Vulnerability Note VU#115083

Microsoft Windows IGMPv3 and MLDv2 processing vulnerability

Overview

Microsoft Windows fails to properly process IGMPv3 and MLDv2 network traffic. If exploited, this vulnerability may result in arbitrary code execution or a denial-of-service condition.

I. Description

Internet Group Management Protocol (IGMP) is the protocol used by IPv4 hosts to report their multicast group memberships to multicast routers. Version 3 (IGMPv3) adds support for source filtering. IGMP, IGMPv2 and IGMPv3 are specified in RFC 1112, RFC 2236, and RFC 3376.

Multicast Listener Discovery (MLD) is a protocol used by IPv6 routers to discover the presence of nodes that can receive multicast packets. MLD version 2 (MLDv2) adds source address filtering capabilities. MLD and MLDv2 are specified in RFC 2710 and RFC 3810.

Per Microsoft Security Bulletin MS08-001:

    A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Note that Windows 2000 is not affected by this vulnerability.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. If a vulnerable system is being used as a network firewall or router, clients relying on that system may also be affected.

III. Solution

Update

Microsoft has released an update to address this issue. See MS08-001 for more information.

Disable IGMP and MLD

Until updates can be applied, disabling IGMP and MLD support may mitigate this vulnerability. See the workarounds section of MS08-001 for more information on disabling IGMP and MLD support in Windows.

Block IGMP and MLD

Using network- or host-based firewalls to block IGMP and MLD network traffic may prevent this vulnerability from being remotely exploited.

  • The workarounds section of MS08-001 contains instructions on how to configure the Windows Vista host firewall to block IGMP and MLD. Note that, per the Microsoft TechNet article "How Windows Firewall Works", Windows XP and Server 2003 allow IGMP traffic to pass through the built-in Windows Firewall.
  • Linux system administrators may use the iptables -p parameter to block the IGMP and MLD protocols.
  • Administrators who use PF can set the proto keyword to block the IGMP and MLD protocols.
  • Cisco ASA administrators can disable IGMP support by using the no igmp command as specified in section 11-14 of the Cisco Security Appliance Command Line Configuration Guide.
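
The iptables bullet above, worked through as an added example (not taken from US-CERT or MS08-001). IGMP is its own IP protocol and can be matched with -p alone, but MLD is carried inside ICMPv6 and has to be matched by message type. The function names, the APPLY variable and the choice of the INPUT and FORWARD chains are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: emit, and optionally apply, netfilter rules that drop
# IGMP and MLD traffic on a Linux firewall or host.
#
# IGMP is IP protocol 2, so "-p igmp" (or "-p 2") matches it directly.
# MLD has no IP protocol number of its own; it is a set of ICMPv6
# message types. Dropping all of ICMPv6 would also break IPv6 neighbor
# discovery, so only the MLD types are matched.

# ICMPv6 types used by MLD (RFC 2710, RFC 3810):
#   130 = query (MLD and MLDv2)   131 = MLDv1 report
#   132 = MLDv1 done              143 = MLDv2 report
MLD_TYPES="130 131 132 143"

# Print one rule per line for the chains given as arguments.
# With no arguments, INPUT and FORWARD are used (assumed chain choice).
igmp_mld_block_rules() {
    [ $# -eq 0 ] && set -- INPUT FORWARD
    for chain in "$@"; do
        # -I inserts at the top so the drop precedes existing accept rules.
        echo "iptables -I $chain -p igmp -j DROP"
        for t in $MLD_TYPES; do
            echo "ip6tables -I $chain -p icmpv6 --icmpv6-type $t -j DROP"
        done
    done
}

# Install the rules. Needs root and the iptables/ip6tables binaries;
# "sh -e" stops at the first rule that fails to load.
apply_igmp_mld_block() {
    igmp_mld_block_rules "$@" | sh -e
}

# Dry run by default: print the rules for review. APPLY=1 installs them.
if [ "${APPLY:-0}" = "1" ]; then
    apply_igmp_mld_block
else
    igmp_mld_block_rules
fi
```

Run it without APPLY first and review the printed rules; hosts that legitimately use IPv4 or IPv6 multicast will lose group membership signalling once the rules are installed.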

Systems Affected

Vendor                   Status        Date Notified   Date Updated
Microsoft Corporation    Vulnerable    9-Jan-2008

References


http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
http://technet2.microsoft.com/windowsserver/en/library/3ccb6af5-d960-4a8d-b12b-70692dc47bf41033.mspx?mfr=true
http://tools.ietf.org/html/rfc1112
http://tools.ietf.org/html/rfc2236
http://tools.ietf.org/html/rfc2710
http://tools.ietf.org/html/rfc3376
http://tools.ietf.org/html/rfc3810
http://iptables-tutorial.frozentux.net/other/iptables.html
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/conf_gd.html
http://en.wikipedia.org/wiki/IGMP
http://en.wikipedia.org/wiki/MLD

Credit

Microsoft credits Alex Wheeler and Ryan Smith of IBM Internet Security Systems X-Force for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2008-01-08
Date First Published: 2008-01-09
Date Last Updated: 2008-01-29
CERT Advisory: 
CVE-ID(s): CVE-2007-0069
NVD-ID(s): CVE-2007-0069
US-CERT Technical Alerts: 
Metric: 22.72
Document Revision: 51

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2008 by US-CERT, a government organization