMP.
Networks that are not configured to process multicast traffic are unlikely to be affected because network switches and routers will discard such packets. This would prevent a remote attacker from delivering a malicious payload to an affected system. However, a local attacker who wants to gain elevated privileges may be able to send a malicious request to himself or herself via the loopback interface to trigger the vulnerability.
Because this is a vulnerability in the processing of multicast packets, an attacker in the proper position could potentially compromise or deny service to a large number of machines with a single attack. This makes the potential impact of this vulnerability quite severe. An attacker who exploits desktop and server systems that do not perform domain authentication can compromise only the affected hosts. If an attacker could successfully attack a system that performs Active Directory and domain authentication functions, the integrity of the entire domain may be compromised.
The update available from Microsoft corrects this vulnerability by properly validating network messages.
Coinciding with each monthly Microsoft release, the Cisco Applied Intelligence team creates an Applied Mitigation Bulletin to address Microsoft vulnerabilities from this period that may be effectively identified and/or mitigated using Cisco network devices. This bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for January 2008
Vendor Announcements
Microsoft has re-released a security bulletin at the following link: MS08-001
Avaya has released a security advisory at the following link: ASA-2008-019
US-CERT has released a vulnerability note at the following link: VU#115083
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with kernel privileges, resulting in a complete system compromise.
Technical Information
This vulnerability exists due to insufficient validation of IGMPv3 and MLDv2 network messages. When processing malformed network messages, an unspecified error condition may occur when storing the IGMP or MLD message state. This could allow the attacker to gain the ability to execute arbitrary code.
Because the Windows kernel processes network messages, any code execution would run with full system privileges. By sending a network request to the affected system, an attacker could execute arbitrary code, resulting in a complete system compromise.
Safeguards
Administrators are advised to apply the available software updates.
Administrators are advised to restrict IGMP network traffic to affected systems using host-based firewalls.
Administrators may consider disabling IGMP and MLD packet processing.
Patches/Software
Microsoft has released updated software at the following links:
Version 4, January 11, 2008, 7:27 AM: Cisco has released an Applied Mitigation Bulletin to address Microsoft vulnerabilities that may be effectively identified and/or mitigated using Cisco network devices.
Version 3, January 10, 2008, 12:59 PM: Avaya has released a security advisory to address the Microsoft Windows kernel IGMP and MLD code execution vulnerability. US-CERT has released a vulnerability note.
Version 2, January 9, 2008, 11:25 AM: IntelliShield is updating this alert to include common vulnerability identification information.
Version 1, January 8, 2008, 3:37 PM: Microsoft Windows XP, Windows Server 2003, and Windows Vista contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges. Updates are available.
Business Base | Business x64 Edition Base | Enterprise Base | Enterprise x64 Edition Base | Home Basic Base | Home Basic x64 Edition Base | Home Premium Base | Home Premium x64 Edition Base | Ultimate Base | Ultimate x64 Edition Base
Microsoft, Inc.
Windows XP
Home Edition Base, SP1, SP2 | Professional Edition Base, SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP2
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
