
CERT Coordination Center


Microsoft Windows IGMPv3 and MLDv2 processing vulnerability

Vulnerability Note VU#115083

Original Release Date: 2008-01-10 | Last Revised: 2008-01-29

Overview

Microsoft Windows fails to properly process IGMPv3 and MLDv2 network traffic. If exploited, this vulnerability may result in arbitrary code execution or a denial-of-service condition.

Description

Internet Group Management Protocol (IGMP) is the protocol used by IPv4 hosts to report their multicast group memberships to multicast routers. Version 3 (IGMPv3) adds support for source filtering. IGMP, IGMPv2 and IGMPv3 are specified in RFC 1112, RFC 2236, and RFC 3376.

Multicast Listener Discovery (MLD) is a protocol used by IPv6 routers to discover the presence of nodes that can receive multicast packets. MLD version 2 (MLDv2) adds source address filtering capabilities. MLD and MLDv2 are specified in RFC 2710 and RFC 3810.

Per Microsoft Security Bulletin MS08-001:
A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Note that Windows 2000 is not affected by this vulnerability.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. If a vulnerable system is being used as a network firewall or router, clients relying on that system may also be affected.

Solution

Update
Microsoft has released an update to address this issue. See MS08-001 for more information.


Disable IGMP and MLD

Until updates can be applied, disabling IGMP and MLD support may mitigate this vulnerability. See the workarounds section of MS08-001 for more information on disabling IGMP and MLD support in Windows.

Block IGMP and MLD

Using network- or host-based firewalls to block IGMP and MLD network traffic may prevent this vulnerability from being remotely exploited.

    • The workarounds section of MS08-001 contains instructions on how to configure the Windows Vista host firewall to block IGMP and MLD. Note that, per the Microsoft TechNet article "How Windows Firewall Works", Windows XP and Server 2003 allow IGMP traffic to pass through the built-in Windows Firewall.
    • Linux system administrators may use the iptables -p parameter to block the IGMP and MLD protocols.
    • Administrators who use PF can set the proto keyword to block the IGMP and MLD protocols.
    • Cisco ASA administrators can disable IGMP support by using the no igmp command as specified in section 11-14 of the Cisco Security Appliance Command Line Configuration Guide.
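
For the Linux bullet above, the following is an added example (not part of the original advisory or of MS08-001) that generates iptables and ip6tables rules dropping IGMP and MLD. The chain choice (INPUT and FORWARD), the function names and the dry-run default are assumptions. Note that MLD has no IP protocol number of its own: it is carried in ICMPv6, so the rules match the MLD message types rather than dropping all of ICMPv6.

```shell
#!/bin/sh
# Added example: build firewall rules that drop IGMP and MLD.
# IGMP is IPv4 protocol number 2, so "-p 2" selects it without relying
# on /etc/protocols. MLD is a set of ICMPv6 message types; matching only
# those types leaves Neighbor Discovery and other ICMPv6 traffic intact.

# ICMPv6 types used by MLD:
#   130 = Multicast Listener Query (MLDv1 and MLDv2)
#   131 = MLDv1 Multicast Listener Report
#   132 = MLDv1 Multicast Listener Done
#   143 = MLDv2 Multicast Listener Report (RFC 3810)
MLD_TYPES="130 131 132 143"

# INPUT covers the local host; FORWARD covers a Linux gateway that
# filters traffic for hosts behind it (assumed deployment).
CHAINS="INPUT FORWARD"

igmp_rules() {
    for chain in $CHAINS; do
        echo "iptables -A $chain -p 2 -j DROP"
    done
}

mld_rules() {
    for chain in $CHAINS; do
        for t in $MLD_TYPES; do
            echo "ip6tables -A $chain -p icmpv6 --icmpv6-type $t -j DROP"
        done
    done
}

all_rules() {
    igmp_rules
    mld_rules
}

# Default is a dry run that prints the rules for review.
# Set APPLY=1 (as root) to install them; sh -e stops at the first failure.
if [ "${APPLY:-0}" = "1" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Rules appended with -A only take effect if no earlier rule in the chain already accepts the traffic, so check rule order in an existing ruleset before relying on them.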

Vendor Information


Microsoft Corporation

Updated:  January 09, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

Microsoft credits Alex Wheeler and Ryan Smith of IBM Internet Security Systems X-Force for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-0069
Severity Metric: 22.72
Date Public: 2008-01-08
Date First Published: 2008-01-10
Date Last Updated: 2008-01-29 17:49 UTC
Document Revision: 51

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.