Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects attempts to overflow a buffer using SSM packets.
High
Proventia Network IPS: XPU 27.070, Proventia Desktop: 2080, RealSecure Server Sensor: XPU 27.070, RealSecure Network: XPU 27.070, BlackICE PC Protection: 3.6cqn, BlackICE Server Protection: 3.6.cqn, Proventia-G 1.1 and earlier: XPU 27.070, Proventia Network IDS: XPU 27.070, IBM Security Server Protection for Windows: 1.0.914.2080, Proventia Network MFS: XPU 27.070, IBM Security Server Protection for Windows: 2.1.14.2400, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 27.070
Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Small Business Server: 2003 SP1, Microsoft Small Business Server: 2003 R2, Microsoft Small Business Server: 2003 R2 SP2, Microsoft Windows Home Server
Unauthorized Access Attempt
The Microsoft Windows TCP/IP implementation is vulnerable to multiple buffer overflows in the Source Specific Multicasting (SSM) timers caused by improper handling of IGMPv3 and MLDv2 packets. By sending a series of malformed IGMPv3 or MLDv2 packets to a vulnerable host, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS08-001
Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
IBM Internet Security Systems X-Force Database
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) IGMPv3 buffer overflow
http://xforce.iss.net/xforce/xfdb/39452
IBM Internet Security Systems X-Force Database
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) MLDv2 buffer overflow
http://xforce.iss.net/xforce/xfdb/39453
Nortel BULLETIN ID: 2008008560
Centrex IP Client Manager (CICM) response to Microsoft January security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=683011
Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
ISS X-Force
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) multiple buffer overflows
http://www.iss.net/security_center/static/35059.php
CVE
CVE-2007-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0069