Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Windows Message Queuing Remote Code Execution Vulnerability (MS07-065)

Subscribe

Check Point Reference: CPAI-2007-139
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS07-065
Industry Reference(s): CVE-2007-3039
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server SP4
Microsoft Windows XP SP2
Vulnerability Description
A buffer overflow vulnerability exists in Microsoft Windows Message Queuing Service. Microsoft Message Queuing (MSMQ) is a component of Microsoft Windows designed to act as a message portal between a set of applications requiring message exchange functionality. MSMQ enables applications that are running at different times to communicate across heterogeneous networks and across systems that may be temporarily offline. A remote attacker can exploit the MSMQ vulnerability to take complete control over an affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS07-065
Vulnerability Details
The vulnerability is due to boundary errors in the MSMQ service that fails to properly validate input strings before passing them to the buffer. A remote attacker could exploit this issue via a specially crafted MSMQ message sent to the vulnerable interface. Successful exploitation of this vulnerability could allow remote code execution on the affected system.

Protection Overview
By enabling this protection, SmartDefense will detect and block any attempt to exploit the message queuing buffer overflow and attempts to conceal the attacks with multi-context bind calls.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on December 18, 2007 includes the following protections:

FLAC Project libFLAC Picture Buffer Vulnerability (CPAI-2007-136)
Apple QuickTime Crafted RTSP Response Buffer Overflow Vulnerability (CPAI-2007-137)
Recent Malware Threats (18-Dec-07) – CPAI-2007-138
Microsoft Windows Message Queuing Code Execution Vulnerability (MS07-065) – CPAI-2007-139
Microsoft AVI File Parsing Code Execution Vulnerability (MS07-064) – CPAI-2007-140

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks.
2. Select the following protection:

Block Message Queuing Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS Message Queuing Protection Violation
Attack Information: Buffer Overflow Attempt

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Select the following protection:

Block Message Queuing Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS Message Queuing Protection Violation
Attack Information: Buffer Overflow Attempt

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Select the following protection:

Block Message Queuing Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #92101 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Select the following protection:

Block Message Queuing Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #92101 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?

1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
3. Select the following protection:

Block Message Queuing Buffer Overflow

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS Message Queuing Protection Violation
Attack Information: Buffer Overflow Attempt

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following protection:

Block Message Queuing Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: MS Message Queuing Protection Violation
Attack Information: Buffer Overflow Attempt