Microsoft Windows LSASS Authentication

(MS09-059, CVE-2009-2524)

An elevation of privilege vulnerability has been discovered in Microsoft Windows Local Security Authority Subsystem Service (LSASS).

LSASS provides an interface for managing local security, domain authentication, and Active Directory service processes. It handles authentication for both client and server. Windows NTLM implementation in LSASS improperly handles malformed packets during NTLM authentication.

A remote attacker could create a specially crafted, anonymous NTLM authentication request that can cause a crash in the server-side LSASS process and restart the computer.

Check Point provides protection to detect and block malformed NTLM authentication requests though its integrated IPS products, IPS Software Blade and SmartDefense. For more information see CPAI-2009-216.