Update Protection against Microsoft Windows BranchCache Insecure Library Loading Vulnerability (MS10-095)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-342
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS10-095
Industry Reference(s):	CVE-2010-3966
Protection Provided by:	Security Gateway R71 R70 VPN-1 NGX R65 VSX NGX R65 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 (Itanium)
Vulnerability Description A remote code execution vulnerability has been reported in the way that Microsoft Windows deals with the opening of specific files on platforms which do not support the BranchCache functionality. BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. A remote attacker may exploit this vulnerability to execute arbitrary code on a target system.

Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-095

Vulnerability Details
The vulnerability is caused by Windows attempting to validate whether a specific DLL used by Windows BranchCache exists on the system. When the default DLL is not found, the application will attempt to locate the file on the location from where the file is opened, which could be an insecure location such as a network share. A specially crafted file placed in an alternate location could cause Windows to execute the code it contains. Successful exploitation of this vulnerability could allow the attacker to take complete control of an affected system.

Protection Overview
This protection will detect and block the transferring of suspicious DLL files over CIFS.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Windows BranchCache Insecure Library Loading (MS10-095)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft Windows BranchCache insecure library loading (MS10-095)

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Microsoft Windows BranchCache Insecure Library Loading (MS10-095).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Filename Recorder protection group.
3. Click Microsoft Windows BranchCache Insecure Library Loading (MS10-095) (IPS-1 NGX R65 only).

4. In the configuration pane, under Settings, check Active.

5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: BADFILENAME

Description: Microsoft Windows BranchCache Insecure Library Loading (MS10-095)

Legal Notice for Threat Center Advisories