
Update Protection against Microsoft Windows Mailslot Buffer Overflow Vulnerability (MS06-035)


Check Point Reference: CPAI-2006-117
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-035
Industry Reference(s): CVE-2006-1314
US-CERT VU#189140
Protection Provided by:
VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
A Mailslot is a mechanism that can facilitate data transfer between hosts. The most widely known implementation of the Mailslot is the Messenger Service that exists in Windows XP. A vulnerability in the Mailslot server service (SRV.SYS) may allow a remote attacker to execute arbitrary code via a specially crafted Mailslot message.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-035
Vulnerability Details
The vulnerability exists due to a flaw within the SRV.SYS driver, which handles all Server Message Block (SMB) traffic. The driver fails to properly process Mailslot messages. To exploit this vulnerability, a remote attacker may provide a specially crafted Mailslot message that triggers a memory corruption and bypasses size restrictions. This buffer overflow allows remote attackers to execute arbitrary commands, which may give the attacker complete control of the vulnerable system.

Protection Overview

The update defends against the vulnerability by detecting and blocking malformed Mailslot transaction requests.

To activate the protection, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, open the Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on October 11, 2006 includes the following protections:

Malformed DNS Resource Records Protection (MS06-041) - CPAI-2006-111
Microsoft Internet Explorer Memory Corruption Vulnerabilities (MS06-042) - CPAI-2006-112
Microsoft Windows MHTML Remote Code Execution Vulnerability (MS06-043) - CPAI-2006-113
Microsoft Management Console Remote Code Execution Vulnerability (MS06-044) - CPAI-2006-114
Windows Explorer GUID Remote Code Execution Vulnerability (MS06-045) - CPAI-2006-115
Microsoft Windows RASMAN Buffer Overflow Vulnerabilities (MS06-025) - CPAI-2006-116
Microsoft Windows MailSlot Buffer Overflow Vulnerabilities (MS06-035) - CPAI-2006-117
Microsoft Internet Explorer (daxctle.ocx) Vulnerabilities - CPAI-2006-118
CBSMS Mambo Module Remote File Vulnerabilities - CPAI-2006-119

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Microsoft Networks > Block Malformed Mailslot Transaction Requests.
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Malformed Mailslot Transaction Request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Microsoft Networks > Block Malformed Mailslot Transaction Requests.
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99442 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Microsoft Networks > Block Malformed Mailslot Transaction Requests.
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99442 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Microsoft Networks > Block Malformed Mailslot Transaction Requests.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Malformed Mailslot Transaction Request

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks > Block Malformed Mailslot Transaction Requests.
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Malformed Mailslot Transaction Request

Connectra NGX R61

How Can I Protect My Network?
1. In the navigation tree, click Security > SmartDefense > Application Intelligence.
2. In the Application Intelligence pane, under Dynamic Attacks, select Block Malformed Mailslot Transaction Requests.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: Windows SMB Protection Violation
Attack Information: Malformed Mailslot Transaction Request
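
The "How Do I Know if My Network is Under Attack?" sections above give two forms of log evidence: the named attack entry and, on VPN-1 NG with Application Intelligence R55 and VPN-1 VSX NGX, Rule #99442. The following is an added example, not Check Point code, that triages a delimited log export for both forms and counts hits per source and destination. The semicolon delimiter, the column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Indicators taken from the advisory text.
ATTACK_NAME = "Windows SMB Protection Violation"
ATTACK_INFO = "Malformed Mailslot Transaction Request"
RULE_NUMBER = "99442"  # form shown by VPN-1 NG AI R55 and VPN-1 VSX NGX

# Constructed sample export. The delimiter and column names are assumptions;
# adjust them to match the header row of your own export.
SAMPLE_EXPORT = """\
time;origin;action;src;dst;service;rule;attack;attack_info
10:02:11;gw-a;drop;192.0.2.15;10.1.1.20;445;12;Windows SMB Protection Violation;Malformed Mailslot Transaction Request
10:02:12;gw-a;accept;10.1.1.7;10.1.1.20;445;12;;
10:03:40;gw-r55;drop;192.0.2.15;10.1.1.21;139;99442;;
10:04:02;gw-a;drop;198.51.100.9;10.1.1.20;445;12;windows smb protection violation;malformed mailslot transaction request
10:05:30;gw-a;drop;198.51.100.9;10.1.1.30;53;12;DNS Protection Violation;Malformed resource record
"""

def is_mailslot_hit(row):
    """True if a row matches either form of the MS06-035 protection entry."""
    # Compare case-insensitively so differently cased exports still match.
    name = (row.get("attack") or "").strip().casefold()
    info = (row.get("attack_info") or "").strip().casefold()
    named = name == ATTACK_NAME.casefold() and info == ATTACK_INFO.casefold()
    by_rule = (row.get("rule") or "").strip().lstrip("#") == RULE_NUMBER
    return named or by_rule

def find_mailslot_hits(export_text, delimiter=";"):
    """Return the rows of a delimited log export that match the protection."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    return [row for row in reader if is_mailslot_hit(row)]

def summarize(hits):
    """Count hits per (source, destination) pair for triage."""
    return Counter((h["src"], h["dst"]) for h in hits)

if __name__ == "__main__":
    hits = find_mailslot_hits(SAMPLE_EXPORT)
    for (src, dst), count in summarize(hits).most_common():
        print(f"{src} -> {dst}: {count} blocked Mailslot request(s)")
```

Repeated hits from one source against several internal hosts are worth correlating with the patch status of those hosts under MS06-035.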