Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Microsoft IP Validation Vulnerability (MS05-019)

Attack ID: CPAI-2005-78
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems:

Microsoft Windows 98
Microsoft Windows 98 SE
Microsoft Windows 98 ME
Microsoft Windows 2000
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP 64-Bit Edition

Source:

Microsoft Security Bulletin MS05-19

Description:

A vulnerability exists in the way Microsoft Windows operating systems process IP (Internet Protocol) packets, caused by improper validation of IP network packets. This flaw may allow a malicious user to send a specially crafted packet, causing a denial of service and in some cases, remote code execution.

Severity:
Details:

The Internet Protocol (IP) is the most widely used communication protocol on the Internet. By sending a crafted IP packet to a vulnerable system, an attacker may create a denial of service condition, and in some cases, a remote execution of arbitrary code. The malformed packet must include IP option values which can pass the initial IP validation checks of the Windows operating system's IP stack. The vulnerability may be triggered only after the packet has passed the initial validation tests.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R54 and later versions who have applied the solution outlined below, will be able to detect attempts to exploit this vulnerability. SmartView Tracker will generate he following log entry:

Information
: packet with ip options

Solution:

Users of VPN-1 NG with Application Intelligence R54 and later versions are preemptively protected against this vulnerability, as VPN-1 drops IP packets with IP options by default.

Users should verify that VPN-1 generates log entries for dropped packets with IP options:

1. On the SmartDashboard, click Policy > Global Properties.
2. In the Global Properties window, select Log and Alert.
3. Verify that the Log option is selected next to the "IP Options drop" option.



4. Install policy on all modules.

Industry Reference: CAN-2005-0048
Additional Information: