Update Protection against Workstation Service Buffer Overflow Vulnerability (MS06-070)
| Check Point Reference: | CPAI-2006-139 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS06-070 | |
| Industry Reference(s): | CVE-2006-4691 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Windows 2000 SP4 Microsoft Windows XP SP2 | ||
| Vulnerability Description A denial of service vulnerability was detected in Microsoft Windows Workstation service. The workstation service manages the routing of system requests. The workstation service library file (wkssvc.dll) is used by windows when working with shared network drives and printers. A remote attacker could exploit this vulnerability to cause denial of service or to execute arbitrary code on a target system. |
||
|
Update/Patch Available Apply patches: Microsoft Security Bulletin MS06-070 |
|
|
Vulnerability Details This vulnerability is due to a buffer overflow error in the workstation service when processing malformed RPC requests. An attacker can exploit this flaw by sending a malformed RPC request with an overly long hostname. Successful exploitation of the vulnerability could allow remote attackers to cause denial of service and to execute arbitrary code on an affected system. |
Protection Overview
By enabling the protection, SmartDefense will block malformed RPC requests.
In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on November 30, 2006 includes the following protections:
Novell eDirectory 'evtFilteredMonitorEventsRequest' Vulnerability (CPAI-2006-137)
Microsoft NetWare Client Service Remote Code Execution Vulnerability (MS06-066) - CPAI-2006-138
Microsoft Workstation Service Buffer Overflow Vulnerability (MS06-070) - CPAI-2006-139
Microsoft XML Remote Code Execution Vulnerability (MS06-071) - CPAI-2006-140
Visual Studio WMI Code Execution Vulnerability (CPAI-2006-141)
Microsoft Agent Remote Code Execution Vulnerability (MS06-068) - CPAI-32006-142
Block MSN Messenger Live 8 (CPAI-2006-143)
AOL Nullsoft Winamp Ultravox Heap Overflow Vulnerability (CPAI-2006-144)
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS > Block Workstation Service Vulnerability (MS06-070). 
2. In the Block Workstation Service Vulnerability (MS06-070) configuration pane, under Settings > Mode, check Active. 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack information: Workstation Service Vulnerability (MS06-070)
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block Workstation Service Vulnerability (MS06-070).
2. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack information: Workstation Service Vulnerability (MS06-070)
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block Workstation Service Vulnerability (MS06-070).
2. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99456 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block Workstation Service Vulnerability (MS06-070).
2. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99456 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block Workstation Service Vulnerability (MS06-070).
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack information: Workstation Service Vulnerability (MS06-070)
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > RPC > MS-RPC over CIFS and enable Block Workstation Service Vulnerability (MS06-070).
2. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack information: Workstation Service Vulnerability (MS06-070)