Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Windows DHCP Remote Code Execution Vulnerability (MS06-036)

Subscribe

Check Point Reference: CPAI-2006-101
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-036
FrSIRT/ADV-2006-2754
Industry Reference(s): CVE-2006-2372
US-CERT VU#257164
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
Microsoft Windows contains a vulnerability in the way that it processes and logs DHCP messages. The Dynamic Host Configuration Protocol (DHCP) provides central management of IP addresses and other details related to the IP configuration used on the network. A remote user can exploit this vulnerability by sending a specially crafted DHCP message to a vulnerable DHCP server. This may result in remote code execution on the affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-036
Vulnerability Details
The vulnerability is caused due to a buffer overflow error in the way that DHCP validates a value from specially crafted network packets. A remote attacker can trigger the vulnerability by sending a malicious DHCP response to a DHCP request. Successful exploitation could result in arbitrary code execution and in the attackerÂ’s complete control of an affected system.

Protection Overview

 SmartDefense Service team has provided a protection against this type of DHCP vulnerabilities in Jaunary 23, 2005 (CPAI-2005-07) in response to MS04-042. The update from September 12 2006 enhances the DHCP protection by further enforcing the DHCP protocol. All you need to do is update SmartDefense on your VPN/InterSpect system.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on September 12, 2006 includes the following protections: 

Malformed IMAP Commands Protection (CPAI-2006-098)
Protection against Microsoft Windows DHCP Remote Code Execution (MS06-036) - CPAI-2006-101
MiniBB Remote File Vulnerabilities (CPAI-2006-102)
GraceNote (CDDB) Control ActiveX Vulnerability (CPAI-2006-103)
Microsoft Internet Explorer 6 (Internet.HHCtrl) Vulnerability (CPAI-2006-104)
Microsoft Internet Explorer UTF-8 Decoding Vulnerability (MS06-021) - CPAI-2006-105
Apache LDAP HTTP Server Buffer Overflow Vulnerability (CPAI-2006-106)
Pre-Patch Workaround for Microsoft Windows Vulnerabilities (SBP-2006-06)

VPN-1 NGX R61

How Can I Protect My Network?
Update SmartDefense: Click the SmartDefense Services tab and click Update Now in the Download Updates page. If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Malformed DHCP Option Length

VPN-1 NGX R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
Update SmartDefense by clicking Online Update in the SmartDashboard General window.If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Malformed DHCP Option Length

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
Update SmartDefense by clicking Update Now in the SmartDashboard General window. If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule 99670 indicating that a malformed DHCP packet has been detected.

VPN-1 VSX NGX

How Can I Protect My Network?
Update SmartDefense by clicking Update Now in the SmartDashboard General window.If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule 99670 indicating that a malformed DHCP packet has been detected.

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile. If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Malformed DHCP Option Length

InterSpect 2.0

How Can I Protect My Network?
Update SmartDefense by clicking Online Update in the SmartDashboard General window. If you have enabled the protection released in January 23, 2005 (CPAI-2005-07), this update will block the current MS06-036 vulnerability.

To verify that you have enabled the DHCP protection as outlined in CPAI-2005-07:
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. The Perform Strict DHCP options enforcement option is enabled by default.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Malformed DHCP Option Length