
Update Protection against Microsoft Windows RPC NTLMSSP Authentication Denial of Service Vulnerability (MS07-058)


Check Point Reference: CPAI-2007-124
Date Published:
Severity:
Source: Microsoft Security Bulletin MS07-058
Industry Reference(s):

CVE-2007-2228

Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Vulnerability Description
A denial of service vulnerability has been reported in the Microsoft Windows Remote Procedure Call (RPC) service. RPC is a protocol that a program can use to request a service from a program located on another computer in a network. Microsoft Remote Procedure Call (MS-RPC) is Microsoft's implementation of RPC. MS-RPC may use the NTLM (NT LAN Manager) authentication protocol, and NTLMSSP (NT LAN Manager Security Support Provider) is a binary message format used by NTLM. An attacker may exploit this issue to create a denial of service condition, causing the vulnerable service to crash.
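The NTLMSSP binary format mentioned above has a fixed header layout, documented in Microsoft's MS-NLMP specification. The Python below is an added example, not Check Point's or Microsoft's code and not the SmartDefense detection logic: it parses that header and checks that every field's buffer lies inside the message. The `build_authenticate` helper and both sample messages are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Byte position of each (Len, MaxLen, BufferOffset) descriptor, per MS-NLMP.
FIELDS = {
    1: {"DomainName": 16, "Workstation": 24},
    2: {"TargetName": 12, "TargetInfo": 40},
    3: {"LmChallengeResponse": 12, "NtChallengeResponse": 20, "DomainName": 28,
        "UserName": 36, "Workstation": 44, "EncryptedRandomSessionKey": 52},
}
MIN_HEADER = {1: 32, 2: 48, 3: 64}  # fixed part before optional Version/payload


def validate_ntlmssp(msg: bytes):
    """Return (type_name, problems); an empty list means a consistent layout."""
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        return None, ["missing NTLMSSP signature"]
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in TYPES:
        return None, [f"unknown message type {mtype}"]
    if len(msg) < MIN_HEADER[mtype]:
        return TYPES[mtype], ["fixed header truncated"]
    problems = []
    for name, pos in FIELDS[mtype].items():
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        if length == 0:
            continue  # empty field: its offset carries no data
        if offset < MIN_HEADER[mtype] or offset + length > len(msg):
            problems.append(f"{name}: buffer [{offset}, {offset + length}) outside message")
    return TYPES[mtype], problems


def build_authenticate(user: str) -> bytes:
    """Constructed sample: AUTHENTICATE message with only UserName populated."""
    name = user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    header = SIGNATURE + struct.pack("<I", 3) + empty * 3      # Lm, Nt, Domain
    header += struct.pack("<HHI", len(name), len(name), 64)    # UserName
    header += empty * 2 + struct.pack("<I", 0)                 # Workstation, key, flags
    return header + name


SAMPLE_OK = build_authenticate("alice")   # constructed, well-formed
SAMPLE_TRUNCATED = SAMPLE_OK[:-4]         # constructed, capture cut short

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED)):
        print(label, validate_ntlmssp(sample))
```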
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS07-058
Vulnerability Details
The vulnerability is due to an error in the Microsoft Windows Remote Procedure Call service, which fails to properly communicate with the NTLM security provider when authenticating RPC requests. A remote attacker can exploit this issue by crafting a malicious RPC request that uses the NTLMSSP authentication method. Successful exploitation could create a denial of service condition, causing the computer to become non-responsive and automatically restart.

Protection Overview
By enabling this protection, SmartDefense will detect and block RPC requests with crafted NTLM authentication credentials.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on October 28, 2007 includes the following protections:

OpenOffice TIFF File Parsing Integer Overflow Vulnerability (CPAI-2007-120)
Microsoft Windows Kodak Image Viewer Vulnerability (MS07-055) - CPAI-2007-121
Microsoft Visual Studio PDWizard.ocx ActiveX Control Vulnerability (CPAI-2007-122)
Microsoft Word Malformed String Memory Corruption Vulnerability (MS07-060) - CPAI-2007-123
Microsoft Windows RPC NTLMSSP Authentication DoS Vulnerability (MS07-058) - CPAI-2007-124
New Feature for the Block FTP Brute Force Attacks Protection (SBP-2007-09)
Blocking QQ Instant Messenger (SBP-2007-10)

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS > Block NTLMSSP Authentication Denial of Service (MS07-058).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: NTLMSSP authentication denial of service detected (MS07-058)

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following:

Block NTLMSSP Authentication Denial of Service (MS07-058)

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: NTLMSSP authentication denial of service detected (MS07-058)

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable the following protection:

Block NTLMSSP Authentication Denial of Service (MS07-058)

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: NTLMSSP authentication denial of service detected (MS07-058)