
Update Protection against Microsoft Server Service Vulnerabilities (MS06-063)


Check Point Reference: CPAI-2006-129
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-063
Industry Reference(s):

CVE-2006-4696
CVE-2006-3942

Protection Provided by:
VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Windows 2000 SP4 
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Vulnerability Description
Microsoft Server Service fails to handle network messages correctly, which may lead to a denial of service or execution of arbitrary code. Microsoft Server Service provides support for Remote Procedure Call (RPC), resource sharing, and named pipe communication over the network. By sending a specially crafted Server Message Block (SMB) Rename request or Transaction to an affected system, a remote attacker with valid authentication credentials could cause the system to reboot or execute arbitrary code.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-063
Vulnerability Details
Microsoft Server Service contains 2 vulnerabilities:

CVE-2006-3942: A denial of service vulnerability exists in the Server service because of the way it handles certain network messages. The server driver (srv.sys) in multiple versions of Microsoft Windows allows remote attackers to cause a denial of service via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination. This may lead to a NULL dereference in the ExecuteTransaction function.

CVE-2006-4696: A remote code execution vulnerability exists in the Server service because of the way it handles certain network messages. A remote authenticated user can send specially crafted SMB Rename data to cause the Server service to dereference an invalid pointer, causing the service to crash.
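
The CVE-2006-3942 condition above (an SMB_COM_TRANSACTION name string with no null terminator) can be expressed as a bounds check on the request. This is an added illustration, not Check Point's or Microsoft's code; the function names, return labels and sample builder are constructed here, and the field offsets assume the standard SMB1 (CIFS) request layout.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
FLAGS_REPLY = 0x80        # Flags bit: message is a server response
FLAGS2_UNICODE = 0x8000   # Flags2 bit: strings are UTF-16LE
HEADER_LEN = 32


def check_transaction_name(msg: bytes) -> str:
    """Classify one SMB1 message (NetBIOS session header already removed)."""
    if msg[:4] != SMB1_MAGIC:
        return "not-smb1"
    if len(msg) < HEADER_LEN + 1:
        return "truncated"
    if msg[4] != SMB_COM_TRANSACTION:
        return "not-transaction"
    if msg[9] & FLAGS_REPLY:
        return "not-request"            # responses carry no Name field
    word_count = msg[HEADER_LEN]
    if word_count < 14:                 # 14 fixed words precede Setup[]
        return "malformed"
    bc_off = HEADER_LEN + 1 + 2 * word_count
    if bc_off + 2 > len(msg):
        return "truncated"
    words = struct.unpack_from("<14H", msg, HEADER_LEN + 1)
    byte_count = struct.unpack_from("<H", msg, bc_off)[0]
    start, limit = bc_off + 2, bc_off + 2 + byte_count
    if limit > len(msg):
        return "truncated"
    # Name must end before the parameter and data blocks (offsets count from the header).
    if words[9]:
        limit = min(limit, words[10])   # ParameterCount, ParameterOffset
    if words[11]:
        limit = min(limit, words[12])   # DataCount, DataOffset
    if struct.unpack_from("<H", msg, 10)[0] & FLAGS2_UNICODE:
        start += start % 2              # UTF-16 strings are 2-byte aligned
        ok = any(msg[i:i + 2] == b"\x00\x00" for i in range(start, limit - 1, 2))
    else:
        ok = b"\x00" in msg[start:limit]
    return "ok" if ok else "unterminated-name"


def build_sample(name: bytes, flags2: int = 0) -> bytes:
    """Constructed sample: header, 14 zeroed words, Bytes block holding only `name`."""
    header = (SMB1_MAGIC + bytes([SMB_COM_TRANSACTION]) + bytes(5)
              + struct.pack("<H", flags2) + bytes(20))
    return header + bytes([14]) + bytes(28) + struct.pack("<H", len(name)) + name
```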

Protection Overview

The protections address the vulnerabilities by blocking malformed SMB Rename and Transaction Requests.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on November 13, 2006 includes the following protections:

OpenSSL RSA Key Signature Forgery Vulnerability (CPAI-2006-123)
C-News File Inclusion Vulnerability (CPAI-2006-125)
phpFullAnnu File Inclusion Vulnerability (CPAI-2006-126)
Microsoft setSlice Integer Overflow Vulnerability (MS06-057) - CPAI-2006-127
Microsoft Vector Markup Language (VML) Vulnerability (MS06-055) - CPAI-2006-128
Microsoft Server Service Vulnerabilities (MS06-063) - CPAI-2006-129
Multiple MySQL Query Commands Vulnerabilities (CPAI-2006-130)
W-Agora Remote File Inclusion Vulnerabilities (CPAI-2006-131)
Protecting against Heap Spraying Techniques by Blocking Known Shell Code Exploits (SBP-2006-12)

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.



2. In the protection's configuration pane, under Mode, click Active.
3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information:
Malformed Transaction request
Malformed Rename request

VPN-1 NGX R61 & R60; VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

1. In the SmartDefense tree, click Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.



2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information:
Malformed Transaction request
Malformed Rename request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?

1. In the SmartDefense tree, click Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs rules #99440 and #99441.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.



2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs rules #99440 and #99441.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.



3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information:
Malformed Transaction request
Malformed Rename request


InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Microsoft Networks > Block Malformed SMB Transaction Requests and Block Malformed SMB Rename Requests.



2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker logs the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information:
Malformed Transaction request
Malformed Rename request