Check Point Advisories

TCP Window Size Enforcement (CVE-2008-4609; CVE-2009-1925; CVE-2009-1926)

Check Point Reference: SBP-2009-18
Date Published: 8 Sep 2009
Severity: Critical
Last Updated: Sunday 20 September, 2015
Source:
Industry Reference: CVE-2008-4609
CVE-2009-1925
CVE-2009-1926
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70, R65

Who is Vulnerable?
Vulnerability Description

TCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. Multiple vulnerabilities exist in TCP/IP processing in Microsoft Windows.

CVE-2008-4609 - This denial of service vulnerability is due to the Windows TCP/IP stack failing to properly handle large numbers of established TCP connections. If these established connections are abused by a remote system requesting data and setting the TCP receive window size to a small or a zero value, the denial-of-service condition can be amplified. An attacker could exploit the vulnerability by flooding a system with an excessive number of TCP connections and keeping them alive indefinitely, or by sending specially crafted packets with the TCP receive window size set to a very small value or zero.

CVE-2009-1925 - This remote code execution vulnerability is due to the Windows TCP/IP stack failing to clean up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An attacker could exploit this vulnerability by creating specially crafted network packets and sending them to a listening service on an affected system.

CVE-2009-1926 - This denial of service vulnerability is due to the Windows TCP/IP stack allowing connections to hang indefinitely in the FIN-WAIT-1 or FIN-WAIT-2 state under certain conditions. An attacker could exploit this vulnerability by flooding a system with specially crafted connections designed to keep the TCP connection state in the FIN-WAIT-1 or FIN-WAIT-2 state indefinitely.
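The CVE-2008-4609 pattern described above (many established connections held open with a zero or very small receive window) can be looked for in flow records. The following is an added example, not Check Point's detection logic or code from this advisory; the record layout, the sample data and the thresholds (16 bytes, 30 seconds, 3 flows) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of client-to-server segments:
# (time_s, client_ip, client_port, server_ip, server_port, advertised_window)
# Window is assumed to be the effective value (window scaling already applied).
SAMPLE = [(t, "198.51.100.7", port, "192.0.2.10", 80, 0)
          for port in (40001, 40002, 40003) for t in (0.0, 20.0, 45.0)]
SAMPLE += [  # ordinary client: two short zero-window pauses, reopened in between
    (1.0, "203.0.113.5", 51000, "192.0.2.10", 80, 0),
    (3.0, "203.0.113.5", 51000, "192.0.2.10", 80, 65535),
    (40.0, "203.0.113.5", 51000, "192.0.2.10", 80, 0),
    (50.0, "203.0.113.5", 51000, "192.0.2.10", 80, 0),
    (52.0, "203.0.113.5", 51000, "192.0.2.10", 80, 65535),
]


def stalled_flows(records, max_window=16, min_stall_s=30.0):
    """Map flow -> longest run (seconds) with window <= max_window, if >= min_stall_s."""
    run_start = {}                 # flow -> time the current low-window run began
    longest = defaultdict(float)   # flow -> longest low-window run seen
    for ts, src, sport, dst, dport, window in sorted(records):
        flow = (src, sport, dst, dport)
        if window <= max_window:
            start = run_start.setdefault(flow, ts)
            longest[flow] = max(longest[flow], ts - start)
        else:
            run_start.pop(flow, None)   # window reopened, so the run ends
    return {f: d for f, d in longest.items() if d >= min_stall_s}


def suspicious_clients(records, min_flows=3, **thresholds):
    """Map client IP -> number of stalled flows, for clients with >= min_flows."""
    per_client = defaultdict(int)
    for src, _sport, _dst, _dport in stalled_flows(records, **thresholds):
        per_client[src] += 1
    return {ip: n for ip, n in per_client.items() if n >= min_flows}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE).items():
        print(f"{ip}: {n} connections held at a near-zero receive window")
```

A short zero-window pause is normal TCP flow control, which is why the run is reset whenever the window reopens and why a single stalled flow is not reported.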

Protection Overview

This protection will detect and block attempts to exploit these TCP vulnerabilities. Please note that this is a critical performance protection and its activation may significantly decrease IPS throughput.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

  1. In the IPS tab, click Protections and find the TCP Window Size Enforcement protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  TCP Enforcement Violation.
Attack Information:  Window size enforcement
