Update Protection against Microsoft Windows Print Spooler Service Denial of Service Vulnerability
| Check Point Reference: | CPAI-2007-023 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Secunia Advisory: SA23196 | |
| Industry Reference(s): | CVE-2006-6296 US-CERT VU#914617 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Windows 2000 SP4 | ||
| Vulnerability Description The Microsoft Windows Print Spooler is vulnerable to a denial of service condition. Microsoft Windows Print Spooler Service (SPOOLSS) is a service responsible for print queuing. A remote attacker may exploit this issue to crash the vulnerable system via a malformed RPC request. A specially crafted RPC request could cause the spooler to consume all available memory on the Windows machine, and thus cause a denial of service. |
||
|
Vulnerability Details The vulnerability is due to an error in the print spooler (spoolsv.exe) service when handling malformed 'GetPrinterData' RPC requests. A remote attacker could specially craft a malicious RPC request that will cause successive memory allocations, which will add up to a large amount of allocated memory, causing the system to crash, creating a denial of service condition. |
Protection Overview
By enabling this protection, SmartDefense will detect and block the malicious RPC requests.
In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on February 22, 2007 includes the following protections:
AOL (CDDB) Control Buffer Overflow Vulnerability (CPAI-2007-013)
3Com TFTP Server Buffer Overflow Vulnerability (CPAI-2007-014)
IBM Tivoli Storage Manager Buffer Overflow Vulnerability (CPAI-2007-015)
CA BrightStor Discovery Buffer Overflow Vulnerability (CPAI-2007-016)
Symantec Veritas NetBackup Buffer Overflow Vulnerability (CPAI-2007-017)
Novell NetMail NMAP Buffer Overflow Vulnerability (CPAI-2007-018)
Citrix Presentation Remote Code Execution Vulnerability (CPAI-2007-019)
Microsoft Windows SNMP Memory Corruption Vulnerability (MS06-074) - CPAI-2007-020
Novell Print Spooler Buffer Overflow Vulnerability (CPAI-2007-021)
Novell eDirectory Denial of Service Vulnerability (CPAI-2007-022)
Microsoft Windows Print Spooler Service Denial of Service Vulnerability (CPAI-2007-023)
Multiple SNMP Vulnerabilities (SBP-2007-03)
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS > Block SPOOLSS GetPrinterData DoS. 
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: SPOOLSS GetPrinterData DoS detected
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following:
Block SPOOLSS GetPrinterData DoS
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: SPOOLSS GetPrinterData DoS detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following:
Block SPOOLSS GetPrinterData DoS
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99458 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following:
Block SPOOLSS GetPrinterData DoS
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99458 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable the following protection:
Block SPOOLSS GetPrinterData DoS
3. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: SPOOLSS GetPrinterData DoS detected
InterSpect 2.0
How Can I Protect My Network?
1. Click Application Intelligence > RPC > MS-RPC over CIFS and enable the following protection:
Block SPOOLSS GetPrinterData DoS
2. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: SPOOLSS GetPrinterData DoS detected