Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects TCP Selective-ACK packets that are malformed in a very specific manner so as to disrupt the Windows operating system and cause a denial of service.
Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: A Selective-ACK with a badly out-of-sequence SACK block can trigger this signature without causing the denial of service.
Medium
Proventia Network IPS: XPU 30.020, Proventia Desktop: 2480, RealSecure Network: XPU 30.020, RealSecure Server Sensor: XPU 30.020, Proventia Network MFS: XPU 30.020, Proventia-G 1.1 and earlier: XPU 30.020, Proventia Network IDS: XPU 30.020, IBM Security Server Protection for Windows: 2.1.14.2480, IBM Security Server Protection for Windows: 2.0.300.2480, Virtual Server Protection for VMware: XPU 30.020, Proventia Server IPS for Linux technology: 30.020
Microsoft Windows Vista, Microsoft Windows Vista: x64, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 Itanium
Denial of Service
Microsoft Windows is vulnerable to a denial of service, caused by an error in the TCP/IP stack when processing TCP packets containing a malicious selective acknowledgment (SACK) value. By sending a series of specially crafted TCP packets with a malformed SACK value, a remote attacker could exploit this vulnerability to cause the system to become unresponsive.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-009. See References.
Microsoft Security Bulletin MS10-009
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx
ISS X-Force
Microsoft Windows TCP/IP SACK denial of service
http://www.iss.net/security_center/static/55897.php
CVE
CVE-2010-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0242