
Update Protection against Microsoft Windows Routing and Remote Access Buffer Overflow Vulnerabilities (MS06-025)


Check Point Reference: CPAI-2006-116
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-025

Industry Reference(s):

CVE-2006-2371
CVE-2006-2370

Protection Provided by:
VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
Microsoft Windows is prone to buffer overflow vulnerabilities in the Routing and Remote Access service (RRAS) and in the Remote Access Connection Manager service (RASMAN). RRAS allows a computer to act as a dial-up remote access server, VPN server, IP router and network address translator (NAT). Remote Access Service Manager (RASMAN) is a service that handles the details of establishing the connection to the remote server. A remote attacker may exploit these vulnerabilities to take complete control of a target system.
Update/Patch Available
Apply patches: Microsoft Security Bulletin MS06-025
Vulnerability Details
CVE-2006-2370: The vulnerability is due to buffer overflow errors in the Routing and Remote Access service, which fails to properly handle malformed RPC requests.

CVE-2006-2371: The vulnerability is due to buffer overflow errors in a Remote Procedure Call (RPC) interface provided by the Remote Access Connection Manager (RASMAN). A remote attacker may execute arbitrary code via specially crafted RPC requests that lead to registry corruption.

Successful exploitation could grant an attacker complete control of an affected system.

Protection Overview
By enabling the protection, SmartDefense will block malformed RPC requests.

To activate the protection, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on October 11, 2006 includes the following protections:

Malformed DNS Resource Records Protection (MS06-041) - CPAI-2006-111
Microsoft Internet Explorer Memory Corruption Vulnerabilities (MS06-042) - CPAI-2006-112
Microsoft Windows MHTML Remote Code Execution Vulnerability (MS06-043) - CPAI-2006-113
Microsoft Management Console Remote Code Execution Vulnerability (MS06-044) - CPAI-2006-114
Windows Explorer GUID Remote Code Execution Vulnerability (MS06-045) - CPAI-2006-115
Microsoft Windows RASMAN Buffer Overflow Vulnerabilities (MS06-025) - CPAI-2006-116
Microsoft Windows MailSlot Buffer Overflow Vulnerabilities (MS06-035) - CPAI-2006-117
Microsoft Internet Explorer (daxctle.ocx) Vulnerabilities - CPAI-2006-118
CBSMS Mambo Module Remote File Vulnerabilities - CPAI-2006-119

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block RASMAN Vulnerability (MS06-025).
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack information: RASMAN vulnerability detected (MS06-025)

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block RASMAN Vulnerability (MS06-025).
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #99453 indicating that an attempt to exploit RASMAN vulnerability (MS06-025) has been detected.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block RASMAN Vulnerability (MS06-025).
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #99453 indicating that an attempt to exploit RASMAN Vulnerability (MS06-025) has been detected.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.  
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS and enable Block RASMAN Vulnerability (MS06-025).
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack information: RASMAN vulnerability detected (MS06-025)

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > RPC > MS-RPC over CIFS and enable Block RASMAN Vulnerability (MS06-025).
2. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack information: RASMAN vulnerability detected (MS06-025)
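
The log signatures listed in the product sections above (the named MS-RPC Enforcement Violation entry, and rule #99453 on VPN-1 NG with Application Intelligence R55 and VSX NGX) can be searched for in an exported log file. The following is an added example, not part of the Check Point advisory: it assumes a semicolon-delimited text export whose column names (time, src, dst, rule, attack, attack_info) are hypothetical, and the sample records are constructed.

```python
import csv
import io
from collections import Counter

# Strings quoted from the advisory's SmartView Tracker sections.
ATTACK_NAME = "MS-RPC Enforcement Violation"
ATTACK_INFO = "RASMAN vulnerability detected (MS06-025)"
LEGACY_RULE = "99453"  # rule number logged by VPN-1 NG AI R55 and VSX NGX

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """time;src;dst;rule;attack;attack_info
2006-10-12 09:14:02;192.0.2.10;10.0.0.5;12;MS-RPC Enforcement Violation;RASMAN vulnerability detected (MS06-025)
2006-10-12 09:14:07;192.0.2.10;10.0.0.5;12;MS-RPC Enforcement Violation;RASMAN vulnerability detected (MS06-025)
2006-10-12 09:20:31;198.51.100.7;10.0.0.9;#99453;;
2006-10-12 09:21:00;198.51.100.8;10.0.0.9;12;MS-RPC Enforcement Violation;Other MS-RPC protection (constructed)
2006-10-12 09:22:45;10.0.0.20;10.0.0.5;3;;
"""


def is_ms06_025_hit(row):
    """Return True when a record matches either log form the advisory describes."""
    name = (row.get("attack") or "").strip().lower()
    info = (row.get("attack_info") or "").strip().lower()
    rule = (row.get("rule") or "").strip().lstrip("#")
    # Require both fields, as the advisory lists both for this protection.
    named = name == ATTACK_NAME.lower() and info == ATTACK_INFO.lower()
    return named or rule == LEGACY_RULE


def triage(export_text, delimiter=";"):
    """Count MS06-025 detections per (source, destination), busiest pair first."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(export_text), delimiter=delimiter):
        if is_ms06_025_hit(row):
            src = (row.get("src") or "unknown").strip()
            dst = (row.get("dst") or "unknown").strip()
            hits[(src, dst)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (src, dst), count in triage(SAMPLE_EXPORT):
        print(f"{src} -> {dst}: {count} MS06-025 detection(s)")
```

Adjust the column names and delimiter to match the export actually produced in your environment before relying on the counts.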