Preemptive Protection against Microsoft IP Source Route Vulnerability (MS06-032)

Check Point Reference: CPAI-2006-064
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-032
Industry Reference(s): CVE-2006-2379
US-CERT VU#722753
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
Who is Vulnerable?
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
IP source routing is a mechanism that allows the sender to determine the route an IP packet should take through the network. The TCP/IP driver in some versions of Microsoft Windows contains a buffer overflow in the handling of packets with source routing information. An attacker could try to exploit the vulnerability by creating a specially crafted network packet and sending the packet to an affected system. Successful exploitation will most likely cause a crash, but may potentially allow execution of arbitrary code.
Update/Patch Available
Microsoft has published patches for this issue in Microsoft Security Bulletin MS06-032.
Vulnerability Details
The TCP/IP driver in some versions of Microsoft Windows fails to validate the length of a message before it is passed to an allocated buffer. According to Microsoft, IP packets containing IP source route options 131 and 137 could be used to initiate a connection with the affected components. Note that exploitation requires that "IP Source Routing" is enabled (disabled by default on Windows XP SP2 and Windows Server 2003 SP1) or the "Routing and Remote Access Service" is enabled (disabled by default).
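
The following is an added example, not part of the Check Point advisory or the Microsoft bulletin: a defensive parser that walks the IPv4 header options, reports the source-route options 131 (LSRR) and 137 (SSRR) named above, and bounds-checks every option length before using it. The function names and the sample header bytes are constructed for illustration; malformed options of any type are reported too, because parsing cannot continue past them.

```python
import struct

# IPv4 option types from RFC 791: the two source-route options named in the advisory.
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}

def find_source_route(packet: bytes):
    """Return [(option_name, issue)] for source-route options in a raw IPv4 packet.
    issue is None when the option is well formed, else a description of the defect."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL outside packet bounds")
    opts, i, findings = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # No-Operation is a single byte
            i += 1
            continue
        name = SOURCE_ROUTE.get(kind, f"option {kind}")
        if i + 1 >= len(opts):
            findings.append((name, "truncated before length byte"))
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # never trust the length byte
            findings.append((name, f"invalid length {length}"))
            break
        if kind in SOURCE_ROUTE:
            issue = None
            if length < 3 or (length - 3) % 4:
                issue = f"length {length} is not 3 + 4*n"
            elif opts[i + 2] < 4 or opts[i + 2] % 4:
                issue = f"pointer {opts[i + 2]} is not a valid route offset"
            findings.append((name, issue))
        i += length
    return findings

def sample_header(options: bytes) -> bytes:
    """Constructed input: a bare IPv4 header (documentation addresses) with options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

if __name__ == "__main__":
    print(find_source_route(sample_header(bytes([131, 7, 4, 10, 0, 0, 1]))))
    print(find_source_route(sample_header(bytes([137, 40, 4, 10, 0, 0, 1]))))
```

Any non-empty result means the packet carries a source-route or malformed option and would fall under the "IP Options drop" behaviour described below.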

Protection Overview
Users of VPN-1 NG with Application Intelligence R54 and later versions are preemptively protected against this vulnerability, as VPN-1 drops IP packets with IP options by default.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61/R60

How Can I Protect My Network?
VPN-1 blocks IP options by default. An advisory was published on April 13, 2005. See CPAI-2005-78.

Users should verify that VPN-1 generates log entries for dropped packets with IP options:

1. On the SmartDashboard, click Policy > Global Properties.
2. In the Global Properties window, select Log and Alert.
3. Verify that the Log option is selected next to the "IP Options drop" option.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Upon an attack, one of the following logs will be generated:

reason: Forbidden IP option
reason: IP option is not allowed for this packet

VPN-1 NG with Application Intelligence R55W, R55, R54

How Can I Protect My Network?
VPN-1 blocks IP options by default. An advisory was published on April 13, 2005. See CPAI-2005-78.

Users should verify that VPN-1 generates log entries for dropped packets with IP options:

1. On the SmartDashboard, click Policy > Global Properties.
2. In the Global Properties window, select Log and Alert.
3. Verify that the Log option is selected next to the "IP Options drop" option.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Upon an attack, the following log will be generated:

reason: packet with IP options

VPN-1 VSX NGX

How Can I Protect My Network?
VPN-1 blocks IP options by default. An advisory was published on April 13, 2005. See CPAI-2005-78.

Users should verify that VPN-1 generates log entries for dropped packets with IP options:

1. On the SmartDashboard, click Policy > Global Properties.
2. In the Global Properties window, select Log and Alert.
3. Verify that the Log option is selected next to the "IP Options drop" option.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Upon an attack, the following log will be generated:

reason: packet with IP options