Microsoft Windows TCP/IP ICMPv6 code execution (ICMPv6_Router_Advertisement_Exec)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects malformed ICMPv6 Router Advertisement packets that could allow remote code execution during an attack.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 30.020, Proventia Desktop: 2480, RealSecure Network: XPU 30.020, RealSecure Server Sensor: XPU 30.020, Proventia Network MFS: XPU 30.020, Proventia-G 1.1 and earlier: XPU 30.020, Proventia Network IDS: XPU 30.020, IBM Security Server Protection for Windows: 2.1.14.2480, IBM Security Server Protection for Windows: 2.0.300.2480, Virtual Server Protection for Vmware: XPU 30.020, Proventia Server IPS for Linux technology: 30.020

Systems affected

Microsoft Windows Vista, Microsoft Windows Vista: x64, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 Itanium

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by an error in the TCP/IP stack when processing ICMPv6 Router Advertisement packets. By sending a specially-crafted ICMPv6 Router Advertisement packet to an IPv6 enabled computer, a remote attacker on the same physical or virtual link could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-009. See References.

References

Microsoft Security Bulletin MS10-009
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx

ISS X-Force
Microsoft Windows TCP/IP ICMPv6 code execution
http://www.iss.net/security_center/static/55894.php

CVE
CVE-2010-0239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0239