
Update Protection against Microsoft Windows Web Client Service Vulnerability (MS06-008)


Check Point Reference: CPAI-2006-015
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-008
Industry Reference(s): CVE-2006-0013
Protection Provided by: VPN-1
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
A vulnerability was detected in the Microsoft Windows Web Client service. The Web Client service allows applications to access documents on the Internet by using the WebDAV protocol. WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. To exploit the vulnerability, an attacker would first have to authenticate to the system. Successful exploitation will give an attacker complete control of an affected system.
Vulnerability Status
No exploit has been reported so far.
Update/Patch Available
Microsoft has released a patch for this vulnerability. The patch is available at http://www.microsoft.com/technet/security/Bulletin/MS06-008.mspx.
Vulnerability Details
The vulnerability is caused by an unchecked buffer in the Web Client service. To exploit the vulnerability, an attacker must have valid logon credentials. By creating a series of specially crafted messages and sending them to an affected system, an attacker can cause the affected system to execute code.

Protection Overview
The protection blocks HTTP WebDAV connections.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

Users of VPN-1 NGX R60 and users of VPN-1 NG with Application Intelligence R55W can protect against this vulnerability by blocking HTTP WebDAV methods.

To enable the protection:

1. In the Web Intelligence tree, select HTTP Protocol Inspection > HTTP Methods.
2. Under Protection Scope, decide whether to apply to all HTTP traffic or to selected Web servers:

  • If you select Apply to all HTTP traffic, click Block WebDAV HTTP Methods.
  • If you select Apply to selected Web servers, click Customize; the Select Servers window opens. Click Configure Default, and then enable Block WebDAV HTTP Methods. Click OK.

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log entries such as the following (example only; the log depends on which WebDAV method the firewall blocks):

Attack Name: HTTP Methods
Information: reason: WSE0110002 blocked method : PROPFIND

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and then select the Web Intelligence page of the profile.  
2. In the Web Intelligence tree, select HTTP Protocol Inspection > HTTP Methods.
3. In the HTTP Methods window, select Block WebDAV HTTP Methods.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Methods
Information: reason: WSE0110002 blocked WebDAV method

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?

  1. In the SmartDefense tree, click Application intelligence > Web and then click HTTP Protocol Inspection.
  2. Select one of the two options:
    • If you select Configurations apply to all connections, you must also enable Perform strict protocol enforcement for the protection to work.
    • Selecting Configurations apply only to connections related to resources used in the Rule Base offers more granular protection, inspecting only connections related to pre-configured URI resources used in the Rule Base. If you select this option, you must define a URI resource and use it in the Rule Base.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log an entry such as the following (PROPFIND is an example; the log may vary according to the method blocked):

Web Security: HTTP method 'PROPFIND' is not allowed
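
The three log messages shown on this page can be matched by one parser that counts blocked WebDAV methods per source. This is an added example, not Check Point code: only the message strings come from the page, while the semicolon-separated export layout, the src= field, the timestamps and the addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Methods defined by the WebDAV specification (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Message strings as shown on this page, one pattern per product.
PATTERNS = [
    ("VPN-1 NGX R60 / R55W",
     re.compile(r"WSE0110002 blocked method\s*:\s*(?P<method>[A-Za-z-]+)")),
    ("InterSpect NGX",  # this message does not name the method
     re.compile(r"WSE0110002 blocked WebDAV method")),
    ("VPN-1 NG AI R55/R54",
     re.compile(r"HTTP method '(?P<method>[^']+)' is not allowed")),
]
SRC = re.compile(r"\bsrc=(?P<src>[^;\s]+)")  # assumed export field, not from the page

# Constructed sample export: only the message text matches the page.
SAMPLE_LOG = """\
10:01:12; src=192.0.2.10; Attack Name: HTTP Methods; Information: reason: WSE0110002 blocked method : PROPFIND
10:01:13; src=192.0.2.10; Attack Name: HTTP Methods; Information: reason: WSE0110002 blocked method : LOCK
10:02:40; src=198.51.100.7; Attack Name: HTTP Methods; Information: reason: WSE0110002 blocked WebDAV method
10:03:05; src=192.0.2.10; Web Security: HTTP method 'PROPFIND' is not allowed
10:03:09; src=203.0.113.5; Web Security: HTTP method 'TRACE' is not allowed
10:04:00; src=203.0.113.5; Accept; service: http
"""

def parse_line(line):
    """Return (product, src, method) for a blocked-method entry, else None."""
    for product, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            src = SRC.search(line)
            # InterSpect entries carry no method name; record them as "WEBDAV".
            method = (m.groupdict().get("method") or "WEBDAV").upper()
            return product, src.group("src") if src else "unknown", method
    return None

def summarize(log_text, threshold=2):
    """Count WebDAV blocks per source; list sources at or above threshold."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = parse_line(line)
        # Skip non-matching lines and blocked methods that are not WebDAV.
        if hit and (hit[2] == "WEBDAV" or hit[2] in WEBDAV_METHODS):
            per_src[hit[1]][hit[2]] += 1
    noisy = sorted(s for s, c in per_src.items() if sum(c.values()) >= threshold)
    return dict(per_src), noisy

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
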