Update Protection against Microsoft Windows Security Support Provider SChannel Spoofing Vulnerability (MS09-007)
| Check Point Reference: | CPAI-2009-038 |
| Date Published: | |
| Severity: | |
| Last Updated: | |
| Source: | Microsoft Security Bulletin MS09-007 |
| Industry Reference(s): | CVE-2009-0085 |
| Protection Provided by: | Security Gateway |
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP1 (Itanium)
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 (Itanium)
Vulnerability Description
A spoofing vulnerability has been reported in the Microsoft Windows Security Support Provider (SSP) SChannel authentication component when using certificate-based authentication. SSP is a dynamic-link library (DLL) that implements a common interface between transport-level applications and security providers by making one or more security packages available to applications. Security packages support security protocols such as Kerberos authentication and Secure Channel (SChannel) authentication. A remote attacker may exploit this vulnerability to authenticate against a protected server, despite not having access to the authorized user's private key, which is normally required for successful authentication when the server is configured to require client authentication.
Update/Patch Available
Apply patches: Microsoft Security Bulletin MS09-007
Vulnerability Details
The vulnerability is due to an error in the SChannel authentication component, which fails to sufficiently validate certain Transport Layer Security (TLS) handshake messages to ensure that the client does in fact have access to the private key linked to the certificate used for authentication. A remote attacker may exploit this flaw if they are able to obtain the public component of the actual certificate used by the end user for authentication. The attacker could then craft a TLS packet to bypass the SChannel component's validation. Successful exploitation of the issue will allow the attacker to impersonate another user and authenticate against a protected server using the public component of the user's authentication credential.
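In TLS 1.0 to 1.2 the client proves possession of the private key by sending a CertificateVerify handshake message after its Certificate and before ChangeCipherSpec. The following added example (not Check Point's signature logic and not code from this advisory) shows one way a passive inspector could flag a client flight that presents a certificate but omits that proof. The function names and sample bytes are constructed for illustration, and the check assumes a plaintext initial handshake with a signing-capable certificate.

```python
import struct

# TLS record content types and handshake message types (RFC 5246)
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16

def handshake_messages(stream: bytes):
    """Yield (type, body) for each plaintext handshake message in one direction."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            return                      # later records are encrypted
        if ctype != HANDSHAKE:
            continue
        buf += payload                  # a message may span several records
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            mlen = int.from_bytes(buf[1:4], "big")
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def skips_certificate_verify(client_stream: bytes) -> bool:
    """True when a non-empty client Certificate is not followed by CertificateVerify."""
    sent_cert = proved_key = False
    for mtype, body in handshake_messages(client_stream):
        if mtype == CERTIFICATE:
            # Body begins with a 3-byte certificate_list length; 0 means no certificate.
            sent_cert = int.from_bytes(body[:3], "big") > 0
        elif mtype == CERTIFICATE_VERIFY and sent_cert:
            proved_key = True
    return sent_cert and not proved_key

# --- constructed sample traffic (placeholder bytes, not real certificates) ---
def record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def message(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

CERT_BODY = (7).to_bytes(3, "big") + (4).to_bytes(3, "big") + b"CERT"
KEX, CCS = message(CLIENT_KEY_EXCHANGE, b"\x00" * 8), record(CHANGE_CIPHER_SPEC, b"\x01")
NORMAL = record(HANDSHAKE, message(CERTIFICATE, CERT_BODY) + KEX
                + message(CERTIFICATE_VERIFY, b"\x00" * 8)) + CCS
SKIPPED = record(HANDSHAKE, message(CERTIFICATE, CERT_BODY) + KEX) + CCS

if __name__ == "__main__":
    print("normal:", skips_certificate_verify(NORMAL))
    print("skipped:", skips_certificate_verify(SKIPPED))
```

A client that answers the server's request with an empty certificate list is not flagged, since it makes no identity claim for the server to verify.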
Protection Overview
By enabling this protection, SmartDefense will detect and block attempts to exploit the spoofing vulnerability. IPS-1 will detect and block attempts by SSL clients to skip client certificate verification.
In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.