Update Protection against Microsoft Active Directory Invalid Free Remote Code Execution Vulnerability (MS09-018)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-152
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS09-018
Industry Reference(s):	CVE-2009-1138
Protection Provided by:	Security Gateway R70 VPN-1 NGX R65 NGX R62 VSX NGX R65 InterSpect NGX IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Active Directory on Microsoft Windows 2000 SP4
Vulnerability Description A remote code execution vulnerability has been reported in Microsoft Active Directory. Active Directory provides central authentication and authorization services for Windows-based systems. Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service. A remote attacker can exploit the vulnerability to take complete control of an affected system.

Update/Patch Available Apply patches: Microsoft Security Bulletin MS09-018
Vulnerability Details The vulnerability is due to incorrect freeing of memory by the LDAP service when processing malformed LDAP and LDAPS requests. A remote attacker may trigger this vulnerability by sending a specially crafted LDAP or LDAPS packet to the Active Directory server. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system.

Protection Overview
This protection will detect and block malformed LDAP requests sent to the vulnerable server.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > LDAP.
2. In the right pane, double-click the Microsoft Active Directory LDAP Invalid Free Allocation (MS09-018) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Microsoft Active Directory LDAP invalid free allocation (MS09-018)

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > LDAP > Microsoft Active Directory LDAP Invalid Free Allocation (MS09-018).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

VPN-1 VSX NGX R65

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > LDAP.
2. Select the following:

Microsoft Active Directory LDAP Invalid Free Allocation (MS09-018)

4. Install policy on all modules.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > LDAP, and select the MS ADAM protection group.
3. Click RDN buffer overflow (MS09-018) - (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: MS ADAM
Description: RDN buffer overflow (MS09-018)

Legal Notice for Threat Center Advisories