
Update Protection against Microsoft Windows ICMPv6 Router Advertisement Vulnerability (MS10-009)


Check Point Reference: CPAI-2010-105
Date Published:
Severity:
Source: Microsoft Security Bulletin MS10-009
Industry Reference(s): CVE-2010-0239
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Windows Vista
Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Vulnerability Description
A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Router Advertisement packets to a computer with IPv6 enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Update/Patch Available
Microsoft has released a patch:
http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx 
Vulnerability Details
The vulnerability is caused by the Windows TCP/IP stack not performing the appropriate level of bounds checking on specially crafted ICMPv6 Router Advertisement packets. Router Advertisements allow routers to instruct hosts how to perform Address Autoconfiguration. They contain prefixes, which are used to determine whether another address shares the same link and/or for address configuration, as well as a suggested hop limit value and other parameters. Successful exploitation could grant an attacker complete control of the affected system.

Protection Overview

IPS-1 will detect and block ICMPv6 router advertisements with invalid prefix lengths.
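
The kind of check this protection describes, as an added example (not Check Point's signature and not code from this advisory): a parser that walks the options of a Router Advertisement as laid out in RFC 4861 and flags Prefix Information options that are malformed. Treating "invalid" as a prefix length above 128 or a wrongly sized option is an assumption; the function names and sample packets are constructed for illustration.

```python
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option
RA_HEADER_LEN = 16     # type, code, checksum, hop limit, flags, lifetime, timers


def check_router_advertisement(icmp6: bytes) -> list[str]:
    """Return findings for one ICMPv6 message body (empty list = nothing flagged)."""
    if len(icmp6) < RA_HEADER_LEN or icmp6[0] != RA_TYPE:
        return []  # not a Router Advertisement, nothing to inspect
    findings = []
    offset = RA_HEADER_LEN
    while offset < len(icmp6):
        if offset + 2 > len(icmp6):
            findings.append("truncated option header")
            break
        opt_type, opt_len = icmp6[offset], icmp6[offset + 1]
        if opt_len == 0:  # RFC 4861: such packets must be discarded
            findings.append("option with zero length")
            break
        size = opt_len * 8  # option length is counted in units of 8 octets
        if offset + size > len(icmp6):
            findings.append(f"option type {opt_type} runs past end of packet")
            break
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 4:
                findings.append(f"prefix option length {opt_len} (expected 4)")
            elif icmp6[offset + 2] > 128:  # assumption: 'invalid' means > 128 bits
                findings.append(f"prefix length {icmp6[offset + 2]} exceeds 128")
        offset += size
    return findings


def build_ra(prefix_len: int) -> bytes:
    """Constructed sample RA with one Prefix Information option (checksum left 0)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                         2592000, 604800, 0, bytes.fromhex("20010db8") + bytes(12))
    return header + option


if __name__ == "__main__":
    for plen in (64, 200):
        print(plen, check_router_advertisement(build_ra(plen)))
```

The function expects the ICMPv6 message starting at its type byte, so a capture tool has to strip the IPv6 header and any extension headers first.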

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > IP, and select the ICMPv6 protection group.
3. Click Microsoft Windows IPv6 Router Advertisment Stack Buffer Overflow (MS10-009) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: ICMPv6
Description: Microsoft Windows IPv6 Router Advertisment Stack Buffer Overflow (MS10-009)