Update Protection against Microsoft Windows TCP/IP Selective Acknowledgement Denial of Service Vulnerability (MS10-009)

Check Point Reference: CPAI-2010-040
Date Published:
Severity:
Source: Microsoft Security Bulletin MS10-009
Industry Reference(s): CVE-2010-0242
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP2
Windows Server 2008 (Itanium)
Vulnerability Description
A denial of service vulnerability has been reported in the selective acknowledgment (SACK) processing of the Microsoft Windows TCP/IP stack. TCP/IP SACK is used for connections with large TCP window sizes. When SACK is enabled and a packet or series of packets is dropped, the receiver can inform the sender of exactly which data has been received and where the holes in the data are. The sender can then selectively retransmit the missing data without retransmitting blocks of data that have already been received successfully. A remote attacker may exploit this issue to cause the affected system to stop responding.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-009
Vulnerability Details
The vulnerability is due to insufficient bounds checking by the Windows TCP/IP stack when handling incoming Selective Acknowledgement packets. A remote attacker may trigger this vulnerability by sending specially crafted packets to the affected host. Successful exploitation of this issue could cause the affected system to stop accepting requests.

Protection Overview
This protection will detect and block TCP packets with malformed SACK options.
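
As an added illustration (not Check Point's signature logic, and not a statement of the specific condition behind CVE-2010-0242, which this page does not describe), the sketch below shows the kind of structural validation a defender can apply to SACK options in a TCP header. It assumes only the generic RFC 2018 layout: option kind 5, length 2 + 8n for 1 to 4 blocks, and a left edge that precedes the right edge in 32-bit sequence space. The function names and sample bytes are constructed for this example.

```python
import struct

EOL, NOP, SACK = 0, 1, 5   # TCP option kinds (SACK is kind 5, RFC 2018)

def seq_lt(a, b):
    """True if sequence number a precedes b in 32-bit modular arithmetic."""
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000

def check_tcp_options(opts: bytes):
    """Walk a TCP options field and return a list of structural problems."""
    problems, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"kind {kind}: truncated before length byte")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            problems.append(f"kind {kind}: length {length} does not fit options field")
            break
        if kind == SACK:
            body = opts[i + 2:i + length]
            if not body or len(body) % 8 or len(body) > 32:
                problems.append(f"SACK: length {length} is not 2 + 8n with n in 1..4")
            else:
                for left, right in struct.iter_unpack("!II", body):
                    if not seq_lt(left, right):
                        problems.append(f"SACK: left edge {left} not before right edge {right}")
        i += length
    return problems

# Constructed sample option fields (not captured traffic).
SAMPLES = {
    "valid":      bytes([NOP, NOP, SACK, 10]) + struct.pack("!II", 1000, 2000),
    "wraparound": bytes([SACK, 10]) + struct.pack("!II", 0xFFFFFF00, 0x100),
    "bad_length": bytes([SACK, 7]) + bytes(5),
    "overrun":    bytes([SACK, 18]) + struct.pack("!II", 1, 2),
    "inverted":   bytes([SACK, 10]) + struct.pack("!II", 2000, 1000),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_tcp_options(raw) or "ok")
```

The wraparound sample is reported as valid because the edge comparison uses modular sequence arithmetic; a plain integer comparison would flag legitimate blocks that span the 32-bit boundary.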

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Network Security > TCP.
2. In the right pane, double-click the Microsoft TCP IP Selective Acknowledgement Denial of Service (MS10-009) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TCP Enforcement Violation
Attack Information: Microsoft TCP IP selective acknowledgement denial of service (MS10-009)

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Network Security > TCP > Microsoft TCP IP Selective Acknowledgement Denial of Service (MS10-009).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TCP Enforcement Violation
Attack Information: Microsoft TCP IP selective acknowledgement denial of service (MS10-009)