Update Protection against Microsoft LSASS Authentication Process Integer Overflow Vulnerability (MS09-059)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-216
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS09-059
Industry Reference(s):	CVE-2009-2524
Protection Provided by:	Security Gateway R70 VPN-1 NGX R65 VSX NGX R65 InterSpect NGX IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Windows XP SP2 Windows XP SP3 Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 Windows Server 2003 x64 Edition SP2 Windows Server 2003 with SP2 (Itanium) Windows Vista Windows Vista SP1 Windows Vista SP2 Windows Vista x64 Edition Windows Vista x64 Edition SP1 Windows Vista x64 Edition SP2 Windows Server 2008 for 32-bit Systems Windows Server 2008 for 32-bit Systems SP2 Windows Server 2008 for x64-based Systems Windows Server 2008 for x64-based Systems SP2 Windows Server 2008 (Itanium) Windows Server 2008 (Itanium) SP2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 (Itanium)
Vulnerability Description An elevation of privilege vulnerability has been discovered in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS provides an interface for managing local security, domain authentication, and Active Directory service processes. It handles authentication for the client and for the server. A remote attacker could exploit this issue via a specially crafted NTLM request.

Update/Patch Available Apply patches: Microsoft Security Bulletin MS09-059
Vulnerability Details The vulnerability is due to the Windows NTLM implementation in LSASS improper handling of malformed packets during NTLM authentication. A remote attacker could create a specially crafted anonymous NTLM authentication request that would cause a crash in the server-side LSASS process and restart the computer.

Protection Overview
The vulnerability is caused by improper handling of valid RPC requests. Therefore, this protection will detect and block suspicious NTLM authentication requests, and may harm connectivity by blocking legitimate requests.

In order for the protection to be activated, update your Security Gateway/VPN-1/InterSpect product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. In the right pane, double-click the Microsoft LSASS Authentication Process Integer Overflow (MS09-059) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

Note: In order for this protection to work properly, please replace the $FWDIR/libf/dcom.def file on the Security Management server with the following dcom.def file.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft LSASS authentication process integer overflow (MS09-059)

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS > Microsoft LSASS Authentication Process Integer Overflow (MS09-059).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

Note: In order for this protection to work properly, please do the following:
1. In the SmartDefense tab, click Application Intelligence > MS-RPC.
2. In the MS-RPC configuration pane, under settings, select Enforce MS-RPC Protection on all TCP Ports.
3. In the SmartDefense tab, click Application Intelligence > MS-RPC > DCOM.
4. In the DCOM configuration pane, under settings, select Allow DCE-RPC interfaces other than End-Point Mapper (such as DCOM) on Port 135.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft LSASS authentication process integer overflow (MS09-059)

VPN-1 VSX NGX R65

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft LSASS authentication process integer overflow (MS09-059)

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following:

Microsoft LSASS Authentication Process Integer Overflow (MS09-059)

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft LSASS authentication process integer overflow (MS09-059)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > MS-RPC, and select the LSASS Active Directory Remote (MS04-011) protection group.
3. Click Microsoft LSASS Authentication Process Integer Overflow (MS09-059) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: LSASS Active Directory
Description: Microsoft LSASS Authentication Process Integer Overflow (MS09-059)

Legal Notice for Threat Center Advisories