Microsoft Windows does not adequately validate IP options

2005-04-12T00:00:00
ID VU:233754
Type cert
Reporter CERT
Modified 2005-05-03T21:56:00

Description

Overview

Microsoft Windows does not adequately validate IP options, allowing an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. An attacker could take complete control of a vulnerable system.

Description

Several versions of the Microsoft Windows IP stack are vulnerable to specially crafted packets that contain malformed IP options. When processing such a packet, a vulnerable IP stack may initially validate the options and pass them to code that uses the options data in ways that corrupt memory. Routers may drop packets with malformed IP options, so an attacker may need to be able to send packets from the same IP subnet as the target system. IP tunnels (VPNs, GRE) may deliver malformed packets through a router that would otherwise drop them.


Impact

An unauthenticated, remote attacker could execute arbitrary code or cause a denial of service. Since the IP stack is implemented as a kernel driver, an attacker who successfully executes arbitrary code could gain complete control of a vulnerable system. Kernel memory corruption caused by an attack could cause a vulnerable system to crash and possibly reboot.


Solution

Apply a patch

Apply the appropriate patch (893066) referenced by Microsoft Security Bulletin MS05-019. Microsoft Knowledge Base Article 893066 describes several issues related to the patch, including possible degraded network performance (890345).


Filter packets with malformed IP options

Filter packets with malformed IP options at network borders.


Vendor Information

233754

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ Microsoft Corporation

Updated: April 12, 2005

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS05-019.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx>
  • <http://xforce.iss.net/xforce/alerts/id/192>
  • <http://www.iana.org/assignments/ip-parameters>
  • <http://www.securityfocus.com/bid/13116/>
  • <http://secunia.com/advisories/14512/>
  • <http://securitytracker.com/alerts/2005/Apr/1013686.html>

Acknowledgements

This vulnerability was reported by Microsoft, who credits ISS X-Force.

This document was written by Art Manion.

Other Information

CVE IDs:* | CVE-2005-0048
---|---
**Severity Metric:
| 12.29
*Date Public:
| 2005-04-12
Date First Published: | 2005-04-12
Date Last Updated: | 2005-05-03 21:56 UTC
Document Revision: | 10